David F. M.

Boot Virus Malmo, Just One Problem out of Many

Recommended Posts

Hello Mr. Worsar & Everyone in the Emsisoft Team & Community,

After Hearty Greetings,

It is a pleasure for me to be here as one of the users not a mere guest. Thank You Very Much for your Generous Aids and Hard Valuable Work. Also, Hands Up for your endless efforts and superb products and ransomware decryptors. I knew about your respected company only this December [2016] when I was crying and dying for a solution for damned Cerber encryption dilemma. Not to detail about this now.

Introductory Note: Lord Have Mercy

==========================

I have been plagued with catastrophic events in my computer. The first event which saddened me alot was the falling of a 2-TB Western Digital Green HDD on the room floor and it was damaged [Then diagnosed with corrupt header and God Knows]. Then, more dramatic, I have been stunned with the infamous infection of the badly notorious Cerber 4/5 version in the course of a night (sleeping and waking up to see the damage). The problem is multifaced because 1. No Decryptor Available Now, 2. No Decryptor will Be Sent After Ransom or it will cause further trouble & 3. I'm nearly Bankrupt to pay any ransoms and this is the bare truth. Of course I'm waiting for a solution soon.

 

The Main Problem To Discuss Now
==========================


The third problem which is persistent and that is related to my questions is "Boot Virus Malmo". Here is all info I collected to you to diagnose.

Part I:  "Boot Virus Malmo" Notes:

- The error is deeply rooted on my disk , as Emsisoft told me, as it is present and persists before and after installing a bundle of security programs and two or three Windows 7 [32 & 64] in the course of a year now.
- Boot Virus Malmo in one of my disk which was detected but not removed by:
a) Avast Internet Security Suite which was installed for months  (All the Time, long ago)
b) IObit Advanced System Care Ver. 9 Full Version (All the Time, long ago)
c) Malwarebytes Antimalware Free & Registered Versions Multiple Times ( inc. 7 Days ago) before reinstalling the plagued system.
d) Kaspersky Internet Security 17.0.0.  .... Free Trial Activated Multiple Times (Months ago & before installing EIS)
e) Norton Internet Security Free Edition (7 Days ago) before reinstalling the plagued system (& installing EIS)
f) Emisoft Antimalware Ver. 12 (5 Days ago) before reinstalling the plagued system
g)  Emisoft Internet Security Ver. 12 of which I post the photos and is currently installed AND UPDATED

Part II: System Notes:

The System
- Windows 7 [x64] running [ Installed a week ago & KIS was removed due to blocking the  internet access and annoying me desite knowing it is an excellent package.
- No other Antivirus or IS Suites are installed [Neither Free, nor Cracked Nor Legit Purchased]
- The computer was plagued with Cerber 4 / 5 Ransomware and the damage has been done and it is a fresh Win.
- I removed any malware types previously detected by d), e) & f) above before reinstalling the system to install Emisoft Internet Security  in a cleaner more respectable environment instead of the very old deteriorated system
- All of my HDDs are Western Digital SATA 1 TB w/ System Installed + 1 TB + 3TB + 500 TB

Part III: Reports & Sreenshots

1 Here are the Emsisoft Scan Note:

\DosDevices\PhysicalDrive1      Rootkit.MBR.Malmo.A (Boot image) (B) [krnl.xmd]

- Attached Scans & Screenshots-

2 Here is part of the Kasper Advanced Disinfection with my notes:

09.12.2016 13.43.28    Object (physical disk) not processed    \Device\Harddisk2\DR5    Physical disk: \Device\Harddisk2\DR5    Object name: Virus.Boot.Malmo    Reason: Disinfection impossible

- Attached Sreenshots -

Part IV:

I have a lot of questions and suggestions concerning your Internet Security Suite. If you welcome them, I'd post them separately in a post entitled "Thoughts, Questions & Suggestions on EIS Ver. 12"
Tell me where to share such a personal opinion.

Part V:
Thank You Very Much Again & Again
Much Appreciated In Advance
Greetings & Prayers for You from Egypt

Yours,
David

NB

Attached file contains scan reports and screenshots of what I mentioned

I did not attach the cmd & ini files I found in a photo folder while cleaning an encrypted photo folder from cerber, just photos.

I rare them and kept them !!!!!!!!!

Best for message.rar

Share this post


Link to post
Share on other sites

Hello David,

Welcome to the Emsisoft Support Forums. My name is Kevin, and I will be helping you with fixing your problems.

Take note of some guidelines for this support request:

  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean." We do not want to clean you part-way, only to have the system re-infect itself.
  • Do not start a new topic.
  • The logs that you post should be attached to the reply
  • Set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.


The procedures contained in this thread are for this user and this user only.  Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.  Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

Read and follow these instructions carefully.

Download to your Desktop:
- Emsisoft Emergency Kit
- Farbar Recovery Scan Tool

  • NOTE: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


NOTE: If you are unable to download the tools from the infected system, the tools can be saved to and run from a USB flash drive.

All scans are to be run in Normal Mode. Do not run anything in "Safe Mode", unless you are instructed to do so by the Malware Removal Specialist handling your case.

Do not force Safe Mode. Instructions on How to Boot to "Safe Mode" can be found at: http://www.malwarete...kb/SafeMode.php

Let's get started:

  1. Install and Run Emsisoft Emergency Kit (EEK):
    • Double click EmergencyKitScanner.exe to install EEK
    • When the installation of EEK is complete the Emergency Kit scanner will run.
      NOTE: Make sure to enable PUPs detection.
    • Click "Yes" to Update Emsisoft Emergency Kit
    • Under "Scan" click-on "Malware Scan".
      IMPORTANT: Do not quarantine or delete anything. We just want the scan log without anything being quarantined or deleted.
    • Save the scan log somewhere that you can find it.
    • Exit Emsisoft Emergency Kit.

  2. Run Farbar Recovery Scan Tool (FRST):
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • Farbar Recovery Scan Tool will produce the following logs:
    • FRST.txt
    • Addition.txt

  3. Create a new topic in our Help, my PC is infected! forum and attach the following logs to your post:
    • Emsisoft Emergency Kit log (C:\EEK\Reports\)
    • FRST.txt
    • Addition.txt

    (NOTE: if you need to attach the logs to a reply to an existing topic, then you will need to use the More Reply Options button to the lower-right of where you type in your reply in order to see the controls for attaching files)

Share this post


Link to post
Share on other sites

Dear Mr. Kevin Zoll,

   First of all, Thank You for your Quick Reply & Interest in Aiding Inexperienced Users. This is Awesome. Although I'm

very new to your products, do not own a license key to the EIS and away from where you are, you spared no efforts

to help and  because God knows I need such experienced assistance more that any other time, He made me know Who are behind Emsisoft.

I followed the instructions fully  [Also included Sreenshots]

1 - As you did not tell me to do or not to do:
- I did NOT run the two tools NEITHER in Safe Mode NOR as Admin
- Internet Connection is on

- I will not put any other HDD or USB Storage Devices as well, I got what you intent as removing the physical disk 500 HDD caused the reading of the physical drive change between the diagnostic reports of KIS & EIS and both were correct at the time of scan.

- I will not add or remove any other security programs at all.

- I installed and immediately removed WinMerge Open Source program because a friend programmer wanted to see what the ransomware did in a PDF file by comparing  a newer donload with the corrupt one when he came to visit me yesterday and he said that the virus caused damage to the file header and data is turned upside down due to the alghorism. [Added]

- What is more important for me is Data Safety After the Removal Process on the Three Disks. As for the system drive, I can re-install it and the most important software in 1 hour. [Added]

- EIS installs updates regualry [Added]

2  I included Sreenshots of what I did:
- Also included extra screens of some programs
- Also, the [cmd & pmp_usb ] I found within a picture folder on the 3-TB HDD!!

2 - I made all hidden categories undidden as the sreenshot will shows you.

3 - Running the EEK, as follows:
-  It is already downloaded on my HDD nearly 12 days ago and has been used before on the old now-replaced system
- I Updated it before the scan in , say, ten minutes
- I Used the Malware Scanner Function as you will see the report.
- I Saved the Scan Report on Desktop

4 - Running the bleebingcomputer.com Farbar Scanner Tool

- I Downloaded the tool as it is lost with other files.
- I Scanned [ included two optional criterias which I do not know what they are!!].
- I Saved the two reports on the Desktop.

OMG
These two files include all what has happened and are on the system!!!!!!!!!!!!!!!!!!!!!!!!
Hahahahah

5 - I collected the sreenshots and the scans in the message in a disinfection first steps .rar file

6 - Notes
 -  I noticed that this damned infection is always spotted very fast by all scanners I mentioned in my message as it

appears the first in the results [EIS, EEK, EAM {Your 3 Releases} , MBA Free, previously by KIS , S Norton, Iobit ASC

& Avast]!!!!!!!!!!!!

- Protected Folder (HKLM-x32\...\Protected Folder_is1) (Version:  - IObit) is outdated and I do not use it at all

- KIS is not on the system anymore because its firewall is extremely agressive , the newly known to me Anti-

Ransomware Tool, installed before downloading the new EIS. The logs will prove this

- When I tried to rescan using Farbar Tool, EIS told me it wants to install ON MY SYSTEM ALTHOUGH IT DID NOT

NOTE IT IN FIRST USE!!!!!!!!!!!!!!!

- As a means of visual feedback, I'm compiling, not posting now, screens of EIS to show you how the suite is working

[and some ads that were allowed]

                                                                                               Thank You Mr. Zoll

                                                                                                                                                     Yours,

                                                                                                                                                     David.

 

disinfection first steps.rar

cmd.rar

pmp_usb.rar

Edited by David F. M.
For precise language & Important Additions

Share this post


Link to post
Share on other sites

This is an older MBR bootkit

\DosDevices\PhysicalDrive1     detected: Rootkit.MBR.Malmo.A (Boot image) (B) [krnl.xmd]

and is very likey a false positive based on what I can see in your logs.

However, I did see a few thing sin your FRST log that should be fixed.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO-x32: No Name -> {2E38825B-8815-42CF-9126-C58BC28D4591} -> No File
Toolbar: HKLM-x32 - No Name - {093F479D-712E-46CD-9E06-62E734A05F68} -  No File
Toolbar: HKU\S-1-5-21-3679666152-2273879828-4256068978-1000 -> Kaspersky Protection Toolbar - {093F479D-712E-46CD-9E06-62E734A05F68} -  No File
2016-12-11 10:38 - 2016-12-11 10:38 - 00000000 ____D C:\ProgramData\{ACBCD40A-42A8-4FF9-BD42-ABCD14998CBA}
2016-12-11 06:19 - 2016-12-11 06:19 - 00000000 ____D C:\Windows\SysWOW64\%ProductFolder%
2016-12-11 04:33 - 2016-12-11 07:36 - 00000000 ____D C:\Windows\AF54923662584AC6A0435B5B89C6EB61.TMP
2016-12-09 11:39 - 2016-12-09 11:39 - 00000000 ____D C:\Windows\SysWOW64\%PersonalRootCertificateFolder%

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 and press the Fix button just once and wait.

If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.

Share this post


Link to post
Share on other sites

 

What I did is exactly as follows:

- I copied the code as requested.

- I put in in the same folder with the Farbar Tool.

- I launched the tool and clicked fix.

- It required a restart and I did.

- The "Fixlog.txt" file was created in the same directory as the tool in: D:\Tool for decrypting files\- Tools\Farbar Recovery Scan Tool

- The log is attached to the reply as I copied it to & uploaded it from the desktop.

NB

- The Internet connection is on.

Fixlog.txt

Now, if it turned out to be a real false positive, the question of how I get rid of it by replacing the MBR raise tough questions for me:

How do I get it eliminated for any future scans or fresh Windows installations?

How can I get a fresh copy of MBR by replacing it?

Here I find a lot of methods presented online for MBR Sample Collection & Replacing which will necessitates full understanding and a much higher expertise than mine.

What do I do if it was detected on another HDD from those which are not connected now? Will I follow the same procedures of what preceded and what will follow?

Will Reformatting & Recreating  the HHD it is spotted on after I empty them using Acronis Disk Director Suite {Bootable on Installed on the System} clear this problem?

 

Share this post


Link to post
Share on other sites

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread.
 

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.