
Infected with 'System Fix' Rogue


12 replies to this topic

#1 jawnonimouze

jawnonimouze

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 08 December 2011 - 05:47 PM

Hi,

Approximately a week ago, my computer was infected by the 'System Fix' Rogue. I believe it infected the machine via a drive-by install/download using a vulnerability in Internet Explorer. I followed this removal guide on Bleeping Computer and everything appears to have been successful. I am posting this thread because I am still concerned about the possible rootkit that is installed with some variants of the 'System Fix' Rogue. I am also concerned that there may be something else on this machine that hasn't been detected. Your assistance is very much appreciated.

- There are 2 accounts on my Windows 7 System: Administrator Account & Standard User Account
- My system has Software Restriction Policies configured for security, although I don't remember the specifics of its configuration
- From what I remember, the SRP prevents Standard User from installing software, or running executable files
- The Standard Account can only run executables that were originally installed by the Administrator
- The SRP policies that I set up were very strict, and more specific than what I am listing here. My memory cannot remember that far back :).
- I believe my computer was infected when I visited a malicious website with Internet Explorer, while I was logged into my Standard User Account.
- I think IE crashed when it happened, and a bunch of 'delayed write failed' messages came up afterwards. <-- I'm having a hard time remembering if this is how it happened LOL. I know, I know, it was only a week ago.
- I do remember this well though: Every time I start my machine, and login to the Standard User Account, A LOT of 'delayed write failed' messages come up, as well as taskbar bubbles about hard drive problems, memory problems, etc. ... the typical 'System Fix' Rogue symptoms.
- Catalyst Control Centre (CCC.exe) also crashes upon startup on this account.
- This is followed by the 'System Fix' "software" opening and performing a "scan", trying to convince me to "buy it", etc
- All the icons on the desktop/start menu/taskbar, and some files/folders on the hard drive are missing/hidden
- Cannot start task manager.
- If I reboot the machine and login to the standard account again, I have a small window of opportunity to open task manager and kill the malware process. This prevents the popups and 'System Fix' from opening.
- I logged in to my Administrator Account, and it seems that the Malware has had no effect whatsoever. Icons/Files are not missing, 'System Fix' & popups never come up. CCC does not crash. And if I open task manager as soon as I login, the malware process never even shows up in the list.
- It seems to me like the SRP has done its job??

I followed the instructions from "Remove System Fix (Uninstall Guide)" for removing the malware. I did everything in this guide, from within my Administrator Account, because I cannot launch the executable files such as RKill and MBAM from the Standard User Account due to SRP (infection originally happened in the standard account). There is also a possibility that the Malware infection would have prevented these from running from the Standard Account anyway, although I'm not sure of that. First I ran RKill, and it gave this result: "Processes terminated by Rkill or while it was running: xe". Then I ran TDSSKiller, but it did not detect anything. Then I ran MBAM, and it detected 6 Infected Files, and 1 Infected Registry Key. MBAM Quarantined and Deleted the Infected Files and Infected Registry Key. I did not download and run unhide.exe just yet. I will leave this for last, as it is not important right now.

MBAM Results:
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
c:\Users\John\AppData\Local\Temp\46B0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Temp\eo14jyvmy2euul.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Temp\googleupdate.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\John\AppData\Local\Temp\jar_cache550416788514084556.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.
c:\programdata\g6duilnpyyinot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\programdata\kmcildhhpnmcpi.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


After doing the above, I followed the instructions from "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". Once again all of these instructions were done from within the Administrator Account. The Malware attack/infection occurred in the Standard User account, and as it appears, it only affected the Standard Account. I could be wrong though; I'm no expert. I have run DDS and GMER, and attached the generated logs below. All of the info above is all that I can think of. I hope I did not miss anything. I will update this thread/post if I remember anything else.


----------------------------------------------------------------------------------------------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Admin at 14:02:10 on 2011-12-08
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.2047.1188 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\system32\Macromed\Flash\FlashUtil10w_ActiveX.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 64.71.255.198
TCP: Interfaces\{C13D3D10-800E-4080-A694-CA8E5F008E78} : DhcpNameServer = 64.71.255.198
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-5 366152]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-5 22216]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
.
2011-12-05 19:50:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 19:50:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-05 19:45:02 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2011-12-05 19:43:13 -------- d-----w- c:\programdata\Malwarebytes
.
==================== Find3M ====================
.
2011-10-25 21:22:18 1103080 ----a-w- c:\windows\system32\SpoonUninstall.exe
.
============= FINISH: 14:02:27.36 ===============


----------------------------------------------------------------------------------------------------------------------------------------------------------------

Attached File  Attach.txt   7.77KB   0 downloads
Attached File  Ark.txt   10.73KB   3 downloads
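The MBAM results above point at the two things this rogue did to the Standard User account: an Image File Execution Options (IFEO) entry for GOOGLEUPDATE.EXE, whose Debugger value makes Windows launch a different program in its place, and Desktop/Start Menu items flagged Hidden (the "missing icons"). The following read-only audit script is an added example, not part of this thread or of any tool mentioned in it; it assumes the affected profile is C:\Users\John (the path in the MBAM log) and is meant to be run from an elevated PowerShell in the Administrator account.

```powershell
# Added example (not from the thread): audit IFEO Debugger values and
# Hidden-attribute items in the shell folders a FakeHDD rogue hides.
# Read-only: it reports, it changes nothing. Written for Windows
# PowerShell 2.0 as shipped with Windows 7, so no v3+ syntax is used.

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: the affected Standard User profile (path taken from the MBAM
# log in the post above). Adjust if the profile lives elsewhere.
$affectedProfile = 'C:\Users\John'

# Roots where a genuine debugger (a developer tool, or Process Explorer's
# "replace Task Manager" setting) would live. A Debugger pointing into a
# Temp or ProgramData folder is the red flag. Heuristic only: a value under
# SystemRoot still deserves a look if you did not put it there.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

function Get-IfeoDebuggerFindings {
    Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            $debugger = [string]$props.Debugger
            # Reduce the value to the bare executable path: drop a leading
            # quote and cut at the closing quote or first space so any
            # arguments do not confuse the path comparison below.
            $exe = $debugger.TrimStart('"')
            $cut = $exe.IndexOfAny([char[]]@('"', ' '))
            if ($cut -gt 0) { $exe = $exe.Substring(0, $cut) }
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                }
            }
            New-Object PSObject -Property @{
                Image      = $_.PSChildName      # e.g. GOOGLEUPDATE.EXE
                Debugger   = $debugger
                Exists     = (Test-Path -LiteralPath $exe)
                Suspicious = (-not $inTrusted)
            }
        }
    }
}

function Get-HiddenShellItems {
    param([string]$ProfilePath)
    # The per-user and all-users locations Unhide.exe repairs; the
    # all-users Start Menu is the one the smtmp folder is copied back to.
    $locations = @(
        (Join-Path $ProfilePath 'Desktop'),
        (Join-Path $ProfilePath 'AppData\Roaming\Microsoft\Windows\Start Menu'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
        (Join-Path $env:PUBLIC 'Desktop')
    )
    foreach ($dir in $locations) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # Hidden but not System: desktop.ini is Hidden+System by
                # design, whereas shortcuts and folders should be neither.
                $isHidden = (($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
                $isSystem = (($_.Attributes -band [IO.FileAttributes]::System) -ne 0)
                $isHidden -and (-not $isSystem)
            } |
            Select-Object FullName, Attributes
    }
}

$ifeo = @(Get-IfeoDebuggerFindings)
$flagged = @($ifeo | Where-Object { $_.Suspicious })
Write-Host ("IFEO Debugger entries: {0} ({1} outside trusted roots)" -f $ifeo.Count, $flagged.Count)
$ifeo | Format-Table Image, Debugger, Exists, Suspicious -AutoSize

$hidden = @(Get-HiddenShellItems -ProfilePath $affectedProfile)
Write-Host ("Hidden Desktop/Start Menu items: {0}" -f $hidden.Count)
$hidden | Format-Table -AutoSize
```

On a clean machine the IFEO list is normally empty or holds only entries you recognise, and the hidden-item list is empty; anything else is worth comparing against the MBAM log before deciding what to restore.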


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,600 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:06:19 PM

Posted 14 December 2011 - 05:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/431417 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 jawnonimouze

jawnonimouze
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 19 December 2011 - 07:36 AM

Sorry for the delay. My new logs are posted below. The description of my problem is in the first post. And I no longer have my Windows CD/DVD available.


----------------------------------------------------------------------------------------------------------------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.7600.16385
Run by Admin at 17:56:11 on 2011-12-17
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.2047.1521 [GMT -5:00]
.
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\AEADISRV.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\taskhost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: DhcpNameServer = 64.71.255.198
TCP: Interfaces\{C13D3D10-800E-4080-A694-CA8E5F008E78} : DhcpNameServer = 64.71.255.198
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-12-5 366152]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-12-5 22216]
R3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\googleupdate.exe /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\googleupdate.exe /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
.
2011-12-12 17:52:23 -------- d-----w- c:\users\admin\appdata\local\Diagnostics
2011-12-05 19:50:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-05 19:50:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-12-05 19:45:02 -------- d-----w- c:\users\admin\appdata\roaming\Malwarebytes
2011-12-05 19:43:13 -------- d-----w- c:\programdata\Malwarebytes
.
==================== Find3M ====================
.
2011-10-25 21:22:18 1103080 ----a-w- c:\windows\system32\SpoonUninstall.exe
.
============= FINISH: 17:56:42.70 ===============


----------------------------------------------------------------------------------------------------------------------------------------------------------------

Attached Files



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 PM

Posted 19 December 2011 - 09:57 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#5 jawnonimouze

jawnonimouze
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 19 December 2011 - 07:41 PM

Hi nasdaq,

Thank you for your help. I have not yet followed the instructions that you gave me. The reason I have not done so is because, Combofix will delete my Temp files. As I stated in my first post, I have not yet run Unhide.exe. Unhide requires my Temp files to be intact in order for it to work properly. So I decided to put your instructions temporarily on hold, so that I could run Unhide.exe first. Well I ran Unhide.exe and it brought back all the missing desktop icons, other missing icons on C:\ and E:\, and most of the icons and folders in 'All Programs' on the Start Menu. However, it did not bring back my Taskbar icons and side panel icons on the Start Menu(Control Panel, Documents, Pictures, etc). I looked in this thread to find more information on how Unhide.exe works.

I followed the instructions in the above thread to manually try and fix the problem. Unfortunately, in the '%Temp%\smtmp\' folder I only have a '1' folder and a '4' folder, and the '4' folder is empty. So the only folder I have with anything in it is '%Temp%\smtmp\1'. I have moved the contents of '%Temp%\smtmp\1' to 'C:\ProgramData\Microsoft\Windows\Start Menu' as per the instructions in the above linked thread.

I have attached screenshots of what the Start Menu & Taskbar looks like on my affected Standard User Account, as well as my un-affected Administrator Account.

EDIT: I have made some changes to this post.

Attached Files


Edited by jawnonimouze, 19 December 2011 - 07:56 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 PM

Posted 20 December 2011 - 10:58 AM

Unhide will only reset what it can find. It's not a miracle tool.

My concern is the infected computer.
Please run ComboFix to remove any remaining infected files.

Will deal with the rest of the problem after if we can.

#7 jawnonimouze

jawnonimouze
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 20 December 2011 - 02:38 PM

Hi... here are the logs that you requested.

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 PM

Posted 21 December 2011 - 09:23 AM

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 22

===

The right side of Windows 7 Start menu is called Navigation pane and it displays common locations and configuration options. To select items displayed there, click Customize... button in Taskbar and Start Menu Properties window.

Have a look at this page and see what you can restore.

http://help.artaro.eu/index.php/windows-7/customizing-the-looks-in-windows-7/change-start-menu-in-windows-7.html

===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#9 jawnonimouze

jawnonimouze
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 21 December 2011 - 02:12 PM

Okay. I've removed the older version of Java and installed the latest one. I followed the link that you posted and now the Start menu and Taskbar on the affected user account are back in business. I ran 'ComboFix /Uninstall'. And I've re-enabled Windows Defender and Firewall.

I just opened Internet Explorer in the user account that was affected by System Fix. IE gave me a message... something about my internet security settings being unsafe or high risk? It asked me if I wanted IE to fix the security settings for me, and I clicked 'Yes'. This was the first time that I've run IE from within the affected user account, since cleanup. BTW, when I ran DDS, GMER, ComboFix, etc, I ran them from the Admin account, not the affected user account. Hope that's what I was supposed to be doing.

Also I have a question for you. In the instructions for Removing System Fix, and in other guides around the internet, there is a mention of Registry Keys affected by the System Fix virus. I personally have not made any changes to the Registry Keys shown in any of these guides. Do we need to be checking/fixing these Registry Keys, or has it been taken care of by ComboFix, or.....? Just thought I'd ask, to be safe.

#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 PM

Posted 22 December 2011 - 08:42 AM

The registry keys affected are listed under this section.

Associated System Fix Windows Registry Information:


Unless you are having some issues with this computer leave them alone.

#11 jawnonimouze

jawnonimouze
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:19 PM

Posted 23 December 2011 - 08:38 AM

> The registry keys affected are listed under this section.
>
> Associated System Fix Windows Registry Information:
>
> Unless you are having some issues with this computer leave them alone.

There don't seem to be any issues on the computer from what I can tell. But isn't it our goal, to undo changes made by the malware? I'm not sure I understand why it is okay to leave the registry changes as they are. Couldn't we set those keys back to their default setting, and remove the ones that were not there before the infection?

#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 PM

Posted 23 December 2011 - 11:28 AM

I do not change any of the registry settings unless it's causing a problem.
One bad error on my part could lead you to reinstall Windows.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,767 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:06:19 PM

Posted 29 December 2011 - 11:01 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



