Virus removed, appears blank, hard drive still full of data

Viruses and worms
1

Hi guys,

I am not expert but I think my computer is still ok just can’t figure out how to make it look ok. Virus was removed (sorry I deleted all files from chest thought it would fix the problem) When I boot up my desktop is black and my start all programs is blank. If I open my computer all my stuff is still there. I did all the scans and everything is ok. How do I restore my settings?

Blank,
~RUTH~

Windows XP
Threat:
Win32: Alureon-ADW [Tri]
Win32: Alureon-AEF [Tri]
Win32: Olmarik-F [Tri]

2

Please do not run any temporary file cleaners until I say it is OK

Download Unhide.exe to your desktop and run

THEN

Download RogueKiller to your desktop

[]Quit all running programs
[]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[]When prompted, type 1 and validate
[]The RKreport.txt shall be generated next to the executable.
[*]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

NEXT

Download aswMBR.exe ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the “Scan” button to start scan

http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply

http://public.avast.com/~gmerek/aswMBR2.png

FINALLY

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

3

Thanks for the quick reply essex boy!

Here is the update.

  1. Done - Unhide.exe - start menu has programs, desktop still black. Need a restart?
  2. RogueKiller
    RKreport.txt
RogueKiller V5.2.2 [06/05/2011] by Tigzy contact at http://www.sur-la-toile.com mail: tigzyRKgmailcom Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Ruthie [Admin rights]
Mode: Scan – Date : 06/05/2011 12:54:15

Bad processes: 0

Registry Entries: 10
[SUSP PATH] HKCU[…]\Run : OxDyPOOgxbNHvA (C:\Documents and Settings\All Users\Application Data\OxDyPOOgxbNHvA.exe) → FOUND
[SUSP PATH] HKUS\S-1-5-21-73586283-1343024091-725345543-1003[…]\Run : OxDyPOOgxbNHvA (C:\Documents and Settings\All Users\Application Data\OxDyPOOgxbNHvA.exe) → FOUND
HKLM[…]\Root : () → ACCESS DENIED
HKLM[…]\Root : () → ACCESS DENIED
[HJPOL] HKCU[…]\System : DisableTaskMgr (1) → FOUND
[HJPOL] HKLM[…]\System : DisableTaskMgr (1) → FOUND
[HJ] HKLM[…]\SystemRestore : DisableSR (1) → FOUND
[HJ] HKCU[…]\ActiveDesktop : NoChangingWallPaper (1) → FOUND
[WallPP] HKCU[…]\Desktop : Wallpaper () → FOUND
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → FOUND

HOSTS File:
127.0.0.1 localhost

Finished : << RKreport[1].txt >>
RKreport[1].txt

  1. aswMBR.exe
    Log aswMBR.txt
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software Run date: 2011-06-05 12:59:56 ----------------------------- 12:59:56.031 OS Version: Windows 5.1.2600 Service Pack 2 12:59:56.031 Number of processors: 1 586 0x204 12:59:56.031 ComputerName: RUTH UserName: 12:59:56.265 Initialize success 13:00:16.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 13:00:16.359 Disk 0 Vendor: WDC_WD400BB-00DEA0 05.03E05 Size: 38166MB BusType: 3 13:00:18.375 Disk 0 MBR read successfully 13:00:18.375 Disk 0 MBR scan 13:00:18.375 Disk 0 Windows XP default MBR code 13:00:20.390 Disk 0 scanning sectors +78140160 13:00:20.406 Disk 0 scanning C:\WINDOWS\system32\drivers 13:00:26.328 Service scanning 13:00:27.437 Disk 0 trace - called modules: 13:00:27.453 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 13:00:27.453 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82382ab8] 13:00:27.453 3 CLASSPNP.SYS[f857605b] -> nt!IofCallDriver -> \Device\0000005b[0x8238cf18] 13:00:27.468 5 ACPI.sys[f84ec620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82385940] 13:00:27.468 Scan finished successfully 13:00:53.187 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ruthie\Desktop\MBR.dat" 13:00:53.203 The log file has been saved successfully to "C:\Documents and Settings\Ruthie\Desktop\aswMBR.txt"
4. OTS See attached.
4

Ok prior to running the next two programmes - or when you can fit it in

Re-run RogueKiller and select option 2

5

RogueKiller #2 - Background has been restored, desktop icons are still missing.

RogueKiller V5.2.2 [06/05/2011] by Tigzy contact at http://www.sur-la-toile.com mail: tigzyRKgmailcom Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Ruthie [Admin rights]
Mode: Remove – Date : 06/05/2011 13:18:02

Bad processes: 0

Registry Entries: 7
[SUSP PATH] HKCU[…]\Run : OxDyPOOgxbNHvA (C:\Documents and Settings\All Users\Application Data\OxDyPOOgxbNHvA.exe) → DELETED
[HJPOL] HKCU[…]\System : DisableTaskMgr (1) → DELETED
[HJPOL] HKLM[…]\System : DisableTaskMgr (1) → DELETED
[HJ] HKLM[…]\SystemRestore : DisableSR (1) → REPLACED (0)
[HJ] HKCU[…]\ActiveDesktop : NoChangingWallPaper (1) → REPLACED (0)
[WallPP] HKCU[…]\Desktop : Wallpaper () → REPLACED (C:\Documents and Settings\Ruthie\Local Settings\Application Data\Microsoft\Wallpaper1.bmp)
[HJ] HKLM[…]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) → REPLACED (0)

HOSTS File:
127.0.0.1 localhost

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

6

Getting there ;D

Last run for RogueKiller - this time select option 6

Then we will remove the remaining nasties with aswMBR and OTS

7
  1. RogueKiller option 6
RogueKiller V5.2.2 [06/05/2011] by Tigzy contact at http://www.sur-la-toile.com mail: tigzyRKgmailcom Feedback: http://www.sur-la-toile.com/discussion-193725-1-BRogueKillerD-Remontees.html

Operating System: Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User: Ruthie [Admin rights]
Mode: Shortcuts HJfix – Date : 06/05/2011 13:33:28

Bad processes: 0

File attributes restored:
Desktop: Success 0 / Fail 0
Quick launch: Success 0 / Fail 0
Programs: Success 1 / Fail 0
Start menu: Success 0 / Fail 0
User folder: Success 20 / Fail 0
My documents: Success 4 / Fail 0
My favorites: Success 0 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 79 / Fail 0
Backup: [FOUND] Success 183 / Fail 12

Drives:
[A:] \Device\Floppy0 – 0x2 → Skipped
[C:] \Device\HarddiskVolume1 – 0x3 → Restored
[D:] \Device\HarddiskVolume2 – 0x3 → Restored
[E:] \Device\CdRom1 – 0x5 → Skipped
[F:] \Device\CdRom0 – 0x5 → Skipped

Finished : << RKreport[3].txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt

8

essexboy, aswMBR scan or fix?

9

Just scan please as I will need to see what is there. Your desktop, files etc… should be back now and the main start elements of the malware are dead. So now it is time to hunt for the remainder

10
  1. asqMBR scan - desktop icons still missing, reboot?
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software Run date: 2011-06-05 13:35:58 ----------------------------- 13:35:58.656 OS Version: Windows 5.1.2600 Service Pack 2 13:35:58.656 Number of processors: 1 586 0x204 13:35:58.656 ComputerName: RUTH UserName: 13:35:58.828 Initialize success 13:39:30.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 13:39:30.531 Disk 0 Vendor: WDC_WD400BB-00DEA0 05.03E05 Size: 38166MB BusType: 3 13:39:32.546 Disk 0 MBR read successfully 13:39:32.546 Disk 0 MBR scan 13:39:32.546 Disk 0 Windows XP default MBR code 13:39:34.546 Disk 0 scanning sectors +78140160 13:39:34.578 Disk 0 scanning C:\WINDOWS\system32\drivers 13:39:39.859 Service scanning 13:39:40.937 Disk 0 trace - called modules: 13:39:40.953 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 13:39:40.953 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82382ab8] 13:39:40.953 3 CLASSPNP.SYS[f857605b] -> nt!IofCallDriver -> \Device\0000005b[0x8238cf18] 13:39:40.953 5 ACPI.sys[f84ec620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82385940] 13:39:40.968 Scan finished successfully 13:39:50.765 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ruthie\Desktop\MBR.dat" 13:39:50.765 The log file has been saved successfully to "C:\Documents and Settings\Ruthie\Desktop\aswMBR-2.txt"
11

MBR clean ;D

No the reboot will be done with OTS

12
  1. OTS scan, see attached.
13

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Cmaudio" -> [RunDll32 cmicnfg.cpl,CMICtrlWnd]
YN -> "KernelFaultCheck" -> [%systemroot%\system32\dumprep 0 -k]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\AIM\aim.exe" -> [C:\Program Files\AIM\aim.exe:*:Enabled:AOL Instant Messenger]
YN -> "C:\Program Files\Common Files\AOL\1156969393\ee\aim6.exe" -> [C:\Program Files\Common Files\AOL\1156969393\ee\aim6.exe:*:Enabled:AIM]
YN -> "C:\Program Files\Common Files\AOL\1156969393\ee\aolsoftware.exe" -> [C:\Program Files\Common Files\AOL\1156969393\ee\aolsoftware.exe:*:Disabled:AOL Services]
YN -> "C:\Program Files\Common Files\AOL\Loader\aolload.exe" -> [C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Disabled:AOL Loader]
YN -> "C:\Program Files\Gaim\gaim.exe" -> [C:\Program Files\Gaim\gaim.exe:*:Enabled:gaim]
YN -> "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -> [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger]
YN -> "C:\Program Files\Yahoo!\Messenger\YPager.exe" -> [C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Enabled:Yahoo! Messenger]
YN -> "C:\Program Files\Yahoo!\Messenger\YServer.exe" -> [C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server]
YN -> "E:\PortableApps\Xming\Xming.exe" -> [E:\PortableApps\Xming\Xming.exe:*:Enabled:Xming X Server]
[Files/Folders - Created Within 30 Days]
NY ->  Windows XP Recovery -> C:\Documents and Settings\Ruthie\Start Menu\Programs\Windows XP Recovery
[Files/Folders - Modified Within 30 Days]
NY ->  ~15916836r -> C:\Documents and Settings\All Users\Application Data\~15916836r
NY ->  ~15916836 -> C:\Documents and Settings\All Users\Application Data\~15916836
NY ->  Windows XP Recovery.lnk -> C:\Documents and Settings\Ruthie\Desktop\Windows XP Recovery.lnk
NY ->  15916836 -> C:\Documents and Settings\All Users\Application Data\15916836
[Files - No Company Name]
NY ->  ~15916836r -> C:\Documents and Settings\All Users\Application Data\~15916836r
NY ->  ~15916836 -> C:\Documents and Settings\All Users\Application Data\~15916836
NY ->  Windows XP Recovery.lnk -> C:\Documents and Settings\Ruthie\Desktop\Windows XP Recovery.lnk
NY ->  15916836 -> C:\Documents and Settings\All Users\Application Data\15916836
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

14
  1. OTS fix - ran, froze, icons have returned, no new txt was created.

Do you think it needs another scan?

Thanks for all your help!
~RUTH~

15

Yep if you could run a fresh scan after rebooting

When you scan please ensure all users is ticked

How is the computer behaving now ?

16

Computer is behaving accordingly. Any thoughts how it got infected or how to prevent future infections?

  1. OTS scan, see attached.
17

Could you retry the OTS fix from the previous post please after running MBAM. Then run the computer for a while and when you are happy I will remove my tools and give some help on that aspect

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

18

I’ve basically got the same issue. Here’s what I have done thus far. When this machine was brought to me there was no security software installed other than what was provided by Windows. The OS is Windows XP Ultimate. Booting into the primary user account resulted in numerous popups and one windows which states that problems have been detected and suggests that I scan using the tools in that window.

The laptop was basically unresponsive at that point. I downloaded MBAM, Avast Free the Comodo Firewall. I then performed the following…

  1. Booted into Safe Mode.
  2. Installed MBAM and ran a full scan. Over 300 infections were detected.
  3. Removed infected items with MBAM and rebooted.
  4. Booted into Safe Mode with Networking.
  5. Updated MBAM and ran a second full scan. Over 60 infected items were detected.
  6. Removed infected items with MBAM and rebooted.
  7. Booted into Safe Mode with Networking.
  8. Ran a full scan for the third time. No infected items detected.
  9. Installed Avast Free, Comodo Firewall, scheduled a boot scan with Avast and rebooted.
  10. Currently completing the boot scan.

I would welcome any assistance. If my issue is better served by opening a new thread, please say so.

19

Boot scan has now completed. 14 infections were detected and removed.

20

: ebozzz could you start your own topic please