Bad infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by Klepton, Feb 13, 2013.

  1. Klepton

    Klepton Private E-2

    I've been trying to fix the problems with a friend's laptop and had difficulty just booting it up. After spending many hours in the last few days trying to get it to boot up, I was finally able to. I suspect a bad infection since it does not let me perform any type of action with the Anti-virus that is installed (Avira Free). I am not able to update it or run a scan. In fact, the version that was installed on this laptop previously had expired and it wouldn't let me update. It would only redirect me to a page to purchase an upgrade. Therefore, I uninstalled the previous version (I think it was the free 2012 version) and downloaded the latest free version. After successfully installing it, however, I am not able to do anything with it. I also uninstalled older versions of Java, and although I was able to download the latest version, the install failed. I got an error about the Windows Installer Service.

    During the Vista & Windows 7 Malware Removal/Cleaning Procedure, when I first tried to run RogueKiller, it said it was outdated but trying to update it would fail. When I visited the developer's website, I noticed that there were 32-bit and 64-bit versions, which I hadn't before (and the instructions don't mention it like they do for Hitman Pro). Therefore, I downloaded the latest 64-bit version and was able to run it successfully. Additionally, I was not able to run Malwarebytes' Anti-Malware. The latest version seemed to have already been installed on this computer, but I got errors when trying to update it or run a scan with it. I proceeded to uninstall it, but wasn't able to reinstall it...even after renaming the setup file to mb.exe. I was able to run TDSSKiller successfully. I was also able to run Hitman Pro successfully, but it found 0 threats. I had trouble running MGTools. When I ran it first, I got an "Access Denied" error since the installed firewall (Comodo) prevented it from running. I had forgotten to disable the firewall, since I was only concerned with Avira, which couldn't be enabled, so I didn't worry about disabling it. I went through the steps in "Vista and Win 7 Debugging - If MGtools did not run properly" and was still unable to run it completely. I have attached the zip file it did produce even though it's almost empty (only contains 1 log).

    One last thing, the infected computer did not allow me to attach the necessary logs. I started this thread with the infected computer (since it's easy to upload the necessary files from it), but the Browse in the attachment did not work. Therefore, I had to copy them and upload them via a different computer. Is that also something that malware prevents (uploads to a website)?
     

    Attached Files:

  2. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    * uTorrent should not be allowed to run at startup -- it opens the system to everyone.

    Please re-run TDSSKiller and see if you can Delete this if found again:
    \Device\Harddisk1\DR2 ( Rootkit.Win32.BackBoot.gen )

    Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

    For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Option1: Enter System Recovery Options from the Advanced Boot Options:

    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    Option2: Enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:

    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)
     
  3. Klepton

    Klepton Private E-2

    I uninstalled uTorrent for now. I'll download it later and make sure it is not setup to automatically start when windows starts.

    I ran TDSSKiller and it found the same threat, but it only gave me the option to "Skip", "Copy to Quarantine", or "Recover". I selected "Copy to Quarantine". I then ran it again to see if the threat was gone, but it was detected yet again. This time I selected "Recover", even though I wasn't sure what it was supposed to recover. Anyhow, I got some sort of message and continued. I then ran TDSSKiller a 3rd time and this time it showed 0 threats. However, because of the message I got when I selected "Recover", I think it might've been a false positive. I had recently formatted the flash drive to NTFS and tried to make it bootable. The message I got said something about needing to re-run some program(s) to make it bootable again. I'm attaching the last TDSSKiller log which shows it found 0 threats.

    I downloaded the Farbar Recovery Scan Tool x64 and saved it on the flash drive. I booted into the Windows 7 DVD and ran the scan as instructed. I am attaching the FRST.txt log.

    *** NOTE - While I was waiting for a reply, I ran an ESET Online Scan and it found 1 threat. The only reason I ran it is because you had recommended it to me for another computer in another thread. Since I wasn't able to update or run any of the installed anti-malware/spyware/virus programs, I figured I'd give an online scanner a try. I figured it wouldn't hurt anything if I did. Anyhow, since I didn't want to change anything until I heard from you, I unchecked the "Remove found threats" option. I wasn't sure if you'd simply have me run an ESET scan again, but this time leaving that option checked so it can get rid of the threat, or whether you'd have me use something else to get rid of it. I have attached the ESET scan log. ***
     

    Attached Files:

  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    *Shut down your protection software now to avoid potential conflicts.

    Let's see if the MGlogs.zip will properly populate now - run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    If it doesn't then do the following-
    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.
    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.
    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt, each followed by the Enter key. The text after <-- is merely informational and is not part of the command.
    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GRK64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    SN64 <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    analyse <-- this attempts to run HijackThis. Be sure to click the Accept button twice in the license agreement popup or it will just sit there and wait.

    If the MGlogs.zip still isn't complete, move on to this step:

    Download OTL to your desktop.
    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Vista and Windows 7 users: right-click OTL and choose Run as Administrator.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

    When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

    Attach both of these logs into your next reply.
     

    Attached Files:

  5. Klepton

    Klepton Private E-2

    Ok, I ran FRST64 and pressed the Fix button. Once it finished, I rebooted normally.

    After booting up normally, I ran the C:\MGtools\GetLogs.bat file and again it didn't complete. I attempted to enable Avira's Real-time Protection, since it is "Stopped", but the program stopped responding. After a long wait with nothing happening, I decided to restart the computer. After the restart, I tried running the C:\MGtools\GetLogs.bat file again and this time the scan completed.

    I downloaded OTL to my flash drive and copied it to the computer's desktop.
    When I tried running it, I got an "Application Error" window with the following message:

    Exception EOleSysError in module OTL.exe at 000584A5.
    Class not registered.


    I downloaded the alternatives (OTL.com, OTL.scr) and when I tried running them I got the same error message as above for each.
     

    Attached Files:

  6. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Delete these desktop files:
    C:\Users\Michael\Desktop\utorrent.exe.11918.tmp
    C:\Users\Michael\Desktop\utorrent.exe.12186.tmp
    C:\Users\Michael\Desktop\utorrent.exe.13982.tmp
    C:\Users\Michael\Desktop\uTorrent.exe.2378.tmp
    C:\Users\Michael\Desktop\utorrent.exe.26627.tmp

    *Other than the tools (and their generated logs) our guide instructed you to save there, I strongly recommend that you clean up this account's Desktop immediately, leaving only shortcut links. Do not store downloads, exe files, iso files....etc on your Desktop. First, it is not a safe place to keep them (i.e., you may lose them due to malware, and a cluttered Desktop is an easy hiding place for malware), and last but not least - it can have an effect on your PC's performance.

    Uninstall this outdated software:
    JavaFX 2.1.1

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista/Windows7, don't double click, use right-click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now download The Avenger 2.0 by Swandog469, and save it to your Desktop.

    See the download links under this icon http://forums.majorgeeks.com/chaslang/images/MGDownloadLoc.gif
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it. (Vista & Windows 7 users should right-click and "Run As Administrator")
    • Click OK at the warning to continue to use The Avenger
    • Do not change any check box options!!
    • Shut down your protection software now to avoid possible conflicts
    • Copy everything in the Quote box below, and paste it into the "Input script here:" part of the window.
    • Now click the Execute button (http://img33.imageshack.us/img33/9159/executeavenger.jpg)
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot, just close it

    Now copy the bold text below to Notepad. (Do not include any space above the word "REGEDIT4".) Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me whether or not you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach the JRT.txt to your next message.

    Please also download Combofix. Make sure that your anti-virus is still disabled before you run it. (Vista and Windows 7 users should right-click and "Run As Administrator"). Follow all instructions given at the download site.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Windows 7, use right click and select Run As Administrator).

    Please attach the following logs to your next reply:
    • C:\MGlogs.zip which will also contain the CF & Avenger logs
    • JRT.txt

    How is the pc running now?
     
  7. Klepton

    Klepton Private E-2

    I deleted the utorrent.exe.*.tmp files from the desktop and cleaned it as much as possible, leaving only shortcut links.

    I couldn't uninstall JavaFX 2.1.1 using "Uninstall a Program" from the Control Panel. I kept getting a Windows Installer Service error. I used Revo Uninstaller, and although it failed both when trying to create a restore point as well as when using the program's default uninstaller, it did seem to get rid of the program when I chose to delete all the files, folders and registry keys it found related to this program.

    I then decided to reboot to see if after bootup the program was really gone.
    During bootup, the system ran CHKDSK and I saw several messages about corrupted files. Once it booted up, I found no traces of JavaFX.

    I ran C:\MGtools\analyse.exe and selected the given lines then hit the "Fix Checked" button.

    I ran The Avenger and copied everything in the given quote box. I clicked on the "Execute" button and allowed it to reboot. However, when it booted back up, I only saw a window open and close immediately, but didn't get to see what it was. The log file did not open and I could not find C:\avenger.txt.

    I ran the fixME.reg file and did receive a confirmation that the registry key had been successfully added.

    I ran JRT and a log file was created.

    I ran ComboFix and a log file was created.

    I ran C:\MGtools\GetLogs.bat, but I think I double-clicked on it instead of right-clicking and selecting "Run as Administrator". Oops! Do I need to run this again?

    As far as how the PC is running, every time I restart it I keep seeing a message about Windows Updates being ready, even though I've tried installing several of them already. I was able to download some Windows Updates now, but 1 update keeps failing: Security Update for Microsoft .NET Framework 4 (KB2789642). Also, when I click on "Uninstall a Program" in the Control Panel, it does nothing. The same thing happens when I click on "Find and fix problems" under System and Security in the Control Panel. I don't know about all other items in the Control Panel, but these two were ones I was trying to get to recently and noticed they didn't work. Furthermore, I am still having trouble with Avira Anti-virus. I am unable to enable its Real-time protection, update it or run a system scan with it.
     

    Attached Files:

  8. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Ugghh - a brain *hiccup*.. Avenger doesn't run on x64BIT systems.

    Just in case Windows Explorer needs to be shutdown beforehand:
    1. Click on Start, type cmd.exe, then click Ok
    2. Now right-click the Taskbar, choose Task Manager
    3. Open the Process Tab and locate Explorer in the list
    4. Right-click the name Explorer.exe and choose “End Process“, confirm if asked
    5. In the Command Prompt window, type each of the following, pressing the Enter key after each
    Code:
    set log= "%UserProfile%\Desktop\log.txt"   <--- note the necessary space between the = and "
    RMD /S /F /Q C:\Windows\assembly\temp\NLYBHAQY0G>> %log%   <--- note the necessary space after the D, S, F, Q, and >>
    RMD /S /F /Q C:\Windows\assembly\temp\SBOVUX7IRV>> %log%
    
    • Now close the Command Prompt window and re-boot
    • Please attach the log.txt to your next reply.

    Now copy the bold text below to Notepad. (Do not include any space above the word "REGEDIT4".) Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me whether or not you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    I see no remaining malware. The below tips might help but our Software Forum is where your other issues should be addressed.
    Try using Method 2: Repair the .Net Framework on this page ---> http://support.microsoft.com/kb/976982#method2
    You can use the System File Checker to check for corruption.
    Open a cmd.exe window as Administrator:
    Start, click Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.
    After the cmd.exe prompt, type: sfc.exe /scannow

    *After reviewing the log.txt file, I'll be ready to post our final steps for malware removal.

    dr.m
     
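    The folder removal from the reply above, reworked as an added example in PowerShell. This is not the helper's script or anything posted in the thread. Two things about the original cmd lines are worth knowing: there is no RMD command in cmd.exe, and RD (alias RMDIR) accepts only /S and /Q, so /F is rejected as an invalid switch; RD also prints nothing on success, so redirecting its output with >> leaves log.txt empty even when the folders were removed. The script below writes one line per attempt instead, so the log always says what happened. The two folder names are the ones from the reply; the log location on the Desktop and the elevation check are assumptions. Run it from a PowerShell window started with Run as Administrator.

```powershell
# Added example (not from the thread): remove the two folders the reply names
# and write one line per attempt to a log, so the log is never silently empty.
# Folder names are from the reply; the log path and the checks are assumptions.
$log     = Join-Path $env:USERPROFILE 'Desktop\log.txt'
$targets = @(
    'C:\Windows\assembly\temp\NLYBHAQY0G',
    'C:\Windows\assembly\temp\SBOVUX7IRV'
)

function Write-Log([string]$Message) {
    $line = '{0} {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Add-Content -LiteralPath $log -Value $line
    Write-Host $line
}

# C:\Windows\assembly is a protected location; removal only works from an
# elevated shell, so fail early with a clear log line instead of Access Denied.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Log 'ABORT  not running as Administrator; rerun from an elevated prompt'
    exit 1
}

foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Log "SKIP   $dir (not present)"
        continue
    }
    try {
        # -Force also takes hidden and read-only entries; -ErrorAction Stop turns
        # any failure (locked file, access denied) into a catchable exception.
        Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction Stop
        if (Test-Path -LiteralPath $dir) {
            Write-Log "FAILED $dir (still present after Remove-Item)"
        } else {
            Write-Log "OK     $dir"
        }
    } catch {
        Write-Log "FAILED $dir : $($_.Exception.Message)"
    }
}
```

    A folder that logs as FAILED because a file inside it is in use can be removed after a reboot, or from the System Recovery Options command prompt used earlier in the thread, where the Windows drive may carry a different letter than C:.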
  9. Klepton

    Klepton Private E-2

    I tried running the RMD commands, but got the following message:

    'rmd' is not recognized as an internal or external command,
    operable program or batch file.


    Then I tried RMDIR and got a message about /f being an invalid switch.
    Then I tried RD and got the same message about /f being an invalid switch.
    Then I tried RMDIR without the /f but I got a message about the file or directory not existing. I'm assuming it's because when I first tried the RMDIR and RD commands (with the /f switch), it deleted the files then when I tried them without the /f switch they had already been deleted? However, the log.txt file on the desktop is empty. It failed when I tried to upload it as an attachment. I'm assuming it failed because it is empty?

    I ran the fixME.reg file and it was successfully added to the registry.

    I tried using Method 2: Repair the .Net Framework on the given page and it did not work. In fact, I even tried Method 1 and it failed as well. I keep getting errors about the Windows Installer Service.

    I ran sfc /scannow and it completed with the following message:

    Windows Resource Protection found corrupt files but was unable to fix some of them.
    Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
    C:\Windows\Logs\CBS\CBS.log
     
  10. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    :(

    We are now beyond the scope of malware removal. I suggest that you post in the Software forum. The following article should help the members there get to the root of your problems-

    Use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7

    ________________________________

    Let's do the final cleanup steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    8. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
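    The sfc /scannow result quoted two replies above points at CBS.log, which is large and mostly unrelated to SFC. The Microsoft article linked in the final reply extracts the relevant lines with findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log >"%userprofile%\Desktop\sfcdetails.txt"; the added PowerShell script below does the same and then reduces those [SR] lines to the list of files SFC could not repair, which is what the Software forum would ask for first. It is an added example, not something posted in the thread. The sample log lines are constructed to match the shape of real [SR] entries and are not from the poster's machine; the file and component names in them are placeholders. Run it with -UseSample to see it work on the sample, or without that switch from an elevated prompt to read the real CBS.log (the Logs\CBS folder is normally readable only by administrators).

```powershell
# Added example (not from the thread): summarise SFC's [SR] entries in CBS.log.
param(
    [string]$CbsLog = (Join-Path $env:windir 'Logs\CBS\CBS.log'),
    [switch]$UseSample
)

# Constructed sample in the shape of real CBS.log [SR] lines; names are placeholders.
$sample = @'
2013-02-20 10:15:03, Info                  CSI    00000123 [SR] Verifying 100 (0x0000000000000064) components
2013-02-20 10:15:05, Info                  CSI    00000125 [SR] Cannot repair member file [l:18{9}]"wuapi.dll" of Microsoft-Windows-WindowsUpdateClient-Core, Version = 6.1.7601.17514, pA = PROCESSOR_ARCHITECTURE_AMD64 (9), Culture neutral, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral in the store, hash mismatch
2013-02-20 10:15:05, Info                  CSI    00000126 [SR] Could not reproject corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:18{9}]"wuapi.dll"; source file in store is also corrupted
2013-02-20 10:15:06, Info                  CSI    00000127 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:22{11}]"msiexec.exe" from store
2013-02-20 10:15:07, Info                  CSI    00000128 [SR] Repair complete
'@

$lines = if ($UseSample) { $sample -split "`r?`n" } else { Get-Content -LiteralPath $CbsLog }

$unrepaired = New-Object System.Collections.Generic.List[string]
$repaired   = New-Object System.Collections.Generic.List[string]
$srLines    = 0

foreach ($line in $lines) {
    # Only the SFC lines matter; everything else in CBS.log is servicing noise.
    if (-not ($line -match '\[SR\] (?<msg>.*)$')) { continue }
    $srLines++
    $msg = $Matches['msg']
    # Quoted names carry a [l:bytes{chars}] (or [ml:...,l:...]) length prefix;
    # when a directory and a file are both quoted, the file is the last one.
    $names = @([regex]::Matches($msg, '\[(?:ml:\d+\{\d+\},)?l:\d+\{\d+\}\]"([^"]+)"') |
               ForEach-Object { $_.Groups[1].Value })
    $file  = if ($names.Count -gt 0) { $names[-1] } else { $null }
    switch -Regex ($msg) {
        '^Cannot repair member file'     { if ($file) { $unrepaired.Add($file) } }
        '^Could not reproject corrupted' { if ($file) { $unrepaired.Add($file) } }
        '^Repairing corrupted file'      { if ($file) { $repaired.Add($file) } }
    }
}

# The same file usually shows up once per failed step, so report it once.
$unrepairedUnique = @($unrepaired | Sort-Object -Unique)
"[SR] lines scanned      : $srLines"
"repaired from the store : $($repaired.Count)"
"could NOT be repaired   : $($unrepairedUnique.Count)"
$unrepairedUnique | ForEach-Object { "  $_" }
# Files listed as not repaired need a known-good copy (matching install media or a
# clean machine of the same build) or an in-place repair; SFC cannot supply them.
```

    On the constructed sample the script reports the file from the "Cannot repair" and "Could not reproject" lines as unrepaired and the one from the "Repairing corrupted file" line as repaired. Against a real CBS.log the unrepaired list is the part worth pasting into a Software forum post; a hash mismatch on a Windows Installer or Windows Update binary is consistent with the installer-service and update failures described earlier in this thread, but that is for the Software forum to confirm, not something the log alone proves.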
