
I am posting this to help others like me who run into the following problem and cannot find help anywhere on the web.

A family member brought me a laptop that was infected with a virus.

Following a successful install, update, scan, and removal, and reboot using MBAM, I installed Microsoft Security Essentials, updated definitions, and ran a scan on drive C:. MSE found several "threats", most of which were in the c:\windows\assembly\temp folder. I opted to remove the threats and restart Windows. When Windows tried to boot, however, it never made it past the loading screen. It was at this point that Windows entered a boot loop.

I first tried to perform a Startup Repair, but no luck. Next, I tried to perform a System Restore to a point from before the installation of MSE. The system still refused to boot to Windows.

So, I popped in my Ubuntu 10 live CD and decided to inspect MSE's logs (located in c:\programdata\microsoft\microsoft antimalware\support). The following entries are located in the MPLog file at this location, which I have attached to this post:


(From the file: MPLog-12272011-192939.log)
Resource Path:C:\Windows\assembly\temp\kwrd.dll
Result Count:1
Threat Name:Program:Win32/CoinMiner
Resource Path:C:\Windows\assembly\temp\U\80000032.@
Result Count:1
Threat Name:Trojan:Win32/Alureon.TK
Resource Schema:file
Resource Path:C:\Windows\assembly\temp\U\80000032.@
Extended Info:79810502744203

2011-12-28T03:42:11.379Z DETECTIONEVENT Trojan:Win32/Alureon.TK file:C:\Windows\assembly\temp\U\80000032.@
2011-12-28T03:42:11.395Z DETECTION_ADD Trojan:Win32/Alureon.TK file:C:\Windows\assembly\temp\U\80000032.@
2011-12-28T03:43:48.442Z Process scan completed.
2011-12-28T03:46:17.735Z DETECTIONEVENT TrojanDownloader:Win32/Unruy.H file:C:\Windows\SysWOW64\7t4G2.com
2011-12-28T03:46:17.735Z DETECTION_ADD TrojanDownloader:Win32/Unruy.H file:C:\Windows\SysWOW64\7t4G2.com
2011-12-28T03:47:13.973Z Process scan started.

I had reason to believe that whatever caused Windows to enter this boot loop started with the removal of these entries from the c:\windows\assembly folder. I did not possess a Windows 7 Home Premium 64-bit installation CD, but I did have a working laptop with that exact version of the OS.

My proposed solution: Copy the assembly folder from my laptop to the borked laptop using the Ubuntu live CD and see if it works.

Outcome: The borked laptop booted successfully on the first try.

Additional information

Just before Christmas, I received another computer with a similar infection, followed the same steps as above, removed an infection from the Assembly folder, and the computer entered an identical boot loop that I could recover from. Things I tried:

  • Startup repair
  • Last known good config
  • System restore to several different points
  • Restore registry from working copy
  • chkdsk /f /r
  • sfc /scannow

None of these things worked, so I backed up files and reimaged the system. However, if I had simply copied the assembly folder like I did just now, I believe the laptop would have booted successfully just like this one did.

Conclusion and request:

I am hoping some of you with more experience and knowledge than I possess could make more sense of this situation by viewing the attached log files. Hopefully these findings will help someone else out there. I have included the following:

  • MBAM Scan log, created on the first and only MBAM scan of the system.
  • MSE Scan log, created right before the system entered the boot loop.
  • EventViewer log, showing the events of that night from 4:00pm to 11:00pm CST. Most work done around 6-8pm CST.

Logs.zip

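The MPLog lines quoted in the post above are easy to review before choosing "remove": each detection appears as a timestamped `DETECTIONEVENT`/`DETECTION_ADD` pair with a threat name and a `file:` path. The script below is an added example (not the poster's code, and not a Microsoft tool) that parses those lines, collapses the duplicate event pairs, and flags detections whose file sits under a system directory, so the folder can be backed up from a live CD before the files are removed. The sample log is constructed from the lines in the post plus one extra line with a made-up threat name and a user-profile path to show a detection that is not flagged. Only C:\Windows\assembly is established as boot-relevant by the post; treating System32 and SysWOW64 the same way is an assumption made here.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample: the MPLog lines quoted in the post, plus one extra
# detection (made-up threat name, user-profile path) that should NOT be flagged.
SAMPLE_MPLOG = r"""
2011-12-28T03:42:11.379Z DETECTIONEVENT Trojan:Win32/Alureon.TK file:C:\Windows\assembly\temp\U\80000032.@
2011-12-28T03:42:11.395Z DETECTION_ADD Trojan:Win32/Alureon.TK file:C:\Windows\assembly\temp\U\80000032.@
2011-12-28T03:43:48.442Z Process scan completed.
2011-12-28T03:46:17.735Z DETECTIONEVENT TrojanDownloader:Win32/Unruy.H file:C:\Windows\SysWOW64\7t4G2.com
2011-12-28T03:46:17.735Z DETECTION_ADD TrojanDownloader:Win32/Unruy.H file:C:\Windows\SysWOW64\7t4G2.com
2011-12-28T03:47:13.973Z Process scan started.
2011-12-28T03:50:00.000Z DETECTIONEVENT Example:Win32/Constructed file:C:\Users\test\Downloads\sample.exe
"""

# Directories where removing files can break the OS. The post only shows the
# assembly folder causing a boot loop; the other two roots are an assumption.
BOOT_CRITICAL_ROOTS = [
    PureWindowsPath(r"C:\Windows\assembly"),
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
]

# timestamp, event kind, threat name, then the path after "file:"
DETECTION_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+(DETECTIONEVENT|DETECTION_ADD)\s+(\S+)\s+file:(.+)$"
)


@dataclass
class Detection:
    timestamp: str
    event: str
    threat: str
    path: PureWindowsPath


def parse_detections(log_text: str) -> List[Detection]:
    """Extract file detections from MPLog text, keeping one entry per (threat, path).

    DETECTIONEVENT and DETECTION_ADD are logged for the same file; the first
    occurrence is kept so each detected file is listed once.
    """
    seen = set()
    found: List[Detection] = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # scan start/stop lines and anything else are skipped
        ts, event, threat, raw_path = m.groups()
        key = (threat.lower(), raw_path.lower())
        if key in seen:
            continue
        seen.add(key)
        found.append(Detection(ts, event, threat, PureWindowsPath(raw_path.strip())))
    return found


def matched_root(path: PureWindowsPath) -> Optional[PureWindowsPath]:
    """Return the boot-critical root containing `path`, or None.

    Comparison is done on lower-cased path components because NTFS paths are
    case-insensitive and MPLog does not normalise case.
    """
    parts = [p.lower() for p in path.parts]
    for root in BOOT_CRITICAL_ROOTS:
        root_parts = [p.lower() for p in root.parts]
        if parts[: len(root_parts)] == root_parts:
            return root
    return None


def flag_boot_critical(detections: List[Detection]) -> List[Detection]:
    """Keep only detections whose file lives under a boot-critical root."""
    return [d for d in detections if matched_root(d.path) is not None]


if __name__ == "__main__":
    all_hits = parse_detections(SAMPLE_MPLOG)
    for d in flag_boot_critical(all_hits):
        print(f"{d.timestamp} {d.threat} -> {d.path}  (under {matched_root(d.path)}): "
              "back up the parent folder before removal")
```

Run against a real MPLog (read the file and pass its text to `parse_detections`) the flagged list is the set of files to copy off the disk from the live CD first; the unflagged detections can be removed as usual.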


Just to reiterate some important points about my findings:

Another PC failed to boot today because MSE removed files in C:\windows\assembly. I copied the C:\windows\assembly folder from my working laptop to the non-booting laptop using a linux live CD and the laptop booted on the next reboot. I am not sure if it matters if I use the same version of Windows; I have not tested it from other sources. Good luck to anyone else who runs into this problem.
