1 - 20 of 35 Posts

Post #1 · Registered · 20 Posts · Discussion Starter
First of all, congrats & hats off to you all for helping others. One of my friends told me about your website for any kind of technical reference.

Now second thing, my laptop got a virus yesterday. It all happened due to a pen drive.

I used an infected pen drive, mistakenly; on the next restart, it remained inserted. On restart, my laptop started scandisk (of the pen drive). As soon as I realized, I immediately removed the pen drive. And on startup, some 47 MB of data was sent within 10 minutes of start. I disconnected the LAN cable afterwards.

First, the virus/trojan did something due to which every drive other than C: was not opening. On opening any drive, it says "Drive is not formatted, Format Now?"


Somehow, I ran the computer in safe mode & scanned, then logged in to normal mode. Now the E: & F: drives are visible and opening, but not D:.

Though the two drives E & F open now, none of the folders present on these drives is accessible. I had a folder named "Official Data" in E:; that folder too says not accessible.

Most probably, the Data folder may be recovered, but the D: drive is still not accessible.

On every scan from updated AVG, it shows the following three infections, out of which one is not healed/moved to Vault:

Info on System :
OS - XP Prof Version 2002 Service Pack 2
Antivirus - AVG Free (Updated)
Anti-Spyware - Spybot (Updated)
Total partitions - 4 ( C: D: E: F: )


Presently, I am keeping the laptop off with fingers crossed for removing that virus. Task Manager & Registry Editor are opening & working fine.

Screenshots of the error message on every startup & of my Task Manager are:

Please, help needed.
 

Post #2 · Registered · 20 Posts · Discussion Starter
Sorry, it might look like breaking the rules by making a post before 72 hours, but I am forced to as there is no edit option in the post. I need to update the status of the problem, so I am posting this.


Now at present, no drive other than C is visible. If I try to open any other drive, a blue DOS screen with some error message written on it appears for a fraction of a second & my laptop restarts.

I have attached the scan results of DDS & GMER with this post.


Here is the DDS result :


DDS (Ver_09-09-24.01) - FAT32x86
Run by Vikrant Arora at 23:01:11.32 on 27/09/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1918.1370 [GMT 5.5:30]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
SVCHOST.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\eTSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
"C:\WINDOWS\system32\SVCHOST.EXE"
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\eTCrtMng.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
svchost
svchost
C:\Documents and Settings\Vikrant Arora\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: Shell=Explorer.exe rundll32.exe tftp.nfo beforegllav
mWinlogon: Taskman=c:\recycler\s-1-5-21-9697868923-9974933581-189209406-9819\wnzip32.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-4211578448-6423166331-674674045-2641\czzi.exe,explorer.exe,c:\recycler\s-1-5-21-9697868923-9974933581-189209406-9819\wnzip32.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [eTCertManger] c:\windows\system32\eTCrtMng.exe
mRun: [DataLayer] c:\program files\common files\pcsuite\datalayer\DataLayer.exe
mRun: [<NO NAME>]
mRun: [Nokia Tray Application] c:\program files\common files\nokia\tools\NclTray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
StartupFolder: c:\documents and settings\vikrant arora\start menu\programs\startup\uecupd32.exe
StartupFolder: c:\documents and settings\vikrant arora\start menu\programs\startup\nhaupd32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: {0E3241A2-3541-4FB9-A0A8-7BA9802644F8} = 202.56.215.55,202.56.215.54
TCP: {5774BD73-C749-4539-B0B0-02FE37BDE5FD} = 202.56.215.54,202.56.215.55
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vikran~1\applic~1\mozilla\firefox\profiles\5onrulyt.default\
FF - prefs.js: browser.search.selectedEngine - IMDB

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-12 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-12 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-12 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-7-12 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-12 297752]
R3 VIACRX86;VIACRX86;c:\windows\system32\drivers\viacr.sys [2009-7-12 59264]
S1 31707713;31707713;c:\windows\system32\drivers\31707713.sys --> c:\windows\system32\drivers\31707713.sys [?]
S1 a7704edf;a7704edf;c:\windows\system32\drivers\a7704edf.sys --> c:\windows\system32\drivers\a7704edf.sys [?]
S1 d356a19d;d356a19d;c:\windows\system32\drivers\d356a19d.sys --> c:\windows\system32\drivers\d356a19d.sys [?]
S3 AKSUP;AKSUP;c:\windows\system32\drivers\aksup.sys [2009-9-8 32472]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2009-9-19 30368]

=============== Created Last 30 ================

2009-09-27 00:26 2,262 a------- c:\windows\bthservsdp.dat
2009-09-27 00:24 38,016 a------- c:\windows\system32\drivers\bthmodem.sys
2009-09-27 00:24 38,016 a------- c:\windows\system32\dllcache\bthmodem.sys
2009-09-26 19:39 89,344 a------- c:\windows\system32\drivers\d1655f41.sys
2009-09-25 16:49 <DIR> --d----- C:\spoolerlogs
2009-09-25 16:32 31,232 a------- c:\windows\system32\mssrv32.exe
2009-09-25 16:32 24,576 a------- c:\windows\system32\stu2.exe
2009-09-23 19:48 <DIR> --d----- C:\tally5.4
2009-09-23 19:47 1,686,365 a------- C:\tally5.zip
2009-09-19 17:43 8,192 a------- c:\windows\REGULOCS.OLD
2009-09-19 15:15 <DIR> --d----- c:\documents and settings\vikrant arora\Phone Browser
2009-09-19 15:09 <DIR> --d----- c:\program files\Nokia
2009-09-19 15:09 <DIR> --d----- c:\program files\common files\PCSuite
2009-09-19 15:09 <DIR> --d----- c:\program files\common files\Nokia
2009-09-19 15:08 <DIR> --d----- c:\windows\Downloaded Installations
2009-09-19 15:03 <DIR> --d----- c:\windows\system32\appmgmt
2009-09-19 14:58 30,368 a----r-- c:\windows\system32\drivers\usb2vcom.sys
2009-09-14 18:13 <DIR> --d----- C:\back
2009-09-14 16:47 <DIR> --d----- C:\Tally7.2
2009-09-08 15:10 88 a------- c:\windows\Entrust.ini
2009-09-08 15:10 84,636 a------- c:\windows\system32\drivers\aksifdh.sys
2009-09-08 15:10 32,472 a------- c:\windows\system32\drivers\aksup.sys
2009-09-08 15:10 <DIR> --d----- c:\program files\common files\Aladdin Shared
2009-09-01 09:44 227 a------- c:\windows\system.ini.bak

==================== Find3M ====================

2009-09-25 16:32 19,968 a------- c:\windows\system32\userinit.exe
2009-08-25 12:45 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-25 12:45 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-12 12:50 21,192 a------- c:\windows\system32\dopdfmn6.dll
2009-08-12 12:50 18,632 a------- c:\windows\system32\dopdfmi6.dll
2009-07-13 08:33 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-07-12 07:56 319,488 a------- c:\windows\HideWin.exe
2009-07-12 07:20 21,640 a------- c:\windows\system32\emptyregdb.dat

============= FINISH: 23:02:26.46 ===============
 

Attachments
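The DDS log above is what the helper reads to call the machine "seriously infected": the Winlogon Shell and Taskman values point at executables under RECYCLER, a per-user Shell is set, bare .exe files sit in the Startup folder, and several drivers are named only by eight hex digits with no file details. The following is an added example, not code from the thread or from the DDS tool, that runs those checks over the "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats. The sample lines are trimmed from the log posted above; the expected Windows XP Winlogon defaults and the heuristics are assumptions noted in the comments.

```python
"""Triage the 'Pseudo HJT Report' and 'SERVICES / DRIVERS' sections of a DDS log.

Added example, not part of the thread or of the DDS tool. SAMPLE_LOG is trimmed from the
log posted above; the expected Winlogon defaults and the heuristics are assumptions."""
import re

# Trimmed from the DDS log posted in the thread (constructed sample for this example).
SAMPLE_LOG = r"""
uStart Page = about:blank
mWinlogon: Shell=Explorer.exe rundll32.exe tftp.nfo beforegllav
mWinlogon: Taskman=c:\recycler\s-1-5-21-9697868923-9974933581-189209406-9819\wnzip32.exe
uWinlogon: Shell=c:\recycler\s-1-5-21-4211578448-6423166331-674674045-2641\czzi.exe,explorer.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\documents and settings\vikrant arora\start menu\programs\startup\uecupd32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-12 335240]
S1 31707713;31707713;c:\windows\system32\drivers\31707713.sys --> c:\windows\system32\drivers\31707713.sys [?]
"""

# Assumption: on a clean XP install the HKLM Winlogon Shell is exactly "explorer.exe",
# HKCU (DDS prefix 'u') sets no Shell at all, and no Taskman value exists.
EXPECTED_SHELL = "explorer.exe"

# Executables living inside the RECYCLER folder under an SID-shaped directory.
RECYCLER_RE = re.compile(r"\\recycler\\s-1-5-21-[\d-]+\\", re.I)
WINLOGON_RE = re.compile(r"^(?P<hive>[um])Winlogon:\s*(?P<key>\w+)=(?P<value>.*)$", re.I)
STARTUP_RE = re.compile(r"^StartupFolder:\s*(?P<path>.*)$", re.I)
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.I)


def triage(log_text):
    """Return a list of (finding_kind, offending_line) pairs."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECYCLER_RE.search(line):
            findings.append(("recycler-path", line))

        m = WINLOGON_RE.match(line)
        if m:
            hive, key = m.group("hive").lower(), m.group("key").lower()
            value = m.group("value").strip()
            if key == "shell":
                if hive == "u":
                    findings.append(("per-user-shell", line))
                elif value.lower() != EXPECTED_SHELL:
                    # Anything appended after explorer.exe is started by Winlogon too.
                    findings.append(("shell-not-explorer", line))
            elif key == "taskman":
                findings.append(("taskman-set", line))
            continue

        m = STARTUP_RE.match(line)
        if m:
            path = m.group("path")
            # DDS prints shortcuts as "name.lnk - target"; a bare .exe dropped straight
            # into a Startup folder has no shortcut and is unusual for installed software.
            if path.lower().endswith(".exe") and " - " not in path:
                findings.append(("exe-in-startup", line))
            continue

        m = SERVICE_RE.match(line)
        if m and HEX_NAME_RE.match(m.group("name")) and m.group("path").endswith("[?]"):
            # Driver named by eight hex digits, no description, and no date/size recorded.
            findings.append(("unnamed-driver", line))
    return findings


def summarize(findings):
    """Count findings per kind, for a quick overview."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, line in results:
        print(f"[{kind}] {line}")
    print(summarize(results))
```

Run against the sample it reports seven findings across six kinds; the AVG driver and the Adobe shortcut pass because they have a descriptive name with a recorded date/size and the ".lnk - target" form respectively. The checks are deliberately narrow so that a clean log produces no output.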

TSF Security Manager, Emeritus · 42,836 Posts
Hello john_abraham and welcome.

This is seriously infected, including malware patched Windows files. Ensure you stay with me until given the all clear.

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT- Save ComboFix.exe to your Desktop

====================================================


Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.

Open the AVG 8.5 Control Center, by right clicking on the AVG icon on task bar.
  • Click on Open AVG Interface.
  • Double click on Resident Shield
  • Deselect the option to "Enable Resident Shield."
  • Save changes, and exit the application.
  • To re-enable AVG 8.5, please select "Enable Resident Shield" again.

====================================================


Double click on combofix.exe & follow the prompts.


  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
 

TSF Security Manager, Emeritus · 42,836 Posts
As per your PM....


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer the file you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
 

Post #5 · Registered · 20 Posts · Discussion Starter
I asked for the method for offline download of the Recovery Console as I was afraid of more data loss due to it. And I think my fear is gonna come true.


As you told the procedure for offline download, I did the same. Copied the files of ComboFix & RC MWRC to the Desktop. It successfully installed the Recovery Console, then started the scanning. After 20-30 seconds (none of the stages were completed yet), the same kind of DOS screen appeared for a fraction of a second and my laptop got restarted.

However, all the drives (except D:) are visible again, though none of the folders opens (says "... is not readable. The file or directory is corrupted and unreadable").

Now after restart, I tried running ComboFix again; it gets loaded, but in the task bar an error message appears (yellow triangle) saying "The file or directory \ComboFix\Vipev0a is corrupted and unreadable. Please run the Chkdsk utility."

The Chkdsk utility doesn't open.

I am unable to delete the folder ComboFix in C:\

Anything you can suggest? :sad:
 

TSF Security Manager, Emeritus · 42,836 Posts
What procedure are you using to run chkdsk utility?
 

Post #7 · Registered · 20 Posts · Discussion Starter
What procedure are you using to run chkdsk utility?
Well, for chkdsk, I right-click on the drive & choose Properties\Tools\Check Now.


C:\ - On pressing Start, it says Windows was unable to complete the disk check.
D:\ - After I press Start, nothing happens. Check Disk simply disappears.
E:\ & D:\ - same as it says for C:\

AVG now doesn't find any infection (which means it has become useless).

On every start, a message comes:
Windows can't find C:\ComboFix\HIDEC.exe

Presently, I am trying a scan with AVG from Safe Mode.
 

TSF Security Manager, Emeritus · 42,836 Posts
I don't mean to be rude, but if you want my help, you need to stop doing all this stuff in between replies. I replied quite quickly to your last post, but you didn't come back or respond to my question for almost 20 hours. If you run into a problem, please post here and wait for my response.

A scan with AVG in safe mode won't do any good.

Run chkdsk first. Try it this way:

Make sure you do not need your computer for at least 12 hours before proceeding with this step. This scan may take that long and cannot be aborted. I recommend you run it overnight.

Click Start>Run and type in chkdsk /r

If it asks you to run chkdsk on restart please click yes, and restart your computer. This will check your hard drive for errors, and correct any minor errors it finds.

Let me know if that worked or not.
 

Post #9 (Edited) · Registered · 20 Posts · Discussion Starter
I don't mean to be rude, but if you want my help, you need to stop doing all this stuff in between replies. I replied quite quickly to your last post, but you didn't come back or respond to my question for almost 20 hours. If you run into a problem, please post here and wait for my response.

A scan with AVG in safe mode won't do any good.

Run chkdsk first. Try it this way:

Make sure you do not need your computer for at least 12 hours before proceeding with this step. This scan may take that long and cannot be aborted. I recommend you run it overnight.

Click Start>Run and type in chkdsk /r

If it asks you to run chkdsk on restart please click yes, and restart your computer. This will check your hard drive for errors, and correct any minor errors it finds.

Let me know if that worked or not.
I have two Internet connections; one only runs on my laptop, which is not working at present. The other one is a night-only package. So it's a compulsion on me to come online only from night 9 PM to 10 AM (Indian Standard Time, which is GMT +5.30). I can be awake the whole night if you say yes, total 13 hrs.

Gonna run chkdsk as you suggested now.

Update on Chkdsk:
A message in a DOS window appeared: "Chkdsk cannot run because the volume is in use by another process."
I have scheduled it for the next restart & restarted the machine.
 

Post #10 · Registered · 20 Posts · Discussion Starter
Chkdsk started on the next restart and within a fraction of a second, disappeared. And Windows got loaded as usual. I have FreeDOS on C:\ as well. I tried the same command through DOS too; it says bad command name.
 

TSF Security Manager, Emeritus · 42,836 Posts
Hi John,

Boot into the Recovery Console that was installed by ComboFix. It may go past too quickly for you to highlight it, so first do this:

  • On your keyboard, press the Windows Logo key and the pause/break key. The System Properties dialog box should have popped open.
  • Click the Advanced Tab and look toward the bottom and you'll see Startup and Recovery.
  • Click the Edit button.
  • You'll see 'Time to display operating systems'. Use the arrow key to increase the time from 2 seconds to about 10 seconds. Ok your way out.
  • Reboot and as it's booting, use the arrow key on your keyboard to select the second Microsoft Recovery Console.

You must enter which Windows installation to log onto. Type 1 and press enter.

At the C:\Windows prompt, type the following bolded text, and press Enter:

CHKDSK

Let me know if that worked for you.
 

Post #12 · Registered · 20 Posts · Discussion Starter
Thanks for Reply Ried.

On bootup, 3 options appear:

1. Recovery Console
2. Win XP Pro
3. FreeDOS

If I choose Recovery Console, the same menu of these 3 choices opens again. Pressing Enter on Recovery Console opens the same menu again. And finally, I have to enter the option for Win XP to open.
 

TSF Security Manager, Emeritus · 42,836 Posts
Download BootCheck.exe to your desktop.
  • Double click BootCheck.exe to run the check
  • When complete, a Notepad window will open with some text in it
  • Save the Notepad file to your desktop as BootCheck.txt
  • Copy the contents of BootCheck.txt and post it in your next reply
 

Post #14 · Registered · 20 Posts · Discussion Starter
Here is the scan result; it just took 3-4 seconds:

CMDCONS Folder exists!

Contents of C:\boot.ini:

[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\ = "Unidentified operating system on drive C."


-----------------------------------

My laptop remains totally non-responsive for the first 4-5 minutes; even the startup sound comes after that.
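The boot.ini that BootCheck printed above has three entries: the Recovery Console installed by ComboFix (a /cmdcons entry that boots C:\CMDCONS\BOOTSECT.DAT), the Windows XP installation on partition 2, and a bare C:\ chain-load entry for the FreeDOS install, which NTLDR reports as an "Unidentified operating system". The timeout=10 line is the "Time to display operating systems" value raised to 10 seconds a few posts earlier. The following is an added example, not code from the thread or from the BootCheck tool, that parses a boot.ini of this shape and checks that the loader section is consistent with the entries. SAMPLE_BOOT_INI is the file posted above; the meaning assigned to a bare drive-letter entry is an assumption noted in the comments.

```python
"""Parse an XP-era boot.ini and check that it is internally consistent.

Added example, not part of the thread or of the BootCheck tool. SAMPLE_BOOT_INI is the
boot.ini posted in the thread; the checks encode assumptions noted inline."""
import re

SAMPLE_BOOT_INI = """\
[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS
[operating systems]
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\\ = "Unidentified operating system on drive C."
"""

# ARC path used by NTLDR to locate a Windows installation: multi(0)disk(0)rdisk(N)partition(N)\dir
ARC_RE = re.compile(r"^multi\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\((?P<part>\d+)\)\\(?P<dir>.+)$", re.I)
# Right-hand side of an [operating systems] entry: "label" followed by boot switches
ENTRY_RE = re.compile(r'^"(?P<label>[^"]*)"\s*(?P<switches>.*)$')


def parse_boot_ini(text):
    """Return {section_name: [(key, value), ...]} preserving entry order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed boot.ini line: {line!r}")
        # Split on the first '=' only: targets contain no '=', but switches may (/noexecute=optin).
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def check_boot_ini(text):
    """Validate the loader section against the OS entries; return a report dict."""
    sections = parse_boot_ini(text)
    loader = dict(sections.get("boot loader", []))
    findings = []

    timeout_raw = loader.get("timeout", "")
    timeout = int(timeout_raw) if timeout_raw.isdigit() else None
    if timeout is None:
        findings.append("timeout is missing or not a number")

    entries = []
    for target, value in sections.get("operating systems", []):
        m = ENTRY_RE.match(value)
        entry = {
            "target": target,
            "label": m.group("label") if m else value,
            "switches": m.group("switches").split() if m else [],
            "arc": ARC_RE.match(target) is not None,
        }
        if "/cmdcons" in entry["switches"] and not target.lower().endswith("bootsect.dat"):
            findings.append(f"/cmdcons entry {target!r} does not point at a BOOTSECT.DAT file")
        if not entry["arc"] and "/cmdcons" not in entry["switches"]:
            # Assumption: a bare drive-letter target is a chain-load entry (NTLDR boots a
            # saved boot sector from that drive), not a Windows installation.
            findings.append(f"entry {target!r} ({entry['label']}) is a chain-load entry, not an ARC path")
        entries.append(entry)

    default = loader.get("default", "")
    default_ok = default.lower() in {e["target"].lower() for e in entries}
    if not default_ok:
        findings.append(f"default {default!r} matches no [operating systems] entry")

    return {"timeout": timeout, "default_ok": default_ok, "entries": entries, "findings": findings}


if __name__ == "__main__":
    report = check_boot_ini(SAMPLE_BOOT_INI)
    print(f"timeout={report['timeout']}s default_ok={report['default_ok']}")
    for e in report["entries"]:
        print(f"  {e['label']!r:45} -> {e['target']} {' '.join(e['switches'])}")
    for f in report["findings"]:
        print("  NOTE:", f)
```

On the posted file the default resolves to the XP entry and the only note is the C:\ chain-load entry; the checker does not touch the disk, so a Recovery Console entry whose BOOTSECT.DAT is missing or damaged (one possible reason the menu loops back on itself) would still have to be confirmed by inspecting C:\CMDCONS on the machine.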
 

TSF Security Manager, Emeritus · 42,836 Posts
Delete the existing ComboFix.exe from the desktop. Don't worry about the ComboFix folder.

Download a fresh copy of ComboFix from here.

Boot into Safe Mode and run ComboFix.exe again. Post the log it produces.
 

Post #16 · Registered · 20 Posts · Discussion Starter
I tried as you suggested, logged in to Safe Mode & copied a fresh copy of ComboFix to the Desktop. The first problem I faced was how to disable AVG in safe mode. Ignoring disabling it, I continued the scan with ComboFix. It showed an error message of a corrupt file in the ComboFix folder. I have attached the screenshot of that error message & the programs running in safe mode:

 

TSF Security Manager, Emeritus · 42,836 Posts
You need to run chkdsk. Do you have the Windows Install disc?

Also, navigate to c:\windows\system.ini.bak

Open it with Notepad and post the contents here.
 

Registered · 20 Posts · Discussion Starter
Contents of system.ini.bak:


; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON


===========================

Contents of system.ini:


; for 16-bit app support
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[TLPM]
CacheId=X86-F15-M2332Z_2

===========================

Yes, I have my Win XP CD.
 

TSF Security Manager, Emeritus · 42,836 Posts
Insert the Install Disc and reboot. You are going to boot into the Recovery Console from the disc - do NOT attempt a Repair install at this time.

This is what you'll see...

Select Repair using Recovery Console.

Once it has loaded, follow the screen prompts and enter the number that corresponds to where Windows is installed.


Once the Recovery Console has loaded, type in CHKDSK and press enter.

Let me know how that worked out for you. Understand that this can take 12 hours or more to complete - you must NOT terminate it.
 