Infected Files Regenerating Folders

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by barnstormer, Mar 26, 2016.

  1. barnstormer

    barnstormer Private E-2

    I realize this is an old thread, but I'm fighting the same battle with the exception of how easily the OP was able to remove it. It has even survived reimaging of the machine making me wonder if the BIOS has been infected.

    While the computer is idle, Avast will alert, "Threat detected," and two files will have been moved to the Virus Chest. One will be a png, jpg, gif, or other graphic file and in my case will be named mqxrv[1].png, gif, jpg, bmp, etc. It will be in a randomly named folder in the following path:

    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content IE5\ and then a folder with a name such as 7F55NDP8

    The second file will be named x, and Avast will have removed it from C:\Windows\system32

    I have run Malwarebytes, Kaspersky Virus Removal Tool, Stinger, Hitman Pro Sidekick, Spybot, CCleaner, ATF Cleaner, Avast, Combo Fix, and a few others before finally reimaging the machine to factory ship state.

    It should be noted that Avast finds nothing when it scans, but every few hours will randomly report that a threat has been detected when these files appear and they're immediately moved to the Virus Chest.

    Avast reports it as Win32: Dropper-MCQ [Drp]

    The machine is a Lenovo T61p Thinkpad running XP Professional SP3.

    Any help would be greatly appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    What thread is an old thread? This is a new thread you just started today as a new member!!

    Again I have to ask what thread you are referring to.

    I doubt it. I have not seen a true BIOS infection in close to 10 yrs.

    It just sounds to me like Avast is cleaning up the junk that is getting put on your PC during surfing sessions. However if you want to full check your PC for malware you need to follow the instructions in the below:

    READ & RUN ME FIRST Malware Removal Guide (incl. spyware, virus, trojan, hijacker)

    But it is very likely that nothing will be found since you just formatted. Are you certain that you did not reinstall the problem yourself from some infected backup files, or that you did not keep surfing the same old questionable websites ( that is assuming you are taking risks with where you surf )?
     
  3. barnstormer

    barnstormer Private E-2

    Thank you for the reply.

    I apologize. I posted in an old thread, but apparently that is frowned upon here. An admin must have split this from the original thread and didn't leave a URL for you to refer to. The original thread is here:

    http://forums.majorgeeks.com/index....les-and-system32-folders.211553/#post-1947409

    As for Avast, I just reimaged from the hidden partition yesterday. It was a clean install and I haven't moved any back up files yet, nor surfed anywhere short of downloading Mozilla and upgrading IE.

    Then today it started finding the same two files. Avast isn't doing a scan at the time. You'll just be sitting in the room and hear the audio say, "Threat detected." Then when I go over there it will have found the same two files and moved them to the virus chest. Then a couple of hours later, it'll happen again, and again, and again all day and all night. It'll find "x" in C:\Windows\System32, and it'll find mqxrv[1].gif, png, jpg, bmp, etc. in
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content IE5\ and then a folder with a name such as 7F55NDP8

    What I find most odd is nothing finds a problem during a scan.
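    As an added illustration, not code from the thread or its participants: a small Python scanner for the two artifacts described above, the mqxrv[1] graphic under a service profile's Temporary Internet Files and the file named x in system32. It records the hash and modification time of each hit, so successive Avast alerts can be compared (same payload returning, or a new one) and lined up against the times of the svchost errors; the directory layout is built in a temporary folder and the folder names are assumptions based on the paths quoted in the posts.

```python
import hashlib
import os
import re
import tempfile

# Artifact patterns taken from the thread: a graphic named mqxrv[1].<ext>
# under a service profile's IE cache, and a file named "x" in system32.
CACHE_NAME = re.compile(r"^mqxrv\[1\]\.(png|gif|jpg|bmp)$", re.IGNORECASE)
SERVICE_PROFILES = {"NetworkService", "LocalService"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_artifacts(root):
    """Return sorted (kind, path, sha256, mtime) tuples for every matching artifact under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        parts = dirpath.replace("\\", "/").split("/")
        svc_cache = not SERVICE_PROFILES.isdisjoint(parts) and "Temporary Internet Files" in parts
        sys32 = parts[-1].lower() == "system32"
        for name in files:
            full = os.path.join(dirpath, name)
            if svc_cache and CACHE_NAME.match(name):
                hits.append(("service-cache-graphic", full, sha256_of(full), os.path.getmtime(full)))
            elif sys32 and name.lower() == "x":
                hits.append(("system32-x", full, sha256_of(full), os.path.getmtime(full)))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed tree mirroring the thread's paths (Content.IE5 is the real folder name)."""
    cache = os.path.join(root, "Documents and Settings", "NetworkService", "Local Settings",
                         "Temporary Internet Files", "Content.IE5", "7F55NDP8")
    sys32 = os.path.join(root, "Windows", "system32")
    for d in (cache, sys32):
        os.makedirs(d)
    for path, data in [(os.path.join(cache, "mqxrv[1].gif"), b"GIF89a-constructed"),
                       (os.path.join(cache, "logo[1].gif"), b"benign cached image"),
                       (os.path.join(sys32, "x"), b"MZ-constructed"),
                       (os.path.join(sys32, "kernel32.dll"), b"benign")]:
        with open(path, "wb") as f:
            f.write(data)

def demo():
    """Build the constructed tree in a temp dir, scan it and return the kinds of hits found."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return [kind for kind, _p, _h, _m in scan_artifacts(root)]
```

Running the scan again after each alert and diffing the hash column shows whether the identical file keeps coming back, which is the question the thread never gets to settle.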
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is most likely just junkware that is getting into the system folders and perhaps Avast really cannot cleanup the NetworkService ( and likely the LocalService ) folders automatically. Even disk cleaning tools do not cleanup these folders automatically in most cases. CCleaner has an Addon called Winapp2.ini that adds these to the Applications tab part of CCleaner to allow cleaning the junk in them. See: http://www.winapp2.com/howto.html
     
  5. barnstormer

    barnstormer Private E-2

    It would appear you're on the right track. I haven't done anything so far other than running Ccleaner from Step 5 in the above assigned instructions, and I think yesterday I ran ATF Cleaner since it had proved successful in the first thread on this malware. Today it doesn't appear there have been any more incidents. I suppose I have either discounted Ccleaner's abilities or greatly overestimated the other utilities I have used. I still find it very bizarre that whatever this is/was survived everything from Kaspersky, Stinger, Hitman, Malwarebytes to Combo Fix and was taken out by Ccleaner. The fact that it survived reimaging has me very baffled.

    Something seems to have been damaged though, as I'm getting some lock ups and svchost errors. If this thing is really gone I should probably go ahead and reimage again before loading software just to be sure Windows isn't missing anything.

    I'll keep you posted.
     
  6. barnstormer

    barnstormer Private E-2

    Well it just happened again. "Threat detected," and the files were moved to the vault. I have added Winapp2.ini to Ccleaner. I added the ini file to Ccleaner and checked the boxes for the three NetworkService options; Cookies, History, & Temporary Internet Files.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    And did you run the cleaner? And has it happened again since cleaning?
     
  8. barnstormer

    barnstormer Private E-2

    Yes, I have run the cleaner and the add-on ini to clean the NetworkServices directory, and yes it has happened again since running those.

    Thanks for the follow up.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you also clean the LocalServices folders?

    Okay, then see my first response with a link to the READ & RUN ME if you wish to properly check your PC for malware. I expect that Avast is just finding general junk and that there is no real malware; however, the only real way to know is to run the complete process and attach the logs we ask for.
     
  10. barnstormer

    barnstormer Private E-2

    No, I only cleaned the NetworkServices Folder. Would you like for me to rerun it on LocalServices?

    All scans have been completed and logs are attached. tdsskiller found nothing.

    Perhaps, but something isn't right. After Avast finds the files either a lockup will occur or a svchost error and a lockout or sluggish issue.

    Sorry for the delay, but it's been a crazy week here.

    Thanks again.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes repeat again for both NetworkServices and LocalServices.

    I'm not really thinking this is a real problem, but let's also run a couple other tools.

    Please download the latest version of FRST from the below link.

    Farbar Recovery Scan Tool and save it to your Desktop.

    Note: Make sure you download the proper version ( 32 bit or 64 bit ) for your PC. Only one will run, the correct one. So if you make a mistake and download the wrong one, go back and get the other.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

    Make sure that your antivirus is disabled. See the below link for help on disabling it.

    How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
    • Please download ZOEK and save it to your desktop (preferred version is the *.exe one - upper left corner).
    http://hijackthis.nl/smeenk/

    • Attached to the bottom of this message you will find a file called zoekscript.txt
    • Download it too and save to your desktop - it needs to be in the same location as the ZOEK tool
    • Drag zoekscript file and drop it onto ZOEK icon - this should launch the program:
    • The scan may take a while and may need a reboot.
    • Upon completion a file zoek-results should appear.
    • Attach it to your next reply.
     

    Attached Files:

  12. barnstormer

    barnstormer Private E-2

    Sorry for the delay in responding, but I've been buried. I have done some research, however, and am afraid this is more malicious than I thought. I found a few cases that were exactly on point with what I'm fighting and it seems that another reimage is the only way to go; especially since the file corruptions have made the system so unstable. I'm not sure how it survived the last reimage, but instead of reimaging from the hidden partition, I think I'll try making a set of recovery disks, deleting the partition, reformatting and reinstall.

    This first link is right on point. The second one is very, very close with a different variant I assume:

    http://www.bleepingcomputer.com/forums/t/340048/infected-with-wormconficker/

    http://www.bleepingcomputer.com/forums/t/304752/help-with-xexe/page-2
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I haven't seen any real cases of Conficker for a very long time. It's not impossible that this is Conficker but hard to tell from logs posted thus far. Your MGlogs.zip file from MGtools was very incomplete and if complete may have provided some important information. If you have not performed the reinstall yet I would like to see you run MGtools.exe again ( make sure you use Run As Administrator and that you let it run to completion ) and then attach a new MGlogs.zip file. Also the FRST log would have been really helpful. We have fixed many cases of Conficker in the past when it was prevalent.

    However, if you have a Virut type infection then this is a clear case where a reinstall is best. The important thing with Virut infections is that you cannot keep any of your old files and you cannot reinstall/reuse any of them from backups unless you are 100% certain that the backups came from a time when you had not been infected. Reusing just one single file that is infected will spread this infection all over again. And also if you had network drives ( shared drives/PCs ) they could also be infected.
     
  14. barnstormer

    barnstormer Private E-2

    Sorry for the delay in replying. I missed this notification coming into my email box. I still haven't had time to reimage, but came back here to see what the infection was because of something that happened yesterday. While doing some network tests I realized my IP was blacklisted in CBL. When I went to investigate, this is what I found:


    IP Address xx.xx.xx.xx is listed in the CBL. It shows signs of being infected with a spam sending trojan, malicious link or some other form of botnet.


    It was last detected at 2016-05-17 12:00 GMT (+/- 30 minutes), approximately 6 hours ago.


    This IP is infected (or NATting for a computer that is infected) with the Conficker botnet.

    So it appears that is the likely culprit. My worry now is that computer hasn't been on the network since my last post, so if CBL is correct the infection must be elsewhere on this LAN as well, but I can't seem to find it. What tool is best?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A fully updated Windows PC really should not get a Conficker infection. Your PC is on Windows XP SP3, but I cannot tell if you had all patches installed. It is however an insecure and unsupported operating system. If you have more PCs like this on your network then they can also be infected and problematic.

    Please run the below anti-rootkit tool from Malwarebytes.
    • Download Malwarebytes Anti-Rootkit
    • If you happened to get a ZIP file version instead of an EXE file then unzip the contents to a folder in a convenient location.
    • Open the folder where you saved Malwarebytes Anti-Rootkit to. Now run mbar-1.07.0.1009.exe ( If running Vista, Win7 or Win 8, use right click and Select Run As Administrator )
      • Note: This filename will change as new versions are released, so this is just an example.
    • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
    • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
    • Wait while the system shuts down and the cleanup process is performed.
    • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
    • If no additional threats were found, verify that your system is now running normally, making sure that the following items are functional:
      • Internet access
      • Windows Update
      • Windows Firewall
    • If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included with Malwarebytes Anti-Rootkit and reboot.
    • Verify that your system is now functioning normally.

    Please do the below so that we can boot to System Recovery Options to run a scan.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.


    Plug the flashdrive into the infected PC.

    Enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

    Now please run the below so we can attempt to get a complete log from MGtools.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7, Win8 or Win10, don't double click, use right click and select Run As Administrator).
    Then attach the below logs:
    • the Malwarebytes Anti-Rootkit log
    • the FRST.txt log
    • C:\MGlogs.zip
     
