kevin! its back!

[Koneko]

I think I got it back or worse this time.  Lock out windows firewall, hitman pro, emisoft emergcy kit, and trend mirco platium (my sis gave me a paid account protection since she had computers available, and it would be better...LOL...can't wait to tell her that hers sucks when she comes back from vacation.).   Ripped through real quick.  I hadn't even gotten to trying to load or transfer data I saved that I needed.

So went into router to check that out and see what is happening there by the logs.  Breaches that got through recently are all IP's listed on black hats directory.   Is opera with vpn a safer browser?  so I'm back to factory reset again.

Is there a way to monitor hosts and data traffic?  Also got FRST to run.

FRST_20-03-2018 02.35.20.txt

Addition_20-03-2018 02.35.20.txt

@kevinf80

Edited March 20, 2018 by AdvancedSetup
Added Kevin name for an alert

[Koneko]

Really you and every other anti virus considers this a clean program!   Both this and other one were supposedly from the Toshiba corperation?....ya right.   This is twice with 2 different files from a so called Toshiba corperation as legit?

SVC=some sort of host       So what is it really doing?   virus total says its clean...I do not believe it!    There is no way I can get two files that I cannot delete, and both are from the so called toshiba corporation.   Someone has ripped off certificates.

This time its made it so I cannot get back online either.

atkznvxsvc_virus.rar

[kevinf80]

Hello again Koneko,

What do you mean by this statement..? is your reference to "You" meaning "me...?"

Quote

Really you and every other anti virus considers this a clean program!   Both this and other one were supposedly from the Toshiba corperation?....ya right.   This is twice with 2 different files from a so called Toshiba corperation as legit?

 If you are referring to smartservice infection then the root cause is nothing to do with Toshiba.. Your internet connection is lost because the Winsock is busted, that can be fixed with FRST.

You also state that you are back at Factory Reset, is that true...

kevinf80.

[Koneko]

I haven't done it yet (the full reset).  

I went to virus total to see how the atkznvxsvc.exe program got on again.    Yet all the files in the folder show nothing as a virus or another rootkit.   On there I checked every file in the archive and it says every anti-virus says they are all ok.

Why would I have hosts sending data from addresses within the Russian Federation?  At least that where it shows the addresses are located in form the router logs.  So used the XP again to change the router password and name, and check and make sure any unwanted changes to that were done either, and make sure the address numbers have changed.   The reason is because the reload happened on the 17th, and files in the system 32 folder are all listed as either then or when the computer was built.   So the 6 files in the archive you have are the only new ones added to the system 32 directory since then.   I spent the 18th and 19 mostly loading games back on through their loaders which took hours because your loading gigs at only about 1.7megs/sec.   Neverwinter was day in itself.    

This time I took extra precautions.   Like deleting files in temp folder that weren't needed.   Did that after each update windows, hp, AMD (cpu&gpu), games. 

I got the smartservice back?  Is that what your saying?

 

virus check.rar

[kevinf80]

I`m not saying you have smartservice infection, I see nothing in your logs to indicate smartservice... The Winsock Catalogue is busted, that is why your connection is lost...

I ask what you mean by this quote from your reply.. especially the word listed in red

Quote

Really you and every other anti virus considers this a clean program!   Both this and other one were supposedly from the Toshiba corperation?....ya right.   This is twice with 2 different files from a so called Toshiba corperation as legit?

 

[Koneko]

Ok I apoligize for that.    I thought I had that virus again, and I was frustrated with my sisters suggestion as I cannot contact them, because I'm not the primary computer on the account.   So her cool idea and easy fix as I took her to airport yesterday morning...seems like backfired on me.

[kevinf80]

You need not apologize, I just wondered what you meant...  Is no big deal i`m here to help and always will... One of the easiest ways to pick up any malware or infection is via cracked software, or key generators used to licence such software, simple as that.

There are other routes such as cool looking adverts on torrent sites, when selected you are immediately redirected to exploited websites where you will pick up fileless malware/infection that is written into Memeory (RAM). The code is generally injected into a running process which is then used as an exploit. Typical contract fileless malware can be injected by visiting a malicious website. You were more than likely redirected after clicking the an attacker's advert or similar. As the malware doesn't exist as a file, it can often elude usual security such as your AV program etc.

Next,

To fix the Winsock do the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Next,

To prevent unauthorized changes to the hosts file mark it as "read-only". To do so, navigate to the hosts file with Windows Explorer - the file is located in the %Systemdrive%\Windows\System32\drivers\etc folder - right-click the file, select Properties, check the Read-only Attribute, and click OK.

Thanks,

Kevin...

fixlist.txt

[Koneko]

do i have  to put any text in frst...or just hit fix?

 

[kevinf80]

Save the file I attached "fixlist.txt" to the same folder that holds FRST, do not open the file when you are ready to run FRST. When ready open FRST and select the fix tab just once. FRST will then run and follow the script in the file fixlist.txt When complete FRST will produce a log "fixlog.txt"

[Koneko]

this is wierd I cannot copy or move the file without it deleting the information.   When I copied it over, then opened it in notepad there was no text.   But there was another file in the trash folder.   Same name and size....only difference is the text before it.   If I try to copy the text, and then save it.....it doesn't save a fixlist.txt like it should.   it says the same files size but nothing is there.

[Koneko]

can i paste the text in frst and try that way.  I copied the text from here again, and made the file read only.   So when the flash drive is transfered, it will be read only so i can open it copy it and then paste it into frst program.

[Koneko]

the paste 1 picture shows me coping the data into file.   I can save it, or save as...same thing will happen.

When you save it it changes the data.  See second pic with hidden code.   I hit select all to see what may be there and something gets highlighted.  That file is only 243 kb, and yours is 482 kb.    If I didn't see it with my own eyes, I wouldn't believe you could overwrite a file as it saves.   Which makes me totally curious on how its done.

[Koneko]

figured out how to run it.   I used the flash drive that had frst on it.   file attached.

still not working

Fixlog.txt

[kevinf80]

There is no fix confirmation in the log. Try this way:

Open FRST, copy and paste the following into the text field, then select fix tab...

 

Quote

start::
CloseProcesses:
Winsock: -> Catalog9 - Broken internet access due to missing entry. <==== ATTENTION
Winsock: -> Catalog9-x64 - Broken internet access due to missing entry. <==== ATTENTION
CMD: netsh winsock reset
Reboot:
end::

Is a log produced...?

[Koneko]

seemed like it worked.   it began installing updates.

can i turn firewall back on before trying to log on?   I don't like having an open computer.

Fixlog.txt

[Koneko]

can't get firewall or anti-virus programs back on.

[kevinf80]

Select Windows key and R to open run box, type or copy/paste services.msc select enter, from services window check the following..

Check the "Base Filtering Engine" in services, is set as per the attached image..?

[Koneko]

says started...not running.    When trying to start firewall or antivirus programs that same error comes up.

[Koneko]

antivirus programs now give service did not respond to start or control request in a timely fashion.

checked dependancies and started what was listed...still no go

[Koneko]

got defender to work  and run a scan 

[kevinf80]

Can you also run a scan with Sophos AV as follows, may take couple of hours to complete:

Download Sophos Free Virus Removal Tool and save it to your desktop. If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete..... Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...   Double click the icon and select Run Click Next Select I accept the terms in this license agreement, then click Next twice Click Install Click Finish to launch the program Once the virus database has been updated click Start Scanning If any threats are found click Details, then View log file... (bottom left hand corner) Copy and paste the results in your reply Close the Notepad document, close the Threat Details screen, then click Start cleanup Click Exit to close the program If no threats were found please confirm that result.... The Virus Removal Tool scans the following areas of your computer: Memory, including system memory on 32-bit (x86) versions of Windows The Windows registry All local hard drives, fixed and removable Mapped network drives are not scanned. Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan. Saved logs are found here: C:\ProgramData\Sophos\Sophos Virus Removal Tool\Logs

[Koneko]

will not run, even when i click run as admin

[Koneko]

i did get the emsisoft commanline scanner to work...not sure what to run for it.

[Koneko]

found 2 with command line scanner     see pic

[kevinf80]

What difference has that made..?