I’m not sure what’s wrong - something seems to be. I’m hoping the helpful crew here might be able to tell me if there is. ;D
It might be that, as seems customary with Windows, the system starts to crack up at about 2 years of age. I really don’t want to go through the whole clean install process if I can possibly avoid it. And, I want to be sure that any system backup I make any time soon can be trusted.
There was some malware detected by SAS scheduled scan (undetected by avast!), but it was over 30 days ago and is now deleted.
Also, recently found the Win32:Hupigon-ONX in an old backup made using Drive Image XML and Bart PE. That’s gone now, and so is DIX.
I can’t find any other malware by any means available to me, but I don’t know what damage may have been done by the two mentioned.
The aswMBR log saves as a .dat file. Is it supposed to do that?
I can get it to save as a .txt file by editing the file name - removing the “.txt” extension from there - before saving. Can’t attach the .dat file, of course. In part, it says “Invalid partition table Error loading operating system Missing operating system”.
Thanks Pondus.
In the meantime, I was thinking I should mention:
Last night I had a message that System File Protection had stopped working properly, and, at the same time Spybot crashed as well. I uninstalled spybot - probably should’ve done that a while ago, according to some advice I received around here.
This morning, a message about Windows Data Execution Prevention in relation to Generic Hosts File.
A string of other ‘odd’ things happening, which I don’t recall in any detail - except, machine crashed (to blue screen) twice while I was on Games.com recently. No info about drivers either time, but the first one said something like ‘paging error in a non-paged area’.
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
Thanks essexboy.
I’m assuming that the OTL Quick Scan you want is with the same settings found on http://forum.avast.com/index.php?topic=53253.0 - i.e., select All Users and paste
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
CREATERESTOREPOINT
into Custom Scans/Fixes, then Quick Scan.
Please correct me if I’m mistaken, and I’ll do it again according to more specific instructions.
The only ‘problems’ to report at this stage are:
1.) After running the Custom Fix, system failed to restart correctly. I hit OK on the ‘system needs to restart’ message which appeared, but got stuck on “Windows is shutting down…” for ages. So, I had to hit the power button to shut down and start up again.
2.) OTL then wants to run at startup, before allowing taskbar or desktop icons to load. I decided to run it and all it does is display the logfile for the fix.
3.) I don’t know why the attached file says “run - 5”. Run 2 or 3 might make more sense to me. Plus, I don’t know exactly why it doesn’t produce a new “Extras” log. I think if I reboot and delete (or rename, maybe) existing logs, then it will revert to run 1 and make a new Extras file. Also, despite using the pasted Custom Scan, if I ran OTL more than once without rebooting some of the settings were changed. Not sure if it’s such a big problem. Just saying, is all.
The “sysinternals” entries, I would have to guess, probably come from running RootkitRevealer which I did about 3 times because it ran into problems with saving anything. It wouldn’t save to desktop, as I wanted, but only to system32. Different results on each scan too, but somewhere around 100 discrepancies - most, but not all, aswSnx private storage\sfzone.…
One entry, which I can recall, was about a password protected file in system32 (showed on one scan only). It happens that it was the same file that ‘can’t be found’ if I opened Bart PE and clicked on Plugins. Can’t tell you what it was now tho.
No apparent problems at this time, thank you gentlemen. And, unless I’m imagining things, machine is running faster today.
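The /md5start … /md5stop block pasted into the OTL custom scan above asks OTL to hash every copy of explorer.exe, winlogon.exe, Userinit.exe and svchost.exe it finds under %SYSTEMDRIVE% so the helper can compare them against known-good values. The script below is an added example written for this page (it is not OTL's code and not from the forum thread) that reproduces that idea in Python: walk a root, hash every file with one of those names, and flag any copy whose hash is not in a baseline. The baseline hashes and the sample "binaries" are constructed on the fly in a throwaway directory for illustration; a real baseline would be taken from a clean install of the same Windows build, and the rogue `svchost.exe` under a user profile is a hypothetical planted file, not something reported in the thread.

```python
"""Reproduce the intent of OTL's /md5start ... /md5stop directives:
hash every copy of the watched logon-chain binaries under a root and
report the ones whose hash is not in a known-good baseline.

Added example for this page, not part of OTL or the original thread.
Baseline hashes and sample files below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path

# Names from the OTL custom scan on the page; Windows names are case-insensitive.
WATCHED = ("explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe")


def file_digests(path: Path) -> tuple[str, str]:
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root: Path, baseline: dict[str, set[str]]) -> list[dict]:
    """Walk `root` and hash every file whose name is in WATCHED.

    `baseline` maps a lower-cased file name to the set of SHA-256 digests
    known to be good for that name. Each finding records the path, both
    digests and a verdict: 'known' if the SHA-256 is in the baseline,
    otherwise 'UNKNOWN' (a tampered, outdated or impostor copy).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            key = name.lower()
            if key not in WATCHED:
                continue
            path = Path(dirpath) / name
            md5, sha = file_digests(path)
            verdict = "known" if sha in baseline.get(key, set()) else "UNKNOWN"
            findings.append({"name": key, "path": str(path), "md5": md5,
                             "sha256": sha, "verdict": verdict})
    # Unknown copies first so they are not buried in the report.
    return sorted(findings, key=lambda f: (f["verdict"] != "UNKNOWN", f["path"]))


def build_sample_tree() -> tuple[Path, dict[str, set[str]]]:
    """Construct a stand-in for %SYSTEMDRIVE%: one clean copy of each
    watched binary in Windows\\system32 (these become the baseline) plus a
    hypothetical rogue svchost.exe planted in a user profile directory.
    The file contents are placeholders, not real PE images.
    """
    root = Path(tempfile.mkdtemp(prefix="md5demo_"))
    sys32 = root / "Windows" / "system32"
    sys32.mkdir(parents=True)
    baseline: dict[str, set[str]] = {}
    for name in WATCHED:
        clean = sys32 / name
        clean.write_bytes(b"MZ clean placeholder for " + name.encode())
        baseline[name] = {file_digests(clean)[1]}
    rogue = root / "Documents and Settings" / "user" / "Application Data" / "svchost.exe"
    rogue.parent.mkdir(parents=True)
    rogue.write_bytes(b"MZ not the real thing")  # constructed impostor
    return root, baseline


def unknown_copies(findings: list[dict]) -> list[dict]:
    """Filter a scan result down to the copies that need a closer look."""
    return [f for f in findings if f["verdict"] == "UNKNOWN"]


if __name__ == "__main__":
    demo_root, demo_baseline = build_sample_tree()
    for f in scan_tree(demo_root, demo_baseline):
        print(f"{f['verdict']:8} {f['md5']}  {f['path']}")
```

Only the SHA-256 is used for the verdict; the MD5 is printed so the output lines up with what an OTL md5 block shows, but MD5 alone should not be trusted for a match decision since collisions are practical. A copy of a system binary sitting outside the directory it belongs in is worth investigating even when its hash is known, since the location itself is the anomaly.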
Hmm, well… Now you mention it: It did seem strange to me when I noticed they were all .exe files. A scanner like RR really shouldn’t make any extra exe files, I would think, temporary or otherwise.
Does that mean the “RootkitRevealer” I have is a fake too?
And the site I got it from [http://technet.microsoft.com/en-us/sysinternals/bb897445]?
Last visited August 24, apparently, so the date stamps on the files seem about right…
Not that it’s any use, I know, running RootkitRevealer without someone expert enough to interpret the results. But, after finding the hupigon-onx thing in an old backup I figured it must’ve come from something/somewhere - possibly still lurking on my machine. Did all the other scans I could first; MBAM, SAS and KVRT in Safe Mode… kind of forgot avast! BTS, tho I do run avast! scheduled scans. Just curious really to see if RR might show anything useful.
@ Pondus:
Yeah. Tho, I thought I could ‘force’ OTL to revert to run 1 somehow…
It happened once or twice. Now I’m thinking that might have been due to System Restore in the first place, plus the fact I have two copies of OTL.exe.
Whatever the case, the Extras text produced in this instance does give me a clue why my internet connection fails on boot up so often; about once a week for as long as I can remember.
Not sure what I can do about it, yet… Restarting my computer is the only ‘fix’ I found so far.
I have come across a fair few files that pretend to be Sysinternals; another favourite is Borland.
RK is legit, but there is only one exe file and that does not use a random name.
How is the computer now ?
There is a way of forcing a fresh Extras log
After that, if you want to see this output you will need to instruct the user to select either the Use SafeList or All option in the Extra Registry group before performing the next scan
Um… I was wondering too, why, as it looks, it runs some kinda ‘service’. Checked out the site http://technet.microsoft.com/en-us/sysinternals/bb897445 again, and this is what it says in the Introduction:
“…We’ve therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service.” So… I’d be guessing it is genuine after all.
Well, maybe. It is still a bit strange in that it hung after clicking Save every time, and in that it wants to save to the system32 folder. I tried twice (maybe thrice) to save to desktop. It could ‘see’ the files previously ‘saved’ to desktop. I couldn’t tho; only the one which I eventually let save in system32. Plus, different results on each scan.
Machine is running pretty good, I think, thank you. Better than me probly, anyway. lol
Giving myself a headache trying to figure if there’s any way to update Flash.ocx, or even if Flash player uses ocx any more. Secunia PSI sees all .ocx files as either ‘insecure’ or ‘end of life’. One program I know of still installs flash8.ocx. No big deal, I suppose, just trying to ‘tidy up’.
I ran into some problems earlier in the piece:
One was that running sfc /scannow ended up wiping a lot of Windows Update backup (uninst) files. I don’t remember it doing anything like that before. Update installs are all intact it seems, but there’s no way to uninstall them should the need arise. Plus, I had BIG PROBLEMS on another machine because the Norton Ghost restore disc supplied with it was missing those files (WMP rollback especially). And now I’m aiming at making a new image backup for myself, I’m wondering if it will turn out the same. I can still rollback WMP, apparently, but the installation is broken somehow. Don’t use it much but it’s still annoying that I can’t get the graphic equaliser (or any “enhancement”) to show.
The other thing was that last time I ran scans in Safe Mode it lost much of my Custom Desktop settings and my custom mouse pointers and my custom sound scheme - on normal reboot, that is. I haven’t seen it lose desktop settings on this machine before, but it was a constant occurrence on another machine I had. At the time, some MSVP reckoned it was caused by malware. I’m not convinced.
Too much information? ;D
Thanks for:
“After that, if you want to see this output you will need to instruct the user to select either the Use SafeList or All option in the Extra Registry group before performing the next scan”
And thanks for all your help.
Always much appreciated.
The good news, as far as I’m concerned and, as far as finding malware goes…
Managed to make an image of my HD (using DiscWizard from Seagate) and, after mounting it, did a custom (right-click) scan on it.
It took 3 hours to complete but, no threat found! Yay, no hupigon-onx.
Couldn’t scan a whole bunch of ‘password protected’ files. Nothing of concern tho, as far as I could see. lol There’s a zipped up rootkit sample still in my Sent Mail which I posted to you guys as undetected malware about 2 1/2 years ago.
One last thing:
Extracts from ‘virtual’ OTL log - same entries on my actual system, I think, but I suppose you would have said already if they were anything to worry about.
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
[2010/03/23 12:49:57 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Colin\Application Data\Mozilla\Extensions
[2011/05/31 16:39:47 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Colin\Application Data\Mozilla\Firefox\Profiles\c4uj0gae.default\extensions
[2011/08/28 17:55:00 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
Thanks again fellas. I’ll get out of your way now.
Yes, all happy now. And, thank you very much once again. 8) 8)
Well… As far as what can be accomplished here, I am.
I still need to figure if there’s a way to repair the Windows Update setup, and the Media Player. So, I guess I’ll be trotting along to MS Help now… :-\ :
Oh, and…
Somewhere up the page I mentioned something about OTL settings seeming to change if it is run more than once without reboot.
It happens, as I noticed since, that a couple of settings change during the Custom Scan anyway.
So, I’m all happy with that too now. ;D
Be seeing yous. Hopefully, NOT in the very near future.