Computer Aid


Tag Archives: infection

system fix infection and missing icons on Windows 7

Computer Aid Posted on 21 November, 2011 by Luigi Martin

I helped someone remove a fake antivirus called: System Fix

Fairly straightforward on an XP computer.

But the next day, my own Windows 7 PC got the same infection… but it seems a bit more difficult on Windows 7. Besides the warnings about disk corruption (which seemed genuine… I started to wonder about my drive failing… even though it was only 6 months old), I also developed other problems later.

It seems like it got in via a realistic-looking Adobe Reader update… We get so many Adobe updates (it feels like they happen every day)… so it’s easy to just quickly click on the button that says: “yeah, sure, do your silly update and stop annoying me”.

Removing System Fix using MalwareBytes (while in safe mode), was easy, but after restarting the PC, I got all sorts of other problems:

  • All my start menu icons, desktop icons, were missing
  • The icons in the right-hand taskbar were no longer being hidden
  • The “pinned” icons on the left of the task bar were missing
  • I was getting a strange .net error at startup
  • Some desktop gadgets were missing.
  • resizing an internal window in event views would generate an MMC snap-in error

I soon figured it was the aftermath of the infection… and the solution is meant to be easy: all the icons, etc are hidden in a windows temp folder.

However: Since I don’t like the useless accumulation of temp files (which Microsoft still refuses to address as a real problem), I’m currently using CCleaner to automatically clear the contents of my temp folders… so there go my icons.

Ah, but a system restore should bring them back!

Darn! It seems System Fix also cleared out all system restore points!

But I still have a fall-back: Every week, I automatically copy my whole drive to a second drive in my PC… so my icons should be on my D: drive!

So, after a lot of digging around in folders I didn’t know existed (wow MS has changed the folder structure of Windows 7!), I managed to restore most things (although I had to cheat, since the pinned icons need a proper registry entry… but I got around that by just dragging the “pinned” shortcuts from their original folder, directly to the taskbar… thus creating a correct “pin”).

Many other items were restored quite simply… eg:

The start menu items: right-click on a blank part of the task bar -> properties -> start menu -> Privacy -> tick both “store and display recently opened…”. Then on the same window: customise… -> use default settings -> OK -> OK

The right-side task bar icons were restored to their original state (ie hiding some icons like the action centre) by right-clicking on a blank part of the task bar -> properties -> task bar -> Notification Area -> customise… -> untick: “always show all icons and notifications on the taskbar” -> OK

Next was to fix the .net error?

I tried the dotnetfx_cleanup_tool, and then re-installed .net, but that didn’t help at all.

After looking closely at the error (and scrolling the non-resizeable error dialog box (using cursor keys!)), I could see that there was a permission problem with a file near:

C:\Users\{username}\AppData\Local\Microsoft

After checking with another Windows 7 system, I realised that all folders/files under the Microsoft folder were marked as hidden (and they shouldn’t be).

So I make all folders/files below that “un-hidden”.

That fixed the resizing event viewer problem, and the missing desktop gadgets.

Back to normal (at last).

It took a few hours to fix up all the “little” problems caused by all the settings and permission changes that this nasty little thing did 🙁

Posted in Technical | Tagged gadgets, icons, infection, system fix, windows 7

Firefox navigates to reported attack site c.ppcxml.net

Computer Aid Posted on 1 February, 2010 by Luigi Martin

Another infected PC. This time, Windows XP also got corrupted.

So, as well as removing the infection, I also need to do a repair install of Windows.

But after all that, clicking on any google results (using Firefox) brings up a Firefox “reported attack site”… looking at the url, it seems I get redirected to c.ppcxml.net … regardless of which link I click on.

I quickly find the solution:

Use windows explorer to navigate to something like:

C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}\chrome\content\ffjcext

Note that there might be more than 1 folder that starts with “{CAFEEFAC-“… you might need to look at all of them.

I ended up renaming any file that ends in .XUL (I changed the extension from .XUL to .LUX).

You might need to try a few combinations, as it’s a fairly important file for Firefox.

Posted in Browser, Technical | Tagged attack site, firefox, infection

Beware the quiet infections

Computer Aid Posted on 22 September, 2009 by Luigi Martin

I’ve recently cloned a few drives for customers who have upgraded their computers via Computer Aid.

The process is simple enough: Clone the hard drive to the drive in the new computer, then a repair-install of XP, then a fix for internet explorer 7 / 8. After that, I might need to install XP SP3, plus any recent updates.

But lately, I’ve had a few problems, where either SP3 would generate an error, and back out, or IE 7 / 8 would not install, or sometimes, some other Microsoft updates (eg .net framework) would not install…

Very confusing until I do a malwarebytes’ scan and find a rootkit, or a trojan.

What’s worrying, is that infections seem to be on the rise, and worst of all, many are now so subtle, that you can barely know your computer is infected.

I found these particular infections, because I had to get the latest Microsoft updates… But I can see that many people, when faced with a failed Microsoft update, will just shrug their shoulders, and think to themselves: “it’s just a computer glitch… I’ll ignore it and it might go away in a few weeks time”.

It’s ironic that the internet is a great way of expanding knowledge, yet it can also magnify the damage caused by ignorance…

Posted in Technical | Tagged infection, subtle

stop 0X0000008E

Computer Aid Posted on 31 May, 2009 by Luigi Martin

This laptop would (at seemingly random times), generate a blue screen (BSOD), with the error: Stop 0x0000008E

Customer tells me that a few days ago, norton found something bad, and removed it.

So I figure: I’ll install MBAM, and do a scan.

While Mbam is scanning, I check what’s auto-starting, and disable anything that doesn’t need to start.

Part-way through that, I get the BSOD 0x0000008e

I decide to check for hardware issues (laptop is used in a footy club, so it’s probably not treated nicely at times). Ram test finds no problem, but the CPU (core2) seems quite warm at 48c, but nothing too bad. The hard drive is not low on space.

Back into windows, I restart mbam, while I check the net for error 0x0000008e, after about a minute of browsing, I get another BSOD.

I try 2 more times, but mbam just cannot complete the scan.

But I do manage to find out that the BSOD could be caused by a rootkit.

So I boot from my CD (UBCD4Win), start superantispyware, run an update, then scan the PC.

Sure enough, it finds and removes:

  • Rootkit.Aagent/Ggen-Loader
  • Rootkit.Agent/Gen-SoftV
  • Trojan.UnknownOrigin

After that, I restart into windows XP, and mbam finds about 180 infected components (mostly registry entries, but also a handful of infected files).

Once the laptop is totally clean, I remove norton antivirus 2005 (!), install antivir and windows defender (ie some modern protection), and then tell the customer of the possible consequences, if she doesn’t change the internet banking password ASAP.

I started wondering why an infection would cause a BSOD. It could be bad programming, but it might also be deliberate. Why?

It could be, that if the infection detects anything that seems like an attempt to either remove it, scan for it, or even search the net for anything related to anti-malware, then it generates a BSOD, in the hope of distracting the PC user.

It certainly had me guessing for a while.

Posted in Technical | Tagged 0x0000008e, infection

don’t get infected with P2P

Computer Aid Posted on 3 April, 2009 by Luigi Martin

Many people use P2P networks nowadays.

As time goes on, it seems that P2P networks are increasingly being used to spread the latest malware.

I admit I recently got infected, despite having some good protection in place.

So, after thinking about it, I’ve decided to add a new technique to minimise the risk even further.

Any P2P downloads will now go through a self imposed quarantine.

eg: if I download something today, then I won’t open the file for a week or two.

It’s not easy, as most of us have the “want it now” mentality, but given the increasing risk of infection, then this will help me.

Why?

It can take days, if not weeks before new malware gets incorporated into anti-virus/anti-spyware databases, so a week’s delay means my security software has a good chance of detecting a “previously undetectable” virus.

Of course this is not the best answer, since if everyone did this, then we would be no better off, given that AV companies rely (in part) on user feedback.

At the moment, it’s just shifting the risk of infection on to people that are impatient 🙂

Posted in Technical | Tagged infection, P2P
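
The self-imposed quarantine described in this post can be automated. The sketch below is an added example, not code from the original post: downloads are moved into a holding folder, stamped with their arrival time, and only released after the hold period and a fresh scan. The folder arguments, the 7-day default and the `scan` callable (a hook for whatever up-to-date scanner is installed) are assumptions.

```python
import os
import shutil
import time
from pathlib import Path

HOLD_DAYS = 7   # assumed default; the post says "a week or two"
DAY = 86400     # seconds

def quarantine(download, qdir, now=None):
    """Move a fresh download into qdir and stamp its arrival time."""
    now = time.time() if now is None else now
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / Path(download).name
    if dest.exists():                  # never overwrite an item still on hold
        raise FileExistsError(dest)
    shutil.move(str(download), str(dest))
    os.utime(dest, (now, now))         # mtime = arrival, not the sender's timestamp
    return dest

def due_for_release(qdir, now=None, hold_days=HOLD_DAYS):
    """Return files that have sat in quarantine for at least hold_days."""
    now = time.time() if now is None else now
    cutoff = now - hold_days * DAY
    return sorted(p for p in Path(qdir).iterdir()
                  if p.is_file() and p.stat().st_mtime <= cutoff)

def release(qdir, outdir, scan, now=None, hold_days=HOLD_DAYS):
    """Rescan aged files and move only the clean ones to outdir.

    scan(path) -> bool is a hypothetical hook (True = clean); it should call
    a scanner whose signatures were updated after the file arrived.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    released, flagged = [], []
    for p in due_for_release(qdir, now, hold_days):
        if scan(p):
            released.append(Path(shutil.move(str(p), str(outdir / p.name))))
        else:
            flagged.append(p)          # stays in quarantine for manual review
    return released, flagged
```

Files that fail the rescan are left in the holding folder rather than deleted, so they can be reviewed or submitted to the AV vendor.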

STOP 0X0000008E BSOD: not always a hardware problem

Computer Aid Posted on 26 October, 2008 by Luigi Martin

This PC would start, briefly display the windows startup splash screen, and then restart.

Once it restarted a few times, I pressed F8, and tried safe mode: but it also restarted.

Next step: F8 again, and try “disable automatic restart…”

I see a blue screen, and the main error is: STOP 0x0000008E

I lookup the 8E error, and it looks like a hardware error (most likely RAM).

I do a RAM test, and the RAM passes with no fault.

I try booting a Mepis Cd (and also UBCD4Win), and they boot just fine… and UBCD4Win can also display the contents of the main hard drive.

OK, a hardware fault is looking very unlikely at the moment.

So I take out the hard drive, plug it into my main system, and do a scan.

Antivir finds (and quarantines) about 16 infected files.

After that, defender finds and cleans an extra 2 spyware infections.

Put the HDD back in the original PC, and it now boots correctly (and I also notice it’s got IE6 and a counterfeit version of XP).

I upgrade IE6 to IE7, install antivir, and that’s about all I can do with the system for the moment.

Customer says she will get me to install a legit XP sometime in the future.

Posted in Technical | Tagged 0000008E, infection

My first infected vista system

Computer Aid Posted on 4 June, 2008 by Luigi Martin

Well, despite its significant shortcomings, vista does seem more secure than XP.

After over 1 year since its release, I had my first infected Vista system.

And in the process I found out a few interesting things about Vista.

The system had avast, and it had found a few problems, but didn’t seem able to fix the problem.

The avast log shows problems with files in (amongst other places) c:\user\{username}\Appdata\local\etc\etc.

But oddly, windows explorer won’t display the appdata folder.

In its own idiosyncratic way, vista actually lets you view the contents, but only if you actually type (or complete) the name in the “address bar” at the top of windows explorer… how odd!

Anyway, I find I just need to start in safe mode, remove the guilty files, fix the startup areas in the registry, and then defender took care of the rest.

I also reset the firewall settings to its default settings (as it seemed to be allowing most things). I also installed SP1 (without a hitch 🙂 ).

Posted in Technical | Tagged infection, vista

Copyright © 2005-2015 Computer Aid