External HDD inaccessible + google redirect


11 replies to this topic

#1 IkanaCaptain
  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 10 May 2009 - 07:07 PM

Hi all, several problems experienced recently. Perhaps some are better suited to other forums, but here's a list anyway:

• Google redirect virus in effect, status bar shows many links going through "google-redirect.com"
• External HDD not working (works fine on other computers), displays the following message,

"E:\ is not accessible.
The maximum number of secrets that may be stored in a single volume has been exceeded"

• USB drives not recognised (again, fine on other computers)
• Several instances of iexplore.exe in task manager, when it isn't open, hogging CPU up to 100%
• Far more svchost.exe instances than is surely required here also
• Internet speed reduced since problems started, whole computer seems to be suffering too at times

So far, I have used the following:

• Avast
• Malwarebytes Anti-Malware
• Ad-Aware
• CCleaner
• IObit Advanced SystemCare

Running Firefox, Windows XP Service Pack 3.

Any help at all would be greatly appreciated.

Thanks.

Edited by IkanaCaptain, 10 May 2009 - 10:09 PM.



#2 RavenPhoenix
  • Members
  • 137 posts
  • OFFLINE
  • Gender:Male
  • Location:Everywhere, Nowhere
  • Local time:09:48 AM

Posted 10 May 2009 - 11:00 PM

Hello and welcome to BC.
I am pretty new to helping here at BC, but I assure you I am quite competent. If you would like to wait for a more experienced helper, please let me know and I will notify a mod to remove my posts so someone else can assist you. I know you may have done some of the following, but please follow these instructions as I have listed them out and hopefully we will get you taken care of. From the message your EHDD is giving you, it is probably being caused by the malware.


Malwarebytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Update Malwarebytes' Anti-Malware
    If you encounter any problems while downloading the updates, manually download them from here or here and just double-click on mbam-rules.exe to install.
  • Then click Finish.
  • On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
Also run

ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
    Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
and last but not least

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • If you cannot download from the link above, please download it here: Super AntiSpyware
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
    Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Now post your logs for MBAM and SAS.

Edited by RavenPhoenix, 10 May 2009 - 11:00 PM.

Forum Skulker. Preventing Comp Nukes everywhere. :-)

#3 IkanaCaptain
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 11 May 2009 - 09:38 PM

Hi, thanks for responding. Sorry for the delay also, but I've followed the above steps. MBAM log follows:

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

11/05/2009 21:13:49
mbam-log-2009-05-11 (21-13-49).txt

Scan type: Quick Scan
Objects scanned: 80884
Time elapsed: 5 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 16

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Alex\Application Data\pidle (Trojan.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556 (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\796525 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\LocalService\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\SystemProfile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-0243636035-3055115376-381863306-1556\Desktop.ini (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\pdtivk.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nepivoyi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winglsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

#4 IkanaCaptain
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 11 May 2009 - 09:40 PM

SAS log next:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/12/2009 at 01:18 AM

Application Version : 4.26.1002

Core Rules Database Version : 3886
Trace Rules Database Version: 1834

Scan type : Complete Scan
Total Scan Time : 03:36:42

Memory items scanned : 243
Memory threats detected : 0
Registry items scanned : 6892
Registry threats detected : 0
File items scanned : 96171
File threats detected : 9

Trojan.Smitfraud Variant-Gen/Bensorty
C:\WINDOWS\SYSTEM32\AFNOINKDSFE.DLL

Adware.Tracking Cookie
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.bridgetrack[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@ads.pointroll[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@doubleclick[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnaccountservices.112.2o7[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@msnportal.112.2o7[1].txt

Rootkit.MagicPniz
C:\WINDOWS\SYSTEM32\DRIVERS\F7EC5271.SYS

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\WIGIMOGO.DLL

#5 RavenPhoenix
  • Members
  • 137 posts
  • OFFLINE
  • Gender:Male
  • Location:Everywhere, Nowhere
  • Local time:09:48 AM

Posted 11 May 2009 - 10:07 PM

MBAM & SAS need to be updated; your DBs are out of date.

MBAM
Current DB Version: 2112

SAS
Current Core: 3887
Current Trace: 1835

Please update and rerun your scans as I listed above and repost your logs.

Edited by RavenPhoenix, 11 May 2009 - 10:11 PM.

Forum Skulker. Preventing Comp Nukes everywhere. :-)

#6 IkanaCaptain
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 11 May 2009 - 10:51 PM

Ah, didn't see that. Odd though, as I downloaded and ran the updates for both programs - neither will update using the built-in utility. MBAM seems to be at database version 2110, which both your download links show to be the most recent. I'll run the current version of SAS and get back to you. In the meantime:

Malwarebytes' Anti-Malware 1.36
Database version: 2110
Windows 5.1.2600 Service Pack 3

12/05/2009 04:38:51
mbam-log-2009-05-12 (04-38-51).txt

Scan type: Quick Scan
Objects scanned: 82938
Time elapsed: 8 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\pdtivk.exe.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
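The two MBAM logs posted in this thread (posts #3 and #6) share one text format: a "Database version" line, a block of declared per-section counts, then one section per category with entries of the form `item (Detection) -> Action.`. As an added example, not part of the thread or of Malwarebytes' own tooling, the Python below parses that format and pulls out the three things a helper reads these logs for: entries marked "Delete on reboot" (not yet removed when the log was written, which is why the helper above insists on a normal reboot), the detection families with the most hits, and items that were "Quarantined and deleted successfully" in one scan yet reappear in the next, which means something still running is re-creating its persistence. The two sample logs are constructed in that format from a handful of entries copied from the posted logs; `Finding`, `parse_mbam_log` and the other names are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    section: str    # e.g. "Files Infected"
    item: str       # file path, folder, or registry key/value
    detection: str  # MBAM detection name, e.g. "Worm.Autorun"
    action: str     # what MBAM did, e.g. "Delete on reboot"


_DBVER = re.compile(r"^Database version: (?P<ver>\d+)$")
_SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
_SECTION = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
_ENTRY = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Parse an MBAM 1.x text log into database version, declared counts and findings."""
    parsed = {"database_version": None, "summary": {}, "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _DBVER.match(line)):
            parsed["database_version"] = m.group("ver")
        elif (m := _SUMMARY.match(line)):
            parsed["summary"][m.group("section")] = int(m.group("count"))
        elif (m := _SECTION.match(line)):
            section = m.group("section")
        elif section and not line.startswith("(No malicious items"):
            if (m := _ENTRY.match(line)):
                parsed["findings"].append(
                    Finding(section, m.group("item"), m.group("detection"), m.group("action")))
    return parsed


def pending_reboot(parsed):
    """Findings MBAM could not remove while Windows was running (file locked or DLL loaded).
    They are only removed on the reboot the helper asks for; a log full of these is not 'clean'."""
    return [f for f in parsed["findings"] if f.action.lower().startswith("delete on reboot")]


def family_counts(parsed):
    """How many findings each detection family accounts for."""
    return Counter(f.detection for f in parsed["findings"])


def summary_mismatches(parsed):
    """Sections whose declared count differs from the entries actually listed (truncated paste?)."""
    listed = Counter(f.section for f in parsed["findings"])
    return {s: (n, listed[s]) for s, n in parsed["summary"].items() if n != listed[s]}


def recurring_items(first, second):
    """Items reported removed in the first scan that are reported again in the second."""
    done = {f.item for f in first["findings"] if f.action.startswith("Quarantined")}
    return sorted({f.item for f in second["findings"] if f.item in done})


# Constructed sample: the format of the first posted log, trimmed to a few of its entries.
FIRST_SCAN = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2060

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Alex\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Virus.Virut) -> Quarantined and deleted successfully.
"""

# Constructed sample: the format of the second posted log, trimmed to a few of its entries.
SECOND_SCAN = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2110

Registry Keys Infected: 1
Registry Values Infected: 1
Files Infected: 1

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\pdtivk.exe.dat (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    first, second = parse_mbam_log(FIRST_SCAN), parse_mbam_log(SECOND_SCAN)
    print("pending reboot:", [f.item for f in pending_reboot(first)])
    print("families:", family_counts(first).most_common(3))
    print("recurring:", recurring_items(first, second))
```

Run it on a real log by reading the file into `parse_mbam_log`; `summary_mismatches` is worth checking first, since a pasted log that lost lines will under-count the sections you are about to reason over.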

#7 RavenPhoenix
  • Members
  • 137 posts
  • OFFLINE
  • Gender:Male
  • Location:Everywhere, Nowhere
  • Local time:09:48 AM

Posted 12 May 2009 - 12:10 AM

Please run the ESET Online Scanner and post the log afterwards. I believe I know what we are dealing with; I just want to be sure.

Forum Skulker. Preventing Comp Nukes everywhere. :-)

#8 cosmo_wanda
  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:48 PM

Posted 12 May 2009 - 12:25 AM

You can try disconnecting your connection, then use GMER from gmer.net, Autoruns from Sysinternals, Trojan Remover and HijackThis :)

I had tried these tools and they helped to kill Conficker on my PC :thumbsup:

but could not clean it completely (only deleted main files and registry)..


Try first (I almost made my computer unbootable when I deleted my svchost.exe files :flowers:)

#9 RavenPhoenix
  • Members
  • 137 posts
  • OFFLINE
  • Gender:Male
  • Location:Everywhere, Nowhere
  • Local time:09:48 AM

Posted 12 May 2009 - 12:26 AM

Please disregard the advice of the member above; he may be unaware, but the advice he posted is against the rules. Please follow my advice and run the scanner.
EDIT: after consulting with a staff member, you have a W32/Virut infection; please see boopme's post below.

Edited by RavenPhoenix, 12 May 2009 - 12:46 PM.

Forum Skulker. Preventing Comp Nukes everywhere. :-)

#10 boopme
  • To Insanity and Beyond
  • Global Moderator
  • 72,759 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:12:48 PM

Posted 12 May 2009 - 10:55 AM

Hello, you still have an active Virut malware infection. I have to give you this advice here.
Your system is infected with a nasty variant of Virut, a polymorphic file infector with IRCBot functionality which infects .exe, .scr files, downloads more malicious files to your system, and opens a back door that compromises your computer. Virux is an even more complex file infector which also infects script files (.php, .asp, and .html). When Virut creates infected files, it also creates non-functional files that are corrupted beyond repair. In many cases the infected files cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files become corrupted and the system may become irreparable.

The virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files....some W32/Virut.h infections are corrupted beyond repair.

McAfee Risk Assessment and Overview of W32/Virut
This kind of infection is contracted and spread by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and are an increasing source of system infection. However, the CA Security Advisor Research Blog says they have found MySpace user pages carrying the malicious Virut URL. Either way you can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling the OS.

...warez and crack web pages are being used by cybercriminals as download sites for malware related to VIRUT and VIRUX. Searches for serial numbers, cracks, and even antivirus products like Trend Micro yield malcodes that come in the form of executables or self-extracting files...quick links in these sites also lead to malicious files. Ads and banners are also infection vectors...

Keygen and Crack Sites Distribute VIRUX and FakeAV

If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, including those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read: There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
If they still insist on trying to fix the infection, then let them go for it at their own risk:
------------------------------------------------------------------------------------------------------------------------------------------------

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

Bleeping Computer DOES NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to Anti-virus vendors that offer free LiveCD or Rescue CD files that are used to boot from for repair of unbootable and damaged systems, rescue data, scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image file format. Avira uses an EXE that has built-in CD burning capability.
Avira AntiVir Rescue System - Avira's download page.
If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Tools Support Forum.
Dr Web LiveCD. Be sure to print out and follow the instructions provided in the User Manual.
F-Secure Rescue CD - Rescue CD 3.01 released.
Video: How to Remove Malware with F-Secure Rescue CD
If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum.
BitDefender LiveCD - Index of /rescue_cd
If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum.
Kaspersky RescueDisk - Index of /devbuilds/RescueDisk/
If you encounter problems running the RescueDisk, you can get further assistance at the Kaspersky Support Forum.
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.



How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#11 IkanaCaptain
  • Topic Starter
  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:48 PM

Posted 12 May 2009 - 11:17 AM

Thanks for the heads-up, even if the verdict is less than great. I'd expected I may need to reinstall the OS eventually anyway. This is not a problem, though I would like to be able to extract some files from the computer before the clean sweep. Not being able to access the external drive doesn't help, however. Any suggestions? I have access to another PC, but I'd rather not network to that one and risk infecting it also. Burn it all to disc perhaps?

Hope you can help.

#12 RavenPhoenix
  • Members
  • 137 posts
  • OFFLINE
  • Gender:Male
  • Location:Everywhere, Nowhere
  • Local time:09:48 AM

Posted 12 May 2009 - 11:56 AM

You can try burning them to a disc; however, the files that you are referring to MAY be infected. I would suggest scanning each of them with an online V-scan like
http://www.virustotal.com
It's a pain to do each individually, I know, but it will probably save you the headache of reinfecting your system again.
Forum Skulker. Preventing Comp Nukes everywhere. :-)
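The two posts above together describe the data-rescue problem: boopme's post says Virut infects .exe and .scr files and Virux also .php, .asp and .html, and RavenPhoenix suggests checking each file with VirusTotal before it is carried over to the rebuilt system. As an added example, written for this thread and not taken from it or from either poster, the Python below walks the folder to be rescued, computes a SHA-256 per file so each can be looked up by hash rather than uploaded, and marks as "skip" anything of the file types boopme names, plus any file that starts with the Windows executable `MZ` header whatever its extension (a check this example adds; a renamed executable is still an executable). `make_sample_tree` builds a constructed stand-in for the user's documents folder so the script runs offline; all function names are the example's own.

```python
import hashlib
import tempfile
from pathlib import Path

# File types boopme's post names as Virut/Virux infection targets: executables and
# scripts. Nothing of these types should be carried over; reinstall them from clean media.
INFECTABLE = {".exe", ".scr", ".php", ".asp", ".html"}


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large archives or videos need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def looks_like_pe(path):
    """A Windows executable starts with the 'MZ' DOS header whatever its extension says."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def classify(path):
    """'skip' for anything a file infector can carry, 'copy' for plain data."""
    if path.suffix.lower() in INFECTABLE or looks_like_pe(path):
        return "skip"
    return "copy"


def build_manifest(root):
    """Walk the files to be rescued; record relative path, SHA-256 and verdict for each."""
    root = Path(root)
    rows = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rows.append({"path": p.relative_to(root).as_posix(),
                         "sha256": sha256_of(p),
                         "verdict": classify(p)})
    return rows


def manifest_text(rows):
    """Tab-separated lines: verdict, SHA-256, path. The hash column is what you look up."""
    return "\n".join(f"{r['verdict']}\t{r['sha256']}\t{r['path']}" for r in rows)


def make_sample_tree():
    """Constructed stand-in for the user's documents folder (hypothetical contents)."""
    root = Path(tempfile.mkdtemp(prefix="rescue_"))
    (root / "docs").mkdir()
    (root / "docs" / "notes.txt").write_bytes(b"hello")
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 fake jpeg payload")
    (root / "setup.exe").write_bytes(b"MZ fake PE header")
    (root / "page.html").write_bytes(b"<html></html>")
    (root / "renamed.dat").write_bytes(b"MZ executable hiding behind a data extension")
    return root


if __name__ == "__main__":
    print(manifest_text(build_manifest(make_sample_tree())))
```

Point `build_manifest` at the real folder from the clean machine once the files are copied to read-only media; the "copy" rows still get a hash lookup, since a data file is not proof of a clean file, and the "skip" rows are simply not restored.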



