Trojan.Agent - Riskware "Windows Vista Recovery" - all files marked as hidden.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by v_w, Jun 7, 2011.

  1. v_w

    v_w Private E-2

    Me again! Different PC and user this time though.

    I've previously (successfully!) healed this machine on two occasions but the user doesn't seem to be able to spot the difference between A/V I've installed and the fake Riskware popups all over the questionable sites he visits :(

    What started as a simple disinfect has progressed into a browser hijack issue. All user files have been marked as hidden, obviously in an attempt to make the user believe all their files have been deleted. I'm not sure how I'm going to reverse the file properties though - any ideas?

    **********

    I have read and digested all the sticky posts on virus removal. I have run all housekeeping procedures, UAC is off and CD emulation has been halted. I have followed the instructions for Vista virus removal and my results are as follows:

    SUPERAntiSpyware - installed and successfully scanned - found and cleaned 6 errors - the log is attached SASLog06062011.txt

    Malwarebytes Anti-Malware - installed and successfully scanned - found and cleaned 1 error - the log is attached MBAMLog06062011.txt

    ComboFix - installation halts at "output folder C:\32788R22FWJFW" and the machine crashes. I have to power off and restart.

    RootRepeal - installed and successfully scanned - the log is attached RRLog06062011.txt

    MGtools - installed and successfully scanned - the log is attached MGlogs.zip

    As per my thread from February, I still detest asking for help but I am once again stumped.

    I welcome your expert advice.

    / vw
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Oh dear... next time he has a problem, send him here to run the procedures himself! So he can see what has to go on. If he is not capable of coming here himself and running the scans I must ask how he manages on a day to day basis?

    Please download and save the below to your Desktop or anywhere else you can find it (if the Desktop is not showing):

    http://download.bleepingcomputer.com/grinler/unhide.exe

    Now run it. Did that help?
     
    Last edited by a moderator: Jun 7, 2011
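The unhide.exe linked above reverses what the rogue did: it clears the Hidden attribute on the user's files. As an added illustration (this is not unhide.exe and not code from the thread), the PowerShell below does the same job for one profile while leaving alone anything that also carries the System attribute or is a junction, since those are hidden by Windows itself (desktop.ini, ntuser.dat, the "Application Data" junctions on Vista). The profile path is an assumption and defaults to the current user; C:\Users\Jack is only the path seen in the OTM script later in this thread.

```powershell
# Added example: clear the Hidden attribute that a rogue "recovery" program set on a
# user's files, without touching items Windows marks Hidden+System or reparse points.
# Assumption: run as administrator, PowerShell 2.0 or later. -Root defaults to the
# current profile; pass -Root 'C:\Users\Jack' (placeholder) for another user.
function Restore-HiddenUserFiles {
    param(
        [string]$Root = $env:USERPROFILE,
        [switch]$Preview            # list what would change without changing anything
    )
    $hidden  = [int][System.IO.FileAttributes]::Hidden
    $system  = [int][System.IO.FileAttributes]::System
    $reparse = [int][System.IO.FileAttributes]::ReparsePoint
    $changed = @()

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $a = [int]$_.Attributes
            (($a -band $hidden) -ne 0) -and (($a -band $system) -eq 0) -and (($a -band $reparse) -eq 0)
        } |
        ForEach-Object {
            if (-not $Preview) {
                # Clear only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
                $_.Attributes = [System.IO.FileAttributes]([int]$_.Attributes -band (-bnot $hidden))
            }
            $changed += $_.FullName
        }
    return $changed
}

# Usage: preview first, then apply; the returned list is what was (or would be) unhidden.
$wouldChange = Restore-HiddenUserFiles -Preview
Write-Host ("{0} items carry a user-level Hidden attribute under {1}" -f $wouldChange.Count, $env:USERPROFILE)
# Restore-HiddenUserFiles | Out-File "$env:USERPROFILE\Desktop\unhidden.txt"
```

Run the preview first and skim the list: a rogue hides everything indiscriminately, so hundreds of ordinary documents and shortcuts showing up is the expected picture, whereas a short list of odd files in AppData is worth a second look before unhiding. The Hidden attribute is also one of the things that makes the Start menu look empty, which is why the next reply in this thread checks that first.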
  3. v_w

    v_w Private E-2

    Hey Kestrel, t'was you who helped last time, I hope you know what you're getting yourself into!

    I often wonder how people like this get themselves dressed in the morning :)

    It did, thank you - all previously hidden files are now visible.

    On to the next stage?
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, little bit more to do.


    Java(TM) 6 Update 24 <-- Uninstall outdated Java.

    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :Files
    C:\Users\Jack\AppData\Local\BITB9FC.tmp
    C:\ProgramData\40360928
    C:\ProgramData\~40360928r
    C:\ProgramData\~40360928
    C:\ProgramData\mOnPhNd06504
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run

    Reboot your machine and install the most current and up to date version of Java available here at the below link:

    Java Runtime 6

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let us know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  5. v_w

    v_w Private E-2

    Done.

    Done;

    Code:
    All processes killed
    ========== FILES ==========
    C:\Users\Jack\AppData\Local\BITB9FC.tmp moved successfully.
    C:\ProgramData\40360928 moved successfully.
    C:\ProgramData\~40360928r moved successfully.
    C:\ProgramData\~40360928 moved successfully.
    C:\ProgramData\mOnPhNd06504 folder moved successfully.
    ========== COMMANDS ==========
     
    [EMPTYTEMP]
     
    User: All Users
     
    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
     
    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
     
    User: Jack
    ->Temp folder emptied: 21358022 bytes
    ->Temporary Internet Files folder emptied: 17417422 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 615 bytes
     
    User: Public
     
    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 3998 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    %systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 741 bytes
    RecycleBin emptied: 0 bytes
     
    Total Files Cleaned = 37.00 mb
     
     
    OTM by OldTimer - Version 3.1.18.0 log created on 06092011_075309
    
    Files moved on Reboot...
    
    Registry entries deleted on Reboot...

    Tried all manner of methods to get this to run and it won't - no error messages at all. It appears in the list of running programs (using task manager) for a few seconds, then vanishes.

    Done - Java 6 Update 26

    Done and attached - MGLogs.zip

    I'm still being redirected when clicking search results in Google, etc. If I pick a link from the history (as I do to get here) then it works fine.

    I also still appear to have hidden items within the start menu. The main folders are all visible (iTunes for example) but when expanding the folder, it's empty.

    Thanks for your assistance thus far!
     


  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You have an MBR infection.

    Do you have your boot CD? If not:

    Vista and Win7 Recovery disc


    For fixing the boot issues:
    To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

    1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
    7. Type Bootrec.exe, and then press ENTER.

    Then you can do this:

    Bootrec.exe /fixmbr

    Now does TDSSKiller run? :)
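Bootrec.exe /fixmbr rewrites the boot code in the master boot record, which is where a bootkit of this kind installs itself so that it loads before Windows and before any anti-rootkit tool (a scanner that starts and silently vanishes, as TDSSKiller did here, fits that picture). As an added defender's check, not something from the thread, the PowerShell below reads sector 0 of the first disk, verifies the 0x55AA boot signature, lists the partition table and hashes the 446-byte boot code so it can be compared with a baseline recorded from a known-clean machine of the same Windows build. The device path and the baseline hash are assumptions: the baseline is a placeholder you supply.

```powershell
# Added example: read and sanity-check the master boot record (sector 0) of the
# first physical disk. Requires an elevated prompt. The baseline hash below is a
# placeholder; record it from a known-clean install of the same Windows build.
function Get-MbrInfo {
    param([string]$Device = '\\.\PhysicalDrive0')   # assumption: first disk

    $fs = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        $read = $fs.Read($sector, 0, 512)
        if ($read -ne 512) { throw "Short read from $Device ($read bytes)" }
    } finally { $fs.Close() }

    # Layout: boot code in bytes 0-445, four 16-byte partition entries from 446,
    # and the signature 0x55 0xAA in bytes 510-511 (without it the BIOS won't boot).
    $bootCode = [byte[]]$sector[0..445]
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash($bootCode) | ForEach-Object { $_.ToString('x2') }) -join ''

    $partitions = for ($i = 0; $i -lt 4; $i++) {
        $off  = 446 + 16 * $i
        $type = $sector[$off + 4]
        if ($type -ne 0) {                          # 0x00 = unused slot; 0xEE = GPT protective
            New-Object PSObject -Property @{
                Index    = $i
                Bootable = ($sector[$off] -eq 0x80)
                TypeId   = ('0x{0:X2}' -f $type)
                StartLba = [BitConverter]::ToUInt32($sector, $off + 8)
                Sectors  = [BitConverter]::ToUInt32($sector, $off + 12)
            }
        }
    }

    New-Object PSObject -Property @{
        Device         = $Device
        SignatureOk    = (($sector[510] -eq 0x55) -and ($sector[511] -eq 0xAA))
        BootCodeSha256 = $hash
        Partitions     = $partitions
    }
}

# Usage (elevated). A changed hash right after "bootrec /fixmbr" is expected;
# boot code that differs from the clean baseline before any repair is the red flag.
$knownGood = '<sha256 of boot code recorded from a clean machine>'   # placeholder
$mbr = Get-MbrInfo
$mbr | Format-List Device, SignatureOk, BootCodeSha256
$mbr.Partitions | Format-Table Index, Bootable, TypeId, StartLba, Sectors -AutoSize
if ($mbr.BootCodeSha256 -ne $knownGood) { Write-Warning 'Boot code differs from the recorded baseline.' }
```

Two caveats when reading the result: the boot code legitimately differs between Windows versions and some OEM images, so the baseline must come from the same build, and a bootkit that hooks disk I/O can hand a clean-looking sector 0 to anything running inside the infected Windows. That is why the thread ends up running the repair and the scanner from the recovery environment: reading the disk from outside the running system is the only view that can be trusted.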
     
  7. v_w

    v_w Private E-2

    Done

    It does not.

    As before, it appears in the running programs list and then vanishes.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hmm, and you are sure you followed the instructions exactly? What about the redirects? Reboot the machine and surf... does it still redirect?
     
  9. v_w

    v_w Private E-2

    Yup, I followed the instructions to the letter - I'd hate to waste your time by skipping anything.

    Browsing is painfully slow but when something does finally happen, it doesn't appear to redirect.

    FWIW The virus/infection is (or was) "Windows Vista Recovery".
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I am glad the redirects appear to have stopped; however, I still worry about TDSSKiller not running properly.

    Okay then move the TDSSkiller.exe file (or redownload it) to your root folder so that you have C:\TDSSkiller.exe to make it much easier to run.

    Then reboot your PC with your DVD and then get into the command prompt window. Then enter the below and hit Enter (it is case insensitive):

    C:\tdsskiller.exe

    Hopefully it runs okay. Then reboot normally and see if things are working better or not. Attach the log from TDSSkiller if it made one in your root folder.
     
  11. v_w

    v_w Private E-2

    TDSSKiller ran fine from within the recovery console command prompt and found no errors whatsoever; however, it still fails to run from Windows itself.


    When searching for an alternative to TDSSKiller the first result within Google points to alternative.to

    If I click the link I'm taken to
    Code:
    md.climatechange.us
    and after a brief pause I end up at either
    Code:
    22000.c.evoplus.com
    or eBay UK.

    If I copy and paste the result into a new tab the correct page displays.

    Sorry, I thought the issue had been sorted, it appears I was wrong. :(
     
    Last edited by a moderator: Jun 10, 2011
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Your thread is starting to look very similar to this one Hidden desktop files + google redirect

    Re-run everything:

    Attach logs.
     
  13. v_w

    v_w Private E-2

    Yup, pretty much identical so far.

    The infected file (at least for me) was volsnap.sys

    SUPERantispyware - clean but log attached - SASLog100611.log

    Malware Bytes - as above - MBAMLog100611.txt

    Combofix - actually worked this time and the log is attached - CFLog10062011.txt

    MGTools - logs attached - MGLogs.zip

    Redirection appears to have ceased. I've rebooted a few times and things seem a bit more sprightly too.

    Thanks for your help so far!
     

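v_w names volsnap.sys as the infected file. Rootkits of this kind patch a legitimate Microsoft driver in place, so the file keeps its name, location and roughly its size, and the only way to tell is to verify it against what Microsoft shipped. As an added check (not part of the thread and not what ComboFix does internally), the PowerShell below hashes the driver, reads its Authenticode status, and asks Windows Resource Protection (sfc /verifyfile) whether the file still matches its protected catalog entry. The driver path defaults to volsnap.sys; everything else is standard Windows tooling. One caveat is built into the comments: PowerShell before 5.1 does not consult catalog signatures, so an untouched in-box driver may report NotSigned, which is why the sfc result is the one to trust on a Vista-era host.

```powershell
# Added example (not from the thread): check whether an in-box driver such as
# volsnap.sys is still the copy Windows shipped. Run from an elevated 64-bit
# PowerShell on x64 so that System32\sfc.exe is the real one, not the WoW64 copy.
function Test-SystemDriver {
    param([string]$Path = "$env:SystemRoot\System32\drivers\volsnap.sys")
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    # SHA256 of the live file, to compare with the same file on a clean machine of
    # the same Windows build (that comparison value is yours to record).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }

    # Authenticode status. Caveat: PowerShell before 5.1 ignores catalog (.cat)
    # signatures, so a clean Microsoft driver can show NotSigned here; informative only.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Windows Resource Protection compares the file with its protected catalog entry.
    # sfc writes UTF-16 to stdout, so read it with an explicit Unicode encoding;
    # piping sfc straight into PowerShell yields NUL-separated text that won't match.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = "$env:SystemRoot\System32\sfc.exe"
    $psi.Arguments              = "/verifyfile=`"$Path`""
    $psi.UseShellExecute        = $false
    $psi.RedirectStandardOutput = $true
    $psi.StandardOutputEncoding = [System.Text.Encoding]::Unicode
    $proc    = [System.Diagnostics.Process]::Start($psi)
    $sfcText = $proc.StandardOutput.ReadToEnd()
    $proc.WaitForExit()

    New-Object PSObject -Property @{
        Path            = $Path
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        SfcClean        = ($sfcText -match 'did not find any integrity violations')
        SfcOutput       = $sfcText.Trim()
    }
}

# Usage: check the driver named in this thread, then sweep the drivers folder and
# show only what Windows Resource Protection objects to.
Test-SystemDriver | Format-List Path, Sha256, SignatureStatus, Signer, SfcClean, SfcOutput
Get-ChildItem "$env:SystemRoot\System32\drivers" -Filter *.sys |
    ForEach-Object { Test-SystemDriver -Path $_.FullName } |
    Where-Object { -not $_.SfcClean } |
    Format-Table Path, SignatureStatus, SfcClean -AutoSize
```

Third-party drivers are not in the protected-file catalog and will show up in the sweep as "not clean" for that reason alone, so read the SfcOutput text rather than the flag for anything that is not a Microsoft in-box driver. As with the MBR check, a rootkit that is still active can hide a patched driver from tools running on the infected system, so a clean result means most when it is taken after the offline repair and reboot, as in this thread.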

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes the logs look good! So combined with your comment on how things are running I think it is time to wrap up. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  15. v_w

    v_w Private E-2

    Carried out all the steps and things are back to normal....except...

    The start menu is still showing various folders as being empty - there are no hidden files to display so my best guess is that these folders really are empty.

    Taking "Games" as an example.

    Start > All Programs > Games is empty, however, Start > Games (right hand side of the start menu) shows all the installed games.

    I have a feeling the answer is to repopulate these manually myself.

    That issue aside we're done and I can't thank you enough (again). I will be purchasing more stuff from the store to show my appreciation.

    / v_w
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes indeed. Afraid so.
    You're welcome! safe surfing.
    Thank you very much. :)
     
