
[Solved] Yet another case of the System Check virus

Discussion in 'Virus and Malware Removal' started by talasker, Jan 18, 2012.

  1. Broni Malware Annihilator

    Let's see if we can recover your missing features.
    Download and run UnHide
    Let me know if it worked.
  2. talasker Newcomer, in training

    Unhide did not seem to work. The folders you get from Start -> All Programs -> most of my program folder/directories are still blank. Oh well.

    I actually have something else to report. For the last few days, Avast has opened up a pop-up window citing a program called C:\WINDOWS\AMBDEF.EXE may be up to no good. It says "Resource: System auto-start settings". And it suggests Denying the action and terminating the program. Which I do.

    Is this yet another virus or instance of malware?
  3. Broni Malware Annihilator

    You'll have to restore all items manually.
    See my guide HERE

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders, UN-check Hide protected operating system files.
    NOTE. Make sure to reverse the above changes when done with this step.
    Upload the following file to http://www.virustotal.com/ for security check:
    - C:\WINDOWS\AMBDEF.EXE
    IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
  4. talasker Newcomer, in training

    Here are the scan results.

    ssdeep
    768:HN3ZAUJOobOcYju7vX4NDLLUzkXm5JZOFe9IwtbtWFEt88:HZt1Oc+2ovLqkX6OFy/Bzt88
    TrID
    Win64 Executable Generic (59.6%)
    Win32 Executable MS Visual C++ (generic) (26.2%)
    Win32 Executable Generic (5.9%)
    Win32 Dynamic Link Library (generic) (5.2%)
    Generic Win/DOS Executable (1.3%)
    ExifTool

    UninitializedDataSize....: 0
    InitializedDataSize......: 20480
    ImageVersion.............: 0.0
    ProductName..............: SPI Restore Application
    FileVersionNumber........: 1.0.0.6
    LanguageCode.............: English (U.S.)
    FileFlagsMask............: 0x0017
    FileDescription..........: SPI Restore Application
    CharacterSet.............: Unicode
    LinkerVersion............: 8.0
    FileOS...................: Win32
    MIMEType.................: application/octet-stream
    Subsystem................: Windows GUI
    FileVersion..............: 1, 0, 0, 6
    TimeStamp................: 2008:01:24 08:24:13+01:00
    FileType.................: Win32 EXE
    PEType...................: PE32
    InternalName.............: SPIRestore
    ProductVersion...........: 1, 0, 0, 6
    SubsystemVersion.........: 4.0
    OSVersion................: 4.0
    OriginalFilename.........: resdef.exe
    LegalCopyright...........: Copyright (C) 2006
    MachineType..............: Intel 386 or later, and compatibles
    CompanyName..............: Creative Technology Ltd.
    CodeSize.................: 28672
    FileSubtype..............: 0
    ProductVersionNumber.....: 1.0.0.6
    EntryPoint...............: 0x150f
    ObjectFileType...........: Executable application

    Sigcheck

    publisher................: Creative Technology Ltd.
    product..................: SPI Restore Application
    internal name............: SPIRestore
    copyright................: Copyright (C) 2006
    original name............: resdef.exe
    file version.............: 1, 0, 0, 6
    description..............: SPI Restore Application

    Portable Executable structural information

    Compilation timedatestamp.....: 2008-01-24 07:24:13
    Target machine................: 332
    Entry point address...........: 0x0000150F

    PE Sections...................:

    Name Virtual Address Virtual Size Raw Size Entropy MD5
    .text 4096 25476 28672 6.20 661744811237eb1ec6a818643b07b1f9
    .rdata 32768 10654 12288 5.58 727964e457fc2469779c2afae7071d67
    .data 45056 6340 4096 2.15 2854997fe2da2a2ac338a11d08e75d8d
    .rsrc 53248 1032 4096 3.72 14907306ad4bc23aef54cb777c3ac78c

    PE Imports....................:

    ADVAPI32.dll
    RegSetValueExA, RegDeleteValueA, RegOpenKeyA, RegCreateKeyA

    KERNEL32.dll
    Sleep, LoadLibraryA, GetProcAddress, GetCommandLineA, HeapFree, GetVersionExA, HeapAlloc, GetProcessHeap, GetStartupInfoA, GetLastError, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleA, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, HeapDestroy, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, InitializeCriticalSection, GetCPInfo, GetACP, GetOEMCP, RtlUnwind, HeapSize, MultiByteToWideChar, GetLocaleInfoA, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW

    ole32.dll
    CoCreateInstance, CoInitialize

    USER32.dll
    wsprintfA

    First seen by VirusTotal
    2009-05-16 09:28:59 UTC ( 2 years, 8 months ago )
    Last seen by VirusTotal
    2012-01-24 19:55:52 UTC ( 4 days, 16 hours ago )
    File names (max. 25)

    file-3460140_EXE
    AMBDEF.EXE
    file-473725_exe
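    Added example, not part of the thread or of VirusTotal's own tooling: a small Python triage pass over the version-info, section and import fields posted above. It embeds a trimmed copy of those fields and flags what a responder would notice first, that the file on disk (AMBDEF.EXE) was built as resdef.exe, and that it imports the registry-write APIs that explain Avast's "System auto-start settings" alert. The 7.0 entropy threshold for "possibly packed" is a conventional heuristic, not a value from the page.

```python
import re

# Trimmed copy of the VirusTotal report posted in the thread (only the fields used here;
# the KERNEL32 list is cut down from the full one on the page).
REPORT = """\
FileDescription..........: SPI Restore Application
OriginalFilename.........: resdef.exe
CompanyName..............: Creative Technology Ltd.
TimeStamp................: 2008:01:24 08:24:13+01:00
PE Sections...................:
.text 4096 25476 28672 6.20 661744811237eb1ec6a818643b07b1f9
.rdata 32768 10654 12288 5.58 727964e457fc2469779c2afae7071d67
.data 45056 6340 4096 2.15 2854997fe2da2a2ac338a11d08e75d8d
.rsrc 53248 1032 4096 3.72 14907306ad4bc23aef54cb777c3ac78c
PE Imports....................:
ADVAPI32.dll
RegSetValueExA, RegDeleteValueA, RegOpenKeyA, RegCreateKeyA
KERNEL32.dll
Sleep, LoadLibraryA, GetProcAddress, IsDebuggerPresent, VirtualAlloc
ole32.dll
CoCreateInstance, CoInitialize
"""

FIELD_RE = re.compile(r"^(\w+)\.{2,}: (.*)$")                      # ExifTool/Sigcheck "Key....: value"
SECTION_RE = re.compile(r"^(\.\w+) (\d+) (\d+) (\d+) ([\d.]+) ([0-9a-f]{32})$")  # PE section rows

# Registry APIs that create or change values; their presence matches the "auto-start
# settings" behaviour Avast reported. IsDebuggerPresent is NOT in this list: it is a
# standard MSVC runtime import and says nothing on its own.
REG_WRITE = {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyA", "RegCreateKeyW",
             "RegCreateKeyExA", "RegCreateKeyExW"}


def parse_report(text):
    """Return (version fields, {section: entropy}, {dll: [imports]})."""
    fields, sections, imports = {}, {}, {}
    dll = None
    for line in text.splitlines():
        line = line.strip()
        if m := FIELD_RE.match(line):
            fields[m.group(1)] = m.group(2)
        elif m := SECTION_RE.match(line):
            sections[m.group(1)] = float(m.group(5))
        elif line.lower().endswith(".dll"):
            dll = line.lower()
            imports[dll] = []
        elif dll and line:
            imports[dll] += [f.strip() for f in line.split(",")]
    return fields, sections, imports


def triage(fields, sections, imports, on_disk_name):
    """Return human-readable findings for the report; an empty list means nothing stood out."""
    findings = []
    original = fields.get("OriginalFilename", "")
    if original and original.lower() != on_disk_name.lower():
        findings.append(f"name mismatch: on disk as {on_disk_name}, built as {original}")
    reg_writes = set(imports.get("advapi32.dll", [])) & REG_WRITE
    if reg_writes:
        findings.append("writes to the registry: " + ", ".join(sorted(reg_writes)))
    for name, entropy in sections.items():
        if entropy > 7.0:                       # heuristic threshold, not from the page
            findings.append(f"section {name} has entropy {entropy}: possibly packed")
    return findings


if __name__ == "__main__":
    for finding in triage(*parse_report(REPORT), on_disk_name="AMBDEF.EXE"):
        print(finding)
```

The name mismatch alone does not make the file malicious (the version data points at a Creative Technology utility), but it is exactly the kind of inconsistency worth raising before trusting a VirusTotal "clean" verdict.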
  5. Broni Malware Annihilator

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
      O15 - HKU\S-1-5-21-746137067-1482476501-725345543-1003\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
      O15 - HKU\S-1-5-21-746137067-1482476501-725345543-1003\..Trusted Domains: line6.net ([]* in Trusted sites)
      [2012/01/17 20:48:46 | 000,000,853 | ---- | M] () -- C:\Documents and Settings\Bob\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk
      @Alternate Data Stream - 88 bytes -> C:\Documents and Settings\Bob\Desktop\xyz.com.exe:SummaryInformation
      @Alternate Data Stream - 58 bytes -> C:\Documents and Settings\Bob\Desktop\Ben Folds - Perth.avi:com.dropbox.attributes
      
      :Commands
      [purity]
      [emptytemp]
      [emptyjava]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =============================================================

    1. Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    2. Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Do NOT post JavaRa log.

    ==============================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.

    2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
    • Make sure the following options are checked:
      • Internet Services
      • Windows Firewall
      • System Restore
      • Security Center
      • Windows Update
    • Press "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please copy and paste the log to your reply.


    3. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    4. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click on List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE. If Eset won't find any threats, it won't produce any log.
  6. talasker Newcomer, in training

    All processes killed
    ========== OTL ==========
    Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\UpdReg deleted successfully.
    C:\WINDOWS\Updreg.EXE moved successfully.
    Registry key HKEY_USERS\S-1-5-21-746137067-1482476501-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intuit.com\ttlc\ deleted successfully.
    Registry key HKEY_USERS\S-1-5-21-746137067-1482476501-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\line6.net\ deleted successfully.
    C:\Documents and Settings\Bob\Application Data\Microsoft\Internet Explorer\Quick Launch\System Check.lnk moved successfully.
    ADS C:\Documents and Settings\Bob\Desktop\xyz.com.exe:SummaryInformation deleted successfully.
    ADS C:\Documents and Settings\Bob\Desktop\Ben Folds - Perth.avi:com.dropbox.attributes deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56475 bytes

    User: All Users

    User: Bob
    ->Temp folder emptied: 66219 bytes
    ->Temporary Internet Files folder emptied: 69651 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 52408217 bytes
    ->Google Chrome cache emptied: 354314420 bytes
    ->Flash cache emptied: 1908447 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 56475 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 32902 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 31482 bytes

    User: Sue
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 5627957 bytes
    ->Flash cache emptied: 2260 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2444907 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 505 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 398.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Bob
    ->Java cache emptied: 0 bytes

    User: Default User

    User: LocalService

    User: NetworkService
    ->Java cache emptied: 0 bytes

    User: Sue
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Bob
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: Sue
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.31.0 log created on 01302012_081219

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
  7. talasker Newcomer, in training

    Results of screen317's Security Check version 0.99.24
    Windows XP Service Pack 3 x86
    Internet Explorer 8
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Enabled!
    avast! Free Antivirus
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    SUPERAntiSpyware Free Edition
    Java(TM) 6 Update 30
    Adobe Flash Player 11.1.102.55
    Mozilla Firefox (x86 en-US..)
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    AVAST Software Avast AvastSvc.exe
    AVAST Software Avast avastUI.exe
    ``````````End of Log````````````
  8. talasker Newcomer, in training

    Farbar Service Scanner Version: 18-01-2012 01
    Ran by Bob (administrator) on 30-01-2012 at 20:49:33
    Microsoft Windows XP Professional Service Pack 3 (X86)
    Boot Mode: Normal
    ****************************************************************

    Internet Services:
    ============

    Connection Status:
    ==============
    Localhost is accessible.
    LAN connected.
    Google IP is accessible.
    Yahoo IP is accessible.


    Windows Firewall:
    =============

    Firewall Disabled Policy:
    ==================


    System Restore:
    ============

    System Restore Disabled Policy:
    ========================


    Security Center:
    ============

    Windows Update:
    ===========

    File Check:
    ========
    C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
    C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
    C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
    C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
    C:\WINDOWS\system32\netman.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\srsvc.dll => MD5 is legit
    C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
    C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
    C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
    C:\WINDOWS\system32\qmgr.dll => MD5 is legit
    C:\WINDOWS\system32\es.dll => MD5 is legit
    C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
    C:\WINDOWS\system32\svchost.exe => MD5 is legit
    C:\WINDOWS\system32\rpcss.dll => MD5 is legit
    C:\WINDOWS\system32\services.exe => MD5 is legit

    Extra List:
    =======
    aswTdi(9) Gpc(3) IPSec(5) ndisrd(8) NetBT(6) PSched(7) Tcpip(4)
    0x09000000050000000100000002000000030000000400000009000000060000000700000008000000
    IpSec Tag value is correct.

    **** End of log ****
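    Added example, not part of the thread or of Farbar's tool: a Python decoder for the two "Extra List" lines in the FSS log above. It assumes the hex blob is the GroupOrderList entry for the PNP_TDI service group (a little-endian DWORD count followed by service tags) and that the "IpSec Tag value is correct" verdict corresponds to IPSec being ordered before Tcpip; FSS does not print the rule it applies, so both are assumptions.

```python
import re
import struct

# The two "Extra List" lines from the FSS log posted above, copied so the decoder runs stand-alone.
EXTRA_LIST = """\
aswTdi(9) Gpc(3) IPSec(5) ndisrd(8) NetBT(6) PSched(7) Tcpip(4)
0x09000000050000000100000002000000030000000400000009000000060000000700000008000000
"""


def parse_extra_list(text):
    """Return ({service: tag}, [tags in load order]).

    Assumption: the blob is a REG_BINARY DWORD array (little-endian) whose first
    DWORD is the entry count and whose remaining DWORDs are service tags.
    """
    names_line, hex_line = [line.strip() for line in text.strip().splitlines()]
    tags = {name: int(tag) for name, tag in re.findall(r"(\w+)\((\d+)\)", names_line)}
    raw = bytes.fromhex(hex_line[2:])              # drop the 0x prefix
    if len(raw) % 4:
        raise ValueError("blob is not a whole number of DWORDs")
    dwords = struct.unpack("<%dI" % (len(raw) // 4), raw)
    count, order = dwords[0], list(dwords[1:])
    if count != len(order):
        raise ValueError(f"count field says {count} entries but {len(order)} tags follow")
    return tags, order


def describe_order(tags, order):
    """Map the load order back to service names; tags FSS did not name stay as tag<N>."""
    by_tag = {tag: name for name, tag in tags.items()}
    return [by_tag.get(tag, f"tag{tag}") for tag in order]


def check_tags(tags, order):
    """Return a list of problems; an empty list means the ordering looks sane.

    Assumption: IPSec must appear before Tcpip in the load order.
    """
    problems = [f"{name} tag {tag} is missing from the load order"
                for name, tag in tags.items() if tag not in order]
    ipsec, tcpip = tags.get("IPSec"), tags.get("Tcpip")
    if ipsec in order and tcpip in order and order.index(ipsec) > order.index(tcpip):
        problems.append("IPSec is ordered after Tcpip")
    return problems


if __name__ == "__main__":
    tags, order = parse_extra_list(EXTRA_LIST)
    print("load order:", " -> ".join(describe_order(tags, order)))
    print("problems:", check_tags(tags, order) or "none")
```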
  9. talasker Newcomer, in training

    ESET Scan File:


    C:\Documents and Settings\Bob\Application Data\Microsoft\Document Building Blocks\1025\Build\index\tsco.exe Win32/HideWindow application
  10. Broni Malware Annihilator

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [emptyjava]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. (Windows XP only) Run defrag at your convenience.

    11. When installing/updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

    12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    13. Please let me know how your computer is doing.
  11. talasker Newcomer, in training

    All processes killed
    ========== OTL ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Bob
    ->Temp folder emptied: 66673 bytes
    ->Temporary Internet Files folder emptied: 70141 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 55404837 bytes
    ->Google Chrome cache emptied: 167348886 bytes
    ->Flash cache emptied: 470 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Sue
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 665741 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 213.00 mb


    [EMPTYFLASH]

    User: Administrator
    ->Flash cache emptied: 0 bytes

    User: All Users

    User: Bob
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Flash cache emptied: 0 bytes

    User: LocalService

    User: NetworkService
    ->Flash cache emptied: 0 bytes

    User: Sue
    ->Flash cache emptied: 0 bytes

    Total Flash Files Cleaned = 0.00 mb


    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Bob
    ->Java cache emptied: 0 bytes

    User: Default User

    User: LocalService

    User: NetworkService
    ->Java cache emptied: 0 bytes

    User: Sue
    ->Java cache emptied: 0 bytes

    Total Java Files Cleaned = 0.00 mb

    Restore points cleared and new OTL Restore Point set!

    OTL by OldTimer - Version 3.2.31.0 log created on 02012012_054828

    Files\Folders moved on Reboot...
    File move failed. C:\WINDOWS\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    Registry entries deleted on Reboot...
  12. talasker Newcomer, in training

    The computer seems to be running fine. I'd like to give it a few days and see what is what.

    Thank you very much for all your help. I have two final questions for you.

    1. How can I repay you? Is there a way to donate to TechSpot?
    2. Who the hell is making these trojan horse viruses and what was the purpose of the virus/viruses that infected my computer?
  13. Broni Malware Annihilator

    Way to go!!
    Good luck and stay safe :)

    1. See my signature (totally optional).
    2. Hahaha....bad guys :)