Can't access C Drive

May 15, 2009 at 20:50:34
Specs: Windows XP
I foolishly opened a virus and now I have pop-ups and can't access the C Drive. I ran AVG (free version) and this is all that turned up.

[img=http://img41.imageshack.us/img41/9514/53748761.jpg]

Also, in my Windows temporary folder are 4 files called PartialTrustWpfCallingWcf_TemporaryKey. Don't know if that's important.

Thanks for any help.





#1
May 15, 2009 at 20:55:43
Hi,
Can you please post your AVZ log:

1) To create the logfile, download AVZ by clicking HERE(http://www.z-oleg.com/avz4.zip). Please save this file to your desktop or "My Documents" folder.

2) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

3) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista, launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.

Paste the script into the execution window by using the CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script; the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.



#2
May 15, 2009 at 21:04:04
Uh, how do I use that link?


#3
May 15, 2009 at 21:09:37
This is the message when I try to access the C Drive:

Windows cannot find 'RECYCLER/S-3-5-27-100032528-100020612-100013709-3551.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.




#4
May 15, 2009 at 21:11:41
copy and paste the link?


#5
May 15, 2009 at 21:13:27


#6
May 15, 2009 at 21:19:14
My computer times out before it's able to open the file.


#7
May 15, 2009 at 21:25:30
Try: http://malwarecrawler.com/a-v-z.exe


#8
May 15, 2009 at 21:38:21
http://rapidshare.com/files/2335060...

I realized that I can actually access the C Drive when I first log on until a process called "tempo-137515.tmp" starts running. Also, all the bookmarks I just made before I restarted are gone.



#9
May 15, 2009 at 22:10:25
Run this script in AVZ the same way you did before:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
 QuarantineFile('C:\autorun.inf','');
 QuarantineFile('spnm.sys','');
 QuarantineFile('\\?\globalroot\systemroot\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll','');
 DeleteFile('\\?\globalroot\systemroot\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll');
 DeleteFile('spnm.sys');
 DeleteFile('C:\autorun.inf');
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

Your computer will reboot, after which check and see if you can access the C drive; if you can, run a full scan with AVG.

Also, once you reboot, can you send me a copy of this file, C:\WINDOWS\system32\drivers\udffsrec.sys, to check? Upload it to rapidshare and private message me the link. Thanks


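
An added example (not code from the thread, from AVZ or from AVG): a small Python check for the autorun.inf mechanism behind the symptom in #3, where opening the drive tries to run a RECYCLER\...com file, which is why the script in #9 quarantines C:\autorun.inf. The two autorun.inf bodies are constructed samples (the first modelled on the path in the #3 error), and the function analyze_autorun and its heuristics are my own.

```python
import configparser
import re

# Constructed sample: the drive's "open"/"explore" actions are redirected into a
# RECYCLER\<SID-like name>.com file, modelled on the path in this thread's error.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\S-3-5-27-100032528-100020612-100013709-3551.com
shell\\open\\command=RECYCLER\\S-3-5-27-100032528-100020612-100013709-3551.com
shell\\explore\\command=RECYCLER\\S-3-5-27-100032528-100020612-100013709-3551.com
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign sample, as an install CD would ship it.
BENIGN_AUTORUN = """[AutoRun]
open=setup.exe
icon=setup.exe,0
label=Install CD
"""

# Keys through which autorun.inf can launch a program when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# Droppers often hide in RECYCLER / System Volume Information under a SID-like
# folder name and use a non-.exe extension such as .com so the name looks inert.
SUSPICIOUS_PATH_RE = re.compile(
    r"(recycler|system volume information)[\\/]s-\d+(-\d+)+", re.IGNORECASE)
SUSPICIOUS_EXT_RE = re.compile(r"\.(com|scr|pif|bat|cmd)$", re.IGNORECASE)

def analyze_autorun(text):
    """Return (key, target, reason) findings for the body of an autorun.inf."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case, e.g. shell\open\command
    parser.read_string(text)
    # Section names are case-sensitive in configparser; autorun.inf is not.
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    findings = []
    if section is None:
        return findings
    for key, value in parser.items(section):
        if key.lower() not in LAUNCH_KEYS and not COMMAND_KEY_RE.match(key):
            continue  # icon=, label= and friends cannot start a program
        target = value.strip().strip('"')
        reasons = []
        if SUSPICIOUS_PATH_RE.search(target):
            reasons.append("launch target sits in RECYCLER/SVI under a SID-like name")
        if SUSPICIOUS_EXT_RE.search(target):
            reasons.append("launch target has a non-.exe executable extension")
        if reasons:
            findings.append((key, target, "; ".join(reasons)))
    return findings
```

Run it over the contents of autorun.inf on each drive root (the file is normally hidden, as #31 notes) to spot the redirection before deleting the file.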

#10
May 15, 2009 at 22:24:44
http://rapidshare.com/files/2335141...

Thanks, I can get onto the C drive now and I'm not having pop-ups. I'm going to bed right now so I won't do a scan, but I'll do it in the morning.

So this is basically fixed now?



#11
May 15, 2009 at 22:31:45
There are a few more steps I will tell you after you post your scan results.


#12
May 16, 2009 at 10:02:30
Ugh, it took a real long time to load up Windows. I tried 4 times and ended up stuck on the loading screen. I gave up hope and left the room but when I came back 15 minutes later it was working.

Starting scan with AVG free now.



#13
May 16, 2009 at 10:05:42
And I can still access the C drive but the pop-ups have started again.

Also, yesterday my Recycle Bin emptied without me telling it to. (But that was before I ran that AVZ code.)



#14
May 16, 2009 at 11:44:29
All right, here's the result of the scan:

File; Infection; Result

"\\?\globalroot\systemroot\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll"; "Trojan horse Agent2.GUF"; "Infected"
"C:\Documents and Settings\Jake\Desktop\Firefox\firefox.exe (1984)"; "Trojan horse Agent2.GUF"; "Infected"
"C:\Documents and Settings\Jake\Desktop\Quarantine\2009-05-16\avz00001.dta"; "Virus found Worm/AutoRun"; "Moved to Virus Vault"
"C:\Documents and Settings\Jake\Desktop\Quarantine\2009-05-16\avz00002.dta"; "Trojan horse Agent2.GUF"; "Moved to Virus Vault"
"C:\WINDOWS\Temp\tempo-137515.tmp"; "Trojan horse FakeAlert.KH"; "Moved to Virus Vault"
"C:\WINDOWS\Temp\tempo-1432296.tmp"; "Trojan horse FakeAlert.KH"; "Moved to Virus Vault"



#15
May 16, 2009 at 11:49:32
Attach a Combofix log; please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause ANTIVIRUS/SPYWARE PROGRAMS until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post.



#16
May 16, 2009 at 11:53:04
Thanks for responding so quickly. First a couple of questions:

1. To make sure no other programs are running, can I just close all my windows and disable Steam and IPodService?

2. To shut down my antivirus, can I just right-click it and select "Exit" from the bottom toolbar?



#17
May 16, 2009 at 11:56:53
1) Yes
2) Just disable on-access/file scanning in AVG.


#18
May 16, 2009 at 12:38:40
Do you have any ideas on how to disable the scanner?

Windows Task Manager just ignores the command.
I can't find any options in the application itself.
AVG help doesn't have anything.
I even disabled AVG8_TRAY at start-up with Startup Inspector but there's still AVG tasks running. (Restarted the computer.)

I'll keep looking.



#19
May 16, 2009 at 12:43:01
That's fine, Combofix will disable the rest. If you are on Vista, run it as admin or run it from an administrative account.


#20
May 16, 2009 at 12:48:30
Never mind, I got it disabled.

But,
First ComboFix asked me whether I wanted to update it. I said "yes". Afterwards, it restarted and a program called pevFind.exe failed. After that, a message came up and told me that my copy of ComboFix may be tainted and for peace of mind I should get a fresh one. I stopped there.

Help?



#21
May 16, 2009 at 12:50:13
Make the AVZ log again, as in Response Number 1, and paste me the link.


#22
May 16, 2009 at 12:53:05
Also try to re-download Combofix; don't use Firefox to download.


#23
May 16, 2009 at 13:03:50
Sorry for being slow, system stalled restarting.

Assuming the new log rewrote the old one, this is the one you need:

http://rapidshare.com/files/2337662...



#24
May 16, 2009 at 13:06:39
I'm trying to download Internet Explorer 8 from the Microsoft Download Center but only 0 kb files get downloaded.


#25
May 16, 2009 at 13:10:33
All right, I've got ComboFix downloaded with Google Chrome.


#26
May 16, 2009 at 13:17:07
Try to run it.


#27
May 16, 2009 at 13:23:36
Got the same message.

pev.cfexe failed and then I was cautioned to cancel:

http://img43.imageshack.us/my.php?i...



#28
May 16, 2009 at 13:31:59
Send me these files to inspect:
c:\windows\system32\dll.dll
C:\WINDOWS\system32\MsSip1.dll
C:\WINDOWS\system32\MsSip2.dll
C:\WINDOWS\system32\MsSip3.dll
C:\WINDOWS\system32\stisvc.exe

Copy those files to desktop and private message me the download link.

Also, if you have another computer nearby, download Combofix on it and transfer it via USB drive.



#29
May 16, 2009 at 13:39:51
I don't have any of those files. (Nor a windows folder in lower case letters.)

I do have a "mssip32.dll" though.

I have another computer so I'll download Combofix onto a zip drive.



#30
May 16, 2009 at 13:42:21
I also have a "sti.dll" and a "sti_ci.dll".

BTW, thank you so much for the help you've given me so far.



#31
May 16, 2009 at 13:42:32
Directory names are case insensitive. Look again properly: go to Folder Options --> Show hidden files. All those files should be under C:\WINDOWS\system32\


#32
May 16, 2009 at 13:57:16
I "ctrl+F" searched system32 with "Search hidden files and folders" enabled and none of those files turned up. Plus, I already have hidden files visible. (There aren't any that I can see in system32.)

Where should I download Combofix from?



#33
May 16, 2009 at 13:59:16
From: http://download.bleepingcomputer.co...


#34
May 16, 2009 at 14:19:54
Same thing happened. Think I should just go ahead with it?


#35
May 16, 2009 at 14:25:58
Go ahead?


#36
May 16, 2009 at 14:28:01
Try to run Combofix in safe mode. Here is a tutorial:
http://www.bleepingcomputer.com/com...


#37
May 16, 2009 at 14:28:18
I still have the option to continue but I've been ending it. Should I say yes, continue?


#38
May 16, 2009 at 14:32:05
First try to run Combofix in safe mode and see if it gives you any problems. Post a screen shot of that continue window.


#39
May 16, 2009 at 14:39:12
I ran it in safe mode and I got the same error+caution+continue window.

The continue window looks just like the one in the tutorial you linked.



#40
May 16, 2009 at 14:40:44
The continue window is the "Combofix Disclaimer".


#41
May 16, 2009 at 14:43:46
OK continue.


#42
May 16, 2009 at 14:44:50
I'm in safe mode right now. Should I keep going or switch back to normal mode?


#43
May 16, 2009 at 14:50:40
Safe mode is ok.


#44
May 16, 2009 at 15:06:05
It says I don't have the "Microsoft Windows recovery console" installed and without it the program won't attempt to fix serious problems.

ComboFix also gives me the option to download it. For now I'm going to switch out of safe mode so I have internet and then download it.



#45
May 16, 2009 at 15:07:12
Yes. Make sure you install recovery console.


#46
May 16, 2009 at 15:11:00
Ack. I clicked no thinking it would exit but it kept going. Now it's saying it's detecting rootkit activity and needs to reboot the machine. It also gave me two files to copy onto paper.

The only option it gave me is OK. I assume that I should keep going and not turn off the machine.



#47
May 16, 2009 at 15:15:25
Whatever happens, do not hard reboot; let it finish what it's doing. What were the file names?


#48
May 16, 2009 at 15:28:10
C:\WINDOWS\system32\drivers\gxvxcoesowykmxobhcttypdrgrrshkdbqlrvi.sys

C:\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll



#49
May 16, 2009 at 15:28:58
Looks like it's done. Here's the log:

http://rapidshare.com/files/2338069...



#50
May 16, 2009 at 15:29:50
Still have the pop-up problem.

Think I should install the recovery console and try again?



#51
May 16, 2009 at 15:30:18
Is Combofix still running? What stage is it at?


#52
May 16, 2009 at 15:34:59
There's nothing related to ComboFix visible on my computer so I assume it's over.

I'm trying to install the recovery console right now but using the CD doesn't work since my copy of Windows is "newer" than the one on the CD. I'll keep looking.



#53
May 16, 2009 at 15:43:03
Did it reboot? Re-read Response Number 15. "... Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post."


#54
May 16, 2009 at 15:48:27
I posted the log in Response Number 49.


#55
May 16, 2009 at 16:02:03
Right now I'm trying to download the recovery console, but every image file I find seems to be missing the "winnt32.exe" I'm getting told to use.


#56
May 16, 2009 at 16:12:44
Leave the recovery console for now. It seems I overlooked your post about the log. Follow these steps:

Run this script in AVZ:


begin
CreateQurantineArchive('c:\quarantine.zip');
end.

A file called quarantine.zip should be created in C:\. Then please zip up C:\qoobox\quarantine and upload both it and C:\quarantine.zip to a filehost such as http://rapidshare.com/ Then, Private Message me the Download link to the uploaded file.

Lastly, uninstall Combofix by: pause AV > Start > Run > type Metroid.exe /u > OK. Or Start > Run > type Metroid /u > OK.

Also, scan with Malwarebytes' Anti-Malware and attach its log, but Please Don't fix anything yet, until the log is reviewed.



#57
May 16, 2009 at 16:25:54
http://rapidshare.com/files/2338199...
http://rapidshare.com/files/2338200...

I can't seem to uninstall Combofix. The Run program says it can't find Metroid.exe or Metroid, and if I add "C:\Documents and Settings\ yaddayaddayadda" to the beginning it says it can't find "C:\Documents".

Scanning with Anti-Malware now.



#58
May 16, 2009 at 16:31:01
You named Combofix Metroid.exe, correct? Try it from safe mode, since you ran Combofix from safe mode. Continue with the Malwarebytes scan and post the log once it finishes.


#59
May 16, 2009 at 16:51:20
Log file from malwarebytes:
http://rapidshare.com/files/2338283...

As for ComboFix, you're saying I should type "Metroid.exe /u" from the Run program in Safe mode?



#60
May 16, 2009 at 16:58:43
Yes, for 59: safe mode. Fix what Malwarebytes detected.

1) If you use Windows System restore, turn it off > reboot

2) Do a full scan with Kaspersky AVP tool. http://devbuilds.kaspersky-labs.com...
Once you download and start the tool, select all the objects to be scanned and hit Scan.

Post me the log/screen shot of what it detects (detected window) once it has finished, and fix what it recommends.

3) Then turn system restore back on, if you wish; this is to remove malware from the System Volume Information files. How to turn it off/on: http://support.kaspersky.com/faq/?q...

4) Uninstall AVP tool.



#61
May 16, 2009 at 17:04:19
Edit- Never mind. On it.


#62
May 17, 2009 at 15:41:35
I can't post the entire log since it was 100+ MB, but here's the important stuff. I deleted all the infected files. (It says 84% complete because I had to turn off the computer, but when I restarted and rescanned the entire hard drive it didn't pick up any viruses.)

84% - Scan
----------
Scanned: 1129384
Detected: 3
Untreated: 3
Start time: 5/16/2009 7:34:07 PM
Duration: 03:09:46
Finish time: 5/16/2009 11:15:44 PM


Detected
--------
Status Object
------ ------
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine.zip/Quarantine/C/WINDOWS/system32/gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.bak



#63
May 17, 2009 at 15:53:20
Right now my recycle bin is emptying without me telling it to, but other than that I'm not noticing any weird behavior.


#64
May 17, 2009 at 15:54:47
OK, it seems the virus is removed. Those are just Combofix quarantined files.


#65
May 17, 2009 at 15:56:26
All right, thanks a lot!!!


#66
May 17, 2009 at 16:22:56
The bolded file below does not appear to be in the Combofix quarantine folder, C:\Qoobox, and should be deleted manually.

detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine.zip/Quarantine/C/WINDOWS/system32/gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\Qoobox\Quarantine\C\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.dll.vir
detected: Trojan program Trojan.Win32.Tdss.acdc File: C:\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.bak



#67
May 17, 2009 at 16:57:00
C:\WINDOWS\system32\gxvxcrpycnrueynpkmlgijnlvtnicanlaijbm.bak <-- that file is a .bak/residual; it wasn't running on your system, and the AVP tool took care of it. You fixed all the stuff that the AVP tool detected, correct? Also try to uninstall Combofix.


