Windows Firewall warning messages and explorer restarts

Discussion in 'Malware Help (A Specialist Will Reply)' started by ElLoco, Apr 16, 2008.

  1. ElLoco

    ElLoco Private E-2

    Hello,

    I'm facing some problems which I think are linked to a virus/trojan. I ran a setup which contained a virus which my virus scanner reported. However it crashed my Windows Vista and since the reboot I'm facing some problems. My explorer seems to be restarting every so often and I receive warnings from the Windows Vista firewall. I'm not 100% sure that it's my explorer that's restarting but my screen flickers and some or all programs are killed which is a pain if you need to do long scans.
    The firewall warnings are all of the following structure:
    "Windows firewall has blocked some features of this Program.
    Unblock Keep on blocking"

    In the details it says something like "program blocked from accepting incoming network connections". This occurs for all types of applications (e.g. task manager, notepad, ...).
    I ran the Vista Cleaning Procedure Steps twice because I forgot to remove the restore points and I thought the virus redeployed because of this. However after running it twice I'm still facing the same problems with the Windows firewall and with the explorer restarting.

    Can anybody help me out? Is this a Trojan/Virus or just my system being messed up?
    I added two zip files with the results of my two scans.
    Much appreciated,

    El Loco
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The READ ME does not ask you to remove your restore points until all malware has been verified to have been removed. This was a bad idea since using System Restore may have been an easy/only way to recover from your problem if we do not see any malware reasons for them. But let's see what we can find and go from there.;)

    Why are you approving all the malware to have access thru your firewall? I see a load of things in the list of approved applications for your firewall. You should go thru your list of approved items and remove any that you do not recognize. Here are a few that I quickly notice:

    Uninstall the below old versions of software:
    Java(TM) 6 Update 3

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
    O11 - Options group: [java_sun] Java (Sun)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Apr 17, 2008
  3. ElLoco

    ElLoco Private E-2

    Chaslang already thanks for the help.

    Regarding the Windows Firewall entries allowed to have access.
    I didn't allow those applications to have access. I always clicked keep on blocking. However during one of my many virus scans I found a virus called something like FirewallBypass so I think this has something to do with it. In my allowed programs in the firewall they were not indicated as allowed either, no tick in the tickbox. To be sure I removed them from the list too.

    I did the actions you requested and attached the log files.
    Currently I seem to still have flickers on my screen of about 1 sec, explorer crashes and random closing of applications. I'm not having the windows firewall issue anymore.

    I also ran avast last night which found some viruses Win32:Sality in a couple of files. Before I ran your hints, avast bluescreened my computer because it did a quick scan when logged in. I had the same problem when I wanted to run AdAware yesterday. The error message was:
    STOP: 0x0000008E (0x0000005,0x0034006D,...)
    I looked on the internet and this could also be due to a virus. Currently after your hints I'm not having the blue screen anymore when avast does it quickscan. But maybe this is valuable information.

    The registry entries were successfully imported.

    I hope that my new logs are showing improvements.
    Thanks for the help already!

    El Loco
     

    Attached Files:

  4. ElLoco

    ElLoco Private E-2

    Cheered too quickly. The firewall issues are also still appearing as are the explorer restarts.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One of the worst things you can do (besides malware) to your PC is to install multiple antivirus programs. We even stated right at the beginning of the READ ME that you must not do this. You have to uninstall all but one antivirus program name. I quickly noticed Avast and Avira. Pick one and only one and uninstall ALL others immediately!! It appears that you recently have installed quite a few which is not a good thing to do. It most likely has cluttered up your registry with thousands of left over registry entries from all of these programs.

    You still need to cleanup your Allowed Applications List in your Windows Firewall. I still see all of those entries. In fact I will give you a registry patch down below to try and remove everything from the approved list and we are going to install a better firewall since the Windows Firewall still leaves much to be desired.

    You also added more things to the list that do not need approval as they do not try to access the network. I see the below:
    "C:\\cf\\psexec.cfexe"= C:\cf\psexec.cfexe:*:Enabled:ipsec
    "C:\\MGTools\\grep.exe"= C:\MGTools\grep.exe:*:Enabled:ipsec
    "C:\\MGtools\\zip.exe"= C:\MGtools\zip.exe:*:Enabled:ipsec
    "C:\\MGTools\\swwhoami.exe"= C:\MGTools\swwhoami.exe:*:Enabled:ipsec


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Now install a real firewall: Comodo Personal Firewall

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
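    The approved-application entries quoted above follow the `path:scope:state:description` shape of the Windows Firewall authorized-applications list. As an added example (not code from this thread or from MajorGeeks), a small Python auditor that parses such lines and flags the ones a user should review: the sample lines, the EXPECTED allow-list, the registry path named in the comment and the three review heuristics are assumptions of the example, not something the thread states.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape the post above quotes. On XP/Vista this list
# normally lives under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\
# Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List, with
# value name = escaped path and value data = path:scope:state:description.
SAMPLE = r'''
"C:\\cf\\psexec.cfexe"= C:\cf\psexec.cfexe:*:Enabled:ipsec
"C:\\MGTools\\grep.exe"= C:\MGTools\grep.exe:*:Enabled:ipsec
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"= C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox
"C:\\Windows\\notepad.exe"= C:\Windows\system32\notepad.exe:*:Enabled:ipsec
'''

# Non-greedy path group: the drive-letter colon is skipped because the
# scope/state/description tail must still match after it.
ENTRY = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?P<path>.+?):(?P<scope>[^:]*)'
    r':(?P<state>Enabled|Disabled):(?P<desc>.*)$')

# Assumed allow-list: programs this user expects to accept inbound connections.
EXPECTED = {"firefox.exe"}


def parse_entries(text):
    """Return one dict per parseable line, with the value name unescaped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["name"] = entry["name"].replace("\\\\", "\\")
            entries.append(entry)
    return entries


def audit(entries):
    """Return (path, reasons) for entries a defender should review."""
    findings = []
    for e in entries:
        reasons = []
        exe = PureWindowsPath(e["path"]).name.lower()
        if e["state"] == "Enabled" and exe not in EXPECTED:
            reasons.append("enabled but not on expected list")
        if e["name"].lower() != e["path"].lower():
            reasons.append("value name and path disagree")
        # Every suspect entry quoted in the thread carries the generic
        # description "ipsec"; treat that as a review hint, not proof.
        if e["desc"] == "ipsec":
            reasons.append("generic 'ipsec' description")
        if reasons:
            findings.append((e["path"], reasons))
    return findings
```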
     
  6. ElLoco

    ElLoco Private E-2

    I tried to execute combofix but I am unable to execute it. It starts and then says it is going to change the clock and after that I get a black screen. In safe mode I get a BSOD: STOP:c000021a.

    The registry merge was successful.

    I installed the Comodo firewall and I'm worried now. I seem to be getting a lot of messages about different applications trying to modify exe files on my disk. I keep blocking them but they keep on coming. e.g. Firefox.exe is about to modify the contents of C:\Data\...\bla.exe

    However since I'm just now seeing that the virus is also affecting all my exe files and it hasn't been picked up by Windows firewall and my avast virusscanner I'm wondering if they are not already all infected.

    I'm seriously considering formatting my computer because now I'm getting the closing of the programs again as in my initial post and the restarts. Is it possible for me to copy all my data to a second hard disk, reinstall Windows, recopy them to my first disk, run a virusscan and hope that the virusscanner picks up the viruses?
    Or should I just delete all my applications (.exe files), copy my personal data (mail, docs,...) and reinstall to be sure I don't get infected again?
     

    Attached Files:

  7. ElLoco

    ElLoco Private E-2

    Which virusscanner do you recommend if I would reinstall or to at least still try to find the infected files now?
    Thanks,

    El Loco
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I will give you a different fix below.

    It could be normal activity. Without seeing exact details I cannot say. Even what you mentioned about bla.exe is incomplete and does not give full or correct information. I don't think you have a folder named C:\Data

    It is your choice on what you wish to do. You must be very careful not to back up and restore any infected files which is not easy to do if you don't know what is infected. One approach would be to not backup anything that could be considered an executable file. You do have a bunch of problems! Some may be malware but some are not. Some are due to what you have done by installing multiple antivirus applications. Even now, the antivirus programs that you do have installed are not running properly and my fix below will correct this.

    Begin by uninstalling avast! Antivirus which appears to be broken.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [runspysweeperscheduleatstartup] "C:\Windows\system32\msfeedssync.exe" /ScheduleSweep=User_Feed_Synchronization-{8CA40A34-EE34-4E7A-8B87-A7206F483208}

    After clicking Fix, exit HJT.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now download and install this: AVG Free Edition Make sure you check for updates and then run a Full Scan on your PC.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\avenger.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  9. ElLoco

    ElLoco Private E-2

    Sorry about the late response.

    I reinstalled my computer over the weekend deleting all exe files on my data disk since some of them were infected also. I needed to reinstall windows anyway to enable AHCI on my SATA disk so it wasn't a big issue. However I would like to thank you Chaslang for your help.

    This thread can be closed.

    El Loco
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

