Adlice forum

Software feedback => RogueKiller => Topic started by: markem on July 29, 2020, 11:22:11 PM

Title: I was dumb - got a virus
Post by: markem on July 29, 2020, 11:22:11 PM
Last week I downloaded a program and ran it. It turned out to be a set of viruses. I went to MajorGeeks, downloaded RogueKiller et al, and RogueKiller found everything and got rid of it. I then rebooted and ran RogueKiller a second time. It found the virus again and killed them. Repeat a couple more times. So then I looked at MSCONFIG - nothing there. Then I used FileLocator and found one of the virus programs had a link (ScrSnap.lnk). I removed the files and folders in the temp/ directory. Rebooted. Ran RK. Found and removed viruses again. So, on a hunch, I ran MiniTools and found a 16MB partition on my hard drive. I ran DiskManager and - it did not see it. I tried to look at the partition but could not get to it. It was hidden and locked. So then I used MiniTool to reformat it and delete it. Currently I am running RK again to see if now the viruses show up. My main reason for posting is that this is the first time I have seen a virus create its own partition and just wanted you to know about this. If the viruses show up again I'll post about it.
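An added example, not from the original post, RogueKiller or MiniTool: a small Python parser that reads an MBR partition table from a raw 512-byte sector and lists every entry, including ones with "hidden" type codes, so a disk can be checked independently of what Disk Management chooses to display. It assumes an MBR-style disk; the sample sector is constructed, and reading a real disk would need administrator rights and a raw device path such as `\\.\PhysicalDrive0` (assumed).

```python
import struct

# Well-known MBR partition type codes. The 0x1x codes are the "hidden"
# variants used by some OEM tools and boot managers; 0xEE is the protective
# entry of a GPT disk (the real table then lives in the GPT, not here).
PART_TYPES = {
    0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)",
    0x16: "Hidden FAT16", 0x17: "Hidden NTFS", 0x1B: "Hidden FAT32",
    0x1C: "Hidden FAT32 (LBA)", 0x1E: "Hidden FAT16 (LBA)",
    0x27: "Windows recovery", 0xEE: "GPT protective",
}
HIDDEN_TYPES = (0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E)
SECTOR = 512

def parse_mbr(sector: bytes):
    """Return a list of dicts, one per used slot of the 4-entry MBR table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector (bad length or signature)")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, ptype, lba_start, num_sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "slot": i, "type": ptype, "name": PART_TYPES.get(ptype, "unknown"),
            "bootable": status == 0x80, "lba_start": lba_start,
            "size_mb": num_sectors * SECTOR // (1024 * 1024),
            "hidden": ptype in HIDDEN_TYPES,
        })
    return parts

def make_entry(status, ptype, lba_start, num_sectors):
    """Build one 16-byte table entry (CHS fields zeroed; LBA is what matters)."""
    return struct.pack("<B3xB3xII", status, ptype, lba_start, num_sectors)

# Constructed sample: a bootable 100 GB NTFS partition followed by a 16 MB
# hidden-NTFS partition (32768 sectors of 512 bytes) at the end of the disk.
SAMPLE_MBR = (b"\x00" * 446
              + make_entry(0x80, 0x07, 2048, 100 * 1024 * 2048)
              + make_entry(0x00, 0x17, 2048 + 100 * 1024 * 2048, 32768)
              + b"\x00" * 32 + b"\x55\xAA")

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        flag = " [HIDDEN]" if p["hidden"] else ""
        print(f"slot {p['slot']}: type 0x{p['type']:02X} {p['name']}, "
              f"start LBA {p['lba_start']}, {p['size_mb']} MB{flag}")
```

A 0xEE entry means the disk is GPT and the MBR only holds a protective stub; the GPT header at LBA 1 would have to be parsed instead.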
Title: Re: I was dumb - got a virus
Post by: Curson on July 30, 2020, 07:24:06 PM
Hi markem,

Just to be sure, we will be doing a full system investigation.

Please download Farbar Recovery Scan Tool (x64) (https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/) and save it to your Desktop.
Regards.
Title: Re: I was dumb - got a virus
Post by: markem on July 31, 2020, 02:04:50 AM
I have Avira running, have run HitManPro and RogueKiller again. I have no idea what may show up. One thing I do know now is - my Windows 7 Pro now says I need to put in the activation key again. Ugh. :-(
Title: Re: I was dumb - got a virus
Post by: markem on July 31, 2020, 02:24:44 AM
Here are the files. :-)
Title: Re: I was dumb - got a virus
Post by: Curson on July 31, 2020, 04:28:05 AM
Hi markem,

Your system is damaged.
Please make a backup of your personal data before proceeding any further.

Uninstall the following programs if you haven't installed them:
Quote
Advanced Port Scanner
FileZilla Server
Free ZIP Password Recovery
TightVNC
kernrate

Download and run kavremover (http://media.kaspersky.com/utilities/ConsumerUtilities/kavremvr.exe) to remove some residual drivers from Kaspersky.

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Is your computer new (less than four months old)?
Regards.
Title: Re: I was dumb - got a virus
Post by: markem on July 31, 2020, 06:34:50 AM
Ok. All of those I installed myself except the last one. But - I will uninstall all of them for this. I'll let you know how it goes here in a bit (or maybe tomorrow since it is almost midnight here). By the way - I use Revo to do the uninstalls because it does get rid of registry entries and files which might have been left behind.

Question: Avira is still running. It is scanning all of the disk drives. Should I stop it? Or wait for it to complete? Waiting could take a week or more. I'm thinking "Stop it" - but want to be sure. Thanks ahead of time.

To tell you more - I have several computers and use TightVNC to talk to them and FileZilla to move files around. Since my computer got infected I have NOT used either to do anything. I will be changing the password to the router here in a few moments. Already changed bank's info, Paypal, eBay, Amazon, and several other accounts. I'm writing a PHP script to scan all drives to ensure nothing has been installed and then I'll be writing one to send me to all 500 some odd websites to change the passwords on those as well. (Viruses are always a pain in the rear.)
Title: Re: I was dumb - got a virus
Post by: Curson on July 31, 2020, 08:16:46 PM
Hi markem,

These programs could have been installed by the attacker. If you are the one who installed them, you don't have to uninstall them.
Regarding your question about Avira, stop it. You can run it later again to be sure to get rid of all the leftovers.

It's a good thing you changed your passwords.
Could you please attach the fixlog.log file with your next reply?

Regards.
Title: System mucked
Post by: markem on August 04, 2020, 03:07:09 AM
Here is the output. After days of trying to back up my information I finally gave up. The virus has deactivated my system, deleted my AlcoholSoft 120% license, and several other licenses. I'm going to have to try to back everything up as best I can and wipe the hard drive, install Linux, install Oracle's VirtualBox, and run Windows software from there. Thanks for your help. Here is the log. I'll wait for your reply.
Title: Re: I was dumb - got a virus
Post by: Curson on August 04, 2020, 07:28:40 PM
Hi markem,

OK, I understand.
Good luck with your system reinstallation.

Regards.
Title: Re: I was dumb - got a virus
Post by: markem on August 04, 2020, 09:50:23 PM
Thanks and thanks for your help. System is really acting weird right now. :-/
Title: Re: I was dumb - got a virus
Post by: Curson on August 05, 2020, 03:43:29 AM
Hi markem,

You are welcome.
Sorry I was not able to help you further.

Regards.
Title: Re: I was dumb - got a virus
Post by: markem on August 05, 2020, 07:43:33 PM
Let me add a new twist to this problem. The virus has some kind of a part to it that kills USB devices. Ugh. Now on my laptop. Going to run the program again and upload the text file.

Running Avira PC Cleaner and ClamWin. Avira has found 6 viruses so far.
Title: Re: I was dumb - got a virus
Post by: markem on August 05, 2020, 08:06:04 PM
Here are the laptop's files.
Title: Re: I was dumb - got a virus
Post by: markem on August 05, 2020, 08:24:15 PM
Found the problem with USB. Uploading info. Need to know how to fix if possible. It is beginning to muck with the laptop's keypad.
Title: Re: I was dumb - got a virus
Post by: Curson on August 06, 2020, 12:11:31 AM
Hi markem,

If you do a full system reinstall, all these problems will be gone.
Regards.
Title: Re: I was dumb - got a virus
Post by: markem on August 06, 2020, 01:06:10 AM
Would that it was that simple. Both the Desktop and Laptop have software that you MUST uninstall BEFORE wiping and reinstalling. Otherwise - it is just a huge hassle. Not just for me but for all of the software companies. Not to mention I also have to reset all of my 700 website locations. So yeah. Simple. Really. :-)
Title: Re: I was dumb - got a virus
Post by: Curson on August 06, 2020, 04:25:37 AM
Hi markem,

OK, I better understand the issue.
Your best bet is to reinstall the motherboard's drivers. They should be available on your computer manufacturer website.

Regards.
Title: Re: I was dumb - got a virus
Post by: markem on August 06, 2020, 06:26:44 PM
Ok. I'll give that a try. Should be simple. I own a Dell.
Title: Re: I was dumb - got a virus
Post by: markem on August 08, 2020, 05:08:57 AM
Ok. For the FUTURE - here is my solution:

Step #1 : Do a Google search for a site that has the top 25 FREE antivirus programs including such things as Malwarebytes, SuperAntiSpyware, Avira, Kaspersky, and CLAMWIN. ClamWin is a really neat free piece of software. It is still running but so is Kaspersky. Anyway - a small plug there for free software. :-) I currently have HitManPro running, RogueKiller running, Kaspersky running, and ClamWin running. This is to keep my system safe while I get rid of the virus stuff. Also I have #3 below running.

Step #2 : Download or RE-download all of your drivers. Look for the USB driver install and RE-install it. Then, reboot, then check to see if you can see every USB device you own. If not - RE-install it again and repeat. At some point you should be able to see your devices.

Step #3 : YOU NEED TO HAVE THIS AND RUN IT if netsh.exe (or NETSH.EXE) shows up in your Task Manager. Or better yet - download Microsoft's excellent Process Explorer and then look for the above program. If you have it you REALLY NEED my little program. This is called process.au3 (or PROCESS.AU3). It is an AUTOIT program. You can find and download AutoIt by Googling it, click on the download, go ALL THE WAY down to the bottom and download it. There is also a Script Editor (I use VIM). Install AutoIt and then run this simple program. What does the program do? It looks at your tasks, checks to see if netsh.exe is running, and if so - it kills it. It does this until there ARE no netsh.exe programs running, then it sleeps for 30 seconds and checks again. Here is the program:

Code:
#include <WinAPI.au3>
#include <Date.au3>

; Attach to the console this script was started from so that log lines can be
; written there. _WinAPI_AttachConsole(-1) fails when the script is started by
; double-click instead of from a command prompt, so exit in that case.
Local $iConsole, $hConsole, $iPID

$iConsole = _WinAPI_AttachConsole(-1)
If $iConsole = 0 Then Exit
$hConsole = _WinAPI_GetStdHandle(1) ; STD_OUTPUT_HANDLE
If $hConsole = -1 Then Exit
_WinAPI_WriteConsole($hConsole, @CRLF & "Watching for netsh.exe ..." & @CRLF)

; Main loop: kill every netsh.exe instance that is found; once none is left,
; sleep 30 seconds and check again. Stop the script with Ctrl+C in the console.
While 1
    ; ProcessExists returns the PID of the first matching process, or 0.
    $iPID = ProcessExists("netsh.exe")
    If $iPID Then
        killProcess($iPID)
        _WinAPI_WriteConsole($hConsole, _Now() & " : NETSH was running (PID " & $iPID & "), killed" & @CRLF)
    Else
        _WinAPI_WriteConsole($hConsole, _Now() & " : NETSH is NOT running" & @CRLF)
        Sleep(30000) ; wait 30 seconds before the next check
    EndIf
WEnd

Func killProcess($iPID)
    ; Terminate the process with the given PID.
    ProcessClose($iPID)
EndFunc   ;==>killProcess

You should be able to run the program by just typing "autoit3 process.au3". This will keep netsh.exe from downloading more viruses onto your system. Ok - so first you download AutoIt3, install, run this program AND THEN you run something like Kaspersky and ClamWin (I am running a lot of them and none of them seem to interfere with the other antivirus programs.)

Step #4 : So you have made it this far - after days of reading information online about what to do I FINALLY found how to stop netsh.exe. This is how you do it:

Code:
netsh interface ip reset log.txt
This resets your internet interface, gets rid of any commands that might have been put into netsh.exe's execution loop. You MUST reboot after this or netsh.exe will just continue to start up new instances of it.

This is what I have so far. I have NOT yet rebooted because I am backing everything up and I am making a DVD with drivers for my laptop.

PS: The Preview didn't seem to do anything. Let me check this again. Ah! That got it! :-)

PPS: The AutoIt3 program was taken, in part, from examples in the AutoIt3 documentation. The netsh command was taken from:

https://lizardsystems.com/articles/configuring-network-settings-command-line-using-netsh/

You can also use:

Code:
netsh interface ip delete arpcache
which can clear the ARP cache.

And - argh. Netsh.exe is still trying to run - but wait! I still have not rebooted. Ugh. I will reboot tomorrow. Hopefully all of the 7-zip programs will have finished and yes - I know the archives might have a virus in them. Probably not with all of the antivirus software that is running - but we shall see! :-)

Mark