[not curable - Ramnit] Help! Infected with Win32/Heur trojan/virus!


Blaggins

Hi Guys,

Really hate just hitting up forums for help without having had any input, but I'm at the end of my tether!

The night before last, my Sony Vaio laptop (running Windows XP Media Center) became infected with what I believe is the Win32/Heur virus. In the interest of being succinct, the timeline is as follows:
  • Unknown file auto-downloaded from a forum in Google Chrome.
  • AVG Free pops up informing me of some threats in known programs; moved to vault.
  • AVG pops up more and more, with new infected files being discovered at an exponential rate (quicker than I can move them to the vault!).
  • Disabled wifi, switched off the computer and restarted in Safe Mode. Ran Spybot, Ad-Aware and AVG scans overnight.
  • Ad-Aware & Spybot uncover very little; AVG uncovers some 5000 infected objects, all moved to vault.
  • Found recommendations online for Malwarebytes; downloaded this and ran a quick scan. Discovered a few infected items, all removed.
  • Discovered this forum and the "8 step guide". Downloaded TFC and ran it (after some errors with Java, resolved by removing and reinstalling); some 6GB of space freed up!
  • Subsequent Malwarebytes scans continue to discover 3 infected items (2x Reg, 1x File). Removes them, but discovers them again on the next scan.
  • Downloaded GMER and DDS as per your guide.
  • Could not get GMER to run. Twice it caused the PC to freeze with a black screen (Safe Mode); the 3rd attempt (normal login) was running for several hours while I was at work, and I returned to a VERY sluggish computer tonight (maxed-out performance) but seemingly no activity. Killed GMER.
  • Performed DDS scan.
  • Wrote this post!

I seem to be having trouble with a few programs since the infection. iTunesHelper.exe fails on launch (don't know why I need this!), and Java is having problems. My WinRAR randomly disappeared as well.

Really, really appreciate any help you guys can give me. I've attached some of the logs I have generated: my original AVG report (zipped due to file size) from the scan in Safe Mode, my first Malwarebytes log as well as a recent one, and the 2 DDS logs. Please ask if you need any more info.

many thanks,

Phil
 

Attachments

  • avgrep1.zip (32.2 KB)
  • mbam-log-2010-10-11 (20-45-42).txt (1.9 KB)
  • mbam-log-2010-10-12 (19-12-49).txt (1.3 KB)
  • Attach.txt (24.6 KB)
  • DDS.txt (16.3 KB)
Welcome aboard


We don't use HJT around here anymore, so I removed 2 of your posts.

Any particular reason why you ran all scans in Safe Mode?
 
Erm... I thought it was the safest thing?! :eek:

Do you want me to run some of them in normal mode?

EDIT: Sorry, where are my manners?! Thanks for the welcome, and the reply! ;)
 
Okay, I've just run DDS in normal mode, logs attached!
 

Attachments

  • DDS (normal mode).txt (18.2 KB)
  • Attach (normal mode).txt (25.4 KB)
Tried GMER again in normal mode, and it wouldn't even start the scan this time, just froze. Left it while I've been at work all day and it had made no progress when I returned, so killed it.

Anyone got any advice for what I can try?
 
Okay, I've run MBAM in normal mode now, and have attached the log. After running this and rebooting, STOPzilla (which I have subsequently downloaded) discovered another 12 infections. I seem to have a few different variants now, as well as the Heur :(

Once again, any help greatly appreciated!

Also, the viruses seem to have infected a lot of my programs now: I get a Windows Installer pop-up whenever I try and do pretty much anything, trying to install Office because of a missing component. When AVG was going crazy, it was quarantining seemingly every exe or dll file on my computer! I have since thought perhaps it was picking them up when an MBAM scan was running, and so have restored all the files from the AVG virus vault. Not sure if this was the right thing to do or not, but none of my scans are picking them all up now?
 

Attachments

  • mbam-log-2010-10-14 (20-28-20).txt (1.3 KB)
:(
Have just seen there are a couple of other threads similar to mine that have got some bad news (not curable). As per Broni's instructions in those logs, I've downloaded ComboFix and MBRCheck, but am waiting for a STOPzilla scan to finish before I run them (likely tomorrow now). However, the STOPzilla scan has already found 18 x Trojanspy.Zbot.AOJW (all of these were in the 'c:\volume information\_restore...' folders) and 2 x Win32.Ramnit.Gen (these were found shortly after, in one of the Windows subfolders I believe), so it's not looking good.
Also, previous scans made reference to windows\desktoplayer, so it's looking highly likely that I'm going to have to reformat.

Along those lines, a few things...
1. Fearing the worst, I have archived off my photos, MP3s, videos and documents into .rar files on an external HDD. Is this safe to do, or is there a safer way to recover these files? I can't face losing it all, especially our photos :(
But equally, I don't want to reformat and rebuild my laptop, just to copy these files across along with a virus!

2. I'm pretty sure I didn't get an OS disc with my laptop (Sony Vaio VGN-FE28B). It was purchased new, from an online store, and I remember thinking at the time it was odd, but stupidly never chased the retailer up on it. How can I reinstall my OS without a disc?!

Sorry for being such a noob. Keeping everything crossed that it is salvageable, or that I can at least save my files...

Thanks again. Will post the ComboFix and MBRCheck logs when I can run them.
 
Okay, the STOPzilla scan has finished, and removed the infected items (allegedly, though I'm sure they'll return). Don't know if it means anything, but all were found in the following location:
c:\system volume information\_restore{c935eb81-2ffe-4df6-8ba5-7a2255300913}\rp0\

Will run the other checks now.
 
MBRCheck results:


MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0080003c

Kernel Drivers (total 142):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xBA0A8000 szkg.sys
0xBA0B8000 szkgfs.sys
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0D8000 isapnp.sys
0xBA0E8000 ohci1394.sys
0xBA0F8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA4BC000 compbatt.sys
0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xB9F4A000 pcmcia.sys
0xBA108000 MountMgr.sys
0xB9F2B000 ftdisk.sys
0xBA4C4000 ACPIEC.sys
0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA330000 PartMgr.sys
0xBA118000 VolSnap.sys
0xB9F13000 atapi.sys
0xB9EEA000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xBA128000 disk.sys
0xBA138000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9ECA000 fltmgr.sys
0xB9EB8000 sr.sys
0xBA338000 PxHelp20.sys
0xBA4C8000 SiWinAcc.sys
0xB9EA1000 KSecDD.sys
0xB9E14000 Ntfs.sys
0xB9DE7000 NDIS.sys
0xBA5AC000 SiRemFil.sys
0xB9DCD000 Mup.sys
0xBA340000 BTHidMgr.sys
0xBA0C8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xBA594000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB9312000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB92FE000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB92D6000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB9179000 \SystemRoot\system32\DRIVERS\w39n51.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9155000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3E8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB971C000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB908B000 \SystemRoot\system32\drivers\ti21sony.sys
0xBA3F0000 \SystemRoot\System32\Drivers\SonyNC.sys
0xB970C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB9071000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
0xBA400000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB96FC000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB96EC000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB96DC000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB904E000 \SystemRoot\system32\DRIVERS\ks.sys
0xB96CC000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xB96BC000 \SystemRoot\System32\Drivers\tosrfcom.sys
0xB96AC000 \SystemRoot\System32\Drivers\VcommMgr.sys
0xB9DA1000 \SystemRoot\system32\DRIVERS\vbtenum.sys
0xBA408000 \SystemRoot\system32\DRIVERS\blueletaudio.sys
0xB902A000 \SystemRoot\system32\DRIVERS\portcls.sys
0xB969C000 \SystemRoot\system32\DRIVERS\drmk.sys
0xBA787000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA5D0000 \SystemRoot\System32\Drivers\RootMdm.sys
0xBA410000 \SystemRoot\System32\Drivers\Modem.SYS
0xB968C000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9D9D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9013000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA158000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA168000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA418000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9002000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA178000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA420000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA428000 \SystemRoot\system32\DRIVERS\raspti.sys
0xBA430000 \SystemRoot\system32\DRIVERS\VComm.sys
0xB9D8D000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB8FAA000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA188000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5D4000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8F4C000 \SystemRoot\system32\DRIVERS\update.sys
0xB9A0D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA198000 \SystemRoot\system32\DRIVERS\tosporte.sys
0xBA1A8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB6DAE000 \SystemRoot\system32\drivers\sthda.sys
0xB6D7C000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
0xB6C88000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xB6BD7000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5DE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA5FE000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA757000 \SystemRoot\System32\Drivers\Null.SYS
0xBA600000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA460000 \SystemRoot\System32\drivers\vga.sys
0xBA602000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA604000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA468000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA470000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA588000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB6BA4000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB6B4B000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB6B25000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB6AEB000 \SystemRoot\System32\Drivers\avgtdix.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA208000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB6A23000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB6A01000 \SystemRoot\System32\drivers\afd.sys
0xBA218000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB8FEE000 \??\C:\WINDOWS\system32\drivers\VCdRom.sys
0xB69D6000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBA228000 \SystemRoot\System32\Drivers\PrivateDiskM.sys
0xB6966000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA238000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA78D000 \SystemRoot\system32\DRIVERS\DMICall.sys
0xBA478000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB6932000 \SystemRoot\System32\Drivers\avgldx86.sys
0xBA268000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB691A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA606000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB8EE3000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA480000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6E3000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA490000 \SystemRoot\system32\DRIVERS\AegisP.sys
0xB5EB9000 \SystemRoot\system32\DRIVERS\fssfltr_tdi.sys
0xB5E01000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xB5DFD000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB52C4000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB50A3000 \SystemRoot\System32\Drivers\HTTP.sys
0xB4FAC000 \SystemRoot\system32\DRIVERS\srv.sys
0xB51E0000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB4E54000 \??\C:\WINDOWS\system32\Drivers\SBKUPNT.SYS
0xB4EBC000 \SystemRoot\system32\DRIVERS\secdrv.sys
0xB4A97000 \SystemRoot\system32\drivers\wdmaud.sys
0xB53F9000 \SystemRoot\system32\drivers\sysaudio.sys
0xB3EAE000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 57):
0 System Idle Process
4 System
652 C:\WINDOWS\system32\smss.exe
720 csrss.exe
744 C:\WINDOWS\system32\winlogon.exe
788 C:\WINDOWS\system32\services.exe
800 C:\WINDOWS\system32\lsass.exe
952 C:\WINDOWS\system32\svchost.exe
1024 C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
1108 svchost.exe
1148 C:\WINDOWS\system32\svchost.exe
1224 svchost.exe
1248 C:\Program Files\AVG\AVG9\avgchsvx.exe
1256 C:\Program Files\AVG\AVG9\avgrsx.exe
1364 svchost.exe
1380 C:\Program Files\AVG\AVG9\avgcsrvx.exe
1856 C:\WINDOWS\system32\spoolsv.exe
1932 svchost.exe
1964 C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
2000 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
2012 C:\Program Files\AVG\AVG9\avgwdsvc.exe
144 C:\Program Files\Bonjour\mDNSResponder.exe
192 C:\WINDOWS\ehome\ehrecvr.exe
228 C:\WINDOWS\ehome\ehSched.exe
348 C:\WINDOWS\system32\svchost.exe
524 C:\Program Files\Java\jre6\bin\jqs.exe
592 C:\Program Files\AVG\AVG9\avgnsx.exe
704 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1168 C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
2092 C:\WINDOWS\system32\nvsvc32.exe
2200 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
2320 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
2584 svchost.exe
2628 C:\WINDOWS\system32\svchost.exe
2828 C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
3392 mcrdsvc.exe
3536 C:\WINDOWS\system32\wuauclt.exe
536 C:\WINDOWS\system32\dllhost.exe
2820 alg.exe
3188 C:\WINDOWS\explorer.exe
2612 C:\WINDOWS\ehome\ehtray.exe
2624 C:\WINDOWS\system32\ico.exe
2664 C:\Program Files\Utimaco\SafeGuard PrivateDisk\pdservice.exe
3128 C:\Program Files\iTunes\iTunesHelper.exe
3240 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2276 C:\WINDOWS\system32\ctfmon.exe
360 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
3928 C:\PROGRA~1\Sony\SONICS~1\SSAAD.exe
4024 C:\WINDOWS\ehome\ehmsas.exe
520 C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
2164 C:\WINDOWS\system32\wuauclt.exe
3184 C:\Program Files\iPod\bin\iPodService.exe
3952 C:\Documents and Settings\Philbo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1724 C:\Documents and Settings\Philbo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
2136 C:\Program Files\AVG\AVG9\avgscanx.exe
3168 C:\Program Files\AVG\AVG9\avgcsrvx.exe
3220 C:\Documents and Settings\Philbo\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`bf1f2000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000018`3f3ee800 (NTFS)

PhysicalDrive0 Model Number: WDCWD3200BEVT-00ZCT0, Rev: 11.01A11

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
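The MBRCheck report above comes down to a few checks on the first sector of the disk: is the 0x55AA boot signature present, does the boot code look like known Windows XP MBR code (MBRCheck prints a SHA1 for it), and at what byte offset does each volume start. As an added example, mine rather than MBRCheck's code or anything from the thread, here is a Python parser that performs the same kind of checks on a constructed 512-byte sector: the boot-code bytes, the two sample NTFS partitions and the "known-good" hash are all made up for the demo, and the tampered copy just patches one boot-code byte to show what an integrity comparison catches.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Parse one 512-byte MBR sector.

    Returns the SHA1 of the whole sector and of the boot code alone, whether the
    0x55AA signature is present, and the non-empty partition entries with their
    byte offsets (LBA * 512), the form MBRCheck prints for each volume.
    """
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for index in range(4):
        entry_offset = PARTITION_TABLE_OFFSET + index * 16
        # entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, entry_offset)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "sha1": hashlib.sha1(mbr).hexdigest().upper(),
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, known_good_boot_code_sha1: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["boot_code_sha1"] != known_good_boot_code_sha1.upper():
        findings.append("boot code differs from the known-good hash")
    if not any(p["bootable"] for p in parsed["partitions"]):
        findings.append("no partition is flagged bootable")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: a stand-in for boot code plus two NTFS partitions."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:7] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"  # xor ax,ax / mov ss,ax / mov sp,7C00h
    # (status, type, lba_start, sectors): partition 1 bootable NTFS, partition 2 NTFS data
    for index, (status, ptype, lba_start, sectors) in enumerate(
            [(0x80, 0x07, 63, 100_000), (0x00, 0x07, 100_063, 200_000)]):
        struct.pack_into("<B3xB3xII", mbr, PARTITION_TABLE_OFFSET + index * 16,
                         status, ptype, lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def tampered_copy(mbr: bytes) -> bytes:
    """Constructed variant with one boot-code byte patched; the hash check must flag it."""
    patched = bytearray(mbr)
    patched[5] ^= 0xFF
    return bytes(patched)


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["boot_code_sha1"]  # would come from a known-clean machine
    print(parse_mbr(clean))
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(tampered_copy(clean), baseline))
```

The known-good hash only means something if it was recorded from a clean install of the same Windows version, which is exactly what a tool like MBRCheck carries as a built-in table; on a machine already suspected of a backdoor, compare the sector against a copy read from outside the running OS rather than trusting the host's own view.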
Combofix isn't working - launching the program caused an "Error - Win32 only" message box to pop up, saying "Incompatible OS. Combofix only works for workstations with Windows 2000 and XP".

But I'm running XP (albeit the Media Centre Edition)?!

Will try running in Safe Mode, but I suspect this is a side-effect of the virus.
 
ComboFix ran successfully in Safe Mode (had to download the Recovery Console):

ComboFix 10-10-12.03 - Philbo 15/10/2010 2:39.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2046.1749 [GMT 1:00]
Running from: c:\documents and settings\Philbo\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Philbo\Application Data\Desktopicon
c:\windows\system32\dmlconf.dat
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
.

2010-10-15 01:12 . 2010-10-15 01:14 -------- d--h--w- c:\windows\$hf_mig$
2010-10-15 01:12 . 2010-10-15 01:12 -------- d-----w- c:\windows\LastGood
2010-10-13 19:55 . 2010-10-14 21:19 -------- d-----w- c:\program files\STOPzilla!
2010-10-13 19:55 . 2010-10-15 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-10-13 19:55 . 2010-10-13 19:55 -------- d-----w- c:\program files\Common Files\iS3
2010-10-12 22:12 . 2010-10-12 22:12 -------- d-----w- c:\program files\Trend Micro
2010-10-12 18:33 . 2010-10-13 00:07 -------- d-----w- c:\program files\system
2010-10-12 07:54 . 2010-10-12 07:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-10-11 22:31 . 2010-10-14 19:30 -------- d-----w- c:\windows\system32\wbem\Logs
2010-10-11 22:02 . 2010-10-11 22:02 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-10-11 22:02 . 2010-10-11 22:02 0 ----a-w- c:\windows\system32\REN119.tmp
2010-10-11 22:02 . 2010-10-11 22:02 0 ----a-w- c:\windows\system32\REN118.tmp
2010-10-11 22:02 . 2010-10-11 22:02 0 ----a-w- c:\windows\system32\REN117.tmp
2010-10-11 21:59 . 2010-10-11 22:02 423656 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-10-11 21:59 . 2010-10-11 22:02 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-10-11 20:04 . 2010-10-11 20:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-10-11 20:02 . 2010-10-11 20:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-10-11 19:56 . 2010-10-11 19:56 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-10-11 19:50 . 2010-10-11 19:50 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-11 19:20 . 2010-10-11 19:20 -------- d-----w- c:\documents and settings\Philbo\Application Data\Malwarebytes
2010-10-11 19:19 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-11 19:19 . 2010-10-11 19:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-11 19:19 . 2010-10-11 19:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-11 19:19 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-11 16:58 . 2010-10-11 16:58 546256 ----a-r- c:\windows\system32\SZComp5.dll
2010-10-11 16:58 . 2010-10-11 16:58 452048 ----a-r- c:\windows\system32\SZBase5.dll
2010-10-11 16:58 . 2010-10-11 16:58 22992 ----a-r- c:\windows\system32\SZIO5.dll
2010-10-11 16:58 . 2010-10-11 16:58 132560 ----a-r- c:\windows\system32\IS3HTUI5.dll
2010-10-11 16:58 . 2010-10-11 16:58 99792 ----a-r- c:\windows\system32\IS3Svc5.dll
2010-10-11 16:58 . 2010-10-11 16:58 99792 ----a-r- c:\windows\system32\IS3Inet5.dll
2010-10-11 16:58 . 2010-10-11 16:58 67024 ----a-r- c:\windows\system32\IS3Hks5.dll
2010-10-11 16:58 . 2010-10-11 16:58 398800 ----a-r- c:\windows\system32\IS3DBA5.dll
2010-10-11 16:58 . 2010-10-11 16:58 28624 ----a-r- c:\windows\system32\IS3XDat5.dll
2010-10-11 16:58 . 2010-10-11 16:58 738768 ----a-r- c:\windows\system32\IS3Base5.dll
2010-10-11 16:58 . 2010-10-11 16:58 390608 ----a-r- c:\windows\system32\IS3UI5.dll
2010-10-11 16:58 . 2010-10-11 16:58 230864 ----a-r- c:\windows\system32\IS3Win325.dll
2010-10-11 00:36 . 2010-10-13 23:43 7680 -c--a-w- c:\windows\system32\dllcache\wmm2ext.dll
2010-10-11 00:36 . 2010-10-13 23:43 7680 ----a-w- c:\program files\Movie Maker\WMM2EXT.dll
2010-10-10 23:28 . 2010-10-13 00:07 -------- d-----w- c:\program files\tmp
2010-10-09 19:07 . 2010-10-09 19:15 -------- d-----w- c:\program files\RapidShareManager
2010-10-02 14:17 . 2010-10-02 14:17 -------- d-----w- c:\program files\iPod
2010-10-02 14:14 . 2010-10-02 14:14 -------- d-----w- c:\program files\Bonjour
2010-09-17 21:51 . 2010-10-11 06:18 -------- d-----w- c:\program files\QuickTime
2010-09-17 21:43 . 2010-10-02 14:18 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 09:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 68856]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2006-05-08 81920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\Philbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-05-20 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 45056]
"PDService.exe"="c:\program files\Utimaco\SafeGuard PrivateDisk\pdservice.exe" [2004-07-06 40960]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-09-21 47904]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-04 2067808]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-24 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-06 7557120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 16:57 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-20 17:42 73728 ------w- c:\windows\system32\VESWinlogon.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [07/12/2009 17:59 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [12/05/2010 18:01 59280]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [13/06/2009 19:24 243024]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [07/12/2009 17:59 61328]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [13/06/2009 19:24 216400]
S1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [06/07/2004 15:07 45627]
S1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [03/04/2008 00:17 8576]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [15/07/2010 17:57 308136]
S2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [04/06/2008 00:46 14976]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [23/04/2009 00:23 8704]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [23/04/2009 00:23 3072]
S3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [16/03/2006 03:55 29184]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [16/03/2006 03:55 808448]
S3 VUAgent;VUAgent;c:\program files\Sony\VAIO Update 5\VUAgent.exe [24/01/2010 17:55 722288]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder

2010-10-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-10-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1371400613-2662471398-2956716847-1006Core.job
- c:\documents and settings\Philbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-20 21:07]

2010-10-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1371400613-2662471398-2956716847-1006UA.job
- c:\documents and settings\Philbo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-05-20 21:07]

2010-10-15 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2006-11-09 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.one.com/en_GB/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.club-vaio.com/en/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?a9c13202697c4cb39a63c757ecee4120
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?a9c13202697c4cb39a63c757ecee4120
IE: Transfer by Image Converter 2 Plus - c:\program files\Sony\Image Converter 2\menu.htm
Trusted Zone: sony-europe.com
Trusted Zone: sonystyle-europe.com
Trusted Zone: vaio-link.com
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Philbo\Application Data\Mozilla\Firefox\Profiles\w6lcjp8i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.mr2oc.co.uk/forums/search/newposts.html
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\Philbo\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Philbo\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
AddRemove-Ad-Aware SE Personal - c:\progra~1\AD-AWA~1\UNWISE.EXE
AddRemove-AFPL Ghostscript 8.53 - c:\program files\GhostScript\uninstgs.exe
AddRemove-AFPL Ghostscript Fonts - c:\program files\GhostScript\uninstgs.exe
AddRemove-CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003 - c:\program files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_20030003\HXFSETUP.EXE
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-InstallShield_{06F80017-8F98-4C94-B868-52358569FC32} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
AddRemove-InstallShield_{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3} - c:\progra~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe
AddRemove-InstallShield_{3633BA28-67CE-4AC8-A677-3406CA84C3D8} - c:\progra~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe
AddRemove-InstallShield_{668B1BD6-4593-4959-970E-249AFFE6F35C} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{9080C5D2-82FA-452A-87FA-CBB4B05D67A5} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-InstallShield_{F3E9C243-122E-4D6B-ACC1-E1FEC02F6CA1} - c:\progra~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe
AddRemove-InstallShield_{F743886D-AC2E-4FDB-A29C-E654C58C03DE} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe
AddRemove-WinRAR archiver - c:\program files\WinRAR\uninstall.exe


.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(604)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2010-10-15 02:46:06
ComboFix-quarantined-files.txt 2010-10-15 01:46

Pre-Run: 29,463,744,512 bytes free
Post-Run: 29,520,797,696 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 94C0FBC12091A33EC7ECF42B1B6D821F
 
I'm afraid I have very bad news.

You're infected with Ramnit file infector virus.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files and opens a back door that compromises your computer. Using this backdoor, a remote attacker can access and instruct the infected computer to download and execute more malicious files. The infected .HTML or .HTM files may be detected as Virus:VBS/Ramnit.A. Win32/Ramnit.A!dll is a related file infector often seen with this infection. It too has IRCBot functionality which infects .exe, .dll and .HTML/HTM files and opens a back door that compromises your computer. This component is injected into the default web browser by Worm:Win32/Ramnit.A, which is dropped by a Ramnit-infected executable file.

-- Note: As with most malware infections, the threat name may be different depending on the anti-virus or anti-malware program which detected it. Each security vendor uses their own naming conventions to identify various types of malware.
With this particular infection the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

Why? The malware injects code in legitimate files similar to the Virut virus and in many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus. When disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit.A remains on a computer, the more files it infects and corrupts so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies Worm:Win32/Ramnit.A with a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are infested with a smörgåsbord of malware and a major source of system infection.

In my opinion, Ramnit.A is not effectively disinfectable, so your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. Further, your machine has likely been compromised by the backdoor Trojan and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if your anti-virus reports that the malware appears to have been removed.

Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You

This is what Jesper M. Johansson at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).


Important Note: If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity.
 
curses, as i feared :(

thanks very much for your time and help though Broni, i really appreciate it.

I'm very keen not to lose some of my content (as per the below excerpt from one of my above posts), do you have any advice in that regard?

fearing the worst, i have archived off my photos, mp3s, videos and documents into .rar files on an external HDD. Is this safe to do so, or is there a safer way to recover these files? I can't face losing it all - especially our photos
But equally, i don't want to reformat and rebuild my laptop, just to copy these files across along with a virus!

There might be some html files in the "My Documents" rar that i created - from a website i'd built. would i be better off deleting these from the archive? (i can recover the html files from their online host). Or could i possibly change them to .txt files? they were all written in notepad.

Sorry if these questions are naive, i've never had this happen before, so am not sure what i should do!

Thanks again.
 
I'm sorry for not having better news :(

You can use any data you backed up, on two conditions:

1. On a computer, you're planning to plug your external hard drive in, do this...

Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows versions.
Please, use Panda USB Vaccine

2. Scan your external drive with at least two tools: your updated AV program and one of the online scanners, like Eset: http://www.eset.com/onlinescan


Good luck :)
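As an added illustration of the two conditions above (example code, not from the thread, Flash Disinfector or Panda USB Vaccine): a small Python triage of a backup that has already been extracted on the clean PC, plus the autorun.inf folder trick the post describes. File names and contents are constructed samples; the two AV scans still have to be run.

```python
# Added example (not from the thread, Flash Disinfector or Panda USB Vaccine):
# triage an already-extracted backup on the clean PC before restoring it, and
# apply the autorun.inf folder trick the post describes. It only sorts and
# flags files; the two AV scans the post asks for still apply.
import tempfile
from pathlib import Path

INFECTABLE = {".exe", ".dll", ".htm", ".html"}  # types the post says Ramnit infects

def triage_backup(root):
    """Sort files into 'scan_first' (Ramnit-infectable types), 'autorun'
    (autorun.inf, never part of a photo/document backup) and 'other'."""
    root = Path(root)
    report = {"scan_first": [], "autorun": [], "other": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "autorun.inf":
            report["autorun"].append(rel)
        elif path.suffix.lower() in INFECTABLE:
            report["scan_first"].append(rel)
        else:
            report["other"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def protect_drive_root(drive_root):
    """Folder named autorun.inf at the drive root, so a dropped autorun.inf file
    cannot take its place; an existing file is left for the AV to quarantine."""
    target = Path(drive_root) / "autorun.inf"
    if target.is_dir():
        return "already_protected"
    if target.exists():
        return "autorun_file_present"
    target.mkdir()  # the real tool also marks the folder hidden; skipped here
    return "created"

def demo():
    # Constructed sample backup in a temp directory; runs both helpers.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Photos").mkdir()
        (root / "Photos" / "honeymoon.jpg").write_bytes(b"constructed")
        (root / "index.html").write_text("<html>constructed</html>")
        (root / "setup.exe").write_bytes(b"MZ constructed")
        (root / "autorun.inf").write_text("[autorun]\n")
        report = triage_backup(root)
        before = protect_drive_root(root)
        (root / "autorun.inf").unlink()  # stands in for the AV quarantining it
        return report, before, protect_drive_root(root), protect_drive_root(root)
```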
 
that's great news, thanks!

Do i run both steps 1&2 on my infected machine AND the "new machine" (which in reality will be the same machine, rebuilt), or do i only do them on the new machine?

Luckily I upgraded my HDD this year by cloning the OEM HDD onto my new bigger one, so i should still have the original HDD with OS and most of my uninfected files on there, so i'm thinking it should just be a case of formatting this one, swapping in the old one and then re-cloning it to my newly formatted drive? and therefore i should only lose things i've added in the last 6 months or so, many of which (including my honeymoon photos!) i can try to backup to my external drive and recover when i've rebuilt.
Does that seem like a feasible option? Otherwise i'm not sure what i'll do - i don't believe I received an XP disc with the laptop :(

thanks again, you've really been SO helpful!!
 
i don't believe I received an XP disc with the laptop
You may have recovery partition?
Cloning would work, if you're sure that image is clean.
If you're not sure, use it, install AV, scan the new installation. Scan online for good measure.
Install Flash Disinfector.
Now, you're ready to hook up your external drive.
Scan it as I described.
 
Well, the good news is I do still have the original hard drive, and the image seems clean.

Weirdly, my "infected" drive is no longer finding any issues when i scan, but i'm sure the virus is still lurking there somewhere, so think i should format to be sure.

I have been able to use my original hard drive to create a recovery disk. will using this on my "infected" drive remove the virus, or do i need to completely format the hard drive, removing the partitions, and then re-partition it and clone from my original?
IF i need to format it, how do i go about doing that? do i need some sort of boot disc? I know i could connect the drive externally with my caddy, but wasn't sure i should do that in case it copies across the virus when i hook it up?!

Sorry to keep asking questions! thanks!
 
I have been able to use my original hard drive to create a recovery disk. will using this remove the virus
Recovery disk will return your computer to its original state, so any infection will be gone.
 