Windows 7: Virtool win32 Obfuscator.xz detected w/ MSE

Hello,

I realize there's a similar thread on the front page but have come to the understanding I should create my own thread.

I recently ran a scan w/ MSE and came back w/ a hit for Virtool win32 Obfuscator.xz. MSE was unable to quarantine or remove it. I found what I think were the infected files and deleted/recycle bin them. (virus2.png)



It was a "cracked" game iso. I noticed under uninstall programs that the nba2k13 was still there and that I was unable to uninstall it. It has no size to it, so I'm not sure if this is just a "skeleton".(nba2k13 ChangeRepair) Notice I can only change or repair it. Reading further I've found that some "cracked" items use Obfuscator to hide itself from AVs for reasons of legality.

I uninstalled Power ISO and Daemon Tools Lite.

I looked over some other threads about this virus and ran DDS and GMER, also included is hijackthis.

It's my understanding that I should change all my passwords. What else should I be doing? Also would reformatting my HDD completely remove the virus? I have my resource and restore cds. I've backed up what files I need and have no problem about wiping my HDD.

I am currently running another complete scan on my HDD w/ MSE and as of this post it won't be finished for maybe an hour.

Thanks in advance.

Quadra,

Let's see if we can get to the root of the problem with this short scan. You ran other scans already, but this malware is rather "sneaky"...

Please download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement
Select the version that applies to your system: x64
Click the dark-blue button that applies.
Save to the Desktop.

Close all windows and browsers
Right-click RogueKiller and select: Run as Administrator

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.
(Please do not delete anything! Thanks!)

A couple of questions...
The malware shows in Drive E:\
Is C:\ where Windows is installed?
Is E:\ an additional fixed drive?

Hey CB,

I tried running RogueKiller and it crashed three times. On the 4th attempt it stalled at "Searching". On the crashes it seemed to have found two things.(RogueKillerCrash)

I have windows installed on both C & E. === Edit: I tried running RogueKiller again and it crashed. Managed to get a bit more info about those two objects in pics.(Rogue2/3Crash)

Let's get rid of the adware you've got on your computer, then try to run RogueKiller again.

Download AdWareCleaner AdwCleaner Download to your desktop
1.Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
2.Click on Delete button.
3.Confirm each time with OK.
4.Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.


Next, download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

Quadra,

Is this a dual boot?
If so, what Operating Systems?


~~~~
Let's run the ESET Online Scanner:
http://www.eset.com/us/online-scanner-popup/
Run it from Drive E:\, presuming it has Windows 7.

First, temporarily disable your Anti-Virus (MSE).
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com
Taking this action allows for ESET to run a little faster.

If possible, use Internet Explorer for this scan.

Right-click on the IE icon in the Start Menu and select: Run as Administrator

Go here to run the Scan:
ESET Online Scanner

Accept the Terms of Use, then click on: Start
When prompted, allow the Add-On/Active X to install.

Under Scan Settings, make sure that the option Remove found threats is not checked, and the option Scan Archives is checked.

Click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now, click on: Start
The virus signature database begins to download. (This make take some time.)

Next, the Online Scan begins automatically.
Please do not touch the Mouse or keyboard during the scan, otherwise it may stall.

When the scan completes, click: List Threats
Please copy and provide the information presented in your reply. (If no malware is found, a list is not presented.)
Click the Back button, and then click the Finish button.


Notes:
1. Quarantined files are stored in the folder: \Local settings\Application data\ESET\ESET NOD32 Antivirus\Quarantine
2. Make sure you re-enable your Anti-Virus (MSE)

@Jacee

You beat me by one minute!!

The entries RogueKiller is showing do not appear to be of any consequence, if they are the only two items identified.

There is a lot of "stuff" on the logs, though.

Getting rid of it will make the going easier for ESET...less to scan.
ESET does target the Virtool win32 Obfuscator.xz

It looks as if the following files are the culprit:
E:\Users\Administrator\Desktop\FNIS\fa\NBA.2k13-RELOADED.ISO
E:\Program Files (x86)\2k Sports\NBA 2k13\rld.dll

There is a crack involved with the first file......ugh!

@Jacee I ran AdwCleaner and TFC as requested. Attempted to run RogueKiller 3 more times but still crashed on all attempts.

@CB Yes they are Dual Boot both Windows 7 64 bit home prem. I'm about to get started on ESET.

Quadra I hope you realize when these good folks get you fixed using cracked games or programs will start the mess all over again.

Another one of these , fantastic . Another bootleg game (ISO file)

Looks like AdwCleaner got rid of a lot of crap!