TechSpot

[not curable - Ramnit] Help! Infected with Win32/Heur trojan/virus!

By Blaggins
Oct 12, 2010
  1. Hi Guys,

    Really hate just hitting up forums for help without having had any input, but i'm at the end of my tether!

    the night before last my Sony Vaio laptop (running Windows XP Media Center) became infected with what i believe is the Win32/Heur virus. In the interest of being succinct, timeline is as follows: -
    • unknown file auto-downloaded from forum in google chrome
    • AVG Free pops up informing of some threats in known programs - moved to vault
    • AVG pops up more and more, with new infected files being discovered at an exponential rate (quicker than i can move to vault!)
    • disabled wifi, switched off computer and restarted in safe mode. ran Spybot, Ad-Aware and AVG scans overnight
    • Ad-Aware & Spybot uncover very little, AVG uncovers some 5000 infected objects - all moved to vault.
    • found recommendations online for Malwarebytes - downloaded this and ran quick scan. discovered a few infected items, all removed.
    • discovered this forum and the "8 step guide". downloaded TFC and ran (after some errors with java, resolved by removing and resinstalling) - some 6GB of space freed up!
    • subsequent Malwarebytes scans continue to discover 3 infected items (2xReg, 1xFile) - Removes them, but discovers them again on next scan
    • downloaded GMER and DDS as per your quide.
    • could not get GMER to run. twice caused PC to freeze with black screen (safe mode), 3rd attempt (normal login) running several hours while i was at work and returned to VERY sluggish computer tonight (maxed out performance) but seemingly no activity - killed GMER.
    • Performed DDS scan.
    • wrote this post!

    Seem to be having trouble with a few programs since infection. ItunesHelper.exe fails on launch (don't know why i need this!), and java is having problems. my WinRar randomly disappeared as well.

    Really really appreciate any help you guys can give me. I've attached some of the logs I have generated. Attached is my original AVG report (Zipped due to file size) when scanned in Safe Mode, my first Malwarebytes log, as well as a recent one, and the 2 DDS logs . Please ask if you need any more info.

    many thanks,

    Phil
     

    Attached Files:

  2. Blaggins

    Blaggins TS Rookie Topic Starter

    Latest avg report also now attached.
     

    Attached Files:

  3. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Welcome aboard [​IMG]

    We don't use HJT around here anymore, so I removed 2 of your posts.

    Any particular reason, why you ram all scans in Safe Mode?
     
  4. Blaggins

    Blaggins TS Rookie Topic Starter

    erm... i thought it was the safest thing?! :eek:

    Do you want me to run some of them in normal mode?

    EDIT: Sorry, where are my manners?! Thanks for the welcome, and the reply! ;)
     
  5. Blaggins

    Blaggins TS Rookie Topic Starter

    Okay, I've just run DDS in normal mode, logs attached!
     

    Attached Files:

  6. Blaggins

    Blaggins TS Rookie Topic Starter

    tried GMER again in normal mode, and it wouldn't even start the scan this time, just froze. Left it while i've been at work all day and had made no progress when i returned, so killed it.

    Anyone got any advice for what i can try?
     
  7. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Please rerun MBAM in normal mode.
     
  8. Blaggins

    Blaggins TS Rookie Topic Starter

    okay, i've run MBAM in normal mode now, and have attached the log. After running this and rebooting, STOPzilla (which i have subsequently downloaded) discovered another 12 infections. Seem to have a few different variants now, as well as the Heur :(

    Once again, any help greatly appreciated!

    Also, the viruses seem to have infected a lot of my programs now - i get Windows Installer pop up whenever i try and do pretty much anything! trying to install office, because of a missing component. When AVG was going crazy, it was quarantining seemingly every exe or dll file on my computer! I have since thought perhaps it was picking them up when an MBAM scan was running, and so have restored all the files from the AVG virus vault. Not sure if this was the right thing to do or not, but none of my scans are picking them all up now?
     

    Attached Files:

  9. Blaggins

    Blaggins TS Rookie Topic Starter

    :(
    Have just seen there's a couple of other similar threads to mine that have got some bad news (not curable). as per Broni's instructions in those logs, i've downloaded combofix and MBRcheck, but am waiting for a STOPzilla scan to finish before i run them (likely tomorrow now). However, the STOPzilla scan has already found 18 x Trojanspy.Zbot.AOJW (all of these were in the 'c:\volume information\_restore...' folders) and 2 x Win32.Ramnit.Gen (these were found shortly after, in one of the windows subfolders i believe) , so it's not looking good.
    Also, previous scans made reference to windows\desktoplayer, so it's looking highly likely that i'm going to have to reformat.

    Along those lines, a few things...
    1. fearing the worst, i have archived off my photos, mp3s, videos and documents into .rar files on an external HDD. Is this safe to do so, or is there a safer way to recover these files? I can't face losing it all - especially our photos :(
    But equally, i don't want to reformat and rebuild my laptop, just to copy these files across along with a virus!

    2. I'm pretty sure i didn't get an OS disc with my latop (sony vaio vgn-fe28b). It was purchased new, from an online store, but i remember thinking at the time it was odd, but stupidly never chased the retailer up on it. How can i reinstall my os without a disc?!

    Sorry for being such a noob. keeping everything crossed that it is salvageable, or that i can at least save my files...

    thanks again. will post the combofix and mbrcheck logs when i can run them.
     
  10. Blaggins

    Blaggins TS Rookie Topic Starter

    okay, the STOPzilla scan has finished, and removed the infected items (alledgedly, though i'm sure they'll return). Don't know if it means anything, but all were found in the following location: -
    c:\system volume information\_restore{c935eb81-2ffe-4df6-8ba5-7a2255300913}\rp0\

    will run the other checks now.
     
  11. Blaggins

    Blaggins TS Rookie Topic Starter

    MBRCheck results: -


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0080003c

    Kernel Drivers (total 142):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xBA0A8000 szkg.sys
    0xBA0B8000 szkgfs.sys
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0D8000 isapnp.sys
    0xBA0E8000 ohci1394.sys
    0xBA0F8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xB9F4A000 pcmcia.sys
    0xBA108000 MountMgr.sys
    0xB9F2B000 ftdisk.sys
    0xBA4C4000 ACPIEC.sys
    0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xBA330000 PartMgr.sys
    0xBA118000 VolSnap.sys
    0xB9F13000 atapi.sys
    0xB9EEA000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xBA128000 disk.sys
    0xBA138000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9ECA000 fltmgr.sys
    0xB9EB8000 sr.sys
    0xBA338000 PxHelp20.sys
    0xBA4C8000 SiWinAcc.sys
    0xB9EA1000 KSecDD.sys
    0xB9E14000 Ntfs.sys
    0xB9DE7000 NDIS.sys
    0xBA5AC000 SiRemFil.sys
    0xB9DCD000 Mup.sys
    0xBA340000 BTHidMgr.sys
    0xBA0C8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xBA594000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB9312000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB92FE000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB92D6000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB9179000 \SystemRoot\system32\DRIVERS\w39n51.sys
    0xBA3E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB9155000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB971C000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xB908B000 \SystemRoot\system32\drivers\ti21sony.sys
    0xBA3F0000 \SystemRoot\System32\Drivers\SonyNC.sys
    0xB970C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA3F8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB9071000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xB96FC000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xB96EC000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xB96DC000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xB904E000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB96CC000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xB96BC000 \SystemRoot\System32\Drivers\tosrfcom.sys
    0xB96AC000 \SystemRoot\System32\Drivers\VcommMgr.sys
    0xB9DA1000 \SystemRoot\system32\DRIVERS\vbtenum.sys
    0xBA408000 \SystemRoot\system32\DRIVERS\blueletaudio.sys
    0xB902A000 \SystemRoot\system32\DRIVERS\portcls.sys
    0xB969C000 \SystemRoot\system32\DRIVERS\drmk.sys
    0xBA787000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA5D0000 \SystemRoot\System32\Drivers\RootMdm.sys
    0xBA410000 \SystemRoot\System32\Drivers\Modem.SYS
    0xB968C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9D9D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB9013000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA158000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA168000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA418000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB9002000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA178000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA420000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA428000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA430000 \SystemRoot\system32\DRIVERS\VComm.sys
    0xB9D8D000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xB8FAA000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA5D4000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8F4C000 \SystemRoot\system32\DRIVERS\update.sys
    0xB9A0D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\tosporte.sys
    0xBA1A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xB6DAE000 \SystemRoot\system32\drivers\sthda.sys
    0xB6D7C000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
    0xB6C88000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xB6BD7000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xBA1C8000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5DE000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xBA5FE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA757000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA600000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA460000 \SystemRoot\System32\drivers\vga.sys
    0xBA602000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA604000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA468000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA470000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA588000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB6BA4000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB6B4B000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB6B25000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB6AEB000 \SystemRoot\System32\Drivers\avgtdix.sys
    0xBA1F8000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBA208000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xB6A23000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB6A01000 \SystemRoot\System32\drivers\afd.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xB8FEE000 \??\C:\WINDOWS\system32\drivers\VCdRom.sys
    0xB69D6000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xBA228000 \SystemRoot\System32\Drivers\PrivateDiskM.sys
    0xB6966000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA238000 \SystemRoot\System32\Drivers\Fips.SYS
    0xBA78D000 \SystemRoot\system32\DRIVERS\DMICall.sys
    0xBA478000 \SystemRoot\System32\Drivers\avgmfx86.sys
    0xB6932000 \SystemRoot\System32\Drivers\avgldx86.sys
    0xBA268000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xB691A000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA606000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB8EE3000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA480000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA6E3000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xBA490000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0xB5EB9000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
    0xB5E01000 \SystemRoot\system32\DRIVERS\s24trans.sys
    0xB5DFD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB52C4000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB50A3000 \SystemRoot\System32\Drivers\HTTP.sys
    0xB4FAC000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB51E0000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xB4E54000 \??\C:\WINDOWS\system32\Drivers\SBKUPNT.SYS
    0xB4EBC000 \SystemRoot\system32\DRIVERS\secdrv.sys
    0xB4A97000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB53F9000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB3EAE000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 57):
    0 System Idle Process
    4 System
    652 C:\WINDOWS\system32\smss.exe
    720 csrss.exe
    744 C:\WINDOWS\system32\winlogon.exe
    788 C:\WINDOWS\system32\services.exe
    800 C:\WINDOWS\system32\lsass.exe
    952 C:\WINDOWS\system32\svchost.exe
    1024 C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    1108 svchost.exe
    1148 C:\WINDOWS\system32\svchost.exe
    1224 svchost.exe
    1248 C:\Program Files\AVG\AVG9\avgchsvx.exe
    1256 C:\Program Files\AVG\AVG9\avgrsx.exe
    1364 svchost.exe
    1380 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    1856 C:\WINDOWS\system32\spoolsv.exe
    1932 svchost.exe
    1964 C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    2000 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    2012 C:\Program Files\AVG\AVG9\avgwdsvc.exe
    144 C:\Program Files\Bonjour\mDNSResponder.exe
    192 C:\WINDOWS\ehome\ehrecvr.exe
    228 C:\WINDOWS\ehome\ehSched.exe
    348 C:\WINDOWS\system32\svchost.exe
    524 C:\Program Files\Java\jre6\bin\jqs.exe
    592 C:\Program Files\AVG\AVG9\avgnsx.exe
    704 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    1168 C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    2092 C:\WINDOWS\system32\nvsvc32.exe
    2200 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    2320 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    2584 svchost.exe
    2628 C:\WINDOWS\system32\svchost.exe
    2828 C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
    3392 mcrdsvc.exe
    3536 C:\WINDOWS\system32\wuauclt.exe
    536 C:\WINDOWS\system32\dllhost.exe
    2820 alg.exe
    3188 C:\WINDOWS\explorer.exe
    2612 C:\WINDOWS\ehome\ehtray.exe
    2624 C:\WINDOWS\system32\ico.exe
    2664 C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
    3128 C:\Program Files\iTunes\iTunesHelper.exe
    3240 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    2276 C:\WINDOWS\system32\ctfmon.exe
    360 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3928 C:\PROGRA~1\Sony\SONICS~1\SSAAD.exe
    4024 C:\WINDOWS\ehome\ehmsas.exe
    520 C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    2164 C:\WINDOWS\system32\wuauclt.exe
    3184 C:\Program Files\iPod\bin\iPodService.exe
    3952 C:\Documents and Settings\Philbo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    1724 C:\Documents and Settings\Philbo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    2136 C:\Program Files\AVG\AVG9\avgscanx.exe
    3168 C:\Program Files\AVG\AVG9\avgcsrvx.exe
    3220 C:\Documents and Settings\Philbo\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`bf1f2000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000018`3f3ee800 (NTFS)

    PhysicalDrive0 Model Number: WDCWD3200BEVT-00ZCT0, Rev: 11.01A11

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
     
  12. Blaggins

    Blaggins TS Rookie Topic Starter

    Combofix isn't working - launching the program caused an "Error - Win32 only" message box to pop up, saying "Incompatible OS. Combofix only works for workstations with Windows 2000 and XP".

    But I'm running XP (albeit the Media Centre Edition)?!

    will try running in safemode, but i suspect this is a side-effect of the virus.
     
  13. Blaggins

    Blaggins TS Rookie Topic Starter

    Combofix ran successfully in Safe Mode (had to download recovery console): -

    ComboFix 10-10-12.03 - Philbo 15/10/2010 2:39.1.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1749 [GMT 1:00]
    Running from: c:\documents and settings\Philbo\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Philbo\Application Data\Desktopicon
    c:\windows\system32\dmlconf.dat
    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
    .

    2010-10-15 01:12 . 2010-10-15 01:14 -------- d--h--w- c:\windows\$hf_mig$
    2010-10-15 01:12 . 2010-10-15 01:12 -------- d-----w- c:\windows\LastGood
    2010-10-13 19:55 . 2010-10-14 21:19 -------- d-----w- c:\program files\STOPzilla!
    2010-10-13 19:55 . 2010-10-15 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-10-13 19:55 . 2010-10-13 19:55 -------- d-----w- c:\program files\Common Files\iS3
    2010-10-12 22:12 . 2010-10-12 22:12 -------- d-----w- c:\program files\Trend Micro
    2010-10-12 18:33 . 2010-10-13 00:07 -------- d-----w- c:\program files\system
    2010-10-12 07:54 . 2010-10-12 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-10-11 22:31 . 2010-10-14 19:30 -------- d-----w- c:\windows\system32\wbem\Logs
    2010-10-11 22:02 . 2010-10-11 22:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
    2010-10-11 22:02 . 2010-10-11 22:02 0 ----a-w- c:\windows\system32\REN119.tmp
    2010-10-11 22:02 . 2010-10-11 22:02 0 ----a-w- c:\windows\system32\REN118.tmp
    2010-10-11 22:02 . 2010-10-11 22:02 0 ----a-w- c:\windows\system32\REN117.tmp
    2010-10-11 21:59 . 2010-10-11 22:02 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    2010-10-11 21:59 . 2010-10-11 22:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-10-11 20:04 . 2010-10-11 20:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-10-11 20:02 . 2010-10-11 20:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-10-11 19:56 . 2010-10-11 19:56 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
    2010-10-11 19:50 . 2010-10-11 19:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-10-11 19:20 . 2010-10-11 19:20 -------- d-----w- c:\documents and settings\Philbo\Application Data\Malwarebytes
    2010-10-11 19:19 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-11 19:19 . 2010-10-11 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-10-11 19:19 . 2010-10-11 19:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-11 19:19 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-11 16:58 . 2010-10-11 16:58 546256 ----a-r- c:\windows\system32\SZComp5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 452048 ----a-r- c:\windows\system32\SZBase5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 22992 ----a-r- c:\windows\system32\SZIO5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 738768 ----a-r- c:\windows\system32\IS3Base5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 390608 ----a-r- c:\windows\system32\IS3UI5.dll
    2010-10-11 16:58 . 2010-10-11 16:58 230864 ----a-r- c:\windows\system32\IS3Win325.dll
    2010-10-11 00:36 . 2010-10-13 23:43 7680 -c--a-w- c:\windows\system32\dllcache\wmm2ext.dll
    2010-10-11 00:36 . 2010-10-13 23:43 7680 ----a-w- c:\program files\Movie Maker\WMM2EXT.dll
    2010-10-10 23:28 . 2010-10-13 00:07 -------- d-----w- c:\program files\tmp
    2010-10-09 19:07 . 2010-10-09 19:15 -------- d-----w- c:\program files\RapidShareManager
    2010-10-02 14:17 . 2010-10-02 14:17 -------- d-----w- c:\program files\iPod
    2010-10-02 14:14 . 2010-10-02 14:14 -------- d-----w- c:\program files\Bonjour
    2010-09-17 21:51 . 2010-10-11 06:18 -------- d-----w- c:\program files\QuickTime
    2010-09-17 21:43 . 2010-10-02 14:18 -------- d-----w- c:\program files\iTunes

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
    2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

    [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]
    "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "Google Update"="c:\documents and settings\Philbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-20 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]
    "PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
    "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-06 7557120]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2010-07-15 16:57 12536 ----a-w- c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
    2005-05-20 17:42 73728 ------w- c:\windows\system32\VESWinlogon.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [07/12/2009 17:59 61328]
    R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [12/05/2010 18:01 59280]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/06/2009 19:24 243024]
    S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [07/12/2009 17:59 61328]
    S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/06/2009 19:24 216400]
    S1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 15:07 45627]
    S1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [03/04/2008 00:17 8576]
    S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 17:57 308136]
    S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
    S2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [04/06/2008 00:46 14976]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [23/04/2009 00:23 8704]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [23/04/2009 00:23 3072]
    S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [16/03/2006 03:55 29184]
    S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
    S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [16/03/2006 03:55 808448]
    S3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [24/01/2010 17:55 722288]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MDMXSDK
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

    2010-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1371400613-2662471398-2956716847-1006Core.job
    - c:\documents and settings\Philbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-20 21:07]

    2010-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1371400613-2662471398-2956716847-1006UA.job
    - c:\documents and settings\Philbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-20 21:07]

    2010-10-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-11-09 15:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.one.com/en_GB/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a9c13202697c4cb39a63c757ecee4120
    IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a9c13202697c4cb39a63c757ecee4120
    IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
    Trusted Zone: sony-europe.com
    Trusted Zone: sonystyle-europe.com
    Trusted Zone: vaio-link.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Philbo\Application Data\Mozilla\Firefox\Profiles\w6lcjp8i.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.mr2oc.co.uk/forums/search/newposts.html
    FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
    FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
    FF - plugin: c:\documents and settings\Philbo\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\documents and settings\Philbo\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
    FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
    FF - plugin: c:\program files\RealPlayer\Netscape6\nppl3260.dll
    FF - plugin: c:\program files\RealPlayer\Netscape6\nprjplug.dll
    FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .
    - - - - ORPHANS REMOVED - - - -

    HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    AddRemove-Ad-Aware SE Personal - c:\progra~1\AD-AWA~1\UNWISE.EXE
    AddRemove-AFPL Ghostscript 8.53 - c:\program files\GhostScript\uninstgs.exe
    AddRemove-AFPL Ghostscript Fonts - c:\program files\GhostScript\uninstgs.exe
    AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003\HXFSETUP.EXE
    AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
    AddRemove-InstallShield_{06F80017-8F98-4C94-B868-52358569FC32} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3} - c:\progra~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{3633BA28-67CE-4AC8-A677-3406CA84C3D8} - c:\progra~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{668B1BD6-4593-4959-970E-249AFFE6F35C} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{9080C5D2-82FA-452A-87FA-CBB4B05D67A5} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
    AddRemove-InstallShield_{F743886D-AC2E-4FDB-A29C-E654C58C03DE} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
    AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
    AddRemove-WinRAR archiver - c:\program files\WinRAR\uninstall.exe


    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(604)
    c:\windows\system32\VESWinlogon.dll
    .
    Completion time: 2010-10-15 02:46:06
    ComboFix-quarantined-files.txt 2010-10-15 01:46

    Pre-Run: 29,463,744,512 bytes free
    Post-Run: 29,520,797,696 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - 94C0FBC12091A33EC7ECF42B1B6D821F
     
  14. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    I'm afraid I have very bad news.

    You're infected with Ramnit file infector virus.

    Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A which is dropped by a Ramnit infected executable file.

    -- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
    With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

    Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are infested with a smörgåsbord of malware and a major source of system infection.

    In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

    Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
    Backdoors and What They Mean to You

    This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.

    Important Note:: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
     
  15. Blaggins

    Blaggins TS Rookie Topic Starter

    curses, as i feared :(

    thanks very much for your time nad help though Broni, i really appreciate it.

    I'm very keen not to lose some of my content (as per the below excerpt from one of my above posts), do you have any advice in that regard?

    There might be some html files in the "My Documents" rar that i created - from a website i'd built. would i be better of deleting these from the archive? (i can recover the html files from their online host). Or could i possibly change them to .txt files? they were all written in notepad.

    Sorry if these questions are niaive, i've never had this happen before, so am not sure what i should do!

    Thanks again.
     
  16. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    I'm sorry for not having better news :(

    You can use any data, you backed up on two conditions:

    1. On a computer, you're planning to plug your external hard drive in, do this...

    Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

    *Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.
    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    Windows Vista and Windows 7 users
    Flash Disinfector is not compatible with the above Windows version.
    Please, use Panda USB Vaccine

    2. Scan your external drive with at least two tools, your updated AV program and one of online scanners, like Eset: http://www.eset.com/onlinescan


    Good luck :)
     
  17. Blaggins

    Blaggins TS Rookie Topic Starter

    that's great news, thanks!

    Do i run both steps 1&2 on my infected machine AND the "new machine" (which in reality will be the same machine, rebuilt), or do i only do them on the new machine?

    Luckily I upgraded my HDD this year by cloning the OEM HDD onto my new bigger one, so i shouldstill have the original HDD with OS and most of my uninfected files on there, so i'm thinking it should just be a case of formatting this one, swapping in the old one and then re-cloning it to my newly formatted drive? and therefore i should only lose things i've added in the last 6 months or so, many of which (including my honeymoon photos!) i can try to backup to my external drive and recover when i've rebuilt.
    Does that seem like a feasible option? Otherwise i'm not sure what i'll do - i don't believe I received an XP disc with the laptop :(

    thanks again, you've really been SO helpful!!
     
  18. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    You may have recovery partition?
    Cloning would work, if you're sure, that image is clean.
    If you're not sure, use it, install AV, scan the new installation. Scan online for a good measure.
    Install Flash Disinfector.
    Now, you're ready to hook up your external drive.
    Scan it as I described.
     
  19. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Oh....You're very welcome [​IMG]
     
  20. Blaggins

    Blaggins TS Rookie Topic Starter

    Well, the good news is I do still have the original hard drive, and the image seems clean.

    Weirdly, my "infected" drive is no longer finding any issues when i scan, but i'm sure the virus is still lurking there somewhere, so think i should format to be sure.

    I have been able to use my original hard drive to create a recovery disk. will using this on my "infected" drive remove the virus, or do i need to completely format the hard drive, removing the partitions, and then re-partition it and clone from my original?
    IF i need to format it, how do i go about doing that? do i need some sort of boot disc? I know i could connect the drive externally with my caddy, but wasn't sure i should do that in case it copies across the virus when i hook it up?!

    Sorry to keep asking questions! thanks!
     
  21. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Recovery disk will return your computer to its original state, so any infection will be gone.
     
  22. Blaggins

    Blaggins TS Rookie Topic Starter

    Sweet, thanks, i'll give it a try!
     
  23. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    Good luck :)
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.