I really need some help please from suspected Malware/Repeated intrusion attempts

Discussion in 'Malware Help (A Specialist Will Reply)' started by Carla15, Dec 21, 2013.

  1. Carla15

    Carla15 Private E-2

    Hi there, I wonder if someone could please help with a problem I am having with Windows 7.

    I posted my initial problem in another forum; here is the background;

    SYSTEM

    - Windows 7 64bit Home Premium edition (Up to date).
    - Norton 360 (Up to date).
    - 8GB memory
    - Intel Core i7 processor.

    Everything was stable and running well until only recently.

    I have recently experienced repeated intrusion attempts, most of which seemed to have been successfully prevented by Norton, and I have also been receiving multiple zipped-up trojans each day via email (but these are always detected and quarantined with Norton). I called Norton tech support, and they assured me that Norton should be protecting me fine, that they could see no problems, and that the Norton software would let me know if there were. However, ever since these attacks began, I have experienced the following problems with Windows 7.

    - After start-up, sometimes only the task bar icons are active, and sometimes only the desktop icons are active. However, every now and then they both work at the same time, or are both frozen. This problem also reoccurs regularly while trying to use the PC; icons freezing, taskbar freezing, links freezing.

    - Desktop icons have moved location and have become randomised. They can no longer be dropped, dragged or moved, and are permanently fixed. I tried changing this in the options, but the problem remains.

    - Sometimes after opening a folder and/or a browser (Firefox or IE), for example, the folder window/browser freezes, and you cannot select anything within. Sometimes it unfreezes, but I have no idea why. Sometimes when you minimise/re-maximise the window it works again. Pressing Ctrl, Alt and Delete, and then closing some unused processes seems to temporarily unfreeze anything that is frozen.

    - Drop down menus on web pages; you can click the arrow to expand the list, but you need to use the cursor keys/enter to scroll/select, the mouse won't work.

    - Dragging and dropping files no longer works; either folder-to-folder, or straight into a related program. You can only open a file via navigating.

    - The middle mouse wheel is permanently disabled from scrolling down web pages.

    - Discovered that ending all of the 'Processes by all users' that are not needed seems to temporarily fix the problem/lessen it, but then it reoccurs, and I have to repeat the process.

    - No apparent performance issues when working/unfrozen.

    - In Safe mode the problems still occur.

    - Currently I can use my computer, and it seems secure, but I repeatedly experience the problems above which is frustrating.

    Norton scans and Malwarebytes scans find nothing. However, looking at the Norton security history has been strange, and a couple of entries seem to have changed from an initial 'High' level of security risk to 'Info' and 'no action required'. The entries in question appeared to be network attempt related, so I blocked communication with this IP. I had also recently downloaded the evaluation copy of Malwarebytes anti-malware software, and I noticed the problems actually spiked after I had installed it. After the scan I uninstalled it, and then the Windows problems seemed to become less severe/less frequent, but unfortunately still an issue. The desktop icons moved to the new position automatically after uninstalling the program. Changing the desktop theme also doesn't affect the icon locations, but the background changes fine.

    I was thinking of applying the last System Restore point, however, when I went to do this it said that no restore points had been created, and asked if I wanted to create one. I don't remember creating a system restore point, maybe once, however, I am certain I have run various scans in the past that had auto backed up with the system restore, and I was expecting to find these.

    I was wondering if there is a way that I can look for/fix just the damaged Windows components, if that is what is causing the problem?

    Re-installing Windows from scratch is not a realistic option, I have many programs/plug-ins installed that would take an eternity to re-install and re-configure (around 3 weeks).

    I have just performed a clean start-up, but the exact problem remained, so I assume the problem is within the core Windows services, as opposed to a background program?

    I was advised to re-install just the Windows 7 OS, but beforehand, I downloaded and ran all the scans as advised here http://forums.majorgeeks.com/showthread.php?t=35407

    Unfortunately I cannot appear to attach the requested scan logs, as the icons are greyed out. Perhaps a related problem. Although I am sure that the scans found something. Is it ok to post the scan log results as copy?

    Any help would be much appreciated, and I have had constant intrusion attempts for 5 days now :(

    Kind regards
    Carla
    x
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. :)

    Have you tried using different browser(s) to attach the logs?
     
  3. Carla15

    Carla15 Private E-2

    Hi Kestrel13!

    Thank you for your reply.

    I really need some help, especially as my second computer is now experiencing the same problems; frequent intruder attempts, security settings changing by themselves, Firewall rules creating themselves, a User folder called 'Default User' where accessibility is blocked for 'Everyone', IE security settings changing from the highest setting to 'Custom' by itself, one folder called 'DVD Maker', not an installation, just data, but located in my Program Files and needs permission from 'Trusted Installer' for access - I tried to uninstall with Revo Pro, even tried a forced uninstall in Safe mode/clean boot but still it remains, 'Documents and Settings' became inaccessible for Administrators (I managed to change this), 8 folders found in 'Users'; Me, All Users, Default, Default User, Public, TEMP, TEMP.PC_NAME, UpdatusUser, recycle bin is blocked and I keep having to manually close processes/services in Windows Task Manager under 'All Users' as I am unsure where exactly the malware is located...multiple problems etc. :(

    The System specs for the 2nd PC are the same as the main PC, albeit with a little less powerful hardware, and a slightly older version of Norton.

    Thanx for your advice, I have installed the most recent version of Firefox, and will attach the scan results of both PCs.

    Kind regards
    Carla
    x
     

  4. Carla15

    Carla15 Private E-2

    Hi Kestrel13!

    Thank you for your reply. I am not sure if my initial reply/upload was saved, as I cannot see it. Could you please let me know if I need to upload the scan logs for PC1 again?

    I really need some help, especially as my second computer is now experiencing the same problems; frequent intruder attempts, security settings changing by themselves, Firewall rules creating themselves, a User folder called 'Default User' where accessibility is blocked for 'Everyone', IE security settings changing from the highest setting to 'Custom' by itself, one folder called 'DVD Maker', not an installation, just data, but located in my Program Files and needs permission from 'Trusted Installer' for access - I tried to uninstall with Revo Pro, even tried a forced uninstall in Safe mode/clean boot but still it remains, 'Documents and Settings' became inaccessible for Administrators (I managed to change this), 8 folders found in 'Users'; Me, All Users, Default, Default User, Public, TEMP, TEMP.PC_NAME, UpdatusUser, recycle bin is blocked and I keep having to manually close processes/services in Windows Task Manager under 'All Users' as I am unsure where exactly the malware is located...multiple problems etc. :(

    The System specs for the 2nd PC are the same as the main PC, albeit with a little less powerful hardware, and a slightly older version of Norton.

    Kind regards
    Carla
    x
     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run Hitman Pro and have it delete Potential Unwanted Programs.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.


    Code:
    :Files
    C:\Users\Aerial\AppData\Roaming\die.bat
    C:\Users\Aerial\AppData\Roaming\inst.exe 
    C:\AI_RecycleBin
    
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large http://farm3.static.flickr.com/2782/4174320048_f01c448b32_o.png button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows 7 or Win 8.) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
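The OTM script pasted above has a simple line format (a `:Files` section of absolute paths to move, a `:reg` section where `[-HKEY...]` means "delete this key", and a `:Commands` section). The following is an added example, not OTM's own code and not from the thread: a Python parser that reads such a script into a reviewable plan and rejects mangled pastes, so the entries can be checked before anything is moved. The sample script embedded below is the one from this thread.

```python
import re

# OTM (OldTimer's tool) section headers; the real tool moves the listed
# files to C:\_OTM\MovedFiles and deletes the listed registry keys. This
# example only parses the script, it does not touch the file system.
SECTIONS = {":files", ":reg", ":commands"}
# A registry line such as [-HKEY_LOCAL_MACHINE\Software\...]: the leading
# "-" inside the brackets marks the key for deletion.
REG_LINE = re.compile(r"^\[(?P<minus>-?)(?P<key>HKEY_[A-Z_]+\\[^\]]+)\]$")

# Sample script taken from the thread above (the paths are that user's).
SAMPLE = r"""
:Files
C:\Users\Aerial\AppData\Roaming\die.bat
C:\Users\Aerial\AppData\Roaming\inst.exe
C:\AI_RecycleBin

:reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}]

:Commands
[emptytemp]
[Reboot]
"""

def parse_otm(script: str) -> dict:
    """Return {'files': [...], 'reg': [(delete, key), ...], 'commands': [...]}.

    Entries outside a section, unknown sections, relative paths and
    malformed registry lines raise ValueError so a bad paste is caught early.
    """
    plan = {"files": [], "reg": [], "commands": []}
    section = None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            if line.lower() not in SECTIONS:
                raise ValueError(f"unknown section {line!r}")
            section = line[1:].lower()
        elif section is None:
            raise ValueError(f"entry before any section: {line!r}")
        elif section == "files":
            if not re.match(r"^[A-Za-z]:\\", line):  # absolute local path only
                raise ValueError(f"not an absolute path: {line!r}")
            plan["files"].append(line)
        elif section == "reg":
            m = REG_LINE.match(line)
            if not m:
                raise ValueError(f"bad registry line: {line!r}")
            plan["reg"].append((m.group("minus") == "-", m.group("key")))
        else:
            plan["commands"].append(line.strip("[]").lower())
    return plan

def check_script(script: str):
    """Return None if the script parses cleanly, else the error message."""
    try:
        parse_otm(script)
    except ValueError as exc:
        return str(exc)
    return None
```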
     
  7. Carla15

    Carla15 Private E-2

    Hi Kestrel13!

    Thank you for your reply, and my apologies, I didn't realise the forum thread rules :)

    Ok I shall run through the steps shortly.

    Cheers again friend,

    Kind regards
    Carla
    x
     
  8. Carla15

    Carla15 Private E-2

    Hi Kestrel13!

    Just to confirm that I have now completed the steps as advised.

    Please see the additionally requested scan logs attached.

    Here is the latest:

    - My system still freezes, desktop icons, browsers etc.
    - Am still receiving intrusion attempts, seemingly detected by Norton 360 which lists them as Intrusion Prevention Engine started etc. and zipped up trojans via email. These emails sometimes seem to be coming from my own domain email address.
    - I still have a suspiciously large number of Users, some of which are inaccessible.
    - The DVD Maker folder in Program Files is still un-deletable, however, the permissions for 'TrustedInstaller' seem to have changed from All access to 'List Folder contents' only. Although I still can't change the permissions. I have also noticed in Task Manager that sometimes a process by 'TrustedInstaller' starts under All users called Windows Module Installer.
    - I have uninstalled several programs that had suddenly stopped working.
    - New processes that I haven't seen before occasionally activate themselves. I am manually closing everything I don't recognise that isn't essential to the system.
    - One of the most common things I am seeing in Norton 360 history is:

    Rule rejected UDP(17)
    traffic with (192.168.0.1)
    Port(2048)

    Kind regards
    Carla
    x
     

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Further elaborate please. I don't know what you mean.
    Such as which? Let me know.

    Everything else you mentioned, including the spam, can be discussed in the software forum. What email program are you using?
     
  10. Carla15

    Carla15 Private E-2

    Hi Kestrel13!

    Both my computers have identical OSes installed, Windows 7 64bit.

    When I look at my second PC at the following location, C:\Users there are only 3 folders within; 'My Username', 'Administrators' and 'Public'.

    However, at the same location on my main PC (the one with the more severe problems) there are now 8 folders, and there never used to be. As the OS is the same on both PCs, I was expecting to find the same number of folders at this location.

    I can confirm that on both PCs only one User account has ever been created by me.

    The 8 folders within C:\Users are:

    My Username, (I can access this folder as administrator).
    All Users (I can access this folder as administrator).
    Default (I can access this folder as administrator).
    Default User (I CANNOT access this folder as administrator, blocked for a user group or name called 'Everyone' denying access to all Users. - I have never created this user name or group).
    Public (I can access this folder as administrator).
    TEMP (I can access this folder as administrator).
    TEMP.PC_NAME (I can access this folder as administrator).
    UpdatusUser (I have no idea what this folder is for. Initially I didn't have access, but managed to change the permissions. It contains an 'AppData' folder and lots of shortcuts to places such as 'My Documents', 'Favourites' and 'Searches'. It also contains NTUSER.DAT, ntuser.dat.LOG1, and lots of .regtrans-ms files with names such as NTUSER.DAT{2b0a965a-f078-11e2-91a4-4061867a63ca}.TMContainer00000000000000000001.regtrans-ms).

    Also, whenever my computer freezes, I can click Ctrl, Alt and Delete to bring up the Task Manager, and then my PC seems to un-freeze. However, if I try to access Task Manager via right clicking on the Task Bar, Task Manager often crashes. I have had several random crashes over the last few days also (freezing to the point where the only solution is powering down).

    Well I tend to manually close down any unnecessary processes to try to increase free memory, and am quite familiar with the processes and services I should see. The only software I have installed since these attacks began are the malware related scanning programs, which I can see in Task Manager.

    If I go to Task Manager --> Show processes from all users --> There have been some unfamiliar processes appearing e.g. One I can see is called 'Windows Module Installer' and the User name next to it is 'Trusted Installer', which is also the user name/user group that has sole permissions over that DVD Maker folder I can't delete. It seems strange as I have never even created this User account. Another process that kept popping up automatically for the last few days was Microsoft Volume Shadow service. This process only began appearing after the problems and I don't know what it is for. This particular process hasn't appeared for a day or so now though. One other process that kept appearing yesterday was Virtual Disc Service, again I am unfamiliar with it and therefore suspicious, of course it is possible that I am just being a little paranoid with everything that is going on.

    Email program; I am using Windows Live Mail, configured to receive emails via my own domain .co.uk email address.

    Kind regards and Merry Xmas,
    Carla
    x
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi Carla.

    Everything that you mentioned there is indeed subject for the software forum. None of what you mentioned sounds suspicious but do go ahead and post in the other section if necessary.

    Merry Christmas. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click (if running Vista, Win 7, or Win 8, Right Click and Run As Administrator) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    8. After doing the above, you should work through the below link:
     
  12. Carla15

    Carla15 Private E-2

    Things have improved :) Thank you for all your help Kestrel13!

    Wishing you a very Merry Christmas and a Happy New Year =)

    Carla
    x
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Merry Christmas Carla! :)
     