Author Topic: Tricky Trojan Horse Twins called 80000032.@ and 80000064.@ (plus other scumware)  (Read 12704 times)


dalinian

  • Guest
Hi EssexBoy,

I haz a frowny face.



I have not had the opportunity to dip back in to my Win7 partition to do web site update conformance testing until today – and now Win7 won't start up normally… ARRRGGHHH!  >:(

Win7 will start up in Safe Mode, but when I try a Normal Mode start up, at the end of the process, after the 'Welcome' screen, where I would expect to see...
  • desktop background
  • desktop [ icons | widgets ] in the foreground
  • Win7 taskbar
…instead all I see is a jet black screen with the white Win7 pointer cursor, which responds as expected to trackpad input by moving around; I have 'Sticky Keys' enabled by default, with audio feedback switched on, and the modifier keys moop and neek appropriately and as expected, when pressed.  :o   ::)

So… what the dickens has gone wrong now, I wonder?

And more to the point… can you and/or your Magnificent Malware Analyst team mates please, Please, PLEASE help me get back to where I was* before I first posted here a week ago: ie – Win7 works normally?

* of course, that'll actually be 'Win7 works normally AND all prior malware infections have been exterminated!', for which I remain, of course, very grateful indeed

Yours in hopeful supplication, Tim

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
OK, prior to this did you do any updates at all (specifically Windows ones)?

To recap: it was working OK, you shut down, and then when you restart you just get the black screen?

dalinian
Now you mention it, several days ago, back when Win7 was running normally, I do seem to recall hitting a 'Postpone by 4 hours' option button on a Win7 'Updates ready to install' pop-up alert. So it is conceivable that today's Big Black Blank Screen wonkiness when running in Win7 "Normal" (sic) Mode is indeed consequent upon the [ background | start up ] installation of those postponed Win7 updates.  :-\  ???

I'm betting you know the elegant way to resolve this self-harming behaviour of Win7, amirite?  :)

Offline essexboy

Yep, there have been a few cases where Windows Update has messed Windows up.

OK, from Safe Mode run Avast and select Security > Behaviour Shield.
Select Settings (top right).
Select Trusted Processes.
Add the following two files:

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
C:\Windows\explorer.exe


Then OK out and try a normal boot.


dalinian
Hmmm…


Unfortunately, it only seems like I can add trusted processes

I seem to be able to successfully add 'C:\Windows\explorer.exe' to avast!’s ‘Trusted Processes’ list by [browse]ing to it (But... see below).

However... with ‘show hidden files and folders’ switched on in the Folder Options control panel, when I [browse] to C:\Windows\ there is no ImmersiveControlPanel directory to be seen. And if I search inside C:\Windows on the string 'SystemSettings', then the search terminates with a 'No items match your search' result. Nevertheless, I can just copy-&-paste the string 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' into the '(enter process name)' field then hit the [Add] button, and it would seem like I've added 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' to avast!’s ‘Trusted Processes’ list.


No such folder as 'ImmersiveControlPanel' in my 'C:\Windows\' directory



No files with filenames containing the string 'SystemSettings' exist within my 'C:\Windows\[...]' directory tree


But...
Once I hit the [OK] button, if I go straight back to confirm that avast! has indeed remembered which processes are to be trusted, then the ‘Trusted Processes’ list shows up as blank and empty as when I first located it. <sigh>

So this evidence would seem to suggest that:
(1) neither the 'ImmersiveControlPanel' directory nor its 'SystemSettings.exe' executable exist within my 'C:\Windows\[...]' directory tree
(2) avast! cannot be obliged to remember which processes to trust (techno-Alzheimer's?  :o   :( )

Needless to say, given these shortcomings, after trying to school avast! in which processes to trust in Safe Mode, then rebooting Win7 into Normal Mode simply repeats the Big Black Blank Screen error state. So I'd very much welcome any further 'what to try next' remedial action suggestions.

Offline essexboy

OK, could you reboot to Safe Mode please and select Command Prompt.
At the command prompt type the following and press Enter:

rstrui.exe

Follow the on-screen instructions and select the restore point made prior to the Windows Update.

It should then reboot to Normal Mode.
Once there, when Windows tries to update, do not let it install the updates, but copy the KB numbers and let me know what they are.
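Added here as an example, not part of the thread or of Avast's own tooling: a Windows PowerShell triage script covering the two steps above (verifying that the paths exist before whitelisting them, and listing restore points plus recently installed KB numbers). It assumes an elevated PowerShell prompt in Safe Mode with Command Prompt; the note that the ImmersiveControlPanel folder arrived with Windows 8 is my own, not the thread's.

```powershell
# Added example (not from the thread): Safe Mode triage in Windows PowerShell.
# Assumes an elevated PowerShell prompt on the affected Windows 7 install.

# 1. Paths suggested for Avast's Trusted Processes list. On Windows 7 the
#    ImmersiveControlPanel folder does not exist (it arrived with Windows 8),
#    so verify before whitelisting: a trusted entry for a path that does not
#    exist protects nothing, and a mistyped path could trust the wrong binary.
$candidates = @(
    'C:\Windows\ImmersiveControlPanel\SystemSettings.exe',
    'C:\Windows\explorer.exe'
)
foreach ($p in $candidates) {
    $exists = Test-Path -LiteralPath $p -PathType Leaf
    $status = if ($exists) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}' -f $status, $p
}

# 2. Restore points available to rstrui.exe, newest first, so the one created
#    just before the update run can be picked out. CreationTime is a WMI
#    datetime string, so it sorts correctly as text.
Get-ComputerRestorePoint |
    Sort-Object CreationTime -Descending |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 3. The most recently installed KB numbers - the list essexboy asked for.
#    Entries with no InstalledOn date sort last.
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 25 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize
```

Run it before and after the restore to see which KB numbers disappear from the third list; those are the ones to report.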

dalinian
Ah-HA!  Well, that's more like it: all went well and as planned, AFAICT...



...followed by checking which Windows Updates borked my Win7 partition: and the Chief Suspects are as follows:




Since I don't recall asking for these two, they are prolly blameless:




Hope this helps in enabling you to root out the bad apples, so to speak.

Offline essexboy

OK, do not install the updates at the moment.

Update IE to IE10, downloading from here: http://windows.microsoft.com/en-gb/internet-explorer/ie-10-worldwide-languages

Once installed, recheck Windows Updates.
Install all .NET and Office updates.
Then let me know which ones remain.

dalinian
Curiouser and curiouser!  :o   ::)

I couldn't find a way to prevent Win7 doing its 'Important Updates' thang automatically, but... the whole shebang seems to have righted itself, second time around!  :)   

Win7 starts up in Normal Mode as expected, with the 'desktop image + icons + widgets + taskbar' combo appearing as indeed they should, in contradistinction to the Big Black Blank Screen of nothingness which appeared prior to Win7's second stab at installing those 22 'important updates' noted above.

The 'Windows Update' control panel now only shows the two optional updates, and I'm not going to the added time expense of matching the top 22 records in its 'Review your update history' table with the 'Chief Suspects' screenshot above - it just seems fair to assume that, on its second attempt at installing these 22 'important updates', Win7 succeeded where it had previously failed.

I was planning on putting IE10 in place, so many thanks for the link to its download page - it's now installed and seems to be running fine.

Goodness knows what went right this time cf. what went wrong last time, but I'm just fine about not looking this particular gift horse in the mouth. My inner mythology lover is wont to offer the explanation that a malicious and mischievous Pack of Gremlins tried messing up my Win7 partition, but once they saw I'd brought in Malware Analyst Gunslinger EssexBoy to straighten things out, the cowardly little minxes fled to a less well protected PC elsewhere. Pure and utter nonsense, I know, but as good a story as any!  ;)

So thanks for looking mean and dangerous and intimidating the WRONGNESS into going vamoosh at the hurry up - I really appreciate your assistance. Here's hoping it'll continue to be uninfected plain-sailing from this point onwards.  8)

Offline essexboy

It was my pleasure; I like your descriptive English... Something my old English master tried to drum into me... but, alas, he failed.

Keep safe