problems after reinstall

Discussion in 'Malware Help (A Specialist Will Reply)' started by ploizzo, Nov 27, 2010.

  1. ploizzo

    ploizzo Private E-2

    Hello,

    I just did a fresh format and reinstall of Windows XP due to a previous virus that could not be fixed.

    Everything was going well until I started to move files from the old system to the new one. I scanned each file with Malwarebytes before moving it to try and avoid moving any viruses with them. Apparently this did not work.

    I followed the instructions and the logs are posted. Here are some additional notes:

    Could not turn on view hidden files or folders from the start, which led me to believe I was infected; ComboFix detected rootkit activity, rebooted, and then PEV.exe closed 2 times during stage 3 & 48; ran RootRepeal and it stopped suddenly saying there is an error on disk and to run chkdsk; MGtools hit error "the application failed to initialize properly" due to not having .NET installed.

    Please let me know where to go from here. As always, I appreciate the help!! Thanks!

    Pete
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are reinfected like this right after a proper clean reinstall, then what you are copying back to this PC is the infection. Your backups are infected. Based on these logs you have infected external media that you are probably transferring the infection around from. Every PC that you inserted this infected media into is likely infected. You have one of the AutoRuns family of infections which automatically runs when you insert these USB drives, flash cards, cameras.... etc into the PC. You can see ComboFix's log showing you the autorun.inf file being deleted from drives C thru K ( all infected ).

    You need to install the Microsoft .NET Framework application so that we can get one additional log from MGtools to work properly. You can install the early version from the below link:

    http://www.microsoft.com/Downloads/details.aspx?FamilyId=262D25E3-F589-4842-8157-034D1E7CF3A3&displaylang=en


    You are way out of date with your version of SUPERAntiSpyware.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or need to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the new SUPERAntiSpyware log
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Nov 28, 2010
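The AutoRun family chaslang describes spreads through an autorun.inf sitting on the root of each drive, which Windows reads when the drive is inserted or opened. As an added example (not from the thread or from any of the tools it names), here is a small Python script that reads such files from a list of drive roots and reports which directives would launch a program; the sample autorun.inf text is constructed, and the parser and function names are this example's own.

```python
from pathlib import Path

# Constructed sample (not a file from the thread) in the shape an AutoRun worm
# drops on every drive it touches; the payload name is a placeholder.
SAMPLE_AUTORUN = """[AutoRun]
;junk line of the sort droppers add to trip up strict parsers
open=hidden\\payload.exe
shell\\open\\Command=hidden\\payload.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""


def parse_autorun(text: str) -> dict:
    """Lower-cased key -> value for the [autorun] section (hand-rolled: real
    droppers pad the file with junk that makes configparser bail out)."""
    directives, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def suspicious_directives(directives: dict) -> list:
    """(key, value) pairs that make Explorer launch something on insert/open.
    icon= and label= are harmless; open=, shellexecute=, shell= and
    shell\\<verb>\\command all name an executable."""
    return [(k, v) for k, v in directives.items()
            if k in ("open", "shellexecute", "shell") or k.startswith("shell\\")]


def scan_drive_roots(roots) -> dict:
    """Map each drive root that carries an autorun.inf to its launch directives.
    The file is opened by name, so hidden/system attributes don't hide it."""
    findings = {}
    for root in roots:
        path = Path(root) / "autorun.inf"
        if path.is_file():
            text = path.read_text(errors="replace")
            findings[str(root)] = suspicious_directives(parse_autorun(text))
    return findings
```

On the XP box in the thread, `scan_drive_roots([f"{c}:\\" for c in "CDEFGHIJK"])` would cover drives C through K; a drive whose autorun.inf only sets icon= or label= comes back with an empty list.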
  3. ploizzo

    ploizzo Private E-2

    OK, I did as much as I could and ran into some problems:

    I installed .NET

    I uninstalled the outdated SuperAntiSpyware and installed the current version with the updates and ran a full system scan.

    I ran the ComboFix script just as you asked. It needed to be updated, which I did; it started and a message came up saying that it found rootkit activity and needed to reboot. I manually had to reboot as it would not do it by itself after 15 mins. Used the reset button on the front of the PC. ComboFix started upon logon and ran through the 50 stages. After about 2 mins on the no. 50 stage, another message popped up with a top bar heading of "Desktop" and the computer completely shut off. It happened so quickly I couldn't see what it said in the message box. I restarted and got a loud beeping sound right after I pushed the power button. The Intel screen came up saying the computer was shut down due to a thermal event. I continued to boot up and got to Windows logon and logged in. Just as the desktop was loading, it shut off again same as last time. I restarted and the same beeping happened and the Intel screen saying thermal event. I continued into Safe mode and could log in and ComboFix started again and in the blue box it said "it was loading and that it should take 10 mins or double depending on how infected the computer is". Then it shut down same as before.

    This is where I am now. I didn't know if I should try to copy the SAS log to my laptop with a new flash stick or if that would copy the virus to this computer.

    Seeing that I just did a reinstall, I don't mind doing it again if it makes sense. My only concern is that I need most of the files on the external hard drive that I backed up the old files to. Is there any way to clean those drives? Or can I copy these files to the infected computer, burn the files I need to DVD, do another reinstall and copy the files from the DVD?

    I am not sure which would be easier at this point. Let me know what you think.

    Thanks!!

    Pete
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I suggest that you reinstall and DO NOT use anything from your backups. At least not initially. You should download new copies of all necessary protection software using a different clean PC and burn them to CD for use on the PC you are trying to fix after you do the new reinstall. Only install Windows itself, then install your protection software from the CD. DO NOT connect the internet cable until the PC has been protected. Then after running for a while with no problems with just base Windows and your protection in place, start downloading from Microsoft Update all of the updates required for your system. Again do not install anything from your backups yet because they are likely where you are getting reinfected from.


    Things you should put on the CD to install after the Windows reinstall and before connection to the internet are the below:
    • antivirus protection
    • antispyware protection ( which could be part of the above program, like with Avast, Avira, or Comodo )
    • a real firewall ( that is, not the Windows firewall which is inadequate )
    • You can get a list of example antivirus, antispyware, and firewalls from How to Protect yourself from malware!
    • Also I recommend you have the below installed before connecting to the internet:
    • Once all protection is installed, the FIRST order of business is to go to the below link and get all priority Windows Updates and then reboot
    • Second get additional updates for your antivirus, antispyware....etc.
    • Now make sure your PC is running okay for a while without adding anything else.
    • After you verify it is okay and is free from malware, start downloading/installing software that you want. Again I warn you against using things you have backed up already. Don't use them unless absolutely necessary. It is better to get new/clean copies. If you keep reinfecting your PC by installing from backups, you are just wasting your time and ours because we will just be telling you to do this all over again. ;)
    Once your PC has been up and running clean, and all your protection software and Windows are fully up to date, you can start scanning your backup media for malware. DO NOT run/install anything from your backups. Scan all of them first to verify there are no problems. Use your AV to scan them and also scan them with SUPERAntiSpyware and Malwarebytes. Also use an online scanner to triple check them. See the online scanners here > Alternative Scans. And only copy/install a couple of things at a time from your backups and reboot afterwards. Verify all is still good before continuing the process.
     
