[Formatting] Safe?

Discussion in 'Malware Help (A Specialist Will Reply)' started by ares91, Dec 12, 2009.

  1. ares91

    ares91 Private E-2

    Hi there,

    [I've already searched if there was any similar thread, but without results]

    Recently I've been experiencing some issues with my pc, for example odd events such as weird crashes/trojan detection pop ups/infostealer detection pop ups etc.
    Ok so I went to this forum and as we speak I'm running all of the standard tests to see if there is anything left. My antivirus, Symantec, has already quarantined a couple of these files (see attachment below, note that the list doesn't include all of the [there were 39] infostealer.gampass files, I deleted all of them).

    Anyway, it's tempting to just format my pc and start with a clean Windows XP SP3. I've wanted this for quite a while now but haven't had the time to do it yet.

    However, with all these creepy virus/infections popping up I'm not sure anymore if it's safe to format my computer, and to be specific I mean the backing up of files I'd like to keep. All of my pictures/documents etc., I'd like to put them onto a portable hard drive.

    Main question: How can I be sure that I can safely transport all of these files to my portable HDD without bringing any malicious software along with it?

    I'm sure I've forgotten something here, so if you guys need more info feel free to ask. I'll be here ;)

    Thanks in advance!!
     
  2. ares91

    ares91 Private E-2

    Edit:
    You can find all of the logs in the attachments below

    Also, I had another question.
    Are Infostealers capable of retrieving your saved passwords, so the ones which are automatically entered in your browser?
     

    Attached Files:

    Last edited: Dec 12, 2009
  3. evilfantasy

    evilfantasy Malware Fighter

    Formatting is a very reliable way to clean a computer. But as you have pointed out it's the back-ups that might contain malware and you can re-infect the new install.

    You can easily scan your backups with an antivirus from a clean computer before putting them back on the new install. If you are trying to save files from an infected computer it's usually best to only save what you cannot replace by downloading from the Internet, like personal photos, documents and such. The more you try to save, the more risk of saving malware.

    Yes, that's what they do.

    Could you get the Malwarebytes log?
     
  4. ares91

    ares91 Private E-2

    [MBAM log attached, however it detected nothing so I don't think it will be of much help]

    About the backups, my main concern was that some virus/trojan/whatever would attach to the files I transferred to the hard drive, or that it would transfer itself to the drive automatically. If that were to be the case, backing up wouldn't be safe at all.

    Secondly, there are many, many virus scanners out there, and currently I'm using Symantec (which is fine by me), but based on my experience with previous scanners (AVG / Avast / NOD32) I'm afraid that scanning the portable HDD on a clean PC will not guarantee that there's no malicious software, because not every scanner detects every virus (if you catch my drift).
    Also, if I hook up a portable HDD to a clean PC to scan it, wouldn't it be possible that IF there are infected files on the HDD they will copy themselves to the clean PC?

    The files I included in my previous post, however, did contain some warnings/reports of various infections. Maybe you could check those out and see if they can have any influence on my backup?

    ComboFix even said something about a rootkit, which kinda scared me!
     

    Attached Files:

    Last edited: Dec 13, 2009
  5. evilfantasy

    evilfantasy Malware Fighter

    When plugging in USB drives, hold down the Shift key when inserting the drive until Windows detects it to bypass the AutoRun feature. This will keep an autorun.inf infection from executing automatically. Then you can scan the drive with your antivirus.

    Yes. Just making sure you haven't started reformatting or are going to. No need putting all the time into the logs if it isn't needed. ;)

    Give me a few minutes to look them over.
     
  6. ares91

    ares91 Private E-2

    Ok thanks a bunch!

    (Btw do I need to hold shift the entire time until I've booted up my virus scan? :p)
     
  7. evilfantasy

    evilfantasy Malware Fighter


    No. You should only have to hold it for 10 - 20 seconds. You can also run this to help keep autoruns under control.

    Panda USB and AutoRun Vaccine

    Insert your flash drive before we begin. Hold down the Shift key when inserting the flash drive until Windows detects it to bypass the autorun feature. This will keep the autorun.inf from executing automatically.

    Download Panda USB and AutoRun Vaccine and save it to your desktop.

    * Extract (unzip) the file to your desktop and a folder named USBVaccine will be created.
    * Open that folder and double-click on USBVaccine.exe to start the program.
    * Click Run
    * Click the button to Vaccinate computer.
    * Insert your USB flash drive.
    * When the name of the drive appears in the dialog box, click the button to Vaccinate USB drive(s).
    * Exit Panda USB and AutoRun Vaccine when done.

    Note: Computer AutoRun Vaccination will prevent any AutoRun file from running, regardless of whether the removable device is infected or not. USB Vaccination disables the autorun file so it cannot be read, modified or replaced by malicious code. The Panda Research Blog advises that once USB drives have been vaccinated, they cannot be reversed except with a format. If you do this, be sure to back up your data files first or they will be lost during the formatting process.



    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX Checked until you exit all browser sessions including the one you are reading in right now:


    • O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

    After clicking Fix checked, exit HijackThis.



    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    MBR::
    
    MIA::
    e:\windows\System32\wscntfy.exe
    
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
     
  8. ares91

    ares91 Private E-2

    Ok I've done as you asked.
    What exactly have I just done by the way?
     

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

    Trying to replace the missing file.


    Please download SystemLook from one of the links below and save it to your desktop.

    Link #1
    Link #2

    Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.


    • Double-click SystemLook.exe to run it.
    • Copy the contents of the following codebox into the main textfield.


    Code:
    :filefind 
    wscntfy.exe

    • Click the Look button to start the scan.
    • Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
    • When finished, a notepad window will open with the results of the scan. Please post the log. The log can also be found on your desktop entitled SystemLook.txt
     
  10. ares91

    ares91 Private E-2

    That's weird, the file isn't present at all. And unlike you said, the scan was done extremely quickly :s I've disabled Symantec Auto-Protect, dunno how to shut down the entire program, can't seem to find the option, and I shut down SUPERAntiSpyware:
    Code:
    SystemLook v1.0 by jpshortstuff (29.08.09)
    Log created at 20:57 on 13/12/2009 by Administrator (Administrator - Elevation successful)
    
    ========== filefind ==========
    
    Searching for "wscntfy.exe"
    No files found.
    
    -=End Of File=-
    What kind of file is it btw? I've googled it, but is the reason for it being absent virus-related?
     
  11. evilfantasy

    evilfantasy Malware Fighter

    It is part of Windows Security Center.

    Not sure how it was lost/deleted but it needs to be replaced.

    Can you go into your user profile and turn on your Private Messages please. I need to send you a PM.

    http://forums.majorgeeks.com/profile.php?do=editoptions Place a check mark next to Enable Private Messaging and then go to the bottom and select Save Changes.
     
  12. ares91

    ares91 Private E-2

    Done.
     
  13. ares91

    ares91 Private E-2

    Ok I followed the instructions in your PM. Attached the log.
    I noticed something whilst looking at the Avenger log: it said that no rootkits had been found. Earlier, when I looked at the ComboFix log (and both times I ran ComboFix) it said that it had to reboot because a rootkit had been found.

    So I guess this is a good thing?
    Furthermore, I presume I've fixed something here, but what exactly did I fix (if I didn't fix all of the problems yet, I'm just curious :p)?

    As you may have noticed, I did have quite a lot of nasty software on my PC when I ran all of the basic tests (the ones in posts 1 & 2), hence the above question ^

    Sorry if I ask too many questions, I'm kind of a newbie in this area; despite the fact that I'm capable of doing internet research on how to remove these things, I still worry quite a lot about them. It's just a computer, but it can have a big impact on your important activities when something's wrong :<
     

    Attached Files:

  14. evilfantasy

    evilfantasy Malware Fighter

    We replaced the missing Security Center file. :)

    Code:
    File move operation "e:\documents and settings\Administrator\Desktop\wscntfy.exe|e:\windows\System32\wscntfy.exe" completed successfully.
    The ComboFix results can be confusing which is why it has the warnings about not running it unless instructed to by an approved forum. The rootkit warnings were false positives.

    Let's do an online scan just to be sure nothing else is hiding.

    ESET Online Scan

    Scan your computer with the ESET FREE Online Virus Scan

    * Click the ESET Online Scanner button.

    * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    * Place a check mark next to YES, I accept the Terms of Use.

    * Click the Start button.
    * Accept any security warnings from your browser.
    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
    * Click the Start button.
    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    * When the scan completes, click List of found threats.
    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
    * Click the <<Back button then click Finish.

    In your next reply please attach the ESET Online Scan Log
     
    Last edited: Dec 13, 2009
  15. ares91

    ares91 Private E-2

    It's scanning as we speak. Curious to see what the results are! Hopefully, if it comes back clean, I can backup all my files without all the hassle of scanning it on another PC.
     
  16. ares91

    ares91 Private E-2

    Weird, the scan is stalling at some .nzb file from a download. I'll check if I can disable the particular folder so it can continue scanning.
     
  17. evilfantasy

    evilfantasy Malware Fighter

  18. ares91

    ares91 Private E-2

    Damn that scan took a long time haha.
    It found 2 threats, none of which I had seen before (in other scanners).

    Does it mean that the rest of my computer is clean as a whistle?
     

    Attached Files:

  19. evilfantasy

    evilfantasy Malware Fighter

    As far as I can tell your logs are clean.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  20. ares91

    ares91 Private E-2

    Ok thanks a lot for all your help!! I guess I can soon move on to backing up the data I want on a portable HDD. Maybe it will be good to scan it for malware on another pc, but it should be clean right? Seeing the fact that my logs are good.

    Thanks again !
     
  21. evilfantasy

    evilfantasy Malware Fighter

    As far as I can see this computer is clean.

    We try not to give 100% clean bills of health. There is always a chance that even a brand new computer has something unwanted on it so it's irresponsible to tell people that they are 100% clean. But as far as I can see, there is no malware.
     
