Jsmply asked:
Combofix says null.sys is missing, is this a problem and where can it be restored from?

Hi everyone,

Combofix was recently run on a workstation as a follow-up to MBAM finding some minor spyware infections.  Combofix didn't end up deleting anything, but it does report the following that is somewhat alarming:

"c:\windows\system32\drivers\null.sys . . . is missing!!"

Is this a problem?  When the machine first boots up it tells me that "To help protect your computer, Windows has closed this program" and that program is "Generic Host Process for Win32 Services."

Once clicking "Close Message" the machine seems to act just fine.

The combofix log is attached.  I only have remote logmein access to this workstation right now so if there are any repair suggestions, please keep that in mind.

Thanks!
ComboFix.txt
johnb6767

In logmein, under the preferences before you take control, choose the reboot option of Safe Mode, and reboot it. Then remote the PC again, and run combofix.....
Sounds like a DEP error on startup actually......
Go through your startups and see if you can isolate the problem.....
How to perform advanced clean-boot troubleshooting in Windows XP
http://support.microsoft.com/kb/316434

In MSConfig
I would disable all items under Startup, and retest.....
If it still fails, disable all non-MS services....
If it still fails, disable the services, except for Protected Storage. Then retest....

Can you replace the null.sys from another machine? Or, see if you have a copy in c:\windows\system32\dllcache.....
Jsmply (ASKER)
Are all null.sys files the same?  I'd be afraid to copy over the wrong one and render a BSOD or something. The machine at least works fine now. Any idea what null.sys does and is it essential?
It could be that the file has been patched and deleted by your antivirus.
It looks like a file patcher or virut might be present in the system as the CF log also shows that a lot of system files had failed the sigcheck.

Try scanning with DrWebCureIt, or Kaspersky's online scanner, or Nod32, to check for file infectors.
http://www.freedrweb.com/
http://www.kaspersky.com/virusscanner
You could also submit at least 3 of these files to confirm that a file infector is present:
http://virusscan.jotti.org/
winlogon.exe
svchost.exe
userinit.exe
termsrv.dll
services.exe
lsass.exe
Jsmply (ASKER)
Thanks RPG. What is a file inspector?
Jsmply (ASKER)

My fault, you said infector. I misread it as inspector. Anyway, at one point the machine had infections that MBAM and Combofix removed prior to the most recent log I posted. Now MBAM and Combofix are coming back clean and the Trend Micro monitor that's running on the machine doesn't seem to be picking anything up. The user is telling me the machine is running fine right now. Should I push the issue?  Would the virus/file infector be something that MBAM and the real-time scanner from Trend Micro would not notice?  What does it mean when you said the files failed the sigcheck?
ASKER CERTIFIED SOLUTION
johnb6767

This solution is only available to members.
Jsmply (ASKER)

Thanks John.  That clears up what null.sys is used for.  Could that be why "Generic host processes for Win32 services" has to close every time the machine first boots up (after login), but after that runs fine?

Either way, I have a new dilemma/question here for RPG and John.  The user of the machine (like most of the users I support here) is very fanatic about not having their machine available.  They are very sensitive and don't like it out of their office after hours, etc.  After the fix I performed (Combofix and MBAM with the above log attached) the machine seems to run fine, other than that generic host processes message when you first boot up.  If I ask for the machine back from the user and cause them more downtime, they look at me like I'm doing my job less because I'm causing more downtime.  However, if I know for certain it's going to be crashing and having problems because of what you see in that log, it's better to do that than have it fail again on them later.

So I guess the question is, is anything in that log alarming that is going to cause problems if MBAM and Combofix seem to think it's clean now (and Trend Micro Real-Time Anti-Virus is running)?  RPG mentioned several files failing the sigcheck.  Is that something that needs to be fixed?  How would I go about that?  Thanks!
I suggested for those system files to be checked because all of those had failed the sigcheck.

Failing the sigcheck means failing the digital signature which could mean that those files might be patched, or that the catalog is corrupt, or that the cryptographic services weren't running at the time of those checks.

Since Combofix was able to run completely there is nothing to cause concern for virut, unless it's another file infector. I'm not sure about MBAM but Trend should notice any file infector.
Since the PC is running fine, maybe a corrupt catalog was the cause of those files failing the signature check.
<<<"Is that something that needs to be fixed?  How would I go about that?">>>

All that's needed is for the online scanners to confirm that those files (even just 3 of those will do) are clean. If 3 are clean, most likely the rest are also clean.
If they are clean then nothing needs to be done on them.
Jsmply (ASKER)

Thanks. So Combofix would have found virut or sality if it was there?  What about a file infector?  Would Combofix pick that up?  Either way the machine seems to be okay, other than the generic host processes having to be closed message when you first boot up. The user's complaint actually wasn't spyware related I don't think, they were complaining that they occasionally lose the network connection on that machine. I just ran Combofix and MBAM to be safe while I was on the machine. I believe the network connection problem was an IP conflict as it was the only computer on the network not using DHCP and there are frequent power outages there, etc. I just became concerned based on the log.
Jsmply (ASKER)

Thanks RPG. Next time the user has a complaint I can scan those files. Right now I don't have access to the machine though without their supervision (they are very sensitive about their data) and I didn't want to alarm them and go asking to scan files unless we thought there was a problem. It's weird I know, but they are the bosses.
SOLUTION

This solution is only available to members.
Jsmply (ASKER)
Thanks for continuing to reply RPG.  You really are an asset to EE.  I hope wherever you are employed you are highly compensated, because you are awesome!  

Anyway, I did some digging and this machine has had Combofix run once (and only once) before about a month ago.  Here is the original log.  I don't see CF deleting null.sys or anything like that. Just a bunch of installer files.  

I'm not sure if seeing the old log and what Combofix removed last time helps at all?
oldlog.txt
Jsmply (ASKER)
Actually, not sure how I missed that.  The CF log from a month ago clearly shows CF did delete null.sys.  Please see the above log.  Thanks!
c:\windows\system32\drivers\beep.sys
c:\windows\system32\drivers\null.sys

Thanks for that log, good job.
Yes, Combofix deleted null.sys as well as beep.sys. I would only assume that the beep.sys and null.sys were infected or patched, and that's why those were deleted. It's also possible that CF had false positives when flagging those files (I hardly think so but it does happen).

What you could do is scan the null.sys from the quarantine folder and see if it really was infected, and if it's clean and was a false positive you can then restore it.
C:\Qoobox\Quarantine\c:\windows\system32\drivers\null.sys.vir

<<<"You really are an asset to EE.  I hope wherever you are employed you are highly compensated, because you are awesome!">>>

Thank you!... that means a lot to me....
Excellent feedback like yours is a great bonus for me to keep on volunteering here at EE.
I very much appreciate it, thanks.

Jsmply (ASKER)

Thanks RPG!  So that solves the null.sys mystery.  Do you see in that original log where it says Cryptographic Services Error under SigCheck?  Could that shed any light as to why it's showing all those SigCheck failures in the new log?  I'm concerned that might be why the user was having network issues before.

Maybe I'm being paranoid and should just consider this closed?  :)
Well done... yes the original log says 'cryptographic error'.
Jsmply (ASKER)

Thanks.  So do you think the cryptographic error in the first log is related to the sigcheck failure on the second log?  I'm trying to figure out if I should be worried about the sigcheck failures and if that might be causing more problems with the machine.

Thanks for sticking with me.  I'd subscribe to EE just to have access to your advice (and everyone else who helped in this thread)!
SOLUTION

This solution is only available to members.
Jsmply (ASKER)

Ah okay, so that means that the sigcheck problem has been there for over a month then.  Just possibly more files found last time . . . not sure what to do from here.  I guess I can only wait and see what happens.  If they are "patched" does that mean they are infected and presumably will not run correctly?
Jsmply (ASKER)

Like I said, the reason I was asked to look at it to begin with was random problems like occasionally not being able to access network resources, sometimes they can't print (from other workstations) to the shared printer on this machine in question, et cetera.  I just assumed it was an IP address conflict issue; once I set it back to DHCP it seemed to resolve everything.
SOLUTION

This solution is only available to members.
Jsmply (ASKER)
Thanks.  It is running fine now, I just don't want the user to page me 3 days from now and tell me it crashed in the middle of a meeting or something important.  

When I was using it yesterday, it was able to surf the web, run Combofix, open Outlook, access network shares, etc.  
There can be many possible causes when a system 'crashes': rootkits, software conflicts, hardware, etc. Since we only have the ComboFix log to go on, that also doesn't rule out stealthy hidden nasties that don't show up in the CF scan.

When you have access to the system again just check to make sure that the Cryptographic Service (CryptSvc) is not disabled, and if it's broken you can also try fixing it.
http://icrontic.com/articles/broken-cryptographic-service

Hopefully it won't crash, fingers crossed.
Good luck, :)
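The two checks suggested across this thread (whether CryptSvc is running, and whether the system files that failed sigcheck are really tampered or just failing because of the crypto service or a corrupt catalog) can be scripted. The following is an added example, not code from the thread or from ComboFix; it assumes a Windows machine with PowerShell 2.0 or later and an elevated prompt, and takes the file names, the driver names (null.sys, beep.sys) and the dllcache path from the posts above. Note that on older Windows PowerShell, catalog-signed Microsoft binaries are reported as NotSigned because Get-AuthenticodeSignature only checks embedded signatures there, so a NotSigned result alone is not evidence of patching; the dllcache hash comparison is the more useful signal on such a box.

```powershell
# Added example (not from the thread). Defender-side checks for the symptoms
# discussed above: CryptSvc state, Authenticode status of the files that
# failed sigcheck, drivers vs. their dllcache copies, and recent service
# start failures in the System event log.

$system32 = Join-Path $env:SystemRoot 'system32'
$drivers  = Join-Path $system32 'drivers'
$dllcache = Join-Path $system32 'dllcache'

# File names come from the thread (the ones RPG said failed sigcheck).
$filesToCheck = 'winlogon.exe','svchost.exe','userinit.exe','termsrv.dll','services.exe','lsass.exe'
# Drivers ComboFix deleted and the asker restored from dllcache.
$driversToCheck = 'null.sys','beep.sys'

# 1. Cryptographic Services. Signature checks cannot succeed while it is
#    stopped, which is one of the three causes of a failed sigcheck named above.
function Get-CryptSvcState {
    $svc = Get-Service -Name CryptSvc -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'missing' }
    return $svc.Status.ToString()          # 'Running', 'Stopped', ...
}

# 2. Authenticode status of each file. 'Valid' chains to a trusted root.
#    'NotSigned' on older PowerShell usually means the file is catalog-signed
#    (or the catalog is corrupt), not necessarily that it was patched;
#    'HashMismatch' means the embedded signature no longer matches the bytes.
function Test-SystemFileSignatures {
    foreach ($name in $filesToCheck) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        New-Object PSObject -Property @{
            File   = $name
            Status = $sig.Status.ToString()
            Signer = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
        }
    }
}

# SHA-256 via .NET so this also works where Get-FileHash (PS 4+) is absent.
function Get-FileSha256([string]$Path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

# 3. Compare live drivers with the protected copies in dllcache. A mismatch
#    means the live file was modified (or restored from a different build);
#    'MISSING' on the live side reproduces the "null.sys is missing" finding.
function Compare-WithDllcache {
    foreach ($name in $driversToCheck) {
        $live  = Join-Path $drivers  $name
        $cache = Join-Path $dllcache $name
        $hashLive  = $(if (Test-Path $live)  { Get-FileSha256 $live }  else { 'MISSING' })
        $hashCache = $(if (Test-Path $cache) { Get-FileSha256 $cache } else { 'MISSING' })
        New-Object PSObject -Property @{
            Driver        = $name
            LiveSha256    = $hashLive
            CacheSha256   = $hashCache
            MatchesCache  = ($hashLive -eq $hashCache -and $hashLive -ne 'MISSING')
        }
    }
}

# 4. Service Control Manager errors such as the "%%1290" entries the asker
#    saw. This only lists them; it does not decode the error code.
function Get-RecentServiceStartFailures([int]$Newest = 300) {
    Get-EventLog -LogName System -Source 'Service Control Manager' -EntryType Error -Newest $Newest |
        Where-Object { $_.Message -match 'failed to start' } |
        Select-Object TimeGenerated, Message
}

"CryptSvc state: $(Get-CryptSvcState)"
Test-SystemFileSignatures      | Format-Table File, Status, Signer -AutoSize
Compare-WithDllcache           | Format-Table Driver, MatchesCache, LiveSha256, CacheSha256 -AutoSize
Get-RecentServiceStartFailures | Format-Table -Wrap
```

Run it before and after repairing CryptSvc: if the Authenticode results change from NotSigned to Valid once the service is running, the earlier sigcheck failures were a crypto-service problem rather than tampering, which is the distinction the thread turns on. Files that still mismatch their dllcache copy with CryptSvc healthy are the ones worth submitting to the online scanners named above.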


Jsmply (ASKER)

Hi RPG,

I spoke with the user today and they said they have been using the machine and have not had any issues yet.  They also installed some research software and it went through smoothly as well.  The only comment they had is that occasionally the machine would lose connection to the network, meaning it had no access to network shares, Exchange, network printers, etc.  A reboot always solved this.  Again, I assume this was related to the DHCP issue I mentioned earlier.  They cannot recall if it's happened since I made that change.  However, do you think the file infector or the files that failed the sigcheck could cause this?  I do notice tcpip.sys is one of the files that failed sigcheck.  I'm not sure if this would be normal symptoms though.  Again my initial guess was it was a DHCP issue because every other machine we have set to obtain an IP automatically but this machine had a manual IP (although in the valid range) and the OpenDNS DNS servers listed, which I'm assuming may have been causing an issue with the domain server.

Still I thought it was worth mentioning in case it sounds like something the patched file would do.  
SOLUTION

This solution is only available to members.
Jsmply (ASKER)
Okay RPG, I finally got on that machine again.  The user had a quick question so while I was there I did a quick scan of the files you said to check.  You said to check 3 files, I went ahead and checked all of them at http://virusscan.jotti.org/ and got good news!

winlogon.exe - PASSED 0 infections found
svchost.exe - PASSED " "
userinit.exe - PASSED " "
termsrv.dll - PASSED " "
services.exe - PASSED " "
lsass.exe  - PASSED " "


I think the issue is the Cryptography services as you mentioned.  I checked the Event Viewer and the following error shows up a lot during the day:  

"The CryptSvc service failed to start due to the following error:
%%1290"

However, I didn't want to try your repair link until I posted this to you first as I wanted to find out how essential it is and what the risk is?  This computer seems to run just fine right now, so I wanted to find out how essential Cryptography services is and if there is any risk in repair.  It will be tough to convince the boss that his machine was running fine before, I fixed something that he didn't see causing a problem, and it caused it to become unstable.  

Thanks!
Jsmply (ASKER)

Well good news and bad.  The good news is that I went ahead and restored null.sys and beep.sys from the c:\windows\system32\dllcache folder, but I continue to see this in the event log when booting up:

"The following boot-start or system-start driver(s) failed to load:
Beep
Null"

I also ran the suggestion that RPG gave for using the info here: http://icrontic.com/articles/broken-cryptographic-service to try and repair the Cryptographic services and it did not work, they still won't start and give the same "The CryptSvc service failed to start due to the following error:
%%1290" error.  If it's relevant, the event log also shows "The Security Center service failed to start due to the following error: %%1290" right after the CryptSvc error as well.

Are there any other suggestions I can try?  The machine does run fine, reboots fine, I have LogMeIn access again, etc.  Question is, what will not having those services run long term do?  Does it matter?  The user's primary concern was addressed at least and the malware was removed.
Jsmply (ASKER)

What can I say, thanks to all contributors, but once again especially RPGgamergirl.  Thank you so much for sticking with my threads.  For those interested, I ended up starting a separate EE thread on the cryptographic services issues and that didn't yield anything.  I ended up speaking with one of the authors of Combofix and they helped me get going again.  They were NOT aware of this issue at the time, at least on a Windows XP2 machine.  I had to make some regedit changes and use Combofix for the repair after it was updated to address the issue.

Thanks again JohnB for explaining about Null.sys and RPG for sticking with me till the end.  Once again I think RPGgamergirl is worth the EE subscription price alone!
Hi Jsmply,

Sorry for my absence.
Glad to know you've got the issue resolved.
They (malware experts) think that a tool is going round writing incorrect values to MS services that causes Cryptographic services to malfunction, but it might also be caused by this new "win32k.sys:1" infection also going round. Combofix Ver_09-08-03.09 attempts to fix the Crypto service but it doesn't always work so in some cases a reg fix is also needed.

Thanks for the points and awesome feedback so kind of you, much appreciated, :)

Thank you for using Experts-Exchange!


Jsmply (ASKER)

Hi RPG. I assume all versions going forward of Combofix (not just that version) will also contain the fix (and possibly expand on it)?
Yes, all versions from ver_09-08-03.09 upward would.
This new infection affects the WMI...
It's a tough one since there is no tool for it yet.. Combofix and Rootrepeal developers are working on it.