Tired, Frustrated, Infected, And Confused...

Discussion in 'Malware Help (A Specialist Will Reply)' started by silvervulpus, Apr 28, 2019.

  1. silvervulpus

    silvervulpus Guest

    Before I begin explaining the problem, I want it to be known that I already posted about this issue on the Comodo support forums and waited well over 12 hours without getting a reply before deciding to post here.

    Here is a hyperlink to the original post; in this post I will try to summarize as best I can without missing the core details. https://forums.comodo.com/virusmalw...ctory-reset-found-an-infection-t124203.0.html

    I also want to give a big thanks in advance to all the hardworking, awesome techs here at MajorGeeks. I have been coming to this site for years and I have never been dissatisfied with the results. You guys are awesome.

    So let's get started.

    The short and dirty of it is: I got a used laptop, a Toshiba Satellite L755, from a pawn shop, and used it with Windows 10 for about a week before my wife said she could not stand the OS and requested that I do a Linux install instead. I loaded a live USB for Linux Mint, looked at the partition table, and found out they had upgraded to 10 from 7, and she wanted 7 more than Linux. I rebooted, doing the classic Toshiba factory reset (hold the zero key, power on, reset to out-of-box condition), and that all went smoothly. I did the Toshiba first-time-use setup for drivers and bloatware. Came to MajorGeeks and, first thing, picked up PC Decrapifier, Comodo, and Spybot 1.6.2. Ran the Decrapifier, removed tons of garbage, installed, updated and immunized with Spybot, then installed Comodo. All was well until what happened next.

    Went to use Dragon browser, got a blank white screen; it totally would not run, probably because the software for the OS is from 2012. No problem, Chrome runs. Logged into Chrome with the intent to install NoScript and Adblock Plus, and found out the Chrome was super old and unsupported. Downloaded the installer for a new Chrome, went to run it, got an error code, looked the code up, and found out I needed system updates to run the new installer. No problem.

    Go to Windows Update, check for updates. 160-ish updates needed, most of them important, with like 9 optional. Select them all, begin the update process. Updates run, reboot ensues; after the reboot, I find out only about 100-ish of the updates actually took, the rest failed. Then Comodo starts going haywire, throwing threat detections from the C:\Windows\assembly folder. serialization.dll's are all up and down the list, tagged as malware.

    Attempt to follow the file path to inspect/scan the files individually. Cannot access any of them; they don't show up in File Explorer or using CD/ListDir commands in CMD.

    I attempted to run updates a second time, and 59 updates failed, causing me to wait for a few hours for the changes to revert.

    Scan the whole assembly folder with Spybot and Comodo. No threats found, but Comodo finds 176 unrecognized files. I submit them all to Comodo for review.


    I start looking around the web for related cases of this malware. I find only one relevant post, from bleepingcomputer.com/forums. I read the whole post; turns out in 2012 someone else had almost the exact same issue with almost the exact same laptop. Read the whole thing, and boy did I feel my butthole pucker.

    Turns out the poor guy never actually resolved the issue, after utilizing the following tools. This bothered me because I have always considered most of these tools to be last resort only, heavy hitters. The tools were as follows: GMER, ComboFix, Tweaking, AVG Rescue CD, HijackThis, Spybot 1.6.2, Malwarebytes, and a couple of other lesser programs.

    I was rather intimidated that HijackThis, GMER, ComboFix and Tweaking could not fix the issue, as I have used them all, and they are some of the strongest software I have ever used in malware/virus removal.

    I am at a bit of a loss as to how to proceed. Some posts hinted the problem was because of an out-of-date Java 6 JRE, some hinted it was because of a faulty .NET Framework or runtime; to be honest, I am not sure.

    Below I will include some attachments of the threat detection, windowsupdatelog.txt and whatever relevant information I can find.

    I did not follow the Read Me First for the forum, but I have done some extensive scanning and searching on my own previous to making this post, which is equivalent to the results of the Read Me First. If there is any more information I can provide, or any more questions about the situation I can answer, I will be happy to; just say the word. I also request that whoever reads this also reads the post I made on the Comodo forum, as it contains certain questions and some minor information I left out here. Thank you guys for everything; looking forward to some useful advice. I don't really want to move forward on my own with my other ideas without discussing it with some other techs first.

    Thank you again, hope to hear from you soon.

    Below is a text copy of my windowsupdatelog.txt file; because for some reason I can't upload it, I copy-pasted the contents of the text file into a pastebin and gave the link.

    https://dpaste.de/1yOF
     


  2. silvervulpus

    silvervulpus Guest

    I want to note really fast: I have not run any programs other than Spybot, regedit to try and view (but no changes made), and Comodo in trying to pursue this, as I do not want to cause system instability or deal with conflicting removal software.
     
  3. silvervulpus

    silvervulpus Guest

    A few pics of my update history, a bit easier to read than the log.
     


  4. silvervulpus

    silvervulpus Guest

    And the second half.
     


  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

     
  6. silvervulpus

    silvervulpus Guest

    I have not cross-posted within majorgeeks.com. I actually was going to post here first, but I thought maybe I should go to Comodo, against my gut instinct, and I was right. The incredible lack of response from them was disheartening, so I decided I should have just trusted my instincts and posted here. As it stands, MajorGeeks has been my go-to for over a decade and I would prefer to follow this post, as the Comodo post has not even been viewed by an admin; no reply given in over 12 hours, not even so much as a "hold tight, we will get back to you". From this point forward I will not be following anything from the Comodo post until we have reached a point here where it is resolved, or we cannot resolve it and resign; then, after, I will try to pursue the Comodo forum. I will dedicate my attention to any help MajorGeeks can offer. I apologize if I have been disrespectful or broken any rules.

    Is there anything else I can do to be useful or give information which might be helpful while I wait?

    Totally off-topic: tell Eldon I said hi, I miss talking to that old bat!
     
  7. silvervulpus

    silvervulpus Guest

    I have removed the posts from Comodo's forums to pursue help here at MajorGeeks. I apologize; I didn't think about the ramifications of my initial actions. Thank you. Yet again, if there is anything I can provide to help, please let me know, or just give me a "hold tight, we will talk soon" kind of message. Thank you again, sorry for the cross-post.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you want assistance with malware, please follow the Read and Run First instructions at the top of this forum.
     
  9. silvervulpus

    silvervulpus Guest

    As before, I am for some reason unable to upload txt files to MajorGeeks. My best guess as to why: because I am stuck using a Chrome version from 2011, and it is a security risk. Either way, I attempted an upload and it failed, so here are the log files saved in pastebins, because it is the next best thing I can do aside from taking screenshots. I'm sorry for the inconvenience; I am doing my best within a messed-up working environment. Don't know why I can upload images but txt files seem to always fail.

    Malwarebytes AdwCleaner
    https://dpaste.de/qcuq

    Malwarebytes scanlog without rootkit activated
    https://dpaste.de/J6Bh

    Malwarebytes with rootkit scan activated
    https://dpaste.de/VeSX

    RogueKiller log
    https://dpaste.de/1FFv

    Ran into a problem with MGTools not covered in the tutorial or in the other link about why it might not be running. I did run the installer and the getlogs.bat as an administrator. Not sure why I don't have permission. Image attached.
     


  10. silvervulpus

    silvervulpus Guest

    As suspected, the logs here, with the exception of MGTools because it won't run properly, show no indication of any problems linked to the issue I am having with Windows updates or the problems detected by Comodo during the update process caused by the serialization.dll's in C:\Windows\assembly, shown in the images attached to my initial post. Now if you will excuse me for an hour or two, I have to go remove a bunch of programs that I never needed, like MBAM and RogueKiller, then clean up all the traces, junk data, and adverts left behind... Let me know what I can do next, and if you have an alternative solution to the issue with MGTools, as I could not get it to work after multiple tries and methods of enhancing my permission status.
     
  11. silvervulpus

    silvervulpus Guest

    Sweet, finally got the MGLogs.zip file to populate and run. Just had to set MGTools itself to compatibility mode for Windows 7 (even though I am on Windows 7) and set it to always run as admin. Here you are. Now the problem is, I cannot upload the MGLogs.zip to MajorGeeks; same error style as when I try to upload text files. So here is a hyperlink to a site where you can download my MGLogs.zip... Yet again, I can't update my browser until we fix the Windows Update issue, so I can't actually follow the protocol for this website, and I apologize. I am doing what I can, with what I have.

    https://we.tl/t-3QNFkmrrZf

    I am trying to get a Firefox browser to install now, so I don't have to rely on hyperlinks and can actually upload the data. No luck yet, but I am not out of tricks in my bag, so hopefully by my next post I will be able to upload properly via Firefox.

    EDIT***

    That log file was rather empty. Re-ran MGTools, got the getlogs.bat to run, should yield different results soon. Ignore the file in the link above; I will post the new one when I finally have the actual log produced. Wow, this tool is a pain in the butt. Hopefully it actually produces something useful, unlike every other program I have run and installed needlessly so far. Hope it's worth the time and effort I am wasting on it.
     
    Last edited by a moderator: Apr 28, 2019
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Hitman?

    For MGtools, did you save MGtools.exe to C:\MGtools.exe as requested? It must be saved to the root folder of your Windows boot drive. Do not save it anywhere else and do not attempt to Run or Open it from the download link. You must save it to your PC. Please try again and make sure you follow the instructions exactly. If you get any error messages, see if it is one of the ones that are explained on the download page. If the error is not on the download page, give us the exact word-for-word message.


    Please click Start, Run, enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt, each followed by the Enter key. The text before the arrow is the command; the text after the arrow is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.



    The reasons for MGtools not running properly are typically any combination of the below:

    * user not following all instructions
    * malware that causes problems
    * Windows OS problems

    When MGtools does not run, you need to ask specifically what happens when running some of the batch files from a command prompt window. This is the correct method to help diagnose the problem.
     
  13. silvervulpus

    silvervulpus Guest

    I did save it directly to C:\MGtools; it created the following file path anyway.

    C:\VTRoot\HarddiskVolume2\MGtools

    Not really important though. I got it to run properly; I am waiting for it to finish before I run HitmanPro, as I had problems downloading Hitman with the crap Chrome browser I was on and had to get it on another system and transfer it via USB drive.

    MGTools is running now, and I finally got it running properly, just waiting for it to finish, then I will run HitmanPro. Although I would say the MGTools tutorial you have needs to be updated, as it is unclear how it will work in the step by step, and it auto-runs the GetLogs.bat when you start it up. Telling people to run the getlogs.bat will only cause confusion. Why tell someone to do something that is automated?
     


  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Running the getlogs.bat is for running it a second time... or if you have difficulty running it the first time.
     
  15. silvervulpus

    silvervulpus Guest

    MGTools stalled and crashed after three hours of running analyse.exe. Whatever, doesn't matter; it won't give me the information I seek anyway. HitmanPro log showed absolutely no results or threats.

    Any other programs I need to download and install and run? Or can we start actually researching the System.Runtime.Serialization.dll files which are causing the issue, as I highlighted in my initial post? Because I am a little frustrated after working on this all of last night, all of today, and taking a bunch of unnecessary steps to find no real information which will be progressive towards a positive resolution. Whether the solution is simple or complex, the problem is very cut, clean and dry: I have a bad serialization.dll file, which is automatically populated during the update process; the DLL itself is showing up in Comodo as a tagged and verified malware, and it is causing critical failure and reversion during the system update process.

    What do I need to do to prevent the infected serialization.dll's from populating, how do I get healthy DLLs to populate instead, and how can I locate the core file that is causing the corrupt DLLs to populate in the first place?

    Because so far I have not found a way to locate it, and if I remember learning about pickling in Python correctly, there is no way to check a serialized data packet, and during the unpacking process it is dangerous, as there is no way to verify its authenticity or safety. Albeit, because Comodo utilizes code analysis through Python, and has an engine designed to scan serialized data as it is unpacking, it has been the sole tool to detect the active malware on my machine, but only during the unpacking process. Now, even though System.Runtime.Serialization.dll is not using Python-based code, they are still unpacking and packing serialized data, which the Comodo code detection is designed to scan, which explains why it is the only tool so far to actually catch it, and it only catches it during the act of installing the updates through the Windows system update.

    Now that we have covered the basics of this problem, and are on the same page, let's step down off our high horses, climb down from our ivory towers, and come to realize: I have been doing computers for 20+ years and programming for more than 3+ years; you are obviously talented and skilled at what you do, or you would not be in the position you are in, Mr. Jedi Master with a Sith avatar. Put our dicks away, stop talking to each other like the other person is an effing six-year-old with trisomy problems, and figure this out, because the results of this could potentially help lots of users in the future prevent headaches like the one I have throbbing in my skull right now.

    Down to business. My suspicion is, either the out-of-date Java 6 JRE is infected, causing malware to populate and fail the update, the .NET Framework is infected, or the C++ runtime is infected, all of which are utilized during the Windows Update process, all of which have the permissions to create serialized data during the update, and all of which could be infected to populate malicious data instead of the default data as it should.
    Now, I wanted to make sure I could get dentures before pulling my teeth out, but as it stands, I have been one by one removing, scanning, and installing the newest version of each of the runtime packages listed above. Lo and behold! My Windows update went off without a hitch after replacing all three of them with new versions from trusted sources.
    Thanks for nothing, Tim; you have been about as useful as a permanent marker on a chalkboard. Remind me next time to talk to Eldon or Moriarty; at least then I can have a decent conversation with someone who doesn't treat me like a Mexican Trump supporter.

    Ban me. I don't care. Eff you, Tim. I have at least six accounts, I buy and sell refurbished hardware daily, and I know how to run a proxy. If I want to come back, I will be back. Next time, instead of ignoring everything the person in need of help posts, try paying attention to what they are saying, and instead of asking people to literally waste an entire day running unnecessary programs, you can take five minutes to consider an actual solution without sending them through fiery hoops with no actual results.

    Glad I could figure it out on my own without you. Feel bad for the next guy who asks you for help. Thanks for ruining over a decade of good memories on these forums with a single day of garbage. You can explain to your boss why my yearly donation to the website won't arrive this Christmas. Fuck it. Bridge burned.
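
    An added example, not part of any post in this thread, of the check a responder would have wanted before treating the Comodo alerts as confirmed malware: a PowerShell script that lists every System.Runtime.Serialization.dll under C:\Windows\assembly, checks each file's Authenticode signature and records its SHA-256 hash, and first flags whether C:\VTRoot exists (the directory Comodo's sandbox uses for virtualized file writes, which is where the poster's MGtools copy ended up). The DLL name is the only input taken from the thread; the paths, the PowerShell 4 requirement and the "signer must be Microsoft" test are assumptions, stated in the comments.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell 4+ prompt
# on the affected Windows 7 host; the only input taken from the thread is the DLL
# name that appeared in the Comodo alerts.

$gacRoot = 'C:\Windows\assembly'
$target  = 'System.Runtime.Serialization.dll'

# C:\VTRoot is where Comodo's sandbox stores virtualized file writes. If it exists,
# a program (or a "missing" file) may be living in the sandbox, not on the real disk.
if (Test-Path 'C:\VTRoot') {
    Write-Warning 'C:\VTRoot exists: some files may be Comodo sandbox copies, not real system files.'
}

# Explorer shows the GAC through a shell extension, which is why browsing to the
# flagged files fails. From PowerShell the GAC_MSIL / GAC_32 / GAC_64 subfolders
# are ordinary directories; -Force includes hidden/system entries.
$files = Get-ChildItem -Path $gacRoot -Recurse -Force -Filter $target -ErrorAction SilentlyContinue

if (-not $files) {
    Write-Host "No $target found under $gacRoot (the framework copy lives under C:\Windows\Microsoft.NET\Framework*)."
}

$report = foreach ($f in $files) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $f.FullName
        Size      = $f.Length
        Modified  = $f.LastWriteTime
        SigStatus = $sig.Status          # Valid / NotSigned / HashMismatch / ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = $hash
    }
}

$report | Format-Table -AutoSize

# Assumed rule: a GAC copy of a .NET Framework assembly should carry a valid
# signature whose subject is Microsoft. Anything else gets listed for a closer look
# (hash comparison against a known-good machine), not automatically deleted.
$suspect = $report | Where-Object {
    $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation'
}
if ($suspect) {
    Write-Warning 'Files with missing, invalid or non-Microsoft signatures:'
    $suspect | Format-List Path, SigStatus, Signer, SHA256
}
```

    Two caveats. On older Windows and PowerShell versions Get-AuthenticodeSignature only checks a signature embedded in the file, so a system file that is signed through a security catalog can report NotSigned; for any such file, compare its SHA-256 against the same file on a known-good machine with the same .NET Framework version before concluding anything. Get-FileHash needs PowerShell 4 or later; on the PowerShell 2.0 that ships with Windows 7, certutil -hashfile <path> SHA256 gives the same hash.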
     
  16. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Excuse me??? I asked you to run our standard scans. You said you were having issues with MGTools.exe and I gave you an alternative way to run and get the necessary logs. And I explained to you the reasons for running getlogs.bat... You have NO MALWARE IN YOUR LOGS. Happy? Six accounts? Bye.
     
  17. the mekanic

    the mekanic Major Mekanical Geek

  18. Replicator

    Replicator MajorGeek

    Not cool, silvervulpus... TimW gives his time and knowledge here for nada!

    Where else do you get anything in this world for free?
     
    Last edited: Apr 29, 2019
  19. risk_reversal

    risk_reversal MajorGeek

    Not from my ex-wife, that's for sure ......
     
