A Nice Variety Of Issues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by edpolakoff, Jul 8, 2018.

  1. edpolakoff

    edpolakoff Private First Class

    This machine runs extremely slow. It's slow to boot and slow to shut down. On boot, it says it's missing an adobe file in an apple folder. I saw it noted in one of the logs. Logs showed a variety of trojans and other things.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The first log I looked at was TDSSKiller, which we no longer use, and it is from 2012/09/12 14:14:50.0103. I won't look at others until you rerun the entire Read and Run First and attach current logs.
     
  3. edpolakoff

    edpolakoff Private First Class

    Tim,

    I'm sorry. I did follow the new procedure and didn't run TDSSKiller. I'm used to grabbing that log file when I see it and did it automatically without looking to see that it was old. I am adding the one I did miss sending you. The Read and Run First was done as directed. Just an error grabbing files on my part. ADW didn't run right the first time. I reran it at the beginning, hence the (S01)

    Ed
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No problem.... Please rerun Hitman and remove everything it found!!

    Then open back up RogueKiller and delete these:
    ¤¤¤ Files : 4 ¤¤¤
    [PUP.Gen1][Folder] C:\ProgramData\Ask -> Found
    [Root.ZeroAccess][Folder] C:\Users\Dan Reichart\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\L -> Found
    [Root.ZeroAccess][Folder] C:\Users\Dan Reichart\AppData\Local\{3b99f81f-31d5-dbab-1bcf-87d0107a285a}\U -> Found
    [PUP.Gen1][Folder] C:\ProgramData\Ask -> Found

    I haven't had to use this in a while...may not still be available:
    • Please download a ZeroAccess Removal Tool (By Webroot) to your desktop.
    • Double click on it to run it (If running Vista or Windows 7, 8, and 10, right click on it and select "Run as an Administrator")
    • Type y and press enter to run the scan.
    • Hit any key to exit once it has finished its scan.
    • Attach the log which will be in the same location as you ran the tool from. (Should be desktop)

    Reboot and rescan with RogueKiller and Hitman and attach those new logs as well.
     
  5. edpolakoff

    edpolakoff Private First Class

    Tim,

    RK didn't find any of those 4 files. ZeroAccess is 32 bit only and looks like it's been replaced with something else, and I'm not going to run it without you taking a look. There is a blog post on Webroot's blog about it.

    I'll finish up reboot and running the scans you requested in a while. I wanted to update you before I forgot...
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    32 bit apps will still run on a 64 bit system. Yes?

    Try using this tool designed especially for this kind of infection.
    • Download and save this >> ESETSirefefRemover to your Desktop
      Double click it to run. If it reports Zero Access found, press the Y key. The next prompt will be to restore services, again press Y on the keyboard. Reboot.
     
  7. edpolakoff

    edpolakoff Private First Class

    Normally I would agree that 32 bit should run on 64. This came up and said it would only run in 32 bits. The other thing that keeps popping up at startup is: There is a problem starting c:\users\dan reichart\appdata\local\apple\adobe\xnbiqwby.dll

    The specified module could not be found.

    I'll run the rest of what you asked and post back. I've gotten to the point where if I don't mention something while it's in my head, I forget.
     
  8. edpolakoff

    edpolakoff Private First Class

    ESETSirefefRemover returned "Threat not found. you don't have win64/sirefef in your system."

    RK and Hitman logs will follow in a bit.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to find and delete this!! If you can't delete it manually, let me know.
     
  10. edpolakoff

    edpolakoff Private First Class

    That file isn't there. I keep getting a message saying it's missing when the machine boots. Had to uninstall malwarebytes. It kept me from updating Rogue Killer. This machine is being so much fun! NOT
     
  11. edpolakoff

    edpolakoff Private First Class

    Ok. Here are the RK and HitMan logs. How do I get rid of that message that says that file that you wanted me to delete is missing?

    The machine is starting to act more normal. It is getting faster on boot, shut down and opening things. We may be getting close.
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ok, open RogueKiller and have it delete these:
    ¤¤¤ Registry : 15 ¤¤¤
    [PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\PIP -> Found
    [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2647147358-2688038113-1121380693-1000\Software\Microsoft\Windows\CurrentVersion\Run | (default) : C:\Users\DANREI~1\AppData\Local\Temp\1.4403295079451274E7 [x] -> Found
    [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2647147358-2688038113-1121380693-1000\Software\Microsoft\Windows\CurrentVersion\Run | Adobe : rundll32.exe "C:\Users\Dan Reichart\AppData\Local\Apple\Adobe\xnbiqwby.dll",RunServiceW [x] -> Found
    [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2647147358-2688038113-1121380693-1000\Software\Microsoft\Windows\CurrentVersion\Run | (default) : C:\Users\DANREI~1\AppData\Local\Temp\1.4403295079451274E7 [x] -> Found
    [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2647147358-2688038113-1121380693-1000\Software\Microsoft\Windows\CurrentVersion\Run | Adobe : rundll32.exe "C:\Users\Dan Reichart\AppData\Local\Apple\Adobe\xnbiqwby.dll",RunServiceW [x] -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASDIFSV (\??\C:\windows\TEMP\SAS_SelfExtract\SASDIFSV64.SYS) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SASKUTIL (\??\C:\windows\TEMP\SAS_SelfExtract\SASKUTIL64.SYS) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASDIFSV (\??\C:\windows\TEMP\SAS_SelfExtract\SASDIFSV64.SYS) -> Found
    [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SASKUTIL (\??\C:\windows\TEMP\SAS_SelfExtract\SASKUTIL64.SYS) -> Found

    Reboot and rescan with RogueKiller and let's see where we are.
     
  13. edpolakoff

    edpolakoff Private First Class

    Tim,

    Here's the current RK log.
     


  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you still getting the pop up?
     
  15. edpolakoff

    edpolakoff Private First Class

  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sweet!!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 or 10 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
     
  17. edpolakoff

    edpolakoff Private First Class

    Thanks Tim! I appreciate the help. As usual it's a friend's computer and I'm just doing what you guys do, provide a service to help someone out. I used to fix x-ray machines and had to give that up 11 years ago. If I get a chance to help someone with tech, I take it...just for fun!
     
  18. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are welcome. :)
     
