Malware riddled laptop MB not updating

Running a Toshiba L455D older laptop given to me that basically went its whole life with only AVG 2011 to protect it. Win 7 32 bit. Can't connect at all, so I'm using a desktop to make this post. Installed MB from a USB drive like 2 years ago trying to help its former owners, but it wouldn't let me update it. Fast forward to today. I ran it un-updated and it got rid of some malware. Still no internet connection and it won't let me update. Can't run Spybot Search and Destroy either. I know there's still malware on this computer as it hadn't been updated in years.

Cliffs: old shi**y laptop with basically no protection for years. Ran un-updated old Malwarebytes scan trying to clean it up. Found/quarantined some of it, but it still won't let me update. Can't connect online either. No, it's NOT my router. I know this for a fact.

Ok I ran FRST and included both txt files.  Any help would be much appreciated!

Addition_25-09-2016 15.30.57.txt

FRST_25-09-2016 15.30.57.txt


Hello madmardigan and welcome to Malwarebytes,

Run the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or in the folder it was run from. Please post it to your reply.

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" except for Internet; make sure that box is cleared. Ensure only Addition.txt is selected under "Optional scan". Select Scan; when done, post the new logs: "FRST.txt" and "Addition.txt".


Let me see those logs in your reply...

Thank you,

Kevin....

 

fixlist.txt


Ok I got a problem here....I put the fixlist.txt in the folder, opened FRST and hit the Fix button. It did its thing, created the fixlog.txt file I attached, restarted my laptop automatically. I start FRST again, it says "failed to get updates (5)". I uncheck the Internet box, made sure everything else was good, then hit Scan again and it exits FRST automatically! Tried again, same thing, it exits the program right away. It's like whatever is on here is pretty persistent. I'm sure you have a solution though.

Fixlog.txt


Yes, definite rootkit, we see that with FRST and attempt to remove it... Also tunnel adapters have gone into renew overdrive under network adapters. Continue as follows:

Copy and paste the text below (quote box) into Notepad; in Notepad click on "File" then "Save As", call it IPV6.reg and save to Desktop. Double click on IPV6.reg to merge into registry, reboot to take effect.
 
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]

"DisabledComponents"=dword:ffffffff
 
Next,

Please read carefully and follow these steps.
  • Download TDSSKiller from here: http://support.kaspersky.com/downloads/utils/tdsskiller.exe and save it to your Desktop.
  • Double-click on the downloaded tdsskiller.exe to run the application.
  • The "Ready to scan" window will open. Click on "Change parameters".
  • Place a checkmark next to Verify Driver Digital Signature and Detect TDLFS file system (leave "Service & Drivers" and "Boot Sectors" ticked). Click OK.
  • Select "Start Scan".
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file to your reply.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file to your reply.

 


Ok I ran the tool and here's the log file. There was another option under "objects to scan" that was not included in the screenshot above. It's called "Loaded modules" and it required an extra file to be installed or something like that for it to work. As I had no internet access at the laptop I left it alone. Should I try to include the loaded modules object and scan again? It rebooted ok so I'm hoping it's done.

TDSSKiller1-26-2017.txt


Ok I ran the tool one more time and I'm not sure what happened with the log file before. I thought I copied and pasted it all, but I guess not. Anyway it didn't detect the rootkit, but the other 6 "suspicious" items that you told me to skip are still there, of course. Here's the full log from the second scan. Hope I didn't mess anything up here :(

TDSSKillerscan2.txt


Ok I ran it after I deleted the TDSS file system and quarantined the other stuff. Here's the latest log file. At least it appears we're making progress. I know it may seem dumb that I skipped over the last item, but I learned some time ago with stuff like this to follow instructions exactly. Two questions:

1. Where do I go from here?

2. How will I know definitively that this laptop is clean of all malware?

TDSSKillerscan4.txt


We are definitely making good progress: FRST removed the rootkit, TDSSKiller has removed its file system. It's no big deal that you did not remove it first time round; that file system is inert without the rest of the infection....

I want you to run the following scans to have another look at your system:

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan". Select Scan; when done, post the new logs: "FRST.txt" and "Addition.txt".

Next,

Download Farbar Service Scanner from here: http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/ and run it on the computer with the issue.

Make sure the following options are checked:
 
  • Internet Services
  • Windows Firewall
  • System Restore
  • Security Center/Action Center
  • Windows Update
  • Windows Defender
 
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


Let me see those logs...

Thank you,

Kevin...
 

 

 


FRST refuses to run. Same as before: I check all the options you tell me to, hit Scan, then it immediately quits. Only error message is when I first start it, it says failed to get update.

I reboot, it still refuses to run!

I ran the scanner, but I should tell you I disabled the wifi on my laptop because I didn't want the infection to spread on my home network (wasn't connecting anyway), and I disabled Windows Updates because it was taking forever to update and I didn't want anything interfering with this process. This laptop has been neglected for some time....so in the logs it will say no Internet service and wuauserv is disabled. Both of those are my doing. Should I re-enable them?

What do I need to do to get FRST to run?

FSS.txt


Delete FRST tool, d/l a fresh version and transfer to sick PC, that should run... Do the following first....

Also wscsvc Service appears to be missing, I've attached wscsvc.zip; download to sick PC Desktop, unzip so you have wscsvc.reg, double click to merge that reg file, agree any merges or alert prompts... Reboot.

 

 

 

 

wscsvc.zip
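As an added illustration (not part of this thread, and not code from FRST, FSS or any of the other tools used here), the following read-only PowerShell audit reads back the things the replies above change by hand: the DisabledComponents value that the IPV6.reg merge writes and the state of the 6to4/ISATAP/Teredo tunnel adapters, the wscsvc service restored from wscsvc.reg, and the services behind the Farbar Service Scanner checkbox list. The mapping from those FSS options to Windows 7 service names, and the adapter name patterns, are my assumptions. It changes nothing; it only reports, so the result can be compared before and after the reboot.

```powershell
# Added example, not part of the thread or of FRST/FSS: a read-only audit that
# verifies the manual fixes above took effect. Run from an elevated PowerShell
# prompt; only Get-ItemProperty, Get-Service and WMI are used so it also runs
# on the PowerShell 2.0 that ships with Windows 7.

function Get-IPv6State {
    # IPV6.reg writes DisabledComponents=0xFFFFFFFF, which turns off every IPv6
    # component (including the 6to4/ISATAP/Teredo tunnel interfaces).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisabledComponents
    if ($val -eq $null) {
        'DisabledComponents: not set (Windows default, all IPv6 components on)'
    }
    else {
        # The value is stored as a DWORD; -1 formats as FFFFFFFF.
        'DisabledComponents: 0x{0:X8}' -f $val
    }

    # Tunnel adapters are ordinary Win32_NetworkAdapter rows; the name patterns
    # below are an assumption that matches the adapters Windows 7 creates.
    Get-WmiObject Win32_NetworkAdapter |
        Where-Object { $_.Name -match '6TO4|ISATAP|Teredo' } |
        ForEach-Object {
            $state = if ($_.NetEnabled) { 'enabled' } else { 'disabled or not connected' }
            'Tunnel adapter: {0} -> {1}' -f $_.Name, $state
        }
}

function Get-SecurityServiceState {
    # Assumed mapping from the FSS checkbox list to Windows 7 service names.
    $expected = @{
        'wscsvc'    = 'Security Center / Action Center (restored by wscsvc.reg)'
        'wuauserv'  = 'Windows Update'
        'MpsSvc'    = 'Windows Firewall'
        'WinDefend' = 'Windows Defender'
        'VSS'       = 'Volume Shadow Copy (System Restore)'
        'swprv'     = 'Microsoft Software Shadow Copy Provider (System Restore)'
        'Dhcp'      = 'DHCP Client (Internet Services)'
        'Dnscache'  = 'DNS Client (Internet Services)'
    }
    foreach ($name in $expected.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            # No service definition in the registry, which is what FSS reported for wscsvc.
            'MISSING  {0,-10} {1}' -f $name, $expected[$name]
            continue
        }
        # Win32_Service exposes the start mode (Auto/Manual/Disabled) that Get-Service lacks on PS 2.0.
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$name'"
        '{0,-8} {1,-10} start={2,-8} {3}' -f $svc.Status, $name, $wmi.StartMode, $expected[$name]
    }
}

Get-IPv6State
Get-SecurityServiceState
```

A service that shows as MISSING is the case the reply above handles with the wscsvc.reg merge; a service present but `start=Disabled` (such as wuauserv, which the poster disabled himself) is a settings change rather than damage, and can be re-enabled from services.msc.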


Ok here are the files...I know they're not the right timestamps, but they're the latest scan logs, I double checked.

FRST_26-09-2016 23.01.43.txt

Addition_26-09-2016 23.01.43.txt

Can you tell me a little bit about what you're looking for in the logs?  Like as far as technical details?

This is the most difficult virus removal I've done yet, partly because this laptop is so old and slow.

I'm actually an IT undergraduate so I'm using this as education (not much experience with malware infections so far) .  Otherwise  I would've trashed this thing already :D


What we look for is pretty much straightforward: you produce a thread and describe what is wrong. We go looking initially with FRST, which gives an overview of your system. From there we try to deal with what we find...

In this case a TDL4 rootkit infection is on your system, a nasty infection that runs its own file system. Tools we use are very good at locating and removing the infection; the problem after that is nearly always registry damage or exploits created by the infection.....

For now remove Spybot Search and Destroy, it can cause problems for us... https://www.safer-networking.org/faq/how-to-uninstall-2/

I note the time issue in logs, no connection bars online time checks...

Latest logs look good, but we still have no internet. How does this pc normally connect, wired or wireless...?

Right click on the internet icon on tray next to clock, select TroubleShoot. What feedback do you get...?

Run FSS again and post the fresh log...


Ok here it is....I'm posting from the laptop for the first time! Yay! Hope it looks good.

Do I start updating everything? Windows, Malwarebytes, etc?

Oh and that IPV6 registry entry you had me do earlier that seemed to deactivate the tunnel adapters: do I need to delete that entry? Do I keep it like that? It won't affect connectivity at all, will it?

FSS.txt


We still need to check for remnants of the infection and possible 3rd party infections; these are typical nuisances that are often left behind after we remove TDL4...

You have Malwarebytes version 3.5xxx; 3.6 is now available, download and install over the top of current version....

Download and install Malwarebytes from Here: https://www.malwarebytes.com/mwb-download/thankyou/

When complete Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options", ensure Scan for Rootkits and Scan within Archives are both on.... Leave all other settings at default..

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress....
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Next,

When those scans are complete let me see the logs... I also note Windows Updates is disabled, you can enable and update OS...

It's 15 after midnight local time for me, catch up later.....zzzzzzzzzzzzzz

Thank you,

Kevin...

 

 


Sorry I haven't replied, been busy. Hey, I can't find the Sophos log file anywhere, but it found some malware registry entries then deleted them. I can run it again if you need me to, but it took forever to run last time.

There's two ADW logs for some reason so I included them both.

What do you think?

AdwCleaner[S0].txt

AdwCleaner[C0].txt

mbscan2.txt


I looked all over for it, it's nowhere to be found....not in any of the Sophos folders, and a search of the PC turned up nothing :-( I'll run it again in a bit, but the Sophos tool takes soooo long I don't really want to deal with it right now. I'll run it later then post the log.

As far as issues, the only issue I think remaining is it's being a pain in the ass to update. It hangs up during dl. I tried to run the Microsoft update fixer tool thing and it hung up too.

I ran some netsh commands in the command prompt to reset some stuff and it seemed to work at first, then at 97% it hangs again lol.

Any ideas about how to get it updating again?


kevinf80 just an update...

Everything seems to be running fine on the laptop.  You were a great help thank you so much.

I will say, however, that talking to some IT pros I'll never be able to fully trust this laptop again...so I'll just use it for education purposes and basically won't put any sensitive info or visit sensitive sites on it or anything. But again it runs fine, you were much more help than my friend's dad who was supposed to be an "IT wizard" lol.

Sorry I forgot to update earlier I know it's been a while.


Thanks for the update, good to hear your laptop runs ok. I know it is a long time since you posted, but I'll give clean-up instructions... When this is done make sure to change all passwords used on your system, specifically any that have financial implications...

Uninstall Sophos AV http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...