
Unknown Problem with Malware or Virus
Started by
Panda10
, Oct 08 2011 08:21 PM
#16
Posted 17 October 2011 - 11:08 PM

#17
Posted 17 October 2011 - 11:28 PM

So were you able to get rid of the folder?
#18
Posted 18 October 2011 - 06:45 PM

I had to manually remove the folder changing permissions in each folder and/or file but was finally able to remove it completely. Have you figured out what the VSS error is? The AVAST Quick Scan is still showing that the file c:\users\all users isn't able to be scanned. It also pulled the folder that I deleted as not able to be scanned. I don't know what's going on or where to go from here.
#19
Posted 18 October 2011 - 06:58 PM

Question. I found somewhere else how to grant permission to the root volume using the following command under the command prompt run as administrator:
icacls \\?\Volume{1362b7d2-f6a5-11e0-9cfe-e02a82d31bf9}\/grant system:f
Should I do this to try and get rid of the VSS error or is it not a problem so should I just leave it alone. I'm not going to do anything without hearing from you.
#20
Posted 18 October 2011 - 07:19 PM

I'm not convinced we want to back up this strange thing.
Let's run an Avast Boot-time scan.
Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?
I expect this is like Vista and the text copy is C:\ProgramData\Alwil Software\Avast5\report\aswboot.txt. Copy and paste that in your reply.
Ron
#21
Posted 18 October 2011 - 08:53 PM

Thanks to one of my fellow helpers I now know how to find out where the strange thing is hiding.
Copy this line:
reg query HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices > \junk.txt
Start, All Programs, Accessories then right click on Command Prompt and Run As Admin.
Right click and Paste or Edit then Paste and the copied line should appear. Hit Enter.
notepad \junk.txt
Copy and paste the text from notepad into a reply.
Ron
PS you haven't installed Office 2010 have you?
#22
Posted 19 October 2011 - 09:04 AM

I will run a boot scan and perform the other scan this afternoon/evening. A startup version of Office 2010 was on the computer (not the full version). It is being used for her schoolwork etc. Why?
#23
Posted 19 October 2011 - 09:18 AM

The VSS error is linked to Office 2010:
http://answers.micro...38-28ab2343ff45
so it's probably not left over from the ZA infection.
Ron
#24
Posted 19 October 2011 - 11:37 AM

The aswboot log is below:
10/17/2011 1:54
Scan of all local drives
File c:\HP\Bin\EndProcess.exe is infected by Win32:KillApp-w [PUP], Moved to chest
Number of searched folders: 32809
Number of tested files: 682668
Number of infected files: 1
----------------------------------------------
10/20/2011 11:52
Scan of all local drives
Number of searched folders: 32316
Number of tested files: 697439
Number of infected files: 0
#25
Posted 19 October 2011 - 11:58 AM

The junk.txt is below:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000100000000000
\??\Volume{1362b6b9-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000800C00000000
\??\Volume{1362b6ba-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF4000060C670000000
\??\Volume{1362b6bb-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000406A74000000
\DosDevices\C: REG_BINARY A7A3AEF40000800C00000000
\??\Volume{1362b6c6-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY 5C003F003F005C0049004400450023004300640052006F006D00680070005F004300440044005600440057005F00540053002D004C0036003300330052005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0030003300300030005F005F005F005F002300340026003100640033003600370035006100650026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{1362b6c8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY 5F003F003F005F00500043004900530054004F00520023004400690073006B002600560065006E005F005200450041004C00530049004C002600500072006F0064005F0052005400530035003200300038004C0055004E00300026005200650076005F0031002E00300030002300300030003000300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\DosDevices\D: REG_BINARY A7A3AEF4000060C670000000
\DosDevices\F: REG_BINARY 5F003F003F005F00500043004900530054004F00520023004400690073006B002600560065006E005F005200450041004C00530049004C002600500072006F0064005F0052005400530035003200300038004C0055004E00300026005200650076005F0031002E00300030002300300030003000300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
#{1362b6d0-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY A7A3AEF40000406A74000000
\DosDevices\E: REG_BINARY 5C003F003F005C0049004400450023004300640052006F006D00680070005F004300440044005600440057005F00540053002D004C0036003300330052005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F005F0030003300300030005F005F005F005F002300340026003100640033003600370035006100650026003000260030002E0031002E00300023007B00350033006600350036003300300064002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{1362b781-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY 5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F00530061006E004400690073006B002600500072006F0064005F004300720075007A006500720026005200650076005F0031002E00300030002300320030003000350031003000330031003800330030004300410036003200300032003800350031002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{1362b7d2-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
\DosDevices\Q: REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
\DosDevices\G: REG_BINARY 5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F00530061006E004400690073006B002600500072006F0064005F004300720075007A006500720026005200650076005F0031002E00300030002300320030003000350031003000330031003800330030004300410036003200300032003800350031002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
\??\Volume{33f76ed1-f93a-11e0-9f55-984be1a62e47} REG_BINARY 5F003F003F005F00550053004200530054004F00520023004400690073006B002600560065006E005F004800540043002600500072006F0064005F0041006E00640072006F00690064005F00500068006F006E00650026005200650076005F003000310030003000230048005400310032004B0048005600300030003000300037002600300023007B00350033006600350036003300300037002D0062003600620066002D0031003100640030002D0039003400660032002D003000300061003000630039003100650066006200380062007D00
#26
Posted 19 October 2011 - 01:24 PM

Copy the next line:
wmic diskdrive list > \junk.txt
Start, All Programs, Accessories then right click on Command Prompt and Run As Admin.
Right click and Paste or Edit then Paste. Hit Enter.
This should create a file C:\junk.txt. Please ATTACH it to your next post.
Ron
#27
Posted 19 October 2011 - 01:54 PM

Ron,
Here is the log attached as you requested.
Thanks,
#28
Posted 19 October 2011 - 03:48 PM

I've just switched to a Win 7 PC and now I'm starting to make some sense of your output. Vista apparently does things differently.
You have four partitions and that is what we see at the beginning of the output from the first junk.txt:
\??\Volume{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000100000000000 = partition 1
\??\Volume{1362b6b9-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000800C00000000 = partition 2
\??\Volume{1362b6ba-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF4000060C670000000 = partition 3
\??\Volume{1362b6bb-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000406A74000000 = partition 4
{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} is the whole hard drive.
Your C drive information:
\DosDevices\C: REG_BINARY A7A3AEF40000800C00000000 <==Refers to partition 2. (This is where Windows lives)
D drive:
\DosDevices\D: REG_BINARY A7A3AEF4000060C670000000 <=Refers to partition 3. (Usually the Recovery Partition 10-16G)
F drive:
\DosDevices\F: REG_BINARY A7A3AEF40000406A74000000 <=Refers to partition 4. (Mystery partition)
Partition 1 is usually the leftover stuff (100M on mine) that doesn't fit with the rest. Windows calls it System on mine.
I guess the question is do you have an F: drive?
OTL did not see it. Right click on Computer and select Manage then Disk Management (Under Storage). This should show you your hard drive broken up into 4 partitions.
Does it? What does it say about the 4th partition?
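The decoding Ron does by eye above (a 12-byte REG_BINARY value is the 4-byte MBR disk signature followed by the 8-byte partition offset, both little-endian; the long values are UTF-16LE device paths) can be automated. This is an added example, not code from the thread or from any Avast/HP tool; it assumes the input is the `reg query` text pasted in post #25 (rows copied from there, list trimmed) and also handles the `DMIO:ID:` + GUID form that GPT-partitioned disks use, which this machine does not have.

```python
"""Decode HKLM\\SYSTEM\\MountedDevices as printed by `reg query` (Python 3)."""
import re
import struct
import uuid

# Constructed sample: rows copied from the junk.txt posted above (list trimmed).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
\??\Volume{1362b6b8-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000100000000000
\??\Volume{1362b6b9-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000800C00000000
\??\Volume{1362b6ba-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF4000060C670000000
\??\Volume{1362b6bb-f6a5-11e0-9cfe-806e6f6e6963} REG_BINARY A7A3AEF40000406A74000000
\DosDevices\C: REG_BINARY A7A3AEF40000800C00000000
\DosDevices\D: REG_BINARY A7A3AEF4000060C670000000
#{1362b6d0-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY A7A3AEF40000406A74000000
\??\Volume{1362b7d2-f6a5-11e0-9cfe-e02a82d31bf9} REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
\DosDevices\Q: REG_BINARY 5C003F003F005C0056006F006C0075006D0065007B00610030003800380038003800300034002D0033003000370033002D0034006500660032002D0062003700660065002D003800370064003300340034003300630066003500390066007D00
"""
LINE_RE = re.compile(r"^(\S+)\s+REG_BINARY\s+([0-9A-Fa-f]+)$")


def decode_value(data: bytes) -> dict:
    """12 bytes = MBR disk signature + byte offset; 'DMIO:ID:' + GUID = GPT
    partition; anything else is a UTF-16LE device path (USB, optical, virtual)."""
    if len(data) == 12:
        sig, offset = struct.unpack("<IQ", data)   # both little-endian
        return {"kind": "mbr", "disk_signature": sig, "offset": offset}
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return {"kind": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    try:
        return {"kind": "path", "path": data.decode("utf-16-le")}
    except UnicodeDecodeError:
        return {"kind": "raw", "hex": data.hex()}


def parse(text: str) -> dict:
    """Return {value_name: decoded_value} for every REG_BINARY row."""
    rows = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): decode_value(bytes.fromhex(m.group(2))) for m in rows if m}


def drive_letters(entries: dict) -> dict:
    """Tie each \\DosDevices\\X: entry to the \\??\\Volume{...} names holding
    the same value, so a letter can be matched to a partition or device path."""
    result = {}
    for name, val in entries.items():
        if name.startswith("\\DosDevices\\"):
            twins = [n for n, v in entries.items() if n.startswith("\\??\\Volume") and v == val]
            result[name.rsplit("\\", 1)[1]] = {"decoded": val, "volumes": twins}
    return result


if __name__ == "__main__":
    for letter, info in sorted(drive_letters(parse(SAMPLE)).items()):
        print(letter, info)
```

With the posted values, C: resolves to the second partition at byte offset 0x0C800000 (200 MiB) on the disk with signature 0xF4AEA3A7, and Q: resolves to a path rather than a partition, which is consistent with Ron's later remark that Q: is a drive created by Office 2010.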
#29
Posted 19 October 2011 - 07:42 PM

It has 4 partitions as follows:
C:\ NTFS Status Healthy (Boot, Page File, Crash Dump, Primary Partition)
HP_Tools FAT32 Status Healthy (Primary Partition)
Recovery D:\ NTFS Status Healthy (Primary Partition)
System NTFS Status Healthy (System Active, Primary Partition)
#30
Posted 19 October 2011 - 09:20 PM

I think you are OK then. I expect that your Recovery drive or your HP tools are not letting themselves get backed up or it could be that the Q:\ drive created by Office 2010 is the problem. Not ZA anyway.
Ron