reveton virus

Discussion in 'Malware Help (A Specialist Will Reply)' started by horizone, Feb 2, 2013.

  1. horizone

    horizone Private E-2

    This computer has multiple users. The user "techusera" was experiencing the reveton virus. I was unable to login as this user even in safe mode (it would just shut down), so I ran everything as the local administrator.

    It is better now - I can at least login without getting the "FBI" screen. However, since I didn't fix the items found by HitmanPro, I thought I should still post logs.

    I'm very sorry, but I made a mistake when I ran RogueKiller and allowed it to fix the registry items that it found. So sorry!! Hope that's not too bad.

    Thanks!
    Elizabeth
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install the Strongvault Online Backup stuff?

    Also note that you forgot to disable UAC as requested and required.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to assume that you did not knowingly want to install that Strongvault stuff anyway because I don't think you should have this on your PC. So in the below we will be removing it along with other items.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just the title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Program Files (x86)\Coupon Companion Plugin
    C:\Users\techusera\AppData\Local\Temp\~!#E497.tmp
    C:\Users\techusera\AppData\Roaming\mpeat.dll
    C:\Program Files (x86)\Strongvault Online Backup
    C:\ProgramData\Strongvault Online Backup
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Strongvault Online Backup
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\StrongVaultApp.exe.lnk
    C:\Users\techmaster\AppData\Local\Strongvault Online Backup
    C:\Windows\SysWOW64\sho1ED7.tmp
    C:\Windows\SysWOW64\sho4B7D.tmp
    C:\Users\techmaster\AppData\Local\Temp\*.*
    
    :Reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110211181104}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
    [HKEY_USERS\S-1-5-21-1002098645-1641868332-1499944537-1465\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "mpeat"=-
    [-HKEY_USERS\S-1-5-21-638095949-1320517516-2357822690-1000\Software\InstalledBrowserExtensions\215 Apps]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Messenger"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SMessaging"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "SMessaging"=-
    [HKEY_USERS\S-1-5-21-638095949-1320517516-2357822690-1000\Software\Microsoft\Windows\CurrentVersion\run]
    "Messenger"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  4. horizone

    horizone Private E-2

    Hello -

    I actually did disable UAC before I started. Pulled it down to Never Notify and rebooted. Not sure how it got re-enabled at full strength, no less!

    Strongvault popped-up for the first time that I know of while I was doing one of the scans - HitmanPro, I think. And no, I definitely don't want it.

    BTW - Strongvault.exe still exists in:
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
    I can't delete it - it says it is running.

    techusera is usable now. I get two runDLL errors for files not found: mpeat.dll and nfeco.dll
    The desktop does some pretty freaky stuff when I log out.

    Would it be safest to delete that profile after the user recovers their data?

    Thanks!
    Elizabeth
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's see if we can cleanup the rest of the issues.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - Global Startup: StrongVaultApp.exe
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.

    Uninstall the below software:
    Coupon Companion Plugin
    Java(TM) 6 Update 35
    Strongvault Online Backup

    If any do not uninstall or you cannot find them, just continue on.




    Now Run OTM.exe again by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just the title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Strongvault.exe
    C:\Users\techmaster\AppData\Local\Temp\techmaster.bmp
    C:\Program Files (x86)\Strongvault Online Backup\
    C:\Users\techmaster\AppData\Roaming\Strongvault
    C:\Program Files (x86)\Coupon Companion Plugin
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{3002C8EB-2A7E-419B-B77F-5AD7E9F54A5A}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{5E33D30D-D896-4D92-B033-5F45819B2937}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Coupon Companion Plugin]
    [-HKEY_USERS\S-1-5-21-1002098645-1641868332-1499944537-1465\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mpeat]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large http://forums.majorgeeks.com/chaslang/images/MoveIt!.png button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now run a scan with RogueKiller and attach the new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the new RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. horizone

    horizone Private E-2

    When I login as techusera, I get two runDLL errors for files not found: ...\mpeat.dll and ...\nfeco.dll

    Otherwise, all seems good now.
    Thanks!
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then you should be giving me logs from when logged into that account. The logs you are giving me are from USERPROFILE=C:\Users\techmaster which will not show me what is going on with the techusera account.
     
  8. horizone

    horizone Private E-2

    I did not rerun OTM, so refer to the logfile in the previous post for those results.
    The RogueKiller and MGTools logs are now from the techusera userid where the problem originated.

    NOTE: The userid techusera was initially unusable, even in safe mode, so that's why I was using techmaster.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay continue to use the techusera account now to finish your cleaning.




    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just the title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\Users\techusera\AppData\Roaming\nfeco.dll
    C:\Users\techusera\AppData\Roaming\mpeat.dll
    C:\Users\techusera\AppData\Roaming\pscasv.dll
    C:\Users\techusera\AppData\Roaming\skype.dat
    C:\$Recycle.Bin\S-1-5-21-1002098645-1641868332-1499944537-1465\$42e1ee2b4f43deee2bc3c7342a68d21d\n
    C:\$recycle.bin\S-1-5-21-1002098645-1641868332-1499944537-1465\$42e1ee2b4f43deee2bc3c7342a68d21d\@
    C:\$recycle.bin\S-1-5-21-1002098645-1641868332-1499944537-1465\$42e1ee2b4f43deee2bc3c7342a68d21d\U
    C:\$recycle.bin\S-1-5-21-1002098645-1641868332-1499944537-1465\$42e1ee2b4f43deee2bc3c7342a68d21d\L
    C:\$recycle.bin\S-1-5-21-1002098645-1641868332-1499944537-1465\$42e1ee2b4f43deee2bc3c7342a68d21d
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "nfeco"=-
    "mpeat"=-
    "pscasv"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "pscasv"=-
    [HKEY_USERS\S-1-5-21-1002098645-1641868332-1499944537-1465\Software\Microsoft\Windows\CurrentVersion\run]
    "nfeco"=-
    "mpeat"=-
    "pscasv"=-
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
    "Shell"="explorer.exe"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]

    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
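Added example (not from the thread, and not OTM's own code): a small Python parser that reads an OTM script like the three chaslang posted and lists what it would do, warning about registry paths whose hive name is not a real one. The section and line grammar it assumes is my reading of those scripts (":Processes", ":Files", ":Reg", ":Commands"; in ":Reg", "[-key]" deletes a key, "[key]" selects one, "name"=- deletes a value under it and "name"="data" sets one), not OTM's documented format. Run over the first script it flags the HKEY_UESRS line, so the "mpeat"=- deletion beneath it names a hive that does not exist while the same script moves mpeat.dll; an autorun value left pointing at a moved file is what a RunDLL "file not found" error at logon looks like. The sample script embedded below is constructed from lines of the first script, typo included; the stem-versus-value-name comparison in the last function is a heuristic of mine.

```python
import re
from dataclasses import dataclass, field

# Hive names a registry path may legitimately start with (long and short forms).
KNOWN_HIVES = {
    "HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
    "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKLM", "HKCU", "HKU", "HKCR",
}

SECTION_RE = re.compile(r"^:(\w+)\s*$")             # :Files
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")           # [key] or [-key]
VALUE_RE = re.compile(r'^"([^"]*)"=(?:(-)|"(.*)")$')  # "name"=- or "name"="data"
COMMAND_RE = re.compile(r"\[([^\]]+)\]")             # [purity], possibly several per line


@dataclass
class OtmPlan:
    processes: list = field(default_factory=list)
    files: list = field(default_factory=list)
    reg_delete_keys: list = field(default_factory=list)
    reg_delete_values: list = field(default_factory=list)  # (key, value name)
    reg_set_values: list = field(default_factory=list)     # (key, value name, data)
    commands: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_otm_script(text):
    """Turn an OTM script into a structured plan; never touches the system."""
    plan = OtmPlan()
    section = None
    current_key = None  # key most recently selected with [key] inside :Reg
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "processes":
            plan.processes.append(line)
        elif section == "files":
            plan.files.append(line)
        elif section == "reg":
            km = KEY_RE.match(line)
            if km:
                key = km.group(2)
                hive = key.split("\\", 1)[0].upper()
                if hive not in KNOWN_HIVES:
                    plan.warnings.append(f"line {lineno}: unknown hive {hive!r}")
                if km.group(1) == "-":
                    plan.reg_delete_keys.append(key)
                    current_key = None
                else:
                    current_key = key
                continue
            vm = VALUE_RE.match(line)
            if vm and current_key is not None:
                name = vm.group(1)
                if vm.group(2) == "-":
                    plan.reg_delete_values.append((current_key, name))
                else:
                    plan.reg_set_values.append((current_key, name, vm.group(3)))
            else:
                plan.warnings.append(f"line {lineno}: cannot interpret {line!r}")
        elif section == "commands":
            plan.commands.extend(COMMAND_RE.findall(line))
        else:
            plan.warnings.append(f"line {lineno}: text outside any section: {line!r}")
    return plan


def run_values_touched(plan):
    """Value names deleted or set under any key ending in \\Run (case-insensitive)."""
    names = set()
    for key, name, *_ in plan.reg_delete_values + plan.reg_set_values:
        if key.lower().rstrip("\\").endswith("\\run"):
            names.add(name)
    return names


def moved_binaries_without_run_cleanup(plan):
    """Heuristic: .dll/.exe files the script moves whose file stem matches no
    Run value the script removes. A hit is worth a second look, since an autorun
    entry that survives its target is what produces a RunDLL error at logon."""
    touched = {n.lower() for n in run_values_touched(plan)}
    suspects = []
    for path in plan.files:
        base = path.rsplit("\\", 1)[-1]
        stem, dot, ext = base.rpartition(".")
        if dot and ext.lower() in ("dll", "exe") and stem.lower() not in touched:
            suspects.append(path)
    return suspects


# Constructed sample, built from lines of the first script in the thread.
SAMPLE_SCRIPT = r"""
:Processes
explorer.exe

:Files
C:\Users\techusera\AppData\Roaming\mpeat.dll
C:\Users\techmaster\AppData\Local\Temp\*.*

:Reg
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}]
[HKEY_UESRS\S-1-5-21-1002098645-1641868332-1499944537-1465\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mpeat"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="explorer.exe"
:Commands
[purity]
[EmptyTemp]
[start explorer][Reboot]
"""

if __name__ == "__main__":
    plan = parse_otm_script(SAMPLE_SCRIPT)
    for w in plan.warnings:
        print("WARNING:", w)
    print("files to move:", plan.files)
    print("Run values touched:", sorted(run_values_touched(plan)))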
  10. horizone

    horizone Private E-2

    Now I get one runDLL error for file not found: ...\pscasv.dll
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    According to your last logs, references to that DLL were cleaned up.

    Re-run a scan with RogueKiller and see if any items like below show under the Registry tab

    If they do show with the pscasv.dll file, then select them and click the Delete button.
    Then reboot and see if you still have a problem.
     
