PSW.OnlineGames and Delf.DDQ causing chaos



#1
ashtonian

This morning I suddenly began getting AVG virus alert messages, all of which were apparently 'healed'. I suddenly realised that the firewall was no longer switched on, so I switched it back on and ran a full system scan. Worm/Delf.DDQ and PSW.OnlineGames.(various extensions) were found with over 500 files infected, which were then healed.

I then tried to run Spybot but the file wasn't found. I re-downloaded it and the computer rebooted immediately after installation. It would not then reconnect to the net. Again, trying to run Spybot returned a 'file not found'. Subsequent investigation proved that ALL the exe files of various anti-malware software (Ccleaner, RegistryMechanic, TrojanHunter, Microsoft AntiSpyware, Ad-aware) were all missing.

I then tried copying the Spybot exe file from my laptop onto floppy with the intention of copying it across to the infected computer .... only to find that whilst Device Manager shows both the floppy drive and combo drives are present and working correctly, neither is operational and neither shows up as a drive in Explorer.

Thankfully, HijackThis is still operational. The following is an abridged version of the log (known safe entries omitted to save typing):

02 BHO: (no name) {F5938714-BD46-408A-9842-4058206D37E3} - C:\PROGR~default\LOCALS~1\Temp\~00754.tmp (file missing)
010 - Broken Internet access because of LSP provider 'c:\windows\system32\ispair.dll' missing
020 - AppInit_DLLs:zxfpri.dll
023 - Service: Remote Help Session Manager(Rasautol) - unknown owner - C:|Windows\system32\ntsokele.exe (file missing)
023 - Service:Windows Media Conect Service (WMConnectCDS) - Unknown owner - C:\Program Files\Windows Media Conect 2\wmccds.exe (file missing)

I've tried 'fixing' all those entries (running in safe mode) but without success.


AVG's advice forum suggests running spybot, ccleaner etc in safe mode, but obviously I can't do this if I've got no method of loading/downloading the necessary files onto the machine .... any ideas please?

Edit: Further investigation suggests that AVG is operating incorrectly in that all the 'missing' files are actually in the virus vault - 'restoring' them, after 'healing', just brings back the virus alert and 'healing' then simply moves the file back to the virus vault, without any further notification.

Edited by ashtonian, 04 August 2007 - 12:33 PM.



#2
Rorschach112

Hello ashtonian, sorry for the delay. I'm just looking over your log and will get back to you soon.

#3
Rorschach112

Hello ashtonian, my name is Rorschach and I'll be helping you with your problems.


Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt


Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

So in your next reply please post the following: the windelf text, the two DSS texts in full, and tell me how your PC is running now and if you had any problems.

#4
ashtonian

Slight problem .. (or several of them, to be exact) .....

I can't download anything because, although I've managed to install another broadband modem (the software for my wireless router being totally messed up), there's obviously a problem with either the links to my isp or IE itself, as I'm getting 'page cannot be displayed' constantly - incidentally, OE doesn't work either, neither do any of my FTP programs, which makes me suspect the break in the chain is the ISP link.


My other obvious option, to download to the laptop and then transfer by floppy, won't work because the pc isn't recognising the floppy or Combo drive within windows (they're recognised on BIOS).

The more I think about it, the more I'm coming around to accepting that I'm looking at a reformat - as none of the other exe files which AVG has moved to the Virus Vault (and that's everything from Excel/Word/Access to Photoshop, Yim and even an ancient copy of TreeSizePro) are recoverable. Using the AVG 'recover from virus vault' facility isn't working because the process also seems to have destroyed the DLL files, so there are no paths to anything!

Interestingly, when I turned the pc on today, to start moving data files across to the second HD, within minutes I had no fewer than 18 'dialup connections' running in the background (not a problem because there are no modems attached).

My plan of campaign, unless you have any better ideas, is to copy as much as possible onto the second HD, format the main one and reinstall XP Pro, then run the programs you've suggested through the second drive in the hope of cleaning it before I move anything back. Does that make sense?

#5
Rorschach112

Hello ashtonian

A reformat would be the best idea as the infections seem to have done a lot of damage. Let me know how all that goes and if you are still having troubles after you have done it.

#6
ashtonian

Thank you so much - it helps no end to have someone to bounce ideas off (rather than solitary flapping).

What's worrying me most of all at the moment is just how safe it is to trust AVG (which I've always been a great believer in) because most of the problems seem to have been caused by that.

I should add that, having put the laptop online when the problem occurred, and having updated AVG on that immediately, within hours I was hit by the Bube virus, which got through AVG and a firewall and I've had the same problem with AVG moving explorer.exe into the virus vault without notification, so that I've now got no desktop on that Windows 2k system. Is this likely to be an on-going problem?

#7
Rorschach112

Hello Ashtonian

> What's worrying me most of all at the moment is just how safe it is to trust AVG

AVG is quite good, the fact is that you have some really bad infections on your PC that I don't think many anti-virus programs could deal with. Once they get on your PC, your firewall is going to have trouble also.

> Is this likely to be an on-going problem?

Well if you can get the tools we need onto your PC, then I am quite sure we can fix you up :whistling: