Corrupt Files in ProgramData/Microsoft/Network


  1. Posts : 17
    Windows 7 Ultimate x86
       #1

    Corrupt Files in ProgramData/Microsoft/Network


    Hello there. I've just registered for this... PLEASE READ CAREFULLY
    My thing is..
    Today I turned on my PC. Everything went OK after booting and playing some games. Then a message appeared down in the taskbar that says error in system, corrupt files in C:\ProgramData/Microsoft/Network, and everything that was in my Start menu is gone: system tools etc. (My Windows language isn't English, it's Arabic.)
    My problem isn't this. The problem is I can't install any program downloaded from the internet. I also tried CHKDSK, but it says CHKDSK can't start due to recently installed packages or programs. And can this corrupt my files on the other drives like D: or E:?
    Please help me!! Because there are so many important and personal files on the other drive and I don't want them to become corrupt.
    Best Regards
    -Abd Salamah


  2. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #2

    Hi Abd,
    I don't see an anti-virus in your system specs >> YOU NEED ONE.
    I suspect you have picked up some malware.
    Please run Malwarebytes (free), untick the trial, and then in the settings dashboard check the rootkit option.
    Then run ESET on-line, disable any other AV you might have.

    After running the above also run from an elevated command mode
    sfc /scannow
    then
    ipconfig /flushdns

    Reboot, try a download

    Roy


  3. Posts : 17
    Windows 7 Ultimate x86
    Thread Starter
       #3

    torchwood said:
    Hi Abd,
    I don't see an anti-virus in your system specs >> YOU NEED ONE.
    I suspect you have picked up some malware.
    Please run Malwarebytes (free), untick the trial, and then in the settings dashboard check the rootkit option.
    Then run ESET on-line, disable any other AV you might have.

    After running the above also run from an elevated command mode
    sfc /scannow
    then
    ipconfig /flushdns

    Reboot, try a download

    Roy

    Hello. I didn't put my anti-virus program in my specs because it won't run and it's turned off. I can't install it again, and it's corrupt as well. sfc /scannow got stuck at 14% and says Windows Resource could not perform the requested operation, and I ran ipconfig /flushdns and it says Windows IP Configuration Successfully flushed the DNS Resolver Cache. What should I do now?


  4. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #4

    Hi Abd,
    what AV was it?
    Please still run Malwarebytes and ESET.

    Roy


  5. Posts : 17
    Windows 7 Ultimate x86
    Thread Starter
       #5

    torchwood said:
    Hi Abd,
    what AV was it?
    Please still run Malwarebytes and ESET.

    Roy

    Well, I installed Malwarebytes. I'm wondering how it installed. Whatever.
    It found one virus on KMService.exe
    Everything on the PC is OK, but the Start menu programs are gone (and I mean they are GONE).
    I need System Restore, but it seems to have been removed from System32..
    What's the solution? Help me as you can!!!


  6. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #6

    Hi Abd,
    please answer my questions, it will help.
    Old AV please, what did ESET find?
    Post a copy of the Malwarebytes log and the one from ESET.

    Roy


  7. Posts : 17
    Windows 7 Ultimate x86
    Thread Starter
       #7

    Oh sorry, I forgot. It's Avast! Free Antivirus. Here is the ESET log. 32 viruses, all of them Trojan horses.
    ----------------------------------------------------------------------------------------------------------------
    <?xml version="1.0" encoding="utf-8" ?>
    - <ESET>
    - <LOG>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\1--3.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\1--3.xls.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\2016علوم-الفصل-الثاني.docx.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\2016علوم-الفصل-الثاني.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\Autorun.inf.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\kk1.vbs__.vbs.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\oEthHdQfxJBasYQ.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\System_Volume_Information.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول كاملة 2016.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول ف222 - 2016.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول__ف2_-2015-2016__كامل.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول__كاملة_2016.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جداول_ف222__-_2016.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_اول_ج2016_جديد222.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_اول_ج2016_جديد222.xls.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_فارغ_الكامل.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_فارغ_الكامل.xls.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_نموذج_عزمي.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\جدول_نموذج_عزمي.xls.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\خطة_فصلية_رياضيات_ثاني_أ.docx.lnk.vir - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\خطة_فصلية_رياضيات_ثاني_أ.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\H\ملفات_مدرسية.lnk.vir - LNK/Agent.AK حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\1--3.xls.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\2016علوم-الفصل-الثاني.docx.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\Autorun.inf.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\System_Volume_Information.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جداول__ف2_-2015-2016__كامل.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جداول_ف222__-_2016.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جدول_اول_ج2016_جديد222.xls.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جدول_فارغ_الكامل.xls.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\جدول_نموذج_عزمي.xls.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    - <RECORD>
    <COLUMN NAME="السجل">C:\UsbFix\Quarantine\UpMalware\خطة_فصلية_رياضيات_ثاني_أ.docx.lnk - LNK/Agent.AO حصان طروادة - تم تنظيفه وحذفه [1]</COLUMN>
    </RECORD>
    </LOG>
    </ESET>
    ---------------------------------------------------------------------------------------------------------
    حصان طروادة means trojan horse
    السجل means log
    تم تنظيفه وحذفه means cleaned and removed
    Last edited by Abdsalamah; 05 Jul 2016 at 07:15.


  8. Posts : 17
    Windows 7 Ultimate x86
    Thread Starter
       #8

    Here is The MalwareBytes Log
    -------------------------------------------------------------------------------------------------------
    <?xml version="1.0" encoding="UTF-16" ?>
    - <mbam-log>
    - <header>
    <date>2016/07/04 21:49:24 +0300</date>
    <logfile>mbam-log-٢٠١٦-٠٧-٠٤ (٢١-٤٧-٣١).xml</logfile>
    <isadmin>yes</isadmin>
    </header>
    - <engine>
    <version>2.2.1.1043</version>
    <malware-database>v2016.07.04.07</malware-database>
    <rootkit-database>v2016.05.27.01</rootkit-database>
    <license>trial</license>
    <file-protection>enabled</file-protection>
    <web-protection>enabled</web-protection>
    <self-protection>disabled</self-protection>
    </engine>
    - <system>
    <hostname>ABDSALAMAH-PC</hostname>
    <ip>192.168.1.100</ip>
    <osversion>Windows 7</osversion>
    <arch>x86</arch>
    <username>AbdSalamah</username>
    <filesys>NTFS</filesys>
    </system>
    - <summary>
    <type>threat</type>
    <result>completed</result>
    <objects>249857</objects>
    <time>334</time>
    <processes>0</processes>
    <modules>0</modules>
    <keys>0</keys>
    <values>0</values>
    <datas>0</datas>
    <folders>0</folders>
    <files>1</files>
    <sectors>0</sectors>
    </summary>
    - <options>
    <memory>enabled</memory>
    <startup>enabled</startup>
    <filesystem>enabled</filesystem>
    <archives>enabled</archives>
    <rootkits>disabled</rootkits>
    <deeprootkit>disabled</deeprootkit>
    <heuristics>enabled</heuristics>
    <pup>enabled</pup>
    <pum>enabled</pum>
    </options>
    - <items>
    - <file>
    <path>C:\Windows\KMService.exe</path>
    <vendor>RiskWare.Tool.CK</vendor> <----------------- this is the virus
    <action>success</action>
    <hash>1aedab75ecae0531f50da0696f934db3</hash>
    </file>
    </items>
    </mbam-log>
    -------------------------------------------------------------------------------------------------


  9. Posts : 17
    Windows 7 Ultimate x86
    Thread Starter
       #9

    Look at the Start menu.. It's almost empty. There is nothing, only my games.. Also there is no paint.exe and no System Restore. All of them are gone.
    Attached Thumbnails: Corrupt Files in ProgramData/Microsoft/Network-startmenu.png


  10. Posts : 7,107
    W7 home premium 32bit/W7HP 64bit/w10 tp insider ring
       #10

    Hi Abd,
    looking at those logs.
    Re-run Malwarebytes, in the settings dashboard enable Rootkits, it was off last time.
    Set it to auto quarantine.
    There appear to be 2 infections, not 1.

    Those shortcuts to your programs in the Start menu, System Restore and Paint WERE ALL INFECTED (anything with ".lnk" = shortcut).
    They have now been removed by ESET.

    Did you only select them to run against the C drive? If yes, you need to select D and E as well.

    It would appear that the infections came via an infected USB device! Throw it away.

    When we have cleared the malware,
    we can get back to resetting your comp
    (uninstall/re-install Avast -- reset IP again -- system repair -- sfc scannow)

    Roy
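
Added example (not part of any post in this thread, and not code from Malwarebytes or ESET): the log review described in post #10, done in Python over logs pasted the way posts #7 and #8 show them. The function names and both sample logs are constructed for illustration; the samples reuse only the shape, paths and detection names visible in the thread.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import PureWindowsPath

def clean_pasted_xml(text):
    """Drop paste damage: '- ' fold markers, XML declaration, '<--- note' text."""
    out = []
    for line in text.splitlines():
        line = re.sub(r"^\s*(?:-\s+)?(?=<)", "", line)  # fold marker / indent
        line = re.sub(r"<-{2,}.*$", "", line).strip()   # poster's annotation
        if line.startswith("<") and not line.startswith("<?xml"):
            out.append(line)                            # skips separator rows
    return "\n".join(out)

def mbam_findings(text):
    """Return (scan options that were disabled, [(path, detection), ...])."""
    root = ET.fromstring(clean_pasted_xml(text))
    disabled = [o.tag for o in root.find("options") if o.text == "disabled"]
    items = [(f.findtext("path"), f.findtext("vendor")) for f in root.iter("file")]
    return disabled, items

# A file name may itself contain " - ": split only before a Family/Name token.
ESET_REC = re.compile(r"^(?P<path>.+?) - (?P<name>[A-Za-z0-9]+/[\w.]+)\s")
def eset_summary(text):
    """Count ESET records per (containing folder, detection name)."""
    counts = Counter()
    for col in ET.fromstring(clean_pasted_xml(text)).iter("COLUMN"):
        m = ESET_REC.match(col.text or "")
        if m:
            counts[(str(PureWindowsPath(m["path"]).parent), m["name"])] += 1
    return counts

# Constructed samples in the shape of the two logs posted in this thread.
MBAM_SAMPLE = r"""<?xml version="1.0" encoding="UTF-16" ?>
- <mbam-log>
- <options>
<rootkits>disabled</rootkits>
<heuristics>enabled</heuristics>
</options>
- <file>
<path>C:\Windows\KMService.exe</path>
<vendor>RiskWare.Tool.CK</vendor> <------ note typed into the log
</file>
</mbam-log>"""
ESET_SAMPLE = r"""- <ESET>
<RECORD><COLUMN NAME="log">C:\UsbFix\Quarantine\H\tables f2 - 2016.lnk.vir - LNK/Agent.AK trojan - cleaned [1]</COLUMN></RECORD>
<RECORD><COLUMN NAME="log">C:\UsbFix\Quarantine\UpMalware\report.xls.lnk - LNK/Agent.AO trojan - cleaned [1]</COLUMN></RECORD>
</ESET>"""
```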


 
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.