Adlice forum

General Category => Malware removal help => Topic started by: effinglady on April 24, 2015, 03:48:28 am

Title: Assistance Requested
Post by: effinglady on April 24, 2015, 03:48:28 am
I suspect I may have an infection.  AVG detected Trojan horse msil7.bwhx.   This prompted me to run RogueKiller.  Please take a look at my report and advise me what steps I should take.

Thanks

RogueKiller V10.6.0.0 (x64) [Apr 17 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : soserenity [Administrator]
Started from : G:\Desktop_move\RogueKillerX64.exe
Mode : Scan -- Date : 04/23/2015  21:28:39

Processes : 0

Registry : 13
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | MailRuUpdater : C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe  -> Found
[PUP] (X64) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\soserenity\AppData\Roaming\Search Protection\SP.EXE" /autostart  -> Found
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | MailRuUpdater : C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe  -> Found
[PUP] (X86) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\soserenity\AppData\Roaming\Search Protection\SP.EXE" /autostart  -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe") -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe") -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe") -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

Tasks : 1
[Suspicious.Path] \\MailRuUpdateTask -- C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe (--scheduler) -> Found

Files : 0

Hosts File : 0

Antirootkit : 4 (Driver: Loaded)
[IAT:Inl(Hook.IEAT)] (chrome.exe) ntdll.dll - RtlCaptureContext : Unknown @ 0xffffffffed360217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (chrome.exe) wow64win.dll - sdwhwin32 : Unknown @ 0xffffffffed360217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (chrome.exe) wow64cpu.dll - CpuNotifyAffinityChange : Unknown @ 0xffffffffed360217 (call 0xffffffffeb2f0216)
[IAT:Inl(Hook.IEAT)] (chrome.exe) wow64.dll - Wow64KiUserCallbackDispatcher : Unknown @ 0xffffffffed360217 (call 0xffffffffeb2f0216)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 ATA Device +++++
--- User ---
[MBR] 6c5bee2a33b71e821770831803fd6426
[BSP] da718f200c79b6b4eb69e7ee20c6fa8e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 51100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 104859648 | Size: 902666 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_04232015_204903.log
Title: Re: Assistance Requested
Post by: Curson on April 24, 2015, 09:05:14 am
Hi effinglady,

Welcome to Adlice.com Forum.

Could you please give me the full name and path of the process detected by AVG ?
Did you install MailRuUpdater on purpose ?

Regards.
Title: Re: Assistance Requested
Post by: effinglady on April 25, 2015, 12:36:32 am
Hi Curson. 

I really appreciate the help.  I didn't install MailRuUpdater on purpose.  I have attached an AVG screenshot. 
Title: Re: Assistance Requested
Post by: Curson on April 26, 2015, 05:28:03 pm
Hi effinglady,

Thanks for the information.

Restart RogueKiller and select the following entries for deletion :
Quote
[Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | MailRuUpdater : C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe
[PUP] (X64) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\soserenity\AppData\Roaming\Search Protection\SP.EXE" /autostart
[Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | MailRuUpdater : C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe
[PUP] (X86) HKEY_USERS\S-1-5-21-2978192904-255533574-1432524084-1000\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : "C:\Users\soserenity\AppData\Roaming\Search Protection\SP.EXE" /autostart
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe")
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe")
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Update webget ("C:\Program Files (x86)\webget\updatewebget.exe")
[Suspicious.Path] \\MailRuUpdateTask -- C:\Users\soserenity\AppData\Local\Mail.Ru\MailRuUpdater.exe (--scheduler)
Please copy/paste the report obtained in your next reply.

Please download Farbar Recovery Scan Tool (x64) (http://download.bleepingcomputer.com/farbar/FRST64.exe) and save it to your Desktop.
Regards.
Title: Re: Assistance Requested
Post by: effinglady on April 28, 2015, 01:49:32 am
Hi Curson.

Here is the new RogueKiller report.

RogueKiller V10.6.1.0 (x64) [Apr 24 2015] by Adlice Software

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : soserenity [Administrator]
Started from : G:\Desktop_move\RogueKillerX64.exe
Mode : Scan -- Date : 04/27/2015  19:32:59

Processes : 0

Registry : 6
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 ATA Device +++++
--- User ---
[MBR] 6c5bee2a33b71e821770831803fd6426
[BSP] da718f200c79b6b4eb69e7ee20c6fa8e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 51100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 104859648 | Size: 902666 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_04232015_204903.log - RKreport_SCN_04232015_212839.log - RKreport_SCN_04272015_183452.log - RKreport_SCN_04272015_191635.log
RKreport_DEL_04272015_191859.log - RKreport_SCN_04272015_192502.log - RKreport_DEL_04272015_192737.log

Title: Re: Assistance Requested
Post by: effinglady on April 28, 2015, 01:55:36 am
And the Farbar reports... They are too long to paste so I attached them.

Thanks again.
Title: Re: Assistance Requested
Post by: Curson on April 29, 2015, 09:04:32 pm
Hi effinglady,

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

How is the computer running ?

Regards.
Title: Re: Assistance Requested
Post by: effinglady on May 01, 2015, 01:57:33 am
Hi Curson,

The computer has been running normally.  I haven't noticed any lag in performance.

I attached the requested log.

EffingLady
Title: Re: Assistance Requested
Post by: Curson on May 01, 2015, 09:49:30 pm
Hi EffingLady,

Please remove the following directories :
Quote
C:\Users\soserenity\AppData\Local\Mail.Ru
C:\Users\soserenity\AppData\Roaming\Search Protection
C:\Program Files (x86)\webget
Then, please do a new scan with RogueKiller and copy/paste the report obtained in your next post.

Regards.
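The two clean-up posts above (the RogueKiller deletions and the directory removal) name the same handful of persistence points: two per-user Run values, one service, one scheduled task and three directories. The script below is an added example, not code from the thread or from Adlice, that re-checks exactly those artefacts and, with -Remove, deletes them, so a reader on a similar machine can confirm nothing was left behind. Names and paths are copied from the posted report; everything else is an assumption: it is run from an elevated PowerShell session as the affected user on Windows 7 or later, and it uses schtasks.exe rather than Get-ScheduledTask because the ScheduledTasks module does not exist on Windows 7. The UAC value RogueKiller flagged as PUM.Policies is only reported, never changed.

```powershell
# Added example (not from the forum thread or from Adlice): re-check the
# persistence artefacts RogueKiller flagged in the posted report and,
# optionally, remove them. Names and paths are copied from the report;
# running elevated, as the affected user, on Windows 7 or later is assumed.
# Run once without -Remove to see what is still present.
[CmdletBinding()]
param([switch]$Remove)

$findings = New-Object System.Collections.ArrayList

function Add-Finding($type, $name, $detail) {
    [void]$findings.Add([pscustomobject]@{ Type = $type; Name = $name; Detail = $detail })
}

# 1. Per-user Run values. HKCU is the current user's HKU\<SID> hive; the report
#    lists each value twice because RogueKiller scans both registry views.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'MailRuUpdater', 'Search Protection') {
    $item = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($item) {
        Add-Finding 'Run value' $name $item.PSObject.Properties[$name].Value
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $name }
    }
}

# 2. The 'Update webget' service. The report shows it under CurrentControlSet,
#    ControlSet001 and ControlSet002; deleting it through the service control
#    manager (sc.exe) is the supported way to remove the live entry.
$svcName = 'Update webget'
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) {
    $img = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName" `
            -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    Add-Finding 'Service' $svcName "$($svc.Status) $img"
    if ($Remove) {
        Stop-Service -Name $svcName -Force -ErrorAction SilentlyContinue
        & sc.exe delete $svcName | Out-Null
    }
}

# 3. Scheduled task. schtasks.exe exits non-zero when the task does not exist.
$taskName = 'MailRuUpdateTask'
$taskInfo = & schtasks.exe /Query /TN $taskName /FO LIST /V 2>&1
if ($LASTEXITCODE -eq 0) {
    $cmdLine = ($taskInfo | Select-String 'Task To Run' | Select-Object -First 1).Line
    Add-Finding 'Scheduled task' $taskName $cmdLine
    if ($Remove) { & schtasks.exe /Delete /TN $taskName /F | Out-Null }
}

# 4. Leftover directories (the report paths, resolved for the current user).
$dirs = @(
    "$env:LOCALAPPDATA\Mail.Ru",
    "$env:APPDATA\Search Protection",
    "${env:ProgramFiles(x86)}\webget"
)
foreach ($d in $dirs) {
    if (Test-Path -LiteralPath $d) {
        $count = (Get-ChildItem -LiteralPath $d -Recurse -Force -ErrorAction SilentlyContinue |
                  Measure-Object).Count
        Add-Finding 'Directory' $d "$count entries"
        if ($Remove) { Remove-Item -LiteralPath $d -Recurse -Force -ErrorAction SilentlyContinue }
    }
}

# 5. UAC elevation policy flagged as PUM.Policies in the report. Reported only:
#    0 means administrators elevate without any prompt; the Windows 7 default is 5.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name ConsentPromptBehaviorAdmin -ErrorAction SilentlyContinue
if ($pol -and $pol.ConsentPromptBehaviorAdmin -eq 0) {
    Add-Finding 'UAC policy' 'ConsentPromptBehaviorAdmin' '0 (elevate without prompting; default is 5)'
}

if ($findings.Count -eq 0) { 'Nothing from the report is still present.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it first without -Remove and keep that output (and a copy of any binary it lists) before running it again with -Remove; the RogueKiller scan in the next post is the independent confirmation that the entries are gone. The UAC value is left for the user to decide on deliberately, which is why it is listed and not rewritten.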
Title: Re: Assistance Requested
Post by: effinglady on May 06, 2015, 01:02:21 am
Hi Curson,

I deleted the first two directories but could not find the third (C:\Program Files (x86)\webget).

Here is the log.

RogueKiller V10.6.1.0 (x64) [Apr 24 2015] by Adlice Software

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : soserenity [Administrator]
Started from : G:\Desktop_move\RogueKillerX64.exe
Mode : Scan -- Date : 05/01/2015  21:11:19

Processes : 0

Registry : 6
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> Found

Tasks : 0

Files : 0

Hosts File : 0

Antirootkit : 0 (Driver: Loaded)

Web browsers : 0

MBR Check :
+++++ PhysicalDrive0: TOSHIBA MQ01ABD100 ATA Device +++++
--- User ---
[MBR] 6c5bee2a33b71e821770831803fd6426
[BSP] da718f200c79b6b4eb69e7ee20c6fa8e : Windows Vista/7/8|VT.Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 51100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 104859648 | Size: 902666 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_04232015_204903.log - RKreport_SCN_04232015_212839.log - RKreport_SCN_04272015_183452.log - RKreport_SCN_04272015_191635.log
RKreport_DEL_04272015_191859.log - RKreport_SCN_04272015_192502.log - RKreport_DEL_04272015_192737.log - RKreport_SCN_04272015_193259.log
Title: Re: Assistance Requested
Post by: Curson on May 06, 2015, 08:55:47 pm
Hi effinglady,

Your report is clean.
How is your computer running now ?

Regards.
Title: Re: Assistance Requested
Post by: effinglady on May 07, 2015, 02:05:54 am
Curson,

That is a great report.  My computer is running well.

Thank you for all your help!

Effinglady
Title: Re: Assistance Requested
Post by: Curson on May 07, 2015, 08:42:00 am
Hi effinglady,

You are very welcome.
I'm glad I was able to help you.

Regards.