Author Topic: Virus removed, appears blank, hard drive still full of data  (Read 17596 times)


Infected

  • Guest
Update #7
« Reply #15 on: June 05, 2011, 08:48:56 PM »
Computer is behaving accordingly. Any thoughts on how it got infected or how to prevent future infections?

9. OTS scan, see attached.


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus removed, appears blank, hard drive still full of data
« Reply #16 on: June 06, 2011, 12:17:14 AM »
Could you retry the OTS fix from the previous post, please, after running MBAM? Then run the computer for a while and, when you are happy, I will remove my tools and give some help on that aspect.



Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

ebozzz

  • Guest
Re: Virus removed, appears blank, hard drive still full of data
« Reply #17 on: June 06, 2011, 01:55:35 AM »
I've basically got the same issue. Here's what I have done thus far. When this machine was brought to me there was no security software installed other than what was provided by Windows. The OS is Windows XP Ultimate. Booting into the primary user account resulted in numerous popups and one window which states that problems have been detected and suggests that I scan using the tools in that window.

The laptop was basically unresponsive at that point. I downloaded MBAM, Avast Free and the Comodo Firewall. I then performed the following:

1. Booted into Safe Mode.
2. Installed MBAM and ran a full scan. Over 300 infections were detected.
3. Removed infected items with MBAM and rebooted.
4. Booted into Safe Mode with Networking.
5. Updated MBAM and ran a second full scan. Over 60 infected items were detected.
6. Removed infected items with MBAM and rebooted.
7. Booted into Safe Mode with Networking.
8. Ran a full scan for the third time. No infected items detected.
9. Installed Avast Free, Comodo Firewall, scheduled a boot scan with Avast and rebooted.
10. Currently completing the boot scan.

I would welcome any assistance. If my issue is better served by opening a new thread, please say so.


ebozzz

  • Guest
Re: Virus removed, appears blank, hard drive still full of data
« Reply #18 on: June 06, 2011, 02:04:20 AM »
Boot scan has now completed. 14 infections were detected and removed.

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #19 on: June 06, 2011, 12:22:13 PM »
ebozzz, could you start your own topic please?

ebozzz

  • Guest
Re: Virus removed, appears blank, hard drive still full of data
« Reply #20 on: June 06, 2011, 03:34:36 PM »
Quote
ebozzz, could you start your own topic please?

I did and you have already been a WORLD of help to me. At this point I am just waiting for any additional information that you might have to add and I will act on it after returning home...

emirbravo

  • Guest
Re: Virus removed, appears blank, hard drive still full of data
« Reply #21 on: June 26, 2011, 03:48:16 PM »
I've got a similar problem. I have deleted viruses found by Avast start-up scanner and still I've got task manager disabled and can't run regedit...

I have done all of the scans mentioned by essexboy and here are the results:
RogueKiller

Quote
RogueKiller V5.2.5 [06/24/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: user [Admin rights]
Mode: Scan -- Date : 06/26/2011 14:41:33

Bad processes: 0

Registry Entries: 7
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (1) -> FOUND
[HJ] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : UpdatesDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1       localhost


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

aswMBR

Quote
aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-25 17:24:03
-----------------------------
17:24:03.609    OS Version: Windows 5.1.2600 Service Pack 3
17:24:03.609    Number of processors: 2 586 0x1C02
17:24:03.609    ComputerName: USER-B1CP97MA1D  UserName: user
17:24:04.515    Initialize success
17:24:13.437    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6
17:24:13.437    Disk 0 Vendor: WDC_WD1600AAJS-08WAA0 58.01D58 Size: 152627MB BusType: 3
17:24:15.515    Disk 0 MBR read successfully
17:24:15.515    Disk 0 MBR scan
17:24:15.515    Disk 0 Windows XP default MBR code
17:24:17.515    Disk 0 scanning sectors +312560640
17:24:17.546    Disk 0 scanning C:\WINDOWS\system32\drivers
17:24:24.828    Service scanning
17:24:25.906    Disk 0 trace - called modules:
17:24:25.906    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:24:25.906    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d89ab8]
17:24:25.906    3 CLASSPNP.SYS[f7508fd7] -> nt!IofCallDriver -> \Device\00000064[0x86da5d70]
17:24:25.906    5 ACPI.sys[f739f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-6[0x86d77940]
17:24:25.906    Scan finished successfully
17:37:55.625    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
17:37:55.625    The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"


aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-26 14:41:58
-----------------------------
14:41:58.937    OS Version: Windows 5.1.2600 Service Pack 3
14:41:58.937    Number of processors: 2 586 0x1C02
14:41:58.937    ComputerName: USER-B1CP97MA1D  UserName: user
14:41:59.562    Initialize success
14:42:19.703    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6
14:42:19.703    Disk 0 Vendor: WDC_WD1600AAJS-08WAA0 58.01D58 Size: 152627MB BusType: 3
14:42:21.734    Disk 0 MBR read successfully
14:42:21.750    Disk 0 MBR scan
14:42:21.750    Disk 0 Windows XP default MBR code
14:42:23.750    Disk 0 scanning sectors +312560640
14:42:23.828    Disk 0 scanning C:\WINDOWS\system32\drivers
14:42:34.718    Service scanning
14:42:35.843    Disk 0 trace - called modules:
14:42:35.859    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:42:35.875    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d89ab8]
14:42:35.875    3 CLASSPNP.SYS[f7508fd7] -> nt!IofCallDriver -> \Device\00000064[0x86da5d70]
14:42:35.890    5 ACPI.sys[f739f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-6[0x86d77940]
14:42:35.890    Scan finished successfully
14:42:42.703    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
14:42:42.750    The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"


NEXT POST IS WITH OTS REPORT
emirbravo

  • Guest
Re: Virus removed, appears blank, hard drive still full of data
« Reply #22 on: June 26, 2011, 03:52:11 PM »
OTS report

Please download my OTS report from this link as it exceeds the maximum allowed length and max attachment size:

https://rapidshare.com/files/1764686472/OTS.Txt
« Last Edit: June 26, 2011, 03:54:54 PM by emirbravo »

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #23 on: June 26, 2011, 04:05:45 PM »
What are your current problems?

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Registry - Safe List]
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1547161642-796845957-725345543-1003] > -> HKEY_USERS\S-1-5-21-1547161642-796845957-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
YN -> \\"DisableTaskMgr" -> [1]
YN -> \\"DisableRegistryTools" -> [1]
[Files/Folders - Created Within 30 Days]
NY ->  New Folder -> C:\Documents and Settings\user\My Documents\New Folder
[Files/Folders - Modified Within 30 Days]
NY ->  ~temp.html -> C:\~temp.html
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!
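The RogueKiller scan and the OTS fix above both centre on the same handful of registry values: DisableTaskMgr and DisableRegistryTools under each user hive's policy key, plus the Security Center *DisableNotify values under HKLM. The script below is an added example, not part of the thread and not one of essexboy's tools: it audits those values across every loaded user hive (.DEFAULT, S-1-5-18 and each logged-on SID, the same three the OTS fix targeted), reports any that are set, and removes them only when run with -Remove. It assumes an elevated PowerShell prompt; the value names and key paths are the ones shown in the logs above.

```powershell
# Added example (not from the thread): audit the policy values RogueKiller and
# OTS flagged, report them, and remove them only with -Remove (supports -WhatIf).
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# Per-user policy values; legitimate only when an admin set them on purpose.
# Malware sets them to lock the user out of Task Manager and regedit.
$userPolicyValues = @('DisableTaskMgr', 'DisableRegistryTools')
$policySubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Machine-wide values that silence Security Center warnings on Windows XP.
$scKey = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scValues = @('AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify')

# Returns a record for the value if it exists, nothing otherwise.
function Test-PolicyValue {
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    New-Object PSObject -Property @{ Key = $Key; Name = $Name; Data = $item.$Name }
}

$findings = @()
# HKEY_USERS lists every hive currently loaded, so unloaded profiles are not
# covered; the *_Classes hives hold no policy keys and are skipped.
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    if ($hive.PSChildName -like '*_Classes') { continue }
    $key = "Registry::HKEY_USERS\$($hive.PSChildName)\$policySubKey"
    foreach ($name in $userPolicyValues) { $findings += Test-PolicyValue $key $name }
}
foreach ($name in $scValues) { $findings += Test-PolicyValue $scKey $name }

# A value present but set to 0 is harmless; only non-zero data restricts anything.
$findings = $findings | Where-Object { $_ -and $_.Data -ne 0 }
if (-not $findings) { Write-Output 'No restrictive policy values found.'; return }

$findings | Format-Table Key, Name, Data -AutoSize
if ($Remove) {
    foreach ($f in $findings) {
        if ($PSCmdlet.ShouldProcess("$($f.Key)\$($f.Name)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $f.Key -Name $f.Name
        }
    }
}
```

Run it once without -Remove to confirm the report matches what the removal tool found, then with -Remove -WhatIf to preview the deletions before applying them.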

emirbravo

  • Guest
Re: Virus removed, appears blank, hard drive still full of data
« Reply #24 on: June 26, 2011, 07:10:47 PM »
The main thing is that I am annoyed by disabled task manager and regedit and being unable to use system restore...

I am not sure if the virus or any other malware is still present and I cannot check my processes or shut some of them down...

I will try your code when I am near my problematic PC again. Thanks a lot in advance essexboy!!

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #25 on: June 26, 2011, 07:31:15 PM »
This fix will reset Task Manager and regedit. Once done, let me know if the problem persists.

emirbravo

  • Guest
Re: Virus removed, appears blank, hard drive still full of data
« Reply #26 on: June 26, 2011, 10:19:52 PM »
Here is the OTS log after applying fix:

Quote
[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr not found.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools not found.
Registry value HKEY_USERS\S-1-5-21-1547161642-796845957-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1547161642-796845957-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\Documents and Settings\user\My Documents\New Folder folder moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\~temp.html moved successfully.
 
[EMPTYFLASH]
 
User: All Users
 
User: Default User
->Flash cache emptied: 56466 bytes
 
User: LocalService
 
User: NetworkService
 
User: user
->Flash cache emptied: 19422 bytes
 
Total Flash Files Cleaned = 0,00 mb
 
Restore point Set: OTS Restore Point (0)
< End of fix log >
OTS by OldTimer - Version 3.1.44.0 fix logfile created on 06262011_220817


Everything seems to be working fine now.
THANX A LOT FOR YOUR ASSISTANCE ON THIS MATTER essexboy, MUCH APPRECIATED!

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #27 on: June 26, 2011, 10:40:11 PM »
No further problems? If so then run OTS and hit the cleanup button  ;D

emirbravo

  • Guest
Re: Virus removed, appears blank, hard drive still full of data
« Reply #28 on: June 26, 2011, 11:58:13 PM »
Roger that! Will do.

Thanks again mate :)