'datafilehost' malware. Black screen, deleted restore points

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tsundere, Aug 31, 2014.

  1. tsundere

    tsundere Private E-2

    About 2 weeks ago, I tried to download a file at this 'file hosting' website: http://www.datafilehost.com/d/e9d6f3bc

    but I forgot to uncheck the box that says 'use our download manager etc...' I then got a file with the same name as the actual file (tools v6.0.8.zip), but it's actually malware... So I launched the exe in that zip and bad stuff happened. I then ran the antimalware programs and retrieved the logs attached here. Here are the symptoms in chronological order.

    day 1
    -ran the exe, then realised it was fake
    -uploaded to virustotal and half of the AVs returned positive
    -I tried to system restore but all the restore points before that day were deleted. I know there were many lost restore points because I saw them previously. And there's usually a lot.
    -I restarted and got a black screen. Had to power off manually.
    day 2ish
    -I ran the antimalware programs
    -I saw that new restore points were being made from after the date I clicked the exe. I am still worried because my pc usually keeps a lot of restore points (I think even going back 6 months) and now there was only 1.
    -no more black screen
    day 7ish
    -Started to get connection timeout/dns errors in chrome when loading certain websites. It can be solved by refreshing about 10 times.
    today (day 18)
    -Opened system restore and saw "No restore points have been created", then error window pops up saying "There was an unexpected error (0xC0003005) Please close system restore and try again."
    -This is very sad and atypical, my pc is usually very healthy when it comes to system restores and I have not installed anything else dodgy since day 1


    Note: MGlogs didn't really complete properly, I think. It was stuck on HijackThis for 2 hours so I closed it.
    Sorry for the lengthy read,
    Regards
     


  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

  3. tsundere

    tsundere Private E-2

    Ok I'll get to work. It should be done in a couple of hours. Do you want me to upload the exe file itself?
    Thanks a lot for helping me =)
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the instructions for using MGtools, the below information appeared, which you are advised to follow:
    Since you probably did not close other applications/windows, you probably never saw the TrendMicro HijackThis license agreement and it was waiting for you to click twice as stated. Thus MGtools did not finish. ;)
     
  5. tsundere

    tsundere Private E-2

    Ok thanks man, I will keep that in mind when I run mgtools again =).

    (As a side note, since my MBAM trial has expired, I found a legitimate way to reset the trial with one google search 0.0. Not sure if it's intentional or it's some kind of hole but rest assured, I will gladly buy a subscription if all goes well =))
     
  6. tsundere

    tsundere Private E-2

    There was something important I forgot to mention. When I clicked that virus exe file, nod32 immediately detected a whole bunch of threats and quarantined them. It must have detected some more the next day too -.-. I'm thinking it probably didn't catch all of them due to the remaining symptoms. I have attached screenshots of the nod32 quarantine log. Thank you very much
     


  7. tsundere

    tsundere Private E-2

    Here are screenshots of the nod32 quarantine log. I could not copy the text.
     


  8. tsundere

    tsundere Private E-2

    Oh I just realised, Chaslang, you created the MGTools xD. I feel honoured
     
  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Just a little junk to cleanup

    *Again - please check the scan dates for the most recent logs created by the requested tools. No recent logs means you didn't follow our guide's instructions.
    Is your system configured to use a proxy?

    Uninstall this outdated software:
    Java 7 Update 9

    NOTE: Mozilla Firefox 26.0 (x86 en-US) is also outdated - the current stable version is Mozilla Firefox 32.0 Final

    Please re-run HitmanPro and fix/delete all Potential Unwanted Programs
    Ignore all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.
    After reboot and when you are back in Windows, run another scan with HitmanPro and then attach the latest HitmanPro log.

    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
    Now download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach the JRT.txt to your next message.
    Now install the current version of Sun Java from:
    *Make sure that when you install the new version of Java that you uncheck the Install the Ask Toolbar junkware checkbox. You do not want to add what most people consider malware to your PC. Also, just in case Oracle changes the Java installation in the future to possibly install other junk, uncheck all but just installing Java.
     
  10. tsundere

    tsundere Private E-2

    The scan date was 2 days ago, are we getting the date format mixed up?

    No, at least it shouldn't be.

    Also I don't really use Firefox these days (I use Chrome instead). Can I uninstall Firefox?

    I will follow your instructions now, thanks for your help Dr. Moriarty
     
    Last edited: Sep 3, 2014
  11. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :p Yes - you are correct
    Also "yes" on the uninstall of the older Firefox.

    And you're welcome!
     
  12. tsundere

    tsundere Private E-2

    When I try to run JRT, all I see is a black commandline window with a flashing underscore. It does not say "press any key to continue". I'm guessing something went wrong. I disabled all nod32 protection except HIPS and I ran as admin. Thank you
     
  13. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    tsundere,

    Did you also try running in Safe Mode? Did AdwCleaner run?
     
  14. tsundere

    tsundere Private E-2

    Dr. Moriarty, yes I think AdwCleaner ran successfully, though the scan seemed very short. I will try safe mode now :wave
     
  15. tsundere

    tsundere Private E-2

    Safe mode did not seem to help. I still got a black window with no text and a flashing underscore. I have some of the default services disabled on here. Do you think that could be the cause?
     
  16. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    I, too, have done some system service tweaks but have no problems.

    * In the interest of being thorough - please perform this online scan and then we will finish up.

    Using ESET's Online Scanner

    Attach the ESETScan.txt log, please.
     
  17. tsundere

    tsundere Private E-2

    Attached are the logs. Please tell me what you think ;)
     


  18. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Move AdwCleaner.exe directly to your Desktop, as instructed by the R&R ME FIRST guide.
    About the expected results from NOT removing the Cracks & Hacks as I instructed.

    Re-run AdwCleaner.exe
    • Click on the Scan button
    • When the scan is ready click on the Clean button
    • A log file will automatically open after the scan has finished
    • Please attach the log file, located at C:\AdwCleaner[S0].txt

    How is the pc running now?
     
  19. tsundere

    tsundere Private E-2

    I probably missed something somewhere, but I did not see a 'R&R ME FIRST guide' anywhere. Hopefully, I did the adwcleaner scan properly this time as these scans seem to really help. It's a pity I couldn't get JRT to work.

    Sorry about the cracks, my friend installed all my software a very long time ago and I don't know where they all are. Hopefully ESET got rid of most of them (I checked 'delete quarantined items' + 'uninstall on exit').

    My pc is running much better now and it can make restore points again! I'm quite impressed so far, but I would still like to be thorough. There are still issues with loading certain webpages but it happens less frequently. Thanks again for your help so far.
     


  20. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome

    It's the fifth from the top "Sticky/Pinned" thread that appears on every page in this forum, the one that told you which tools to run when starting a topic here.
    READ & RUN ME FIRST Malware Removal Guide (incl. spyware, virus, trojan, hijacker)

    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Set the "Output" to "Minimum Output".
    • Change the setting of "Drivers" and "Services" to "Use Safelist"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives

    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)

    Let's see if re-setting your browsers might help:

    Reset Internet Explorer 9, 10, and 11 to Defaults
    Reset Chrome to Defaults
     
  21. tsundere

    tsundere Private E-2

    Here are the logs =)
     


  22. tsundere

    tsundere Private E-2

    If I use OTL to 'cleanup', will it be reversible?
     
  23. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    No! Please perform only the instructions given to you until we are finished with the malware removal.

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O4 - HKLM..\Run: []  File not found
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab (Java Plug-in 10.9.2)
    O16 - DPF: {CAFEEFAC-0017-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab (Java Plug-in 1.7.0_09)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab (Java Plug-in 1.7.0_09)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{4F4C0E17-E03A-45F9-BC0A-26504A153B85}: DhcpNameServer = 8.8.8.8
    [2014/08/15 14:00:00 | 000,000,540 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
    @Alternate Data Stream - 135 bytes -> C:\ProgramData\Temp:C8B8CEBD
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:B449BECA
    :Files
    C:\Windows\TEMP\*.*
    C:\Users\My\AppData\Local\Temp\*.*
    :commands
    [purity]
    [emptytemp]
    [start explorer]
    [reboot]
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

    Attach this log to your next message. (How to attach)

    Describe any remaining malware issues.
     
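    As an added example (not code from the thread, from OTL or from its author), a small Python triage parser for the O-line and Alternate Data Stream entry format used in the fix above; it flags the orphaned registry entries, downloaded ActiveX (DPF) controls, DNS overrides and alternate data streams a helper would review. The sample lines are copied from the fix; the field names and the "review" labels are my own.

```python
import re

# Constructed sample: lines copied from the OTL fix posted above.
SAMPLE_LOG = """\
O3:64bit: - HKLM\\..\\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\\Run: []  File not found
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab (Java Plug-in 10.9.2)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters\\Interfaces\\{4F4C0E17-E03A-45F9-BC0A-26504A153B85}: DhcpNameServer = 8.8.8.8
@Alternate Data Stream - 135 bytes -> C:\\ProgramData\\Temp:C8B8CEBD
"""

ORPHAN_MARKERS = ("No CLSID value found", "File not found")
OLINE_RE = re.compile(r"^(O\d+)(?::(64bit):)?\s+-\s+(.*)$")   # "O3:64bit: - ..." or "O4 - ..."
DPF_RE = re.compile(r"DPF:\s+(\{[0-9A-Fa-f-]+\})\s+(\S+)\s+\((.*)\)$")  # CLSID, URL, description
DNS_RE = re.compile(r"DhcpNameServer\s*=\s*(.+)$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+?):([^:\\]+)$")

def parse_entry(line):
    """Return a dict describing one OTL line, or None for lines not in the O-line/ADS format."""
    line = line.rstrip()
    m = ADS_RE.match(line)
    if m:
        return {"kind": "ADS", "size": int(m.group(1)), "path": m.group(2),
                "stream": m.group(3), "review": "alternate data stream"}
    m = OLINE_RE.match(line)
    if not m:
        return None
    kind, bits, body = m.groups()
    entry = {"kind": kind, "is64": bits is not None, "body": body, "review": None}
    if any(marker in body for marker in ORPHAN_MARKERS):
        entry["review"] = "orphaned entry"  # registry points at something that no longer exists
    elif kind == "O16":
        d = DPF_RE.search(body)
        if d:
            entry.update(clsid=d.group(1), url=d.group(2), name=d.group(3))
            entry["review"] = "downloaded ActiveX control"
    elif kind == "O17":
        d = DNS_RE.search(body)
        if d:
            entry["dns"] = d.group(1).split()  # OTL lists several servers space-separated
            entry["review"] = "DNS server override"
    return entry

def triage(text):
    """Parse every line of an OTL report and return only the entries flagged for review."""
    flagged = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e and e["review"]:
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```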
  24. tsundere

    tsundere Private E-2

    All the symptoms I described originally seem to be gone =). The system restore window looks fine and there are restore points made by HitmanPro. Whether or not it will work, I don't know. Was it normal for there to be a black screen with UAC asking to run OTL.exe after I logged in to Windows, after rebooting from OTL? The black screen went away after I clicked OK and Notepad was opened, and my desktop appeared.
     


  25. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Sounds like UAC wasn't disabled, which we recommended while we do the cleaning. ;) And, one of the processes stopped by OTL causes your Desktop icons and wallpaper to disappear while it works.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
    Last edited: Sep 6, 2014
  26. tsundere

    tsundere Private E-2

    I have run into a slight problem :cry. I am not sure if I am infected again. Everything was going well until I stumbled into one of those 'update your java websites' while browsing by accident.
    This is the order of events:
    -The link url began with a d+number, it is somehow not in my history anymore
    -I closed immediately, but chrome still downloaded a file: javaupdate_setup.exe
    -nod32 immediately detected a threat called f52.tmp in the download folder and quarantined it
    -I did not run the exe file and proceeded to delete it.
    -nod32 immediately detected a threat called $r9ycbhr.exe in recycled bin and quarantined it.
    -I installed the latest version of Java as you instructed
    -I notice that physical memory usage is now at 90% when chrome is up. However, after about 10-20 minutes it drops back to 60%. It was usually always immediately at about 70% before. I'm not sure what's going on here but my pc is pretty much unusable when memory usage is at 90%.
    -I ran bitdefender's online scanner, no threats detected (though the scan lasted like only 30 seconds)
    -I ran a malwarebytes threat scan and it suddenly shuts down my pc during a certain point in the scan before the scan finishes (towards the end). The 'shut down' resembles holding the power button, there are no microsoft screens.
    -I thought it could be due to RAM exhaustion (my pc sometimes powers down when usage >95%, but it hasn't happened for years) but when I ran the scan again, I monitored the usage and it was only at about 70% when it's about to power down. It happened again

    Sorry about potentially ruining everything, but please help!
     
    Last edited: Sep 6, 2014
  27. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :(

    If only my removal instructions had been followed in a timely manner...

    1. Totally uninstall and remove "ESET 5.0.94.0 and TNOD Licenser 1.4.1.0" a.k.a. TNod User & Password Finder
    Suggestions for a replacement are given in the How to Protect yourself from malware!

    2. Re-run the ESET Online Scanner to verify the system is still clean.
    3. Yes, you have issues with both available RAM and Free Space and need to increase them promptly.
     
  28. tsundere

    tsundere Private E-2

    Ok I will do that. But will that fix the malwarebytes problem?
     
