Solved Virtool win32 Obfuscator.xz detected w/ MSE

[Quadra]

Hello,

I realize there's a similar thread on the front page but have come to the understanding I should create my own thread.

I recently ran a scan w/ MSE and came back w/ a hit for Virtool win32 Obfuscator.xz. MSE was unable to quarantine or remove it. I found what I think were the infected files and deleted/recycle bin them. (virus2.png)

It was a "cracked" game iso. I noticed under uninstall programs that the nba2k13 was still there and that I was unable to uninstall it. It has no size to it, so I'm not sure if this is just a "skeleton".(nba2k13 ChangeRepair) Notice I can only change or repair it. Reading further I've found that some "cracked" items use Obfuscator to hide itself from AVs for reasons of legality.

I uninstalled Power ISO and Daemon Tools Lite.

I looked over some other threads about this virus and ran DDS and GMER, also included is hijackthis.

It's my understanding that I should change all my passwords. What else should I be doing? Also would reformatting my HDD completely remove the virus? I have my resource and restore cds. I've backed up what files I need and have no problem about wiping my HDD.

I am currently running another complete scan on my HDD w/ MSE and as of this post it won't be finished for maybe an hour.

Thanks in advance.

 

[cottonball]

Quadra,

Let's see if we can get to the root of the problem with this short scan. You ran other scans already, but this malware is rather "sneaky"...

Please download RogueKiller:
Tlcharger RogueKiller (Site Officiel)

When you get to the website, go to where it says:
(Download link) Lien de téléchargement
Select the version that applies to your system: x64
Click the dark-blue button that applies.
Save to the Desktop.

Close all windows and browsers
Right-click RogueKiller and select: Run as Administrator

Press: SCAN

When done, a report opens on the Desktop: RKreport.txt

Please provide the RKreport.txt (Mode: Scan) in your reply.
(Please do not delete anything! Thanks!)

A couple of questions...
The malware shows in Drive E:\
Is C:\ where Windows is installed?
Is E:\ an additional fixed drive?

 

[Quadra]

Hey CB,

I tried running RogueKiller and it crashed three times. On the 4th attempt it stalled at "Searching". On the crashes it seemed to have found two things.(RogueKillerCrash)

I have windows installed on both C & E. === Edit: I tried running RogueKiller again and it crashed. Managed to get a bit more info about those two objects in pics.(Rogue2/3Crash)

 

[Jacee]

Let's get rid of the adware you've got on your computer, then try to run RogueKiller again.

Download AdWareCleaner AdwCleaner Download to your desktop
1.Right-click on adwcleaner.exe and select Run As Administrator to launch the application.
2.Click on Delete button.
3.Confirm each time with OK.
4.Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.

Next, download TFC by Old Timer TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

 

[cottonball]

Quadra,

Is this a dual boot?
If so, what Operating Systems?


~~~~
Let's run the ESET Online Scanner:
http://www.eset.com/us/online-scanner-popup/
Run it from Drive E:\, presuming it has Windows 7.

First, temporarily disable your Anti-Virus (MSE).
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com
Taking this action allows for ESET to run a little faster.

If possible, use Internet Explorer for this scan.

Right-click on the IE icon in the Start Menu and select: Run as Administrator

Go here to run the Scan:
ESET Online Scanner

Accept the Terms of Use, then click on: Start
When prompted, allow the Add-On/Active X to install.

Under Scan Settings, make sure that the option Remove found threats is not checked, and the option Scan Archives is checked.

Click on Advanced Settings and select the following:
Scan for potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Now, click on: Start
The virus signature database begins to download. (This make take some time.)

Next, the Online Scan begins automatically.
Please do not touch the Mouse or keyboard during the scan, otherwise it may stall.

When the scan completes, click: List Threats
Please copy and provide the information presented in your reply. (If no malware is found, a list is not presented.)
Click the Back button, and then click the Finish button.


Notes:
1. Quarantined files are stored in the folder: \Local settings\Application data\ESET\ESET NOD32 Antivirus\Quarantine
2. Make sure you re-enable your Anti-Virus (MSE)

 

[cottonball]

@Jacee

You beat me by one minute!!

The entries RogueKiller is showing do not appear to be of any consequence, if they are the only two items identified.

There is a lot of "stuff" on the logs, though.

Getting rid of it will make the going easier for ESET...less to scan.
ESET does target the Virtool win32 Obfuscator.xz

It looks as if the following files are the culprit:
E:\Users\Administrator\Desktop\FNIS\fa\NBA.2k13-RELOADED.ISO
E:\Program Files (x86)\2k Sports\NBA 2k13\rld.dll

There is a crack involved with the first file......ugh!

 

[Quadra]

@Jacee I ran AdwCleaner and TFC as requested. Attempted to run RogueKiller 3 more times but still crashed on all attempts.

@CB Yes they are Dual Boot both win7 64 bit home prem. I'm about to get started on ESET.

 

[Layback Bear]

Quadra I hope you realize when these good folks get you fixed using cracked games or programs will start the mess all over again.

 

[VistaKing]

Another one of these , fantastic . Another bootleg game (ISO file)

 

[Jacee]

Looks like AdwCleaner got rid of a lot of crap!

 

[VistaKing]

Quadra,

Have you run the ESET scanner ? If so upload the log file please.

ADDED:

I saw that you uninstalled Daemon Tools and Power ISO . You might also want to run this little tool below .

SCSI Pass Through Direct (SPTD), which is a well known BSOD causer. Uninstall the program at first(which you did already) . Then download SPTD standalone installer and execute the downloaded file as guided below :

Download

For 32-bit OS


Download

For 64-bit OS

Double click to open it.

Click this button only: (look at image below )

   Note

If it is grayed out, as in the picture, there is no more SPTD in your system, and you just close the window.

 

[Quadra]

@VistaKing ESET is still running it's at about 450k files scanned right now, seems to be scanning my C: too.

@LaybackBear Yes.

 

[VistaKing]

It scans the entire drive .

After the scan has completed do the steps I added HERE it will help you in the long run .

 

[Quadra]

Just a follow-up. ESET is still running and I'm about to turn in for the night. So I'm gonna let it run overnight and last I checked it found 300 items, so yeah.... If I have time before work I'll post that list from ESET. If not it'll be later in the day tomorrow. Thanks again for all your assistance everyone.

 

[VistaKing]

Take your time we are here to help

 

[cottonball]

Quadra,

Whenever you are ready, just attach the results.

Just make sure that the option Remove found threats is not checked. We need to make sure there are no crucial system files removed!

Sometimes scans take a Windows file in their sweep, and then there is a problem bigger than what you had before.

Will take a look at the results whe you provide them, and we'll go from there.

 

[Quadra]

Hello again,

ESET finished up. Looked over the log and just wanted to point out there are a bunch of false-positive hits that look like this: E:\Users\Administrator\Desktop\tesv-Squall17.exe a variant of Win32/GameHack.BE application

These are modifications for the games I own. Other than that I don't really recognize the rest of this stuff.

@VistaKing About to start SPTD

Thanks again.


Edit: SPTD came back greyed out as you have depicted VistaKing.

 

[VistaKing]

Good the SPTD tool didn't find any left over files when you uninstalled daemon tools .

 

[cottonball]

Quadra,

Please download CKScanner:
http://downloads.malwareremoval.com/CKScanner.exe

Important: - Save it to your Desktop

Double-click CKScanner.exe, then, click: Search For Files
When a list appears, click: Save List To File
A message box verifies the file saved.

Double-click the CKFiles.txt on your Desktop, and copy/paste the contents in your reply.

Thanks.

 

[Quadra]

@Cottonball Everytime I try to run CKScanner it does not respond. My mouse pointer turns into that aquamarine ring when a program doesn't respond. When I click on the CKScanner window it says "not responding." Is this one of those scans where I shouldn't touch the keyboard or mouse?

Edit: Managed to get it to work.

CKScanner 2.1 - Additional Security Risks - These are not necessarily bad
c:\program files (x86)\dragon age 2\addins\da2_prc_eye\module\audio\vo\de-de\facialanimations\fxe_eye400_cave_crack.crf
c:\program files (x86)\dragon age 2\addins\da2_prc_eye\module\audio\vo\en-us\facialanimations\fxe_eye400_cave_crack.crf
c:\program files (x86)\dragon age 2\addins\da2_prc_eye\module\audio\vo\fr-fr\facialanimations\fxe_eye400_cave_crack.crf
c:\program files (x86)\dragon age 2\addins\da2_prc_eye\module\data\cln_eye400_cave_crack.crf
c:\program files (x86)\steam\steamapps\chaoz14\counter-strike source\cstrike\materials\sprites\store\crackedbeam.vmt
c:\program files (x86)\steam\steamapps\chaoz14\counter-strike source\cstrike\materials\sprites\store\crackedbeam.vtf
c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\@acex_sm\.rsync\.pack\addons\acex_sm_c_sound_wep_crack.pbo.acex_sm.bisign.gz
c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\@acex_sm\.rsync\.pack\addons\acex_sm_c_sound_wep_crack.pbo.gz
c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\@acex_sm\.rsync\.pack\addons\acex_sm_s_wep_crack.pbo.acex_sm.bisign.gz
c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\@acex_sm\.rsync\.pack\addons\acex_sm_s_wep_crack.pbo.gz
c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\@acex_sm\addons\acex_sm_c_sound_wep_crack.pbo
c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\@acex_sm\addons\acex_sm_c_sound_wep_crack.pbo.acex_sm.bisign
c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\@acex_sm\addons\acex_sm_s_wep_crack.pbo
c:\program files (x86)\steam\steamapps\common\arma 2 operation arrowhead\@acex_sm\addons\acex_sm_s_wep_crack.pbo.acex_sm.bisign
c:\program files (x86)\steam\steamapps\common\mount & blade with fire and sword\sounds\fire_small_crackle_slick_op.ogg
scanner sequence 3.DK.11.AEAPTI
----- EOF -----