Solved File recovery rogue scanner infection

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 05-09-2012
Ran by SYSTEM at 2012-09-08 15:12:35 Run:2
Running from H:\
==============================================
DEFAULT hive was successfully copied to System32\config\HiveBackup
DEFAULT hive was successfully restored from registry back up.
SAM hive was successfully copied to System32\config\HiveBackup
SAM hive was successfully restored from registry back up.
SECURITY hive was successfully copied to System32\config\HiveBackup
SECURITY hive was successfully restored from registry back up.
SOFTWARE hive was successfully copied to System32\config\HiveBackup
SOFTWARE hive was successfully restored from registry back up.
SYSTEM hive was successfully copied to System32\config\HiveBackup
SYSTEM hive was successfully restored from registry back up.
==== End of Fixlog ====
 
It appears I have internet, but another error popped up, from "Windows Installer" (though I didn't have the DVD or thumb drive hooked up on restart):

Windows Installer

The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package 'SBVIPRE_EN.msi' in the box below.

Then there is a text box labeled: Use source:

C:\ProgramData\Downloaded Installations\{FA0F7527-B8F1-4541-A077-22F7B7829518}\{47E8BF80-5770-4211-8640-89A8B167B4D3}\

There are buttons to click OK, Cancel or Browse.
 
Good news about internet connection :)

That message seems to be coming from your Vipre AV program.

We restored your computer to a few days ago, so something probably got messed up.

Try to reinstall Vipre.

Also since we went back we need to re-run some scans.

Start with creating new restore point (after reinstalling Vipre).

Next, update MBAM, run it and give me fresh log.
 
When I try to click on the Vipre AV icon on my desktop, I'm warned that the service isn't running and to contact technical support. I'd like to (obviously) update my AV, should I contact them to do so or is there something else to do?
 
OK, we're posting at the same time:

A) Should I install Vipre on the thumb drive from another PC or just go online as-is from the infected PC to download a new copy?

I'll uninstall it, along with Malwarebytes (because I got an error when I first restarted: there was a missing DLL for MWB).

Edit: I can't uninstall Vipre, I get the same error message from Windows Installer.

New question: How do I install it fresh? Just download and run the EXE? Do I download from this unprotected PC or from another PC and then transfer the executable to the problem PC?

B) Then after I have Vipre and Malwarebytes installed fresh, you said to Start w/creating new restore point (after reinstalling Vipre)...but I'm not sure how to do that.
 
I couldn't install Vipre; the same error from the Windows Installer would pop up. Also see the attached images:

[attached images: VipreWarning.gif, VipreResult.gif]

I am going to rerun Malwarebytes and will post the new scan next.
 
Oh, was that a "full" or "quick" scan of Malwarebytes?

Edit: Since you didn't reply I just went ahead and ran a full scan. Will post when it's done, also I've sent a support email to Vipre about the issue I'm having with their tool.
 
Did you uninstall Vipre first?

If you're having problems with the uninstallation as well, use the free version of Revo...

Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.

Please note there is a chance when you look for this program to uninstall through Revo it might not be listed because of the previous uninstall. If that is the case simply stop and let me know.
  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on the program you want to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished click on Next
  • Once the program has searched for leftovers click Next.
  • Check the items in bold only on the list then click Delete. You may have to expand some folders by clicking the "+" mark.
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then Next
  • Once done click Finish.
 
Revo ran into the same problem - Windows Installer saying the .msi file is not accessible or in the folder it's being called from. Then a new window opened up that said, "The installation source for this product is not available. Verify that the source exists and that you can access it." (From Windows Installer.)

I hit the "next" button and Revo thinks Vipre's built-in uninstaller completed its task (which it did NOT do), now it's scanning the registry and hard drive...
 
Also, when I try to run Firefox, I am still told that "Firefox is already running, but is not responding. To open a new window, you must first close the existing Firefox process, or restart your system."

Furthermore, when I tried to install Vipre (I have it on my thumb drive), the program immediately asks for my license key (which is unusual - it goes through an initial set up first normally). When I input the key, I am told, "Congratulations! You are already up to date!" but there is NO Vipre listed under "All Programs" or "Add/Remove Programs"...

Also, when I run Chrome on the infected computer, it's still unable to open up LastPass, my password manager.
 
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.09.08.08
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
IdHusseys :: IDHUSSEYS-PC [administrator]
9/8/2012 4:18:27 PM
mbam-log-2012-09-08 (16-18-27).txt
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 411224
Time elapsed: 1 hour(s), 32 minute(s), 5 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
 
So just to be clear, I did delete the bold registry keys, now Vipre's acting really funny when I try to install as mentioned above. I told Vipre about it, and they want to elevate my ticket to a professional malware removal person, but I'd like to see this through with you first.
 
Let's not worry about Vipre for now.
Let's make sure your computer is clean.

Please download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from safe mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.
 
Rkill 2.3.10 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/08/2012 08:58:20 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* No malware processes found to kill.

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* Windows Defender Disabled

[HKLM\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

* Windows Defender (WinDefend) is not Running.
Startup Type set to: Manual

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/08/2012 08:58:24 PM
Execution time: 0 hours(s), 0 minute(s), and 3 seconds(s)

(Waiting for aswMBR to finish downloading and scanning.)
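The Rkill log above flags two Windows Defender conditions: the DisableAntiSpyware registry value set to 1 and the WinDefend service stopped with a Manual startup type. As an added example, not from this thread or from Rkill, the following PowerShell script performs the same two checks read-only and, only when the assumed -Remediate switch is given, reverses them.

```powershell
# Added example (not from the thread or from Rkill): repeat the two Windows Defender
# checks Rkill reported. Run from an elevated PowerShell prompt on Windows 7 or later.
# Caveat: third-party AV products commonly set DisableAntiSpyware=1 at install time,
# so on its own this is a finding to verify against the installed AV, not proof of tampering.
param(
    [switch]$Remediate   # assumed switch name; nothing is changed unless it is given
)

$defenderKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$valueName   = 'DisableAntiSpyware'

# 1. Registry: the value Rkill flagged ("DisableAntiSpyware" = dword:00000001)
$props    = Get-ItemProperty -Path $defenderKey -ErrorAction SilentlyContinue
$disabled = ($null -ne $props) -and ($props.$valueName -eq 1)
if ($disabled) {
    Write-Warning "$valueName = 1 under $defenderKey (Defender disabled through the registry)."
} else {
    Write-Output "$valueName is not set to 1; Defender is not disabled through this value."
}

# 2. Service: Rkill reported WinDefend not running with startup type Manual
$svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'WinDefend service not found on this system.'
} else {
    $startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'").StartMode
    Write-Output ("WinDefend status: {0}, startup type: {1}" -f $svc.Status, $startMode)
}

# 3. Optional remediation, mirroring what a cleanup tool does for these two findings
if ($Remediate) {
    if ($disabled) {
        # Remove the disabling value rather than setting it to 0 so the default applies
        Remove-ItemProperty -Path $defenderKey -Name $valueName -ErrorAction Stop
        Write-Output "Removed $valueName."
    }
    if ($null -ne $svc) {
        try {
            Set-Service -Name WinDefend -StartupType Automatic
            Start-Service -Name WinDefend -ErrorAction Stop
            Write-Output 'WinDefend set to Automatic and started.'
        } catch {
            # Expected to fail while another real-time AV owns the machine
            Write-Warning "Could not start WinDefend: $($_.Exception.Message)"
        }
    }
}
```

Without -Remediate the script only reports, which is the safe way to confirm a log finding before changing anything.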
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-08 20:59:00
-----------------------------
20:59:00.270 OS Version: Windows x64 6.1.7601 Service Pack 1
20:59:00.270 Number of processors: 2 586 0x602
20:59:00.271 ComputerName: IDHUSSEYS-PC UserName: IdHusseys
20:59:01.087 Initialize success
21:02:15.998 AVAST engine defs: 12090801
21:02:46.374 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
21:02:46.380 Disk 0 Vendor: WDC_WD2500BEKT-60V5T1 12.01A12 Size: 238475MB BusType: 11
21:02:46.393 Disk 0 MBR read successfully
21:02:46.399 Disk 0 MBR scan
21:02:46.419 Disk 0 Windows 7 default MBR code
21:02:46.437 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
21:02:46.452 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 224323 MB offset 409600
21:02:46.486 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 13848 MB offset 459823104
21:02:46.511 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 488183808
21:02:46.552 Disk 0 scanning C:\Windows\system32\drivers
21:02:58.027 Service scanning
21:03:20.735 Modules scanning
21:03:20.757 Disk 0 trace - called modules:
21:03:21.138 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
21:03:21.150 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8003127060]
21:03:21.163 3 CLASSPNP.SYS[fffff880010d343f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80030cc060]
21:03:22.952 AVAST engine scan C:\Windows
21:03:25.811 AVAST engine scan C:\Windows\system32
21:06:30.747 AVAST engine scan C:\Windows\system32\drivers
21:06:43.655 AVAST engine scan C:\Users\IdHusseys
21:18:13.766 AVAST engine scan C:\ProgramData
21:19:47.450 Scan finished successfully
21:23:30.471 Disk 0 MBR has been saved successfully to "C:\Users\IdHusseys\Desktop\MBR.dat"
21:23:30.476 The log file has been saved successfully to "C:\Users\IdHusseys\Desktop\aswMBR.txt"
 
  • Can't open Firefox, it says it's still running and to close it before opening a new instance.
  • Cannot open LastPass in Chrome.
  • Files still locked "access denied" in C drive.
  • Files still ghosted on desktop.
  • Vipre will not open, uninstall or reinstall.
The Vipre situation is concerning since I have no AV presently; I don't really feel safe surfing the net after all this.
 
See if you can install any of these for now:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php

Uninstall Firefox completely using this manual: http://kb.mozillazine.org/Uninstalling_Firefox
Install fresh copy.

Same goes for Chrome...
  1. Go to Start > All Programs > Google Chrome > Uninstall Google Chrome.
  2. Delete your user profile information, like your browser preferences, bookmarks, and history, by selecting the "Also delete browser data" checkbox.
  3. Select the default browser you'd like to use.
  4. Click OK in the confirmation prompt.
Install fresh copy.

What files are "locked"?
What do you mean by "ghosted" files?
 
When I opened the Avast link above, it meta-refreshed and this was the affiliate referral ID:
hxxp://affiliates.digitalriver.com/z/25497/CD133407/1ig7xd6thgjzh

(I put the x's there, no sense in posting random aff links.)

Looks like some affiliate is stuffing their cookies here...will try another PC to see if it's a techspot thing or the lowlife who infected me.
 
Yeah, it seems like it's a "techspot" thing...happens on every computer. Going to skip out on that, as an affiliate marketer myself I know it's against the Federal Trade Commission to stuff your cookies unannounced. Not cool. Will try to download Avast without using that link.
 
Thankfully both browsers are up and running fine!

I've also downloaded and installed antivirus and will work with Vipre tech support to get that program running again, in the meantime I feel safe as-is, thanks.

Also, LastPass installed and that's good: but I did lose all my bookmarks (not too worried on that account).

To answer your questions:

What files are "locked"?
Specifically it's "Documents and Settings" - access is still denied. I've seen in other tutorials where this folder is accessed, it wasn't like that before this infection.

What do you mean by "ghosted" files?
About 10 or so files and folders on my desktop have a transparent "ghost" look to them, which is what happens when files are hidden. I was having trouble copying these files earlier after the infection: I was planning on exporting my files to continue working for my clients during this disinfection period, but I couldn't export the files - they wouldn't show up in my thumb drive.

I haven't tested their ability to export at this point, but they have that same transparent look.

Edit: I was able to simply select "Properties" on the files/folders on the desktop, then de-select "hidden." My only concern is that this happened before and they came back as hidden files. I'll keep an eye on it.
 
Good news :)

"Documents and Settings" on Windows 7 is a hidden system folder. No reason to access it.
Open Windows Explorer, go Tools>Folder options>View tab and checkmark "Hide protected operating system files".
OK your way out.
Press F5 to refresh the view.

"ghosted" files... I assume you recognize those files as yours by their names?
 
A problem I've noticed, Broni - the "Catalyst Control Centre" has stopped working, not sure how to fix it but it was fine prior to the infection.
 
I just now saw your message re: the folder options - thanks, makes sense. Seems to be fine.

My "ghosted files" are regular documents/folders I've created, things I'm working on, but actually the problem hasn't returned, so that's fixed. The only remaining anomaly is the "Catalyst Control Centre" not working, I guess it's a Hewlett Packard thing, I don't have that function on other PCs in the home running Windows 7, and this laptop is the only HP machine I have.

It's just annoying, the warning that it's not working and the constant, "Windows is checking for a solution." Otherwise I'm not even sure what CCC even DOES.

But so far it looks like things are good, operating fine. I'm sure there will be random errors here and there where files were removed or the registry was messed with, but so long as it's not an infection, I'm happy. So far NO redirections in my searches, other than the typical Firefox or Chrome errors that happen time to time, nothing unusual I can see. :)
 