Unknown Problem with Malware or Virus

#16 Panda10 (Member, Topic Starter, 33 posts)

Even after OTL the file was still there. The only way to get rid of any of the folders is to change the permission manually. When I ran diskpart it shows only one disk as Disk 0.

#17 RKinner (Malware Expert, MVP, 19,788 posts)

So were you able to get rid of the folder?

#18 Panda10 (Member, Topic Starter, 33 posts)

I had to manually remove the folder, changing permissions in each folder and/or file, but was finally able to remove it completely. Have you figured out what the VSS error is? The AVAST Quick Scan is still showing that the file c:\users\all users isn't able to be scanned. It also pulled the folder that I deleted as not able to be scanned. I don't know what's going on or where to go from here.

#19 Panda10 (Member, Topic Starter, 33 posts)

Question. I found somewhere else how to grant permission on the root volume using the following command under the command prompt run as administrator:

icacls \\?\Volume{1362b7d2-f6a5-11e0-9cfe-e02a82d31bf9}\ /grant system:f

Should I do this to try and get rid of the VSS error, or is it not a problem, so I should just leave it alone? I'm not going to do anything without hearing from you.

#20 RKinner (Malware Expert, MVP, 19,788 posts)

I'm not convinced we want to back up this strange thing.

Let's run an Avast Boot-time scan.

Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan, then on Settings. Change the Ask at the bottom to Move to Chest. OK, then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load Windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report, then View Results. How many did it find?
I expect this is like Vista and the text copy is C:\ProgramData\Alwil Software\Avast5\report\aswboot.txt. Copy and paste that in your reply.

Ron

#21 RKinner (Malware Expert, MVP, 19,788 posts)

Thanks to one of my fellow helpers I now know how to find out where the strange thing is hiding.

Copy this line:

reg query HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices > \junk.txt

Start, All Programs, Accessories, then right click on Command Prompt and Run As Admin.

Right click and Paste, or Edit then Paste, and the copied line should appear. Hit Enter.

notepad \junk.txt

Copy and paste the text from Notepad into a reply.

Ron

PS you haven't installed Office 2010 have you?

#22 Panda10 (Member, Topic Starter, 33 posts)

I will run a boot scan and perform the other scan this afternoon/evening. A startup version of Office 2010 was on the computer (not the full version). It is being used for her schoolwork etc. Why?

#23 RKinner (Malware Expert, MVP, 19,788 posts)

The VSS error is linked to Office 2010:

http://answers.micro...38-28ab2343ff45

so it's probably not left over from the ZA infection.

Ron

#24 Panda10 (Member, Topic Starter, 33 posts)

The aswboot log is below:

10/17/2011 1:54
Scan of all local drives

File c:\HP\Bin\EndProcess.exe is infected by Win32:KillApp-w [PUP], Moved to chest
Number of searched folders: 32809
Number of tested files: 682668
Number of infected files: 1

----------------------------------------------
10/20/2011 11:52
Scan of all local drives

Number of searched folders: 32316
Number of tested files: 697439
Number of infected files: 0

#25 Panda10 (Member, Topic Starter, 33 posts)

The junk.txt is below:

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000100000000000
\??\Volume{1362b6b9-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000800C00000000
\??\Volume{1362b6ba-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF4000060C670000000
\??\Volume{1362b6bb-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000406A74000000
\DosDevices\C: REG_BINARY A7A3AEF40000800C00000000
\??\Volume{1362b6c6-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY 5C003F003F005C0049004400450023004300640052006F006D00680070005F004300440044005600440057005F00540053002D004C0036003300330052005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0030003300300030005F005F005F005F002300340026003100640033003600370035006100650026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{1362b6c8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY 5F003F003F005F00500043004900530054004F00520023004400690073006B002600560065006E005F005200450041004C00530049004C002600500072006F0064005F0052005400530035003200300038004C0055004E00300026005200650076005F0031002E00300030002300300030003000300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\DosDevices\D: REG_BINARY A7A3AEF4000060C670000000
\DosDevices\F: REG_BINARY 5F003F003F005F00500043004900530054004F00520023004400690073006B002600560065006E005F005200450041004C00530049004C002600500072006F0064005F0052005400530035003200300038004C0055004E00300026005200650076005F0031002E00300030002300300030003000300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
#{1362b6d0-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY A7A3AEF40000406A74000000
\DosDevices\E: REG_BINARY 5C003F003F005C0049004400450023004300640052006F006D00680070005F004300440044005600440057005F00540053002D004C0036003300330052005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0030003300300030005F005F005F005F002300340026003100640033003600370035006100650026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{1362b781-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY 5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F00530061006E004400690073006B002600500072006F0064005F004300720075007A006500720026005200650076005F0031002E00300030002300320030003000350031003000330031003800330030004300410036003200300032003800350031002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{1362b7d2-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
\DosDevices\Q: REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
\DosDevices\G: REG_BINARY 5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F00530061006E004400690073006B002600500072006F0064005F004300720075007A006500720026005200650076005F0031002E00300030002300320030003000350031003000330031003800330030004300410036003200300032003800350031002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{33f76ed1-f93a-11e0-9f55-984be1a62e47} REG_BINARY 5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F004800540043002600500072006F0064005F0041006E00640072006F00690064005F00500068006F006E00650026005200650076005F003000310030003000230048005400310032004B0048005600300030003000300037002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00

#26 RKinner (Malware Expert, MVP, 19,788 posts)

Copy the next line:

wmic diskdrive list > \junk.txt

Start, All Programs, Accessories, then right click on Command Prompt and Run As Admin.

Right click and Paste, or Edit then Paste. Hit Enter.

This should create a file C:\junk.txt. Please ATTACH it to your next post.

Ron

#27 Panda10 (Member, Topic Starter, 33 posts)

Ron,

Here is the log attached as you requested.

Thanks,

Attached file: junk.txt (3.34 KB)


#28 RKinner (Malware Expert, MVP, 19,788 posts)

I've just switched to a Win 7 PC and now I'm starting to make some sense of your output. Vista apparently does things differently.

You have four partitions and that is what we see at the beginning of the output from the first junk.txt:

\??\Volume{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000100000000000 = partition 1
\??\Volume{1362b6b9-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000800C00000000 = partition 2
\??\Volume{1362b6ba-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF4000060C670000000 = partition 3
\??\Volume{1362b6bb-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000406A74000000 = partition 4

{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} is the whole hard drive.

Your C drive information:

\DosDevices\C: REG_BINARY A7A3AEF40000800C00000000 <==Refers to partition 2. (This is where Windows lives)

D drive:
\DosDevices\D: REG_BINARY A7A3AEF4000060C670000000 <=Refers to partition 3. (Usually the Recovery Partition 10-16G)

F drive:
\DosDevices\F: REG_BINARY A7A3AEF40000406A74000000 <=Refers to partition 4. (Mystery partition)

Partition 1 is usually the leftover stuff (100M on mine) that doesn't fit with the rest. Windows calls it System on mine.

I guess the question is do you have an F: drive?

OTL did not see it. Right click on Computer and select Manage then Disk Management (Under Storage). This should show you your hard drive broken up into 4 partitions.

Does it? What does it say about the 4th partition?
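Decoding the MountedDevices values Ron walks through above, as an added example that is not part of the thread: a 12-byte REG_BINARY value is an MBR disk signature followed by the partition's starting byte offset, and a longer value is a UTF-16LE device path, which is how the Q: entry from the posted junk.txt turns out to point at another \??\Volume{GUID} rather than at a partition on the disk.

```python
import re
import struct

# Constructed sample in the layout of the `reg query ... MountedDevices` output posted in
# this thread; the value names and hex data are copied from the junk.txt above.
SAMPLE = r"""HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000100000000000
\??\Volume{1362b6b9-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000800C00000000
\??\Volume{1362b6ba-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF4000060C670000000
\DosDevices\C: REG_BINARY A7A3AEF40000800C00000000
\DosDevices\D: REG_BINARY A7A3AEF4000060C670000000
\??\Volume{1362b7d2-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
\DosDevices\Q: REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
"""

LINE_RE = re.compile(r"^(\S+)\s+REG_BINARY\s+([0-9A-Fa-f]+)$")


def decode_value(raw: bytes) -> dict:
    # A 12-byte value names a partition on an MBR disk: the 4-byte disk signature
    # followed by the partition's starting byte offset, both little-endian.
    if len(raw) == 12:
        signature, offset = struct.unpack("<IQ", raw)
        return {"kind": "mbr", "signature": f"{signature:08X}",
                "offset": offset, "offset_mib": offset // (1024 * 1024)}
    # Anything longer is a UTF-16LE device path: a removable/optical device interface
    # or a \??\Volume{GUID} reference to another mounted volume (as Q: is here).
    return {"kind": "path", "path": raw.decode("utf-16-le").rstrip("\x00")}


def parse_mounted_devices(text: str) -> dict:
    # Map each value name (drive letter or volume GUID) to its decoded meaning.
    devices = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            devices[m.group(1)] = decode_value(bytes.fromhex(m.group(2)))
    return devices


def aliases_of(devices: dict, name: str) -> list:
    # Other names bound to exactly the same device data, e.g. which \??\Volume{...}
    # entry a drive letter corresponds to.
    return sorted(n for n, v in devices.items() if n != name and v == devices[name])


if __name__ == "__main__":
    devs = parse_mounted_devices(SAMPLE)
    for name, info in devs.items():
        print(name, info)
    print("C: is", aliases_of(devs, r"\DosDevices\C:"), "Q: is", aliases_of(devs, r"\DosDevices\Q:"))
```

Run against a full `reg query HKLM\SYSTEM\MountedDevices` dump, this lets you see whether an unexplained drive letter is a real partition on the disk (12-byte value) or a reference to some other device or volume, without touching any permissions.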

#29 Panda10 (Member, Topic Starter, 33 posts)

It has 4 partitions as follows:

C:\ NTFS Status Healthy (Boot, Page File, Crash Dump, Primary Partition)
HP_Tools FAT32 Status Healthy (Primary Partition)
Recovery D:\ NTFS Status Healthy (Primary Partition)
System NTFS Status Healthy (System Active, Primary Partition)

#30 RKinner (Malware Expert, MVP, 19,788 posts)

I think you are OK then. I expect that your Recovery drive or your HP tools are not letting themselves get backed up or it could be that the Q:\ drive created by Office 2010 is the problem. Not ZA anyway.

Ron