Root kit Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by rosebudteg, Jun 10, 2015.

  1. rosebudteg

    rosebudteg Private E-2

    Hey there!

    Several years ago I used MajorGeeks to help me out of a few big malware issues on my computer and you guys really came through for me. All those times I messed up really taught me my lesson and I haven't really had many problems I couldn't handle on my own since.
    My wife, however, hasn't had the opportunity to learn her lesson the way I learned mine until now.
    Long story short, she was trying to use an unknown website to listen to a sample of a song and see if it was a song she wanted to buy. A window popped up telling her she needed to update her browser to play the file and she clicked "ok".
    Her computer is now a bit of a mess. I'm typing to you from my computer because her computer is in such a state that we disconnected it from the internet to limit any further damage.
    At first it just seemed like a browser takeover, so I followed the MajorGeeks instructions for solving a browser takeover. That definitely improved the state of the computer. She could now at least open Chrome. But then Chrome warned us that it detected a Root Kit. From my past experience with root kits I knew it was going to get dirty.
    So I started following the MajorGeeks instructions to clear out malware. On the first scan (RogueKiller) it gets to about 80% and stops on a file called beggy113.sys. Throwing that file name into Google returns zero results so I'm pretty sure it isn't supposed to be there. But I am not good enough with Windows 7 to delete things like that.
    I need your help. My wife has already said she learned her lesson and I honestly believe her because I got a phone call from her while I was at work yesterday because iTunes needed to update (on my computer) and she didn't want to click the "OK" button without permission.
    Attached are the screen prints of the stuff RogueKiller did find before stopping. Since I couldn't complete the RogueKiller scan I didn't continue forward with the TDSS, MBAM and other scans. Should I start those scans first?

    https://drive.google.com/open?id=0B6o9MEoEF4NYZk93WThkemc5MUk&authuser=0

    https://drive.google.com/open?id=0B6o9MEoEF4NYY1dJS2k0Z3NjNjg&authuser=0

    https://drive.google.com/open?id=0B6o9MEoEF4NYRlpTakxMMWFrSXc&authuser=0

    https://drive.google.com/open?id=0B6o9MEoEF4NYMXZ0ZlRhTUtKNkU&authuser=0

    https://drive.google.com/open?id=0B6o9MEoEF4NYM1M2YWlFT2RPQU0&authuser=0

    https://drive.google.com/open?id=0B6o9MEoEF4NYQUdZYjNudWM3dmc&authuser=0
     
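    A read-only triage step for the situation described above (a scanner stalling on an unknown driver file), added here as an example and not part of the thread or any MajorGeeks tool: it lists every registered kernel driver and flags those whose file is missing from disk or that do not carry a valid Authenticode signature, so an oddly named driver stands out for the helper to review before anything is deleted.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt.
# It only reads driver metadata and signatures; it does not stop or remove anything.
$drivers = Get-CimInstance Win32_SystemDriver   # registered kernel drivers, running or stopped

$findings = foreach ($d in $drivers) {
    $path = $d.PathName
    if (-not $path) { continue }

    # Normalise the forms the service database uses:
    #   \SystemRoot\System32\drivers\x.sys, \??\C:\...\x.sys, system32\DRIVERS\x.sys
    $path = $path.Trim('"')
    $path = $path -replace '^\\SystemRoot', $env:SystemRoot `
                  -replace '^\\\?\?\\', '' `
                  -replace '^system32', "$env:SystemRoot\system32"

    if (-not (Test-Path -LiteralPath $path)) {
        # A registered driver with no file on disk is worth a look: either a stale
        # entry, or a file a rootkit is hiding from normal file-system calls.
        [pscustomobject]@{ Name = $d.Name; State = $d.State; Path = $path; Issue = 'file missing on disk' }
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{ Name = $d.Name; State = $d.State; Path = $path; Issue = "signature $($sig.Status)" }
    }
}

# Running drivers first, since a loaded unsigned driver matters more than a stopped one.
$findings | Sort-Object State -Descending | Format-Table -AutoSize
```

    Treat the output as a triage list rather than a verdict: on older Windows versions, files signed only through a catalog can report NotSigned, and a kernel-mode rootkit can hide its own service entry, so an empty list does not prove a clean machine.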
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We need you to complete as many of the requested scans as possible. Attach them when you are ready.
     
  3. rosebudteg

    rosebudteg Private E-2

    Tim W - thank you for your reply. So after much back and forward between the two computers I am using to download and run all the scans, I was able to run only one more of the suggested scans due to errors and not being able to connect to the internet on the malware computer (turned off the internet connection on that computer to prevent any further damage to the computer).

    I was able to run the Malwarebytes scanner and get the log from that scan. At this time I have done all that I can using the suggested scans. Here is the additional log. Awaiting next step.

    Thank you for all of your guys' help. I cannot tell you how happy my wife will be when her computer is fixed.
     

    Attached Files:

    Last edited by a moderator: Jun 15, 2015
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you fix what MBAM found? If not, rerun and do so.

    What happened when you tried to run Hitman, RogueKiller and MGTools?
     
  5. rosebudteg

    rosebudteg Private E-2

    Hello Tim W.

    Did you fix what MBAM found? If not, rerun and do so.

    Yes we did run the fix after the scan.

    What happened when you tried to run Hitman, RogueKiller and MGTools?

    When I tried to run Hitman Pro it would not run without being connected to the internet. To minimize the damage to the computer we turned off the internet connection.

    The logs for RogueKiller are the attachments in the first posting.

    As for the MGtools I forgot that I had not included that information in the first posting so I have included that information here. We did run a fix on everything that was found. This was the first scan we ran.
     

    Attached Files:

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I need the log from running MGTools.exe > C:\MGLogs.zip
     
  7. rosebudteg

    rosebudteg Private E-2

    Hello Tim,

    Sorry it took me so long. I had to run the scan again as I could not find the log. I believe I did not save the first log not knowing I would need it later.

    I hope this is what you are looking for. I am sorry if I got the wrong thing again. Thank you so much for all your help.

    This is the wife by the way.
     

    Attached Files:

  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That is not the log I want. Please attach the C:\MGLogs.zip.
     
  9. rosebudteg

    rosebudteg Private E-2

    Yay!!! :-D I found it.

    Here you go:
     

    Attached Files:

  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your log is incomplete. I also need you to attach the RogueKiller log, not the image.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator). Make sure that you watch for the license agreement for TrendMicro HijackThis and click on the Accept button TWICE to accept (yes, twice). Let it run until it is finished.

    Attach both the C:\MGLog.zip and the RogueKiller logs.
     
  11. rosebudteg

    rosebudteg Private E-2

    Sadly the printscreens are all we could get for the RogueKiller scan. As stated in the OP, "On the first scan (RogueKiller) it gets to about 80% and stops on a file called beggy113.sys." The scan stops and will not complete because of the malware.

    I ran the MGtools/Getlogs and was able to get the logs that you are looking for. I hope; crossing my fingers this time.
     

    Attached Files:

  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please connect to the internet and run Hitman. When it is done, disconnect. Attach the new log.
     
  13. rosebudteg

    rosebudteg Private E-2

    Thank you again. I've been making her do all of the work since that is what taught me my lesson many years ago.

    Here is the HitManPro log.
     

    Attached Files:

  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Reboot and rescan with Hitman ( do a scan only ) and attach the new log. Tell me how things are running.
     
  15. rosebudteg

    rosebudteg Private E-2

    So okay, I have now run the Hitmanpro once again after rebooting my computer. Attached is the updated log.

    As for the function of my computer, it is back running smoothly. It is no longer installing programs without permission. It is no longer removing my bookmarks and redirecting me when I attempt to open a website. The computer seems to be running normally.
     

    Attached Files:

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.

    8. After doing the above, you should work thru the below link:

     
