reimaged computer shutting down on virus scan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kpduty, Jan 4, 2012.

  1. kpduty

    kpduty Private E-2

    Greetings,

    It may be too late for me, and I have thoroughly chastised myself for not contacting you sooner and for not writing down the names of the viruses/keeping logs before I reformatted the drives and reinstalled from factory image and dell media center DVD. I’ve always had good luck just using forums posts first with XP systems thanks to you!

    My mother-in-law has a 32 bit Vista Home Dell with plenty of memory. I uninstalled:

    My Web Search
    Inbox
    Incredimail
    Adobe Reader 9.0
    Older java 6.7

    AVG Free had been uninstalled by someone else and replaced with Microsoft Security Essentials (MSE). MSE history showed a previous Trojan dropper.

    MBAM full scan showed 15 infections when I inherited the beast and cleared them all, showing a clean run the second time. MSE says it successfully removed the Trojan Dropper. Ran CCleaner and CCleaner Registry fix. Toggled system restore.

    Rebooted and went to run MSE again and computer shut down. Tried to run combofix and computer shut down. Uninstalled all varieties of java and re-ran MSE and combofix and computer shut down on both. Renamed combofix, ran it in safe mode and computer shut down. Turned off hibernation and set sleep to 360 minutes. MSE shut down. GMER shut down after showing rootkit activity. Sophos rootkit detected no problem.

    Reimaged computer from Dell factory image drive, flashed BIOS from 15 to 16 from Dell site per service tag, reseated memory modules. Turned off hibernation and set sleep to 360 minutes. MSE still shut down. Formatted C: & Dell Media Direct: drives using Vista disk. Reimaged from factory image and Media Direct Disk. Turned off hibernation and set sleep to 360 minutes. MSE shut down on run again.

    Finally decided I needed professional help – sorry. So I ran the read me and run me first.

    Accidentally (really) ran MG tools first attached as MGtoolsFirst.zip.
    Ran Super Anti-spyware on both C: and D: (factory image). Results: Clean/no threats found. Attached Saslog.txt
    Ran MBAM Quick Scan No objects detected. MBAM.txt attached
    Ran combofix successfully for the first time! Combofix.txt attached

    Could not open rootrepeal.rar and no link from MG in Zip format. Downloaded ZIP from Google beta site. (Oddly, when I went to find the ZIP version of RootRepeal, IE8 kept telling me I was entering a secure site so I hit OK, though no https:// was in the address bar and these were not secure sites.)
    Went to extract RootRepeal, and machine said "illegal operation on a registry key that has been marked for deletion". Got same message when I went to start – control panel or try to run MGtools, so rebooted and finally ran extracted Root Repeal file from google beta site and ran MG tools per instructions. Attached as RRlog.txt and MGLogs.Zip

    Wishing I had kept the MBAM log from the first time when I thought it was fixed. Like I said, I may be beyond help here. But I humbly request your help and thank you for taking the time to read this. Logs attached.

    Mo

    P.S. Have yet to update Vista since re-install. Figured best to stay offline till I had a clean bill of health. Also, Microsoft security essentials just finally successfully ran -- came back with "No Threats". What do I do?
     


  2. thisisu

    thisisu Malware Consultant

    Both of these are clean as well as the rest of your logs. Let's just do a few more scans to be sure.

    I want you to read and follow these instructions: TDSSKiller - How to run


    Please download MBRCheck by clicking here and save it to your desktop.

    • Double-click on the file to run it. (Vista/7 right-click and select Run as Administrator)
    • A window will open on your desktop.
    • If an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter.
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.txt should appear on your desktop.
    • Attach this file to your next message. (How to attach)

    Please download OTL by OldTimer.

    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (Vista/7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the text-field.
      Code:
      netsvcs
      /md5start
      atapi.sys
      csrss.exe
      explorer.exe
      lsass.exe
      regedit.exe
      services.exe
      svchost.exe
      userinit.exe
      winlogon.exe
      /md5stop
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %allusersprofile%\application data\*.exe
      
    • Now click the button to run the scan.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (How to attach)
     
    Last edited: Jan 4, 2012
  3. kpduty

    kpduty Private E-2

    Thank you, Thisisu!

    I have attached the requested logs.

    I did find a named virus on the flash drive that I moved mom's documents to before reimaging and scanning this system. Do you want the specifics on that when we finish this?

    You have my undying gratitude, for what it's worth.

    Mo
     


  4. kpduty

    kpduty Private E-2

    thank you!
     
  5. kpduty

    kpduty Private E-2

    Thanks very very much, Thisisu. My reply did not show up with attachments --here it is again.

    Also, found a fake recycler ctfmon on the flash drive containing the documents removed from the sick computer. Not sure where to go with that once this system has its ok.

    You have my undying gratitude, for what it's worth.
    Mo
     


    Last edited: Jan 5, 2012
  6. thisisu

    thisisu Malware Consultant

    You're welcome. These logs are clean as well.

    Hold down the Shift key and then insert your flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Please have all your removable storage devices ready for disinfection.

    Download Flash Disinfector by sUBs and save it to your desktop.

    • Double-click Flash_Disinfector.exe to run it.
    • Your desktop and icons may disappear. This is normal.
    • It will do a cleanup of removable storage devices, and write a protected Autorun.inf file to help prevent re-infection.
    • Follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
    • Wait until it has finished scanning and then exit the program.
    • There will be no GUI interface or log file produced.
    • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.

    Then I would also run a scan with MBAM on the entire flash drive in question (My Computer -> "My Flash Drive" (F: ) -> right-click -> Scan with Malwarebytes' Anti-Malware).
    Feel free to attach the report for analysis.
     
  7. kpduty

    kpduty Private E-2

    Good to know they are clean. A big thanks! Since it was a network virus do I need to worry about my wireless network and wireless home network? It only showed up on the flash drive, I checked all the other computers with MSE and MBAM.

    This is what MSE had to say yesterday about the virus on the flash drive of saved docs:

    WORM: WIN32/Fakerecy.A

    Category: Worm

    Description: This program is dangerous and self-propagates over a network connection.

    Recommended action: Remove this software immediately.

    Security Essentials detected programs that may compromise your privacy or damage your computer. You can still access the files that these programs use without removing them (not recommended). To access these files, select the Allow action and click Apply actions. If this option is not available, log on as administrator or ask the security administrator for help.

    Items:
    file:D:\Recycled\ctfmon.exe
    filelocalcopy:\\?\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\LocalCopy\{FC81F6E2-F8CA-47D7-99CA-D6A232B2A2C4}-ctfmon.exe

    Best,
    Mo
     
  8. thisisu

    thisisu Malware Consultant

    To be safe yes. If MSE and MBAM did not find anything on the other PCs you are most likely safe. These types of worms are not too bad and MBAM alone deals with them quite well.

    Just make sure these are actually deleted. I would recommend checking the entire D:\Recycled folder for any other files that may be there. It's not a legitimate folder, especially for a flash drive so it would be safe to remove the entire "Recycled" folder. This is not to be confused with the $RECYCLE.BIN folder that may be visible if you have system files showing in the root of C:

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START, then RUN, enter the below into the run box and then click OK. Note that the quotes are required:
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:

    Take care and be safe! :)
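As an added illustration of the removable-drive worm discussed in the two replies above (this is not a tool from the thread or from the MajorGeeks procedure): a small Python parser that reads an autorun.inf of the kind a Fakerecy-style worm drops on a flash drive and flags every directive that would launch something from the drive, such as a bogus Recycled\ctfmon.exe. The sample autorun.inf, the key list and all function names are constructed for this example.

```python
from pathlib import PureWindowsPath

# Constructed sample autorun.inf in the style of a USB worm that hides its
# payload in a fake "Recycled" folder (illustrative, not taken from the thread's logs).
SAMPLE_AUTORUN_INF = """[AutoRun]
open=Recycled\\ctfmon.exe
shellexecute=Recycled\\ctfmon.exe
shell\\open\\command=Recycled\\ctfmon.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

# Directives Windows AutoRun/AutoPlay can act on, and extensions that run code.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}


def parse_autorun_inf(text):
    """Return {key.lower(): value} for the [AutoRun] section of an autorun.inf."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()  # new INI section header
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_target(value):
    """Extract the program path from a directive value, honouring a quoted path."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def suspicious_directives(entries):
    """Return (key, value, reason) for each directive that would launch code from the drive."""
    findings = []
    for key, value in entries.items():
        # open=, shellexecute= and shell\<verb>\command= all launch a program
        launches = key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
        if not launches:
            continue
        path = PureWindowsPath(launch_target(value))
        parts = [p.lower() for p in path.parts]
        if "recycled" in parts or "$recycle.bin" in parts:
            findings.append((key, value, "launch target inside a Recycled folder"))
        elif path.suffix.lower() in EXEC_EXT:
            findings.append((key, value, "launch target is an executable"))
    return findings
```

Holding Shift while inserting the drive, as described above, is what stops Windows from acting on these directives in the first place; the parser only shows what they would have done.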
     
  9. kpduty

    kpduty Private E-2

    A million thanks -- everything came back clean. I followed the instructions and am now updating the machine. I guess the registry key one of the programs marked for deletion must have been the culprit, all the antivirus programs ran this time.

    Thanks!
    Mo
     
  10. thisisu

    thisisu Malware Consultant

    You're welcome :)
     
