Thread: Vista disaster

  1. #1
    Li'l Abner Guest

    Vista disaster

    I've got someone's badly infected HP Media Center PC here that is showing
    me all kinds of new symptoms. First of all, in normal mode, it only boots
    as far as the welcome screen, then reboots. It will boot OK in Safe Mode.
    Internet access is OK so I downloaded MBAM and it installed OK and updated,
    something popped up and went away, the program never started. The icon on
    the desktop didn't show the normal MBAM logo. mbam.exe was present in the
    program folder but corrupt. I tried renaming the installation file and
    reinstalling. Also tried copying a good mbam.exe from my own machine under
    a different name. No dice. I ran hitmanpro and it found all kinds of
    infected files (mbam.exe was one of them) and a rootkit.
    I should interject another strange behavior. Every time I boot into Safe
    Mode, it asks to choose the network type and I always choose Home, but not
    until my "new device", the mouse, has been found which takes almost a
    minute. This is every time. I uncheck almost everything in msconfig,
    reboot, and when it reboots and does all the above mentioned stuff again, I
    go into msconfig and everything is checked again. I created a new user
    "Joe" and was able to log off and log in to "Joe", but I couldn't do
    anything in that account than I could in the original. Hitman fixed enough
    that I could install and run MBAM which found a trojan downloader. When I
    rebooted back to Safe Mode, "Joe" was gone, and it went through all the
    above rigamarole again and msconfig was filled up with checkmarks again.
    I've copied all his documents and pictures off and there's a restore
    partition which I fully intend to use.

    But if there's still a rootkit in there, will a restore get rid of it? It
    will format the windows partition and reinstall, but will formatting be
    enough to get rid of it?

    Another thing I did was run ComboFix which claimed it needed administrative
    privileges to use the selected options but it ran anyway and ran into a
    rootkit and required a reboot. On reboot it never resumed but went through
    all the above-named stuff again. When it finally settled down, I ran
    ComboFix again (it still wanted administrative privileges) but ran all the
    way through, so it must have gotten rid of the rootkit it found the first
    time when it rebooted. So I ran it one more time and it found nothing. But
    everything remains the same. No changes in msconfig will stick. A newly
    created user won't stick and it still reboots at the welcome screen in
    normal mode.

    Sorry I got carried away like that again, but I tried to cover everything I
    can remember.

    --
    --- A dyslexic man walks into a bra ---

  2. #2
    Li'l Abner Guest

    Re: Vista disaster

    "Li'l Abner" <blvstk@dogpatch.com> wrote in
    news:Xns9F6D2880F7C64butter@wefb973cbe498:

    > I've got someone's badly infected HP Media Center PC here that is
    > showing me all kinds of new symptoms. First of all, in normal mode, it
    > only boots as far as the welcome screen, then reboots. It will boot OK
    > in Safe Mode. Internet access is OK so I downloaded MBAM and it
    > installed OK and updated, something popped up and went away, the
    > program never started. The icon on the desktop didn't show the normal
    > MBAM logo. mbam.exe was present in the program folder but corrupt. I
    > tried renaming the installation file and reinstalling. Also tried
    > copying a good mbam.exe from my own machine under a different name. No
    > dice. I ran hitmanpro and it found all kinds of infected files
    > (mbam.exe was one of them) and a rootkit. I should interject another
    > strange behavior. Every time I boot into Safe Mode, it asks to choose
    > the network type and I always choose Home, but not until my "new
    > device", the mouse, has been found which takes almost a minute. This
    > is every time. I uncheck almost everything in msconfig, reboot, and
    > when it reboots and does all the above mentioned stuff again, I go
    > into msconfig and everything is checked again. I created a new user
    > "Joe" and was able to log off and log in to "Joe", but I couldn't do
    > anything in that account than I could in the original. Hitman fixed
    > enough that I could install and run MBAM which found a trojan
    > downloader. When I rebooted back to Safe Mode, "Joe" was gone, and it
    > went through all the above rigamarole again and msconfig was filled up
    > with checkmarks again. I've copied all his documents and pictures off
    > and there's a restore partition which I fully intend to use.
    >
    > But if there's still a rootkit in there, will a restore get rid of it?
    > It will format the windows partition and reinstall, but will
    > formatting be enough to get rid of it?
    >
    > Another thing I did was run ComboFix which claimed it needed
    > administrative privileges to use the selected options but it ran
    > anyway and ran into a rootkit and required a reboot. On reboot it
    > never resumed but went through all the above-named stuff again. When
    > it finally settled down, I ran ComboFix again (it still wanted
    > administrative privileges) but ran all the way through, so it must
    > have gotten rid of the rootkit it found the first time when it
    > rebooted. So I ran it one more time and it found nothing. But
    > everything remains the same. No changes in msconfig will stick. A newly
    > created user won't stick and it still reboots at the welcome screen in
    > normal mode.
    >
    > Sorry I got carried away like that again, but I tried to cover
    > everything I can remember.


    I did the back to factory restore. Will spend the rest of the day
    installing the two service packs and all the subsequent updates.
    So far, so good.

    --
    --- A dyslexic man walks into a bra ---

  3. #3
    FromTheRafters Guest

    Re: Vista disaster

    "Li'l Abner" <blvstk@dogpatch.com> wrote in message
    news:Xns9F6D78C2CD54Cbutter@wefb973cbe498...
    > "Li'l Abner" <blvstk@dogpatch.com> wrote in
    > news:Xns9F6D2880F7C64butter@wefb973cbe498:
    >
    >> I've got someone's badly infected HP Media Center PC here that is
    >> showing me all kinds of new symptoms. First of all, in normal mode, it
    >> only boots as far as the welcome screen, then reboots. It will boot OK
    >> in Safe Mode. Internet access is OK so I downloaded MBAM and it
    >> installed OK and updated, something popped up and went away, the
    >> program never started. The icon on the desktop didn't show the normal
    >> MBAM logo. mbam.exe was present in the program folder but corrupt. I
    >> tried renaming the installation file and reinstalling. Also tried
    >> copying a good mbam.exe from my own machine under a different name. No
    >> dice. I ran hitmanpro and it found all kinds of infected files
    >> (mbam.exe was one of them) and a rootkit. I should interject another
    >> strange behavior. Every time I boot into Safe Mode, it asks to choose
    >> the network type and I always choose Home, but not until my "new
    >> device", the mouse, has been found which takes almost a minute. This
    >> is every time. I uncheck almost everything in msconfig, reboot, and
    >> when it reboots and does all the above mentioned stuff again, I go
    >> into msconfig and everything is checked again. I created a new user
    >> "Joe" and was able to log off and log in to "Joe", but I couldn't do
    >> anything in that account than I could in the original. Hitman fixed
    >> enough that I could install and run MBAM which found a trojan
    >> downloader. When I rebooted back to Safe Mode, "Joe" was gone, and it
    >> went through all the above rigamarole again and msconfig was filled up
    >> with checkmarks again. I've copied all his documents and pictures off
    >> and there's a restore partition which I fully intend to use.
    >>
    >> But if there's still a rootkit in there, will a restore get rid of it?
    >> It will format the windows partition and reinstall, but will
    >> formatting be enough to get rid of it?
    >>
    >> Another thing I did was run ComboFix which claimed it needed
    >> administrative privileges to use the selected options but it ran
    >> anyway and ran into a rootkit and required a reboot. On reboot it
    >> never resumed but went through all the above-named stuff again. When
    >> it finally settled down, I ran ComboFix again (it still wanted
    >> administrative privileges) but ran all the way through, so it must
    >> have gotten rid of the rootkit it found the first time when it
    >> rebooted. So I ran it one more time and it found nothing. But
    >> everything remains the same. No changes in msconfig will stick. A newly
    >> created user won't stick and it still reboots at the welcome screen in
    >> normal mode.
    >>
    >> Sorry I got carried away like that again, but I tried to cover
    >> everything I can remember.

    >
    > I did the back to factory restore. Will spend the rest of the day
    > installing the two service packs and all the subsequent updates.
    > So far, so good.


    That's probably the best course of action anyway, as far as having
    confidence in the results.

    Whenever "Safe Mode" isn't minimal enough to prevent malware from
    running, you might consider Vista's recovery options (similar to the XP
    "Recovery Console" - only better) on the installation disc.

    If no disc was supplied, the tools may be installed on the hard drive and
    you may have a 'recovery partition' instead of an installation disc.

    Many vendors now offer Linux-based recovery toolkits on 'live cd' for
    a good clean boot and scan for malware.



  4. #4
    Li'l Abner Guest

    Re: Vista disaster

    "FromTheRafters" <erratic.howard@gmail.com> wrote in
    news:j5tdcn$3ej$1@dont-email.me:

    > "Li'l Abner" <blvstk@dogpatch.com> wrote in message
    > news:Xns9F6D78C2CD54Cbutter@wefb973cbe498...
    >> "Li'l Abner" <blvstk@dogpatch.com> wrote in
    >> news:Xns9F6D2880F7C64butter@wefb973cbe498:
    >>
    >>> I've got someone's badly infected HP Media Center PC here that is
    >>> showing me all kinds of new symptoms. First of all, in normal mode,
    >>> it only boots as far as the welcome screen, then reboots. It will
    >>> boot OK in Safe Mode. Internet access is OK so I downloaded MBAM and
    >>> it installed OK and updated, something popped up and went away, the
    >>> program never started. The icon on the desktop didn't show the
    >>> normal MBAM logo. mbam.exe was present in the program folder but
    >>> corrupt. I tried renaming the installation file and reinstalling.
    >>> Also tried copying a good mbam.exe from my own machine under a
    >>> different name. No dice. I ran hitmanpro and it found all kinds of
    >>> infected files (mbam.exe was one of them) and a rootkit. I should
    >>> interject another strange behavior. Every time I boot into Safe
    >>> Mode, it asks to choose the network type and I always choose Home,
    >>> but not until my "new device", the mouse, has been found which takes
    >>> almost a minute. This is every time. I uncheck almost everything in
    >>> msconfig, reboot, and when it reboots and does all the above
    >>> mentioned stuff again, I go into msconfig and everything is checked
    >>> again. I created a new user "Joe" and was able to log off and log in
    >>> to "Joe", but I couldn't do anything in that account than I could in
    >>> the original. Hitman fixed enough that I could install and run MBAM
    >>> which found a trojan downloader. When I rebooted back to Safe Mode,
    >>> "Joe" was gone, and it went through all the above rigamarole again
    >>> and msconfig was filled up with checkmarks again. I've copied all
    >>> his documents and pictures off and there's a restore partition which
    >>> I fully intend to use.
    >>>
    >>> But if there's still a rootkit in there, will a restore get rid of
    >>> it? It will format the windows partition and reinstall, but will
    >>> formatting be enough to get rid of it?
    >>>
    >>> Another thing I did was run ComboFix which claimed it needed
    >>> administrative privileges to use the selected options but it ran
    >>> anyway and ran into a rootkit and required a reboot. On reboot it
    >>> never resumed but went through all the above-named stuff again.
    >>> When it finally settled down, I ran ComboFix again (it still wanted
    >>> administrative privileges) but ran all the way through, so it must
    >>> have gotten rid of the rootkit it found the first time when it
    >>> rebooted. So I ran it one more time and it found nothing. But
    >>> everything remains the same. No changes in msconfig will stick. A
    >>> newly created user won't stick and it still reboots at the welcome
    >>> screen in normal mode.
    >>>
    >>> Sorry I got carried away like that again, but I tried to cover
    >>> everything I can remember.

    >>
    >> I did the back to factory restore. Will spend the rest of the day
    >> installing the two service packs and all the subsequent updates.
    >> So far, so good.

    >
    > That's probably the best course of action anyway, as far as having
    > confidence in the results.
    >
    > Whenever "Safe Mode" isn't minimal enough to prevent malware from
    > running, you might consider Vista's recovery options (similar to the
    > XP "Recovery Console" - only better) on the installation disc.
    >
    > If no disc was supplied, the tools may be installed on the hard drive
    > and you may have a 'recovery partition' instead of an installation
    > disc.
    >
    > Many vendors now offer Linux-based recovery toolkits on 'live cd' for
    > a good clean boot and scan for malware.


    This one had a recovery partition. It also had an MS recovery option.
    The newest restore point was back in July. I tried going back to one a
    few days earlier than that. It did the restore successfully but it
    didn't fix anything. So I did the recovery and have just now got done. 2
    service packs (which I already had in my collection) and about 120 more
    updates after that. Then I had to copy his documents back, set up his
    email, and put Avira on it.

    --
    --- A dyslexic man walks into a bra ---
