1) shudder noises 2) soldierx files found

[nar]

Please see 4 attachments:

1- FRST Txt
2- Addition
3- 4 Questions for answer that includes
4- Windows Essential Scan Results - the original concern plus shudder/camera sounds when new page is opened especially sensitive info, though sound is shut down in Bios and webcam disabled.

 

Addition.txt

FRST.txt

[AdvancedSetup]

Hello @nar

 

Please visit this web page and read the ComboFix User's Guide:

• Once you've read the article and are ready to use the program you can download it directly from the link below.
• Important! - Please make sure you save combofix to your desktop and do not run it from your browser
• Direct download link for: ComboFix.exe
• Please make sure you disable your security applications before running ComboFix.
• Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
• Please attach that log file to your next reply.
• If needed the file can be located here:  C:\combofix.txt
• NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

[nar]

Combo Fix attached

Why so many registry key locked?

ComboFix.txt

[nar]

PS to Combo Fix

The shudder noise went off while Combo Fix in progress.  It went off again while writing the mail.

[nar]

PS to Combo Fix

1) The shudder noise went off while Combo Fix in progress.  It went off again while writing the mail.

2) Windows Update displays msg that Updates are off though I turn on every time that occurs.  After reboot msg again displays Updates are off.

[AdvancedSetup]

We're simply scanning to check for malware. Your issues may have nothing to do with malware but best to rule it out.

Please run the following and post back the logs as attachments when ready.

STEP 01
Please run a Threat Scan with MBAM. If you're unable to run or complete the scan as shown below, please see the following:
MBAM Clean Removal Process 2x
When reinstalling the program, please try the latest version.

Right click and choose "Run as administrator" to open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkit and Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button.
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.

Please restart the computer first and then run the following steps and post back the logs when ready.

STEP 02
Please download Junkware Removal Tool to your desktop.

• Shutdown your antivirus to avoid any conflicts.
• Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next reply message
• When completed make sure to re-enable your antivirus

STEP 03

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

• Right-click on icon and select Run as Administrator to start the tool.
• Accept the Terms of use.
• Wait until the database is updated.
• Click Scan.
• When finished, please click Clean.
• Your PC should reboot now.
• After reboot, logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

STEP 04
Download Sophos Free Virus Removal Tool and save it to your desktop.
 

• Double click the icon and select Run
• Click Next
• Select I accept the terms in this license agreement, then click Next twice
• Click Install
• Click Finish to launch the program
• Once the virus database has been updated click Start Scanning
• If any threats are found click Details, then View Log file (bottom left-hand corner)
• Copy and paste the results in your reply
• Close the Notepad document, close the Threat Details screen, then click Start cleanup
• Click Exit to close the program
• If no threats were found, please confirm that result.

STEP 05
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here.
• Please attach the Additions.txt log to your reply as well.

 

Thanks

 

[nar]

for Step 1 MBAM, should existing all MBAM programs be uninstalled first?  I'm running MBAM and MBAM anti-exploit.

[AdvancedSetup]

No, if they're working fine then leave them be. The reinstall is only if you're having an issue running them. Thanks Nar

 

[nar]

Attached are MBAM, JRT and AdwCleaner text files.

Ran into glitch on Sophos:
Windows pop-up:  "computer low on memory, please close and restart computer."
2nd pop-up:  "open programs"
It hung up at C:Windows\System32\en-US
it had run for about 1 1/2 hrs.  I selected Help, got chrome.exe application error:  0xc000012d.  "The application was unable to start correctly.

Do other AV need to be shut down when running Sophos?
What to do to resume Sophos?

JRT scan Nov 9.txt

AdwCleaner[C0] scan Nov 9.txt

mbam scan Nov 9.txt

[AdvancedSetup]

No, I don't think Sophos is going to find anything either since none of the other tools did at this point. Let's go ahead though and reset your browsers back to default.

 

Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your “Bookmarks” if you want to keep them, but you have to export them first – >> Export Bookmarks << – Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.
Scroll down until you see the “reset sync” button and click on the button
At the prompt click on “Ok”.

.
Reset Your Browser Settings
.

1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
2. Select “Settings”.
3. At the bottom, click “Show advanced settings…”
4. Scroll down until you see “Reset settings”, Then click on the button “Reset Settings”.
5. In the dialog that appears, click “Reset”.

.
Close Chrome and restart it and check it out for me please

[nar]

1 IE installed last month in the shop, should still be reset? can save bookmarks?

2 will chrom reset also reset the android phone?

[AdvancedSetup]

IE reset should not remove the bookmarks, but go ahead and export them just to be safe.

Chrome should have no change on the phone unless you have the phone and Windows synced.

[nar]

Chrome and IE have been reset.   I noted before resetting that 19 tabs were "open" in chrome though everything was closed. Chrome did not delete bookmarks.

1) Could that be caused by forced shut down when programs are still running in background?
2) Should the last Farbar tool be run?
3) Any thoughts on restoring Windows Updates.  It remains in "checking" mode for hours.
4) One of the tools removed "tracing keys."  Were those malware?
 

[AdvancedSetup]

No the tracing keys I believe are just used for tracking sort of like cookies, but I'll double check to make sure.

Please try the following for Windows Updating issues. This information was posted by another member @daledoc1 in another location on the forum.

 

 

 

Further information from @NICK ADSL UK, an MS MVP and MBAM forum Expert:

http://www.sevenforums.com/windows-updates-activation/400680-how-do-i-reset-windows-update-components-post3283801.html#post3283801

Quote

Having now spoken to the senior Microsoft team i can tell you that all of these issues have been replicated and the fixes are as follows

windows vista with service pack 2
Windows6.0-KB3185911-x64 (1) only needs to be installed for the June to September automatic updates to function correctly

windows 7 with service pack 1
Apply KB3020369 and then KB3172605 in that order. further reading here
Following a clean install, Windows Update remains at "Checking For - Microsoft Community

There are other updates procedures floating around across many forums with regards the updates not either working or installing 'and it has been very difficult to find what update caused this malfunction to come about
<snip>

also here for more important reading with regards updating the windows operating systems
Search for Windows Updates takes forever? - A possible solution

 

 

So, MS still asserts that this mess was not an underhanded plot to make Win7 so painful that we'd all be forced to upgrade to Win10.
And, they likewise claim that they don't know what patch broke updates for 7 and Vista.
I'm not 100% convinced, as this has been a hugely widespread issue for many, many months, reported all over the intertubes.

But at least there is now a workable solution, even if the user must take the steps to manually apply it, because there has been nothing shipped to all users to definitively resolve it.

C'est la vie.

[nar]

1) Downloaded KB3020369 as per above instructions however it continues to run msg "searching for updates on this computer."  When the hard drive was replaced along with Windows 7 last month, apparently no updates were downloaded or they would show in the Update History correct?  In light of this should there be another starting point rather than KB3020369? Would it help to run Updates in Safe Mode?

2) Attached is prtscrn BEFORE connecting to internet.  On opening Chrome it displayed this page complete with bookmarks (some deleted by me before sending) though I was not connected to internet.  Does Chrome recognize user even without internet? Since the problems started with computer and network, I am using router as firewall only, not wi-fi, and connecting on ethernet.  

3) The concern is the shudder sounds continue:  it occurs first after booting before connecting to internet, then whenever sensitive content is opened both online or stored on computer.  I have used this same computer for several years, a user knows when computer acts differently. It started when going online from a different location.  The computer, phone and reader were all hacked about the same time with this odd shudder sound or flash when opening sites in the case of the cell, when turning pages in case of the reader and as described when using computer.  I found an unsupported file on the reader that flashed when deleted.  Also, a business site went down and my employer was hacked. Coincidence?  Seems like too many coincidences.  Neither employer or self have ever had issues like this.  I hired two IT experts, the network router was redone twice and replaced once.

The KB3020369 installer is still looking for updates.  

[AdvancedSetup]

Yes, Chrome and other browsers have cache and registry entries they often read or reflect from. Safe Mode normally would not help for this, but you need to have Internet access before and during the installation of both of those KB installers. Unless you or your computer are a victim of some new as of yet unfound State Level attack by a Government (very unlikely) then there is nothing special here going on. If you're really that suspicious then remove the hard drive. Buy a new one (drives are $50 or less now days for small drives) and FDISK, Format, and reinstall Windows 7 from scratch again. That will 100% remove any type of known, in the wild threats. Though my guess is this "shudder" is possibly your CD/DVD drive? Maybe pull the power from it so that it is not used at all and see if the shudder goes away. Remove the sides of the computer. Does the shudder go away?

 

 

[nar]

1) Are you talking about disabling CD Player in Device Manager or something else to pull the power.  Keep in mind that hard drive and Windows were replaced last month at the shop after which the 4 soldierX files were picked up by MS Security Essentials.  So a clean install was done less than 30 days ago.

2) Chrome and Windows Updates are separate issues.  Yes, connected to internet for downloading and installing updates but as mentioned it just hung up "looking for updates."  What can be done to get beyond this so Update actually installs?

[AdvancedSetup]

To disable the CD Player I mean to turn the computer off. Remove the side from the computer. Locate the power cable that goes to the CD/DVD physical drive and unplug it. Then start the computer back up and see if that "shudder' sound goes away. 

As for a "clean" build at the shop, I have no way of knowing what or how the install was done. That said, a computer that has been built and not setup with protection can easily potentially get infected within minutes of being rebuilt by going to the wrong website or accidentally clicking or mousing over some bad advertisement. Without the Windows updates and good security protection, one can have all sorts of infections in a 30 day period. However, my point is that there are millions of infected computers and your case though very important to you is not unique and in the vast majority of cases of infections can be cleaned up and protected going forward.

As an aside you may wish to read the following which will give a bit more guidance on the issue The complexity of finding, preventing, and cleanup from malware

At this time the current logs are not showing any specific signs of an ongoing infection. We can run a couple more scans though to help assure you the computer is not infected. On a personal level I am not a fan of the Chrome browser (but that's my own personal choice, I think it's too hooked into one of the world's largest marketing firms in the world and constantly profiling you and your use of the computer in order to target marketing at you. I'm not saying other browsers don't do it too, but they're not even close to the ability of Chrome to analyze, report, market, and target you. But, again some people actually find that a plus and want it, so your mileage may vary)

There are dedicated forums and website posts to help deal with the Windows update issue. We can attempt to address it here if you like or we can simply ensure you're not infected and you can work somewhere else if you like on your Windows update issue, just let me know.

Thanks again

Ron

 

 

[nar]

Ron, definitely want to get the Updates running again so great if we can move forward.  It hung up trying to install the first KB file in the instructions.

[nar]

Also, what browser do you like in place of Chrome?  

I wonder if the shudder sound is part of the google tracking process.  So weird that it started at the time everything was hacked.  I had the computer 4 years before this started, thought the new hard drive would solve it.  Will try removing the side as suggested.

 

[AdvancedSetup]

I use Firefox with Adblock Plus and NoScript add-on plugins.

Try installing the 2nd update first instead and see if that helps or not and let me know.

Also let me know how it goes removing the power from the CD/DVD drive.

 

[nar]

Ron,

Back to an original question on this chain regarding  two Trojan:Win32/Rundas!plock files and two HackTools from SoldierX (attachment 2) found by Microsoft Security Essentials during scan after hard drive replacement in shop in Oct. (The shop installed MSE for the first time, I was not running it prior to replacing hard drive. ) 

Attachment 1, Recycle Bin, shows that a SoldierX folder, the source of the trojans and hack tools, had been created on new hard drive!  When device was picked up, nothing was said about the trojans or hacktools or why the folder was created.  I found the history scan several days later. These specific trojans steal users’ personal data by allowing remote control as per below.   The shop tech claims the files labeled by MSE as Trojans and Hack Tools are NOT malware but that MS treats them as such.  He also advised these "trojans and hack tools" ARE actually MS files.  

His advice clearly contradicts MSE and below removal instructions.  If these tools were used to hack my machine, they had 4 days to steal data.  Can you address the following:

1.  Is there any legitimate reason for installing a SoldierX folder containing trojans and hack tools with described purpose of stealing personal data?  Is there anyway his advice makes sense to you??

2. Why would a MS security product, MSE, declare their own files to be Trojans and Hack Tools, rate as "Severe" and display their source as SoldierX, a site that claims to be the Largest Hacker Database in the world? Obviously SoldierX is not an MS approved provider.   

3. What recourse is available when files of malicious intent are installed by someone trust to repair and protect your computer?

4. Can you confirm that http://blog.removevirusnow.org/trojan-win32-rundas-plock-removal/ is a legit site for instructions to completely remove these files?  Or other recommendations specific to complete removal which appears to require more than scan tools?  I am very concerned.   This Trojan did reappear in Oct after deleting and rescanning with MSE.  It is not appearing now.  

5.  I am considering a new machine but do not like Cortana on Windows 10.  It continues to record after disabling.  Is there a way to stop, prevent, mutilate all Cortana functionality?

 

6.  I am still trying to get Windows Update to resume downloads.

 

7.  Shudder sounds are not from cd drive. Shudder can also go off while reading screen with no keyboard use.  Shudder has  gone off several times while composing this mail. When computer, phone and reader were hacked, two other family members were hacked and my employer (small business) was also.  Additionally I found that a perpetrator using my phone had posted a scam craigslist page which craigslist removed at my request.  Based on U.K.'s November "Snoopers Charter" and  U.S.'s Rule 41 (now in effect) the personal data being collected does not necessarily require malware. Is this correct? So how to prevent this loss of personal data?

 

8.  What do you recommend regarding encrypting computer files?

 

9.  btw, what is use for spoiler icon in Edit menu on this page?

 

Thanks!

[AdvancedSetup]

If you truly believe the person at the shop installed Trojanized software then you can report it to the 

Internet Crime Complaint Center

Internet Crime Complaint Center (IC3) FAQ

If you're going to report it then there really isn't much else we can or should do at this time as that may jeopardize any possible investigation on their part.

However, I would say that it's possible to spend months on this and there is a possibility of not using the computer during a possible investigation.

Please let me know how you would like to proceed.

Thanks

 

[nar]

Could those trojans and hacktools have been stored elsewhere on computer such that replacing hardware did not remove them?  I would think that after installing MSE if he found that level of malware, he would have brought that to my attention since cleaning the system was part of the reason for hiring him. Leaving that malware on the computer for customer to find accidentally was quite shocking let alone claiming the files should be kept as they are needed by MS.  

I have no doubt any reasonable person would have these same questions.

I want to proceed with the questions as submitted yesterday to ensure computer is clean and safe.  

Thanks!

[AdvancedSetup]

I'm sorry but the overall answer is I don't know.

Should the files be there after a clean install of Windows? = NO
There is a website called SoldierX and it does deal with hacking
No the site you listed for removal is just a scam to get you to install their software to scan and then they charge you for removal
You can heavily curtail the use of Cortana but and block most of the telemetry but not sure you can stop all of it without making the OS a bit useless
 

Complete total waste of time that I'm not going to get involved in. If you're thinking of getting a new computer or installing Windows 10 then fixing Windows updates is like buying a new car and then crushing it in the junkyard, something you'd never do. There is no reason to spend hours or days fixing something you're getting rid of.

For the most part, encrypting files is for those paranoid or when transferring data between you and someone else and you need to ensure complete privacy. In general, everyday use unless you're doing something illegal, there should not be a need to encrypt files. It has a purpose, but for most people, it's not necessary.

Spoiler hides text until you click on the link, thus if you don't want to see the "

Spoiler

answer

" don't click it.