Trojan (sirefef, zaccess), System restore error 0x800423F3, Desktop ic


This topic is locked.

#1 chromejael (Member, 74 posts)

Hi, I will try to simplify the details as best as possible.


- 10 days ago -

My Windows Vista had a sudden influx of Trojans coming in, because my Trend Micro Antivirus was popping off alerts like mad. At the time I was surfing harmless sites, like Imageshack, and a few forums I've been visiting daily for 3 years with no problems.

I then realized my Trend Micro firewall had been turned off. Attempted to manually turn on firewall, but it refused to activate.

- Solution -

I physically unplugged my ethernet cable, and manually turned off the wireless/bluetooth (My HP laptop has a physical wireless switch on the front panel) to prevent any more unwanted intrusions by the viruses/Trojans. Then I ran a complete virus scan, 1st with "Trend Micro Internet Security Pro", followed by "Malwarebytes Anti-Malware" (I have both programs installed on my PC; scans were not run simultaneously, Trend Micro 1st, then Malwarebytes). Both programs had each managed to detect/quarantine/delete a few Trojans. I then attempted to re-activate my Trend Micro Firewall, but was still unable to activate it.

I plugged the ethernet cable back in to search for a solution to my firewall before I did anything else. I managed to restore my Trend Micro firewall after using the solution provided in this article - http://www.hageltech...e-problems.html .

Coincidentally, I found out my System Restore capabilities had also been "messed up" by the attacks. As the solution to the firewall problem required Registry changes, I wanted to create a "Restore Checkpoint" before proceeding, and that was when I found out that System Restore had also been compromised by the attacks. I went ahead and performed the Registry changes anyway, and successfully restored my Trend Micro firewall.

Then, I did another round of full virus scans with my pair of programs, and they found a few more viruses.

I ran a final virus scan with the pair of softwares, and my PC was finally free of any Trojans/Viruses.


- Current Status -

I still cannot create new System Restore Points. Here is the error message after System Restore fails to create a new checkpoint: "The writer experienced a transient error. if the backup process is retried, the error may not reoccur ( 0x800423F3)". I have tried a solution that required renaming the repository folder, among one of the steps, but still no change.

My desktop icon arrangement is now arranged in a "default" position, where all icons are placed from left to right. Placing an icon in the middle of empty space, followed by clicking "refresh", will result in every icon going back to this default position. This problem extends to every folder in the PC. All folders now remain in a certain default view. Changing to a different view (thumbnails/details) or changing the column arrangements will all disappear when you close the window and come back, refresh, or boot up the computer each time. As if all the folders cannot remember custom folder configurations.

The firewall fix was done simply by downloading the registry files (one for the "Base Filtering Engine", and one for the "Windows Firewall"), double-clicking them, and clicking yes. However, I only performed the fix for the Base Filtering Engine, not the Windows Firewall, at the time. Now that the fix looks fine, should I proceed with fixing the registry for the Windows Firewall as well?

As for Trojans/Viruses, I presume there are no more since I ran both Antivirus softwares, and came back clean. Although, I might be wrong.

Here are the names of the Trojans/Viruses that were quarantined by my softwares (All of these are confirmed via date, as there are many other "Date-less" quarantined viruses in the list):

Trend Micro

troj_spnr.0cef12
troj_sirefef.DD
troj_zaccess.eox


MalwareBytes

trojan.bitminer
trojan.zaccess
spyware.password


My hopes are that Geeks to Go can help me fix my System Restore back to working condition, restore my folders/icons to their original integrity, confirm that my firewall fixes are correctly done, and once and for all confirm that there are no more traces of Trojans/viruses on my PC.

Thank you in advance to the kind person that helps me out!

Edited by chromejael, 12 June 2012 - 08:06 AM.

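An added example (not part of the original post or of the forum's fix) for the restore point error quoted above. 0x800423F3 is VSS_E_WRITERERROR_RETRYABLE, so before renaming repositories it is worth seeing which Volume Shadow Copy writer is failing and whether the services System Restore depends on are still present and enabled. This PowerShell 2.0 script (Vista-compatible, run from an elevated prompt) checks the VSS and swprv services, parses the output of `vssadmin list writers`, and then attempts the failing operation with Checkpoint-Computer. The service list and the restore point description are my assumptions for illustration.

```powershell
# Added example, not from the thread: check the services and VSS writers behind
# "The writer experienced a transient error (0x800423F3)", then try to create a
# restore point. Run elevated. PowerShell 2.0 compatible (Vista).
# 0x800423F3 is VSS_E_WRITERERROR_RETRYABLE, so the writers are the first thing to look at.

# 1. The two services a restore point depends on: VSS and the software shadow copy
#    provider (assumed list; both are standard Vista service names).
foreach ($name in 'VSS', 'swprv') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output ("{0,-6} MISSING (service entry deleted or hidden)" -f $name)
        continue
    }
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    $flag = if ($mode -eq 'Disabled') { '<- should be Manual' } else { '' }
    Write-Output ("{0,-6} {1,-8} start={2} {3}" -f $name, $svc.Status, $mode, $flag)
}

# 2. Parse 'vssadmin list writers'. Each block starts with "Writer name: '...'" and
#    carries a "State:" and a "Last error:" line; anything not Stable / No error is reported.
function Get-VssWriterStates {
    $raw = (& vssadmin list writers 2>&1) | Out-String
    $blocks = ($raw -split 'Writer name:') | Select-Object -Skip 1
    foreach ($b in $blocks) {
        $lines = $b -split "`r?`n"
        $wname = $lines[0].Trim().Trim("'")
        $state = if ($b -match 'State:\s*\[\d+\]\s*([^\r\n]+)') { $matches[1].Trim() } else { 'unknown' }
        $err   = if ($b -match 'Last error:\s*([^\r\n]+)')   { $matches[1].Trim() } else { 'unknown' }
        New-Object PSObject -Property @{ Writer = $wname; State = $state; LastError = $err }
    }
}
$writers = @(Get-VssWriterStates)
if ($writers.Count -eq 0) {
    Write-Output 'vssadmin listed no writers: the VSS service is not answering; start it and re-run.'
}
$bad = $writers | Where-Object { $_.State -ne 'Stable' -or $_.LastError -ne 'No error' }
if ($bad) {
    Write-Output 'Writers not in a healthy state:'
    $bad | Format-Table Writer, State, LastError -AutoSize
} else {
    Write-Output ("All {0} writers Stable / No error." -f $writers.Count)
}

# 3. Try the operation that was failing. Checkpoint-Computer goes through the System
#    Restore WMI class, so a VSS failure surfaces here as it does from the System
#    Protection dialog. The description text is an arbitrary label.
try {
    Checkpoint-Computer -Description 'Manual test after cleanup' -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
    Write-Output 'Restore point created.'
} catch {
    Write-Output ("Restore point failed: {0}" -f $_.Exception.Message)
}
```

The script only reports and attempts the restore point; it changes no settings. A writer shown as Failed with "Retryable error" matches the message the poster saw. Once the writers are back to Stable, the Checkpoint-Computer call at the end is the same test the poster later ran by hand from the System Protection tab.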

#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi - first let's check for any remaining malware

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    consrv.dll
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

THEN

Download aswMBR.exe (4.8MB) to your desktop.
Double click aswMBR.exe to run it. Click the "Scan" button to start the scan.


On completion of the scan click Save log, save it to your desktop and post it in your next reply.


FINALLY

Run Farbar Service Scanner


Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.
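An added example, not code from the thread or from OTL, showing what the /md5start .. /md5stop part of the custom scan above is for: OTL prints the MD5 of each listed system binary so the helper can compare it with a known-good copy and spot a patched file. The PowerShell 2.0 script below (Vista-compatible, run elevated) records a baseline of those same files (MD5, size, last-write time) and on later runs reports any that changed, appeared or vanished, which shows what the cleanup tools touched. The baseline path is an assumption; pick any location outside the temp folders, since the [emptytemp] step later in the thread clears those.

```powershell
# Added example, not from the thread: hash baseline of the system binaries that the
# OTL /md5start .. /md5stop list targets, with a changed/new/missing report on later runs.
# Run elevated. PowerShell 2.0 compatible. The baseline path is an assumed location.
$baselinePath = 'C:\baseline-sysfiles.csv'
$names = @('consrv.dll', 'explorer.exe', 'winlogon.exe', 'Userinit.exe', 'svchost.exe')

# explorer.exe lives in %SystemRoot%; the rest belong in System32. Both folders are
# checked for every name so a stray copy in the wrong place is listed too.
function Get-TargetFiles {
    $dirs = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
    foreach ($dir in $dirs) {
        foreach ($n in $names) {
            $p = Join-Path $dir $n
            if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p -Force }
        }
    }
}

# MD5 via .NET so it works on PowerShell 2.0, which has no Get-FileHash.
function Get-Md5Hex([string]$path) {
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
    try { $bytes = $md5.ComputeHash($fs) } finally { $fs.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# One record per file: the fields OTL prints (size, timestamp) plus the MD5.
$current = @()
foreach ($f in (Get-TargetFiles)) {
    $current += New-Object PSObject -Property @{
        Path     = $f.FullName
        Size     = $f.Length
        Modified = $f.LastWriteTimeUtc.ToString('u')
        Md5      = Get-Md5Hex $f.FullName
    }
}

# First run: write the baseline and show it. consrv.dll is normally absent on Vista x86,
# so it simply will not appear unless something put it there.
if (-not (Test-Path -LiteralPath $baselinePath)) {
    $current | Export-Csv -Path $baselinePath -NoTypeInformation
    Write-Output "Baseline written to $baselinePath ($($current.Count) files):"
    $current | Format-Table Path, Size, Modified, Md5 -AutoSize
    return
}

# Later runs: compare against the baseline by path.
$baseline = @{}
foreach ($row in (Import-Csv -Path $baselinePath)) { $baseline[$row.Path] = $row }
$seen = @{}
foreach ($c in $current) {
    $seen[$c.Path] = $true
    $b = $baseline[$c.Path]
    if ($null -eq $b)          { Write-Output ("NEW      {0}" -f $c.Path) }
    elseif ($b.Md5 -ne $c.Md5) { Write-Output ("CHANGED  {0}  {1} -> {2}" -f $c.Path, $b.Md5, $c.Md5) }
    else                       { Write-Output ("same     {0}" -f $c.Path) }
}
foreach ($p in $baseline.Keys) {
    if (-not $seen[$p]) { Write-Output ("MISSING  {0}" -f $p) }
}
```

Run it once before the fix and again afterwards: a CHANGED line then tells you a tool replaced or repaired that file. A matching hash only proves the file did not change between runs, not that it is clean; `sfc /verifyonly` from an elevated prompt remains the check that the copy in place is a genuine Windows file.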

#3 chromejael (Topic Starter)

OTL logs attached: OTL.Txt (109.95KB), Extras.Txt (42.68KB)

#4 chromejael (Topic Starter)

aswMBR log attached: aswMBR2.txt (2.07KB)

#5 chromejael (Topic Starter)

Farbar Service Scanner log attached: FSS.txt (4.47KB)

#6 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

First off, we will need to kill the malware, then I will repair the damage.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from "Start with Windows"
Reboot and then run OTL

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O33 - MountPoints2\{11a3d5a7-546e-11dd-8967-001e377c5a8e}\Shell\AutoRun\command - "" = C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
    [2012/06/03 17:58:07 | 000,000,666 | ---- | C] () -- C:\Windows\Installer\{58f46eb3-8c2d-d4c7-da9e-0abb8b81a582}\L\00000004.@
    [2012/06/03 17:58:04 | 000,001,536 | ---- | C] () -- C:\Windows\Installer\{58f46eb3-8c2d-d4c7-da9e-0abb8b81a582}\U\00000004.@
    [2012/06/03 17:50:17 | 000,001,536 | ---- | C] () -- C:\Users\Danial\AppData\Local\{58f46eb3-8c2d-d4c7-da9e-0abb8b81a582}\U\00000004.@
    [2008/05/10 10:28:18 | 000,002,048 | -HS- | C] () -- C:\Windows\Installer\{58f46eb3-8c2d-d4c7-da9e-0abb8b81a582}\@
    [2008/05/10 10:28:18 | 000,002,048 | -HS- | C] () -- C:\Users\Danial\AppData\Local\{58f46eb3-8c2d-d4c7-da9e-0abb8b81a582}\@

    :Files
    ipconfig /flushdns /c
    C:\Users\Danial\AppData\Roaming\ethck.dll
    C:\Users\Danial\AppData\Local\{58f46eb3-8c2d-d4c7-da9e-0abb8b81a582}
    C:\Windows\Installer\{58f46eb3-8c2d-d4c7-da9e-0abb8b81a582}

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.



Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

REPAIRS

Download the attached zip file to your desktop and extract the three reg files
Double click the reg files in turn and allow them to merge; accept the warnings


NEXT


Reset/Renew TCP/IP connection

  • Open an elevated command prompt. To do that:
    • Click the Start Orb
    • In the Start Search box type cmd.exe. A program named cmd.exe will be listed at the top of the menu list under Programs
    • Right click on cmd.exe and click Run as Administrator. A black command window will open up.
  • At the blinking cursor type the following commands, pressing the Enter key after each command typed:
    • ipconfig /release
    Back at the blinking cursor type the following command, and press the Enter key.
    • ipconfig /renew
  • Back at the blinking cursor type Exit and press the Enter key. This will close the command window.
  • Reboot the computer


Reset Winsock on Vista / 7

  • Open an elevated command prompt. To do that:
    • Click the Start Orb
    • In the Start Search box type cmd.exe. A program named cmd.exe will be listed at the top of the menu list under Programs
    • Right click on cmd.exe and click Run as Administrator. A black command window will open up.
  • At the blinking cursor type the following commands, pressing the Enter key after each command typed:
    • netsh winsock reset catalog

    Back at the blinking cursor type the following command, and press the Enter key.
    • netsh int ip reset reset.log
  • Back at the blinking cursor type Exit and press the Enter key. This will close the command window.
  • Reboot the computer

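An added example (not from the thread, OTL or ComboFix) that turns the indicators in the fix script above into a report-only sweep: the GUID-named folders under C:\Windows\Installer and %LOCALAPPDATA% that hold the hidden '@' file and U\ or L\ subfolders of *.@ files, the MountPoints2 AutoRun command that chains RunDLL32 into a RECYCLER path, and ethck.dll in the roaming profile. It is for re-checking this machine after the fix, or confirming the same pattern on another one, without running a fix written for a different system (the warning above is exactly right about that). PowerShell 2.0 compatible; run elevated so C:\Windows\Installer is readable. The GUID folder-name regex and the AutoRun command regex are my assumptions about what counts as suspicious.

```powershell
# Added example, not from the thread: report-only sweep for the artifacts named in the
# OTL fix script (GUID folder with '@' and U\ / L\ *.@ files, MountPoints2 AutoRun command,
# ethck.dll). Deletes nothing. Run elevated. PowerShell 2.0 compatible.
$guidDirPattern = '^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$'  # assumed
$autorunPattern = '(?i)recycler|rundll32|\.vmx'                                         # assumed
$findings = @()

function Add-Finding([string]$kind, [string]$where, [string]$detail) {
    $script:findings += New-Object PSObject -Property @{ Kind = $kind; Where = $where; Detail = $detail }
}

# 1. GUID-named folders with the '@' / U / L layout seen in the fix. C:\Windows\Installer
#    is full of legitimate GUID-named MSI cache folders, so the layout, not the name, decides.
$roots = @((Join-Path $env:SystemRoot 'Installer'), $env:LOCALAPPDATA)
foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $dirs = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $guidDirPattern }
    foreach ($d in $dirs) {
        $hasAt = Test-Path -LiteralPath (Join-Path $d.FullName '@')
        $payload = @()
        foreach ($sub in 'U', 'L') {
            $subPath = Join-Path $d.FullName $sub
            if (Test-Path -LiteralPath $subPath) {
                $payload += @(Get-ChildItem -LiteralPath $subPath -Force -Filter '*.@' -ErrorAction SilentlyContinue)
            }
        }
        if ($hasAt -or $payload.Count -gt 0) {
            Add-Finding 'ZeroAccess-style folder' $d.FullName ("'@' present: {0}; *.@ files: {1}" -f $hasAt, $payload.Count)
        }
    }
}

# 2. MountPoints2 AutoRun commands. The fix removed one that ran RunDLL32 against
#    .\RECYCLER\S-5-3-42-...\jwgkvsq.vmx; anything mentioning RECYCLER, rundll32 or .vmx is listed.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp2) {
    foreach ($vol in (Get-ChildItem $mp2 -ErrorAction SilentlyContinue)) {
        $cmdKey = "$mp2\$($vol.PSChildName)\Shell\AutoRun\command"
        if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
        $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        if ($cmd -and ($cmd -match $autorunPattern)) {
            Add-Finding 'MountPoints2 AutoRun' $vol.PSChildName $cmd
        }
    }
}

# 3. The DLL the fix deleted from the roaming profile.
$dll = Join-Path $env:APPDATA 'ethck.dll'
if (Test-Path -LiteralPath $dll) {
    $fi = Get-Item -LiteralPath $dll -Force
    Add-Finding 'Dropped DLL' $dll ("{0} bytes, modified {1:u}" -f $fi.Length, $fi.LastWriteTimeUtc)
}

if ($findings.Count -eq 0) { Write-Output 'No matching artifacts found.' }
else { $findings | Format-Table Kind, Where, Detail -AutoSize -Wrap }
```

A clean result here only says these particular artifacts are gone; it is not a substitute for the OTL, aswMBR and ComboFix logs the helper reads, which cover loaded modules and the MBR as well as the file system.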

#7 chromejael (Topic Starter)

OTL Log

Attached File  OTL.Txt   96.61KB   180 downloads

ComboFix Log

Attached File  ComboFix.txt   22.08KB   149 downloads

-Description of current computer status-

The icons/folders seem to be back in working order, the desktop icons now retain their position wherever I place them, and folders now remember settings, column arrangements, and view type :)

When I first started up Internet Explorer, the security alert popped-up, the kind that said something like "this page is going to an unverified/unauthorized place, are you sure?" message, so I just clicked yes. The webpage was Google, lol. And it also asked me if I wanted IE to be my default browser (which always has been), but after that, everything seems to be in working order, internet explorer-wise.

For the step that said "Repairs" (with the legacy_mpssvc.zip file), I skipped it because I was unsure if it meant repairs for if after ComboFix something went wrong, or if it meant something else. I continued on to the "Reset/Renew TCP/IP connection" step. Was "Repairs" part of the step? Please clarify, thanks.

Also, when I was in the "Reset Winsock on Vista / 7" step, after I entered "netsh int ip reset reset.log hit" and pressed "enter", I got a different set of messages. It had 4 to 5 lines of something ( I forgot to screencapture) but at the end of each line it said "Ok!" , so I'm just assuming everything went according to plan.

#8 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hold onto the reg files for the moment whilst we recheck the system, to see if Combofix repaired the entries, although I do not feel it would have

Could you re-run Farbar please and post the new log

#9 chromejael (Topic Starter)

Farbar Service Scanner log

#10 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK Combofix did the repairs :)

What problems are remaining ?

Please download Malwarebytes' Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

#11 chromejael (Topic Starter)

Current status of my PC

The icons/folders problem has been resolved :)

I tested my System Restore by creating a new Restore Checkpoint, and it worked perfectly, I can now create checkpoints again :)
I have not tested it by actually restoring it to a checkpoint. Should I do a test just to be sure, or is it confirmed to be working fine?

#12 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Nope, if it can create one you should be good. Did Malwarebytes run OK?

#13 chromejael (Topic Starter)

I went ahead and performed a Full Scan.

Malwarebytes log


Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.13.07

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 8.0.6001.18975
Danial :: DANIALHP [administrator]

Protection: Disabled

14/6/2012 4:43:25 AM
mbam-log-2012-06-14 (04-43-25).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 435792
Time elapsed: 2 hour(s), 57 minute(s), 52 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Edited by chromejael, 13 June 2012 - 11:19 PM.


#14 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Subject to no further problems :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.
I would recommend that you update to Service Pack 2

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :Commands
    [resethosts]
    [emptytemp]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
  • In the Run box, type in ComboFix /Uninstall (Notice the space between the "x" and "/") then click OK

  • Follow the prompts on the screen
  • A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that
  • Go to control panel
  • Select folder options (Appearance > Folder options in category view)
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

SPRING CLEAN

To manually create a new Restore Point
  • Go to Control Panel and select System
  • Select System
  • On the left select System Protection and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create

Now we can purge the infected ones
  • Go Start > All Programs > Accessories > System Tools
  • Right click Disk Cleanup and select Run as administrator
  • Select Your main drive and accept the warning if you get one
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:

#15 chromejael (Topic Starter)

There are still 3 of the cleaning softwares left on my desktop:

-aswmbr
-mbr (DAT file)
-FSS

How should I delete/uninstall them?