MBR plus wha? Issues

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Shenpen, Nov 18, 2011.

  1. Shenpen

    Shenpen Private E-2

    Have run the "read & run me 1st"

    First symptoms:
    SAS won't run.
    Malwarebytes won't run.
    Microsoft Security Essentials would not turn on real time protection.
    SAS could run after using RogueKiller

    Need to run ComboFix for internet to work.
    MG Tools still won't get past getting system-info for printers
    (recent Nitro installation is suspicious)

    Had an issue with a nonstandard MBR on a second disc, which is now unmounted.
    MBR-check now comes up clean.
    Can't get access to printers panel under Control Panel. Printing crashes editors.

    I can run SAS and Malwarebytes now, but problems persist after restart: No avir or net access without running ComboFix.

    How do I clean the machine?
    How do I clean the unmounted disc with bad MBR?
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Before we get started we need to make sure there are no strange partitions on the system.

    Do the following:

    1. Click on the Start button and then choose Control Panel.
    2. Click on the System and Security link.

      Note: If you're viewing the Large icons or Small icons view of Control Panel, you won't see this link so just click on the Administrative Tools icon and skip to Step 4.
    3. In the System and Security window, click on the Administrative Tools heading located near the bottom of the window.
    4. In the Administrative Tools window, double-click on the Computer Management icon.
    5. When Computer Management opens, click on Disk Management on the left side of the window, located under Storage.

      After a brief loading period, Disk Management should now appear on the right side of the Computer Management window.

      Note: If you don't see Disk Management listed, you may need to click on the |> icon to the left of the Storage icon.
    Take a screenshot of the Disk Management window and attach the screenshot to your reply.
     
  3. Shenpen

    Shenpen Private E-2

    This looks very normal to me.
    Not sure if it's normal that you would have unallocated areas between partitions, but it's nothing new on this installation.

    Microsoft Security Essentials won't update, and Windows Update is blocked too.
     

    Attached Files:

  4. Shenpen

    Shenpen Private E-2

    Managed to get around the problem with MGTools stopping while getting system info. Log is attached.
     

    Attached Files:

  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

    Upgrading Java:

    • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 29.
    • Click the "Download JRE" button to the right.
    • Accept the license agreement.
    • Click on the download link for your system and save it to your desktop. Users of Windows Vista/7 64-bit can install both the 32-bit and 64-bit JRE without conflicts.
      Windows x86 Offline (jre-6u29-windows-i586.exe)
      Windows x64 (jre-6u29-windows-x64.exe)
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.(Vista/7 users, right click on the JRE download and select "Run as an Administrator.")
    -----------------------------------------------------------

    Now we need to use ComboFix to remove some stuff.

    • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it
    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KillAll::
    
    File::
    D:\Windows\system32\meiyl.txt
    D:\Windows\System32\drivers\kcaji.sys
    D:\Windows\SysWOW64\meiyl.txt
    D:\Windows\SysWOW64\drivers\kcaji.sys
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://f.imagehost.org/0093/th_CFScript.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named d:\combofix.txt
    • I will ask for this log below
    Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

    The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

    -----------------------------------------------------------

    Attach logs for:

    • ComboFix (D:\combofix.txt)
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Last edited: Nov 24, 2011
  6. Shenpen

    Shenpen Private E-2

    Uninstalled Java
    After reset it was hard to get browser, ComboFix and other software to run.
    After several attempts of starting SAS, combofix and other operations, MGTools got running and normalized the computer somewhat.
    Had to download and rename a ComboFix.exe and copy to desktop before I was successful in running the delete-script.
    Had to do a hard reset when ComboFix reset got stuck.
    Microsoft security essentials was then gone, browser blocked.
    Again MGTools normalized the computer somewhat:
    I can now use browser again, but with windows update its all snafu.
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, going to change tools and attack this from a different angle.

    Download -->> OTL <<-- to your desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • When the window appears, underneath Output at the top change it to Minimal Output.
    • Check the boxes beside LOP Check and Purity Check.
    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
      • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
        Note: These logs can be located in the OTL. folder on your C:\ drive if they fail to open automatically.
      • Attach both logs with your next reply.
     
  8. Shenpen

    Shenpen Private E-2

    That went well - with no surprises.
     

    Attached Files:

  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run OTL.exe

    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
      Code:
      :OTL
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
      @Alternate Data Stream - 1241 bytes -> D:\ProgramData\Microsoft:TZ2upUtMjWiMhyUxpQQGFE
      @Alternate Data Stream - 1102 bytes -> D:\ProgramData\Microsoft:wxxShP7Bu1yBUQd4hIOnD
      @Alternate Data Stream - 1072 bytes -> D:\Users\Shenpen\AppData\Local\JQwSpiq3fjLlROM:Yj9PH4ImP87PsGPpfJg
      @Alternate Data Stream - 1013 bytes -> D:\ProgramData\Microsoft:N4paRqV6ssG99zmnvFK
      
      :Files
      D:\Users\Shenpen\AppData\Local\JQwSpiq3fjLlROM
      
      :Commands
      [Purity]
      [EmptyTemp]
      [EmptyFlash]
      [EmptyJava]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Attach the new log produced by OTL (C:\_OTL).

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Last edited: Nov 24, 2011
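The OTL fix above removes named NTFS alternate data streams hanging off folders under ProgramData and AppData, and two Internet Explorer policy keys. The following is an added example, not code from the thread or from the OTL tool: a PowerShell script (Windows PowerShell 3.0 or later assumed, since `-Stream` needs it) that enumerates the named streams under those locations and lists the two policy keys, so the same findings can be checked by hand before and after a fix. The root folders and the "looks generated" heuristic are assumptions, not part of the original post.

```powershell
# Added example, not from the thread: enumerate named NTFS alternate data streams
# under the locations the OTL fix targets, and dump the IE policy keys it removes.
# The two roots are assumptions (in the thread the system drive is D:, not C:).
$Roots = @(
    (Join-Path $env:ProgramData 'Microsoft'),   # D:\ProgramData\Microsoft in the thread
    $env:LOCALAPPDATA                            # D:\Users\<user>\AppData\Local in the thread
)

function Get-NamedStreams {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Include the root folder itself: in the thread the streams hang off the
        # ProgramData\Microsoft directory, not off a file inside it.
        $items = @(Get-Item -LiteralPath $root -Force) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            # -Stream * lists every stream. ':$DATA' is the normal file content and
            # Zone.Identifier is the browser "downloaded from the Internet" marker,
            # so both are filtered out as benign.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    $name = $_.Stream
                    # Crude heuristic (assumption): a long alphanumeric name mixing digits,
                    # upper and lower case resembles the generated names in the OTL output
                    # (e.g. N4paRqV6ssG99zmnvFK). Treat it as a lead, not a verdict.
                    $generated = ($name -match '^[A-Za-z0-9]{15,}$') -and
                                 ($name -match '\d') -and
                                 ($name -cmatch '[a-z]') -and
                                 ($name -cmatch '[A-Z]')
                    [pscustomobject]@{
                        Path           = $item.FullName
                        Stream         = $name
                        Bytes          = $_.Length
                        LooksGenerated = $generated
                    }
                }
        }
    }
}

function Get-IePolicyKeys {
    # The O6/O7 lines in the OTL fix refer to these two keys; list their values if present.
    $keys = @(
        'HKLM:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
        'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) {
            Get-ItemProperty -LiteralPath $key | Select-Object -Property * -ExcludeProperty PS*
        }
    }
}

Get-NamedStreams -Paths $Roots | Sort-Object LooksGenerated -Descending | Format-Table -AutoSize
Get-IePolicyKeys | Format-List
```

Run it from an elevated PowerShell prompt so that system folders are readable. On a clean machine the stream list is normally empty apart from the two filtered stream types, and neither policy key exists unless an administrator created it; an entry flagged LooksGenerated on a directory, re-appearing after a reboot as in this thread, is the kind of persistence a fix should target.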
  10. Shenpen

    Shenpen Private E-2

    Log attached.

    The procedure seemed to run as planned, but so far it has not had the desired effect. Normal use of browser is still blocked and a very long procedure with ComboFix / MG / is necessary to get back to semi-normal use.

    It's never very clear what worked when I get things running.
    Windows Update never gets online.
     

    Attached Files:

    Last edited: Nov 21, 2011
  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run ComboFix and attach the ComboFix log.
     
  12. Shenpen

    Shenpen Private E-2

    Did a cold boot to desktop, started ComboFix, which did its usual update routine, but didn't progress beyond trying to make a new restore point. Started MGtools which stops when trying to get system info on printers, but proceeds when that is manually aborted. When MG finished ComboFix got moving again and finished its procedures.

    Log attached.
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Now we need to use ComboFix to remove some stuff.

    • Make sure that the copy of combofix.exe that you downloaded earlier is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it

    (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KillAll::
    
    Driver::
    hvafvv
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFScript.txt on top of ComboFix.exe
      http://f.imagehost.org/0093/th_CFScript.gif
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note: DO NOT mouseclick combofix's window while it is running. That may cause it to stall.

    The ComboFix folder should not be renamed since ComboFix and even we would have suspicions about it. Also when you uninstall CF, the folder would not be removed since it does not look for that folder name.

    -----------------------------------------------------------
    Attach logs for:

    • ComboFix (C:\combofix.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  14. Shenpen

    Shenpen Private E-2

    :D

    Printing works, browser works, MS Security Essentials works, Windows Update works!

    "hvafvv"? Was my "wha" suggestion not so far out after all?

    Big thank you for you efforts! I can safely say that I would not have found this on my own.


    Anything left to do?
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it present
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  16. Shenpen

    Shenpen Private E-2

    You have a suggestion of how to deal with the disconnected disc?

    It had a non-standard MBR, but not necessarily an MBR infection. Things did improve a bit when it was disconnected.

    Is there a safe way to scan and clean it without re-infecting the system?
     
  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    TDSSKiller should see the infected MBR on the other drive while it is connected, and you should be able to repair it with TDSSKiller.
     
  18. Shenpen

    Shenpen Private E-2

    I reconnected the drive and did a scan with TDSSKiller. It found nothing but I got reinfected after first reboot.
    Did the kill script with CF and back to normal with the drive disconnected again.
     
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You can boot to the system from a Linux Live CD, such as Knoppix or Ubuntu, with the disk connected. You will then be able to copy any information you want to keep, and remove the partition using gParted, then create a new partition & format the disk.
     
  20. Shenpen

    Shenpen Private E-2

    Just needed to rerun the killscript with the disc connected. :)
     
  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Happy that worked for you, instead of copying the data and wiping the drive.
     
  22. Shenpen

    Shenpen Private E-2

    Infection lingers on:

    After rebooting with second hard drive attached the usual symptoms occurred again.

    After detaching the second drive and repeating clean-up procedure the problems now persist.
     

    Attached Files:

  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run a scan with OTL while the infected drive is connected, attach the log with your next reply.
     
  24. Shenpen

    Shenpen Private E-2

    Scan was run with the same settings as posted earlier.
     

    Attached Files:

  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    With the drive connected, do the following:

    Run OTL.exe

    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
      Code:
      :OTL
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
      O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - No CLSID value found.
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
      O8:64bit: - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
      O8:64bit: - Extra context menu item: Se&nd to OneNote - res://D:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 File not found
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000 File not found
      O8 - Extra context menu item: Se&nd to OneNote - res://D:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105 File not found
      O18:64bit: - Protocol\Handler\ms-help - No CLSID value found
      O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) - File not found
      O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
      
      :Commands
      [Purity]
      [EmptyTemp]
      [EmptyFlash]
      [EmptyJava]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done


    • Download TDSSKiller and save it to your Desktop.
    • Double-click on TDSSKiller.exe to run the application.

      http://img4.imageshack.us/img4/1907/tdss1.png
    • Click Change parameters

      http://img593.imageshack.us/img593/288/tdss2.png
    • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK

      http://img521.imageshack.us/img521/1456/tdss3.png
    • Click on the Start Scan button to begin the scan and wait for it to finish.
      NOTE: Do not use the computer during the scan!
    • During the scan it will look similar to the image below:
      http://img6.imageshack.us/img6/9136/tdss4.jpg
    • When it finishes, you will either see a report that no threats were found like below:
      http://img696.imageshack.us/img696/9898/tdss5.jpg

      If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up which you can just close since the report file is already saved.
    • If any infection or suspected items are found, you will see a window similar to below:
      http://img854.imageshack.us/img854/905/tdss7.jpg
      • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
      • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
      • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
        Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
    • Click Continue to apply selected actions.
    • A reboot may be required to complete disinfection. A window like the below will appear:
      http://img828.imageshack.us/img828/4812/tdss6.jpg
      Reboot immediately if TDSSKiller states that one is needed.
    • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.

    Attach logs for:

    • OTL (C:\_OTL)
    • TDSSKiller (C:\TDSSKiller.(Version)_(Date)_(Time)_log.txt)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
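The TDSSKiller step above turns on "Verify Driver Digital Signature", and later in this thread an unsigned driver (RTCore64.sys) and two drivers with random-looking names (hvafvv, utm0mti0.sys) are the items of interest. The following is an added example, not code from the thread or from TDSSKiller: a PowerShell script that lists every registered kernel driver whose image file is missing or lacks a valid Authenticode signature, so the same signal can be reviewed in a table. It assumes Windows PowerShell with WMI available; the path normalisation rules and the column layout are my own assumptions.

```powershell
# Added example, not from the thread: report registered kernel drivers whose image is
# missing or whose Authenticode signature is not Valid, the signal TDSSKiller's
# "Verify Driver Digital Signature" option surfaces. Run from an elevated prompt.
function Get-DriverSignatureReport {
    foreach ($drv in Get-WmiObject -Class Win32_SystemDriver) {
        $path = $drv.PathName
        if (-not $path) { continue }

        # WMI reports driver paths in several shapes; normalise the common ones
        # (\SystemRoot\..., \??\D:\..., and a bare system32\drivers\x.sys) to a Win32 path.
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^\\\?\?\\', ''
        if ($path -match '^system32\\') { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered driver whose file is gone is either a leftover or something
            # hiding its image; both are worth listing.
            [pscustomobject]@{
                Name = $drv.Name; State = $drv.State; Path = $path
                Status = 'FileMissing'; Signer = $null
            }
            continue
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Name   = $drv.Name
            State  = $drv.State          # Running or Stopped
            Path   = $path
            Status = $sig.Status         # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Signer = $signer
        }
    }
}

# Anything other than Valid deserves a look. A short random-looking file name in a
# drivers folder that is also unsigned is the strongest lead; a known vendor driver
# that merely lacks an embedded signature (the RTCore64.sys case in this thread) is not.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object State, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

Get-AuthenticodeSignature checks the signature embedded in the file; on older Windows versions it does not consult catalog files, so a catalog-signed driver can show as NotSigned. That is why the thread's advice to Skip signature failures rather than act on them is sound: an unsigned result is a lead to investigate (file name, location, timestamp, whether it re-appears after reboot), not a verdict.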
     
  26. Shenpen

    Shenpen Private E-2

    Windows functionality seems to be back to normal again.

    Small mishap: procedure wasn't followed strictly as a suspicious file was copied to quarantine:

    RTCore64 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
    (from log)
     

    Attached Files:

  27. Shenpen

    Shenpen Private E-2

    All functionality seems to be back to normal now. :dancer:
     
  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    RTCore64.sys may have been the problem. It's a valid driver and should have been digitally signed.

    Run OTL click the CleanUp button. This will remove OTL, as well as some other tools if they are still present.
     
  29. Shenpen

    Shenpen Private E-2

    Again: Thank you for your efforts!
     
  30. Shenpen

    Shenpen Private E-2

    Back to infected status after another reboot
    Then ran
    MGtools
    Combofix
    OTL-scan
    OTL-fix with script from post # 9
    Computer now seem to work in a totaly normal way
    OTL-fix with script from post # 25
    After OTL requested reboot computer is back to infected status
    Repeat of the above procedures ending with post #9 script gives me full functionality again.
    TDSSKiller scan shows RTCore64 is unsigned again, with no cure (choose skip).
     

    Attached Files:

  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run OTL.exe

    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
      Code:
      :OTL
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present 
      @Alternate Data Stream - 1128 bytes -> D:\ProgramData\Microsoft:N4paRqV6ssG99zmnvFK
      @Alternate Data Stream - 1050 bytes -> D:\ProgramData\Microsoft:TZ2upUtMjWiMhyUxpQQGFE
      
      :Commands
      [Purity]
      [EmptyTemp]
      [EmptyFlash]
      [EmptyJava]
      [ResetHosts]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)


    Download avz4.zip from here
    • Unzip it to your desktop to a folder named avz4
    • Double click on AVZ.exe to run it.
    • Run an update by clicking the Auto Update button on the Right of the Log window: http://rathat.geekstogo.com/images/AVZupdate.jpg
    • Click Start to begin the update
    Note: If you receive an error message, chose a different source, then click Start again

    • After the update, from the "File" menu, choose "Standard Scripts"
    • Put a check next to item 2: Advanced System Investigation
    • Click Execute selected scripts
    • At the next prompt, click the OK button
    • Let the scan run and click "OK" when the completion prompt pops up
    • Now Close out of the Standard Scripts window, and exit AVZ
    • Navigate to the avz4 folder and locate the folder LOG
    • Inside the LOG folder you will find virusinfo_syscheck.htm, virusinfo_syscheck.htm and virusinfo_syscheck.zip
    • Attach the Compressed file, virusinfo_syscheck.zip, to your next reply.
     
  32. Shenpen

    Shenpen Private E-2

    Auto-update was not a problem.
     

    Attached Files:

  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I'm not seeing any malware.

    Close all windows then double click on AVZ.exe
    • Click File > Custom scripts
    • Copy & paste the contents of the following codebox in the box in the program
      Code:
      begin
      SearchRootkit(true, true);
      ClearHostsFile;
      RebootWindows(true);
      end.
    • Note: When you run the script, your PC will be restarted
    • Click Run
    • Restart your PC if it doesn't do it automatically.
    Attach a fresh AVZ log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
    Last edited: Dec 14, 2011
  34. Shenpen

    Shenpen Private E-2

    Please post script :)
     
  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Script added to my previous post.
     
  36. Shenpen

    Shenpen Private E-2

    After running script pc boots into hijacked state. No new logfile produced.
     
  37. Shenpen

    Shenpen Private E-2

    And MGtools + OTL with post # 9 script brings it back to full functionality.
     
  38. Shenpen

    Shenpen Private E-2

    TDSSKiller scan shows RTCore64 is unsigned again, with no cure (choose skip).
     
  39. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    AVZ does not produce a log. You have to run a new scan with AVZ. Hence, the "Attach a fresh AVZ log." in the instructions.

    Stop running older fixes.

    RTCore64.sys is an unsigned driver. Stop running tools I did not ask you to run.

    Do not do anything other than what I posted.

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Also attach a fresh scan log from OTL.
     
  40. Shenpen

    Shenpen Private E-2

    sure
     

    Attached Files:

  41. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run OTL.exe

    • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
      Code:
      :OTL
      DRV - (utm0mti0) -- D:\Windows\SysWOW64\drivers\utm0mti0.sys ()
      [2011/12/14 12:02:25 | 000,007,168 | ---- | M] () -- D:\Windows\SysWow64\drivers\utm0mti0.sys 
      @Alternate Data Stream - 1192 bytes -> D:\ProgramData\Microsoft:N4paRqV6ssG99zmnvFK
      @Alternate Data Stream - 1012 bytes -> D:\ProgramData\Microsoft:TZ2upUtMjWiMhyUxpQQGFE
      
      :Files
      D:\Program Files\Common Files\system\g9ODBMfM
      D:\Program Files\Common Files\system\WzSmGWFNxzM0O
      D:\Users\Shenpen\Local Settings\TEMP\pGc0paIv
      
      :Commands
      [Purity]
      [EmptyTemp]
      [EmptyFlash]
      [EmptyJava]
      [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot when it is done
    • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  42. Shenpen

    Shenpen Private E-2

    Well - that leaves the pc rather useless as there is no browser function after OTL reboot.
     
  43. Shenpen

    Shenpen Private E-2

    Disconnected the lan-cable and after a few minutes SAS booted and MS-Security Essentials turned on. Browser is obviously back to life too.
    Still some symptoms of infection, like Control Panel malfunction.
     

    Attached Files:

  44. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, run ComboFix and attach the ComboFix log.
     
  45. Shenpen

    Shenpen Private E-2

    ComboFixed
     

    Attached Files:

    • log.txt
      File size:
      23.7 KB
      Views:
      3
  46. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your ComboFix log looks fine. How are things running?
     
  47. Shenpen

    Shenpen Private E-2

    Some of the usual symptoms are gone: MS Security Essentials is up, SAS is up, but control panel for printers is still not working.

    But the real test is doing a reboot or two and see what happens.
     
  48. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You mean Printers & Faxes in the Control Panel or the manufacturer's Control Panel for the printer?
     
  49. Shenpen

    Shenpen Private E-2

    Printers & Faxes in the Control Panel
     
  50. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Press the Windows Key + R on your keyboard and type this command: control printers

    Does Printers & Faxes open?
     
