The Perfect virus?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Terraz, Aug 21, 2011.

  1. Terraz

    Terraz Private E-2

    Hello, I'm new around here. I've discovered a really weird infection on my computer VERY similar to the one described in http://forums.majorgeeks.com/showthread.php?t=197645 . I've already tried to run nearly EVERY program listed on the net to help my case, with zero results; also I have no more permissions to C:\ so MGTools couldn't save a log... however MGTools runs and, with craploads of error and registry permission windows, finishes correctly (?). I'm totally stuck now since I can't run nearly anything :(
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything. Note if you cannot save things in C:\ then just save them to your Desktop. Make sure that you have disabled UAC and rebooted first if you are running Windows Vista or Windows 7.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide


    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:
    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only SUPERAntiSpyware and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run SUPERAntiSpyware, Malwarebytes, ComboFix and MGtools on the infected account as requested in the instructions.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now if you have problems getting started on the instructions in my first message due to malware stopping you from running anything, then work thru the below steps instead:

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click and choose Run as Administrator


    You only need to get one of them to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.
    1. Rkill.exe
    2. Rkill.com
    3. Rkill.scr
    4. Rkill.pif
    Once you've gotten one of them to run then try to immediately run the following.



    Now download and Run exeHelper from Raktor
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • A log file named log.txt will be created in the directory where you ran exeHelper.com
    • Attach the log.txt file to your next message.
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

    Now run this: Using Malwarebytes Anti-Malware

    Now run this: Using MGtools



    Now you need to attach (See: HOW TO: Attach Items To Your Post ) the below logs created while running the above scans
    • the log from Rkill
    • exeHelper log
    • Malwarebytes Anti-Malware log
    • MGlogs.zip - normally it is C:\MGlogs.zip - only attach this log from MGtools.exe DO NOT attach any logs seen in the MGtools folder.
     
  4. Terraz

    Terraz Private E-2

    I'm trying the RKill+exehelper right away and post results soon, thanks!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Just attach the logs when you have completed all instructions.
     
  6. Terraz

    Terraz Private E-2

    1: ran Rkill
    2: immediately ran ExeHelper
    3: waited for them to finish their routine
    4: ran Anti-Malware.
    5: AM failed its complete scan in a crash and further tries to launch it terminate in the usual error message (same as before running Rkill and ExeHelper)
    6: used MGTools
    7: waited for MGTools to terminate, however it doesn't have permissions to write to C:\ so it produced no log file

    I'm attaching Rkill and ExeHelper logs
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in the c:\MGtools folder. Do you see any of the below logs? If so, attach them:

    1. hijackthis.log
    2. nwktst.log
    3. newfiles.txt
    4. procdll.txt
    5. runkeys.txt
     
  8. Terraz

    Terraz Private E-2

    I'm running MGtools from my desktop and none of the log files you mentioned were produced.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto the below link and follow the instructions for running TDSSKiller from Kaspersky
    • Be sure to attach your log from TDSSKiller

    Now also please also download MBRCheck to your desktop.


    See the download links under the icon in the original post.
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )


    Now let's try to debug why you are having problems with MGtools. Please click Start, All Program, Accessories and you will see ( among other things ) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. Try each command!!!! The bold black are commands. The purple/brown is merely informational.
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.

    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    analyse <-- this will try to run TrendMicro Hijackthis. Click Twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.



    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.
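    The GetRunKey step above collects the autostart registry entries into runkeys.txt. As an added example (not MGtools' own code, not from this thread), the following PowerShell script lists the values under the standard Run/RunOnce keys for the machine and the current user and checks whether the executable each entry points at still exists, which is the kind of review a helper does before writing a fix. It assumes Windows PowerShell 5.1 or later; the key list is the usual set and is an assumption, not something the thread states.

    ```powershell
    # Added example (not MGtools' GetRunKey): enumerate Run/RunOnce autostart
    # values for HKLM and HKCU and flag entries whose target file is missing.
    # Assumes Windows PowerShell 5.1+ running in an elevated console.
    $autorunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    function Get-AutorunEntries {
        param([string[]]$Keys)
        foreach ($key in $Keys) {
            if (-not (Test-Path -Path $key)) { continue }
            $props = Get-ItemProperty -Path $key
            # Get-ItemProperty adds PS* bookkeeping properties (PSPath etc.); skip them.
            foreach ($prop in $props.PSObject.Properties) {
                if ($prop.Name -like 'PS*') { continue }
                $cmd = [string]$prop.Value
                # Take the executable as the first token, quoted or not. Unquoted
                # paths that contain spaces will be cut short and show as missing;
                # those are worth checking by hand anyway.
                $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                       elseif ($cmd -match '^\s*(\S+)') { $Matches[1] }
                       else { '' }
                $exe = [Environment]::ExpandEnvironmentVariables($exe)
                [pscustomobject]@{
                    Key     = $key
                    Name    = $prop.Name
                    Command = $cmd
                    # Bare names like "rundll32.exe" (resolved via PATH) also report
                    # $false here; the Command column shows what was actually stored.
                    Exists  = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
                }
            }
        }
    }

    # Missing targets sort first so dangling entries are easy to spot.
    Get-AutorunEntries -Keys $autorunKeys |
        Sort-Object Exists, Key |
        Format-Table -Property Exists, Name, Command -Wrap -AutoSize
    ```

    Save it as a .ps1 file and run it from an elevated PowerShell console; an entry whose file no longer exists (for example a leftover uninstall URL under RunOnce) is harmless by itself but tells you the cleanup of that product was incomplete.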
     
  10. Terraz

    Terraz Private E-2

    ok I think we're getting closer! here's what I got:
    1: TDSSkiller ran and found 2 threats, eliminated both (see log)
    2: MBRcheck ran (it ended without asking to press a key)
    3: MGtools from the admin shell is able to produce the log .zip and:
    -no problem on the first command.
    -second command blocked and the command prompt had to be quit
    -third command said "file not found"
    -fourth command now worked, only error was: "tcpip6.sys not found"
    -fifth command (analyse) can't be run: "access denied"; attempting to run it in the explorer window shows the usual error message.
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You appear to have ignored very early instructions in the READ & RUN ME FIRST that stated you must not have multiple antivirus programs running. The same goes for AntiSpyware and Firewalls. So to cleanup from the problems this may have caused and may still be causing, you need to uninstall ALL of the below. Do not reinstall anything right now. We will add protection later.
    • Emsisoft Anti-Malware 5.1
    • ESET NOD32 Antivirus
    • McAfee Security Scan Plus
    • Norton 360
    • Spyware Doctor 8.0
    Also uninstall >>> Babylon toolbar


    After doing the above, continue on with the below.


    Also, please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1


    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      902b75a7
      2809473936
      1876200024
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.


    Now please download and run Win32kDiag per the below instructions:
    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log
    C:\win32kdiag.exe -f -r




    Now we need to scan the system with this special tool.
    • Please download Junction.zip and save it to your root folder (C:\Junction.zip)
    • Unzip it and put junction.exe in the root folder (C:\junction.exe)
    • Now click Start => Run... => Copy and paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >C:\log.txt
    • A command prompt window opens and also a license agreement from SysInternals will appear.
    • Accept the license agreement and the scan will begin.
    • Wait until a log file opens. Attach this C:\log.txt when it finishes (the command prompt window will close when it finishes).
    • NOTE: It scans your whole hard disk so it can take a long time. Be patient and don't do anything else while it is scanning.
    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • the logs from SystemLook, Win32Kdiag, and Junction
    • C:\MGlogs.zip
     
    Last edited: Aug 24, 2011
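    The Junction step above uses Sysinternals junction.exe to list every reparse point under C:\, because an infection that redirects system or tool folders through junctions is one reason scanners fail to run. As an added example (not the thread's or Sysinternals' code), this PowerShell script does a comparable walk with built-in cmdlets, writes the findings to a log on the Desktop, and, since this thread is about broken permissions, also records the folders it was not allowed to read. It assumes Windows PowerShell 5.1 or later, where file objects expose LinkType and Target; the log name is an assumption.

    ```powershell
    # Added example (not from the thread): list reparse points (junctions,
    # symbolic links, mount points) under a root, roughly what "junction -s c:\"
    # reports, and note paths that could not be read.
    # Assumes Windows PowerShell 5.1+ in an elevated console.
    param(
        [string]$Root    = 'C:\',
        [string]$LogPath = "$env:USERPROFILE\Desktop\reparse-scan.txt"
    )

    # -Force includes hidden/system entries; -Attributes ReparsePoint filters
    # to items whose reparse bit is set. Access errors are collected, not fatal.
    $unreadable = @()
    $found = Get-ChildItem -Path $Root -Recurse -Force -Attributes ReparsePoint `
                -ErrorAction SilentlyContinue -ErrorVariable unreadable

    $lines = foreach ($item in $found) {
        # Target may be a string or an array of strings; join it to one column.
        $target = if ($item.Target) { @($item.Target) -join ';' } else { '<unknown>' }
        "{0}`t{1}`t{2}" -f $item.LinkType, $item.FullName, $target
    }

    $report = @(
        "Reparse point scan of $Root ($(Get-Date -Format s))"
        "LinkType`tPath`tTarget"
    ) + @($lines)

    if ($unreadable.Count -gt 0) {
        # TargetObject on these ErrorRecords is the path that was refused.
        $report += ''
        $report += "Paths that could not be read ($($unreadable.Count)):"
        $report += $unreadable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique
    }

    $report | Set-Content -Path $LogPath -Encoding UTF8
    Write-Host "Found $(@($found).Count) reparse points; log written to $LogPath"
    ```

    Windows ships with a number of legitimate junctions (for example the "Documents and Settings" and "Application Data" compatibility links), so the useful signal is a junction or symlink sitting inside a tool or system folder that has no business being redirected, and an access-denied entry on a folder an administrator should be able to read.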
  12. Terraz

    Terraz Private E-2

    note: ESET NOD32 Antivirus was already uninstalled, I can't find further files associated with it to uninstall (I also used REVO uninstaller).

    1) SystemLook ran fine.
    2) Win32KDiag ran fine.
    3) Running your command for Junction just makes a black DOS box appear for an instant and disappear. No license agreement popped up and nothing happened. I have Junction.exe in my root folder and I launched it using your command in the run window. Also no log file was produced :(

    I'm attaching the logs!
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please tell me if you can find and delete the below file

    C:\Windows\assembly\GAC_MSIL\Desktop.ini


    If you find it and it seems to delete, reboot immediately and then tell me if it came back or not.
     
  14. Terraz

    Terraz Private E-2

    I don't have (or can't see) such a folder in windows\assembly!
    also a weird yellow-colored "Download" is found in the explorer, I'm attaching a screenshot to let you see!
     

    Attached Files:

    • ex1.jpg (98.3 KB, 9 views)
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please click Start, All Program, Accessories and you will see ( among other things ) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt each followed by the enter key. Try each command!!!! The bold black are commands. The purple/brown is merely informational.
    cd C:\Windows\assembly\GAC_MSIL <-- this changes to the folder I was asking about. The prompt should change to C:\Windows\assembly\GAC_MSIL>

    del Desktop*.* <-- tell me what message you get back. Note there is only a space before Desktop*.* No other spaces.
     
  16. Terraz

    Terraz Private E-2

    and here's what I got
     

    Attached Files:

  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now rerun SystemLook, Win32diag and try Junction again with same instructions as previously given.



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\avenger.txt
    • new logs from SystemLook, Win32Diag, and Junction if they ran
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  18. Terraz

    Terraz Private E-2

    ok then:

    1) Avenger ran fine.
    2) SystemLook ran fine.
    3) Win32Diag ran fine.
    4) Junction didn't run, same as before.
    5) GetLogs.bat ran fine.
     

    Attached Files:

  19. Terraz

    Terraz Private E-2

    little report on how the things are working:

    on startup I now receive an error box about a Microsoft Windows Live ID service, also I receive a message box to install drivers for the "new hardware" (I always ignore them since I have not plugged in\removed any component).
    the minor malware concerning the redirect in Google has disappeared!
    I am now able to install and run Malwarebytes' Anti-Malware!! (performing a complete scan right now!)
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After Malwarebytes finishes, fix anything found and then reboot immediately if it finds anything to fix.

    After reboot, then rerun TDSSkiller and attach a new log.

    Also see if ComboFix will run
     
  21. Terraz

    Terraz Private E-2

    ok TDSSkiller found a suspicious (not clearly detected as malware) file, which I skipped.
    combofix did run (yeah!!), however it shows me a box (see attachment), I click OK, it continues for a while then it shows me another box saying that a rootkit has been found and the system must be rebooted, I click OK and the computer reboots... after that no log is produced by combofix and if I run it again it does the same thing.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! Try looking in Device Manager to see if anything shows up with a yellow exclamation point next to it.

    Did it finish? If so, please attach the log from it.

    Delete any copies of ComboFix that you have and delete the C:\ComboFix folder if it exists. Then redownload a new version of ComboFix but before running it, boot into safe mode, then see if you can get it to run.

    Then boot into normal mode and run this GMER - running with a random name and attach the log from GMER
     
    Last edited: Aug 25, 2011
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That is just from Daemon Tools.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Whether or not you get ComboFix and GMER to run, continue on with the below instructions anyway.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.





    Now run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Users\luca\AppData\Local\Temp

    Now rerun SystemLook, Win32diag as previously requested.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\avenger.txt
    • new logs from SystemLook and Win32Diag
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  25. Terraz

    Terraz Private E-2

    ok here we are:
    1) about the devices: see attached picture.
    2) combofix did run on the second attempt in safemode and produced a log!
    3) GMER have some problems, after a few minutes scanning I get a blue screen of death
    4) fixme.reg did work well
    5) I did not run the script for Avenger because it shows me a "Syntax error" on the last command (Registry values to delete:
    HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\RunOnce | AvgUninstallURL).


    I did not go further in instructions!
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just remove that line from the fix and run the fix. Then attach the logs from Avenger and the new MGlogs.zip

    ComboFix and MBAM showed lots of system files infected. You may have to uninstall/delete a number of programs to fix this. It is also possible that a reinstall may be required to fully make your PC reliable. You need to stop downloading the cracks, which is likely to be where the problems began. And the online poker stuff is not helping matters either.
     
  27. Terraz

    Terraz Private E-2

    still Avenger doesn't run, I'm attaching a screenshot of the syntax error I get (not sure if this is meant to happen).
     

    Attached Files:

    • ex5.jpg (19.8 KB, 5 views)
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. The HKEY_CURRENT_USER hive is not supported by Avenger. I had that fix all worked out for using with another tool but used Avenger instead and forgot to change those lines.

    Do the below registry patch while I work up another fix.


    Copy the bold text below to notepad. Save it as fixme2.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay new fix! Notice that I'm deleting Junction for now since the infection corrupted its permissions.


    Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    Now delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\TEMP
    C:\Users\luca\AppData\Local\Temp

    Now rerun SystemLook, Win32diag as previously requested.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).




    Then attach the below logs:
    • C:\avenger.txt
    • new logs from SystemLook and Win32Diag
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  30. Terraz

    Terraz Private E-2

    and here is the update!
    1) fixme2.reg worked!
    2) Avenger worked!
    3) deleted temp files!
    4) SystemLook worked!
    5) Win32KDiag worked!
    6) MGtools worked!

    now, I no longer have permissions issues but I now have a weird error with Anti-Malware. The AM tray won't work and eventually an error pops up! btw I can run AM and perform all scans, only the tray doesn't work! I'm not sure if my PC is malware-free!
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No you are not totally clean yet. A few files from this infection that we have been trying to remove still remain and there are still some permissions issues present as seen in the Win32Kdiag log.

    Please uninstall Malwarebytes. Do not reinstall yet.

    Also delete the current copy of ComboFix.exe that you have.

    Now download this copy of combofix.exe and save it to your Desktop.

    Now reboot your PC in safe boot mode and see if you can get ComboFix to run in safe boot mode.

    Reboot normally ( whether it runs or not ) and report back to me what happened. And if ComboFix ran, attach the C:\combofix.txt log.
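    The permissions problems referred to above (tools that fail with "access denied", Junction whose permissions the infection corrupted, issues visible in the Win32kDiag log) show up as explicit Deny entries or an unexpected owner on a file or folder. As an added example (not from this thread, not Win32kDiag), this PowerShell script reads the DACL of the paths the thread works with and reports any non-inherited Deny entries together with the owner; it changes nothing. It assumes Windows PowerShell 5.1 or later in an elevated console, and the default path list is an assumption.

    ```powershell
    # Added example (not from the thread): report explicit Deny ACEs and the
    # owner on the folders and files the cleanup tools need.
    # Assumes Windows PowerShell 5.1+ in an elevated console.
    param(
        [string[]]$Paths = @('C:\MGtools', 'C:\junction.exe', "$env:LOCALAPPDATA\Temp")
    )

    function Get-DenyAces {
        param([string]$Path)
        # Get-Acl reads the DACL; keep only explicit (non-inherited) Deny entries,
        # which Windows defaults essentially never place on these locations.
        $acl = Get-Acl -Path $Path -ErrorAction Stop
        $acl.Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $Path
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                    Owner    = $acl.Owner
                }
            }
    }

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Host "[missing] $p"
            continue
        }
        try {
            $denies = @(Get-DenyAces -Path $p)
            $owner  = (Get-Acl -Path $p).Owner
            if ($denies.Count -eq 0) {
                Write-Host "[ok]      $p (owner: $owner)"
            } else {
                Write-Host "[DENY]    $p (owner: $owner)"
                $denies | Format-Table Identity, Rights -AutoSize | Out-String | Write-Host
            }
        } catch {
            # Not even being allowed to read the DACL as an administrator is a finding.
            Write-Host "[noread]  $p : $($_.Exception.Message)"
        }
    }
    ```

    A Deny entry for Everyone, Users or Administrators on a scanner's folder, or an owner that is not Administrators, TrustedInstaller or the logged-in user, explains the "access denied" errors seen earlier in the thread; the built-in takeown and icacls /reset commands restore ownership and inherited permissions once the infection itself has been removed.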
     
  32. Terraz

    Terraz Private E-2

    first attempt to run CF in safe mode asked for a reboot; on the second try it completed and produced the log, then rebooted into normal mode regularly
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As you can see from your ComboFix log, a bunch of your programs are infected. You will have to uninstall the ones we can uninstall. And then we will have to see if there are uninfected replacements for the files we cannot fix by uninstalling. Do not reinstall anything after uninstalling as you may just reinfect them again. You must wait until your PC is clean to reinstall anything unless I ask you to install a program.

    Also ComboFix shows you still have things from ESET, F-Secure.

    If not already in Normal Boot mode, put your PC into normal boot mode before doing the below.



    Uninstall all of the below:
    • Alcohol 120
    • Daemon Tools Lite and Daemon Toolbar if not uninstalled with the above.
    • iTunes
    • Punkbuster to remove this >> c:\windows\system32\PnkBstrA.exe
    • your SAMSUNG software to get rid of the problem with c:\windows\system32\FsUsbExService.Exe being infected.
    • Windows Live
    Now please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1


    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      MDM.EXE
      nvvsvc.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to next reply.

    Now we need to use ComboFix again. Try this fix in Normal Boot Mode. If you have a problem, then run it in safe boot mode.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up because you receive the following error: Illegal operation attempted on a registry key that has been marked for deletion then you will need to reboot your computer which will normally fix this problem.

    Now make sure that you are in Normal Boot Mode before doing the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the SystemLook.txt log
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  34. Terraz

    Terraz Private E-2

    ok I think I've got rid of all the software you mentioned, ran SystemLook, ComboFix and GetLogs smoothly and here are their logs!
     

    Attached Files:

  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks like they took care of the rest of your malware. Since you did not say you were having anymore problems, I will assume all is good now.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  36. Terraz

    Terraz Private E-2

    let's hope all is well :) by the way I'm using FileASSASSIN to delete some files with permissions issues that remained!
    ps: I've noticed the creation of the directory C:\$RECYCLE.BIN and I don't know if it's supposed to exist... I'm attaching a screen!
     

    Attached Files:

    • ex1.jpg (50.1 KB, 3 views)
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It has always been there. It is part of Windows. ;) You just never saw it as you may have had it hidden.
     
