Something bad just happened [FIXED]

Alright, so I was gone for a day and I put this thing in its case to ensure it would be fine. I get back today, and when I power it on and log in it says "Preparing desktop". At first I thought nothing of it, then I saw a message box that said "System 32 path not specified" [Found out the actual message; please scroll to near the bottom. There should be a link to a Microsoft message board.] and I shut down the system and restarted, and everything worked. I'm running all logs now; will update with them. I don't know what happened. I'm more spooked than ever, and right now I'm assuming my PC might have been compromised. Also, for added detail, the background was black and only the recycle bin appeared, and the whole computer was in Windows 95 mode.

Edit: Also, checking the Event Viewer, I'll show you what it tells me:

The IP Helper service failed to start due to the following error:
The system cannot find the path specified.

The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the IKE and AuthIP IPsec Keying Modules service, but this action failed with the following error:
An instance of the service is already running.

The Extensible Authentication Protocol service failed to start due to the following error:
The system cannot find the path specified.

The System Event Notification Service service failed to start due to the following error:
The system cannot find the path specified.

The User Profile Service service failed to start due to the following error:
The system cannot find the path specified.

The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error:
An instance of the service is already running.

The Multimedia Class Scheduler service failed to start due to the following error:
The system cannot find the path specified.

Fox

Hi YellowFox,

I assume you need help from a qualified removal expert here, so fire up the logs mentioned on the sticky here.

polonus

Currently running the scans and such; might take a bit. Also, a techie friend of mine says this is a User Environment failure, meaning either the user environment broke or got corrupted and fixed itself on restart. However, I'm not ruling out malicious files just yet; Malwarebytes is running as we speak, and soon aswMBR will be too.

Fox

Edit: Found the issue ( http://answers.microsoft.com/en-us/windows/forum/windows_7-system/windows-7-preparing-your/1c7f77b5-4bbd-4426-9b87-e705690ddc4f ). It seems that my user profile managed to corrupt itself. But like I said earlier, this doesn't rule out a malicious hand, so I'll continue my scans.
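The Event Viewer entries in the first post and the profile-corruption diagnosis above can be checked from one script. The following is an added example, not code from this thread or from any of the tools it names: an elevated PowerShell triage that reads the System log for Service Control Manager event IDs 7000 ("failed to start") and 7031 (corrective action after unexpected termination), verifies that each failing service's executable and ServiceDll are present and Authenticode-signed (a missing or unsigned file is the tampering case; all present and signed points back at the environment), and then lists ProfileList entries whose key was renamed with a ".bak" suffix, which is how Windows records that it fell back to a temporary profile. The two-day look-back window is an assumption.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Part 1: Service Control Manager failures -> does the service binary still exist, and is it signed?
$since = (Get-Date).AddDays(-2)   # assumption: cover the day the machine was unattended

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7031          # 7000 = failed to start, 7031 = restart after unexpected termination
    StartTime    = $since
} -ErrorAction SilentlyContinue        # Get-WinEvent throws when nothing matches

# Both event templates carry the service display name as their first parameter.
$names = $events | ForEach-Object { $_.Properties[0].Value } | Sort-Object -Unique

foreach ($display in $names) {
    $svc = Get-CimInstance Win32_Service -Filter ("DisplayName='{0}'" -f ($display -replace "'", "''"))
    if (-not $svc) { "{0,-45} not registered with the SCM" -f $display; continue }

    # PathName looks like  C:\Windows\system32\svchost.exe -k netsvcs  or  "C:\Program Files\x\y.exe" /arg
    $exe = if ($svc.PathName -match '^"?(.+?\.exe)"?') { $Matches[1] } else { $svc.PathName }

    # svchost-hosted services (IP Helper, EAP, SENS, ProfSvc, ...) keep their real code in ServiceDll.
    $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
    $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll

    foreach ($target in (@($exe) + @($dll | Where-Object { $_ }))) {
        $target = [Environment]::ExpandEnvironmentVariables($target)
        if (Test-Path -LiteralPath $target) {
            $status = (Get-AuthenticodeSignature -FilePath $target).Status   # Valid / NotSigned / HashMismatch ...
            "{0,-45} {1,-12} {2}  [{3}]" -f $display, $svc.Name, $target, $status
        } else {
            # This is the "system cannot find the path specified" case worth chasing.
            "{0,-45} {1,-12} {2}  [MISSING]" -f $display, $svc.Name, $target
        }
    }
}

# Part 2: did Windows load a temporary profile?  A SID key renamed to SID.bak means it did.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
Get-ChildItem -Path $profileList | ForEach-Object {
    $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    $flag = if ($_.PSChildName -like '*.bak') { 'BAK - temp profile was used' }
            elseif ($path -and -not (Test-Path -LiteralPath $path)) { 'profile folder missing' }
            else { 'ok' }
    "{0,-50} {1,-40} {2}" -f $_.PSChildName, $path, $flag
}
```

If every listed file is present with a Valid signature and a ".bak" key shows up in Part 2, the evidence matches the Microsoft thread's diagnosis (a profile that failed to load) rather than a replaced service binary; a MISSING or HashMismatch line is the one to hand to the removal helpers along with the scanner logs.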

MBAM is complete here is that log. aswMBR is next.

Here is the aswMBR log.

Here is the OTL log.

Hi,
Try to fix services with this tool:

Download the ESET services repair tool and extract the file to your desktop.

- Double-click ServicesRepair.exe.
- If security notifications appear, click Continue or Run, and then click Yes when asked if you want to proceed.
- Once the tool has finished, you will be prompted to restart your computer. Click Yes to restart.
- A log will be saved in the CCSupport folder the tool created on your desktop; please post its content in your next reply.


Are you using multiboot? Additional check:

Download TDSSKiller and save it to your desktop.

- Execute TDSSKiller.exe by double-clicking on it.
- Press Start Scan.
- If a Suspicious object is detected, the default action will be Skip; click on Continue.
- If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

TDSSKiller conflicts with my AV. I just want to know I'm clean.

I just want to know I'm clean.
The OTL log shows no signs of infection. But at the kernel level I need an additional check (TDSSKiller, like aswMBR, works at kernel level) to be 100% sure you are clean.

Ok, thanks for letting me know. How do you mean TDSSKiller conflicts with your AV? What happened when you tried to run TDSSK?

Once the computer restarts the AV labels it as a virus. Using heuristic detection. I’ll give it another try though.

But TDSSKiller did run, right? TDSSKiller will start a system reboot if an active rootkit is detected. Can you attach the TDSSKiller log?

Now I saw your edit. Feel free and try again. :wink:

When TDSSKiller restarted, it was to do boot monitoring to run the driver it had. That's when my AV labeled it, when it tried to start before everything else.

Well, TDSSKiller did find some nasty thing…

We need to use other AntiRootkit Tool.

Please download Malwarebytes Anti-Rootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions on how to use MBAR:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: this is a beta version, so please be sure to read the disclaimer and take note of it.

- Unzip/unrar MBAR into a folder on your Desktop.
- Open the folder where the contents were unzipped and run mbar.exe.
- Click on Next, then on the Update button to download fresh definitions.
- When the database has updated, click Next.
- In the following window, ensure the "Targets" Drivers, Sectors and System are ticked, then click the Scan button.
- If an infection or infections are found, ensure "Create Restore Point" is checked, then click the Cleanup button to remove threats. Or, if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.
- The cleanup procedure will be scheduled to run.
- When complete, a pop-up will appear. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the following two logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt

Dude, I'm saying the last time I ran it (which was a while back) I clicked scan and I chose boot monitoring, and it needed to restart to start the scan. Before it could even scan, it was shot down by my AV.

Edit: TDSSKiller completed this time without interference from my AV. Uploading log.

Hi YellowFox,

You do not use 2 resident AV solutions, or an AV solution with an incompatible on-demand scanner?
Can't you exclude it in the AV solution you use?
Do I get it right that you are not an avast user?
You can also temporarily disable your AV for the duration of that scan.

polonus

Here is the TDSSKiller log.

You can remove the used tools. Re-run OTL and click on the CleanUp! button.

So I'm clean then? This was just a very, very rare glitch? I've already cleaned.

I don’t see any signs of malware in logs.