Author Topic: Super malicious root kit virus Trojan.msil  (Read 18172 times)

Elrammstein
« on: January 14, 2015, 10:30:01 pm »
I recently started noticing my PC not having access to Control Panel options, such as Security, the Windows Update troubleshooter, and most of the other Control Panel options. The system would not shut down; I left it on for 24 hours once before I manually shut it down by holding the power cord.


Fixing the issue:
In safe mode I ran Malwarebytes root beta. The program only found one file, a .jpg file with Trojan.passwords.msil, which I cleaned up. Assuming my system was clean, I proceeded to do a normal boot and log in. Turns out I was wrong: removing the Trojan and booting in normal mode now only returned a black screen with my cursor on it. After some research I read that Ctrl+Alt+Del would still work, so I made it so that I could at least restart in safe mode.

I'm on 2 small solid state drives, so there is no chance I can start in safe mode by pressing the F8 key.

I ran Tweaking.com Windows Repair and everything seemed OK; it went thru the entire process. However, I am receiving the black screen with only a cursor and Ctrl+Alt+Del capability.

I'll try to post my specs if I can get a follow-up.

Pls note I wrote this on an iPhone so spelling might be off.

jraju
« Reply #1 on: January 15, 2015, 04:48:27 am »
Hi,

After fixing with Malwarebytes, you should have let it clean the entire drives. There is an option to select to scan the entire system before a normal reboot, because the Malwarebytes normal scan runs only on the C: drive. I hope you understand.

Now, if you can start the computer in safe mode, do this and then try to boot normally. If the problem is not fixed, you could try downloading JRT tools from bleepingcomputer.com or thisusu.org, and then run it. It will fix most third-party attacks.

If those steps do not fix it, then it is better to boot in safe mode, download aswMBR from the Avast site or a reputed site, run it in safe mode, and then wait. It will fix some hidden rootkits.

If it reports some corruption and asks you to run fixmbr, run it. You can safely run this command in that program. It will fix any master boot error.

Try it and then post your progress.
The Bottom line is "Check your hardware first if it supports the task you try".

Shane
« Reply #2 on: January 15, 2015, 05:20:12 pm »
If you can Ctrl+Alt+Delete, can you open Task Manager and start explorer.exe?

Shane

Boggin
« Reply #3 on: January 16, 2015, 01:15:23 am »
I once had the black screen with just the white cursor but it wasn't because of an infection and the only way I could get back in was with a Kaspersky Rescue Disk which you can create if you have access to another computer or you may be able to do it in Safe Mode with Networking. http://support.kaspersky.co.uk/viruses/rescuedisk/

As you can boot into Safe Mode you could also manually run a full scan with MSRT by going Start - type mrt.exe and press enter, then select the Full scan option.

I assume you have your OS on one of the SSDs and your programs on the other?

If that is the case then disconnect the programs one and see how it boots either in normal mode or with F8 and run the scans on that.
« Last Edit: January 16, 2015, 08:41:01 am by Boggin »

Rick
« Reply #4 on: January 16, 2015, 03:55:57 am »
Suggestion: can he remove the hard drive and connect it to a USB port, then run Malwarebytes on another computer?

In my humble opinion, any infected hard drive should only be checked on a clean system...

I have also found using 360 to be very helpful recently.

That program you sent for the phone is working great, thank you!

best regards,
rick

Shane

Shane
« Reply #5 on: January 16, 2015, 02:24:47 pm »
A blank screen with just a mouse cursor is actually very easy to replicate. You just remove or change the userinit.exe from the registry and you will have a blank screen like that. So if task manager can open and he can start explorer.exe then the desktop would show up. And then we can go check that registry location :-)

Shane
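
The registry check Shane refers to, as an added PowerShell example that is not part of the original post. It assumes the standard Winlogon key and its stock `Userinit` and `Shell` values, goes slightly beyond the post by also looking at a per-user `Shell` override, and only reads the registry; the tampered input is a constructed sample.

```powershell
# Added example: read-only check of the Winlogon values that start the user session.
$SysDir = Join-Path $env:SystemRoot 'System32'
$SubKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WinlogonValue {
    param([string]$Name, [string]$Value, [string[]]$Expected)
    # Userinit is a comma-separated list; the stock value ends with a trailing comma.
    $entries    = @($Value -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
    $unexpected = @($entries  | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $entries  -notcontains $_ })
    [pscustomobject]@{
        Name       = $Name
        Ok         = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
        Missing    = $missing -join '; '
        Unexpected = $unexpected -join '; '
    }
}

function Get-WinlogonReport {
    param([hashtable]$Machine, [hashtable]$User = @{})
    Test-WinlogonValue 'HKLM Userinit' $Machine.Userinit (Join-Path $SysDir 'userinit.exe')
    Test-WinlogonValue 'HKLM Shell'    $Machine.Shell    'explorer.exe'
    # HKCU has no Shell value by default; if present it replaces the shell for that user.
    if ($User.Shell) { Test-WinlogonValue 'HKCU Shell' $User.Shell @() }
}

function Read-Winlogon {
    param([string]$Hive)
    $p = Get-ItemProperty -Path "${Hive}:\$SubKey" -ErrorAction SilentlyContinue
    @{ Userinit = $p.Userinit; Shell = $p.Shell }
}

# Constructed sample: Userinit emptied, which is the blank-screen case from the post.
$removed = @{ Userinit = ''; Shell = 'explorer.exe' }
Get-WinlogonReport -Machine $removed | Format-Table -AutoSize

# Constructed sample: Userinit changed to carry an extra, unexpected entry.
$changed = @{ Userinit = "$SysDir\userinit.exe,C:\Windows\Temp\example.exe,"; Shell = 'explorer.exe' }
Get-WinlogonReport -Machine $changed | Format-Table -AutoSize

# Live system: any row with Ok = False is worth a manual look in regedit.
Get-WinlogonReport -Machine (Read-Winlogon 'HKLM') -User (Read-Winlogon 'HKCU') |
    Format-Table -AutoSize
```

From the black screen, this can be started through Task Manager's "Run new task" by launching powershell.exe.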

jraju
« Reply #6 on: January 24, 2015, 12:22:02 am »
Hi, elram,

An immediate reply would give you a quick solution. For Shane's post dated the 16th, your interim reply came on the 24th.

Elrammstein
« Reply #7 on: January 24, 2015, 12:26:50 am »
Sorry, I have been moving and busy at work.

Elrammstein
« Reply #8 on: January 24, 2015, 12:36:39 am »
Update: ran explorer thru the Run command. I then had 2 explorer.exe; I ended the task of one and now I have my desktop back.

I know Shane is prob with his fam, do u guys have any suggestions? What kind of system diagnostic can I provide?

I am still having the same symptoms as before :/
« Last Edit: January 24, 2015, 08:11:11 am by Elrammstein »

Elrammstein
« Reply #9 on: January 25, 2015, 10:41:06 am »
Attempted to run Windows Defender Offline beta; I received an error message. My Windows is corrupted, I'm assuming, so I'll attempt a fresh install.

Update: downloaded the Win 8.1 media file to a USB. My Win 8.1 was a download so I don't have a disk.

Here are the results.

« Last Edit: January 25, 2015, 03:07:59 pm by Elrammstein »

Boggin
« Reply #10 on: January 25, 2015, 04:34:59 pm »
Let's see if a couple of commands will nail things down a bit more.

Boot up into Safe Mode with Networking and open Command Prompt (Admin) and enter dism /online /cleanup-image /checkhealth

That command will tell you if Windows is repairable.

Repeating the command and swapping /checkhealth for /scanhealth may show what is wrong.

Finally using the switch /restorehealth may fix what's wrong or you could run this first, but you may glean more info from the other two.

Depending upon what those commands give, enter sfc /scannow to see what that reports.

There are other options to a reinstall and they are Refresh or Reset.

As you now have an install USB, give the Refresh option a whirl if none of the above resolve, but if/when you're back up and running, create the Custom refresh image as this article advises. http://www.davescomputertips.com/how-to-perform-a-windows-8-1-refresh/
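
The check order from the post above, as an added PowerShell example that is not part of the original post. It assumes the DISM module's `Repair-WindowsImage` cmdlet as the equivalent of the `dism /online /cleanup-image` switches, an elevated prompt, and the default CBS.log location.

```powershell
# Added example: checkhealth -> scanhealth -> restorehealth -> sfc, in the order given
# in the post, using the DISM PowerShell cmdlet instead of dism.exe (assumption).
function Invoke-ComponentStoreTriage {
    # CheckHealth only reads a corruption flag that was already recorded, so it is fast.
    $state = (Repair-WindowsImage -Online -CheckHealth).ImageHealthState
    Write-Host "CheckHealth   : $state"

    # ScanHealth walks the whole component store and can change the verdict.
    $state = (Repair-WindowsImage -Online -ScanHealth).ImageHealthState
    Write-Host "ScanHealth    : $state"

    switch ("$state") {
        'Healthy'       { Write-Host 'Component store is clean; RestoreHealth not needed.' }
        'Repairable'    {
            $state = (Repair-WindowsImage -Online -RestoreHealth -NoRestart).ImageHealthState
            Write-Host "RestoreHealth : $state"
        }
        'NonRepairable' { Write-Host 'Not repairable in place; Refresh, Reset or reinstall is next.' }
    }

    # sfc checks protected system files against the component store verified above.
    & "$env:SystemRoot\System32\sfc.exe" /scannow

    # sfc records per-file results in CBS.log on lines tagged [SR]; list what it could not fix.
    $cbs = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
    $unrepaired = @(Select-String -Path $cbs -Pattern '[SR]' -SimpleMatch |
        Where-Object { $_.Line -match 'Cannot repair' })
    Write-Host "sfc entries it could not repair: $($unrepaired.Count)"
    $unrepaired | Select-Object -First 10 -ExpandProperty Line

    return "$state"
}

Invoke-ComponentStoreTriage
```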

Elrammstein
« Reply #11 on: January 25, 2015, 05:45:09 pm »
Might be a bit too late for that; I formatted the SSDs for a clean install. Now I'm just trying to figure out how to convert them to GPT.

Boggin
« Reply #12 on: January 26, 2015, 01:17:58 am »
Ah well....

Don't suppose you created a full external system image before proceeding with that in case of problems....

Shane
« Reply #13 on: January 26, 2015, 03:10:51 pm »
Yeah, sorry it was a busy weekend with the family. Just not getting to the emails and posts.

I was going to have you check the registry location, but you did a reinstall before I could get to you lol

Well at least you are up and working, if you need help with anything else, just ask  :wink:

Shane

Elrammstein
« Reply #14 on: January 26, 2015, 06:54:58 pm »
Thank you guys, I will come back if I do have questions.

Nvm, I guess I claimed victory too soon. Windows 8.1 asked if I wanted to start from the last saved configuration, which was elrammstein system manufacturer (I built this PC) 01/14/2015. Is it possible that the corrupted registry was uploaded there as well?

Shane, how do I upload the registry log? Just in case.

Update: restarted the updates and they are loading now.

System required restart; system is locked in restart, pic attached.

System restarted normally and installed updates
« Last Edit: January 26, 2015, 07:35:18 pm by Elrammstein »

Shane
« Reply #15 on: January 27, 2015, 12:17:06 am »
Windows 8 will be a big pain on the updates. So just keep doing them, rebooting and then checking for more updates until it says there are no more.

On a fresh install of 8.1 I had to do that 4 times in a row; each time it was very large updates which, when all combined, were over 3 GB in size. MS has really dropped the ball on update sizes in 8.1 for some reason.

Shane

jraju
« Reply #16 on: January 29, 2015, 01:39:10 am »
Hi, preferring the introduction of the latest version of msoft really has some issues. Even when they are attending to updates for Windows 7 and IE 11, I think going for 8.1 at its initial stage baffles me. I read about so many problems in Win 8 and 8.1, for which you have some fixes in your latest repair, be it the updates or other things.

Now huge balls of updates.