Topic: Virus removed, appears blank, hard drive still full of data

Offline Infected

Hi guys,

I am not an expert, but I think my computer is still OK; I just can't figure out how to make it look OK. The virus was removed (sorry, I deleted all files from the chest; I thought it would fix the problem). When I boot up, my desktop is black and my Start > All Programs is blank. If I open My Computer, all my stuff is still there. I did all the scans and everything is OK. How do I restore my settings?

Blank,
~RUTH~

Windows XP
Threat:
Win32: Alureon-ADW [Tri]
Win32: Alureon-AEF [Tri]
Win32: Olmarik-F [Tri]



Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #1 on: June 05, 2011, 04:03:03 PM »
Please do not run any temporary file cleaners until I say it is OK.

Download Unhide.exe to your desktop and run it.

THEN

Download RogueKiller to your desktop.

  • Quit all running programs.
  • For Vista/Seven, right click -> Run as administrator; for XP, simply run RogueKiller.exe.
  • When prompted, type 1 and validate.
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next Reply.

NEXT

Download aswMBR.exe (511KB) to your desktop.

Double click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

 


FINALLY

Download OTS to your Desktop and double-click on it to run it.
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Offline Infected

Update #1
« Reply #2 on: June 05, 2011, 04:58:06 PM »
Thanks for the quick reply essex boy!

Here is the update.

1. Done - Unhide.exe - start menu has programs, desktop still black. Need a restart?
2. RogueKiller
RKreport.txt

Quote
RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Ruthie [Admin rights]
Mode: Scan -- Date : 06/05/2011 12:54:15

Bad processes: 0

Registry Entries: 10
[SUSP PATH] HKCU\[...]\Run : OxDyPOOgxbNHvA (C:\Documents and Settings\All Users\Application Data\OxDyPOOgxbNHvA.exe) -> FOUND
[SUSP PATH] HKUS\S-1-5-21-73586283-1343024091-725345543-1003[...]\Run : OxDyPOOgxbNHvA (C:\Documents and Settings\All Users\Application Data\OxDyPOOgxbNHvA.exe) -> FOUND
[] HKLM\[...]\Root :  () -> ACCESS DENIED
[] HKLM\[...]\Root :  () -> ACCESS DENIED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ] HKCU\[...]\ActiveDesktop : NoChangingWallPaper (1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1       localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt

3. aswMBR.exe
Log aswMBR.txt

Quote
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-05 12:59:56
-----------------------------
12:59:56.031    OS Version: Windows 5.1.2600 Service Pack 2
12:59:56.031    Number of processors: 1 586 0x204
12:59:56.031    ComputerName: RUTH  UserName:
12:59:56.265    Initialize success
13:00:16.359    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:00:16.359    Disk 0 Vendor: WDC_WD400BB-00DEA0 05.03E05 Size: 38166MB BusType: 3
13:00:18.375    Disk 0 MBR read successfully
13:00:18.375    Disk 0 MBR scan
13:00:18.375    Disk 0 Windows XP default MBR code
13:00:20.390    Disk 0 scanning sectors +78140160
13:00:20.406    Disk 0 scanning C:\WINDOWS\system32\drivers
13:00:26.328    Service scanning
13:00:27.437    Disk 0 trace - called modules:
13:00:27.453    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:00:27.453    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82382ab8]
13:00:27.453    3 CLASSPNP.SYS[f857605b] -> nt!IofCallDriver -> \Device\0000005b[0x8238cf18]
13:00:27.468    5 ACPI.sys[f84ec620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82385940]
13:00:27.468    Scan finished successfully
13:00:53.187    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ruthie\Desktop\MBR.dat"
13:00:53.203    The log file has been saved successfully to "C:\Documents and Settings\Ruthie\Desktop\aswMBR.txt"
4. OTS
See attached.

« Last Edit: June 05, 2011, 05:15:50 PM by Infected »

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #3 on: June 05, 2011, 05:04:03 PM »
OK, prior to running the next two programmes (or when you can fit it in):

Re-run RogueKiller and select option 2.

Offline Infected

Update # 2
« Reply #4 on: June 05, 2011, 05:18:02 PM »
RogueKiller #2 - Background has been restored, desktop icons are still missing.

Quote
RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Ruthie [Admin rights]
Mode: Remove -- Date : 06/05/2011 13:18:02

Bad processes: 0

Registry Entries: 7
[SUSP PATH] HKCU\[...]\Run : OxDyPOOgxbNHvA (C:\Documents and Settings\All Users\Application Data\OxDyPOOgxbNHvA.exe) -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (1) -> DELETED
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[HJ] HKCU\[...]\ActiveDesktop : NoChangingWallPaper (1) -> REPLACED (0)
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Documents and Settings\Ruthie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:
127.0.0.1       localhost


Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
« Last Edit: June 05, 2011, 05:20:02 PM by Infected »
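As an added example (not from this thread, and not RogueKiller's own code), here is a small Python triage parser for the RKreport.txt format shown in Reply #2 and Reply #4 above. It pulls the registry entry lines out of a report, counts them by the tool's status column (FOUND, DELETED, REPLACED, ACCESS DENIED) and lists what is still outstanding, which is what a helper has to decide on before choosing the next step. The sample report is constructed from lines of the two reports posted above, concatenated so that all three statuses occur in one input; the tag meanings in TAG_MEANING and the LOCKDOWN_VALUES set are my own labels for what the reports show, not documentation from the tool.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: registry lines copied from the RKreport[1].txt (Scan mode)
# and RKreport[2].txt (Remove mode) logs posted in this thread, concatenated so
# that FOUND, ACCESS DENIED and REPLACED entries all appear in one input.
SAMPLE_REPORT = r"""
RogueKiller V5.2.2 [06/05/2011] by Tigzy
Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Mode: Scan -- Date : 06/05/2011 12:54:15

Bad processes: 0

Registry Entries: 7
[SUSP PATH] HKCU\[...]\Run : OxDyPOOgxbNHvA (C:\Documents and Settings\All Users\Application Data\OxDyPOOgxbNHvA.exe) -> FOUND
[] HKLM\[...]\Root :  () -> ACCESS DENIED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (1) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> REPLACED (0)
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Documents and Settings\Ruthie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp)

HOSTS File:
127.0.0.1       localhost
"""

# One registry line: [TAG] KEY : NAME (VALUE) -> STATUS [(NEW VALUE)]
ENTRY_RE = re.compile(
    r"^\[(?P<tag>[^\]]*)\]\s+(?P<key>.+?)\s+:\s+(?P<name>.*?)\s*"
    r"\((?P<value>.*?)\)\s+->\s+(?P<status>[A-Z ]+?)(?:\s+\((?P<new>.*)\))?$"
)

# Assumed readings of RogueKiller's tags (my labels, not the tool's documentation).
TAG_MEANING = {
    "SUSP PATH": "autorun pointing at a suspicious path",
    "HJPOL": "hijacked Windows policy value",
    "HJ": "hijacked setting",
    "WallPP": "wallpaper setting",
    "": "key the tool could not classify",
}

# Policy values seen in the thread's reports that lock the user out of recovery tools.
LOCKDOWN_VALUES = {"DisableTaskMgr", "DisableSR", "NoChangingWallPaper"}


@dataclass
class RegistryEntry:
    tag: str
    key: str
    name: str
    value: str
    status: str               # FOUND, DELETED, REPLACED, ACCESS DENIED
    new_value: Optional[str]  # only set for REPLACED


def parse_report(text: str) -> List[RegistryEntry]:
    """Extract every registry entry line from a RogueKiller report."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(RegistryEntry(
                m["tag"], m["key"], m["name"], m["value"],
                m["status"].strip(), m["new"]))
    return entries


def summarize(entries: List[RegistryEntry]) -> Counter:
    """Count entries per status column."""
    return Counter(e.status for e in entries)


def outstanding(entries: List[RegistryEntry]) -> List[RegistryEntry]:
    """Entries the tool only reported, plus keys it could not read."""
    return [e for e in entries if e.status in ("FOUND", "ACCESS DENIED")]


def lockdown_policies(entries: List[RegistryEntry]) -> List[str]:
    """Names of user-lockout policy values that are still in place."""
    return [e.name for e in entries
            if e.name in LOCKDOWN_VALUES and e.status == "FOUND"]


def describe(e: RegistryEntry) -> str:
    meaning = TAG_MEANING.get(e.tag, "unknown tag")
    detail = f" -> now {e.new_value!r}" if e.new_value is not None else ""
    return f"{e.status:13} {e.key} : {e.name or '<no name>'} ({meaning}){detail}"


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("Status counts:", dict(summarize(found)))
    print("Still outstanding:")
    for entry in outstanding(found):
        print("  " + describe(entry))
    print("Lockdown policies still set:", lockdown_policies(found))
```

Run against a saved RKreport.txt by reading the file into parse_report instead of SAMPLE_REPORT. ACCESS DENIED lines are kept in the outstanding list on purpose: a key the tool could not open is exactly the kind of entry that needs a second run or a different tool, which is what happened in this thread.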

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #5 on: June 05, 2011, 05:26:15 PM »
Getting there  ;D

Last run for RogueKiller: this time select option 6.

Then we will remove the remaining nasties with aswMBR and OTS.

Offline Infected

Update # 3
« Reply #6 on: June 05, 2011, 05:28:46 PM »
6. RogueKiller option 6

Quote
RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Ruthie [Admin rights]
Mode: Shortcuts HJfix -- Date : 06/05/2011 13:33:28

Bad processes: 0

File attributes restored:
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 1 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 20 / Fail 0
My documents: Success 4 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 79 / Fail 0
Backup: [FOUND] Success 183 / Fail 12

Drives:
[A:] \Device\Floppy0 -- 0x2 --> Skipped
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom1 -- 0x5 --> Skipped
[F:] \Device\CdRom0 -- 0x5 --> Skipped

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt
« Last Edit: June 05, 2011, 05:34:19 PM by Infected »

Offline Infected

Re: Virus removed, appears blank, hard drive still full of data
« Reply #7 on: June 05, 2011, 05:36:16 PM »
Then we will remove the remaining nasties with aswMBR and OTS

essexboy, aswMBR scan or fix?

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #8 on: June 05, 2011, 05:37:47 PM »
Just scan please, as I will need to see what is there. Your desktop, files etc. should be back now and the main start elements of the malware are dead. So now it is time to hunt for the remainder.

Offline Infected

Update # 4
« Reply #9 on: June 05, 2011, 05:41:17 PM »
7. aswMBR scan - desktop icons still missing, reboot?

Quote
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-05 13:35:58
-----------------------------
13:35:58.656    OS Version: Windows 5.1.2600 Service Pack 2
13:35:58.656    Number of processors: 1 586 0x204
13:35:58.656    ComputerName: RUTH  UserName:
13:35:58.828    Initialize success
13:39:30.531    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
13:39:30.531    Disk 0 Vendor: WDC_WD400BB-00DEA0 05.03E05 Size: 38166MB BusType: 3
13:39:32.546    Disk 0 MBR read successfully
13:39:32.546    Disk 0 MBR scan
13:39:32.546    Disk 0 Windows XP default MBR code
13:39:34.546    Disk 0 scanning sectors +78140160
13:39:34.578    Disk 0 scanning C:\WINDOWS\system32\drivers
13:39:39.859    Service scanning
13:39:40.937    Disk 0 trace - called modules:
13:39:40.953    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:39:40.953    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82382ab8]
13:39:40.953    3 CLASSPNP.SYS[f857605b] -> nt!IofCallDriver -> \Device\0000005b[0x8238cf18]
13:39:40.953    5 ACPI.sys[f84ec620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82385940]
13:39:40.968    Scan finished successfully
13:39:50.765    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ruthie\Desktop\MBR.dat"
13:39:50.765    The log file has been saved successfully to "C:\Documents and Settings\Ruthie\Desktop\aswMBR-2.txt"

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #10 on: June 05, 2011, 05:46:48 PM »
MBR clean  ;D

No, the reboot will be done with OTS.

Offline Infected

Update # 5
« Reply #11 on: June 05, 2011, 06:01:09 PM »
7. OTS scan, see attached.

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #12 on: June 05, 2011, 06:10:44 PM »
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:
[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Cmaudio" -> [RunDll32 cmicnfg.cpl,CMICtrlWnd]
YN -> "KernelFaultCheck" -> [%systemroot%\system32\dumprep 0 -k]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\AIM\aim.exe" -> [C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger]
YN -> "C:\Program Files\Common Files\AOL\1156969393\ee\aim6.exe" -> [C:\Program Files\Common Files\AOL\1156969393\ee\aim6.exe:*:Enabled:AIM]
YN -> "C:\Program Files\Common Files\AOL\1156969393\ee\aolsoftware.exe" -> [C:\Program Files\Common Files\AOL\1156969393\ee\aolsoftware.exe:*:Disabled:AOL Services]
YN -> "C:\Program Files\Common Files\AOL\Loader\aolload.exe" -> [C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader]
YN -> "C:\Program Files\Gaim\gaim.exe" -> [C:\Program Files\Gaim\gaim.exe:*:Enabled:gaim]
YN -> "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -> [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger]
YN -> "C:\Program Files\Yahoo!\Messenger\YPager.exe" -> [C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger]
YN -> "C:\Program Files\Yahoo!\Messenger\YServer.exe" -> [C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server]
YN -> "E:\PortableApps\Xming\Xming.exe" -> [E:\PortableApps\Xming\Xming.exe:*:Enabled:Xming X Server]
[Files/Folders - Created Within 30 Days]
NY ->  Windows XP Recovery -> C:\Documents and Settings\Ruthie\Start Menu\Programs\Windows XP Recovery
[Files/Folders - Modified Within 30 Days]
NY ->  ~15916836r -> C:\Documents and Settings\All Users\Application Data\~15916836r
NY ->  ~15916836 -> C:\Documents and Settings\All Users\Application Data\~15916836
NY ->  Windows XP Recovery.lnk -> C:\Documents and Settings\Ruthie\Desktop\Windows XP Recovery.lnk
NY ->  15916836 -> C:\Documents and Settings\All Users\Application Data\15916836
[Files - No Company Name]
NY ->  ~15916836r -> C:\Documents and Settings\All Users\Application Data\~15916836r
NY ->  ~15916836 -> C:\Documents and Settings\All Users\Application Data\~15916836
NY ->  Windows XP Recovery.lnk -> C:\Documents and Settings\Ruthie\Desktop\Windows XP Recovery.lnk
NY ->  15916836 -> C:\Documents and Settings\All Users\Application Data\15916836
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed, a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Offline Infected

Update #6 - finished?
« Reply #13 on: June 05, 2011, 06:31:14 PM »
8. OTS fix - ran, froze, icons have returned, no new txt was created.

Do you think it needs another scan?

Thanks for all your help!
~RUTH~

Offline essexboy

Re: Virus removed, appears blank, hard drive still full of data
« Reply #14 on: June 05, 2011, 06:32:38 PM »
Yep, if you could run a fresh scan after rebooting.

When you scan, please ensure All Users is ticked.

How is the computer behaving now?
