Windows desktop won't fully load; suspect malware



#46 Lamont_Cranston (Member, Topic Starter, 36 posts)

VirusTotal results:

bdftdif.sys = 0/56
bdselfpr.sys = 0/59
mbrbac = 0/47

The last time I used System Restore (on May 23rd) it disabled Bitdefender to about the same state it's in now. A repair install from Add or Remove Programs appeared to restore Bitdefender, but at the expense of a non-starting MBAE.

I dunno if I'm going to be forced to choose between the two. I could try the Panda Cloud AV as a replacement, but that might behave the same way with MBAE.




#47 RKinner (Malware Expert, MVP, 24,598 posts)

I checked on the Bitdefender forum to see if people were complaining of a conflict and normally the free versions of each get along:

https://forum.bitdef...bytes-programs/

I use the free Avast which seems pretty good except for their annoying popups trying to get you to buy it. They claim to support XP and their boot-time scan is the best. It starts before Windows fully loads so can catch a lot of malware that others can't (though it takes all night to run). I also have the free MBAM without a problem.



#48 Lamont_Cranston (Member, Topic Starter, 36 posts)

Thanks for posting the link. Looks encouraging, although the topic starter may be using a newer version of Bitdefender Free for a newer version of Windows.

Having used Avast in the past, it was my first choice after MSE went away for XP. However, when I tried a lean custom offline install on this box Avast had issues. Couldn't uninstall it and couldn't get online after the install went haywire. Had to go to a public library and download the Avast uninstall tool to a CD. Running that in Safe Mode was the only way to get back to normal.

That's when I installed Bitdefender as my second choice, which worked fine until this variant of ZeroAccess came along. I'm hesitant to try Avast again after my last experience. Being less than impressed with the vague detection results Panda's online scanner generated, I'm also hesitant to try the Panda Cloud AV although others seem to like it. Nevertheless, these seem to be my only lean options.

I'll try a repair install of Bitdefender Free 2015, and if that doesn't work with MBAE a complete uninstall and reinstall and see what happens. If I'm unsuccessful I might try Avast again. The only other thing I can think of is Voodoo Shield, but support for that on XP ended several months ago.



#49 RKinner (Malware Expert, MVP, 24,598 posts)

Did you ever rerun Combofix to see if it still sees ZA in the TCP/IP stack?



#50 Lamont_Cranston (Member, Topic Starter, 36 posts)

Thanks for reminding me.  I'll run ComboFix again after I finish with the automotive sites--I'm under deadline pressure to address my car's issues.



#51 RKinner (Malware Expert, MVP, 24,598 posts)

OK. No hurry.



#52 Lamont_Cranston (Member, Topic Starter, 36 posts)

Another long scan. When ComboFix warns that rootkit ZeroAccess! is "a particularly difficult infection" it's an understatement. Just won't stay gone from TCP/IP.



#53 RKinner (Malware Expert, MVP, 24,598 posts)

Appears this may be a false positive on ComboFix's part. I have found several posts where they have run every test known to man and nothing was found. ComboFix is no longer being updated or supported so we can't ask the developer.

Were you able to get Bitdefender to work?



#54 Lamont_Cranston (Member, Topic Starter, 36 posts)

Haven't tried another repair install of Bitdefender yet. I'm a little spooked by what I experienced today: more strange behavior.

Got home from work just in time to watch my PC reboot on its own again. Saw the empty DVD and floppy drives light up for a few seconds as this occurred. Remembering what happened last time, I immediately checked System Restore after my desktop loaded. Thankfully, all new restore points created since the last spontaneous reboot were still there.

Updated MBAM and ran a full scan on the A, C, and E drives. Nothing detected. I too had been thinking ComboFix was generating FPs. No other scanner I've tried has found ZeroAccess. After this episode I'm not sure what to think.


Edited by Lamont_Cranston, 27 June 2017 - 06:21 PM.


#55 RKinner (Malware Expert, MVP, 24,598 posts)

Run VEW again. Let's see if what happened left us an error message.




#56 Lamont_Cranston (Member, Topic Starter, 36 posts)

Here are the latest VEW logs:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 27/06/2017 8:53:49 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 27/06/2017 5:02:41 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.0.2 for the Network Card with network address 000BDBBF2B86 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 25/06/2017 5:21:35 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Malwarebytes Anti-Exploit Service service hung on starting.

Log: 'System' Date/Time: 20/06/2017 7:03:52 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.0.2 for the Network Card with network address 000BDBBF2B86 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 18/06/2017 12:33:20 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 18/06/2017 11:26:55 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load:  avc3 bdftdif bdselfpr ESProtectionDriver Fips gzflt intelppm trufos

Log: 'System' Date/Time: 18/06/2017 11:25:44 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 18/06/2017 11:25:14 AM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.0.2 for the Network Card with network address 000BDBBF2B86 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 17/06/2017 10:01:44 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Log: 'System' Date/Time: 17/06/2017 8:11:18 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 17/06/2017 7:53:32 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Log: 'System' Date/Time: 17/06/2017 7:45:27 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Log: 'System' Date/Time: 17/06/2017 7:31:02 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load:  avc3 bdftdif bdselfpr ESProtectionDriver Fips gzflt intelppm trufos

Log: 'System' Date/Time: 17/06/2017 7:29:48 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 15/06/2017 1:50:02 PM
Type: error Category: 6
Event: 16 Source: Windows Update Agent
Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Log: 'System' Date/Time: 13/06/2017 11:47:27 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Malwarebytes Anti-Exploit Service service hung on starting.

Log: 'System' Date/Time: 13/06/2017 11:38:16 PM
Type: error Category: 0
Event: 7022 Source: Service Control Manager
The Malwarebytes Anti-Exploit Service service hung on starting.

Log: 'System' Date/Time: 12/06/2017 8:45:30 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for Start with the following error:  Access is denied.  

Log: 'System' Date/Time: 12/06/2017 8:45:26 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for Start with the following error:  Access is denied.  

Log: 'System' Date/Time: 12/06/2017 8:45:23 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for Start with the following error:  Access is denied.  

Log: 'System' Date/Time: 12/06/2017 8:44:07 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for Start with the following error:  Access is denied.  

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 25/06/2017 9:49:25 PM
Type: warning Category: 0
Event: 4 Source: bcm4sbxp
Broadcom 440x 10/100 Integrated Controller: The network link is down.  Check to make sure the network cable is properly connected.

Log: 'System' Date/Time: 18/06/2017 12:43:48 PM
Type: warning Category: 0
Event: 1073 Source: USER32
The attempt to reboot BADDABING failed

Log: 'System' Date/Time: 17/06/2017 7:04:58 AM
Type: warning Category: 0
Event: 1073 Source: USER32
The attempt to power off BADDABING failed

Log: 'System' Date/Time: 17/06/2017 7:01:45 AM
Type: warning Category: 0
Event: 1073 Source: USER32
The attempt to power off BADDABING failed

Log: 'System' Date/Time: 10/06/2017 6:17:01 PM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000BDBBF2B86.  The following error occurred:  The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 10/06/2017 6:16:59 PM
Type: warning Category: 0
Event: 4 Source: bcm4sbxp
Broadcom 440x 10/100 Integrated Controller: The network link is down.  Check to make sure the network cable is properly connected.

Log: 'System' Date/Time: 10/06/2017 6:16:31 PM
Type: warning Category: 0
Event: 4 Source: bcm4sbxp
Broadcom 440x 10/100 Integrated Controller: The network link is down.  Check to make sure the network cable is properly connected.

Vino's Event Viewer v01c run on Windows XP in English
Report run at 27/06/2017 8:57:18 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 08/06/2017 8:39:11 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application plugin-container.exe, version 52.1.2.6346, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Log: 'Application' Date/Time: 08/06/2017 5:21:40 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application repair_windows.exe, version 3.9.0.33, faulting module gdi32.dll, version 5.1.2600.6460, fault address 0x0000ef4b.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "FacebookCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSLiveCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSSkypeCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "TwitterCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "YahooCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSOffice365CA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 10:09:45 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "FacebookCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 10:09:45 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSLiveCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 10:09:45 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSSkypeCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 10:09:45 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "TwitterCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 10:09:45 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "YahooCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 10:09:45 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSOffice365CA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 9:45:44 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "FacebookCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 9:45:44 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSLiveCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 9:45:44 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSSkypeCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 9:45:44 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "TwitterCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 9:45:44 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "YahooCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 9:45:44 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSOffice365CA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 6:33:51 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "FacebookCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 26/06/2017 6:33:51 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSLiveCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

#57 RKinner (Malware Expert, MVP, 24,598 posts)

Not sure why but looks like EMET has woken up. Apparently you need to open it up and delete the PinRules that it is complaining about.

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "FacebookCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSLiveCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSSkypeCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "TwitterCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "YahooCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "MSOffice365CA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it

You might just want to uninstall EMET. MS was supposed to stop supporting it in Jan of this year (though they extended it 18 months) and the newest version won't work on XP anyway.

Doesn't seem like that would cause it to reboot though.

Wondering why something else keeps getting your IP address. Is there another device using this router? Open a Command Prompt and type:

arp -a > \junk.txt
notepad \junk.txt

Copy the text from notepad and paste it into a reply.


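Triage logic for the VEW output posted above and for the arp -a check RKinner asks for, as an added example that is not part of the thread. It parses records in the layout VEW prints, tallies the boot-start drivers that fail to load (Event 7026), the "Access is denied" failures when the Service Control Manager tries to write a service's Start value (Event 7006), DHCP NAKs with the NIC MAC and server they name (Event 1002) and expired EMET pin rules (Event 41), then cross-checks any refused lease address against a parsed Windows `arp -a` table. The four log records and the single-entry arp table are copied from the posts; the second arp table, with another MAC answering for 192.168.0.2, is constructed to show what a real conflict would look like. The function names are mine.

```python
import re
from collections import Counter

# Four records in the layout VEW prints, copied from the log posted above (not the whole log).
SAMPLE_VEW = """\
Log: 'System' Date/Time: 27/06/2017 5:02:41 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.0.2 for the Network Card with network address 000BDBBF2B86 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 18/06/2017 11:26:55 AM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load:  avc3 bdftdif bdselfpr ESProtectionDriver Fips gzflt intelppm trufos

Log: 'System' Date/Time: 12/06/2017 8:45:30 PM
Type: error Category: 0
Event: 7006 Source: Service Control Manager
The ScRegSetValueExW call failed for Start with the following error:  Access is denied.

Log: 'Application' Date/Time: 27/06/2017 5:02:41 PM
Type: warning Category: 0
Event: 41 Source: EMET
The PinRule "FacebookCA" expired on 8/1/2016 12:00:00 PM and will not be used to validate certificates, please update this rule or delete it
"""
# arp -a output as posted (only the gateway is known) ...
ARP_POSTED = """\
Interface: 192.168.0.2 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.0.1           50-67-f0-ee-be-b6     dynamic
"""
# ... and a constructed table for the conflict case: another MAC answering for 192.168.0.2.
ARP_CONFLICT = ARP_POSTED + "  192.168.0.2           00-11-22-33-44-55     dynamic\n"

HEADER = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>.+)$")
TYPE = re.compile(r"^Type: (?P<type>\w+) Category: \d+$")
EVENT = re.compile(r"^Event: (?P<id>\d+) Source: (?P<source>.+)$")
DHCP_NAK = re.compile(r"lease (\S+) for the Network Card with network address (\w+) has been denied by the DHCP server (\S+)")
ARP_ENTRY = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9A-Fa-f-]{17})\s+(\w+)")

def parse_vew(text):
    """VEW text -> list of dicts (log, when, type, id, source, message).
    A blank line closes a record, so the ~~~~ separators never get glued onto a message."""
    events, cur = [], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            cur = None
        elif (m := HEADER.match(line)):
            cur = {"log": m["log"], "when": m["when"], "message": ""}
            events.append(cur)
        elif cur is None:
            continue
        elif (m := TYPE.match(line)):
            cur["type"] = m["type"]
        elif (m := EVENT.match(line)):
            cur["id"], cur["source"] = int(m["id"]), m["source"].strip()
        else:
            cur["message"] = (cur["message"] + " " + line).strip()
    return events

def triage(events):
    """The four signals worth acting on in this thread's logs."""
    f = {"failed_drivers": Counter(), "start_value_denied": 0, "dhcp_nak": [], "expired_pins": set()}
    for ev in events:
        src, eid, msg = ev.get("source"), ev.get("id"), ev["message"]
        if src == "Service Control Manager" and eid == 7026:
            # the same list on every boot means the AV / anti-exploit drivers never load
            f["failed_drivers"].update(msg.split("failed to load:")[1].split())
        elif src == "Service Control Manager" and eid == 7006 and "Access is denied" in msg:
            # SCM was refused a write to a service's Start value: find out which service,
            # and whether a self-protection driver, an ACL or malware is blocking it
            f["start_value_denied"] += 1
        elif src == "Dhcp" and eid == 1002 and (m := DHCP_NAK.search(msg)):
            f["dhcp_nak"].append((ev["when"],) + m.groups())   # (when, ip, nic mac, server)
        elif src == "EMET" and eid == 41 and (m := re.search(r'PinRule "([^"]+)"', msg)):
            f["expired_pins"].add(m.group(1))
    return f

def av_drivers_down(findings, driver_names):
    """Which of the named driver services are among the boot-start failures."""
    return [d for d in driver_names if findings["failed_drivers"][d]]

def norm_mac(mac):
    """'50-67-f0-ee-be-b6' and '000BDBBF2B86' both become 12 upper-case hex digits."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()

def parse_arp(text):
    """Windows `arp -a` rows as (ip, normalized MAC, type); header and Interface lines skipped."""
    return [(m.group(1), norm_mac(m.group(2)), m.group(3)) for m in map(ARP_ENTRY.match, text.splitlines()) if m]

def lease_conflicts(findings, arp_entries):
    """ARP rows that hold an address the DHCP server refused this NIC, under a different MAC."""
    return [(a_ip, a_mac) for _when, ip, nic_mac, _srv in findings["dhcp_nak"]
            for a_ip, a_mac, _ in arp_entries if a_ip == ip and a_mac != norm_mac(nic_mac)]

if __name__ == "__main__":
    found = triage(parse_vew(SAMPLE_VEW))
    print("failing at boot:", dict(found["failed_drivers"]))
    print("Bitdefender drivers down:", av_drivers_down(found, ["bdftdif", "bdselfpr"]))
    print("Start writes denied:", found["start_value_denied"], "| expired pins:", sorted(found["expired_pins"]))
    print("conflicts, posted arp:", lease_conflicts(found, parse_arp(ARP_POSTED)))
    print("conflicts, constructed arp:", lease_conflicts(found, parse_arp(ARP_CONFLICT)))
```

Run against the full VEW report instead of the sample by reading the saved file into `parse_vew`. The posted arp table yields no conflict, which matches RKinner's reading that nobody else was on the network at that moment; the constructed table shows the shape of the hit you would get if another host held the refused address. The 7006 count is only a pointer: the event does not name the service, so the next step is to check which service's Start value was being changed at that time and what denied it.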

#58 Lamont_Cranston (Member, Topic Starter, 36 posts)

Here it is:

Interface: 192.168.0.2 --- 0x10003
  Internet Address      Physical Address      Type
  192.168.0.1           50-67-f0-ee-be-b6     dynamic



#59 RKinner (Malware Expert, MVP, 24,598 posts)

Doesn't seem to be anyone else on the network so I don't know why DHCP is acting up. Perhaps the conflicting device is not on right now.

I would clear the alarms:

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application.

That way if you get new ones they will be easier to see.



#60 Lamont_Cranston (Member, Topic Starter, 36 posts)

Done in Event Viewer.

EMET is version 5.0, the last to run smoothly on XP. Kept it because EMET can be customized whereas MBAE free cannot. Right now EMET is set up to complement MBAE.

I've read that pin rules from the latest version of EMET can be imported to 5.0, but I don't know how to do it and don't have time to learn. After I get an AV up and running, I'll delete the expired rules from 8/1/16.

