Question

cannot connect to microsoft or symantec

By rodmanbrowning
Background:
For the past week or so I've been plagued by this virus that places three links on the desktop to some sort of adult site. From then on I cannot connect to MS sites or AV sites. Instead I'm redirected to someplace with an address a mile long that begins "clicker_cn" (replace the '_' with a '.'). Frustrated, I performed a clean install of WinXP. The instant I install the NIC driver and connect, I'm infected again. I tried to start up in Safe Mode and clean up with various AV and anti-spyware programs. Of course, since I could not access AV sites I had to rely on out-of-date copies I had on my external HD, which contains my software and driver download stores that I've acquired over the years, all 250 GB of it. After taking a break and clearing my head it dawned on me that the ExtHD might be the problem, duh! Sure enough, after removing it from the equation I now have a working clean install.

Dilemma:
All my software, documents, software keys, data backups, etc. are on the ExtHD!

Question or confirmation of next step:
How do I clean the ExtHD without contracting the virus again? My plan is to disconnect from the internet, connect the ExtHD and clean from Safe Mode with Spybot S&D and Avast. I also thought of making the "hosts" file read-only first. Will this work or just infect me again? I invite any and all suggestions, precautions, procedures, etc. Anything that will prevent reinfestation!

With regards and respect,
Rodman

21 total posts (Page 1 of 3)

All Answers

OK as you have already performed a Clean Install you

by OH Smeg In reply to cannot connect to microso ...

Need to wipe the HDD with a utility like KillDisk. This will take several hours depending on the size of the HDD and its speed.

http://www.killdisk.com/downloadfree.htm

If you have an IDE drive use Boot & Nuke from here as it does a better job of wiping the HDD, but if you have a SATA drive use KillDisk.

http://www.dban.org/

Then after you have wiped the HDD you need to perform a new install to the blank HDD. After this is finished and the drivers are installed you should install the AV product and update it; then you can proceed to the Windows Update servers and update the OS. Then install Malwarebytes and update as required

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol&cdlPid=10878968

Spybot S&D

http://www.safer-networking.org/en/download/index.html

After this is finished you can connect the external drive, scan it with all AV & malware products installed and then import the Documents & Settings from your backup, but make sure that you have a working & updated AV product in place before starting the import of the Documents & Settings.

Col

!! "Need to Wipe the HD" !!!

by rodmanbrowning In reply to OK as you have already pe ...

Herein lies the dilemma!

Wiping the drive means fixing the problem but losing about 10 years of work. Not to mention extremely valuable and irreplaceable scripts, templates, graphics, software and their keys. I'd rather connect the External HD, re-infect the root drive and do without updates from Microsoft before I even contemplate wiping the drive. I've already updated AV and Anti-Spyware on the root drive.
Thanks for the suggestion, but no thanks

Well I'm at a loss as you have previously said

by OH Smeg In reply to !! "Need to Wipe the HD ...

All my software, documents, software keys, data backups, etc. are on the ExtHD!

So there is nothing important that you cannot afford to lose on the Boot Drive, so how will you wipe out 10 years of work?

Here you need to wipe the Boot Drive and reload. I very much doubt that you have a clean Boot drive as you think you have

Frustrated, I performed a clean install of WinXP

If you did a clean install of XP you formatted the drive, which isn't good enough to kill some infections. Just because it doesn't show doesn't mean that it's clean, just that you have yet to trigger the reinfection routine, which appears to happen when you install the NIC drivers if your description is correct: "The instant I install the NIC driver and connect, I'm infected again."

So you need to start with a Known Clean system. Of course if you have not done a Clean Install and just a Repair Install that is a different story as you have not really attempted to kill the Infection.

If you have another computer you could fully update that, install the necessary AV and malware removal tools and scan the Boot Drive (which you would need to remove from this computer) and the external drive to kill any infections that you may have.

If you do not have another computer you could just buy a new HDD that suits your computer, remove the current Boot Drive and load the new drive with the OS and tools so that you can do the same thing as you would with a different computer.

Either way you need up-to-date AV, spyware and malware products installed to kill the infection if it is possible, or at the very least identify the infection so you can then take steps to kill it.

Failing that, if you have not actually done a new clean install, follow Jacky's instructions below. They are exactly what I would have suggested if you had not said that you were reinfecting a new clean install of XP.

Col

Sorry, I misunderstood

by rodmanbrowning In reply to Well I'm at a loss as you ...

I developed a root drive 'wipe' as standard procedure for a "clean install" in these cases long ago. So, I thought you were speaking of the External. In any case I proceeded, and it appears the problem has been resolved. However, I do greatly appreciate you taking the time and effort to respond to the post. Have a great day

Gratefully,
Rodman

Install MalwareBytes and Spybot as suggested

by Jacky Howe In reply to cannot connect to microso ...

update them and your Antivirus before connecting the external drive. Try this and then MBAM, Spybot.

Better disable the autorun first.

Copy and paste this into Notepad and save it as NoAutINF.reg

---->copy below<----

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

---->copy above<----

Navigate to the location that you saved it to and double click on it and select Merge. Restart the System for it to take effect.

Open a Command Prompt by pressing the WinKey + r and then typing cmd in the Run box. At the command prompt type the (drive letter): and press Enter.

drive letter is the drive letter that you are connecting to.

type dir /ah and press Enter.

This will display a list of the Hidden files on the Drive. Check whether the following file is there Autorun.inf and also look for suspicious .exe files.

If the file is there

type notepad autorun.inf and press Enter.

Save the file to another location with an extension .txt as this will contain the executable file that is being invoked.

Type attrib -h -r -s (drive letter):\autorun.inf and press Enter.

Type del (drive letter):\autorun.inf


To remove the files from the Registry and the Locations that they are invoked from follow these instructions.

Tip! The executable file will be named in the file that you previously saved with Notepad.


Press the WinKey + r and type in msconfig and press Enter. Click on the Startup tab.

Check the list to find the file that you are looking for, expand the Location column to see where it is loading from in the registry.

Press the WinKey + r and type in regedt32 and click OK. Browse to the key listed in the Location column for Msconfig.

Delete the key on the right hand side only, that specifically matches that startup file.

Note the Command column in msconfig. Browse to the folder, and delete the .exe file.

:::::eXample:::::

The Startup TAB of Msconfig will show you the directory where pop.exe loads from:

Command: c:\Windows\system32\pop.exe

and

Location will guide you to its location in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

With the registry editor open find the Run key in the left window. On the right hand pane you'll see each file that is in the Run key, pop.exe will be there. Right click and Delete the entry for pop.exe.

Browse to the c:\Windows\system32 folder, and select the pop.exe file, hold down the Shift Key and press the Del Key.

Repeat these steps for each item that you want to remove.

Let us know how you get on.

Edit: to add disable the autorun
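The autorun.inf inspection above, done programmatically. This is an added example written for this page, not code from the thread or from any tool it names; the sample autorun.inf, the drive letter E:, and the "hidden folder" and "svchost.exe outside \Windows" heuristics are constructed assumptions. It pulls out every program the file can launch (open=, shellexecute= and any shell\<verb>\command=, which Notepad only shows you if you know which keys to read), resolves each to an absolute path on the drive, and prints the attrib/del lines from the post for each one. Run it against a copy of the file saved as .txt, as the post suggests, or against the drive directly.

```python
import re
import sys

SECTION_RE = re.compile(r"^\[\s*([^\]]*?)\s*\]$")
KEY_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")
LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased.

    Deliberately looser than configparser: worms pad the file with NUL bytes,
    put junk lines before the header and mix key case, and Windows' INI
    reader accepts all of that.
    """
    in_autorun, entries = False, []
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        if not line or line.startswith(";"):
            continue
        section = SECTION_RE.match(line)
        if section:
            in_autorun = section.group(1).lower() == "autorun"
            continue
        pair = KEY_RE.match(line)
        if in_autorun and pair:
            entries.append((pair.group(1).strip().lower(), pair.group(2).strip()))
    return entries


def program_of(command):
    """First token of a command line, i.e. the program Windows would start."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def absolute(path, drive):
    """Resolve a path from autorun.inf against the drive the file sits on."""
    if re.match(r"^[A-Za-z]:", path):
        return path
    if path.startswith(".\\"):
        path = path[2:]
    return drive + path if path.startswith("\\") else drive + "\\" + path


def launch_targets(text, drive="E:"):
    """Every program this autorun.inf can start, as absolute paths on `drive`.

    Windows honours open=, shellexecute= and any shell\\<verb>\\command=; the
    verbs become right-click menu items and shell\\open\\command runs on
    double-click, so all of them count.
    """
    targets = []
    for key, value in parse_autorun(text):
        launches = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if launches and program_of(value):
            targets.append((key, absolute(program_of(value), drive)))
    return targets


def flags(target):
    """Why a target deserves a second look. Heuristics chosen for this
    example; they are assumptions, not facts from the thread."""
    lower, reasons = target.lower(), []
    if "\\recycler\\" in lower or "\\system volume information\\" in lower:
        reasons.append("hides in a system folder Explorer normally hides")
    name = lower.rsplit("\\", 1)[-1]
    if name == "svchost.exe" and "\\windows\\" not in lower:
        reasons.append("named like a Windows system binary but not under \\Windows")
    if name.count(".") > 1:
        reasons.append("double extension")
    return reasons


def report(text, drive="E:"):
    """One line per launch target plus the attrib/del commands from the post."""
    lines = []
    for key, target in launch_targets(text, drive):
        why = "; ".join(flags(target)) or "review manually"
        lines.append(f"{key} -> {target}  [{why}]")
        lines.append(f'    attrib -h -r -s "{target}" && del "{target}"')
    lines.append(f"    attrib -h -r -s {drive}\\autorun.inf && del {drive}\\autorun.inf")
    return lines


# Constructed sample in the style of the USB worms the thread names; the
# file names are illustrative only.
SAMPLE = (
    "\x00\x00;junk before the header, a common obfuscation\n"
    "[AuToRuN]\n"
    "OPEN=RECYCLER\\svchost.exe\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
    "shell\\open\\command=\"New Folder.exe\" /autoplay\n"
    "ShellExecute=Ravmon.exe\n"
    "shell\\explore\\Command = RECYCLER\\svchost.exe -e\n"
    "action=Open folder to view files\n"
    "[NotAutorun]\n"
    "open=ignored.exe\n"
)

if __name__ == "__main__":
    # usage: python autorun_check.py E:\autorun.inf E:   (no args: the sample)
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE
    for line in report(text, sys.argv[2] if len(sys.argv) > 2 else "E:"):
        print(line)
```

The parser is intentionally hand-rolled rather than configparser, because a worm's autorun.inf is often not a well-formed INI file and a strict parser would fail on exactly the files you most want to read.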

OK, Let me see if I understand

by rodmanbrowning In reply to Install MalwareBytes and ...

Because the instant I connect the External Hard Drive and it spins up, I'm going to re-infect the root drive. Are the instructions you're giving a fix for the re-infestation? I've already updated the AV and AntiSpy software on the clean root drive in addition to MS updates.
Is the infection this "POP.EXE" and these instructions you're giving the fix to that infection? If so, then I guess reinfection is unavoidable. Is this correct?

NO!

by Jacky Howe In reply to OK, Let me see if I under ...

What I'm suggesting is to try and avoid a reinfection. The registry fix will disable the autorun file from running and possibly reinfecting your System. This is assuming it is that type of Virus.

Checking for the autorun.inf and checking the contents will tell you the name of the executable file that is on your external hard drive that is causing the infection. The contents of the file could include any one of these files.

Ravmon.exe
New Folder.exe
svchost.exe
Heap41a

If it is the autorun Virus you would be able to delete the referenced file before it can do any damage.

eXample:
attrib -s -h -r /s /d will remove the file attributes to expose them as they are normally hidden.

If you find ravmon.exe you would then

type del ravmon.exe

You would only have to run msconfig if the System was reinfected. pop.exe is only an eXample of what you are looking for. It could be one of the above files or something else altogether.

When you have checked for, found and deleted the file it is time to scan the drive with your other Antiviral/Malware software.

Problem resolved!

by rodmanbrowning In reply to NO!

Thanks for clarifying, I was confused. I proceeded with connecting the Ext. Drive and checked

"whether the following file is there Autorun.inf and also look for suspicious .exe files."

and found no such files. I've since completed full scans and am back up and running. With respect and gratitude I thank you for your time and effort in helping me resolve my dilemma. Have a great day and may things always go your way!

Rodman

Oops! I spoke too soon

by rodmanbrowning In reply to Problem resolved!

My problem is back. I tried to execute your previous instructions but had problems.
First, when I double-click noautoinf.reg it just opens Notepad. Same thing if I right-click and Merge.

C:\>dir /ah
Volume in drive C is OS DRIVE
Volume Serial Number is D84D-3529

Directory of C:\

09/11/2009 10:43 PM 211 boot.ini
09/11/2009 10:51 PM 0 IO.SYS
09/11/2009 10:51 PM 0 MSDOS.SYS
09/13/2009 10:10 AM <DIR> MSOCache
08/04/2004 07:00 AM 47,564 NTDETECT.COM
09/12/2009 09:40 AM 250,048 ntldr
09/15/2009 07:42 PM 805,306,368 pagefile.sys
09/12/2009 05:04 AM <DIR> RECYCLER
09/11/2009 10:57 PM <DIR> System Volume Information
6 File(s) 805,604,191 bytes
3 Dir(s) 33,107,988,480 bytes free
----------------------------------------------------
D:\>dir /ah
Volume in drive D is DATA DRIVE
Volume Serial Number is D490-FE7C

Directory of D:\

09/12/2009 05:05 AM <DIR> RECYCLER
09/12/2009 06:10 AM <DIR> System Volume Information
0 File(s) 0 bytes
2 Dir(s) 38,028,722,176 bytes free
----------------------------------------------------
E:\>dir /ah
Volume in drive E is EXT. DRIVE
Volume Serial Number is A033-AD76

Directory of E:\

09/13/2009 09:55 AM <DIR> RECYCLER
08/31/2009 08:44 PM <DIR> System Volume Information
0 File(s) 0 bytes
2 Dir(s) 40,064,401,408 bytes free
----------------------------------------------------


Don't see anything suspect. Do You?
avast! has sent "i4j.exe" to the virus chest

Rodman

Check in the registry for HKCR\regfile

by seanferd In reply to Opps! I spoke too soon

Expand the tree under regfile to /open/command and see that the default value is type REG_SZ with data regedit.exe "%1"

An infection may have tried to disable registry merging for you.
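The registry check described above, turned into a script. This is an added example, not from the thread; the sample values, and the rule that a regedit.exe living anywhere other than a Windows directory is treated as a decoy, are my assumptions. On the affected XP machine it reads the live (Default) value of HKCR\regfile\shell\open\command with winreg; on any other host it evaluates the constructed samples. The repair line uses reg.exe rather than a .reg file, since merging .reg files is exactly what is broken.

```python
import re
import sys

KEY = r"regfile\shell\open\command"
# program (quoted if it carries a path) followed by %1, quoted or not
COMMAND_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s+"?%1"?\s*$')


def command_is_clean(value):
    """True only if the default value hands .reg files to regedit.exe as "%1".

    A bare `regedit.exe` or a full path under a Windows directory both pass
    (assumption: a regedit.exe anywhere else is a decoy). notepad.exe, a
    missing "%1" or no value at all mean double-click/Merge will not merge,
    which is the symptom reported above.
    """
    if not value:
        return False
    m = COMMAND_RE.match(value)
    if not m:
        return False
    exe = m.group(1) or m.group(2)
    parts = exe.lower().split("\\")
    if parts[-1] != "regedit.exe":
        return False
    return len(parts) == 1 or "windows" in parts[:-1]


def read_live_value():
    """The live (Default) value on Windows; None elsewhere or if the key is gone."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, KEY) as key:
            value, kind = winreg.QueryValueEx(key, "")
    except OSError:
        return None
    return value if kind in (winreg.REG_SZ, winreg.REG_EXPAND_SZ) else None


def repair_command():
    """cmd.exe one-liner restoring the default. reg.exe ships with XP, so it
    works while .reg merging is broken; /ve targets the (Default) value and
    \\" embeds the quotes around %1."""
    return r'reg add "HKCR\regfile\shell\open\command" /ve /d "regedit.exe \"%1\"" /f'


def diagnose(value):
    """(ok, message) for an observed value."""
    if command_is_clean(value):
        return True, f"{KEY} is the default: {value}"
    return False, (f"{KEY} has been changed to {value!r}; .reg files will not "
                   f"merge. Restore it with:\n  {repair_command()}")


# Constructed observations, not values from the thread.
SAMPLES = {
    "XP default": 'regedit.exe "%1"',
    "full path": r'"C:\WINDOWS\regedit.exe" "%1"',
    "sent to Notepad": 'notepad.exe "%1"',
    "decoy regedit": r'"C:\Documents and Settings\All Users\regedit.exe" "%1"',
    "value deleted": None,
}

if __name__ == "__main__":
    observed = {"this machine": read_live_value()} if sys.platform == "win32" else SAMPLES
    for label, value in observed.items():
        ok, msg = diagnose(value)
        print(f"[{'OK' if ok else '!!'}] {label}: {msg}")
```

If the check fails on the infected machine, run the printed reg add line from a Command Prompt and then retry the NoAutINF.reg merge from the earlier post.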
