Jump to content

Desktoplayer.exe and userinit.exe Malware !

superduper

By superduper
in Resolved Malware Removal Logs

 Share

Recommended Posts

superduper

superduper

Posted
Posted

Hello , few days back. I downloaded a supposed to download a torrent file, but instead i downloaded a boot strap file. I thought it would be harmless, if i run it under virtualization through Shadow Defender. But maybe it bypassed that virtualization and the system is infected with Desktoplayer.exe and userinit.exe Malware.

Mant times i tried to used Malwarebytes, but it simply comes getting back. Please see the file.

I don't know what to do, i tried Kaspersky Security, it simply doesn't install, all i have left is Malwarebytes and its quite not getting to the source. Does anyone know the solution or simply format the pc would be the solution. Any solution is greatly appreciated, at this time.

Awaiting reply.

userinit.jpg

VirusRamnit.jpg

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted
Hello superduper and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

See if you do the following, if not skipthe staeps and move onto FRST....

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

user posted imageGoogle Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. user posted image (may have changed to three (3) vertical dots.)
Choose Settings. at the bottom of the screen click the
"Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

user posted imageMozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. user posted image Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and the click the "Select Folder" button. Click OK to get out of the Options menu.

user posted imageInternet Explorer - Click the Tools menu in the upper right-corner of the browser. user posted image Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

user posted imageChange default download folder location in Edge -Boot to a user account with admin status, select start > file explorer > right click on "Downloads" folder and select "Properties"

In the new window select "Location" tab > clear the text field box and type in or copy/paste %userprofile%\Desktop > select "Apply" then "OK"

Be aware you are not changing the Browser download folder location, you are changing the user’s download directory location.....

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your next reply...

Thank you,

Kevin...
Link to post
Share on other sites
superduper

superduper

Posted
  • Author
Posted

@kevinf80: Thank you for your gesture. I did all you mentioned in the above post. After i had posted this thread, in 1hr time i had formatted by PC and restored the OS. I choose to format because i found these those thread which already mentioned about Ramnit virus, and the people choose to format their drive and start from scratch.

Link 1 Link 2

But after 1/2 hrs the virus simply came back again.l can't believe this, it's very nasty virus, one of mine USB antivirus detected one of the file as Ramnit.R1 virus.

Please see the picture. I would like to know your opinion. Its all messed up. I use a program call Instant Recovery and it makes a system snapshot of Primary OS and makes another Secondary snapshot. From looking at the results, even that Secondary snapshot is infected. It wasn't an effective System Recovery tool. I'll choose Rollback Rx later.

RollbackRx

It's good i have so many backups, but this virus is very nasty and really irritating. I would wait your consultation.

 

nircmd.jpg

Desktoplayer.jpg

FRST.txt

Addition.txt

malwareq.jpg

userinit1.jpg

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted
Thanks for those logs, continue:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply

Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the Scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....


Let me see those logs, also tell me if there are any remaining issues or concerns....

Thank you,

Kevin....

 

Fixlist.txt

Link to post
Share on other sites
superduper

superduper

Posted
  • Author
Posted

@kevinf80:

Sorry for replying late: actually Sophos Virus Removal Tool took quite sometime to complete because it was reading two OS's because of the program Instant Recovery.

I left the pc and in the morning i found out the pc had shut down, so that was the reason. But i have finished all the scan:

There were no save the log file mentioned in Sophos Virus Removal Tool , but it did remove one virus some it couldn't delete. But i be running it throughout the day,

If it can catch any virus. Awaiting reply.

Fixlog.txt

mbam-log-2016-11-05 (00-27-04).txt

01.jpg

02.jpg

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

When you`ve ran sophos and are at the threat details window did you select "View Log File" option, did that not produce a log....?

FRST update cycle issue has been fixed by the developer, delete the version you have and d/l and run one more time as follows:

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Thank you,

Kevin...

 

Link to post
Share on other sites
superduper

superduper

Posted
  • Author
Posted

Hello, i ran the Sophos tool throughout the day, switched between snapshot and did a scan by Malwarebytes and Sophos tool.

I found out the Ramnit malware is gone, but the other malware or virus is still present. Please look at the picture. Actually there was the button to save the activity log in Sophos, but i was in a hurry to post the result. That was really stupid of me. I again ran the FRST tool. Really tiring to stare at the pc and fix. Every malware attack feels like new for me.

C:\$ISR\1 Here (1) represents the snapshot of the current OS. How the malware transfer there is really puzzling, i cannot leave Instant Recovery, because i need to remove the virus, all of them, from both the snapshots. Then probably i will remove it and install some other program.

To get a better idea of this program, you can check there website: Here 

03.jpg

04.jpg

SophosVirusRemovalTool2.log

SophosVirusRemovalTool1.log

Addition.txt

FRST.txt

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted
Tweaking.com Registry Backup
 
  • Download Tweaking.com Registry Backup from here, and save tweaking.com_registry_backup_portable.zip to your desktop.
  • Now we need to create a new folder to extract the zipped contents into. Right click on the zipped folder you just downloaded and select "Extract All".
  • Click the "Browse" button and from the list, expand "Computer", then expand "Windows (C:)", and click the "Make New Folder" button.
  • Call this folder something you will remember...like "RegBackup" then click "Ok", and then click "Extract".
  • From the newly extracted files, right click on hPxdDvj.png and select Run as Administrator (XP users just double click) to start Tweaking.com Registry Backup.(Windows Vista/7/8/10 users: Accept UAC warning if it is enabled.)
  • A screen like this should appear:
    user posted image
     
  • Type a custom name in Backup Name if you want, then choose Backup Now.
  • If backup is successful, a message will appear at the lower half of the screen with an option to view logs.
  • The registry backup will be created in %WindowsDrive%\RegBackup by default. You can customize the path in Settings.
  • Close Tweaking.com Registry Backup when done.


Next,

Can you UNINstall Instant Recovery via programs and features, then delete the snapshot folder C:\$ISR

Next,

Because of the problematic issues with Ramnit run the following Online AV scan, this can take many hours but is essentially wothwhile...

Next,

user posted imageScan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.

Click there Run ESET Online Scanner.

If using Internet Explorer:
 
  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.


To perform the scan:
 
  • Select "Enable detection of potentially unwanted applications"
  • Make sure that Remove found threats is unchecked.
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Under “Enable Stealth Technology select “Change” select any extra drives in that window.
  • Click Start
  • The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.



Please include this logfile in your next reply.

Don't forget to re-enable security software!

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Let me see those logs, also tell me if any remaining issues or concerns...

Thank you,

Kevin

 

Link to post
Share on other sites
superduper

superduper

Posted
  • Author
Posted

Please wait til tomorrow, i will leave it whole night for online scan. It might take a while. I did remove Instant Recovery and formatted the c:\ and 100 MB partition that Win7 usually makes during first time installation. I restored the pc but still getting same results by Sophos. Please see the picture, i havn't deleted it yet, i'll leave that to online scan.

Please wait , it might take a while.

Clipboard01.jpg

Sophos Virus.log

Link to post
Share on other sites
superduper

superduper

Posted
  • Author
Posted

Hello, after my last post i tried scanning with a few programs like SpyHunter and few Registry editor (RegClean Pro Here ) and the spyware or programs poped a lot of false positive results, i was again scared to mess with those.
So lastly i removed the other snapshot, booted from a Win 7 pendrive and did a format in all the partition then used a program called Active@ Boot Disk (Active Boot Disk), its a multi-utility program. Then i went to Active kill disk (Active Kill Disk); i choose to wipe the disk drive; partition after partition( i had already copied all the file present in D: & E: to Ext. Disk).
I thought it would completely wipe the disk at sector level.
So again i restore the pc and did a full scan with Sophos, their again it showed a malware with the name pwr.exe and two registry entry. Please see the picture.
 
 Then when i press Ctrl+Shift+Esc which is the hotkey to bring the Task Bar, there is a certain delay in displaying all the programs running in the background. It seems like something is running or consuming the memory. I don't know, as it is not seen in Task Bar and AnVir Task Manager. Please see the picture. (Its not too clear, sorry)
 I have atleast 2 backup files and an archive made from Instant Recovey which is pretty useless unless i use Instant Recovery. If i restore again, the virus or the malware itself runs in the background and infects that file present in c:\windows\system32\pwr.exe
 I can't believe it, its like this virus survived a nuke attack. I have had good results with Active Kill Disk.
 I am out of ideas and maybe i will have to use my pc with this virus or malware.
 I can't choose to perform Low Level Format using WD Diagnostic tool, writing 0's in the disk just for a single virus. I think doing so, will degrade the HDD and probably will crash very very soon. I have already trashed a 320 GB WD Disk and this is 1 TB WD Disk, which i just recently purchased it.
 If only you could suggest something really good. Awaiting reply.

Virus that fails to die.jpg

ScreenGif.gif

Clipboard01.jpg

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted
I want to have C:\Windows\System32\pwe.exe checked out by VirusTotal

Go to http://www.virustotal.com/
 
  • Click the Choose file button
  • Navigate to the file C:\Windows\System32\pwe.exe
  • Click the Scan it tab
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Copy and paste the results back here please.
  • Repeat the above steps for the following files


Regarding wiping your hard drives I always use DBan, I have the paid for version, there is a free version available... http://www.dban.org/

Let me see the results from VirusTotal...

Thank you,

Kevin...

 

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

We need to remove that file...

Open Notepad, select "Format" from the menu bar, make sure "Word Wrap" is not checked. Copy the text from the code box below to Notepad.

  

@echo off
del /f /s /q "C:\Windows\System32\pwe.exe"
del %0

 


Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"

It should look like this: user posted image<--XP user posted image <--vista or windows 7/8/10

Double click on delfile.bat to execute it.
A black CMD window will flash, then disappear...this is normal.
The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

 

If you are using saved images to reinstall windows then those images are likely exploited and will be no good. Are you able to make a fresh install from an installation disk?

Link to post
Share on other sites
superduper

superduper

Posted
  • Author
Posted

Hello again, your bat file removed it, so would have Sophos, i didn't remove before because i wanted go deeper. But it didn't work.

i tried understanding the nature of the problem, and i know i have tried formatting the entire Disk partition. Then again Wiping the Disk

by a tool called Active Kill Disk. Doing this is enough to deter any virus from even existing. While i browsed in GOogle, there were a cases

of MBR viruses messing up by certain pc. So, i thought of nuking the WD Disk or LLF one time, hope that is enough to remove the mbr virus or any nasty virus.

The reason why i say mbr virus is because everytime i open Firefox a page openup. technologyto.com this page opens up.

So i'll be writing 0's and restore , start from sratch. i tried a lot of tool rootkits program, MBRcheck v.1.2.3 etc, but  I will report back when its all done..

Please see the picture, all the processes and services doesn't appear at once. Something is definitely consuming memory.

ScreenGif.gif

mbrcode.jpg

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

Let me know how you progress, also what you want to do next.. Run the following if possible.

Please download aswMBR ( 4.5MB ) to your desktop.
 
  • Double click the aswMBR.exe icon, and click Run.
  • There will be a short delay before the next dialog box comes up. Please just wait a minute or two.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Typically this is about a 100MB download so depending on your connection speed it can take a short while to download and become ready.
  • Click the Scan button to start the scan once the update has finished downloading
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.


Note: There will also be a file on your desktop named MBR.dat do not delete this for now. It is an actual backup of the MBR (master boot record).

Can you zip up and attach MBR.dat and attach it to your reply...

Thank you,

Kevin...

Link to post
Share on other sites
superduper

superduper

Posted
  • Author
Posted

Hello, last night i did a LLF writing 0's on to the disc ( no virus can survive that ! i think so) , i used the tool from WD website that runs on Dos.

After that i used Win7 bootable USB to load the OS , then restored an old image on top of the OS, and it booted to windows. However that was not all, i tried to install Vega Pro 11, they had their own keygen, and i used that. Now i am thinking that keygen or patch had a virus. So i immediately restarted and formatted that parition and restored it again. Maybe some amount of virus may have transferred from the patch. I did a scan by sophos again n it showed the same virus. I removed it.

I downloaded few mbr tools, aswMBR  was one of them. It did a scan and found two virus: please see the pic. The virus matches, also i uploaded the file  aswMBR  made after scanning. 

I also used mbrcheck 1.2.3 and there it showed different os entry. The picture where you see, " unknownbr code". i think it is detecting Rollback Rx and below is the xp entry. If i remove Rollback RS , you'll see both the entry of Win 7 and XP in green.

Sophos can remove the virus, but i don't know, pc still feels buggy. I am done with using Instant Recovery, which is a file back recovery, i want something robust like Rollback Rx,

Any thoughts, awaiting reply.

Clipboard01.jpg

asas.jpg

aswMBR 1.0.1.2290.rar

2mbrcheck.jpg

1mbrcheck.jpg

Link to post
Share on other sites
kevinf80

kevinf80

Posted
Posted

I already advised against using any previous image backups, that nemisis file PWR.exe will always comeback and catch you out... aswMBR should also have saved MBR.dat to your desktop can you zip that up and attach it.

Regarding keygens, that is asking for trouble. Malware writers will code whatever they like into KeyGens, you will get a licence key to use the software, but there will probably be other malicious entries that run when the keygen is run.....

Your best way forward is to format your Hard drive and install a fresh version of windows and keep well away from any images you have saved.....

Link to post
Share on other sites
superduper

superduper

Posted
  • Author
Posted

Hello, today i did another LLF and made parition and restored through an image. I had made three images, one made from Win7 default backupper , another by Acronis 2014 and other by Ghost 15. Win 7 backup and Ghost 15 image didn't work but Acronis image worked. Surprisingly it worked. About the c:\windows\system32\pwr.exe virus , i am thinking the virus must have probably been in the image all this time. So i will format and install from the start and scan with Sophos and post my log file here. I didn't want to delete or loose the image file because i have a lot of software already installed, and how much time consuming is to start from scratch. Will let you know, in few days.

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.