Need Help Possible Windows Recovery Center Malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Horus7, Mar 17, 2012.

  1. Horus7

    Horus7 Private E-2

    I'm working on a HP Pavilion tx 2100us with Windows Vista SP2 32-bit with ATI Radeon 3200 Graphics Card.

This is my mom's computer and I'm not 100% sure of when this problem began, but I know that the latest symptoms (garbled/pixelated video, blank screen, blue screen) began about 2 months ago. I've also experienced disappearing icons on the desktop, and when I tried to remove this bug with a Dr. Web complete scan, the virus shuts the computer down before the scan can complete.

    (Note: When the display begins to act weird it sometimes displays a message stating that the display driver has recovered and Microsoft will follow up with a solution. I've done some research on this and the symptoms seem like the Windows Recovery Console Malware.)

    Initially I thought it was the video card so I updated the video drivers with the ones provided on the hp support site. The video problem continued so I flashed/updated the BIOS. The problem persisted so I've completed the READ & RUN ME FIRST Malware Removal Guide. During step 7 the following happened:
    Root Repeal Scan - completed but couldn't scan boot sector
    MGTools - App generated exception


    Now the desktop shows some strange looking additional icons such as desktop.ini, ~SainWave Network, ~SO Script.docx that were not there before.

    I've attached the logs as instructed. Your help is greatly appreciated.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please click Start, All Programs, Accessories and you will see ( among other things ) a Command Prompt entry.

    • Right click the Command Prompt entry and select Run As Administrator.
      • It is critical that you run it this way.

    • If you do this properly, a command prompt window will open with a title of Administrator Command Prompt.
    • Enter the below commands at the command prompt, each followed by the enter key. The text before <-- is the command; the text after <-- is merely informational.

    cd \MGtools <-- this changes to the MGtools folder and the prompt should change to C:\MGtools>
    GetRunKey <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
    ShowNew <-- this will try to run one scan from MGtools. Tell me what error messages, if any, you see.
     
  3. Horus7

    Horus7 Private E-2

    Thanks for the help TimW.
    I followed your instructions and I've attached the logs produced.
    I've also attached my MGlogs.zip

    I also have a quick question regarding my flash drive. Is it ok to plug in the drive before the cleaning process is complete? And if not how do I go about cleaning the flash drive as well?
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Tim wants you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double click MBRCheck.exe to run (Vista and Win 7: right click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
     
  5. Horus7

    Horus7 Private E-2

    Ok thanks Kestrel13.

    TDSSkiller came out clean, but MBRCheck did not. I've attached the logs.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Use windows explorer to find and delete:
    C:\Users\soulsista\AppData\Roaming\Microsoft\Windows\Templates\0qo6n56dqg7b12mtrqt6221tv781hsx41s5q

    Do you know what this is:
    C:\Windows\System32\sda ????

    Your MBR may be infected. Do you have your Vista install disc?
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you don't have your install disc, you can purchase a Recovery Environment here:
    http://neosmart.net/blog/2008/windows-vista-recovery-disc-download/

    To run the Bootrec.exe tool, you must start Windows RE. To do this, follow these steps:

    1. Put the Windows Vista or Windows 7 installation disc in the disc drive, and then start the computer.
    2. Press a key when you are prompted.
    3. Select a language, a time, a currency, a keyboard or an input method, and then click Next.
    4. Click Repair your computer.
    5. Click the operating system that you want to repair, and then click Next.
    6. In the System Recovery Options dialog box, click Command Prompt.
    7. Type Bootrec.exe /fixmbr, and then press ENTER.

    Reboot to normal mode and re-run MBRCheck and attach the new log.
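The MBRCheck run in post 4 and the Bootrec /fixmbr repair in post 7 both operate on the same 512-byte sector, so one script can show what each of them actually looks at. The following is an added example, not code from this thread or from the MBRCheck or Bootrec tools: it parses an MBR (boot code, disk signature, partition table), gives an MBRCheck-style verdict by hashing the boot code against a known-good set, and then repairs it the way /fixmbr does, by replacing only the boot code. The boot code bytes, the "known-good" hash, the partition layout and the partition-type subset are all constructed for the demo and are not real Vista MBR content.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot loader code (what /fixmbr rewrites)
DISK_SIG_OFF = 440       # bytes 440..443: Windows disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510..511

# Subset of MBR partition-type IDs; assumption: anything else is "unknown".
PART_TYPES = {
    0x00: "empty", 0x06: "FAT16", 0x07: "NTFS", 0x0B: "FAT32",
    0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)", 0x0F: "extended (LBA)",
    0x12: "OEM diagnostics/recovery", 0x27: "hidden NTFS (WinRE)",
}


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature, partitions."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA signature: not a valid MBR")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0x00:
            continue
        parts.append({"index": i, "active": status == 0x80,
                      "type": PART_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
            "partitions": parts}


def check_mbr(sector: bytes, known_good: set) -> list:
    """MBRCheck-style verdict: an empty list means the MBR looks standard."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] not in known_good:
        findings.append("non-standard boot code (hash not in known-good set)")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active (bootable) partition")
    for p in info["partitions"]:
        if p["type"].startswith("unknown"):
            findings.append(f"partition {p['index']}: {p['type']}")
    return findings


def fixmbr(sector: bytes, standard_boot_code: bytes) -> bytes:
    """What Bootrec /fixmbr does: new boot code, everything after byte 440 kept."""
    if len(standard_boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    return standard_boot_code + sector[BOOT_CODE_LEN:]


# --- constructed sample data; none of this is real Vista MBR content -------
GOOD_BOOT_CODE = bytes((i * 7 + 3) & 0xFF for i in range(BOOT_CODE_LEN))
KNOWN_GOOD = {hashlib.sha256(GOOD_BOOT_CODE).hexdigest()}


def partition_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte entry; CHS fields are left zero (LBA is what matters)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)


def build_mbr(boot_code: bytes, disk_sig: int, entries: list) -> bytes:
    table = b"".join(entries) + b"\0" * (16 * (4 - len(entries)))
    return boot_code + struct.pack("<I", disk_sig) + b"\0\0" + table + BOOT_SIG


CLEAN_MBR = build_mbr(GOOD_BOOT_CODE, 0x1234ABCD, [
    partition_entry(0x80, 0x07, 2048, 400_000_000),          # C: NTFS, active
    partition_entry(0x00, 0x12, 400_002_048, 20_000_000),    # OEM recovery
])

# Bootkit-style tampering: patch the start of the boot code to jump elsewhere.
# The partition table is untouched, so the disk still boots (until it doesn't).
INFECTED_MBR = b"\xEB\x3E\x90\x90" + CLEAN_MBR[4:]


def demo() -> dict:
    """Detect the tampered MBR, repair it the /fixmbr way, then re-check."""
    repaired = fixmbr(INFECTED_MBR, GOOD_BOOT_CODE)
    return {"before": check_mbr(INFECTED_MBR, KNOWN_GOOD),
            "after": check_mbr(repaired, KNOWN_GOOD),
            "table_preserved": parse_mbr(repaired)["partitions"]
                               == parse_mbr(INFECTED_MBR)["partitions"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth noting from the code. The hash comparison is the whole of the "non-standard or infected MBR" verdict: it can tell you the boot code is not one it knows, not what the unknown code does, which is why the thread asks to see the log before acting. And fixmbr() never touches bytes 440 onwards, so the partition table, the disk signature and every volume boot record stay as they were; a partition that Windows already reports as FAT or RAW will still be reported that way after /fixmbr, because that verdict comes from the volume, not from the MBR.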
     
  8. Horus7

    Horus7 Private E-2

    Now, the virus is causing the strange screen again and after that, I could no longer boot from the HD. I downloaded the Vista Recovery Disk, attempted auto repair to no avail, and I tried the command prompt method of repairing and re-creating the MBR. For some reason the system shows that the HD is formatted as FAT now and I cannot rebuild the MBR.

    Then, things went from bad to worse. Now I can't even run the recovery disk; the computer blue screens and I get a fatal error.

    Does this mean that I now have to completely re-install Vista?
     
  9. Horus7

    Horus7 Private E-2

    Correction: The file system of the HD is now RAW.
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, I am afraid it sounds like it.
     
  11. Horus7

    Horus7 Private E-2

    I downloaded Avira's AntiVir and it managed to solve the blue screen fatal error issue somehow. Then, I downloaded the Hiren Boot CD and I used it to boot vista up again. I've backed up the important files and I'm ready for a factory reset.

    The thing is, I don't have HP's Recovery Disk and I know this computer has a recovery partition, but the recovery manager claims that it's not present, even though the partition can be seen in My Computer. I think the recovery partition is still good, but the malware is preventing it from being accessed.

    Any suggestions?
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I can only suggest that you post in the software forum and see if someone can help you get into the recovery partition.
     
  13. Horus7

    Horus7 Private E-2

    Alright, that's what I'll do. Thanks for all of your help.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good luck.
     
