UPS Virus Problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Slider5150, Jul 7, 2011.

  1. Slider5150

    Slider5150 Private E-2

    Hello.

    Well, I finally got back into this computer far enough to run most of the programs. I am attaching the logs.

    This started when a buddy opened the UPS attachment. Dingdong.

    Anyways, when he brought it to me, his ntoskrnl.exe was corrupt and windows wouldn't load. His computer has a raid1 which complicated things. After making a slipstreamed copy of his windows install disk with the raid drivers on it, I ran chkdsk /r and then managed to do a repair install on windows. Got me in. I copied his personal files out and began the process.

    (I thought ccleaner used to be part of this?)

    Anyway, given that we had already tried SAS and MBAM, the logs came up empty.

    Ran into a problem with MGTools. It is in the C: root. Double clicked, and it created the MGtools folder and that's it. I am pretty darn sure it never ran. The zip file was never created. A dos window popped open and closed in a blink and that's it. So no MG Tools log.

    Following your directions and doing the downloads was done with Safari. Explorer appears to be blocked.
    This is still the case.

    In one of the logs you will see a ntoskrnl.exe.bak2 or some such. I was backing up ntoskrnl file iterations while working on that. Not saying that the virus isn't hiding in there, but I was messing around with that and almost certainly created the file with that name.

    During the process run I kept getting popups stating that Microsoft Feeds Syncro had encountered a problem and needed to close. Usual looking crashed program error report box, not that that means anything...

    Please let me know what else I can do. At this point, having re-tested his explorer, I can confirm that it is still hosed. The error message is

    The requested lookup key was not found in any active activation content

    hmm.

    Pretty nervous about rebooting this sucker right now as I have been able to get into Windows a couple of times now and then the ntoskrnl problem starts again.

    Ug. I am sick of this sucker.

    Thanks for your time y'all!!!

    Slider
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not seeing any malware in these logs.

    > (I thought ccleaner used to be part of this?)

    Not anymore. Some recent malware has been storing things in the temp folders and if CCleaner or another similar disk cleaner is run, you will lose the backups needed to fix the problems from the malware.

    > Ran into a problem with MGTools. It is in the C: root. Double clicked, and it created the MGtools folder and that's it. I am pretty darn sure it never ran.

    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    nwktst <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    analyse <-- this will try to run TrendMicro HijackThis. Click twice on the Accept button to accept the license agreement if it shows. Then run a scan and save a log. Tell me what error messages, if any, you see.
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run another scan from MGtools. Tell me what error messages, if any, you see.
    Now look for the C:\MGlogs.zip file and attach it no matter what happened while doing the above.


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
    • Attach this log to your next message. (See: HOW TO: Attach Items To Your Post )



    Problems with Windows should be posted in the Software Forum.
     
  3. Slider5150

    Slider5150 Private E-2

    Hopped in and ran those bat files.

    nwktst, GetRunKey, and ShowNew all errored with

    The system cannot find the path specified.

    Well, so I ran DIR. Found nwktst. It's there.....

    Analyse ran. Only had to hit accept once. Log attached.

    Downloaded MBRCheck and ran it. Ran fine.

    When I hopped on this am, I had to close like 50 of those windows error boxes for the Microsoft Feeds Synchro. Sheesh.

    Thanks again.

    Slider
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not malware. It is part of the Windows RSS platform that monitors RSS feeds you've subscribed to. I suggest that you turn it off ( at least for now ):
    1. Run IE and click the Tools menu selection.
    2. Then select Internet Options from the pop-up menu.
    3. Then click the Content tab of the Internet Options dialog box.
    4. Now locate the Feeds and Web Slices section ( towards the bottom of the form ) and click the Settings button.
    5. In the Feed and Web Slice Settings dialog box, uncheck the "Automatically check feeds and Web Slices for updates" check box.
    6. Then exit your browser and restart it.
    It sounds more like you have Windows problems than malware. Let's see if we can find out what the problem is with running the MGtools programs.


    Please click Start, Run, and enter cmd and click OK. This will open a command prompt window. Enter the below commands at the command prompt each followed by the enter key. The bold black are commands. The purple is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools> Tell me if you do not get this prompt.

    set > C:\envinf.txt <-- note the spaces around the greater than sign
    dir >> C:\envinf.txt <-- yes two greater than signs


    Now attach the C:\envinf.txt file.
     
  5. Slider5150

    Slider5150 Private E-2

    Good Morning. I am attaching the envinf.txt

    Right now, when I hop into the DOS shell, I don't see the prompts. I can use DIR to figure out what folder I am in, and seem to be able to move around ok. I am tempted to re-start the system to see if it shows up, but this issue has a history of blowing up on re-boot (ntoskrnl.exe becomes corrupt or it goes into a reboot loop), so I am leery of that.

    Regarding the RSS feed. Looked under content, and that option wasn't there. Then I looked at the version of Explorer and it is 6. I imagine that upon repair-installing windows, the current Explorer got overwritten. I don't know how to kill RSS feeds in a version that old. Perhaps this explains the error I detailed below when I try to log into any other website. (I used www.ebay.com to test)

    Right now I have auto updates turned off. I am concerned about re-booting the computer, as noted above, and didn't want that happening automatically.

    Thoughts? Perhaps time to start doing some of the updates?

    Thanks again.

    Slider
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have not rebooted since running ComboFix and that has left the PC in a strange state and could be the reason for the MGtools items not working. Or they may not be working due to other Windows issues. I have not seen any signs of malware yet. You may more likely just have a broken Windows installation. Perhaps you should post in the Software Forum and work on a repair/fix of Windows.
     
  7. Slider5150

    Slider5150 Private E-2

    Ok. I will re-boot and start doing the updates and see what happens. I will drop a note back, and if I continue to have issues, revive my thread over there. If I see anything curious, I will re-post here.

    Thanks a bunch!

    Slider
     
  8. Slider5150

    Slider5150 Private E-2

    So I have now re-booted several times, and run all of the critical updates from Windows Update. Other than one thing, Windows appears to be functioning normally.

    One thing has me concerned about malware. I updated Malwarebytes, Super-AntiSpyware, MSE, and Spybot.

    Malwarebytes and Super-AntiSpyware both updated, including program mods for Super-AntiSpyware.

    Spybot reported no upgrades available.

    But, MSE reported an error, that it couldn't process updates due to internet connectivity issues. Whenever one of my spyware hunters fails to update like this, I start thinking that some malware is blocking its update.

    Should I be so concerned when that happens? Should I un-install and re-install MSE? Switch to something else?

    Right now, I am running a full MSE scan, and my plan, assuming that MSE doesn't find anything, is to restart in safe mode and run Malwarebytes, Super-AntiSpyware, and Spybot and see if they dig up something.

    Thoughts?

    Thanks

    Slider
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No I would not be concerned since none of your logs have indicated any malware was present.

    Yes, if problems with MSE persist, you could uninstall, reboot, and reinstall and see what happens. For continued support with this you should post in the Software Forum since malware does not seem to be your problem.
     
