A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #14184  by Quads
 Sat Jun 23, 2012 8:29 am
This is what can happen to Windows 7 after the use of OTL or Combofix, after or during the process of removal of the leftovers (attached).

Quads
Attachment: netsvcs_win7_problem.jpg
 #14185  by sUBs
 Sat Jun 23, 2012 8:42 am
Quads wrote:This is what can happen to Windows 7 after the use of OTL or Combofix, after or during the process of removal of the leftovers (attached).
I like to see this first hand. Which dropper did you use?
 #14187  by sUBs
 Sat Jun 23, 2012 9:02 am
Quads wrote:I can't remember which dropper I used, it was a few days ago. I was testing one as I had a user appear after the use of OTL on XP where the netsvcs key was stuffed. XP is easier to fix.

It's this thread that reminded me http://www.bleepingcomputer.com/forums/topic457851.html
It's okay if you can't remember which dropper. Can you tell me IF it's the malware which deleted the netsvcs key OR was it the doing of the tools?
 #14188  by Quads
 Sat Jun 23, 2012 9:18 am
It's the malware that damages the netsvcs key a fair few of the times, but also after that something is still not right, as the use of Combofix or OTL to clean up causes, after the restart, the classic mode, audio etc., like the Bleeping Computer thread shows. With XP I had to run the netsvcs fix as the last thing to do.

They have not done so on the Bleeping Computer thread yet, but Win7 is harder than XP with this problem.

Quads
 #14190  by sUBs
 Sat Jun 23, 2012 9:35 am
Quads wrote:It's the malware that damages the netsvcs key a fair few of the times
If it's malware that's deleting the key, then there's little a tool can do. Legitimate 3rd party programs may also write to such keys. Perhaps inadvisable for automated tools to over-write them with default values.

When the machine is left in such a state, the user should seek help from a trained person who would be able to advise them.
 #14192  by Quads
 Sat Jun 23, 2012 9:53 am
The key is not deleted, because the symptoms are not there to say that it is deleted. As the Bleeping Computer thread also shows, it was after running Combofix that the problem in the screenshot appeared.

netsvcs fixed once already, then

"ummm, ok. After I merged the CFscript to combofix.exe it ran then restarted the computer, but when it restarted the desktop is blank almost like it formatted. But also the task doesn't look like aero, it looks solid grey and has the old start button. and now after the combofix log finished a handle license agreement popped up for Sysinternals software. is this normal? "

Quads
 #14193  by sUBs
 Sat Jun 23, 2012 10:32 am
Quads wrote:it was after running Combofix that the problem in the screenshot appeared.
Doubt if it's ComboFix's doing. Do you have an X64 machine? Try exporting your netsvcs and compare it.
 #14195  by Quads
 Sat Jun 23, 2012 10:38 am
That's OK

I am just telling people all over to be aware of what happens after Combofix and OTL.

I am working on a thread at the moment where Combofix won't even run but just unpacks and that is it.

Quads
 #14196  by sUBs
 Sat Jun 23, 2012 10:40 am
Quads wrote:I am just telling people all over to be aware of what happens after Combofix and OTL.
Lol .. I already said it wasn't caused by ComboFix. Answer is there. Just look closer. ;)
Quads wrote:I am working on a thread at the moment where Combofix won't even run but just unpacks and that is it.
Whenever that happens, it's generally advised to double click CF once more. If/When that doesn't work, a reboot typically works.