
Possible Hd And Boot Files Going To Be Corrupted


5 replies to this topic

#1 casanova218

casanova218

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 26 September 2008 - 03:46 AM

Hi there,
just recently I have downloaded a program (unfortunately I have forgotten this) off an unknown site. Just after this my computer began to run extremely slow and both my browsers (Firefox and IE) were not working; also my computer would not shut down: it would get to the point where it says Windows is shutting down (on the blue screen) and just freeze, and I would have to hold down the power button to switch off. At the time I was using Norton as my AV and it did jack-all. I then removed Norton and replaced it with AVG 8.0. Unfortunately AVG would not update (I'm guessing a virus was blocking it from updating?) so I had to do a directory update, which was successful. Then after installing Spybot Search & Destroy both Spybot and AVG managed to remove a whole lot of trojans and malware. Now my computer will successfully shut down and both my browsers began to work (although not 100%). After many repeated scans every day AVG and Spybot pick up trojans (which never seem to go away); "Virtuemonde" and "Win32.BHO.df" always show up and will not successfully be removed (and yes I have tried to scan and remove with internet disabled). Also if I go to My Computer and double click C: drive (local disk) it says:
---------------------------
resycled\boot.com
---------------------------
Windows cannot find 'resycled\boot.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
--------------------------
OK
--------------------------
So I can not access my C: via double click; however, if I right click and click explore all is good.

From the previous night I seem to recall that AVG removed this (resycled\boot.com). After talking to my friend he said that AVG removed it because the boot files may have become corrupt. He also said that my HD will die and my boot files will become fully corrupt over time and I would need a new HD and new OS.

Finally there are two trojans (upon connection to the internet) that AVG picks up every time I turn on my computer. After clicking remove threats it says "cannot remove threats".

As obvious as it would be, I don't want this to happen. Can someone please help me remove the threats and also give me a solution to the C: boot problem if there is one. I would much appreciate it if someone could help me.
Cheers

Edited by KoanYorel, 26 September 2008 - 05:34 AM.
Moved from XP Home forum to AII



#2 iisjman07

iisjman07

  • Members
  • 94 posts
  • OFFLINE
  • Local time:03:55 AM

Posted 26 September 2008 - 06:10 AM

Download MalwareBytes from here: http://www.malwarebytes.org/mbam.php . If for some reason you can't access this site, you can download it and its updates on a clean computer and transfer them over on a CD or memory stick. Run a full scan but make sure you update first. This is the free version by the way and you won't have to pay to remove anything.

Edited by iisjman07, 26 September 2008 - 06:11 AM.


#3 casanova218

casanova218
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 27 September 2008 - 02:43 AM

Download MalwareBytes from here: http://www.malwarebytes.org/mbam.php . If for some reason you can't access this site, you can download it and its updates on a clean computer and transfer them over on a CD or memory stick. Run a full scan but make sure you update first. This is the free version by the way and you won't have to pay to remove anything.

OK, I downloaded it and it removed a great deal. But I still have the problem with my C: drive.
Can anyone help me with my boot files problem?
Cheers

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:55 AM

Posted 27 September 2008 - 10:41 AM

Would you please post the MBAM scan log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.

#5 casanova218

casanova218
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:55 PM

Posted 29 September 2008 - 05:44 AM

Would you please post the MBAM scan log.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply and exit MBAM.


Here is the log:

Malwarebytes' Anti-Malware 1.28
Database version: 1211
Windows 5.1.2600 Service Pack 2

27/09/2008 5:53:56 PM
mbam-log-2008-09-27 (17-53-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 161043
Time elapsed: 1 hour(s), 28 minute(s), 54 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 20

Memory Processes Infected:
C:\WINDOWS\system32\rs32net.exe (Trojan.Dropper) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\kzlthj.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9fe5de3c-40ae-459f-b90d-cc7bbb832963} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9fe5de3c-40ae-459f-b90d-cc7bbb832963} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winwly32 (Dialer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rs32net (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\kzlthj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rs32net.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\mark\Local Settings\Temporary Internet Files\Content.IE5\5VUSBN6H\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mark\Local Settings\Temporary Internet Files\Content.IE5\S59GHSDT\nd82m0[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mark\Local Settings\Temporary Internet Files\Content.IE5\BQPT9NFM\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mark\Local Settings\Temporary Internet Files\Content.IE5\IYU52RP4\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP185\A0050352.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP186\A0053354.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP189\A0059941.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP190\A0060006.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tabggu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\epasmymr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kkzupu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gughtamc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wetvfgik.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winwly32.dll (Dialer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\BM57d13ff0.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM57d13ff0.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mark\Desktop\Lsass.txt (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

I had a reply from another person who had the same or a near experience to mine. They suggested I try Combo Fix and that worked like a charm. So at the moment my computer is pretty much clean, the C: drive is working like it should and no longer shows the resycled\boot.com error message, but just now I have discovered the same boot file problem with my F: drive (Removable Disk); when I double click the F: drive to access my storage device it comes up with the same boot message:
---------------------------
resycled\boot.com
---------------------------
Windows cannot find 'resycled\boot.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
--------------------------
OK
--------------------------

Hope you or someone can help.
Cheers

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:55 AM

Posted 30 September 2008 - 08:59 PM

Hello, OK, well I'm glad it worked. We at BC do not recommend using ComboFix without supervision. It is not a toy... but it did work, so good. Please read the Blue Text at the top of this page.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it, since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click HERE if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message.
Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.
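The Autoruns steps above are a manual search for entries whose program file is gone. As an added example (not from the thread or from BleepingComputer, and written for a current Windows PowerShell rather than the XP machine in the thread), the script below does that search read-only over the Run keys, and goes one step past the post by also checking each drive root for an autorun.inf whose open= target is missing, since on XP Explorer runs that target on a drive double-click, which is how a drive, not just startup, produces the same "Windows cannot find" message.

```powershell
# Added example, not from the thread: list startup entries and drive-root autorun.inf
# targets that point at files which no longer exist. Read-only: it reports, deletes nothing.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
function Get-CommandTarget {
    # Extract the program path from a command line such as
    #   "C:\Program Files\Tool\tool.exe" /silent   or   rs32net.exe
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split ' ', 2)[0]      # unquoted: the path ends at the first space
}
function Test-TargetExists {
    param([string]$Target)
    if (Test-Path -LiteralPath $Target) { return $true }
    # A bare file name is looked up on the PATH, as Windows does at logon
    return [bool](Get-Command $Target -ErrorAction SilentlyContinue)
}
# 1. Run values whose program is gone: the orphaned entries boopme describes
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a startup value
        $target = Get-CommandTarget ([string]$p.Value)
        if (-not (Test-TargetExists $target)) {
            [PSCustomObject]@{ Where = $key; Name = $p.Name; Command = $p.Value; Missing = $target }
        }
    }
}
# 2. autorun.inf at each drive root: on XP, double-clicking the drive runs its open=
#    target, so a leftover autorun.inf pointing at a deleted program gives the same message.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { continue }
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\s*(open|shellexecute)\s*=\s*(.+?)\s*$') {
            $target = Join-Path $drive.Root (Get-CommandTarget $Matches[2])   # targets are drive-relative
            if (-not (Test-Path -LiteralPath $target)) {
                [PSCustomObject]@{ Where = $inf; Name = $Matches[1]; Command = $Matches[2]; Missing = $target }
            }
        }
    }
}
```

Each line of output names the key or file holding the stale entry and the path it points at, so the entry can be confirmed in Autoruns before anything is deleted.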



