Adlice forum

General Category => Malware removal help => Topic started by: jpraymond on May 01, 2016, 08:06:41 PM

Title: Problems return after reboot
Post by: jpraymond on May 01, 2016, 08:06:41 PM
I have run Rogue Killer Premium 3 times, yet the same errors reappear after reboot.

Rather than posting more info than you need, I have attached 4 .txt files, and 3 or 4
.jpg files for a better view of what I see.

Please advise? (No, I can't afford to update beyond Win XP Home, as I'm on SSDI)

Thank you very much. (If I've posted in the wrong area, please move to such), and if possible,
please undo my dumb-ass move of "Show all as read" or some command, as there are many I
am unable to view...

MË₮ẮĻĦËẮÐ
Title: Re: Problems return after reboot
Post by: Curson on May 02, 2016, 01:50:02 PM
Hi jpraymond,

Your computer is infected with a variant of trojan Gootkit, a Trojan horse that steals confidential information.
Please consider that all your online accounts may have been compromised and be especially wary of unauthorized transactions if you use online banking.

Please download Farbar Recovery Scan Tool (x86) (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to your Desktop.
Quote from: jpraymond
Thank you very much. (If I've posted in the wrong area, please move to such), and if possible,
please undo my dumb-ass move of "Show all as read" or some command, as there are many I
am unable to view...
I'm sorry but I'm unable to reverse this operation.
This command marks all threads as read but you should be able to access them without problems.

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 02, 2016, 05:25:50 PM
Thank you Curson.

Have done as instructed, and will post the 2 files now. I really appreciate the help, especially knowing the ramifications it could cause.

Prior to reading your reply, I had run Malwarebytes, and it found the same problem as before. I did not reboot, and then ran RogueKiller, supposedly cleaning the system, then logged onto the Adlice forum. If you wanted the FRST.exe run prior to removing the virus(s), please send me an email and I'll reboot and not run virus / malwarebytes software before running the two programs to rid this system of the problems.

Thank you once again,

JP
Title: Re: Problems return after reboot
Post by: Curson on May 02, 2016, 06:31:30 PM
Hi jpraymond,

It's OK.
Uninstall the following software using Add/Remove Programs (if present):
Quote
Adobe Flash Player 20 ActiveX
Amazon Assistant
MySecurityCenter License Service

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is the computer running now?

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 02, 2016, 09:42:02 PM
About to run program... sorry, had to run out and get a suit, for a legal suit going on in Salem, Ma., as not one of my old suits fixed.  :-[

When deleting the 3 programs you gave, I had to go into boot mode to remove the Amazon Assistant... it was probably in process with other Amazon programs.

Will respond again and post file you requested...

Again, thank you very much for the help...  8)

--------------------------------------------------------------------------

Did as you said, and result at this time

When it first came up with an error, it shut down mail account, and mspaint.

Can't attach anything in edit mode...
Title: Re: Problems return after reboot
Post by: jpraymond on May 02, 2016, 10:08:44 PM
txt file and jpg files attached. Should I reboot into safe mode, then try it?

Thanks again for your efforts!!!
Title: Re: Problems return after reboot
Post by: Curson on May 02, 2016, 10:16:18 PM
Hi jpraymond,

Yes, please try in Safe Mode.

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 02, 2016, 10:59:35 PM
In safe mode, after running program in safe mode, reboot into regular mode, things would not work, and eventually forced me into another reboot, into safe mode...

Prior to forced reboot, tried to open adobe .pdf, and it seems the Amazon Assistance was needed.

In trying to copy/paste info as I've always been able to, only the "hand" for up/down mouse use was usable, and no "arrow" was visible. That seemed odd to me.
Title: Re: Problems return after reboot
Post by: Curson on May 02, 2016, 11:03:56 PM
Hi jpraymond,

Please attach the following file in your next reply.
Quote
C:\Documents and Settings\Jeff\Desktop\Fixlog.txt

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 02, 2016, 11:12:20 PM
Sorry, thought I had attached it first...

What I meant by nothing worked, I was referring to NSS, and other functions. System crashed after a few minutes, then I rebooted into safe mode to reply. Only left half was viewable,
as right half was all adds... and although viewable is color red underlined, it is correctly spelled.

Thanks... forgot to mention, the SONAR.Kotver!gen1 virus warning did NOT reappear after running scan/fix. System seems to be more stable, it was running slower before this... Directory I was working on with MANY .pdf files are now under /FRST/ Quarantine/C/Temp/ (vertically like)
2011
2012
2013
2014
2015
contained 49 .pdf files that I was working on for the court hearing tomorrow. That Is a big problem! I will add to next reply, which may help you see my new dilemma...
Title: Re: Problems return after reboot
Post by: Curson on May 02, 2016, 11:23:53 PM
Hi jpraymond,

The infection has been removed.
What do you mean by "NSS"? Is booting into Normal Mode still possible?
I have trouble understanding your explanations.

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 02, 2016, 11:50:12 PM
Ok will do, with my "current view" as well...

NSS = Norton Security System, yes, booting into normal mode is ok, and stabilized.
 
I'm sorry, describing the best I can... this English language is quite a pain to learn...


Title: Re: Problems return after reboot
Post by: Curson on May 03, 2016, 12:06:21 AM
Hi jpraymond,

OK, I'm glad the system is now working great.
You will need to download a PDF reader, since "Amazon Assistant" was removed.
I suggest PDF-XChange Viewer (http://www.tracker-software.com/product/pdf-xchange-viewer/download?fileid=445).

Quote from: jpraymond
Directory I was working on with MANY .pdf files are now under /FRST/ Quarantine/C/Temp/ (vertically like)
I wrote a script to restore this directory.
Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Are you able to access your files?

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 03, 2016, 12:52:53 AM
After running the PDF-Viewer then install, opened .jpg file, still have... was checking with the drop down menus in PDF-Viewer, went to Tools-Basic Tools - Select Tool allowed the pointer to return.

You're an amazing master of the codes! After working at DEC for 14 years, then PC repair business after the BIG "downsizing" of DEC.  :'( Never have been able to find anything close to what I was doing at DEC, or come close to what I was making, I (barely) get by.

Thanks for the assistance (FAR beyond my expectations!!!) I'll run Rogue Killer to ensure that is clear, and get back to the files, which hopefully will allow me "Grandparent Rights" to see my 2 grandsons I've never seen, and hopefully get to know them, and continue on with the relationship. Also hope to reconcile things with my daughter, who for reasons beyond my imagination, hasn't seen me since 2008 (all her choices, not mine)

Should anything new show up after the running of the RK SW, I'll let you know... otherwise, thanks doesn't seem to be enough for all the support! It's been an amazing experience!!!

Best regards, and God bless you and those you love and care for in ways only He can!

JP  8)
Title: Re: Problems return after reboot
Post by: Curson on May 03, 2016, 01:07:17 AM
Hi jpraymond,

I'm glad the issue has been resolved.
You can now delete FRST and the files linked to it, except the C:\FRST folder.
I will be very grateful if you could zip it and attach it in your next reply so I would be able to analyze the malware more deeply.

I strongly advise you to change your passwords since they may have been stolen.

Thanks for the kind words, this is very appreciated. :)
I wish you all the best, especially with the family issues.

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 03, 2016, 05:27:38 AM
Will try tomorrow after court in order to zip smaller files, as the whole thing just won't upload. I need to shower, and get up in 5 hours. Thanks for everything! Peace,

Attachment file from running RK program, coming out clean... perhaps someday you'll be able to address the hooks?

JP
Title: Re: Problems return after reboot
Post by: Curson on May 03, 2016, 05:37:07 PM
Hi jpraymond,

Quote from: jpraymond
Will try tomorrow after court in order to zip smaller files, as the whole thing just won't upload. I need to shower, and get up in 5 hours. Thanks for everything! Peace,
Please take your time, this is not urgent. :)

Quote from: jpraymond
Attachment file from running RK program, coming out clean... perhaps someday you'll be able to address the hooks?
I think those hooks are implemented by Norton Security System, so it's safe to assume they are legit.

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 03, 2016, 08:00:41 PM
I hope the first zip file went through ok? Here are the "Logs" content. Never mind my question in previous reply, as I did not know I could reply to the same post more than once... (if the first one did not work, then this will be the first and I'll have to split the previous .zip file)

Much like life, this is a continuous growing experience, or a permanent learning curve...  ???
Title: Re: Problems return after reboot
Post by: jpraymond on May 03, 2016, 08:13:48 PM
Does not look like the Hives.zip or Logs.zip worked, will try smaller sub-dirs...
Title: Re: Problems return after reboot
Post by: jpraymond on May 03, 2016, 08:20:42 PM
Sorry. you now have 2 "Logs"... how about a "Quarantine.zip" file, then I'll break down the hives.

FYI, Shockwave crashed, and has been doing that for over a week. With virus / trojan gone, Shockwave sucks!
Title: Re: Problems return after reboot
Post by: jpraymond on May 03, 2016, 08:50:41 PM
If I don't succeed the first time, try, try again  :-\

1.713 KB... what is the limit should this fail?
Title: Re: Problems return after reboot
Post by: jpraymond on May 03, 2016, 08:58:52 PM
That appears to have worked... next is "Hives_NoUsers"

7.27 KB

Ok. that seems to have worked... please email me it you encounter any problems with the files.

Thanks again Curson!

JP
Title: Re: Problems return after reboot
Post by: Curson on May 04, 2016, 12:48:00 AM
Hi jpraymond,

This is perfect.
Many thanks. :)

Regards.
Title: Re: Problems return after reboot
Post by: Curson on May 04, 2016, 01:45:40 PM
Hi jpraymond,

Thanks to your contribution, the analysis is doing great.
However, I would need an additional file to complete it.

Please follow the following process:
1) Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
Code:
reg save HKCR "%USERPROFILE%\Desktop\HKCR.hiv"
Do not close the command prompt until it says "Operation Completed".

2) A new file named HKCR.hiv should have been created on your desktop. Please zip it and attach it with your next reply.

Many thanks for your contribution. :)

Regards.
Title: Back again... {Sigh}
Post by: jpraymond on May 19, 2016, 08:10:35 PM
Hi Curson, sorry to return with the "Same old story..." but it's back. After running Anti-Malware, after reboot, this appeared...

"Cannot export C:\DOCUM~T\Temp/HKCURUNONBU.reg
:Error writing the file. There may be a disk of file system order."

In a basic dialogue box that had "Ok", again appeared over the 1st box, then normal screen appeared under the 2, just before I clicked on X. Attached are screen shots.

After many tries, I have yet to find something in both apps to cause it to check E: which is a problem.

Could you explain what are the steps to take to cause both C: and E: to be scanned at the same time? I am stuck here and can go no further. Can't find anything under both SW programs to even check the E: drive alone. Need extra help here please?

In the AfterRK Run, you'll notice I did not check the box

             Detection                          Type
"Suspicious Path|Vt.unknown | Registry:Run ... as I was concerned the "Type" - Registry Run might make it worse.
If you think there is no damage, I'll run it again (will most likely will HAVE to anyway) after reboot. Attached is rk_1.tmp, and 2 saved screen shots.

Thanks for the advice on PDF-XChange Viewer ... it works GREAT!

Please advise when convenient for you...

Thanks yet again Curson!

(No directory was created as with previous work) Ok, now what? rk_1.tmp. will try to rename file with .txt extension

You cannot upload that type of file. The only allowed extensions are doc, gif, jpg, jpeg, pdf, png, txt, zip, rar, 7z, log, json(?)

Addition: Anti-Malware continues to find
RootKit.Fileless.MYGen return after reboot, and running Rogue Killer this time nothing showed up, nor create new .tmp file. 

Also, forgot to mention, prior to this new problem, I have address book names, some new, and some old that had been deleted. These are still there, and have tried copying file, then import into "OpenOffice Calc" hoping to be able to edit/delete. The names that show when I forward, reply and any function in E-Mail I never added must be in a different file, that only shows up as mentioned.

I'm guessing when I attached E: (500 GB), and something there probably caused the virus to return. Will try to redirect scan to both C: and E:, and will let you know what, if anything shows up.

I'll edit after trying this, normal, then safe mode (Unsure if the drivers load needed to run either, or both Anti-MalWare and RogueKiller, and hope for the best. Be back to let you know what happens.
Title: Re: Problems return after reboot
Post by: Curson on May 20, 2016, 02:22:13 PM
Hi jpraymond,

The infection seems to have returned.
I believe it uses a vulnerability in Windows XP to propagate.

Quote from: jpraymond
Could you explain what are the steps to take to cause both C: and E: to be scanned at the same time? I am stuck here and can go no further. Can't find anything under both SW programs to even check the E: drive alone. Need extra help here please?
RogueKiller is currently only able to scan the system drive.
With Malwarebytes Anti-Malware it's possible, using the "Custom Scan" feature. Please do a scan of all your drives and attach the report obtained with your next reply.

Quote from: jpraymond
In the AfterRK Run, you'll notice I did not check the box

             Detection                          Type
"Suspicious Path|Vt.unknown | Registry:Run ... as I was concerned the "Type" - Registry Run might make it worse.
If you think there is no damage, I'll run it again (will most likely will HAVE to anyway) after reboot. Attached is rk_1.tmp, and 2 saved screen shots.
Please remove the following entry:
Quote
[Suspicious.Path|VT.Unknown] HKEY_USERS\S-1-5-21-839522115-1580818891-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Run | dzrth : "C:\Documents and Settings\Jeff\Local Settings\Application Data\ccb018\15848b.lnk"

Quote from: jpraymond
Thanks for the advice on PDF-XChange Viewer ... it works GREAT!
You are welcome.

Quote from: jpraymond
(No directory was created as with previous work) Ok, now what? rk_1.tmp. will try to rename file with .txt extension
I was able to read it this way. :)

Quote from: jpraymond
Also, forgot to mention, prior to this new problem, I have address book names, some new, and some old that had been deleted. These are still there, and have tried copying file, then import into "OpenOffice Calc" hoping to be able to edit/delete. The names that show when I forward, reply and any function in E-Mail I never added must be in a different file, that only shows up as mentioned.
There is very little chance this issue is malware-related.

Please follow the following process:
1) Launch the command prompt window (cmd) with admin rights and copy/paste the following command:
Code:
reg save HKCR "%USERPROFILE%\Desktop\HKCR.hiv"
Do not close the command prompt until it says "Operation Completed".

2) A new file named HKCR.hiv should have been created on your desktop. Please zip it and attach it with your next reply.

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 20, 2016, 09:48:09 PM
After a couple of reboots, and finding the problems came back each time, noticed it slows Mozilla Firefox down to a crawl after a short period of time, delaying my attempts to get back to the forum.

I've done everything possible to manually remove errors that return each reboot. I have 5 files to attach.

As the 47 items were on the screen, there was an attempt to take a file from my system, to upload it to a virus database of some sort, but Malwarebytes blocked it every time. I will try to write down the IP address and try to add that to malwarebytes approved IP addresses.

Also tried to upgrade to a current version, but have problems trying to do such.
Title: Re: Problems return after reboot
Post by: jpraymond on May 21, 2016, 05:11:29 AM
This time, ran in safe mode. Ran RogueKiller first (without driver), found 15848b, and zipped it to be attached, and a couple others. However, when the system reboots (from Off, as to clear memory) to start, it all returns.

As far as upgrading, I purchased the license for 1 year, and don't want to buy, or extend yet, so what's the problem in trying to upgrade to newer version?

Thanks... will blow up system with Semtex if not fixed by Sunday   :o
Title: Re: Problems return after reboot
Post by: Curson on May 22, 2016, 03:28:08 PM
Hi jpraymond,

Unless you attach the files as I asked you to (Malwarebytes Anti-Malware's report and HKCR.hiv), I won't be able to help you.
Please attach them with your next reply.

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 22, 2016, 07:05:58 PM
i'm sorry, my attempt to reply did not work. I will try to zip the HKCR.hiv, then attach the zip file. Again, had to change .tmp to .txt.

Since the most recent time I ran Malwarebytes, was this AM after a forced reboot (machine had not been shut down for 1 1/2 - 2 days), so please tell me where the report generated is found, and I'll attach it.

Also included is today's RK run, with a 2nd internet explorer affected, as before there was only 1. I could find no files generated after cleaning. Also still working to upgrade present version.

JPR
Title: Re: Problems return after reboot
Post by: Curson on May 22, 2016, 11:18:42 PM
Hi jpraymond,

I've successfully analysed the registry dump you provided.
Please follow the following process to find Malwarebytes Anti-Malware's report.

To retrieve the scan log information (Method 1):
To retrieve the scan log information (Method 2):
Alternatively, logs are named by the date of scan in the following format: mbam-log-yyyy-mm-dd and automatically saved to the following locations:
Quote from: jpraymond
Also still working to upgrade present version.
We recently made a few changes in the Updater that breaks compatibility with older RogueKiller versions.
Could you please download and manually install RogueKiller latest version (http://download.adlice.com/RogueKiller/setup.exe) ?

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 23, 2016, 01:25:45 AM
Here are the results (With new version, thank you!)

Method 1 - No Export
Method 2 - No View, No Export
Method 3 - Settings, History Settings, Export? No Export Log button, although checked.
Method 3a - Manually find Dir. with log, copy newest log to desktop.

MBam- log-201...04-04).xml (xml not included in allowed file types) Will include with .zip file.

Before and after .jpg files for view with new version.

Other files generated by RogueKiller, also attached... changed .tmp generated when I save results to .txt

Thanks again, (and for this, and for that), thanks!!!

JPR
Title: Re: Problems return after reboot
Post by: Curson on May 23, 2016, 03:51:30 PM
Hi jpraymond,

Thanks for the reports.

Please download Farbar Recovery Scan Tool (x86) (http://download.bleepingcomputer.com/farbar/FRST.exe) and save it to your Desktop.
Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 23, 2016, 06:00:03 PM
Thanks... was up until 3:00, and just woke up...

It seems Rootkit.Fileless.MTGEN became active overnight, when I was sleeping. Ran Malwarebytes, it says it is now gone, but no idea what triggered it?

Should I run Fix on FRST or RogueKiller? Will wait until you reply.

Thanks again for all the work you're doing to help! Best customer service I've ever experienced!

JPR
Title: Re: Problems return after reboot
Post by: Curson on May 23, 2016, 06:10:50 PM
Hi jpraymond,

The fix will be using FRST.

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

How is the computer running now?

Regards.
Title: Re: Problems return after reboot
Post by: jpraymond on May 23, 2016, 07:15:58 PM
After reboot, computer is running slow, and strangely...  (i.e. when trying to log in after FRST suggested reboot, there are 2 pages to enter Comcast mail. It was repeating the 1st step (Welcome to Comcast page) 2 - 3 times, prior to actually enter "mail" that I had clicked on in the 1st page, then same 2nd page, and finally was able to log into my email so I could respond to you. Right now, I am typing the text, and wait until it actually shows up. Ok, now typing as usual. Ran as you directed, and will attach the file you asked for. While you analyze that, going to run MWB to see if the RootKit.List.MTGen appears.

Thank you again,

JPR
Title: Re: Problems return after reboot
Post by: Curson on May 23, 2016, 07:36:32 PM
Hi jpraymond,

I want to make sure the infection is now really gone.
Please download SystemLook (http://jpshortstuff.247fixes.com/SystemLook.exe) and save it to your desktop.
Code:
:dir
C:\Documents and Settings\Jeff\Application Data
C:\Documents and Settings\Jeff\Local Settings\Application Data
:regfind
mshta javascript
Note: The log can also be found on your Desktop entitled SystemLook.txt

Regards.
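As an added example (not code from this thread, from RogueKiller, or from Adlice), a small Python checker that parses report lines shaped like the Run entry Curson asked to have removed earlier in the thread and flags the two persistence patterns this thread turns on: a .lnk dropped in a hex-named folder under Application Data, and an mshta javascript: launcher of the kind SystemLook was just asked to search the registry for. The sample lines, the regular expressions and the function names are constructed here and are not RogueKiller's own report specification.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class RunEntry(NamedTuple):
    key: str   # registry key holding the autostart value
    name: str  # value name
    data: str  # value data: a command line or a target path


# Shape of a RogueKiller registry finding: [Category|VT.Verdict] <key> | <name> : "<data>"
# (constructed pattern, derived from the one line quoted in this thread)
RK_LINE = re.compile(
    r'^\[(?P<cat>[^\]]+)\]\s+(?P<key>\S+)\s+\|\s+(?P<name>\S+)\s+:\s+"(?P<data>.*)"\s*$')

# A .lnk sitting in a short hex-named folder under the per-user Application Data path
LNK_IN_HEX_DIR = re.compile(
    r'\\Application Data\\[0-9a-f]{4,8}\\[0-9a-f]{4,8}\.lnk$', re.I)
# mshta running inline javascript: (the string SystemLook was asked to look for)
MSHTA_JS = re.compile(r'\bmshta(?:\.exe)?\b.*\bjavascript:', re.I)
# A value name that looks generated rather than chosen by a vendor
RANDOM_NAME = re.compile(r'^[a-z]{4,8}$')

# Constructed sample report. The first line is the entry quoted in the thread; the other
# two are made up here (a fileless launcher and a benign Windows entry). The category tag
# is kept identical on all three because assess() never looks at it.
SAMPLE_LINES = [
    '[Suspicious.Path|VT.Unknown] HKEY_USERS\\S-1-5-21-839522115-1580818891-682003330-1004'
    '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run | dzrth : '
    '"C:\\Documents and Settings\\Jeff\\Local Settings\\Application Data\\ccb018\\15848b.lnk"',
    '[Suspicious.Path|VT.Unknown] HKEY_CURRENT_USER\\Software\\Microsoft\\Windows'
    '\\CurrentVersion\\Run | qwhsd : "mshta javascript:PLACEHOLDER_SCRIPT"',
    '[Suspicious.Path|VT.Unknown] HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows'
    '\\CurrentVersion\\Run | ctfmon : "C:\\WINDOWS\\system32\\ctfmon.exe"',
]


def parse_rk_line(line: str) -> Optional[RunEntry]:
    """Split one report line into key, value name and data; None if it is not a registry finding."""
    m = RK_LINE.match(line.strip())
    return RunEntry(m['key'], m['name'], m['data']) if m else None


def assess(entry: RunEntry) -> List[str]:
    """Reasons an autostart value matches the persistence seen in this thread (empty = none)."""
    if not entry.key.lower().rstrip('\\').endswith(('\\run', '\\runonce')):
        return []  # only Run / RunOnce values are autostarts
    reasons = []
    if LNK_IN_HEX_DIR.search(entry.data):
        reasons.append('lnk target in hex-named Application Data folder')
    if MSHTA_JS.search(entry.data):
        reasons.append('mshta javascript: launcher')
    # a random-looking name only corroborates; on its own it would also match "ctfmon"
    if reasons and RANDOM_NAME.match(entry.name):
        reasons.append('random-looking value name')
    return reasons


def scan_report(lines) -> List[Tuple[RunEntry, List[str]]]:
    """Return every parsed entry for which assess() gives at least one reason."""
    hits = []
    for line in lines:
        entry = parse_rk_line(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            hits.append((entry, reasons))
    return hits


if __name__ == '__main__':
    for entry, reasons in scan_report(SAMPLE_LINES):
        print(f'{entry.name}: {"; ".join(reasons)}')
```

Run against the constructed sample, only the two suspicious values are reported; the ctfmon entry is left alone even though its name fits the random-name pattern.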
Title: Re: Problems return after reboot
Post by: jpraymond on May 23, 2016, 08:16:17 PM
Ran MWB and RogueKiller and came up with nothing at all!

Rather hesitant to connect to the E: drive... should you come up with a modification of your software, please let me know. Do you recommend I delete previous files, .tmp, .jpg, and others associated with this problem?

Thank you seems insufficient for all the work, and help you've provided, but until better words come to mind, or someone else's mind, THANK YOU!

SystemLook.txt will be attached in a few... I know this has been a PITA for you, and thanks for your patience, kindness, and I think I've said before, the BEST customer service I have ever experienced... Peace!

JP
Title: Re: Problems return after reboot
Post by: Curson on May 23, 2016, 08:36:47 PM
Hi jpraymond,

Quote from: jpraymond
Ran MWB and RogueKiller and came up with nothing at all!
Good. :)

Quote from: jpraymond
Rather hesitant to connect to the E: drive... should you come up with a modification of your software, please let me know. Do you recommend I delete previous files, .tmp, ,jpg, and others associated with this problem?
I don't think the infection is propagating through drives, so you can reconnect it.
Please don't delete those files for now, there is still a folder we must take care of.

Download attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system!

Run FRST and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Quote from: jpraymond
Thank you seems insufficient for all the work, and help you've provided, but until better words come to mind, or someone else's mind, THANK YOU!
SystemLook.txt will be attached in a few... I know this has been a PITA for you, and thanks for your patience, kindness, and I think I've said before, the BEST customer service I have ever experienced... Peace!
It was not so difficult but you are very welcome. :)

Regards.