I suspect it's a virus

enrimaiden

Geek Trainee
I've decided to get help before driving myself completely mad...
It's been two days now of complete frustration since the problem started. At first I thought that my HD was dead, but after performing various surface tests I'm considering other options. Although some programs believe my disk actually has bad sectors, I've read on the internet that some viruses can write to the disk to emulate bad sectors on it.
Anyhow, the main issue that makes me think it's a virus playing with my disc is the fact that every antivirus scanner I've run hangs before completing the operation. (Windows won't boot, so I perform a DOS scan using McAfee from Hiren's Boot CD 9.4, which ends in an unexpected "Insufficient memory" warning; I've also tried Avira using UBCD4WIN, which hangs after a hundred warnings saying "couldn't write report file".) Stinger doesn't find anything and the Panda online scanner removed a large number of viruses. Avira found some viruses, but I'm sure that the worm manages to "kill" my antivirus scan every time I run it.
Another strange thing is that I can't move or delete certain files on the disk using Volkov Commander, but when I drop to NTFS for DOS Pro (or something similar) I gain partial access to them. For example: Volkov didn't allow me to delete the "Macromedia" folder inside Windows\System32, but I could erase it using the other tool...
My big, big problem is that I can't format the drive because I keep precious data on it and I don't own another HD large enough to even try copying the files to it.
Any suggestion is completely welcome.
 
get Avast and update it then scan, also use Ad-Aware & Spybot S & D

and after you update the definitions scan with both, all three programs should be run about once a week (depending on the computer use)

if you ever have any weird problems run all three programs

all software posted here is free, but Avast is only free for non-commercial use & you are required to re-register it every 14 months, IMO, Avast is the best antivirus software out there closely followed by AVG (also free) but that's a debatable point

BTW: what Firewall are you using ?
 
Thanks for the reply.
I forgot to mention that I've checked the system with Ad-Aware and Spybot and removed everything that both programs found. The first found some cookies and a dialer and the latter fixed two registry entries.
I've managed to make a new install of Windows and I'm going to run Avast as you recommend and report the results, though I don't know how many more times I'm going to be able to boot... (I did something similar when I got to perform a Panda online scan.)
Any other opinion is welcome.

P.S.: I was using (until this disaster) the Windows XP built-in firewall and NOD32 completely up to date (but I've had several problems already with this AV so I'm planning to change it)
Thank you
 
enrimaiden said:
Windows XP built-in firewall
Windoze XP's built-in firewall is crap & also stay away from NIS (Norton Internet Security) because

1) it is owned by Symantec, Symantec always re-engineer software they acquire from companies they buy, because they always think they know best

for example Partition Magic (PM) was good when PowerQuest owned it, but, Symantec took over PowerQuest in about 2003, they re-wrote PM and loads of people have lost data by using PM including me (before I came to HWF)

2) it is almost impossible to completely remove from your system once it's been on, the only way I know to completely remove it is a complete format

BTW: I've actually seen Symantec being referred to as evil on the net

Edit:
enrimaiden said:
perform a Panda online scan
running online scans on Windoze is not a good idea, I use Linux with a hardware firewall built into my ethernet router & an online scan would require me to tell them my password, which is probably why there are no online scans available for Linux systems (I presume)
 
Ok, I see you're very concerned about security and I thank you for the advice, but I'm not planning to learn how to use a new OS like Linux (though I know they say it's better than Windows in many aspects).
I have some good news: I've run an Avast scan and found some more viruses, they had spread like the plague all over my disk!! I set it to delete every single threat it found, but it couldn't do it with every file... some of them were corrupted or password protected. And because I'm not taking any chances, I took the job of manually deleting every path that the AV couldn't handle.
All except some DVD ISOs I wouldn't like to erase, at least until you give me some advice. Avast recognizes them as a "decompression bomb"; is it true? Or is it because of the ".vob" extension?? I'm confused at this point.
I've also found that the virus hides in the "System Volume Information" directory, which I believe was created by the virus itself in both the C and D partitions; I'm going to delete them from DOS.

Ok, I've made some progress and I think I'm going to recover most of my data. Here are the Avast warning logs (I couldn't generate a scanner report):

02/03/2008 22:25:55 Administrador 1336 Function setifaceUpdatePackages() has failed. Return code is 0x000004C7, dwRes is 000004C7.
02/03/2008 23:01:30 Administrador 1336 Sign of "Win32:Agent-ROB [Trj]" has been found in "C:\Archivos de programa\Ares\Ares.exe" file.
02/03/2008 23:23:37 Administrador 1336 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Archivos de programa\KONAMI\Pro Evolution Soccer 6\dat\0_text.afs" file.
02/03/2008 23:26:47 Administrador 1336 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Archivos de programa\KONAMI\Pro Evolution Soccer 6\dat\e_sound.afs" file.
02/03/2008 23:27:00 Administrador 1336 Sign of "Win32:Nimosw [Trj]" has been found in "C:\Archivos de programa\KONAMI\Pro Evolution Soccer 6\dat\s_sound.afs" file.
03/03/2008 0:39:59 Administrador 1336 Sign of "Win32:Agent-ROB [Trj]" has been found in "C:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000672.exe" file.
03/03/2008 3:05:19 Administrador 1336 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\My Shared Folder\NOD32.FiX.v2.2-nsane.exe" file.
03/03/2008 3:13:51 Administrador 1336 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\My Shared Folder\WinXP_Sp2_uE_v7_-_Bj_-_Spanish.iso\INSTALL\NOD32\NOD32F~1.EXE" file.
03/03/2008 3:18:22 Administrador 1336 Sign of "Win32:Rbot-ETN [Trj]" has been found in "D:\Software\Alcohol.120.v1.9.6.4719.Retail.Multilangages.Incl-Crack.rar\Alcohol120_retail_1.9.6.4719.exe" file.
03/03/2008 3:18:22 Administrador 1336 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\Software\Alcohol.120.v1.9.6.4719.Retail.Multilangages.Incl-Crack.rar\Crack\keymaker.exe\[PECompact]\[Embedded#BLACKHOLE2]" file.
03/03/2008 3:18:38 Administrador 1336 Sign of "Win32:Agent-ROB [Trj]" has been found in "D:\Software\aresregular201_installer.exe" file.
03/03/2008 3:19:23 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-000-Pack-31-12-2001\TNT-F-Prot.Antivirus.v3.11b_CRK.ZIP\patch.exe" file.
03/03/2008 3:19:24 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-3DVista.Studio.Pro.v1.8_CRK\patch.exe" file.
03/03/2008 3:19:24 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Banner.Maker.Pro.v.4.0.0.1_CRK\patch.exe" file.
03/03/2008 3:19:24 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-CheckSum.Guard.v3.0_CRK\patch.exe" file.
03/03/2008 3:19:24 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Easy.Resource.Planner.1.0.0.2_CRK\patch.exe" file.
03/03/2008 3:19:25 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Pc.Guardian.Encryption.Plus.Cd-Rom.v.4.0.Build.051_CRK\patch.exe" file.
03/03/2008 3:19:25 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Stealther.v2.7_CRK\patch.exe" file.
03/03/2008 3:19:25 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\000-All Serials\Super Cracks\TNT-Zero.Popup.1.35_CRK\patch.exe" file.
03/03/2008 3:19:26 Administrador 1336 Sign of "Win32:Trojan-gen {UPX}" has been found in "D:\Software\Cracks n Serials\All My Keys and Serials!!\Microsoft\Microsoft office\Microsoft Office 2000 Serial # & Expir. Utility\MsOfCrack.exe" file.
03/03/2008 3:29:08 Administrador 1336 Sign of "Win32:Spyware-gen [Trj]" has been found in "D:\System Volume Information\_restore{996AC251-E901-4FF9-8A0A-30E141C5DE7E}\RP3\A0000705.exe\%SYS%\amcis.dll" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Trojan-gen {Other}" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000673.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Agent-ROB [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000674.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000675.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000676.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000677.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000678.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000679.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000680.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Theef-H [Trj]" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000681.exe" file.
03/03/2008 3:29:10 Administrador 1336 Sign of "Win32:Trojan-gen {UPX}" has been found in "D:\System Volume Information\_restore{DDF1DFBA-8163-4098-BA7E-CF4EF0018BE5}\RP1\A0000682.exe" file.
 
I just cleaned a teenager's computer. I did it with AVG, Ad-Aware, and Spybot.

The computer had four or five different Trojan horses that infected 19 different files... which AVG could not heal and had to be deleted.

I found that you need to do more than one scan with each program.

Spyware Blaster is an excellent program that keeps a lot of junk off of your computer.
 
enrimaiden said:
AVAST recognizes them as "decompression bomb" is it true? or is it because of the ".vob" extension?
yeah, it's just the .vob files, Avast / AV just reports "decompression bomb" when it encounters a compressed file with a high compression ratio (about 45% - 50%) & .vob files apparently use too efficient compression ratios, if in doubt, put files in the virus vault as they can do no damage from there, that's why the virus vault is there

enrimaiden said:
I'm confused at this point
don't worry, I've just found out what decompression bombs are

enrimaiden said:
I've also found that the virus hides in the "System Volume Information" directory, which I believe was created by the virus itself in both the C and D partitions; I'm going to delete them from DOS.
no, don't delete them, just run scandisk (thorough) on both drives, & defrag just for the hell of it then scan again with Avast and just uninstall & reinstall all software reported in the results of Avast (probably not many or none)

enrimaiden said:
Ok, I've made some progress and i think i'm going to recover most of my data. Here is AVAST Warning logs (i couldn't generate Scanner report)

enrimaiden said:
<load of crap>

BTW: decompression bombs are DoS (denial of service) attacks and work by decompressing a file sized about 6k to over 100Gb (to eat your resources), although it is possible to compress an image containing just one colour repeated over and over, or a text file containing just one character, with a compression ratio of 1000 to 1

Source
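To make the "high compression ratio" heuristic discussed above concrete, here is an added Python example (not from this thread, Avast or any scanner) that reads each ZIP entry's declared compressed and uncompressed sizes from the central directory, computes the ratio, and refuses to inflate anything above a threshold or beyond a total byte budget. The thresholds and the zero-filled sample archive are constructed for illustration; Avast's real cut-off is not stated in the thread.

```python
"""Decompression-bomb guard: check each ZIP entry's declared compression ratio
before inflating it, then enforce a byte budget while streaming. Thresholds and
sample archives below are constructed for illustration, not a scanner's values."""
import io
import zipfile

MAX_RATIO = 100                      # refuse entries claiming more than 100:1
MAX_TOTAL_BYTES = 50 * 1024 * 1024   # never inflate more than 50 MiB per archive

def build_constructed_bomb(inflated_size=8 * 1024 * 1024):
    """Constructed sample: one entry of zero bytes; deflate shrinks it ~1000:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * inflated_size)
    return buf.getvalue()

def build_constructed_benign():
    """Constructed sample: short text that barely compresses (ratio about 1:1)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"ordinary text that does not compress much 1234567890")
    return buf.getvalue()

def inspect_ratios(zip_bytes):
    """{entry name: declared ratio} from the central directory; nothing is inflated,
    which is what makes this a cheap pre-check like the scanner's heuristic."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: i.file_size / max(i.compress_size, 1) for i in zf.infolist()}

def safe_extract(zip_bytes, max_ratio=MAX_RATIO, max_total=MAX_TOTAL_BYTES):
    """Inflate entries into {name: bytes}, raising ValueError on a bomb. Header ratio
    is checked first; real inflated bytes are also counted, since headers can lie."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > max_ratio:
                raise ValueError(f"{info.filename}: declared {ratio:.0f}:1 exceeds {max_ratio}:1")
            chunks = []
            with zf.open(info) as fh:
                while chunk := fh.read(64 * 1024):
                    total += len(chunk)
                    if total > max_total:
                        raise ValueError(f"{info.filename}: inflated data exceeds budget")
                    chunks.append(chunk)
            out[info.filename] = b"".join(chunks)
    return out

def verdict(zip_bytes, **limits):
    """'ok' or 'rejected', so a caller can quarantine and log instead of catching."""
    try:
        safe_extract(zip_bytes, **limits)
        return "ok"
    except ValueError:
        return "rejected"
```

A file flagged this way is a candidate for quarantine (the "virus vault" mentioned above), not proof of malice; a genuinely repetitive file trips the same heuristic.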
 
OK. That's useful information. Thank you.
I've made two more thorough scans with Avast, the last result being only two corrupted RAR files, which I deleted. I've formatted my three partitions but always kept one of them with my backup data, so I believe that if there's a virus it must be hiding in that backup folder.
Two strange behaviours after all this work:
1) Every time I boot my new Windows XP installation, chkdsk is run and always finds something to correct: file references, etc.
2) Although Avast performs a complete system scan, when I try a DOS McAfee or F-Prot scan they are either interrupted or hang at some point (this using Hiren's Boot CD 9.4 with updated virus defs).
These last two items are what worry me the most; what do you think about this?
Thanks again for your help.
 
enrimaiden said:
1) Every time I boot my new Windows XP installation, chkdsk is run and always finds something to correct: file references, etc.
not sure about this, but, you may be better running chkdsk from the recovery console, try
Code:
chkdsk /f
if chkdsk errors are not fixed, enter the recovery console & try it again

  • /f = thorough check & fix errors found
  • /r = find bad sectors & recover readable data
  • /x = Forces a volume to dismount to close open file handles on non-system volumes so it can be checked immediately and eliminates the need to reboot.
  • /p = does the same as /f but it doesn't fix anything (for diagnostic purposes only)
BTW: put a <space> between chkdsk options
enrimaiden said:
2) Although Avast performs a complete system scan, when I try a DOS McAfee or F-Prot scan they are either interrupted or hang at some point (this using Hiren's Boot CD 9.4 with updated virus defs).
These last two items are what worry me the most; what do you think about this?
only use 1 AV because using multiple AVs is causing the problems you are experiencing, use only 1 AV then it'll make diagnosing a LOT easier
enrimaiden said:
Thanks again for your help.
no probs

Edit: what firewall are you using ?
 
Hi,
First of all you may select "RUN" from the Start menu, type "MSCONFIG" and click "OK". Now select the "STARTUP" tab and remove all unwanted and suspicious applications from the start-up. Now restart your PC and log on in safe mode. After logon start the command prompt and Task Manager. In Task Manager end "EXPLORER.EXE". Now use the command prompt. Change your directory to your backup drive. Then type "ATTRIB -A -H -S *.* /S /D" and press Enter. Then type "DIR" and press Enter. Now you can see the contents of that drive in the command prompt. Just delete all unwanted and suspicious files using the "DEL" command in the command prompt. Now exit the command prompt and restart your PC. After logging on in "NORMAL MODE" you may run a thorough scan (complete PC) using your Avast anti-virus; hope it will bring an end to your problems....
 