Solved Virus locked hard disk

June 7, 2011 at 10:54:38
Specs: Windows XP, Intel(R) Core(TM) 2 CPU
Due to a virus I am unable to see any files on my hard disk either by Windows XP or DOS (accessed by pressing F8 on restart), though I know they are there. I have managed to get rid of the effects of the virus except that it is still blocking my hard disk. Is there any way of seeing these files and deleting those which were created on the day the virus struck?


#1
June 7, 2011 at 11:17:34
✔ Best Answer
Kevin_Straw,

Let's give this a try...

Please download RogueKiller
http://tigzy.geekstogo.com/Tools/Ro...
Save it to your Desktop.

Now, close all open programs.

For XP, simply double-click RogueKiller.exe

When prompted, type 1 and hit Enter.

An RKreport.txt should appear on your Desktop.

Note: If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to >winlogon.exe<

Please post the contents of the RKreport.txt in your reply.



#2
June 7, 2011 at 14:01:26
Nothing seems to have happened.

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator2 [Admin rights]
Mode: Scan -- Date : 06/07/2011 21:59:19

Bad processes: 0

Registry Entries: 5
[SUSP PATH] {BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job : c:\docume~1\admini~1\locals~1\temp\mxr.exe -> FOUND
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> FOUND
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> FOUND
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1 localhost



#3
June 7, 2011 at 14:39:37
Nothing happened yet; that was just a scan to find out info.


Now, please run RogueKiller once again, and use option 2 (To remove malicious entries)

Press: Enter, and post the new RKreport.txt that should appear on your Desktop.


Once again, run RogueKiller, this time use option 6 (For shortcuts and disappeared Desktop files/folders, startup menu/etc.)

Press: Enter, and post the new RKreport.txt that should appear on your Desktop.




#4
June 8, 2011 at 08:28:58
It seems to have worked! Option 2 reinstated the desktop graphic, and option 6 reinstated all the files. Thank you very much indeed.

It stalled a few times, but then I realised it was looking at drives with no disks in, and I skipped those points.

OPTION 2...

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator2 [Admin rights]
Mode: Remove -- Date : 06/08/2011 16:13:44

Bad processes: 0

Registry Entries: 5
[SUSP PATH] {BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job : c:\docume~1\admini~1\locals~1\temp\mxr.exe -> DELETED
[HJ] HKLM\[...]\Security Center : AntiVirusDisableNotify (1) -> REPLACED (0)
[HJ] HKLM\[...]\Security Center : FirewallDisableNotify (1) -> REPLACED (0)
[WallPP] HKCU\[...]\Desktop : Wallpaper () -> REPLACED (C:\Documents and Settings\Administrator2\Local Settings\Application Data\Microsoft\Wallpaper1.bmp)
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

HOSTS File:
127.0.0.1 localhost

OPTION 6

RogueKiller V5.2.2 [06/05/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Administrator2 [Admin rights]
Mode: Shortcuts HJfix -- Date : 06/08/2011 16:21:44

Bad processes: 0

File attributes restored:
Desktop: Success 3 / Fail 0
Quick launch: Success 5 / Fail 0
Programs: Success 21673 / Fail 0
Start menu: Success 207 / Fail 0
User folder: Success 4555 / Fail 0
My documents: Success 1400 / Fail 0
My favorites: Success 85 / Fail 0
My pictures: Success 0 / Fail 0
My music: Success 0 / Fail 0
My videos: Success 0 / Fail 0
Local drives: Success 34221 / Fail 0
Backup: [FOUND] Success 134 / Fail 3

Drives:
[C:] \Device\HarddiskVolume1 -- 0x3 --> Restored
[D:] \Device\HarddiskVolume2 -- 0x3 --> Restored
[E:] \Device\CdRom0 -- 0x5 --> Skipped
[F:] \Device\Harddisk2\DP(1)0-0+9 -- 0x2 --> Restored
[G:] \Device\Harddisk3\DP(1)0-0+a -- 0x2 --> Restored
[H:] \Device\Harddisk4\DP(1)0-0+b -- 0x2 --> Restored
[I:] \Device\Harddisk5\DP(1)0-0+c -- 0x2 --> Restored
[J:] \Device\Harddisk1\DP(1)0-0+8 -- 0x2 --> Restored

Finished : << \RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt



#5
June 8, 2011 at 10:28:41
Good job, Kevin_Straw!! ;-)

It would be a good idea to run Malwarebytes' Anti-Malware at this point. Just to make sure there are no stragglers left behind...

Please download Malwarebytes’ Anti-Malware (black button with green and white icon). Save to the Desktop:
http://download.cnet.com/Malwarebyt...

Double-click mbam-setup.exe and follow the prompts to install the program.
Run Malwarebytes’ Anti-Malware and update the program.
Once updated, select Perform Full Scan and click the scan button.

When the scan finishes, click OK in the message box, and you will see the results of the scan.

Click the Remove Selected button to get rid of the malware.

When Malwarebytes finishes, you may be prompted to reboot. If so, reboot.


Please post the Malwarebytes log in your reply so we can see where we are at, and plan any additional removal strategy, if necessary.



#6
June 9, 2011 at 11:27:08
There are still some problems, but I am reluctant to run Malware because I have had two occasions when I have been charged much more than the advertised price for security software. Is the price advertised what I will be charged?


#7
June 9, 2011 at 14:19:37
Malwarebytes' Anti-Malware should be free of charge!

Retired - Doin' Dis, Dat, and slapping malware.



#8
August 6, 2011 at 07:43:59
I am having the same problem and plan to follow your advice. Do hope it helps; gonna select one now.


#9
August 6, 2011 at 07:48:15
My problem is my external 500g drive has the problem. Is the process the same?


#10
August 6, 2011 at 07:54:32
RogueKiller V5.3.1 [08/06/2011] by Tigzy
contact at http://www.sur-la-toile.com
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.sur-la-toile.com/discuss...

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User: Dina [Admin rights]
Mode: Scan -- Date : 08/06/2011 09:51:06

Bad processes: 2
[SUSP PATH] DCService.exe -- c:\documents and settings\all users\application data\datacardservice\dcservice.exe -> KILLED [TermProc]
[SUSP PATH] rpchrome10browserrecordhelper.dll -- C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchrome10browserrecordhelper.dll -> UNLOADED

Registry Entries: 1
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

HOSTS File:
127.0.0.1 localhost


Finished : << RKreport[1].txt >>
RKreport[1].txt



#11
August 6, 2011 at 08:24:39
dinarich,

Please start your own topic.

Will be glad to help you when you do.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.

