System Crippling Virus Lowsec/Skynet

Discussion in 'Malware Help (A Specialist Will Reply)' started by wootah, Sep 6, 2009.

  1. wootah

    wootah Private E-2

    Hello,

    I have come here in the previous weeks through Google searches for various problems with malware. Up until this point I have been able to find the solutions necessary in these and other forums to deal with the malware (so I thought), but now my system has been completely crippled.

    Tonight, at around 8:30 I was surfing Google News using Google Chrome, opened up five news tabs in rapid succession and got a message from AVG Free 8 (fully updated) saying that some file in my IE temp folder was infected. It couldn't be cleaned or quarantined. I closed my browser down and reopened it, and a few seconds later a message popped up from AVG twice more with a different file in the Windows system folder being infected. None of them could be found. A few seconds later I got another message saying Adobe Acrobat 32 had some error, followed by a virus message from AVG for Acrobat.

    I closed down all programs and first updated and then ran Malwarebytes. I started the scan and disabled the network connection because I thought it was updating itself as I watched the lights blink away. It detected 14 objects, mostly listed as trojans and stolen data. It cleaned as many as it could and said that some needed a reboot for complete cleaning. As the computer was shutting down I again got an Adobe Acrobat error.

    I rebooted. The computer started up very slowly, and when I went to run Malwarebytes after the reboot, I was told the file was not found. Opening up the folder, I tried to run it directly, and it was forbidden. No problem (I thought); I would try to rename it. Access denied (as others in this forum have expressed).

    I rebooted and tried to jump into Safe Mode. None of the safeboot modes worked, so I booted back into normal mode and reinstalled a clean set of Safe Mode boot registry files (useful from the last time I had Skynet). I successfully booted into Safe Mode and, to my horror, found that whatever rootkit I have, it functions in Safe Mode.

    I opened up RootRepeal (my savior from my previous Skynet infection). It opened fine. I scanned the processes: 15 items found, no problem. I told it to scan my files on my G drive (my /systemroot/). It started happily along and then suddenly closed. I clicked to run it only to find that I am now denied access to RootRepeal as well. I logged onto this computer (netbook) and read up about not having access to files in XP because of viruses, and then, following directions on a site I found on Google, used the Security tab -> Advanced to reset all the security access to the folder in which RootRepeal sits. It let me run it again, but as soon as I started a scan of files, the program was closed, and I was once again locked out. Ugh.

    At this point I decided to use safety.live.com. Now, I have not read this being advertised as a good idea anywhere in any forums, but after my previous infection, with AVG and Malwarebytes turning up nothing, I went through a lengthy email process with two MS representatives to repair my Windows Update (destroyed in the previous Skynet infection), and live.com was able to repair the problem. In the process I noticed it had AV repair online, so I logged onto Safe Mode with Networking, re-enabled my network connection and went to safety.live.com.

    The scan started well but then suddenly the window was closed out. I couldn't start it again and, alarmed, looked to my network connections. It was greyed out, listed as disabled. Not only that, but the connection would go through some cycle of disabling when I clicked on it to disable. At this point I thought it was disabled, but my router light was flashing happily away for that port, and wondering if Windows was reporting it as disabled but really transferring my data away, I disconnected the computer from the router physically.

    I have been on the forums for the last two hours reading others' problems and the stickies. I see that you guys regularly request MGtools logs, so with some hassle I got them onto the infected computer and ran them. Unfortunately no logs were produced. I ran the clean.bat, which removed almost everything, but then got weird errors when I tried to run it again. After a reboot and another run, no logs were produced a second time. At this point, I am almost convinced the virus has the ability to detect any form of scanning software and kill the process.

    I have no logs from MGtools to attach, but I have tonight's (and my older MBAM) logs that I can attach if that will help in any way. I suspect in some way the infections are all related, as each time they seem to be a variant of the previous one. This is problematic for me because each time I have 'cleaned it off', MBAM and AVG would tell me my system was clean (after enough iterations and removal steps). Unfortunately, looking over the logs, I see one entry about Skynet again.

    I guess I should attach the obligatory crying smiley :cry but at least I have access to most of my files still. I would like to get this cleaned off, and have since read up on the other lines of defense (Sun Java and SpywareBlaster) that would have been nice to know about previously.

    I have attached the logs from tonight and past infections.
    Help would be appreciated. I plan on never using Adobe software (Flash and Reader) again, just in case, because it seems like it came through there, and I don't use IE for anything except updating Windows (which I did last time as soon as it was fixed).

    Thanks for any help that you can give, it would be greatly appreciated.

    Mike
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What happens when you run MGTools? RootRepeal should have left a txt file for you. We need to see more than what you have attached to help you.
     
  3. wootah

    wootah Private E-2

    I guess I wasn't very clear in my post. I am at work right now, but I remember quite clearly.
    RootRepeal doesn't get a chance to finish before it is terminated and then locked down. If it is generating a .txt file, it certainly isn't in the same directory as the .exe file or anywhere else I can find it.

    The first time I ran MGtools, it just sat at the DOS window and did nothing. (IIRC it told me that it had found my system directory and that was it.)
    Any subsequent run of the getlogs.bat flashes up a DOS window (blink of the eye) with no logs generated in the root directory of my Windows install. Is there a way I can find the logs, or even know if the virus is allowing them to be generated, like running from an external source? Please let me know.

    Thanks,

    Mike
     
    Last edited: Sep 9, 2009
  4. wootah

    wootah Private E-2

    TimW

    I got home and reran MGtools in Safe Mode.
    It produced 2 files in the MGtools directory:

    Filelog.txt
    Getunkey.txt

    I am attaching them to this post. No files were created in the root.
    It doesn't appear that the malware lets the batch complete. After running the getlogs.bat, I ran the analyse.exe and chose to scan and get logs. The scanning began but was closed a few seconds into the scan. Trying to run it a second time produced the error:

    "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Which is the same thing that happened before with RootRepeal.

    Thanks for the Help so far,
    Very encouraging.

    Mike
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I want you to try doing a few things.

    First, see if you can run this:
    If you cannot, then try doing this:
    Win32KDiag - How to run
     
  6. wootah

    wootah Private E-2

    Thanks for the Reply.
    Here are the results:

    It stopped working at the same place that it has in the past, creating the same files as attached in my previous response. I let it sit at that spot for 30 minutes before going on to running FixAVP.exe. Running FixAVP loaded a bunch of files and shut the system down almost in the blink of an eye. After a lengthy reboot I checked the root folder of the Windows drive for any log files. I found nothing. With no MGlogs.zip to attach, I went on to run Win32KDiag.exe. I have attached the log file generated there to this post.

    Thanks for the help, it is greatly appreciated.

    Mike
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please do the below to make a copy of the good system file into the root folder of your hard disk so that we can use it to fix your problem.

    1. Click on the Start button, then click on Run...
    2. In the empty "Open:" box provided, type cmd and press Enter
      • This will launch a Command Prompt window (looks like DOS).
    3. Copy the entire blue text below to the clipboard by highlighting all of it and pressing Ctrl+C (or after highlighting, right-click and select Copy).
      copy G:\WINDOWS\system32\logevent.dll G:\ /y
    4. In the Command Prompt window, paste the copied text by right-clicking and selecting Paste.
    5. Press Enter.
      • When successful, you should get this message within the Command Prompt: "1 file(s) copied"
        NOTE: If you didn't get this message, stop and tell me first. Executing The Avenger script below will not work if the file copy was not successful.
    6. Exit the Command Prompt window.

    Now download The Avenger by Swandog46, and save it to your Desktop.

    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.


    Now do the following (make sure you redownload the file. Do not use the old copy.):

    • Copy the Win32kDiag (If on your desktop)(Right click and choose copy / then Open my computer, click on the G drive and paste it there) and save to G:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log

    G:\win32kdiag.exe -f -r

    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Then attach the below logs:

    • G:\avenger.txt
    • the new log from Win32kDiag
    • G:\MGlogs.zip

    Make sure you tell me how things are working now!
     
    Last edited: Sep 20, 2009
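    The file-copy step in TimW's post above, as an added example that is not part of the original thread or of MGtools, Avenger or Win32kDiag: the same copy done from PowerShell, with a check that the copy is byte-identical rather than relying on cmd's "1 file(s) copied" message, and a comparison against the SFC cache copy in system32\dllcache if one exists. Assumptions: Windows lives on G: as in the thread, logevent.dll is the file the helper asked for, and dllcache is present and untouched (an XP default, not something the thread verifies). It uses .NET hashing because Get-FileHash needs a newer PowerShell than an XP box has.

```powershell
# Added example (not from the MajorGeeks thread or its tools): reproduce the
# "copy a good system file to the drive root" step from post 7 in PowerShell,
# and verify the copy instead of trusting the "1 file(s) copied" message.
# Assumptions: Windows is on G: as in the thread; $FileName is the file the
# helper asked for (logevent.dll in post 7); the SFC cache at
# %windir%\system32\dllcache exists (XP) and holds an untouched copy.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET hashing works on PowerShell 2.0 (XP era); Get-FileHash needs PS 4+.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Copy-SystemFileToRoot {
    param(
        [string]$FileName = 'logevent.dll',
        [string]$SystemRoot = $env:SystemRoot   # G:\WINDOWS on the infected box
    )
    $drive  = [System.IO.Path]::GetPathRoot($SystemRoot)        # "G:\"
    $source = Join-Path (Join-Path $SystemRoot 'system32') $FileName
    $cache  = Join-Path (Join-Path $SystemRoot 'system32\dllcache') $FileName
    $dest   = Join-Path $drive $FileName

    if (-not (Test-Path -LiteralPath $source)) {
        # This is the "stop and tell me first" case from the helper's note.
        throw "Source not found: $source"
    }

    Copy-Item -LiteralPath $source -Destination $dest -Force -ErrorAction Stop

    # cmd.exe only reports that a file was written; check it is byte-identical.
    $srcHash = Get-Sha256Hex $source
    $dstHash = Get-Sha256Hex $dest
    if ($srcHash -ne $dstHash) {
        throw "Copy at $dest does not match $source (hash mismatch)"
    }

    $result = New-Object PSObject -Property @{
        Destination     = $dest
        Sha256          = $dstHash
        MatchesDllCache = $null   # stays $null when no cache copy exists
    }
    # If the SFC cache copy exists, a mismatch means the live DLL differs from
    # the cached one: worth telling the helper before running any fix script.
    if (Test-Path -LiteralPath $cache) {
        $result.MatchesDllCache = ((Get-Sha256Hex $cache) -eq $dstHash)
    }
    $result
}

# Usage on the affected machine (run from an administrator prompt):
# Copy-SystemFileToRoot -FileName 'logevent.dll' -SystemRoot 'G:\WINDOWS'
```

    A read failure inside Get-Sha256Hex on the source is itself a useful signal here: it is the same "access denied" the thread reports on the locked tools, and the thing to report to the helper rather than work around.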
  8. wootah

    wootah Private E-2

    TimW,

    Thanks for the reply.
    Not to sound pretentious or ungrateful for your help, I just wanted to ask if you really meant eventlog.dll(file listed as unaccessible with win32kdiag) or logevent.dll (as you have it entered in the command).

    Just wanted to make sure before I started, thanks for all the help. I really appreciate it.

    Mike
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The first part of the message TimW gave you is correct. The logevent.dll file needs to be copied to the root folder.

    However the Avenger fix was incorrect. Tim was posting to another thread with Vista at the same time and forgot to change this. The correct script to copy into Avenger is the below:

     
  10. wootah

    wootah Private E-2

    TimW (and Chaslang)

    Thanks for the help. I followed your directions and everything worked without incident as far as I can tell. The files you have requested are attached.

    You guys are great; this has really boosted my optimism.
    I am looking forward to the next steps :)

    Mike
     

    Attached Files:

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are not out of the woods yet.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    * Run avenger.exe by double-clicking on it.
    * -Do not change any check box options!!
    * Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\Avenger.txt
    * C:\MGlogs.zip
     
  12. wootah

    wootah Private E-2

    Thanks for getting back to me!
    The files are attached!

    Your comment about restarting my anti-virus (AVG 8.5) has me curious. Should it start to pick things up as files/rootkits get deleted? It hasn't yet, but my definitions might be out of date. Ever since the virus hosed my internet connection I have left it disconnected from the router. Malwarebytes told me on the day of the infection that some of the files were classified as 'stolen data', and so I was wondering if it is OK at this point to connect it back up again and get updates? If it finds stuff, should I let it take action?
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, you should re-enable your AV protection after doing any fix. As for updating the definitions, you can download them and copy them via cd from another computer.

    Please use windows explorer to find and delete:
    G:\Documents and Settings\Ferdinand\Local Settings\Temp\108665750.cvr
    G:\Documents and Settings\Ferdinand\Local Settings\Temp\108713328.od
    G:\Documents and Settings\Ferdinand\Local Settings\Temp\67AD5BE.dmp

    Now double click:
    G:\MGtools\analyse.exe --> tell me what happens.

    If it runs, attach the log.

    Yes, re-enable your connection, update all definitions for AVG, SAS and MBAM. Then run them and attach those logs.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * SAS
    * MBAM
    * C:\MGlogs.zip
     
  14. wootah

    wootah Private E-2

    Tim!

    Thanks for the response.
    -I deleted the files you listed.
    -I downloaded the updates for AVG and moved them to the infected computer and installed them without incident.

    Initially analyse.exe wouldn't run for me. The permissions were still locked down by the virus, so I ran MGclean.bat and then reran MGtools.exe to recreate the folder. I attached the HJT log to this post (I believe getlogs.bat also includes it in the MGlogs.zip).

    From there I tried to run mbam.exe and it was also locked down. I get the "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." error. The suggestion on the internet is to reset the permissions, but right-clicking on the file causes the computer to stall (the virus?) for a long while before nothing happens. Right-clicking on other files quickly brings up the standard right-click menu where I can access the properties.

    I hadn't installed SAS up to this point so I connected to the internet and installed it, updated it, and let it run. It found around 35 trojan agents, of the UAC and skynet variety. I let it clean them and the log is attached here.

    I let the computer restart after cleaning by SAS and then again attempted to run MBAM. It still wouldn't work, and since I cannot rename it and cannot reset the permissions for the program or the parent folder, I then reran getlogs.bat and am calling it a night. I figured these logs would be good enough for now.

    I am posting this from the infected computer, but I will keep it disconnected in case the virus still has the ability to update itself (which is what I believe happened with the previous infections and wasn't entirely cleaned up).

    Thanks For all your help. I really appreciate it all and look forward to your next post.

    Mike
     

    Attached Files:

  15. wootah

    wootah Private E-2

    I uninstalled MBAM, downloaded a new version, and ran the scan of the G: drive. It found two items, which were removed.

    I have attached the log.

    A subsequent reboot and scan of the entire system produced no further hits.
    Is the system 'clean' yet? I was at this point last time and got the same virus a couple of weeks later, so I still wonder if there is stuff hidden on the computer.
     

    Attached Files:

  16. wootah

    wootah Private E-2

    I hate to bump this thread before you gentlemen get a chance to respond, but I decided since I now have internet access and MBAM and SAS were turning up nothing new, that I would give safety.live.com a shot at my computer. (Which fixed my windows update problem last time I had the virus).

    I was locked out of Internet Explorer (like many other programs) and ran this string that I found on the internet that was supposed to reset my permissions/accessibility.

    secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

    After running it from the command prompt, I was able to start IE again.
    From there I ran the quick scan and found nothing. The complete scan found 3 additional things that the other two programs could not find, two of which were fixable; the third was not. Since I have no logs I will attach screenshots.

    I realize that Windows Live cleaning two of the files from my computer means that I probably need to update my logs, so I reran analyse.exe and getlogs.bat and am attaching the MGlogs.zip as well (it has a copy of the HijackThis log inside of it).

    Sorry for the extra files.
    Thanks for the help.

    Mike
     

    Attached Files:
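    The access problem wootah describes in posts 14 and 16 ("Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item"), as an added example that is not part of the thread or of any tool it names: a PowerShell audit of the executables that were locked, listing explicit Deny entries on each and optionally removing them, which is a narrower repair than the secedit template reset above (secedit rewrites the whole default security template, not just the files that were touched). Assumptions not established by the thread: that the lockout is an explicit Deny ACE on the file (that message is what Windows shows when launching a file fails with access denied), and the tool paths in the list, which are constructed for illustration.

```powershell
# Added example (not from the thread or any of the tools it names): audit the
# ACLs of the executables the thread says were "locked down" and strip explicit
# Deny entries so the tools can run again.
# Assumption: the lockout behind "Windows cannot access the specified device,
# path, or file" is an explicit Deny ACE on the file (or its folder); the paths
# below are constructed examples. Run from an administrator prompt; -WhatIf
# reports without changing anything.

function Get-DenyEntries {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    # Only explicit (non-inherited) Deny entries: those are what a tool or
    # malware sets on a specific file; inherited ones come from the parent.
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited
    }
}

function New-Report {
    param([string]$Path, [string]$Status, [int]$Denies)
    New-Object PSObject -Property @{ Path = $Path; Status = $Status; Denies = $Denies }
}

function Repair-ToolAccess {
    param(
        [string[]]$Paths,
        [switch]$WhatIf
    )
    $report = @()
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            $report += New-Report $p 'missing' 0
            continue
        }
        try {
            $denies = @(Get-DenyEntries $p)
        } catch {
            # A Deny that covers READ_CONTROL hides the ACL from everyone but
            # the owner: take ownership first (Security tab -> Advanced ->
            # Owner, the route wootah used in post 1), then rerun.
            $report += New-Report $p 'acl unreadable (take ownership first)' -1
            continue
        }
        if ($denies.Count -eq 0) {
            $report += New-Report $p 'ok' 0
            continue
        }
        $who = ($denies | ForEach-Object { $_.IdentityReference.Value }) -join ','
        if ($WhatIf) {
            $report += New-Report $p "would remove Deny for $who" $denies.Count
            continue
        }
        try {
            $acl = Get-Acl -Path $p -ErrorAction Stop
            foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }
            # Set-Acl needs WRITE_DAC; the owner always has it, others may not.
            Set-Acl -Path $p -AclObject $acl -ErrorAction Stop
            $left = @(Get-DenyEntries $p).Count
            $report += New-Report $p "removed Deny for $who ($left explicit Deny left)" $denies.Count
        } catch {
            $report += New-Report $p "failed: $($_.Exception.Message)" $denies.Count
        }
    }
    $report
}

# Constructed list; adjust to the tools and drive on the affected box.
$tools = @(
    'G:\Program Files\Malwarebytes'' Anti-Malware\mbam.exe',
    'G:\MGtools\analyse.exe',
    'G:\Documents and Settings\Ferdinand\Desktop\RootRepeal.exe'
)
# Dry run first; drop -WhatIf to actually remove the Deny entries.
Repair-ToolAccess -Paths $tools -WhatIf | Format-Table Path, Denies, Status -AutoSize
```

    Run the audit on the parent folders too (post 14 says the folder was locked as well as the program), and treat a non-empty "would remove" list as evidence for the helper rather than as the end of the cleanup: removing a Deny ACE restores the tool, it does not remove whatever set it.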

  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your logs are clean. You should use both CCleaner and ATF cleaner ( ATF Cleaner by Atribune ) to remove any leftover internet temp files.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  18. wootah

    wootah Private E-2

    Thanks TimW. You have been a huge help.
    If the logs are clean I am happy. The virus found from the live scan was in the temp internet folders, and I think CC cleaner removed all of those.

    I am only having one problem, which I cannot tell is from the virus or may be from damage caused by the virus (and thus not really relevant to this forum). I am getting weird disk errors. I cannot, for example, access my virus vault for AVG. I get an initialization failed message. The AVG forums say that this is a problem with my computer and not with the software.

    Office was not working as well; it would lock on startup. The diagnostic tool for Office crashed repeatedly, giving me this error:

    Exception Processing Message C00000a3 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

    After a couple of crashes I chose to continue, and the diagnostic tool apparently fixed it. I had multiple other files 'locked down' by the virus which the secedit string (post #16) seemed to fix, but not all.

    If this is just damage to the hard drive or Windows settings, is there any way whatsoever to find and repair this stuff? Reinstalling may work for MBAM, but not so much for necessary Windows folders.

    Thanks for all your help. How do I give you one of the 'thanks' things for the forum?

    Mike

    P.S. Is there some sort of thread that explains the motivation/reasoning behind the malware experts providing this kind of help? It is really appreciated, but it is also a never-ending battle. Do you guys take donations, like the tools you recommend we use do?
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You may need to completely uninstall AVG and then, after running CCleaner, reinstall it. But this is a question for the software forum.
    What files? Are you talking files or program exe's?

    Another question for the software forum.
    You are most welcome.
    Our motivation is just to help people with their issues. Same as those that volunteer their time in the other forums.
     
  20. wootah

    wootah Private E-2

    Fair enough, Thanks.

    MBAM, RootRepeal, and analyse.exe (HijackThis) all wouldn't let me run them, but I could delete them and reinstall them without a problem, so at this time there are no other executables that have given me problems.

    How do I give you one of the official forum thanks? Or is that something not available to a forum private? If I wanted to make a donation to you how would I do that? Or in the event that you don't want donations, a software utility of your choice?

    Again, thanks for the help. Everything has been working for a week now with only minor software glitches I am working on. Case closed, I guess :)

    Mike
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You really don't need to do anything. :) Knowing you are clean is my reward all in itself.
     
  22. wootah

    wootah Private E-2

    Wow. Thank you TimW.
    I appreciate everything. It makes a huge difference.

    And just last night I was browsing, opening up dozens of tabs, when Comodo caught a buffer overflow in AcroRd32.exe (I didn't even open up a PDF!), which I am sure is the same thing that happened when all this started (and AVG reported right as the system went down), so again thank you. Your advice has saved me a severe headache yet again.

    Mike

    (I also uninstalled Adobe Reader and installed Foxit immediately thereafter).
     
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome....safe surfing. :)
     
