Microsoft Zeus Virus Detected Critical Alert

Hello,

This computer’s hard drive was likely remotely accessed and compromised due to an official looking and professional sounding Microsoft Critical Alert warning against closing the web page or shutting down the computer. No payment was made; however, the remote access software used was <snip>. Some of the multi-tasking processes noted, commands used and possible files affected were (and not in accuracy or precise order):

• Run Citrix Online Starter
• Remote fixing
• Run: devmgmt.msc
• C:\WINDOWS\System 32\CMD – DIR /S
• Citrixonlinelauncher.exe-074A6C2C.pf and C:\WINDOWS\Prefetch
• Diagnostic identification and notification of an error code for IP address infection by conflicker worm but conficker was referenced via wikipedia.
• Network identified as not protected and permission was requested to connect the call to a network expert (via Citrix)

Issues Found Post Zeus Virus Adware:


#1: Both msiexec.exe and MSIEXEC.EXE-2F8A8CAE.pf were found in Windows XP Task Manager (and/or Explorer Search).

• While Malwarebytes 2.2.1.1043 didn't detect any malware or adware, 200-plus malware/adware were detected by Superantispyware.
• Although neither application was running after installing and running Free Supersantispyware scan, MSIEXEC.EXE-2F8A8CAE.pf was still there in C:\WINDOWS\prefetch. I just did an Explorer Search and neither file was found.
• After the scan, Superantispyware was uninstalled.

#2: Because of the Zeus Virus Microsoft Critical Alert Adware on 12/5, I also discovered an IP address 61.135.132.59 (Beijing, China) was encoded in the web exclusions of my Malwarebytes scan v 2.2.1.1043 with the Add/Remove functions disabled (grayed out). It’s possible that Malwarebytes scan wasn’t working for a long time and well before 12/5 due to the encoded web exclusion.

These breaches may or may not be related to the Microsoft Zeus Critical Alert pop-up. I have since uninstalled Malwarebytes 2.2.1.1043, ran the mbam-clean utility and rebooted the computer and then I installed the newly release Malwarebytes 3.0.4. Malwarebytes did not detect any malware or virus. However, I can't really trust the new Malwarebytes either because there are settings and operating glitches where Malwarebytes was stuck in updating files and cannot be terminated in Windows Task Manager or in anyway during the second scan. I had to uninstall, run mbam-clean, reboot, redownload, uninstall, reinstall and run the scan. I haven't run the scan a second time yet to see if the scan will update w/o getting stuck. In any case, I believe there were PUPs found in a few of the 5 ReadMeFirst scans logs.

My Questions Are:

1. Can you tell based on the remote software technology and the commands used, can the scammer actually have a copy of the hard drive or removable thumb drive? How long do the scammers have access to the computer information through a remote access software? Does the hard drive information disappear as soon as the remote support session ends or can they have it indefinitely? And can they have remote control of the computer indefinitely?

2. I know my Windows XP need to be replaced urgently, but I haven’t had the time to do any in-depth reading or research on the pros and cons of buying a Mac vs Windows. Do you have an opinion?

3. Would you kindly review the five attached required ReadMeFirst logs and guide me in removing all malware and adware on this computer?


Thank you

 

Hi Chaslang, thanks for the written instructions. I will do my best in completing it.

Q1: I do not have the executable analyse.exe under G:\MGtools as instructed or anywhere on the hard drive. I did a Windows Explorer Search for the executable on the entire C:\ drive and it yielded "Search is complete... no results to display". Therefore, which executable should I use to run HijackThis-MGtools if there is no analyse.exe?

Regarding what specific actions were taken during "Network identified as not protected and permission was requested to connect the call to a network expert (via Citrix)".

My impression and a review of my scattered written notes on the probable sequence of event is that there are two distinct phases of the technical support involving two different people. The first part, the more technical and lengthier of the two, appears to involve downloading Citrix Online Launcher to \Local Settings\Application Data\Citrix as well as \Plugins in establishing remote access connection as well as allow virtual written communication through Notepad. After running commands for devmgmt.msc and C:\windows\system32\cmd.exe -DIR /s and programs running through DOS, the first tech diagnosed and referenced the worm infection on my IP address. And because it was determined that my network was not protected, he asked for my permission to transfer the call to a network expert.

I talked to the Network Security Tech probably for less than 5-10 minutes because the nature of the call was more of a sales than a technical support call. He first assured me the IP address infection and network problems would not require me to go out and buy a new computer. He explained that local ISPs do not provide IP network security. As soon as he said he will install a fee-based software on my computer, I objected and asked if he would allow software to be installed on his computer without vetting the security service provider or the security software if the role was reversed. The network security expert started talking fast and over me a bit on matters unrelated to my computer security problem or how his security software and service would be the technical resolution. And because the support call was taking on the focus of a sales call, I ended the call by asking for the price of the service/software, his direct line so we could get connected again after I do some research on the security software (Advanced Level Security) and the company providing the service (TechZcare, Virginia) he is offering. As far as I know (and not a techie), no commands or changes were made or programs were downloaded to the computer during this shorter second part of support phase because just before we ended the phone conversation with a possible call back on my part, the network tech click on the malware/Microsoft Critical Alert screen to show me how my computer screen remained locked and unresponsive.​

Waiting for your instructions on the missing MGtools analyse.exe before proceeding.

 

Chaslang, I ultimately did find analyse.exe in the MGtools directory after a closer look of the files.

You listed a total of 3 lines to be fixed in HijackThis. I found an extra line of O2-BHO: (no name) – { } – (no file) line in HijackThis System Scan, so a total of 4 lines were fixed in my case. I hope it was okay to do so.

Attached are the 3 the scanned log files:

• OTM MovedFiles 12212016.log
• JRT 12212016.txt
• MGlogs 12212016.zip

Super grateful for your expertise. Please let me know what this all means. I will report back how the computer is running sometime tomorrow. First, I need to get some sleep.

 

Happy Holidays, Chaslang,

Yes, I already found and executed analyse.exe. Please review the attached 3 scanned logs in the previous response and let me know what you see and if my computer is clean.

My computer seems to be working as before, but I am still reviewing and working on installing security software. Thanks.

 

Good to know the 3 logs are clean.

NOTE: No AV program is currently installed. Only Malwarebytes Free 3.0.5 is installed. Avastclear.exe was run last week in preparation for conflict-free fresh AV install later. Could you please help with removing any remaining registry, drivers and services associated with Avast, Symantec, Trendmicro, or Ad-Aware by Lovasoft with the help of FRST.txt and Addition.txt?

Do I need to worry about Accounts ASPNET and Guest - Limited Enabled and Guest HelpAssist - Limited-Disabled listed on Addition.txt as being remote access accounts? Please advise.


Attached are FRST.txt and Addition.txt from running Farbar Scan Tool yesterday on 12-26-16.

 

Am I suppose to get an attachment fixlist.txt from you?
Just want to confirm FRST64.exe is the same FRST.exe (Farbar Recovery Scan Tool) I ran yesterday?

 

I’m not sure if the Farbar Fix completed or not. I ran FRST.exe and clicked on Fix as instructed. In the middle of Farbar Fix, the standard Windows Error Reporting dialogue box came up asking to send error report to Microsoft. I clicked on “Don’t Send” and a Fixlog.txt was generated nevertheless. My computer also didn’t not reboot automatically. I rebooted the computer manually just in case.


Do I need to rerun Farbar Fix again or differently?

Can I and should I install and run an AV program now?


See attached Fixlog.txt

 

Success! After numerous failed attempts at running Farbar Fix in Safe Mode, the fix is completed and the computer reboots automatically. Double-clicking instead of right clicking on FRST.exe in Safe Mode seems to be the trick in running the fixlist.

3 Outstanding Problems:


Windows could not boot in Safe Mode Windows XP Home Edition on the first attempt. The first error message when booting into Safe Mode-Windows XP Home Edition: "Windows could not start because the following file is missing or corrupt. Please reinstall a copy of <windows root>\system32\hal.dll" How do I reinstall hal.dll and restore Windows XP Home Edition Safe Mode functionality?

On the second attempt in booting into Safe Mode but via Windows <default>, I logged in as Administrator, but FRST.exe and Fixlist.exe were not on the desktop and there was no Internet connection. I could neither configure the desktop display nor establish internet access. Windows would not keep the display resolution I set so I can reconfigure the browser home page or get Internet connection. How can the Administrator account in Safe Mode be totally lacking in basic reconfiguration capability let alone administrative rights? Does this mean I should have logged in the Owner instead of the Administrator User Account? If so, should I and how do I make Owner the Administrator Account and should I then delete the Administrator Account?

Booting up the computer in Safe Mode on the third try to run Farbar Fix was via the Windows Recovery Console option. A system error message was generated: “INF file txt setup.sif is corrupt or missing. Status 14. Setup cannot continue. Press any key to exit. What is the proper fix for this problem?

Please review the attached fixlog.txt What do you think? Is my computer clean now? What should I do next?

Thanks for all you do.