cannot connect to microsoft or symantec

rodmanbrowning
Background:
For the past week or so I've been plagued by this virus that places three links on the desktop to some sort of adult site. From then on I cannot connect to MS sites or AV sites. Instead I'm redirected to someplace with an address a mile long that begins "clicker_cn" (replace the '_' with a '.'). Frustrated, I performed a clean install of WinXP. The instant I install the NIC driver and connect, I'm infected again. I tried to start up in safe mode and clean up with various AV and anti-spyware programs. Of course, since I could not access AV sites I had to rely on out-of-date copies I had on my external HD, which contains my software and driver download stores that I've acquired over the years, all 250Gb of it. After taking a break and clearing my head it dawned on me that the ExtHD might be the problem, duh! Sure enough, after removing it from the equation I now have a working clean install.

Dilemma:
All my software, documents, software keys, data backups, etc. are on the ExtHD!

Question or Confirmation of next step:
How do I clean the ExtHD without contracting the virus again? My plan is to disconnect from the internet, connect the ExtHD and clean from Safe Mode with SpyBot S&D and Avast. I also thought of making the "hosts" file read only first. Will this work or just infect me again? I invite any and all suggestions, precautions, procedures, etc. Anything that will prevent reinfestation!

With regards and respect,
Rodman
    +
    0 Votes
    OH Smeg

    Need to Wipe the HDD with a Utility like KillDisk. This will take several hours depending on the size of the HDD and its Speed.

    http://www.killdisk.com/downloadfree.htm

    If you have an IDE Drive use Boot & Nuke from here as it does a better job of wiping the HDD, but if you have a SATA Drive use KillDisk.

    http://www.dban.org/

    Then after you have wiped the HDD you need to perform a new install to the Blank HDD. After this is finished and the drivers are installed you should install the AV Product and Update it, then you can proceed to the Windows Update Servers and update the OS. Then install Malwarebytes and update as required

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol&cdlPid=10878968

    Spy Bot S&D

    http://www.safer-networking.org/en/download/index.html

    After this is finished you can first connect the External Drive scan it with all AV & Malware Products installed and then import the Documents & Settings from your Backup but make sure that you have a Working & Upgraded AV Product In Place before starting the Import of the Documents & Settings.

    Col

    +
    0 Votes
    rodmanbrowning

    Herein lies the Dilemma!

    Wiping the drive means fixing the problem but losing about 10 years of work. Not to mention extremely valuable and irreplaceable scripts, templates, graphics, software and their keys. I'd rather connect the External HD, re-infect the root drive and do without updates from Microsoft before I even contemplate wiping the drive. I've already updated AV and Anti-Spyware on the root drive.
    Thanks for the suggestion, but No Thanks

    +
    0 Votes
    OH Smeg

    All my software, documents, software keys, data backups, etc. are on the ExtHD!

    So there is nothing important that you cannot afford to lose on the Boot Drive, so how will you wipe out 10 years of work?

    Here you need to wipe the Boot Drive and reload. I very much doubt that you have a clean Boot drive as you think you have

    Frustrated, I preformed a clean install of WinXP

    If you did a clean install of XP you formatted the drive which isn't good enough to kill some infections. Just because it doesn't show doesn't mean that it's clean, just that you have yet to trigger the reinfection routine which appears to happen when you install the NIC Drivers if your description is correct. The instant I install the NIC driver and connect, I'm infected again

    So you need to start with a Known Clean system. Of course if you have not done a Clean Install and just a Repair Install that is a different story as you have not really attempted to kill the Infection.

    If you have another computer you could fully update that install the necessary AV and Malware Removal Tools and scan the Boot Drive which you would need to remove from this computer and the external drive to Kill Any infections that you may have.

    If you do not have another computer you could just buy a new HDD that suits your computer, remove the current Boot Drive and load the new Drive with the OS and tools so that you can do the same thing as you would with a different computer.

    Either way you need Up To Date AV, Spyware and Malware products installed to kill the infection if it is possible or at the very least identify the Infection so you can then take steps to kill it.

    Failing that, if you have not actually done a New Clean Install follow Jacky's Instructions below. They are exactly what I would have suggested if you had not said that you were reinfecting a New Clean Install of XP.

    Col

    +
    0 Votes
    rodmanbrowning

    I developed a root drive 'wipe' as standard procedure for a "clean install" in these cases long ago. So, I thought you were speaking of the External. In any case I proceeded, and it appears the problem has been resolved. However, I do greatly appreciate you taking the time and effort to respond to the post. Have a great day

    Gratefully,
    Rodman

    +
    0 Votes
    Jacky Howe

    update them and your Antivirus before connecting the external drive. Try this and then MBAM, Spybot.

    Better disable the autorun first.

    Copy and paste this into Notepad and save it as NoAutINF.reg

    ---->copy below<----

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

    ---->copy above<----

    Navigate to the location that you saved it to and double click on it and select Merge. Restart the System for it to take effect.

    Open a Command Prompt by pressing the WinKey + r and then typing cmd in the run box. At the command prompt type the (drive letter): and press Enter.

    drive letter is the drive letter that you are connecting to.

    type dir /ah and press Enter.

    This will display a list of the Hidden files on the Drive. Check whether the following file is there Autorun.inf and also look for suspicious .exe files.

    If the file is there

    type notepad autorun.inf and press Enter.

    Save the file to another location with an extension .txt as this will contain the executable file that is being invoked.

    Type attrib -h -r -s (drive letter):\autorun.inf and press Enter.

    Type del (drive letter):\autorun.inf


    To remove the files from the Registry and the Locations that they are invoked from follow these instructions.

    Tip! The executable file will be named in the file that you previously saved with Notepad.


    Press the WinKey + r and type in msconfig and press Enter. Click on the Startup Tab.

    Check the list to find the file that you are looking for, expand the Location column to see where it is loading from in the registry.

    Press the WinKey + r and type in regedt32 and click OK. Browse to the key listed in the Location column for Msconfig.

    Delete the key on the right hand side only, that specifically matches that startup file.

    Note the Command column in msconfig. Browse to the folder, and delete the .exe file.

    :::::eXample:::::

    The Startup TAB of Msconfig will show you the directory where pop.exe loads from:

    Command: c:\Windows\system32\pop.exe

    and

    Location will guide you to its location in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    With the registry editor open find the Run key in the left window. On the right hand pane you'll see each file that is in the Run key, pop.exe will be there. Right click and Delete the entry for pop.exe.

    Browse to the c:\Windows\system32 folder, and select the pop.exe file, hold down the Shift Key and press the Del Key.

    Repeat these steps for each item that you want to remove.

    Let us know how you get on.

    Edit: to add disable the autorun

    +
    0 Votes
    rodmanbrowning

    Because the instant I connect the External Hard Drive and it spins up, I'm going to re-infect the root drive. Are the instructions you're giving a fix to the re-infestation? I've already updated the AV and AntiSpy software on the clean root drive in addition to MS updates.
    Is the infection this "POP.EXE" and these instructions you're giving the fix to that infection? If so, then I guess reinfection is unavoidable. Is this correct?

    +
    0 Votes

    NO!

    Jacky Howe

    What I'm suggesting is to try and avoid a reinfection. The registry fix will disable the autorun file from running and possibly reinfecting your System. This is assuming it is that type of Virus.

    Checking for the autorun.inf and checking the contents will tell you the name of the executable file that is on your external hard drive that is causing the infection. The contents of the file could include any one of these files.

    Ravmon.exe
    New Folder.exe
    svchost.exe
    Heap41a

    If it is the autorun Virus you would be able to delete the referenced file before it can do any damage.

    eXample:
    attrib -s -h -r /s /d will remove the file attributes to expose them as they are normally hidden.

    If you find ravmon.exe you would then

    type del ravmon.exe

    You would only have to run msconfig if the System was reinfected. pop.exe is only an eXample of what you are looking for. It could be one of the above files or something else altogether.

    When you have checked for, found and deleted the file it is time to scan the drive with your other Antiviral/Malware software.
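    The autorun.inf check described in this reply (open the file, read which executable it names, then delete that file before the drive is scanned), written as an added Python triage script rather than the cmd steps above. This is example code, not from the thread; the autorun.inf content below is constructed for illustration and only reuses file names already listed in the reply.

```python
import re

# Constructed sample in the style of the autorun.inf files the thread describes
# (not taken from the poster's drive): the executables it names are the ones
# listed in the reply, placed in a RECYCLER folder to look like system files.
SAMPLE_AUTORUN = r"""
[AutoRun]
icon=RECYCLER\icon.ico
open=RECYCLER\ravmon.exe
shell\open\Command=RECYCLER\ravmon.exe
shell\explore\command=New Folder.exe
shellexecute=svchost.exe -a
"""

# [autorun] keys that hand a program to Windows; icon= and label= do not.
_DIRECT_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... entries also launch programs (via the context menu
# verb, or as the default action if shell=<verb> is set).
_SHELL_CMD = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)
_EXE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs")


def parse_autorun(text):
    """Return [(key, command), ...] for every launch directive in an autorun.inf.

    Tolerates a UTF-8 BOM, ';' comments, blank lines, stray whitespace,
    mixed-case keys and several [autorun] sections ([autorun.<arch>] included).
    Directives outside an [autorun...] section are ignored, as Windows ignores them.
    """
    launches = []
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section is None or not section.startswith("autorun") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in _DIRECT_KEYS or _SHELL_CMD.match(key):
            launches.append((key, value))
    return launches


def program_of(command):
    """Best-effort extraction of the program a command line would start.

    A quoted first token wins; otherwise, if the whole line ends in an
    executable suffix it is treated as one unquoted path with spaces
    ("New Folder.exe"); otherwise the first token is the program.
    """
    command = command.strip()
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        program = quoted.group(1)
    elif command.lower().endswith(_EXE_SUFFIXES):
        program = command
    else:
        program = command.split()[0] if command else ""
    # Reduce to the bare file name so it can be matched against dir /ah output.
    return program.replace("/", "\\").split("\\")[-1].lower()


def referenced_executables(text):
    """Set of lower-cased file names an autorun.inf would try to launch."""
    return {program_of(cmd) for _, cmd in parse_autorun(text) if program_of(cmd)}


def triage(text):
    """One-line summary for reviewing a drive before it is scanned or opened."""
    names = referenced_executables(text)
    if not names:
        return "autorun.inf launches nothing; only icon/label directives found"
    return "autorun.inf would launch: " + ", ".join(sorted(names))


if __name__ == "__main__":
    print(triage(SAMPLE_AUTORUN))
```

    Run it against a copy of the autorun.inf saved as .txt (as the reply suggests) so the file is never executed while being read.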

    +
    0 Votes
    rodmanbrowning

    Thanks for clarifying, I was confused. I proceeded with connecting the Ext. Drive and Checked

    "whether the following file is there Autorun.inf and also look for suspicious .exe files."

    and found no such files. I've since completed full scans and am back up and running. With respect and gratitude I thank you for your time and effort in helping me resolve my dilemma. Have a great day and may things always go your way!

    Rodman

    +
    0 Votes
    rodmanbrowning

    My problem is back. I tried to execute your previous instructions but had problems.
    First, when I dblClick noautoinf.reg it just opens notepad. Same thing if I rtClick and merge

    C:\>dir /ah
    Volume in drive C is OS DRIVE
    Volume Serial Number is D84D-3529

    Directory of C:\

    09/11/2009 10:43 PM 211 boot.ini
    09/11/2009 10:51 PM 0 IO.SYS
    09/11/2009 10:51 PM 0 MSDOS.SYS
    09/13/2009 10:10 AM <DIR> MSOCache
    08/04/2004 07:00 AM 47,564 NTDETECT.COM
    09/12/2009 09:40 AM 250,048 ntldr
    09/15/2009 07:42 PM 805,306,368 pagefile.sys
    09/12/2009 05:04 AM <DIR> RECYCLER
    09/11/2009 10:57 PM <DIR> System Volume Information
    6 File(s) 805,604,191 bytes
    3 Dir(s) 33,107,988,480 bytes free
    ----------------------------------------------------
    D:\>dir /ah
    Volume in drive D is DATA DRIVE
    Volume Serial Number is D490-FE7C

    Directory of D:\

    09/12/2009 05:05 AM <DIR> RECYCLER
    09/12/2009 06:10 AM <DIR> System Volume Information
    0 File(s) 0 bytes
    2 Dir(s) 38,028,722,176 bytes free
    ----------------------------------------------------
    E:\>dir /ah
    Volume in drive E is EXT. DRIVE
    Volume Serial Number is A033-AD76

    Directory of E:\

    09/13/2009 09:55 AM <DIR> RECYCLER
    08/31/2009 08:44 PM <DIR> System Volume Information
    0 File(s) 0 bytes
    2 Dir(s) 40,064,401,408 bytes free
    ----------------------------------------------------


    Don't see anything suspect. Do You?
    avast! has sent "i4j.exe" to the virus chest

    Rodman

    +
    0 Votes
    seanferd

    Expand the tree under regfile to /open/command and see that the default value is type REG_SZ with data regedit.exe "%1"

    An infection may have tried to disable registry merging for you.

    +
    0 Votes
    rodmanbrowning

    Has a data value of: NOTEPAD.EXE %1.

    Is this correct?

    +
    0 Votes
    seanferd

    As stated previously, it should be
    regedit.exe "%1"

    This is why you cannot merge .reg files to the registry. Edit the entry accordingly, and you can then merge the .reg file. :)
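    The regfile handler check from the two replies above, as an added Python example (not code from the thread): it parses a regedit export, compares the default value of regfile\shell\open\command with the healthy regedit.exe "%1", and produces the corrective .reg fragment. The two exports below are constructed; the hijacked one reproduces the NOTEPAD.EXE %1 value reported in the thread.

```python
import re

# Value that a healthy Windows XP installation has for the .reg file handler,
# which is what the replies say to check when double-clicking a .reg file
# opens Notepad instead of offering to merge it.
REGFILE_KEY = r"HKEY_CLASSES_ROOT\regfile\shell\open\command"
EXPECTED_HANDLER = 'regedit.exe "%1"'

# Constructed .reg exports (not the poster's registry): one showing the
# hijacked handler reported in the thread, one showing the healthy value.
HIJACKED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="NOTEPAD.EXE %1"
"""

HEALTHY_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="regedit.exe \"%1\""
"""

# A value line is either @=data (the default value) or "name"=data.
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # Undo .reg string escaping: a backslash escapes the next character
    # (backslash-backslash and backslash-quote are the two forms regedit writes).
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from regedit export text.

    REG_SZ data ("...") is unescaped; dword:/hex: data is kept as raw text.
    The default value is stored under the name "" (written @= in the file).
    The caller decodes the file first (XP exports are UTF-16LE with a BOM).
    """
    keys, current = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def check_regfile_handler(text):
    """Return (is_healthy, actual_default_value) for the regfile open command.

    Key and data comparisons are case-insensitive, as the registry is;
    a missing key yields (False, None).
    """
    for key, values in parse_reg_export(text).items():
        if key.lower() == REGFILE_KEY.lower():
            actual = values.get("")
            return (actual is not None and actual.lower() == EXPECTED_HANDLER.lower(), actual)
    return (False, None)


def repair_reg_text():
    """A .reg fragment restoring the handler. Apply it with regedit.exe directly
    (regedit /s fix.reg), since double-click merging is the thing that is broken."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[" + REGFILE_KEY + "]\r\n"
            '@="regedit.exe \\"%1\\""\r\n')


if __name__ == "__main__":
    for label, export in (("hijacked", HIJACKED_EXPORT), ("healthy", HEALTHY_EXPORT)):
        print(label, check_regfile_handler(export))
```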

    +
    0 Votes
    Jacky Howe

    Have you enabled hidden files and file extensions? Your .reg file may have a .txt extension.

    In Explorer go to the Menu and select Tools, Folders Options, View. Uncheck "Show hidden files and folders".
    Hide extensions for known types and Hide protected operating system files. Click OK. Now check the extension on your .reg file.

    I don't think that it's related to the autorun virus looking at your post.

    Press the WinKey + r type regedt32 and press Enter. Can you access the registry?


    Download HijackThis and run it and then go to the site below to analyze it.

    http://aumha.org/downloads/hijackthis.exe

    HijackThis log file analysis

    Hijack This opens you a possibility to find and fix nasty entries on your computer easier. Therefore it will scan special parts in the registry and on your harddisk and compare them with the default settings. If there is some abnormality detected on your computer HijackThis will save them into a logfile. In order to find out what entries are nasty and what are installed by the user, you need some background information.

    A logfile is not so easy to analyze. Even for an advanced computer user. With the help of this automatic analyzer you are able to get some additional support. Just paste your complete logfile into the textbox at the bottom of this page. Due to a few misunderstandings, I just want to make it clear that this site provides only an online analysis, and not HijackThis the program.

    http://hijackthis.de/

    Let us know the results of the scan and what it detects. You could also post the HJT log file for us to have a look at.

    Did you download, install, update MalwareBytes, and then run it?

    +
    0 Votes
    rodmanbrowning

    Files and extensions are hidden.

    NoAutINF has an extension of .reg.

    Yes, I can open regedit32. But, NoAutINF.reg still will not merge.

    Yes, I have current versions of avast!, MalwareBytes, and SpyBot S&D

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:52:10 PM, on 9/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hotmail.msn.com/cgi-bin/sbox?action=inbox
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-21-343818398-651377827-682003330-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Administrator')
    O4 - HKUS\S-1-5-21-343818398-651377827-682003330-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252762969718
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

    I really appreciate this help!
    Rodman

    +
    0 Votes
    seanferd

    But my eyes are killing me.

    +
    0 Votes
    Jacky Howe

    run HJT after running MBAM. It looks like MBAM is set to run on the next boot.

    If so, restart the System and let MBAM run through. Check the log file and let us know what the files were that it removed. There may be files with different extensions, e.g. .dll, .exe

    Could you go back to your OOPs post and rearrange the dir's to < dir > with a space between < dir it is causing the following posts to cascade.

    +
    0 Votes

    LOL

    Jacky Howe

    should have run a HJT after installing MBAM on a clean System before posting. It's normal for that reference to be there.

    +
    0 Votes
    rodmanbrowning

    Nothing seems to resolve the problem with the exception of wiping the drive and re-installing. I've gotten so confused I don't know if I'm coming or going. So, I'm going to do the wipe and start anew with the external drive disconnected, and make sure all the Anti-this and Anti-that is up to date and in the paranoid state before attempting to turn it on. I greatly appreciate all the time and attention all of you have given. If there are any suggestions to keep the external drive from reinfecting my new clean install please feel free. Just keep in mind I don't do this every day, so keep it simple

    Again, thanks a lot,
    Rodman

    P.S. Whoever wrote this dastardly piece of code (the Virus) should be prosecuted. It is akin to kidnapping and torture and should be dealt with appropriately. OK, I'm off the box

    +
    0 Votes
    seanferd

    Just remember that "wipe" means "nuke & pave". See
    http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=317102&messageID=3158855
    for OH Smeg's notes on this. A reformat or deleting partitions may not be enough.

    Also note that any writable, removable media should be scanned before use (with autorun disabled) if it has been attached to the problem machine. (USB flash devices, floppies, etc.) Otherwise, they may re-infect the computer, or any other they come into contact with.

    Again, good luck. Maybe take a couple aspirin.

    +
    0 Votes
    Jacky Howe

    just let us know. Start a new thread and give us the details. You are correct in keeping the external drive disconnected.

    When you have reinstalled the Operating System install your Antivirus and let it Update before connecting to the internet. Install MalwareBytes and Spybot again and update them.

    Turn off System Restore before connecting the external drive, and when you do connect the external drive check in System Restore and stop monitoring the external drive if it is being monitored. The nasties like to hide in restore points. Good luck.

  • +
    0 Votes
    OH Smeg

    Need to Wipe the HDD with a Utility like Kill Disc. This will take several hours depending on the size of the HDD and it's Speed.

    http://www.killdisk.com/downloadfree.htm

    If you have a IDE Drive use Boot & Nuke from here as it does a better job of wiping the HDD but if you have a SATA Drive use Kill Disc.

    http://www.dban.org/

    Then after you have wiped the HDD you need to perform a new install tot he Blank HDD. After this is finished and the drivers are installed you should install the AV Product and Update it then you can proceed to the Windows Update Servers and update the OS. The install Malware Bytes and update as required

    http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol&cdlPid=10878968

    Spy Bot S&D

    http://www.safer-networking.org/en/download/index.html

    After this is finished you can first connect the External Drive scan it with all AV & Malware Products installed and then import the Documents & Settings from your Backup but make sure that you have a Working & Upgraded AV Product In Place before starting the Import of the Documents & Settings.

    Col

    +
    0 Votes
    rodmanbrowning

    Here in lies the Delimma!

    Wiping the drive mean fixing the problem but losing about 10 years of work. Not mention extremely valuable and irreplaceable scripts, templates, graphics, software and thier keys. I'd rather connect the External HD, re-infect the root drive and do without updates from Microsoft before I even contimplate wiping the drive. I've already updated AV and Anti-Spyware to the root drive.
    Thanxs for the suggestion, but No Thanxs

    +
    0 Votes
    OH Smeg

    All my software, documents, software keys, data backups, etc. are on the ExtHD!

    So there is nothing important that you can not afford to loose on the Boot Drive so how will you wipe out 10 years of work?

    Here you need to wipe the Boot Drive and reload. I very much doubt that you have a clean Boot drive as you think you have

    Frustrated, I preformed a clean install of WinXP

    If you did a clean install of XP you formatted the drive which isn't good enough to kill some infections. Just because it doesn't show doesn't mean that it's clean, just that you have yet to trigger the reinfection routine which appears to happen when you install the NIC Drivers if your description is correct. The instant I install the NIC driver and connect, I'm infected again

    So you need to start with a Known Clean system. Of course if you have not done a Clean Install and just a Repair Install that is a different story as you have not really attempted to kill the Infection.

    If you have another computer you could fully update that install the necessary AV and Malware Removal Tools and scan the Boot Drive which you would need to remove from this computer and the external drive to Kill Any infections that you may have.

    if you do not have another computer you could just by a new HDD that suits your computer remove the current Boot Drive and load the new Drive with the OS and tools so that you can do the same thing as you would with a different computer.

    Either way you need Up To Date AV, Spyware and Malware products installed to kill the infection if it is possible or at the very least identify the Infection so you can then take steps to kill it.

    Failing that if you have not actually done a New Clean Install follow Jacky's Instructions below. They are exactly what I would have suggested if you had not of said that you where reinfecting a New Clean Install of XP.

    Col

    +
    0 Votes
    rodmanbrowning

    I developed a root drive 'wipe' as standard procedure for a "clean install" in these cases long ago. So, I thought you were speaking of the External. In any case I proceeded, and it appears the problem has been resolved. However, I do greatly appreaciate you taking the time and effort to respond to the post. Have a great day

    Gratefully,
    Rodman

    +
    0 Votes
    Jacky Howe

    update them and your Antivirus before connecting the external drive. Try this and then MBAM, Spybot.

    Better disable the autorun first.

    Copy and paste this into Notepad and save it as NoAutINF.reg

    ---->copy below<----

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

    ---->copy above<----

    Navigate to the location that you saved it to and double click on it and select Merge. Restart the System for it to take effect.

    Open a Command Prompt by pressing the WinKey + r and then typing <b>cmd</b> in the run box. At the command prompt type the (drive letter): and press Enter.

    drive letter is the drive letter that you are connecting to.

    type dir /ah and press Enter.

    This will display a list of the Hidden files on the Drive. Check whether the following file is there Autorun.inf and also look for suspicious .exe files.

    If the file is there

    type notepad autorun.inf and press Enter.

    Save the file to another location with an extension .txt as this will contain the executable file that is being invoked.

    Type attrib -h -r -s (drive letter):\autorun.inf and press Enter.

    Type del (drive letter):\autorun.inf


    To remove the files from the Registry and the Locations that they are invoked from follow these instructions.

    Tip! The executable file will be named in the file that you previously saved with Notepad.


    Press the WinKey + r and type in <b>msconfig</b> and press Enter. Click on the startup Tab.

    Check the list to find the file that you are looking for, expand the <u>Location</u> column to see where it is loading from in the registry.

    Press the WinKey + r and type in <b>regedt32</b> and click OK. Browse to the key listed in the <u>Location</u> column for Msconfig.

    Delete the key on the right hand side only, that specifically matches that startup file.

    Note the <b>Command</b> folder in msconfig. Browse to the folder, and delete the .exe file.

    :::::eXample:::::

    The Startup TAB of Msconfig will show you the directory where pop.exe loads from:

    <b>Command</b> c:\Windows\system32\pop.exe

    and

    <u>Location</u> will guide you to it's location in the Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    With the registry editor open find the Run key in the left window. On the right hand pane you'll see each file that is in the Run key, pop.exe will be there. Right click and Delete the entry for pop.exe.

    Browse to the c:\Windows\system32 folder, and select the pop.exe file, hold down the Shift Key and press the Del Key.

    Repeat these steps for each item that you want to remove.

    Let us know how you get on.

    Edit: to add disable the autorun

    +
    0 Votes
    rodmanbrowning

    Because, the instant I connect the External Hard Drive and it spins up, I'm going to re-infect the root drive. Are the instructions you're giving a fix to the re-infestation? I've already updated the AV and AntiSpy software on the clean root drive in addition to MS updates.
    Is the infection this "POP.EXE" and these instruction you're giveing the fix to that infection? If so, then I guess reinfection is unavoidable. Is this correct?

    +
    0 Votes

    NO!

    Jacky Howe

    What I'm suggesting is to try and avoid a reinfection. The registry fix will disable the autorun file from running and possibly reinfecting your System. This is assuming it is that type of Virus.

    Checking for the autorun.inf and checking the contents will tell you the name of the executable file that is on your external hard drive that is causing the infection. The contents of the file could include any one of these files.

    Ravmon.exe
    New Folder.exe
    svchost.exe
    Heap41a

    If it is the autorun Virus you would be able to delete the referenced file before it can do any damage.

    eXample:
    attrib -s -h -r /s /d will remove the file attributes to expose them as they are normally hidden.

    If you find ravmon.exe you would then

    type del ravmon.exe

    You would only have to run msconfig if the System was reinfected. pop.exe is only an eXample of what you are looking for. It could be one of the above files or something else altogether.

    When you have checked for, found and deleted the file it is time to scan the drive with your other Antiviral/Malware software.

    +
    0 Votes
    rodmanbrowning

    Thanks for clarifing, I was confused. I proceded with connecting the Ext. Drive and Checked

    "whether the following file is there Autorun.inf and also look for suspicious .exe files."

    and found no such files. I've since completed full scans and am back up and running. With respect and gratitude I thank you for your time and effort in helping me resolving my delimma. Have a great day and may things always go your way!

    Rodman

    0 Votes
    rodmanbrowning

    My problem is back. I tried to execute your previous instructions but had problems.
    First, when I double-click noautoinf.reg it just opens Notepad. Same thing if I right-click and Merge.

    C:\>dir /ah
    Volume in drive C is OS DRIVE
    Volume Serial Number is D84D-3529

    Directory of C:\

    09/11/2009 10:43 PM 211 boot.ini
    09/11/2009 10:51 PM 0 IO.SYS
    09/11/2009 10:51 PM 0 MSDOS.SYS
    09/13/2009 10:10 AM <DIR> MSOCache
    08/04/2004 07:00 AM 47,564 NTDETECT.COM
    09/12/2009 09:40 AM 250,048 ntldr
    09/15/2009 07:42 PM 805,306,368 pagefile.sys
    09/12/2009 05:04 AM <DIR> RECYCLER
    09/11/2009 10:57 PM <DIR> System Volume Information
    6 File(s) 805,604,191 bytes
    3 Dir(s) 33,107,988,480 bytes free
    ----------------------------------------------------
    D:\>dir /ah
    Volume in drive D is DATA DRIVE
    Volume Serial Number is D490-FE7C

    Directory of D:\

    09/12/2009 05:05 AM <DIR> RECYCLER
    09/12/2009 06:10 AM <DIR> System Volume Information
    0 File(s) 0 bytes
    2 Dir(s) 38,028,722,176 bytes free
    ----------------------------------------------------
    E:\>dir /ah
    Volume in drive E is EXT. DRIVE
    Volume Serial Number is A033-AD76

    Directory of E:\

    09/13/2009 09:55 AM <DIR> RECYCLER
    08/31/2009 08:44 PM <DIR> System Volume Information
    0 File(s) 0 bytes
    2 Dir(s) 40,064,401,408 bytes free
    ----------------------------------------------------


    Don't see anything suspect. Do You?
    avast! has sent "i4j.exe" to the virus chest

    Rodman

    0 Votes
    seanferd

    Expand the tree under regfile to /open/command and see that the default value is type REG_SZ with data regedit.exe "%1"

    An infection may have tried to disable registry merging for you.

    0 Votes
    rodmanbrowning

    Has a data value of: NOTEPAD.EXE %1.

    Is this correct?

    0 Votes
    seanferd

    As stated previously, it should be
    regedit.exe "%1"

    This is why you cannot merge .reg files to the registry. Edit the entry accordingly, and you can then merge the .reg file. :)

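    The two seanferd posts above explain the symptom: double-clicking a .reg file runs whatever HKCR\regfile\shell\open\command says, and a hijacked value such as NOTEPAD.EXE %1 silently turns every "merge" into "open in Notepad". The following is an added example (not code from the thread) that classifies that command string, reads the live values on Windows from both the per-user and machine-wide Classes keys, and can put the handler back to regedit.exe "%1", the default the thread states. It assumes that default; repair_handler() writes to HKCR and so needs an elevated prompt. The HKCU check matters because HKCR is a merged view in which HKCU\Software\Classes overrides HKLM\Software\Classes, so a per-user hijack can hide behind a correct machine default.

```python
"""Check (and optionally repair) the handler used when a .reg file is merged.

Added example, not from the thread. Assumes the expected handler is
regedit.exe "%1" as the thread states; repair_handler() writes to HKCR and
therefore needs an elevated (administrator) prompt.
"""
import os
import re

EXPECTED = 'regedit.exe "%1"'
HANDLER_SUBKEY = r"regfile\shell\open\command"
# program is either a double-quoted token or a run of non-space characters
_CMD_RE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*(?P<args>.*)$')


def classify_handler(value):
    """Return (verdict, program, reason) for a regfile open command string.

    'ok' only when the program is regedit.exe (bare or with a path) and the
    arguments pass the clicked file as %1; anything else, including the
    NOTEPAD.EXE %1 seen in the thread, is 'hijacked' or 'malformed'.
    """
    if not isinstance(value, str) or not value.strip():
        return ("malformed", "", "empty or non-string default value")
    m = _CMD_RE.match(value)
    if not m:
        return ("malformed", "", "could not split program from arguments")
    program = m.group("q") or m.group("u")
    base = os.path.basename(program.replace("\\", "/")).lower()
    args = m.group("args")
    if base != "regedit.exe":
        return ("hijacked", program, "handler is %s, not regedit.exe" % base)
    if '"%1"' not in args and "%1" not in args.split():
        return ("malformed", program, "regedit.exe is not passed the file as %1")
    return ("ok", program, "handler launches regedit.exe with the .reg file")


def read_handlers():
    """Read the per-user and machine-wide handler values (Windows only).

    HKCR merges HKCU\\Software\\Classes over HKLM\\Software\\Classes, so both are
    read separately. Returns {hive: value-or-None}; {} where winreg is absent.
    """
    try:
        import winreg
    except ImportError:
        return {}
    result = {}
    for name, hive in (("HKCU", winreg.HKEY_CURRENT_USER),
                       ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            with winreg.OpenKey(hive, "Software\\Classes\\" + HANDLER_SUBKEY) as k:
                result[name] = winreg.QueryValueEx(k, "")[0]
        except OSError:
            result[name] = None
    return result


def repair_handler():
    """Set HKCR\\regfile\\shell\\open\\command's default value back to EXPECTED.

    Needs administrator rights. Check the HKCU copy from read_handlers() too:
    if it is set, it shadows this value and must be deleted or fixed as well.
    """
    import winreg
    with winreg.CreateKey(winreg.HKEY_CLASSES_ROOT, HANDLER_SUBKEY) as k:
        winreg.SetValueEx(k, "", 0, winreg.REG_SZ, EXPECTED)


if __name__ == "__main__":
    handlers = read_handlers()
    if not handlers:
        # Not on Windows: demonstrate with the value reported in the thread.
        handlers = {"HKCR (sample)": "NOTEPAD.EXE %1"}
    for hive, value in handlers.items():
        verdict = classify_handler(value) if value else "(not set)"
        print(hive, repr(value), verdict)
```

    Once the handler reads regedit.exe "%1" again, merging the .reg file works as seanferd describes. If the value keeps reverting to Notepad after a repair, something on the machine is rewriting it and the HijackThis/MBAM steps further down the thread are the next move, not another manual edit.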
    0 Votes
    Jacky Howe

    Have you enabled hidden files and file extensions? Your .reg file may have a .txt extension.

    In Explorer go to the Menu and select Tools, Folders Options, View. Uncheck "Show hidden files and folders".
    Hide extensions for known types and Hide protected operating system files. Click OK. Now check the extension on your .reg file.

    I don't think that it's related to the autorun virus looking at your post.

    Press the WinKey + r type regedt32 and press Enter. Can you access the registry?


    Download HijackThis and run it and then go to the site below to analyze it.

    http://aumha.org/downloads/hijackthis.exe

    HijackThis log file analysis

    Hijack This opens you a possibility to find and fix nasty entries on your computer easier. Therefore it will scan special parts in the registry and on your harddisk and compare them with the default settings. If there is some abnormality detected on your computer HijackThis will save them into a logfile. In order to find out what entries are nasty and what are installed by the user, you need some background information.

    A logfile is not so easy to analyze. Even for an advanced computer user. With the help of this automatic analyzer you are able to get some additional support. Just paste your complete logfile into the textbox at the bottom of this page. Due to a few misunderstandings, I just want to make it clear that this site provides only an online analysis, and not HijackThis the program.

    http://hijackthis.de/

    Let us know the results of the scan and what it detects. You could also post the HJT log file for us to have a look at.

    Did you download, install, update MalwareBytes, and then run it?

    0 Votes
    rodmanbrowning

    Files and extensions are hidden.

    NoAutINF has an extension of .reg.

    Yes, I can open regedit32. But, NoAutINF.reg still will not merge.

    Yes, I have current versions of avast!, MalwareBytes, and SpyBot S&D

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:52:10 PM, on 9/14/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16876)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AskBarDis\bar\bin\AskService.exe
    C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hotmail.msn.com/cgi-bin/sbox?action=inbox
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-21-343818398-651377827-682003330-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Administrator')
    O4 - HKUS\S-1-5-21-343818398-651377827-682003330-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252762969718
    O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe

    I really appreciate this help!
    Rodman

    0 Votes
    seanferd

    But my eyes are killing me.

    0 Votes
    Jacky Howe

    run HJT after running MBAM. It looks like MBAM is set to run on the next boot.

    If so, restart the System and let MBAM run through. Check the log file and let us know what the files were that it removed. There may be files with different extensions, e.g. .dll, .exe.

    Could you go back to your OOPs post and rearrange the dir's to < dir > with a space between < and dir? It is causing the following posts to cascade.

    0 Votes

    LOL

    Jacky Howe

    should have run a HJT after installing MBAM on a clean System before posting. It's normal for that reference to be there.

    0 Votes
    rodmanbrowning

    Nothing seems to resolve the problem with the exception of wiping the drive and re-installing. I've gotten so confused I don't know if I'm coming or going. So, I'm going to do the wipe and start anew with the external drive disconnected, and make sure all the Anti-this and Anti-that is up to date and in the paranoid state before attempting to turn it on. I greatly appreciate all the time and attention all of you have given. If there are any suggestions to keep the external drive from reinfecting my new clean install please feel free. Just keep in mind I don't do this every day, so keep it simple.

    Again, thanks a lot,
    Rodman

    P.S. Whoever wrote this dastardly piece of code (the virus) should be prosecuted. It is akin to kidnapping and torture and should be dealt with appropriately. OK, I'm off the box.

    0 Votes
    seanferd

    Just remember that "wipe" means "nuke & pave". See
    http://techrepublic.com.com/5208-6230-0.html?forumID=101&threadID=317102&messageID=3158855
    for OH Smeg's notes on this. A reformat or deleting partitions may not be enough.

    Also note that any writable, removable media should be scanned before use (with autorun disabled) if it has been attached to the problem machine. (USB flash devices, floppies, etc.) Otherwise, they may re-infect the computer, or any other they come into contact with.

    Again, good luck. Maybe take a couple aspirin.

    0 Votes
    Jacky Howe

    Just let us know. Start a new thread and give us the details. You are correct in keeping the external drive disconnected.

    When you have reinstalled the Operating System install your Antivirus and let it Update before connecting to the internet. Install MalwareBytes and Spybot again and update them.

    Turn off System Restore before connecting the external drive, and when you do connect the external drive check in System Restore and stop monitoring the external drive if it is being monitored. The nasties like to hide in restore points. Good luck.