
Super Bug? Still problems after Clean Installed Windows



Just looking for a little advice.

I thought a clean Windows install formats the disk and wipes out all programs.

This is what I did. All programs and files gone, just new version of Windows 7.

Yet computer still acts infected.

1. At the last stages of Windows install, when it was asking for computer name, the setup program froze.

2. First program I tried to load was McAfee AV. The web load froze, so I downloaded it onto the desktop and then loaded it.

3. Computer still freezes up when trying to launch Internet Explorer.

4. Even tried to launch a Windows solitaire game from the Games menu and it also froze.

Thought the whole disk was reformatted during the clean install. How is this possible?

Do I have a virus or malware in the BIOS? Or embedded in some firmware?

Crazy....

I would very much appreciate some comments to shed some possible insight.

I would like to format the entire C drive from the DOS C prompt, but there do not seem to be any tutorials for that out there.

My advance thanks goes out to the broader community for your help and advice.

GP


  • Root Admin

Actually some infections reside on the Master Boot Record and can survive a disk format.  It really depends on what's going on.  It's possible that the computer got reinfected during the building, updating process.

 

Please run the following steps and post back all the logs as ATTACHMENTS by clicking on the More Reply Options button.
Please don't put logs in code or quote tags or copy/paste them into your reply unless you're unable to attach them.
Please enable your system to show hidden files: How to see hidden files in Windows

P2P/Piracy Warning:

  • If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.
  • Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
  • If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.


STEP 01
Backup the Registry:
Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please download ERUNT from one of the following links: Link1 | Link2 | Link3
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Double click on erunt-setup.exe to Install ERUNT by following the prompts.
  • NOTE: Do not choose to allow ERUNT to add an Entry to the Startup folder. Click NO.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup.
    • Note: the default location is C:\Windows\ERDNT which is acceptable.

  • Make sure that at least the first two check boxes are selected.
  • Click on OK.
  • Then click on YES to create the folder.
  • Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe.


STEP 02
Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

  • RogueKiller 32-bit | RogueKiller 64-bit
  • Quit all running programs.
  • For Windows XP, double-click to start.
  • For Vista, Windows 7/8, right-click on the program and select Run as Administrator to start, and when prompted allow it to run.
  • Read and accept the EULA (End User License Agreement).
  • Click Scan to scan the system.
  • When the scan completes Close the program > Don't Fix anything!
  • Don't run any other options, they're not all bad!!
  • Post back the report which should be located on your desktop.


STEP 03
Please download Malwarebytes Anti-Rootkit from here

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt

STEP 04
Please download Junkware Removal Tool to your desktop.
  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus


STEP 05
Please download AdwCleaner by Xplode to your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • If prompted by the User Account Control click Yes to allow it to run.
  • Under Actions click on the Delete button.
  • Click OK on all prompts.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the entire contents of that logfile to your next reply.
  • You can find the logfile at C:\AdwCleaner[s1].txt where the number in brackets indicates how often it was run.


STEP 06

Please go here to run the online antivirus scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology

  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.



STEP 07
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.
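An added example, not taken from this thread or from any of the tools named in it, to make the Root Admin's opening point concrete: an infection in the Master Boot Record survives a format because the MBR is sector 0 of the disk and belongs to no volume, so formatting C: never touches it. The script dissects a 512-byte MBR into its three regions (boot code, partition table, signature) using a constructed sector embedded below. The optional Read-PhysicalSector0 function reads the real sector 0 of disk 0; it assumes an elevated PowerShell prompt and that .NET can open \\.\PhysicalDrive0 read-only, and it only reads.

```powershell
# Added example (not from the forum thread): dissect a 512-byte MBR sector to show
# where the boot code lives relative to the partitions it boots.

function Get-Sha256Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function New-SampleMbr {
    # Constructed sector: NOP-filled boot code, one active NTFS partition, valid 0x55AA signature.
    $s = New-Object byte[] 512
    for ($i = 0; $i -lt 446; $i++) { $s[$i] = 0x90 }          # 0x90 = x86 NOP, standing in for boot code
    $s[446] = 0x80                                              # entry 1, byte 0: status 0x80 = active/bootable
    $s[450] = 0x07                                              # entry 1, byte 4: partition type 0x07 = NTFS/exFAT
    [BitConverter]::GetBytes([uint32]2048).CopyTo($s, 454)      # entry 1, bytes 8-11: first LBA of the partition
    [BitConverter]::GetBytes([uint32]204800).CopyTo($s, 458)    # entry 1, bytes 12-15: sector count (100 MB)
    $s[510] = 0x55; $s[511] = 0xAA                              # boot signature
    ,$s   # leading comma stops PowerShell from unrolling the array into 512 separate objects
}

function Read-MbrLayout {
    param([Parameter(Mandatory)][byte[]]$Sector)
    if ($Sector.Length -ne 512) { throw "Expected a 512-byte sector, got $($Sector.Length) bytes" }
    $parts = foreach ($n in 0..3) {
        $o = 446 + 16 * $n                                      # four 16-byte entries follow the boot code
        if ($Sector[$o + 4] -eq 0) { continue }                 # type 0x00 = unused slot
        [pscustomobject]@{
            Slot     = $n + 1
            Bootable = ($Sector[$o] -eq 0x80)
            TypeId   = '0x{0:X2}' -f $Sector[$o + 4]
            StartLba = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    [pscustomobject]@{
        SignatureValid = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        # Hash of bytes 0-445 only. Record it once on a known-good machine; it should not
        # change until a boot-loader update, so a silent change is worth investigating.
        BootCodeSha256 = Get-Sha256Hex -Bytes ([byte[]]($Sector[0..445]))
        Partitions     = @($parts)
    }
}

function Read-PhysicalSector0 {
    # Optional: read LBA 0 of the first disk. Read-only; requires an elevated prompt.
    $fs = New-Object System.IO.FileStream -ArgumentList '\\.\PhysicalDrive0',
            ([System.IO.FileMode]::Open), ([System.IO.FileAccess]::Read), ([System.IO.FileShare]::ReadWrite)
    try     { $buf = New-Object byte[] 512; [void]$fs.Read($buf, 0, 512); ,$buf }
    finally { $fs.Dispose() }
}

$layout = Read-MbrLayout -Sector (New-SampleMbr)
$layout | Format-List
$layout.Partitions | Format-Table -AutoSize
$first = $layout.Partitions[0]
"Formatting this volume rewrites sectors from LBA $($first.StartLba) onward; the boot code in LBA 0 (bytes 0-445) is outside every volume and is left alone."
```

To look at a real disk instead of the constructed sector, replace `New-SampleMbr` with `Read-PhysicalSector0` in the last lines. The output makes the thread's lesson visible: the first partition starts thousands of sectors in, so any format, quick or full, of the volume inside it never reaches sector 0, whereas rewriting the partition table (the Root Admin's later advice to delete the partition) does operate on that sector.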


 


Thank you very much for the reply

I have begun working on the steps

I ask for your patience as I have to do this after working hours and have to frequently reboot the computer as Internet Explorer will not launch or sometimes the downloads do not complete or actual installation of executables is stopped or frozen prior to completion.

My goal is to finish all steps this evening.

Thanks,

GP


Step 01

Erunt was run successfully

 

Step 02

First attempt to run RogueKiller was not successful, computer froze.

Program stopped responding during the Finding Detection Patterns portion of the scan.

Needed to physically unplug computer from power source to reboot.

Second attempt to run Rogue Killer was successful.

2 reports were generated, both are attached.

 

RKreport0_S_08132013_072833.txt

RKreport0_S_08132013_190104.txt

 

Step 03

First attempt to run Anti-Rootkit was not successful, computer froze.

Program stopped responding at some point during the Cleanup process

Needed to physically unplug computer from power source to reboot.

Second attempt to run Anti-RootKit was successful.

It found Malware both times it was run

3 reports were generated, all are attached.

 

mbar-log-2013-08-13 (20-00-38).txt

mbar-log-2013-08-13 (20-18-37).txt

system-log.txt

 

Step 04

Junkware Removal Tool ran successfully

File attached.

 

JRT.txt

 

Step 05

AdwCleaner ran successfully

File attached

 

AdwCleaner0.txt

 

Step 06

Eset

No threats were found

 

Step 07

Farbar Recovery Scan Tool ran successfully

Files attached.

 

FRST.txt

Addition.txt

 

Sorry for the delay in response, but the Eset AV program ran close to 4 hours, so I had to run it over night, otherwise I would have sent a response last night.

 

Thanks for your help

GP

 

 


  • Root Admin

Please download the following scanner from Kaspersky and save it to your computer: TDSSkiller

Then watch the following video on how to use the tool and make sure to temporarily disable your security applications before running TDSSkiller.



If any infection is found please make sure to choose SKIP and post back the log in case of a False Positive detection.

Once the tool has completed scanning make sure to re-enable your other security applications.
 

Everything seems to work well.

There is one small anomaly that you may be able to comment on.

Every step of the process went well, except for Eset AV step.

I reported that no threat was found. But I did not watch the process as it took hours.

I was suspicious because of past AV

For example, before your help in this forum, I ran McAfee and I was watching it run. It found two viruses, but then I walked away. When I came back the computer was rebooted with a message that an unexpected shut down happened. When I ran the McAfee again, it showed no virus. Maybe McAfee forced a restart and this may be OK.

Eset showed no threats. But I was suspicious, as I did not watch the run over night.

I reran Eset again just to make sure and it does not complete the scan.

For example.

The second time I ran it I thought it timed out because it ran for a couple hours and was stuck at 46%.

So I ran it a third time and let it run over night. In the am it clocked 10 hours of scan time and was still at 47%.

Eset showed that it scanned 500,000 files at the 47% level. I did a quick cursory check of number of files, and came up with about 350,000 files. Unless there are some files that are deeply hidden from explorer.

On the second scan it found no infection

On the third scan it found one threat, but I was unable to get a report because the scan did not finish.

I do remember the infected file was in Windows.old, which is where windows moved all my files when I did the clean install on new Windows.

Is there another AV we can use to double check the Eset?

Or I can simply delete my entire Windows.old directory...

Gene


  • Root Admin

We can run the following antivirus scanner.  Please make sure you disable your local antivirus first and then run this one.

 


  1. Please download Dr.Web CureIt! antivirus and save it to your computer. The file size is in excess of 100MB.
  2. NOTE: Free usage of Dr.Web CureIt! for business purposes is illegal.
  3. Internet Explorer may show a warning when downloading - the file is safe to download from the provided link.
  4. Shutdown your antivirus to avoid any conflicts while scanning.
  5. Once the scans have completed please re-enable your antivirus.
  6. If using Malwarebytes Anti-Malware PRO you can right click over the tray icon and disable the Protection Modules
  7. If needed you can also temporarily disable it from starting with Windows
  8. Temporarily turn off any other security add-ons or applications you may also have.
  9. Once you have downloaded Dr.Web CureIt! you should right click over it and choose Properties and verify it has a Digital Signature.
  10. If it does not have a Digital Signature then do not run it.
  11. Close all open programs including all Web browsers and then double-click on drweb-cureit.exe to start the installer.
  12. You should have your User Account Control (UAC) enabled for improved security, which should then produce a dialog box asking for approval to run the installer.
  13. Click on the Yes button to start the installer.
  14. Click OK to scan your computer in the Enhanced Protection Mode
  15. Click on the check box to agree to participate in their software improvement program.
  16. Then if needed choose your Language by clicking on the small globe like icon in the upper right corner by the wrench.
  17. Then click on the Continue button and then click on the Select objects for scanning link just below the "Start scanning" button.
  18. Place a check mark on all the items except for Temporary files and System restore points - those items should not have a check mark on them.
  19. Then click on the Start scanning button.
  20. If a threat is found you can click on the Action column in the program.
  21. Your options will be Cure or Ignore
  22. If you see an item that you are absolutely sure is OK, then un-check the check box for that item, otherwise keep it on Cure.
  23. Then click on the Neutralize button.
  24. Once completed click on the green Open Report link. It will open the report in NOTEPAD
  25. Save the report to your desktop. The report will be called Cureit.log
  26. Close Dr.Web Cureit!
  27. Reboot your computer to allow files that were in use to be moved/deleted during reboot.
  28. After reboot, attach the log Cureit.log you saved previously in your next reply.
  29. Re-Enable your antivirus and other security programs when all done.
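Steps 9 and 10 above (check the Digital Signature, and do not run the file if it has none) can be scripted so the result is recorded rather than eyeballed in a Properties dialog. The following is an added example, not part of the thread and not from Dr.Web or any other vendor named here; the file path and the publisher string are placeholders to be filled in from the vendor's own download page. It also matters for the freezing downloads reported earlier in the thread: a file cut off mid-download shows up as HashMismatch or NotSigned rather than Valid.

```powershell
# Added example (not from the forum thread): record what a downloaded tool's Authenticode
# signature says before double-clicking it. Path and publisher below are placeholders.

function Test-DownloadedTool {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisher      # substring expected in the signing certificate's Subject
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "File not found: $Path" }

    # Status is one of: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    # HashMismatch means the bytes no longer match what was signed (truncated or tampered).
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $signer = if ($cert) { $cert.Subject } else { '<none>' }

    # Mark-of-the-Web: ZoneId=3 in the Zone.Identifier stream marks a file saved from the Internet zone.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue |
            Where-Object { $_ -like 'ZoneId=*' } | ForEach-Object { $_.Split('=')[1] }

    # Only a Valid signature from the publisher you expected clears the file to run.
    $okToRun = ($sig.Status -eq 'Valid')
    if ($okToRun -and $ExpectedPublisher) { $okToRun = ($signer -like "*$ExpectedPublisher*") }

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status
        StatusMessage = $sig.StatusMessage
        Signer        = $signer
        Thumbprint    = $(if ($cert) { $cert.Thumbprint } else { $null })
        CertExpires   = $(if ($cert) { $cert.NotAfter } else { $null })
        Sha256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash  # compare with the vendor's published hash
        ZoneId        = $zone
        OkToRun       = $okToRun
    }
}

# Usage (file name and publisher are placeholders, not values from the thread):
Test-DownloadedTool -Path "$env:USERPROFILE\Desktop\<downloaded-tool>.exe" -ExpectedPublisher '<publisher name from vendor site>' |
    Format-List
```

Get-AuthenticodeSignature validates the signature chain against the machine's trusted roots, so a Valid result says who published the file and that it arrived intact; it does not say the program is harmless, which is why the publisher check and the hash comparison against the vendor's page are part of the same function. When the result is anything other than Valid, the thread's rule applies: do not run it, download it again.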


 


Sorry for the delayed response.

I was out of town for the weekend.

Also, upon return I discovered that my NetGear wireless router does not work (which is less than a year old).

Finally converted back to a wired router and was able to get back online.

 

As for the latest recommendation, the Dr.Web CureIt process does not seem to work.

I get to the part when the software asks if I would like Enhanced Protection Mode, which I say Yes to.

The screen gets a bit darker and in the four corners of the screen it shows the following text: Drweb-CureIt Enhanced Protection Mode, but this is where the program stops. There are no further dialogue boxes and no keyboard strokes work.

This happened twice. The 2nd time I left it for 30 minutes. There was no change and no evidence of activity.

 

This may sound naive, but can't we just re-format the whole C: drive and any other partitioned drive and reload Windows?

 

In the meantime, I will try to delete all files in my Windows.old directory (and the whole directory if possible).

 

GP


  • Root Admin

Yes, we certainly can, and in fact I think that would be a better solution - but often users either can't or don't want to format and reinstall Windows.

 

Obtain all the required drivers from the MFG website for items like the network card, audio, video, etc and save them to a USB stick.  

 

Backup all your data, then boot to a Windows install DVD and Delete the current partition and install Windows. 

 

As soon as possible install antivirus on the computer and then all the Windows updates.

Do not install Java


Is formatting the C drive the same as a Clean Install?

Because that is what I did before I even came to this forum.

 

It did not solve the problem because there was a Master Boot Record virus that you helped solve.

 

Should I do the same Clean Windows Install as before?

or

Is there still an option to go to a DOS prompt and just type C:\ Format?


  • Root Admin
Delete the current partition and install Windows. 

 

 

You missed the part where I said to remove the current partition.  That removes any MBR infection.

 

This topic should provide more information on doing a clean install.  When it comes to the drive steps select your current partition and delete it.  Then use it to install Windows on.

 

How to Do a Clean Installation with Windows 7
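The distinction the Root Admin draws above, between formatting C: and removing the partition, is the one a command-line user has to get right, so here it is as an added example written in diskpart rather than through the Setup screens. It is not from the thread or from the linked guide; disk 0 is an assumption, which is why the script starts with a read-only listing, and the wipe only runs when -Execute is given. `format C:` (the DOS-prompt idea asked about earlier) rewrites the NTFS structures inside the C: partition and leaves sector 0 alone, which is why it behaves like the clean install already tried; diskpart's `clean` replaces the partition table and the boot code that shares sector 0 with it, the same level the Root Admin's "delete the current partition" works at.

```powershell
# Added example (not from the forum thread): wipe the partition table and MBR boot code
# of one disk with diskpart, with a read-only listing and a dry run before anything runs.

function Get-DiskpartListing {
    # Read-only: shows disk numbers and which volume is the Windows one. Needs an elevated prompt.
    $file = Join-Path $env:TEMP 'dp-list.txt'
    Set-Content -LiteralPath $file -Value @('list disk', 'list volume', 'exit') -Encoding Ascii
    diskpart.exe /s $file
}

function New-DiskpartWipeScript {
    param([Parameter(Mandatory)][int]$DiskNumber, [switch]$ZeroEverySector)
    # 'clean' overwrites the MBR sector (partition table plus the boot code in it) and the
    # hidden sectors; 'clean all' additionally zero-fills every sector on the disk and takes hours.
    $wipe = if ($ZeroEverySector) { 'clean all' } else { 'clean' }
    @("select disk $DiskNumber", $wipe, 'exit')
}

function Invoke-DiskpartScript {
    param([Parameter(Mandatory)][string[]]$Commands, [switch]$Execute)
    if (-not $Execute) {
        'Dry run. diskpart would receive:'
        $Commands | ForEach-Object { "    $_" }
        return
    }
    $file = Join-Path $env:TEMP 'dp-wipe.txt'
    Set-Content -LiteralPath $file -Value $Commands -Encoding Ascii
    diskpart.exe /s $file
}

# Step 1: identify the disk (read-only).
Get-DiskpartListing

# Step 2: preview the wipe for disk 0 (an assumption; use the number from step 1).
# Add -Execute only from the install DVD's command prompt (Shift+F10 in Setup) or other
# boot media, never from the Windows installation that lives on the disk being wiped.
Invoke-DiskpartScript -Commands (New-DiskpartWipeScript -DiskNumber 0)
```

After `clean` the disk shows as unallocated space in Setup, which then creates the new partition and installs Windows exactly as the linked guide describes. Back up data and collect drivers first, as the Root Admin said two posts up; once `clean` has run there is nothing left on the disk to recover.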


This topic is now closed to further replies.