Tricky Trojan Horse Twins called 80000032.@ and 80000064.@ (plus other scumware)

Dear Malware Analysts (eg: jeffce),

Like fellow Jr. Member Ninjarider01, who was helped out by Malware Analyst Jeff (u/n: jeffce) serving up what reads like Top Notch tech support, in the thread…

• ‘80000032.@ issues please assist’
» http://forum.avast.com/index.php?topic=110548.0

…I too have an “Ah cannae get yon bleedin’ Greeks tae understand as hoo we DINNAE WANT NO STUNKIN TROJAN HORSES aroond here!” type problem. Every few minutes, ‘avast!’ says that its “File System Shield has blocked a threat”, thereby preventing two files called ‘80000032.@’ and ‘80000064.@’ from doing any damage, and intimates that they have both been “Moved to chest”, implying a successful quarantining – but then a few minutes later, the identical warnings pop up again, and again, and again, ad infinitum.

http://i22.photobucket.com/albums/b336/dalinian61/Error-Corrections/TH1_zps55163dd8.jpg~original

http://i22.photobucket.com/albums/b336/dalinian61/TH2_zpsd37da75b.jpg~original

Ninjarider01’s problem file:
» C:\Windows\Installer\{6ffbd671-8664-9daa-433f-67dc4b8a87c0}\U\80000032.@

My problem files:
» C:\Windows\Installer\{39c63903-74d9-96aa-962e-413365d7bb3b}\U\80000032.@

» C:\Windows\Installer\{39c63903-74d9-96aa-962e-413365d7bb3b}\U\80000064.@

Tempted as I may be to follow the solution in Ninjarider01’s problem-solving thread, I note that Jeff sensibly warns against such a course of action:

“DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision.
Doing so could make your system inoperable and could require a full reinstall of your OS losing all your programs and data.”

So, could I please get the same kind of interactive asynchronous assistance in turning this pesky and persistent pair of Trojan Horses into twin piles of metaphorical cinders+ash?

Thanks in advance for your help and assistance,

Tim Jones

PS#1: My Win7 OS runs in a Bootcamp partition on a MacBook Pro, so I’m only an occasional visitor there (proximally for website updating conformance testing purposes), being more used to the relatively secure and threat-free environment of UNIX > Darwin > OS X – but I’ve enough multi-platform-savvy, determination and motivation to clear out all its malware, with a little help from ‘avast!’, plus you grand and selfless Malware Analyst crew.

PS#2: Having run an ‘avast!’ boot-time scan, I notice that the log ‘aswBoot.txt’ reports…

“Number of searched folders: 31867
Number of tested files: 647973
Number of infected files: 16”

…so the Trojan Horse Twins 80000032.@ and 80000064.@ may only be the most visible malware annoyances >:-{

Hi, I will need the OTL log to determine which way to kill this beastie.

Download OTL to your Desktop
Secondary link

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

• Select All Users
• Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs

Hi Essexboy,

Many thanks for your prompt response (and BTW, that’s as grand a collection of iconic dragons as I’ve seen).

I believe I’ve followed your instructions, and here are those twin log files.

Here’s hoping you’ll have the diagnostic data for The Next Step.

Warm regards, Tim

OK killing time :slight_smile:

Warning: this fix is specific to the user in this thread. No one else should follow these instructions as it may cause more harm than good. If you are after assistance, please start a thread of your own.

• Click on the Start button and in the search box, type Notepad and click on it
http://dl.dropbox.com/u/16537616/Canned%20Speeches/Start%20Orb.jpg
• Copy (Ctrl+C) all of the text in the following box and paste (Ctrl+V) it into Notepad


fsutil reparsepoint delete "C:\Program Files\Windows Defender\en-US"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpAsDesc.dll"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpClient.dll"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCmdRun.exe"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpCommu.dll"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpEvMsg.dll"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpOAV.dll"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpRTP.dll"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MpSvc.dll"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MSASCui.exe"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpCom.dll"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpLics.dll"
fsutil reparsepoint delete "C:\Program Files\Windows Defender\MsMpRes.dll"

CD \
DIR /S /A:L > %USERPROFILE%\Desktop\JunctionPoints.txt
start %USERPROFILE%\Desktop\JunctionPoints.txt .
EXIT


• Go to File > Save As… and save it to your Desktop named fix.bat. Make sure you change the Save as type to All Files (*.*)
• Locate fix.bat on your Desktop and right click then select Run as administrator
• A log, Junction.txt, will be located on the desktop; attach that

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
• Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

• When finished, it shall produce a log for you.
• Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
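An added example, not from this thread and not one of Essexboy's tools: a small Python script that parses the kind of listing the fix above produces with DIR /S /A:L (the JunctionPoints.txt output) and reports reparse points sitting under directories where a clean Windows 7 install has none, the Windows Defender folder being the one the fsutil lines target. The listing below is a constructed sample and its targets are placeholders; the list of suspicious roots is an assumption of this example.

```python
import re

# Directories in which a reparse point is suspicious on a stock Windows 7
# install (assumption for this example; extend to taste).
SUSPICIOUS_ROOTS = (
    r"c:\program files\windows defender",
    r"c:\program files (x86)\windows defender",
)

# "dir" prints one of these for each directory being listed ...
DIR_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# ... and one of these per reparse point, e.g.
#   16/07/2013  10:02    <JUNCTION>     en-US [C:\some\target]
#   16/07/2013  10:02    <SYMLINK>      MpClient.dll [C:\some\target]
ENTRY_RE = re.compile(
    r"^\s*\S+\s+\S+\s+<(?P<kind>JUNCTION|SYMLINK|SYMLINKD)>\s+"
    r"(?P<name>.+?)\s+\[(?P<target>[^\]]*)\]\s*$"
)

# Constructed sample of "DIR /S /A:L" output: two reparse points planted on
# the Windows Defender folder (targets are placeholders) plus the benign
# "Application Data" junction every Windows 7 user profile has.
SAMPLE_LISTING = """\
 Volume in drive C has no label.

 Directory of C:\\Program Files\\Windows Defender

16/07/2013  10:02    <JUNCTION>     en-US [C:\\PLACEHOLDER\\dir]
16/07/2013  10:02    <SYMLINK>      MpClient.dll [C:\\PLACEHOLDER\\file]
               0 File(s)              0 bytes

 Directory of C:\\Users\\tim

22/01/2013  09:15    <JUNCTION>     Application Data [C:\\Users\\tim\\AppData\\Roaming]
               0 File(s)              0 bytes
"""


def parse_reparse_points(listing):
    """Return (kind, full_path, target) for every reparse point listed."""
    current_dir = None
    found = []
    for line in listing.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group("path")
            continue
        m = ENTRY_RE.match(line)
        if m and current_dir is not None:
            full = current_dir.rstrip("\\") + "\\" + m.group("name")
            found.append((m.group("kind"), full, m.group("target")))
    return found


def suspicious_reparse_points(listing, roots=SUSPICIOUS_ROOTS):
    """Reparse points whose path lies under one of the suspicious roots."""
    return [
        entry for entry in parse_reparse_points(listing)
        if any(entry[1].lower().startswith(r + "\\") for r in roots)
    ]


if __name__ == "__main__":
    for kind, path, target in suspicious_reparse_points(SAMPLE_LISTING):
        print(f"{kind:9} {path} -> {target or '<no target>'}")
```

The benign per-profile junction is listed but not flagged, which is the distinction a triage pass over a real JunctionPoints.txt needs to make before anything is deleted.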

Sure, wouldn’t I love it to be killing time already! :-*

Unfortunately… :-\

• fix.bat - flashes up a DOS execution box v briefly (c. 0.2 s); you wrote that “A log Junction.txt will be located on the desktop”, but sorry to say it isn’t.

• ComboFix.exe - ran it, it rebooted the OS, and recommenced its run on Win7 startup, but then…

http://i22.photobucket.com/albums/b336/dalinian61/Error-Corrections/ComboFix-error-state_zps98c9627c.jpg~original

I have already fully uninstalled Avira (or so I thought), but ComboFix reports that it detects ‘Avira Desktop’ as both active antivirus and antispyware, whereas the Win7 Defender Action Centre only reports ‘avast! Antivirus’ as ‘Status: Off’, and ‘Windows Defender’, also as ‘Status: Off’.

So… I haz a Puzzled & Perplexed! Halp!! ??? :o

You wrote:
“If you have a problem, reply back for further instructions.”

So I’ve left ComboFix.exe hanging for a response from me, as illustrated in the screenshot above.

Here’s where your ‘avast! Überevangelist’ superpowers get brought to bear, Imma hoping…

Hi Essexboy,

I’ve been pursuing this process so far at a friend’s home in Lewisham (the client for my website updating conformance testing), but the time has come to be traveling home to Vauxhall. So I’ll try sleeping Win7 with ComboFix.exe left hanging for a response from me, as illustrated in the screenshot above; and when I get home, I hope I’ll be able to expedite your next troubleshooting instructions.

Thanks in anticipation, Tim 8)

Accept the warnings and allow combofix to run

fix.bat - flashes up a DOS execution box v briefly (c. 0.2 s); you wrote that "A log Junction.txt will be located on the desktop", but sorry to say it isn't.
That happens about one in twenty times for no apparent reason. The flash of the black box is normal; that is the command running.

I was too sleepy to do any more fixing last night, but thanks to your latest suggestion, I’m up and at it again this morning, with a freshly rested psyche.

ComboFix has run, including a reboot-&-resume, and written its ComboFix.txt log to C:\ - attached. If my intuitions are correct, I’m looking over a metaphorical battlefield strewn with the corpses of virus-infected files, malware, spyware, and - to my great personal satisfaction - I spy twin piles of cinders+ash where once stood a pesky and persistent pair of Trojan Horses:

((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))
[…]
c:\windows\Installer\{39c63903-74d9-96aa-962e-413365d7bb3b}\U\80000032.@
c:\windows\Installer\{39c63903-74d9-96aa-962e-413365d7bb3b}\U\80000064.@

Still no ‘Junction.txt’ log on my desktop from running ‘fix.bat’, but I hope that that may now be moot.

However, these processes do seem to have left a couple of ‘desktop.ini’ files on my desktop. When we’re done, all is clean and healthy, and I’m grinning like a Cheshire cat, would I be right in assuming I can delete the following files? …

C:
• ComboFix.txt

Desktop

http://i22.photobucket.com/albums/b336/dalinian61/Error-Corrections/DeletionCandidates_zpsea320e40.jpg~original

When essexboy is done, he will do a cleanup… then all those programs/files/folders will be gone.

Grand, so, Pondus - thanks for the heads-up on your team’s post-disinfection clean-up protocols.

I’m happy as the proverbial pig in [ clover | sh¡t ] that no more incessant-5-minutely ‘avast!’ Trojan Horse warnings are popping up. In the realm of the imagination [1], I pissed on their cinders+ash smoking pile remains, and when the steam had died down, my Dirty Big Boots and I trampled their remains into the dust.

“I love the smell of immolated malware in the morning. Smells like… VICTORY!” ;D

IMHO, you guys come across as one of the most impressive examples of a high tech net-mediated gift economy collective - an affiliation of experts freely giving of their greatly beneficial expertise to complete ‘strangers’. On the basis of the ‘pay it forward’ principle, rest assured I’ll be redoubling my efforts to pass on my skills (eg: proximally, web design, outdoor cinema democratica, creative writing peer support), and namechecking the very-good-folk-indeed in the avast! forum’s Malware Analyst team as a personal inspiration and motivation for being generously giving and good towards everybody, for free, for ever.

For this way lies the Federation-of-Planets-spanning gift economy future portrayed in Gene Roddenberry’s visionary Star Trek universe. Or as Steve Earle has it, the revolution starts now:

Last night I had a dream
That the world had turned around
And all our hopes had come to be
And the people gathered round
They all brought what they could bring
And nobody went without
And I learned a song to sing
The revolution starts now

Steve Earle, from ‘The revolution starts now’
» audio & lyrics – http://www.kovideo.net/the-revolution-starts-now-lyrics-steve-earle-697327.html

[1] Imagination: the ONLY nation worth defending, and here’s poetry evidence that proves my point:

http://i22.photobucket.com/albums/b336/dalinian61/a-World-Change-album/TheimaginationbyJohnHegley_zps1ff17601.jpg~original

:slight_smile: ah a nice start to my day … Thankee

Yes there are corpses scattered around. The reason I did the reparse points manually is 'cos I am still not 100% sure that combofix does a proper job on that. For the rest it just walked all over them :slight_smile:

How is the computer behaving now?

Could you run one further OTL scan for me to confirm that all reparse points are history?

• Run OTL
• Select All Users
• Under the Custom Scan box paste this in

netsvcs
BASESERVICES
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

AFAICT, all of Win7 is running perfectly smoothly since the ComboFix run - zero pop-ups from avast! and all apps behaving as expected. 8)

Some of the more technical stuffz you say I can’t fully comprehend, and that really is just fine with me - I’m more than content to be spared the intricacies, safe in the knowledge that you folks in the Malware Analysis team REALLY do know your onions. :slight_smile:

I followed your ‘run one further OTL scan’ instructions, and attach the resulting log, OTL.Txt (beginning ‘OTL logfile created on: 16/07/2013 15:47:35 - Run 2’).

Howzit lookin, pardner?

Looks good to I, Combofix missed one folder so I will kill that as we tidy

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
• Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
C:\Windows\Installer\{39c63903-74d9-96aa-962e-413365d7bb3b}

:Commands
[resethosts]
[emptytemp]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
• Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
• In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

• Follow the prompts on the screen
• A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System Tools
Right click Disk Cleanup and select Run as administrator
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button

https://dl.dropbox.com/u/73555776/disc%20clean.JPG

: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article and this article.
I would recommend that you completely uninstall Java unless you need it to run important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser and How to unplug Java from the browser)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave:

Hey EssexBoy,

Thank you soooo much for your sterling assistance in cleaning out the scumware from my Win7 partition – very well done, that [ man | bot | dragon | construct ], sez I!

I followed your post-disinfection clean-up protocol, and all seems to have gone well, with a sole exception: fix.bat remains on my desktop – is it OK for me to delete it by hand?

I’ve also followed your suggestions in the Win7 partition:

  1. Java disabled in browsers:
    Control Panel > Java > Security tab >
    [unchecked] Enable Java content in the browser
    Test page » http://java.com/en/download/testjava.jsp

  2. Malwarebytes Anti-Malware – installed (+ clean bill-of-health quick scan result, as expected)

  3. FileHippo update checker – installed (+ three apps updated)

  4. Trusteer Rapport – installed

And when I get back over to OS X, I’ll also be disabling Java in browsers, and installing Trusteer Rapport (as also recommended by my bank).

I had no idea how grossly insecure Java had become, and I confess that I am somewhat shocked that such a great cross-platform SW idea from Sun seems to have become such a gaping and embarrassing security risk under Oracle, to their everlasting shame. I use Vuze (written in Java) in both OS’s, so I’ll keep Java installed and up-to-date, but turned OFF in all browsers.

I’ll most likely be dipping in to Win7 over the next 24 hours, as I test some website updates for browser conformance, so I’ll hope to post an update on my Win7’s continuing good health in a day or so’s time.

For a second bite of my Great-Gratitude-Cherry, I’d like to point you towards a re-reading of my « Reply #9 on: Today at 10:24:03 AM » above. Your team and yourself are a real life-enhancing inspiration, and since I’m contemplating acquiring a Samsung Ativ Q [ Win8 | Android 4.3 ] ultrabook/tablet hybrid, the lessons I’ve learned through this process from you will no doubt save me a shed-load of security-related hassles later on: love on ya, essexboy! <Big Thank You Hug ;D >

Peace-&-Love, Tim

It was a pleasure to assist and thank you for the kind words… You may delete the fix.bat (I forgot about that :-[ )

Keep safe and enjoy :slight_smile:

Hi EssexBoy,

I haz a frowny face.

http://imgc.allpostersimages.com/images/P-473-488-90/64/6451/3WAH100Z/posters/david-sipress-man-with-a-frowny-face-looks-at-picture-of-smiley-face-and-thinks-those-cartoon.jpg

I have not had the opportunity to dip back in to my Win7 partition to do web site update conformance testing until today – and now Win7 won’t start up normally… ARRRGGHHH! >:(

Win7 will start up in Safe Mode, but when I try a Normal Mode start up, at the end of the process, after the ‘Welcome’ screen, where I would expect to see…

  • desktop background
  • desktop [ icons | widgets ] in the foreground
  • Win7 taskbar

…instead all I see is a jet black screen with the white Win7 pointer cursor, which responds as expected to trackpad input by moving around; I have ‘Sticky Keys’ enabled by default, with audio feedback switched on, and the modifier keys moop and neek appropriately and as expected, when pressed. :o :slight_smile:

So… what the dickens has gone wrong now, I wonder?

And more to the point… can you and/or your Magnificent Malware Analyst team mates please, Please, PLEASE help me get back to where I was* before I first posted here a week ago: ie – Win7 works normally?

  • of course, that’ll actually be Win7 works normally AND all prior malware infections have been exterminated!, for which I remain, of course, very grateful indeed

Yours in hopeful supplication, Tim

OK, prior to this did you do any updates at all (specifically Windows ones)?

To recap: it was working OK, you shut down, and then when you restart you just get the black screen.

Now you mention it, several days ago, back when Win7 was running normally, I do seem to recall hitting a ‘Postpone by 4 hours’ option button on a Win7 ‘Updates ready to install’ pop-up alert. So it is conceivable that today’s Big Black Blank Screen wonkyness when running in Win7 “Normal” (sic) Mode is indeed consequent upon the [ background | start up ] installation of those postponed Win7 updates. :-\ ???

I’m betting you know the elegant way to resolve this self-harming behaviour of Win7, amirite? :slight_smile:

Yep, there have been a few cases where Windows Update has messed Windows up.

OK, from Safe Mode run Avast and select Security > Behaviour Shield
Select Settings (top right)
Select Trusted Processes
Add the following two files :

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
C:\Windows\explorer.exe

Then OK out and try a normal boot

Hmmm…

http://i22.photobucket.com/albums/b336/dalinian61/Error-Corrections/avast/AddTrustedProcess_zps2de4b246.jpg~original

Unfortunately, it only seems like I can add trusted processes

I seem to be able to successfully add ‘C:\Windows\explorer.exe’ to avast!’s ‘Trusted Processes’ list by [browse]ing to it (But… see below).

However… with ‘show hidden files and folders’ switched on in the Folder Options control panel, when I [browse] to C:\Windows there is no ImmersiveControlPanel directory to be seen. And if I search inside C:\Windows on the string ‘SystemSettings’, then the search terminates with a ‘No items match your search’ result. Nevertheless, I can just copy-&-paste the string ‘C:\Windows\ImmersiveControlPanel\SystemSettings.exe’ into the ‘(enter process name)’ field then hit the [Add] button, and it would seem like I’ve added ‘C:\Windows\ImmersiveControlPanel\SystemSettings.exe’ to avast!’s ‘Trusted Processes’ list.

http://i22.photobucket.com/albums/b336/dalinian61/Error-Corrections/avast/NoImmersiveControlPaneldir_zps934d20e2.jpg~original

No such folder as ‘ImmersiveControlPanel’ in my ‘C:\Windows’ directory

http://i22.photobucket.com/albums/b336/dalinian61/Error-Corrections/avast/NoSystemSettingsdotexe_zps0c192154.jpg~original

No files with filenames containing the string ‘SystemSettings’ exist within my ‘C:\Windows[…]’ directory tree

But…
Once I hit the [OK] button, if I go straight back to confirm that avast! has indeed remembered which processes are to be trusted, then the ‘Trusted Processes’ list shows up as blank and empty as when I first located it.

So this evidence would seem to suggest that:
(1) neither the ‘ImmersiveControlPanel’ directory nor its ‘SystemSettings.exe’ executable exist within my ‘C:\Windows[…]’ directory tree
(2) avast! cannot be obliged to remember which processes to trust (techno-Alzheimer’s? :o :frowning: )

Needless to say, given these shortcomings, after trying to school avast! in which processes to trust in Safe Mode, then rebooting Win7 into Normal Mode simply repeats the Big Black Blank Screen error state. So I’d very much welcome any further ‘what to try next’ remedial action suggestions.