Windows 7 Forums
Windows 7: Virtool win32 Obfuscator.xz detected w/ MSE


21 Mar 2013   #1

Windows 7 Home Premium 64 Bit SP1

Hello,

I realize there's a similar thread on the front page but have come to the understanding I should create my own thread.

I recently ran a scan w/ MSE and came back w/ a hit for Virtool win32 Obfuscator.xz. MSE was unable to quarantine or remove it. I found what I think were the infected files and deleted them / moved them to the Recycle Bin. (virus2.png)

It was a "cracked" game ISO. I noticed under Uninstall Programs that nba2k13 was still there and that I was unable to uninstall it. It has no size to it, so I'm not sure if this is just a "skeleton". (nba2k13 ChangeRepair) Notice I can only Change or Repair it. Reading further, I've found that some "cracked" items use an obfuscator to hide themselves from AVs for reasons of legality.

I uninstalled Power ISO and Daemon Tools Lite.

I looked over some other threads about this virus and ran DDS and GMER; also included is HijackThis.

It's my understanding that I should change all my passwords. What else should I be doing? Also would reformatting my HDD completely remove the virus? I have my resource and restore cds. I've backed up what files I need and have no problem about wiping my HDD.

I am currently running another complete scan on my HDD w/ MSE and as of this post it won't be finished for maybe an hour.

Thanks in advance.




Attached Thumbnails
Virtool win32 Obfuscator.xz detected w/ MSE-virus2.png   Virtool win32 Obfuscator.xz detected w/ MSE-nba2k13-changerepair.png  
Attached Files
File Type: txt dds.txt (19.6 KB, 13 views)
File Type: txt attach.txt (12.3 KB, 7 views)
File Type: log GMERLog.log (8.0 KB, 10 views)
File Type: log hijackthis.log (10.5 KB, 17 views)

21 Mar 2013   #2

Windows 7 Home Premium

Quadra,

Let's see if we can get to the root of the problem with this short scan. You ran other scans already, but this malware is rather "sneaky"...

Please download RogueKiller:
Télécharger RogueKiller (Site Officiel) [Download RogueKiller (Official Site)]

When you get to the website, go to where it says:
Lien de téléchargement (Download link)
Select the version that applies to your system: x64
Click the dark-blue button that applies.
Save to the Desktop.

Close all windows and browsers
Right-click RogueKiller and select: Run as Administrator

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.
(Please do not delete anything! Thanks!)

A couple of questions...
The malware shows in Drive E:\
Is C:\ where Windows is installed?
Is E:\ an additional fixed drive?
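CB's two questions (which drive holds the booted Windows, and whether E:\ is a second fixed drive with its own install) and Quadra's "no size" uninstall entry from the first post can all be answered from an elevated PowerShell prompt without running another scanner. The script below is an added example, not part of the thread or of any of the tools named in it; it is written against PowerShell 2.0 as shipped with Windows 7 (so no Get-Volume or Get-FileHash), and the "NBA*2K13" display-name filter is an assumption about how the entry is labelled.

```powershell
# Added example (not from the thread): identify the booted Windows, the fixed drives,
# the boot entries, and the orphaned game uninstall entry. Run from a PowerShell
# window started with "Run as Administrator" (bcdedit needs it). PowerShell 2.0 syntax.

# 1. Which Windows are we booted into right now?
$os = Get-WmiObject Win32_OperatingSystem
"Booted Windows : {0} ({1})" -f $os.SystemDirectory, $os.Caption
"SystemDrive    : {0}" -f $env:SystemDrive

# 2. Fixed drives (DriveType 3 = local disk), and whether each carries a Windows install.
#    A drive with both Windows\System32\ntoskrnl.exe and a Users folder is a full install,
#    which is what a second scan target (CB's "run it from E:\") is looking for.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType = 3" | ForEach-Object {
    $root = $_.DeviceID + '\'
    New-Object PSObject -Property @{
        Drive      = $_.DeviceID
        SizeGB     = [math]::Round($_.Size / 1GB, 1)
        HasWindows = Test-Path (Join-Path $root 'Windows\System32\ntoskrnl.exe')
        HasUsers   = Test-Path (Join-Path $root 'Users')
    }
} | Format-Table Drive, SizeGB, HasWindows, HasUsers -AutoSize

# 3. Boot entries: two "Windows Boot Loader" entries with different "device" partitions
#    confirm a dual boot and say which partition each one starts from.
bcdedit /enum osloader | Select-String -Pattern 'identifier|device|description|osdevice|systemroot'

# 4. The uninstall entry "with no size". Programs and Features reads these keys; on 64-bit
#    Windows a 32-bit game lives under Wow6432Node. EstimatedSize is in KB, so a missing or
#    zero value is exactly the "no size" seen in the panel. An entry that has a ModifyPath
#    but no UninstallString only offers Change/Repair, which matches the screenshot.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*NBA*2K13*' } |   # assumed display name
    Select-Object PSChildName, DisplayName, InstallLocation, UninstallString, ModifyPath,
        @{ n = 'EstimatedSizeKB'; e = { $_.EstimatedSize } },
        @{ n = 'InstallDateRaw'; e = { $_.InstallDate } } |
    Format-List
```

Step 4 is read-only: it shows where the leftover entry points (InstallLocation, ModifyPath) so the helper can see whether it references the E:\ game folder, but it deletes nothing, which is the same "please do not delete anything" rule CB asked for.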
21 Mar 2013   #3

Windows 7 Home Premium 64 Bit SP1

Hey CB,

I tried running RogueKiller and it crashed three times. On the 4th attempt it stalled at "Searching". On the crashes it seemed to have found two things.(RogueKillerCrash)

I have Windows installed on both C & E. Edit: I tried running RogueKiller again and it crashed. Managed to get a bit more info about those two objects in pics. (Rogue2/3Crash)


Attached Thumbnails
Virtool win32 Obfuscator.xz detected w/ MSE-roguekillercrash.png   Virtool win32 Obfuscator.xz detected w/ MSE-rogue2crash.png   Virtool win32 Obfuscator.xz detected w/ MSE-rogue3crash.png  


21 Mar 2013   #4
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Let's get rid of the adware you've got on your computer, then try to run RogueKiller again.

Download AdwCleaner (AdwCleaner Download) to your desktop.
1.Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
2.Click on Delete button.
3.Confirm each time with OK.
4.Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.


Next, download TFC by OldTimer (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
21 Mar 2013   #5

Windows 7 Home Premium

Quadra,

Is this a dual boot?
If so, what Operating Systems?


~~~~
Let's run the ESET Online Scanner:
http://www.eset.com/us/online-scanner-popup/
Run it from Drive E:\, presuming it has Windows 7.

First, temporarily disable your Anti-Virus (MSE).
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com
Taking this action allows for ESET to run a little faster.

If possible, use Internet Explorer for this scan.

Right-click on the IE icon in the Start Menu and select: Run as Administrator

Go here to run the Scan:
ESET Online Scanner

Accept the Terms of Use, then click on: Start
When prompted, allow the Add-On/Active X to install.

Under Scan Settings, make sure that the option Remove found threats is not checked, and the option Scan Archives is checked.

Click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now, click on: Start
The virus signature database begins to download. (This may take some time.)

Next, the Online Scan begins automatically.
Please do not touch the Mouse or keyboard during the scan, otherwise it may stall.

When the scan completes, click: List Threats
Please copy and provide the information presented in your reply. (If no malware is found, a list is not presented.)
Click the Back button, and then click the Finish button.


Notes:
1. Quarantined files are stored in the folder: \Local settings\Application data\ESET\ESET NOD32 Antivirus\Quarantine
2. Make sure you re-enable your Anti-Virus (MSE)
21 Mar 2013   #6

Windows 7 Home Premium

@Jacee

You beat me by one minute!!

The entries RogueKiller is showing do not appear to be of any consequence, if they are the only two items identified.

There is a lot of "stuff" on the logs, though.

Getting rid of it will make the going easier for ESET...less to scan.
ESET does target the Virtool win32 Obfuscator.xz

It looks as if the following files are the culprit:
E:\Users\Administrator\Desktop\FNIS\fa\NBA.2k13-RELOADED.ISO
E:\Program Files (x86)\2k Sports\NBA 2k13\rld.dll

There is a crack involved with the first file......ugh!
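CB has narrowed it to two files, the RELOADED ISO and rld.dll in the game folder. Before any tool is asked to remove them it is worth collecting evidence about them, because VirTool:Win32/Obfuscator is a generic detection for obfuscated or packed code: a crack DLL will trip it, but the name alone does not say whether the file also carries a real payload. The script below is an added example, not part of the thread or of any tool mentioned in it. It uses the two paths exactly as CB quoted them; everything else (the folder scan, the "kill before cleanup" reasoning) is the example's own assumption. It is written for PowerShell 2.0 on Windows 7 and deletes nothing.

```powershell
# Added example (not from the thread): evidence collection for the two files CB named.
# Run from an elevated PowerShell 2.0 prompt on the Windows that has E:\ visible.
# Output is size, timestamps, SHA-256 (for looking up on a multi-engine scanner),
# Authenticode status, which running processes have the DLL loaded, and any other
# unsigned binaries in the game folder. Nothing is modified or removed.

$suspects = @(
    'E:\Users\Administrator\Desktop\FNIS\fa\NBA.2k13-RELOADED.ISO',   # path quoted by CB
    'E:\Program Files (x86)\2k Sports\NBA 2k13\rld.dll'                # path quoted by CB
)
$gameDir = 'E:\Program Files (x86)\2k Sports\NBA 2k13'

function Get-Sha256Hex([string]$Path) {
    # PowerShell 2.0 has no Get-FileHash; stream the file through .NET so a
    # multi-gigabyte ISO is hashed without being read into memory.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Get-FileTriage([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }
    $f   = Get-Item -LiteralPath $Path
    $sig = Get-AuthenticodeSignature -FilePath $Path   # a crack DLL comes back NotSigned
    New-Object PSObject -Property @{
        Path        = $Path
        Exists      = $true
        SizeBytes   = $f.Length
        Created     = $f.CreationTime
        LastWritten = $f.LastWriteTime
        SHA256      = Get-Sha256Hex $Path
        Signature   = $sig.Status
        Signer      = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
    }
}

# 1. The two named files
$suspects | ForEach-Object { Get-FileTriage $_ } |
    Select-Object Path, Exists, SizeBytes, Created, LastWritten, Signature, Signer, SHA256 |
    Format-List

# 2. Is anything from the game folder mapped into a running process right now?
#    A loaded DLL cannot be deleted, and a process holding it is where a payload would run.
Get-Process | ForEach-Object {
    $p = $_
    try {
        $p.Modules | Where-Object { $_.FileName -like "$gameDir\*" } |
            ForEach-Object { "{0} (PID {1}) has loaded {2}" -f $p.ProcessName, $p.Id, $_.FileName }
    } catch { }   # access denied on protected or cross-bitness processes is expected
}

# 3. Other unsigned binaries next to rld.dll: cracks usually replace more than one file,
#    and ESET will need to see all of them. Signed files with a valid chain are skipped.
if (Test-Path -LiteralPath $gameDir) {
    Get-ChildItem -LiteralPath $gameDir -Recurse -Include *.dll, *.exe |
        ForEach-Object { Get-FileTriage $_.FullName } |
        Where-Object { $_.Signature -ne 'Valid' } |
        Select-Object Path, SizeBytes, LastWritten, Signature, SHA256 |
        Format-Table -AutoSize
}
```

The SHA-256 values are the useful artefact here: they let a helper check the files against other engines without uploading a cracked game image, and they let Quadra confirm after ESET runs that the files it lists are the same ones. The "loaded into a process" check matters for RogueKiller's crashes too, since a scanner that stalls at "Searching" on a module that is currently mapped is a different problem from one that is being actively blocked.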
21 Mar 2013   #7

Windows 7 Home Premium 64 Bit SP1

@Jacee I ran AdwCleaner and TFC as requested. Attempted to run RogueKiller 3 more times but still crashed on all attempts.

@CB Yes, they are dual boot, both Windows 7 64-bit Home Premium. I'm about to get started on ESET.


Attached Files
File Type: txt AdwCleaner[S1].txt (13.5 KB, 19 views)
21 Mar 2013   #8

Windows 7 Pro. 64/SP-1

Quadra, I hope you realize that when these good folks get you fixed, using cracked games or programs will start the mess all over again.
21 Mar 2013   #9

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit

Another one of these, fantastic. Another bootleg game (ISO file).
21 Mar 2013   #10
Microsoft MVP

Windows 7 Ultimate 32bit SP1

Looks like AdwCleaner got rid of a lot of crap!