Rescue Disc

Hi
I really need help. My Avast subscription had expired and even though I renewed I didn’t update. Now I have a virus that tells me I have a critical hard drive error and wants me to buy something. I googled it and according to many, many posts it’s a virus. I can’t access anything to update my system. I got a rescue disc but can’t get the computer to boot from it. I can’t open my Task Manager as it says that it has been disabled by the administrator.

Could someone take pity and offer help? I have windows XP on this computer.
As with all issues computer related, I am beside myself, not wanting to lose what’s on my hard drive.

Thanks!

Hi, no need for a rescue disc, but do not use any temporary file cleaners.

Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 2 and validate
[*]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

[*]Close ALL OTHER PROGRAMS.
[*]Double-click on OTS.exe to start the program.
[*]Check the box that says Scan All Users
[*]Check the box that says 64 bit
[*]Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in


%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

FINALLY

Download aswMBR.exe (1.8 MB) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start the scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR2-1.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

Why can’t you boot from the rescue CD? What is the error?
What is the virus name, and a good Google link (among the ones where you’ve found info)?
Can you post the latest 400-500 lines of C:\ProgramData\AVAST Software\Avast\log\setup.log ?

Sounds like the hard drive recovery malware, Tech. This hides all files and folders, disables Task Manager, and inserts itself in the exe classid of the registry.

Once stopped, it is fairly easy to clean. It probably has a TDL-type rootkit with it, which will enable it to disable avast from the MBR/kernel level.

I can’t do anything from the problem computer. I am using my laptop now. When I put the disc in and start the computer it starts as it always has but goes right to a screen that says “PC Performance & stability analysis report, 5 errors detected”. When I hit fix the problem, it comes back that it fails to fix: read time of hard drive cluster less than 500 ms, 38% of HDD space unreadable, bad sectors, boot sector.
Then I get a new window with this: “detected a problem whit on or more installed IDE/SATA hard disc”
Then it tells me I need to buy a Windows XP Recovery system.

These are some of the google links
http://www.softsailor.com/how-to/81855-how-to-uninstall-remove-windows-xp-recovery-virus-removal-guide.html
http://www.precisesecurity.com/rogue/windows-xp-recovery/

Essexboy,
If I can’t access the internet, how do I proceed? Am I to follow those same instructions?

Do you have a USB that you could copy the programmes to - or are you unable to get into any part of windows ?

When you insert the disc have you changed the boot sequence to cdrom as first

I tried to change the setting to boot from CD-ROM, and it won’t let me.

I went to the link to download and it’s in french, I clicked what I thought was the link and it started to check out my laptop… how can I download it to a thumb drive?

Press this button and download the file then copy to a USB drive, insert that in the poorly computer and run the programme from the USB ( I would recommend that you rename it to winlogon.exe first)

I am watching this one to learn - I hope :slight_smile:
I do not understand the inability to boot from a ‘live’ CD due to an infection of the ‘C’ drive.
The ‘C’ drive is not accessed, so how can it stop the boot order unless it has changed the setup (BIOS)?

I must admit that it is confusing as the boot order is derived from the BIOS

I tried to change the setting to boot from CD-ROM, and it won’t let me

I don’t buy this either. You should be able to boot from a CD/DVD without even entering the BIOS.

As you boot, pay attention to the CMOS flash messages that appear. One of them should indicate which keyboard key to press to select a device to boot from. On Gigabyte motherboards, it is F12. Once the boot device selection screen is displayed, scroll down to the selection for CD/DVD using the down arrow or Tab key on the keyboard, insert the bootable CD/DVD into the drive, and then press the Enter key.

Once the PC starts booting from the CD/DVD drive, you might see a message that ends in “…CD/DVD:” Just press the space bar. Keep paying attention to the screen since you might receive additional messages where you might be required to enter “Y” for yes to continue the CD/DVD boot process.

Not unless you have your CD/DVD set as the first boot drive, then whatever order you want, HDD0 or HDD1, etc. Otherwise it will try to boot from the HDD in the order listed in the BIOS.

I have always set my BIOS to boot from the CD/DVD drive first, that way if you need it you don’t have to enter the BIOS, just input the boot CD/DVD and reboot.

Not correct. Most but not all PCs will allow you to override the default BIOS boot order by the method I described.

ok…I can’t get RogueKiller to run…
These are the reports that I was able to copy and paste for the other two.

http://www.mediafire.com/?gz87em66to5pddf

http://www.mediafire.com/file/z41q7b479zllrbw/aswMBR%20log%20report%2006.22.2011.docx

Fun part is that I can log in to AOL and send and receive email on that computer, thus the copy and paste. It won’t let me access the internet though.

I haven’t come across this (other than some note/netbooks) on any desktops yet, hence my comment. I have an MSI motherboard now (2.5 years old), last system was Gigabyte, but that would be much older.

thought I posted this…lost in space?
RogueKiller report

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Dawn [Admin rights]
Mode: Scan – Date : 06/22/2011 20:04:08

Bad processes: 3
[SUSP PATH] wanmpsvc.exe – c:\windows\wanmpsvc.exe → KILLED
[SUSP PATH] NHWLAtOuAjw.exe – c:\documents and settings\all users\application data\nhwlatouajw.exe → KILLED
[ROGUE ST] 14147364.exe – c:\documents and settings\all users\application data\14147364.exe → KILLED

Registry Entries: 9
[SUSP PATH] HKCU[…]\Run : NHWLAtOuAjw (C:\Documents and Settings\All Users\Application Data\NHWLAtOuAjw.exe) → FOUND
[SUSP PATH] HKUS\S-1-5-21-2934302069-2821556552-4076869261-1009[…]\Run : NHWLAtOuAjw (C:\Documents and Settings\All Users\Application Data\NHWLAtOuAjw.exe) → FOUND
[PROXY IE] HKCU[…]\Internet Settings : ProxyServer (:0) → FOUND
[HJPOL] HKCU[…]\System : DisableTaskMgr (1) → FOUND
[HJPOL] HKLM[…]\System : DisableTaskMgr (1) → FOUND
[HJPOL] HKCU[…]\Explorer : NoDesktop (1) → FOUND
[HJ] HKCU[…]\ActiveDesktop : NoChangingWallPaper (1) → FOUND
[WallPP] HKCU[…]\Desktop : Wallpaper () → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

HOSTS File:
127.0.0.1 localhost

Finished : << RKreport[1].txt >>
RKreport[1].txt
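To show how the [TAG] lines in a report like the one above map back to the symptoms described earlier in the thread (Task Manager “disabled by the administrator”, no web access), here is an added example that is not from the thread, RogueKiller or Avast: it parses a constructed RKreport excerpt and groups the findings. The SYMPTOM table is my own reading of the flagged value names, not tool output, and the input format is assumed from the report posted above.

```python
import re
# Constructed excerpt in the RKreport layout RogueKiller printed in this thread.
# The tool writes ASCII "--" and "->"; the forum rendered them as dashes and arrows, so both are accepted.
SAMPLE_REPORT = """\
Bad processes: 2
[SUSP PATH] wanmpsvc.exe -- c:\\windows\\wanmpsvc.exe -> KILLED
[ROGUE ST] 14147364.exe -- c:\\documents and settings\\all users\\application data\\14147364.exe -> KILLED

Registry Entries: 4
[SUSP PATH] HKCU[...]\\Run : NHWLAtOuAjw (C:\\Documents and Settings\\All Users\\Application Data\\NHWLAtOuAjw.exe) -> FOUND
[PROXY IE] HKCU[...]\\Internet Settings : ProxyServer (:0) -> FOUND
[HJPOL] HKCU[...]\\System : DisableTaskMgr (1) -> FOUND
[HJPOL] HKCU[...]\\Explorer : NoDesktop (1) -> FOUND
"""

LINE = re.compile(r"^\[(?P<tag>[A-Z ]+)\]\s+(?P<body>.*?)\s*(?:->|\u2192)\s*(?P<status>\w+)\s*$")
REG = re.compile(r"^(?P<key>.+?)\s*:\s*(?P<name>\S+)\s*\((?P<value>.*)\)$")
PROC = re.compile(r"^(?P<name>\S+)\s*(?:--|\u2013)\s*(?P<path>.+)$")

# Assumed mapping (mine, not RogueKiller's) from flagged value names to what the user sees on screen.
SYMPTOM = {
    "DisableTaskMgr": "Task Manager says it has been disabled by the administrator",
    "NoDesktop": "desktop icons are hidden",
    "ProxyServer": "Internet Explorer is forced through a proxy, so browsing fails",
}

def parse_rkreport(text):
    """Turn each [TAG] line into a dict: processes carry a path, registry items key/name/value."""
    items = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:  # headers, HOSTS lines and blanks are not findings
            continue
        base = {"tag": m["tag"], "status": m["status"]}
        if r := REG.match(m["body"]):
            items.append({**base, "kind": "registry", "key": r["key"], "name": r["name"], "value": r["value"]})
        elif p := PROC.match(m["body"]):
            items.append({**base, "kind": "process", "name": p["name"], "path": p["path"]})
    return items

def summarize(items):
    """Group findings: processes killed, Run-key persistence, and policy/proxy tampering with its symptom."""
    out = {"killed": [], "persistence": [], "tampering": []}
    for it in items:
        if it["kind"] == "process" and it["status"] == "KILLED":
            out["killed"].append(it["path"])
        elif it["kind"] == "registry" and it["key"].endswith("\\Run"):
            out["persistence"].append(it["value"])  # autostart path to submit to the virus lab
        elif it["kind"] == "registry" and it["name"] in SYMPTOM:
            out["tampering"].append((it["key"], it["name"], it["value"], SYMPTOM[it["name"]]))
    return out
```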

Those files that were killed by RogueKiller (Bad processes: 3), I would suggest manually adding them to the avast chest (see below) and send them to the avast virus labs for analysis as potential malware.

  • Send the sample/s to avast as Undetected Malware:
    Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update. Note: manually adding to the chest doesn’t remove them from the original location, so they still have to be dealt with in that location.
    Or
  • Send the sample to virus (at) avast (dot) com zipped and password protected with the password in email body, a link to this topic might help and false positive/undetected malware in the subject.

You have a TDL3 infection as well - the files will be stored in the RKQuarantine folder as well as the C:\_OTS\Moved files folder

Run roguekiller again selecting option 2

THEN

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Processes - Safe List]
YY -> 14147364.exe -> C:\Documents and Settings\All Users\Application Data\14147364.exe
YY -> nhwlatouajw.exe -> C:\Documents and Settings\All Users\Application Data\NHWLAtOuAjw.exe
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: SearchURL\\"provider" -> gogl
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2934302069-2821556552-4076869261-1009\] > -> 
YN -> HKEY_USERS\S-1-5-21-2934302069-2821556552-4076869261-1009\: SearchURL\\"provider" -> gogl
< FireFox Settings [Prefs.js] > -> C:\Documents and Settings\Dawn\Application Data\Mozilla\FireFox\Profiles\e9ijy1u0.default\prefs.js
YN -> extensions.enabledItems -> {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {299AF565-D2CB-4ED8-921F-59430FF2ED36} [HKLM] -> [Reg Error: Value error.]
YN -> {460CCA35-CD82-4696-BED8-DFB6A2552717} [HKLM] -> [Reg Error: Value error.]
YN -> {90C0B680-E001-460E-BDFA-2C2ECA7C77DC} [HKLM] -> [Reg Error: Value error.]
YN -> {A03B8D6C-89AD-49E8-B004-542A3CC5F7D2} [HKLM] -> [Reg Error: Value error.]
YN -> {F1858500-31E9-3664-BFAA-106405DC18C1} [HKLM] -> [Reg Error: Value error.]
YN -> {F84949D8-8247-4E06-A8E8-ADFD51F09346} [HKLM] -> [Reg Error: Value error.]
YN -> {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{DE9C389F-3316-41A7-809B-AA305ED9D922}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{DE9C389F-3316-41A7-809B-AA305ED9D922}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2934302069-2821556552-4076869261-1009\] > -> HKEY_USERS\S-1-5-21-2934302069-2821556552-4076869261-1009\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{DE9C389F-3316-41A7-809B-AA305ED9D922}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_USERS\S-1-5-21-2934302069-2821556552-4076869261-1009\] > -> HKEY_USERS\S-1-5-21-2934302069-2821556552-4076869261-1009\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> "NHWLAtOuAjw" -> C:\Documents and Settings\All Users\Application Data\NHWLAtOuAjw.exe [C:\Documents and Settings\All Users\Application Data\NHWLAtOuAjw.exe]
[Files/Folders - Created Within 30 Days]
NY ->  Windows XP Recovery -> C:\Documents and Settings\Dawn\Start Menu\Programs\Windows XP Recovery
NY ->  14147364.exe -> C:\Documents and Settings\All Users\Application Data\14147364.exe
NY ->  NHWLAtOuAjw.exe -> C:\Documents and Settings\All Users\Application Data\NHWLAtOuAjw.exe
[Files/Folders - Modified Within 30 Days]
NY ->  ~14147364 -> C:\Documents and Settings\All Users\Application Data\~14147364
NY ->  Windows XP Recovery.lnk -> C:\Documents and Settings\Dawn\Desktop\Windows XP Recovery.lnk
NY ->  14147364.exe -> C:\Documents and Settings\All Users\Application Data\14147364.exe
NY ->  NHWLAtOuAjw.exe -> C:\Documents and Settings\All Users\Application Data\NHWLAtOuAjw.exe
[Files - No Company Name]
NY ->  ~14147364 -> C:\Documents and Settings\All Users\Application Data\~14147364
NY ->  ~14147364r -> C:\Documents and Settings\All Users\Application Data\~14147364r
NY ->  Windows XP Recovery.lnk -> C:\Documents and Settings\Dawn\Desktop\Windows XP Recovery.lnk
NY ->  14147364 -> C:\Documents and Settings\All Users\Application Data\14147364
NY ->  nefrltj.exe -> C:\WINDOWS\System32\nefrltj.exe
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

FINALLY

Please read carefully and follow these steps.

[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png

[*]If an infected file is detected, the default action will be Cure, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png

[*]If a suspicious file is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png

[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.

http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png

[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.