Malwarebytes

Rootkit.ZeroAccess (PING.exe)

Tags: ZeroAccess, Rootkit, Ping, PING.exe, ip stack

126 replies to this topic

#101
Elise

    Forum Deity

  • Experts
  • 8,720 posts
  • Gender:Female
  • Location:Romania
Can you please rerun FSS and post me the new log?

Download and save McAfee Removal Tool to your desktop.

Run it to remove McAfee. After this, please restart your computer.
regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.


#102
edshead

    Regular Member

  • Honorary Members
  • 66 posts
FSS:
Farbar Service Scanner Version: 13-02-2012
Ran by edshead (administrator) on 19-02-2012 at 09:56:39
Running from "C:\Users\edshead\Desktop\fixes"
Microsoft Windows 7 Home Premium  Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Security Center:
============
Windows Update:
============
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit

**** End of log ****
Running McAfee removal and rebooting now.

#103
Elise

Any change after the McAfee removal?
regards, Elise



#104
edshead

I'm going to ignore anything my computer says to the contrary and say yes, everything is perfect. After opening my eyes, unfortunately nothing has changed. Same problems as before in Device Manager (except the McAfee driver is gone). Audio and keyboard still behave the same, but I don't know that I'd call completely not working a type of behavior. Although I don't know for certain, I believe the McAfee driver was left over from the Summer of 2010, as that was the last time I had any part of a McAfee suite installed on this computer (that was when the 24 months free with the laptop ran out). Uninstaller must've missed that driver.

#105
Elise

The problem with this infection is that it patches legitimate drivers. Whenever security software detects it, it becomes overzealous and deletes parts of the drivers from the registry. Without knowing what exactly was deleted, it is almost impossible to identify what was removed and thus what needs to be "put back".

That means, unfortunately, that there is very little we can still do about this (what would be necessary is the equivalent of a repair installation, a handy option available in XP, but no longer for Vista/7).

One last thing you could try is to completely uninstall and reinstall Service Pack 1 for Windows 7. I cannot guarantee that will solve the problems, but it is the last thing that has a reasonable chance of working that we still haven't done.
regards, Elise



#106
edshead

If this is a problem with the uninstall of Comodo and AVG (so the logs are unintelligible), I could always reinstall them to get a look at the logs if that could point us to the issue.

If you want to go the SP1 route, I'll go that route. If it would be helpful to go with the reinstall of the overzealous scanners in order to read logs, I can do that as well. Let me know. I'm guessing SP1 is easier because it doesn't require diving through any more logs.

Worst case, and all of this fails, what next? I realize it's likely still a long way from the root of the problem. But for things like my Wireless card, that's depending on WLAN Service which won't run because of the ndisuio.sys issue that is in the Non-PnP drivers area you had me look into. I haven't ever traced a driver issue this deep into the O/S, but it seems like you probably have. Is it worth me following these down the line to the root, or from your experience, do you know if I'm going to bump into some MS binary that's custom to my system 15 steps down the line which prevents further tracing/troubleshooting? If that's the case, I guess I'm forced to go with the reinstall.

#107
Elise

I don't remember right now, but regarding the wireless card, did you try to reinstall the drivers for that (by downloading them from the manufacturer's website)?

It is not certain that Comodo/AVG have actually stored the information, but it is possible. I would first try the SP1 uninstall and after that reinstalling the applications.
regards, Elise



#108
edshead

First off, bad news. Can't uninstall SP1. Not sure if that's because I used a Win7 SP1 DVD to upgrade from Vista, or if it's because the pre-SP1 files got deleted at some point. Bottom line, I don't have the appropriate KB update available in "installed updates" in order to remove SP1. Using wusa at the prompt also doesn't work. Oh well.

Reinstalled AVG & Comodo, and the only log for an AVG scan where something turned up is attached. (AVG is actually semicolon-delimited, but it didn't let me upload csv files.) Comodo looks to have taken its log files with it when it uninstalled, or overwritten them in the reinstall. Still searching, but it's not looking good.

Also, a majority of the damaging crashes happened while combofix was running. That is, it would be running with the /nombr switch, freeze, and I'd have to do a hard reboot. I'm nearly certain that's what caused the damage, as the initial failures happened immediately after each one of those reboots. First, CFscan, keyboard mouse go out, scan again, audio goes out, scan again, wireless goes out. It's one of the things that drove me here.

Additionally, had another idea for pre-reinstall. I still have major problems in the attached sfctodo.txt according to SFC. I don't think SFC is working. We already knew that some of the files it has are corrupt and thus it's not copying them. It also looks like it's setting up "pending renames" that never actually execute. (I've checked for the folders that they should be renamed to, and they're not there.)

I've found instructions on mounting the install image off of the install DVD within the recovery environment. (These detailed instructions fix a specific issue, but it can be generalized to other windows system files. And unfortunately I can't find a similar example in Win7, but it works the same.) My thoughts were to create a text file with commands to fix each issue (cmd1: rename old file to back it up, cmd2: apply fix by copying from DVD, cmd3: append to log that it completed those two commands). Reason I'm not doing that in a batch file is that I'm using a batch file to wrap that text file, so I can use a loop to check for a non-0 exit from each command, and if a given command does exit with an error, append error/command that caused error to the log file, and ECHO something like, "You'd save yourself any more of a headache if you just reinstalled already." It's a bit of a shot in the dark, but I figure that if Windows (sfc) is identifying core problems for me where there is something specific I can do (execute the commands that it's trying to), that might be better than digging around from the GUI. With backups of each of the things I'm touching, along with the fact I probably have to reinstall anyway, I'm not seeing many drawbacks other than the time suck. I welcome your thoughts though.

Thanks again. You're the best!

P.S. I'm glad I hit 50 posts in this thread. I was half-way to my old 20mb upload quota. 150mb quota should get me through at least another couple days of this.



#109
Elise

In this case you indeed cannot reinstall SP1.

Can you look for the contents of c:\windows\erdnt\subs?
regards, Elise



#110
edshead

Didn't see ERDNT\subs. "dir /s" from \ERDNT\ attached.

Also, regarding wireless. Wireless adapter itself is fine, loading and showing no error in Device manager. Shows up in network connections as well. The WLAN service isn't starting though due to the ndisuio service not starting.

I did try to reinstall the driver, and reached the same result.



#111
Elise

Before doing this, please make a new registry backup with ERUNT!

You can download and import the ndisuio service from here: http://download.blee...s/7/Ndisuio.reg
regards, Elise



#112
edshead

That fixed my wireless access!!!!

Thank you!!!!

#113
Elise

Glad to hear that! :)

Can you list the drivers that, according to Device Manager, are still missing? We might be able to put those back as well.

regards, Elise



#114
edshead

Here's the Details tab of each device that Device Manager is giving a Code 39 error on. Additionally, I provided the driver details, which include the driver file list for each device.

As a recap:
  • Built-in keyboard has always used the default Windows driver as far as I know. I can't find a proprietary Dell driver for it anywhere. (Attached: ps2keyboard.jpg)
  • Touchpad does use a Dell driver, and I've installed the most current one from Dell's support site. That's the driver that gives the details you're looking at there. (Attached: mouse.jpg)
  • HD Audio driver: Made by Sigmatel (now IDT). Ever since I got the laptop, if I reinstalled Windows, or otherwise lost the driver, I had to use Dell's update for that. For my computer, the appropriate Dell update is R190517. Rather than attach the 8mb driver, you have a directory listing for the extracted Dell package. Installing the Sigmatel software from that Dell package now gives me an error saying I don't have that device. Similarly, pointing Windows' "update driver" at that folder says that it doesn't contain anything for my device. (Attached: r190517.txt)
    • Note, the above update is for Windows Vista. There isn't one for Win7, and using the Vista driver in Win7 means the external mic jack doesn't work (which I use). The solution I found was installing a driver for a slightly newer device from IDT, which worked flawlessly. That is Dell update R226903, and a directory listing for that 24mb package is also attached. Right now, I get the same problem with this package as the one above, where it doesn't recognize the device, and Windows doesn't recognize it as being an appropriate driver. (Attached: r226903.txt)
Thanks for your continued efforts!!!!



#115
Elise

While they are present, let's just merge the other services as well (except for Dell, as these are not available). Don't forget a registry backup:

http://download.blee.../7/HDAudBus.reg
http://download.blee.../7/i8042prt.reg
http://download.blee...s/7/usbehci.reg
regards, Elise

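An added check, not part of the thread and not from Elise, OTL or any tool mentioned here: after merging service keys the way the Ndisuio.reg in post #111 and the three .reg files above do, this PowerShell script first exports a backup of each existing key with reg.exe (the same idea as the ERUNT backups, scoped to one key), then reports whether each driver service key exists, whether its Type/Start values look like a stock Windows 7 install, and whether the binary named in ImagePath is actually on disk. The expected Type/Start values and the backup folder are assumptions made for this example; confirm the values against a known-good machine.

```powershell
# Added example, not part of the original thread. For each driver service the
# .reg merges above recreate, export a backup of the existing key, then report
# whether the key exists, whether Type/Start look like a stock Windows 7
# install, and whether the binary in ImagePath is present on disk. Expected
# values and the backup folder are assumptions; run from an elevated prompt.

$expected = @{
    'ndisuio'  = @{ Type = 1; Start = 3 }  # NDIS user-mode I/O; WLAN AutoConfig depends on it
    'i8042prt' = @{ Type = 1; Start = 1 }  # PS/2 keyboard and mouse port driver
    'HDAudBus' = @{ Type = 1; Start = 3 }  # High Definition Audio bus driver
    'usbehci'  = @{ Type = 1; Start = 3 }  # USB 2.0 enhanced host controller
}
$backupDir = Join-Path $env:USERPROFILE 'Desktop\servicekey-backups'   # assumed location

function Resolve-ImagePath([string]$imagePath) {
    # Driver keys store ImagePath relative to the Windows directory, e.g.
    # "system32\DRIVERS\ndisuio.sys", or prefixed with \SystemRoot\ or \??\.
    $p = $imagePath -replace '^\\SystemRoot\\', ''
    $p = $p -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Backup-ServiceKey([string]$name, [string]$dir) {
    # One .reg per key, timestamped, so a bad merge can be reverted precisely.
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    $out = Join-Path $dir ('{0}-{1:yyyyMMdd-HHmmss}.reg' -f $name, (Get-Date))
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$name" $out /y | Out-Null
    return $out
}

function Test-DriverService([string]$name, [hashtable]$want) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $key)) {
        return New-Object PSObject -Property @{ Service = $name; Status = 'KEY MISSING'; Binary = $null }
    }
    $v = Get-ItemProperty -Path $key
    $problems = @()
    if ($v.Type  -ne $want.Type)  { $problems += "Type=$($v.Type) (expected $($want.Type))" }
    if ($v.Start -ne $want.Start) { $problems += "Start=$($v.Start) (expected $($want.Start))" }
    $file = $null
    if ($v.ImagePath) {
        $file = Resolve-ImagePath $v.ImagePath
        if (-not (Test-Path $file)) { $problems += "binary missing: $file" }
    } else {
        $problems += 'no ImagePath value'
    }
    $status = if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
    New-Object PSObject -Property @{ Service = $name; Status = $status; Binary = $file }
}

$results = foreach ($name in $expected.Keys) {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name") {
        Backup-ServiceKey $name $backupDir | Out-Null
    }
    Test-DriverService $name $expected[$name]
}
$results | Format-Table Service, Status, Binary -AutoSize
```

Run it from an elevated PowerShell prompt before and after the merge. A KEY MISSING row is exactly the condition a .reg import fixes; a row whose binary is missing means the key alone will not bring the device back and the driver file itself has to be restored. Get-AuthenticodeSignature is deliberately not used here: inbox drivers on Windows 7 are catalog-signed rather than carrying an embedded signature, so it reports them as NotSigned and would only add noise.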


#116
edshead

Following numbered section is to document your great work.
  1. I backed up the registry with ERUNT as I started above. Then, I imported i8042prt.reg. Reboot.
  2. Keyboard works. Backup registry again with ERUNT. Import usbehci.reg. Reboot.
  3. No change in functionality. Backup registry again with ERUNT. Import HDAudBus.reg. Reboot.
  4. No change in functionality. Still, I check Device Manager and I see that the Code 39 errors are gone. Windows thinks that the Audio Codec and Touchpad are running fine.
  5. I uninstall the Dell Touchpad. Reboot. It auto-detects Dell Touchpad. It installs it, but it's still not working. I go to Device Manager and tell it to uninstall and tell Windows to remove the driver software. Reboot. Install Touchpad driver from the Dell driver package mentioned above. (I think it's R286???) Reboot. Touchpad works.
  6. I install the IDT package (R226??? above). Reboot. Sound works.
Okay. So now that we have all the old problems done, here's a couple of new ones that popped up. At some point a window started popping up trying to open the file Ed. (no extension.) It asked for a program to open with. I opened with notepad, and it's a blank file. Is this possibly where the rootkit might've been doing the logging? (Attached: OpenOnStart.jpg)

Also, I got a pop up from AVG saying autochk.exe was infected, but it wouldn't clean it because it's a system file. Both a log from AVG (actually not txt, it's csv if you want) that shows the detection as well as an MBAM scan of that file are attached. MBAM picks up nothing.



#117
edshead

Sorry. That window that is in the image above pops up on startup. Thanks again, so much, for all of your help!!!

#118
Elise

I'm glad to hear the registry fixes worked (strange though because the services were in fact present...).

Autochk.exe was also flagged in the File protection log you posted me, so it might be good to replace it.
Can you please download a new copy of combofix at this point and run it? If AVG flags autochk.exe, so may combofix.
regards, Elise



#119
edshead

I was having problems with chkdsk running on restart, and I believe it would've been autochk that ran at that point so it would make sense that it's not in good health.

Here's the combofix logs (quarantine log included). Note, I had a crash when I ran it the first time (froze like previous), so I ran with /nombr. Then I kicked myself a bit for not doing that the first time.



#120
Elise

Sorry, I didn't think to add that to the instructions either. :)

Can you please run the following OTL custom scan? Run OTL and copy/paste the following in the fix field. Click the NONE button and then Run scan.
/md5start
autochk.exe
/md5stop

regards, Elise

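The FSS file check in post #102 ("MD5 is legit") and the OTL /md5start scan above both come down to hashing a system file and comparing the result with a known-good copy. As an added example, not from the thread, from Elise, or from FSS, OTL or ComboFix, the following PowerShell script hashes the files FSS listed plus autochk.exe and compares each with the copies held in the WinSxS component store. The file list, the assumption that store payloads sit one directory below winsxs, and the fsutil output format it parses (volume-relative paths, one per line) are all assumptions made for this example.

```powershell
# Added example, not part of the original thread. Hashes the system32 files
# that FSS checks (plus autochk.exe, the target of the OTL /md5start scan) and
# compares each against the copies kept in the WinSxS component store. Uses
# .NET MD5 directly so it also runs on the PowerShell 2.0 that ships with
# Windows 7 (Get-FileHash only exists from 4.0). Run from an elevated prompt.

$files = @(                                  # assumed list, taken from the FSS log
    'system32\autochk.exe',
    'system32\Drivers\tcpip.sys',
    'system32\Drivers\afd.sys',
    'system32\Drivers\ndisuio.sys',
    'system32\dnsrslvr.dll',
    'system32\svchost.exe'
)

function Get-Md5([string]$path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try     { ($md5.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-HardLinkPaths([string]$path) {
    # system32 files are normally hard links into WinSxS, so a store copy that is
    # the same link proves nothing: an in-place patch changes both. fsutil lists
    # every link to the file as a volume-relative path (output format assumed).
    $drive = Split-Path $path -Qualifier
    & fsutil.exe hardlink list $path 2>$null |
        Where-Object { $_ -match '^\\' } |
        ForEach-Object { ($drive + $_).ToLowerInvariant() }
}

function Compare-SystemFile([string]$relative) {
    $live = Join-Path $env:SystemRoot $relative
    if (-not (Test-Path $live)) {
        return New-Object PSObject -Property @{ File = $relative; Verdict = 'MISSING'; MD5 = $null; Independent = 0 }
    }
    $liveHash = Get-Md5 $live
    $links    = @(Get-HardLinkPaths $live)
    $leaf     = Split-Path $live -Leaf
    # Store payloads sit directly in their component folder: winsxs\<component>\<leaf>.
    # Copies that are the same hard link as the live file are excluded.
    $copies = @(Get-ChildItem -Path (Join-Path $env:SystemRoot "winsxs\*\$leaf") -ErrorAction SilentlyContinue |
                Where-Object { $links -notcontains $_.FullName.ToLowerInvariant() })
    $matching = @($copies | Where-Object { (Get-Md5 $_.FullName) -eq $liveHash })
    $verdict = if ($copies.Count -eq 0)       { 'no independent store copy' }
               elseif ($matching.Count -gt 0) { 'matches store copy' }
               else                           { 'NO MATCH - inspect' }
    New-Object PSObject -Property @{ File = $relative; Verdict = $verdict; MD5 = $liveHash; Independent = $copies.Count }
}

$files | ForEach-Object { Compare-SystemFile $_ } |
    Format-Table File, Verdict, Independent, MD5 -AutoSize
```

Two caveats a practitioner will want. First, "no independent store copy" is the normal state for a file that has never been updated, because the only store copy is the same hard link as the live file; the MD5 column is there so the value can be compared with the same file on a clean Windows 7 SP1 x86 machine or with the hash OTL prints. Second, a match against an independent store copy only shows the file equals some version Windows once installed, not that it is the current one; the built-in `sfc /verifyonly` is the authoritative check when SFC itself is healthy, which, as the thread shows, is not a given on a machine like this one.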