Hit by FileRepMetagen

Avast seems like it took care of the problem but I am trying to be a good boy and report this here. I know it is probably taken care of through the application but just in case it is not, or if this reoccurs. Since this is an “emergent” threat I thought it may help.

So Avast pops up it blocked something and I start getting all kind of other pop-ups about Windows Authentication needing to run as admin. This is what you get when your Windows or Office do not have a genuine key. I of course do not run those since I didn’t do anything to cause it. Avast comes up and says it removed something and wants to reboot and do a boot time scan. I can’t hit yes fast enough.

Boot scan was clean and I find this is the avast logs:

5/2/2016 9:46:50 PM C:\Users\Christopher Brown\AppData\LocalLow{C13871CC-D72B-4ED0-A209-941721E4D058}\TMP976A.exe [L] FileRepMetagen [DRP] (0)
File was successfully deleted…

This is the only record I can find of Avast doing anything at all.

I didn’t want to take any chances so I go to System Recovery to restore my last restore point. I find that it says not only are all my restore points deleted, but the system restore is disabled. I am a huge believer of this Windows feature and I know I have been making restore points. So I am stuck without being able to go back. I do create a restore point after turning this back on.

After that, I am spooked enough to run MBAM, which is clean. I also did the FRST and aswmbr, logs are attached.

Machine seems ok so far.

Thanks to all of you for what you do.

Did you set this task ?

Task: {7C8E9083-4562-4CD2-8E3E-57640F7C8BE9} - System32\Tasks\Hourly Chime => C:\Users\Christopher Brown\sound.bat [2015-09-23] ()

Unfortunately automated systems do not have the necessary intelligence to determine whether the folder needs to be deleted as well as the file

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint: 2016-05-02 21:46 - 2016-05-02 21:47 - 00000000 ____D C:\Users\Christopher Brown\AppData\LocalLow\{CEAD6649-7A17-4ACF-B4E5-56CDABE71AE1} 2016-05-02 21:46 - 2016-05-02 21:47 - 00000000 ____D C:\Users\Christopher Brown\AppData\LocalLow\{5C5A5422-D619-4F52-BC38-AA7507B9403A} 2016-05-02 21:46 - 2016-05-02 21:46 - 00000000 ____D C:\Users\Christopher Brown\AppData\LocalLow\{C13871CC-D72B-4ED0-A209-941721E4D058} 2016-05-02 21:46 - 2016-05-02 21:46 - 00000000 ____D C:\Users\Christopher Brown\AppData\LocalLow\{2046C441-2D21-4F0B-BC54-FA0CD15E8A02} Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f RemoveProxy: EmptyTemp: CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Wow, great you spotted that, but I did set that task myself. Reminds me that time is passing. Sad, I know.

I assume since I set it I don’t need to perform the operations?

I did not have the task on my remove list so you will need to run the fix

FRST crashed when executing the fix but dropped the attached log (which looks good to me). Here is the dump from the application crash:

Problem Event Name: APPCRASH
Application Name: FRST64.exe
Application Version: 6.5.2016.3
Application Timestamp: 572cdd16
Fault Module Name: ntdll.dll
Fault Module Version: 6.1.7601.23391
Fault Module Timestamp: 56e9ab48
Exception Code: c0000005
Exception Offset: 000000000000c259
OS Version: 6.1.7601.2.1.0.256.1
Locale ID: 1033
Additional Information 1: ddc4
Additional Information 2: ddc450a5a9a4890ebce2f0cdec70607e
Additional Information 3: 6bfb
Additional Information 4: 6bfb0a3602ba054d29ec3278a3933195

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt

Frst crashed when it was emptying the temp files

Are you experiencing any problems ?

No problems. I had a bunch of stuff running when I ran it - I did not boot clean and do it on a quiet system. So it doesn’t surprise me it wasn’t able to clean the temp files. It looks like it was able to remove the other stuff, though, right?

Yep they are history, :slight_smile:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix
Select the options as shown

https://dl.dropboxusercontent.com/u/73555776/delfix.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select Remove Java Runtime. Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version

https://dl.dropboxusercontent.com/u/73555776/javara.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

https://dl.dropboxusercontent.com/u/73555776/CryptoPrevent.JPG

Malwarebytes

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme :wink:

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave: