Weird Shortcut in C: (snqn) and suspected Ramnit?

#61
roadran

Changes still can't be saved! :(

#62
RKinner

Were you able to manually change the NtpServer?

#63
roadran

Yes

#64
RKinner

Download Process Monitor http://live.sysinter...com/Procmon.exe

Right-click on it and Run As Admin.

While it is running, go in and try to change the time server.

Once you have done that and it gives you the error, go to File and uncheck Capture Events. Once it stops,

go to File, Save, check Highlighted Events, then OK. It should save the file to logfile.pml, which should be on your desktop. Close Process Monitor. Zip up the file or rename it to logfile.txt, then
attach the file to an email to me (I'll send you the address in a PM) and send it. That may show me what is going wrong.

#65
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Done

#66
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,899 posts
  • MVP
Apparently I need a 64 bit system in order to read it. Try it again but this time when you Save it, click on Format: Comma-Separated-Values (CSV). I should be able to read that in Excel.

#67
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Ok, done. Thanks for helping me! =D

#68
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,899 posts
  • MVP
That one was empty. My fault.
Try it again:
Run Process Monitor by right-clicking and choosing Run As Admin.
While it is running, go in and try to change the time server.

Once you have done that and it gives you the error, go back to Process Monitor, click File, then uncheck Capture Events. Once it stops,

go to File, Save, check All Events, then CSV, then OK. It should save the file to logfile.csv, which should be on your desktop. Overwrite the old one. Close Process Monitor.
Attach the file to an email to me (I'll send you the address in a PM) and send it. That may show me what is going wrong.

This should normally be a very large file which is why I had you attach it to an email.

#69
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Done :)

#70
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,899 posts
  • MVP
Apparently there is something wrong with the w32time.dll file.

Not sure why it really needs to change the file but I don't see that error on mine. Let's try and replace the file with the other one that is on your system.

Copy the text in the code box by highlighting and Ctrl + c


:files
C:\Windows\SysNative\w32time.dll|C:\Windows\winsxs\amd64_microsoft-windows-time-service_31bf3856ad364e35_6.1.7600.16385_none_e49c555686fbabd6\w32time.dll

:Commands
[Reboot]


then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered; OTL will reboot the PC when it is done.

#71
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Sadly, it still doesn't work :( I also checked the permissions; it's set to Everyone: Full Control.

If you need I have hashes for the w32time.dll that was recently just copied over.

MD5: 1c9d80cc3849b3788048078c26486e1a
SHA1: b7ac0545ec3a41c17a8c7670ed4276bbac8a8599
CRC32: 8560e94d
SHA-256: 34a89f31e53f6b6c209b286f580cc2257ae6d057e4e20741f241c9c167947962
SHA-512: 037c59d3a1c305493c94e3b78ce0049ccc7688d11bf196bdaad42e171a73ef34181b3403e2dd884f7cb684c6e0118b0778f734b4d7af4fc7112d3fb9e3803019
SHA-384: 1ded3ed30e9d38665e06e27bb0e7c524bad069f8f59423bd9720150f64cb51b7bd85ed144e4738c7d62949f7e0bfa5a

Edited by roadran, 14 March 2012 - 08:53 AM.

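One way to check what the copy in the OTL fix above actually did, and to put the posted hashes in context: the following is an added PowerShell example, not code from the thread or from OTL. It fingerprints the live w32time.dll and every copy under winsxs (the pattern and the `sfc /verifyfile` check are assumptions about a standard 64-bit Windows 7 install; paths and directory names are taken from the thread).

```powershell
# Added example (not from the thread): fingerprint the live w32time.dll and every
# copy Windows keeps under winsxs, to see whether the OTL copy changed the file
# and whether the live file matches a known servicing copy.
# Assumes 64-bit Windows 7 or later and an elevated PowerShell 4.0+ (Get-FileHash).

# From a 64-bit PowerShell, System32 is the real 64-bit directory; only a 32-bit
# process needs the Sysnative alias that the OTL script above uses.
$live = Join-Path $env:SystemRoot 'System32\w32time.dll'
if (-not [Environment]::Is64BitProcess) {
    $live = Join-Path $env:SystemRoot 'Sysnative\w32time.dll'
}

function Get-DllFingerprint {
    param([string]$Path)
    $info = (Get-Item -Path $Path).VersionInfo
    [pscustomobject]@{
        SHA256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Version = $info.FileVersion
        Company = $info.CompanyName
        Path    = $Path
    }
}

$liveReport = Get-DllFingerprint -Path $live

# winsxs holds one time-service directory per servicing level (RTM, SP1, hotfix),
# so enumerate them instead of assuming the 6.1.7600.16385 one from the thread.
$pattern = Join-Path $env:SystemRoot 'winsxs\amd64_microsoft-windows-time-service_*'
$copies = Get-ChildItem -Path $pattern -Directory |
    ForEach-Object { Join-Path $_.FullName 'w32time.dll' } |
    Where-Object { Test-Path -Path $_ } |
    ForEach-Object { Get-DllFingerprint -Path $_ }

@($liveReport) + @($copies) | Sort-Object Version | Format-Table -AutoSize

# A live copy whose hash matches none of the winsxs copies deserves a closer look;
# compare the SHA-256 here with the one posted above.
$known = @($copies | ForEach-Object { $_.SHA256 })
if ($known -notcontains $liveReport.SHA256) {
    Write-Warning "$live does not match any winsxs copy"
}

# System DLLs are catalog-signed, so Get-AuthenticodeSignature says NotSigned on
# Windows 7; let the servicing stack check the file against its catalog instead.
sfc.exe "/verifyfile=$live"
```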

#72
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,899 posts
  • MVP
I'm running out of things to try. Going to have to ask on our internal forum for more ideas. I'm at a disadvantage since I don't have a 64 bit system to play on.

Ron

#73
roadran

roadran

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 142 posts
Ok, thanks! :)

#74
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,899 posts
  • MVP
Turns out I do have one more idea. Got a friend to export his registry keys for the time service off his 64 bit. Let's replace yours with his:

Download the attached zip file. Save it and then right click and Extract All. There should be two .reg files. Right click on each and Merge.

These will each erase the old registry entries first, then install the new ones. You might want to export the two keys in question before doing the Merge so you can back up if things go wrong.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime]

Ron
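The backup step suggested above, done from PowerShell, as an added example (not code from the thread): it exports the two keys named in the post to .reg files, then shows the NtpServer value the dialog is rewriting and the ACL on the Parameters key (the "Everyone: Full Control" setting mentioned earlier is much wider than the default). The backup folder name is an assumption.

```powershell
# Added example (not from the thread): back up the two keys named above before
# merging someone else's export, then show what the Date and Time dialog is
# trying to write and who is allowed to write it. Run from an elevated PowerShell.

$keys = @(
    'HKLM\SYSTEM\CurrentControlSet\services\W32Time',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime'
)
$backupDir = Join-Path $env:USERPROFILE 'Desktop\W32TimeBackup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($key in $keys) {
    # reg.exe writes the same .reg format that Merge reads back, so a backup can
    # be restored by right-clicking it and choosing Merge if the new keys go wrong.
    $file = Join-Path $backupDir (($key -split '\\')[-1] + '.reg')
    reg.exe export $key $file /y | Out-Null
    if ($LASTEXITCODE -eq 0) { "Backed up $key -> $file" }
    else { Write-Warning "Export of $key failed (exit code $LASTEXITCODE)" }
}

# NtpServer is the value the dialog rewrites; it lives under W32Time\Parameters.
$params = 'HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Parameters'
Get-ItemProperty -Path $params | Select-Object NtpServer, Type

# The default for service keys is Full Control for SYSTEM and Administrators and
# read-only for standard users; "Everyone: Full Control" is far wider than that.
(Get-Acl -Path $params).Access |
    Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize

# Service state and the configuration w32time actually loaded, for a before/after
# comparison around the merge and the reboot.
Get-Service -Name w32time | Select-Object Name, Status
w32tm.exe /query /configuration
```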

#75
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,899 posts
  • MVP
If that didn't help then I have these suggestions from the internal forum:

1. Register the w32time.dll
Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue. Type with an Enter after each line:

cd \windows\syswow64
regsvr32 \windows\system32\w32time.dll
(If regsvr32 \windows\system32\w32time.dll doesn't work, then try
regsvr32 \windows\sysnative\w32time.dll)


2. Run VEW again and see if there is more info in the event logs:

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Right-click VEW.exe and Run As Administrator.
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:
1. Click the radio button for 'Number of events'.
Type 20 in the 1 to 20 box.
Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Ron
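The same query VEW is asked to run above (last 20 Error and Warning entries from System and Application), as an added PowerShell example that is not code from the thread or from VEW; it also narrows to the time service's own events, since those are what this thread is chasing. The provider name Microsoft-Windows-Time-Service is the standard one for w32time, an assumption not stated in the thread.

```powershell
# Added example (not from the thread): the query VEW is asked to run above, done
# with Get-WinEvent so it can be repeated without extra tools. Level 2 = Error,
# 3 = Warning. Assumes Windows Vista or later and an elevated PowerShell 2.0+.

function Get-RecentProblems {
    param(
        [string]$LogName,
        [int]$Count = 20
    )
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2, 3 } `
                     -MaxEvents $Count -ErrorAction Stop |
            Select-Object TimeCreated, LevelDisplayName, ProviderName, Id,
                @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
    } catch {
        # Get-WinEvent reports "No events were found" as an error, not an empty result.
        Write-Warning "${LogName}: $($_.Exception.Message)"
    }
}

foreach ($log in 'System', 'Application') {
    "==== $log (last 20 Error/Warning) ===="
    Get-RecentProblems -LogName $log | Format-Table -AutoSize -Wrap
}

# Then narrow to the service this thread is chasing, at any level: w32time logs
# to System under the provider Microsoft-Windows-Time-Service (assumed name).
"==== Time-Service events ===="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LevelDisplayName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```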