[brandenqi]

My laptop infected this nasty virus on December 18 or 19? 2011 when I downloaded a file. I forced the computer to shut down and retored to a previous backup in safe mold. It seems ok when i restarted except all files became hidden. it doesn't bother me to much beside it becomes slower.It gets worse on December 30, when i accidently unplug the power cord. When i restarted the computer, this virus goes wild. System restore funcion doesn't work anymore.I have to get in safety model. I did some delet according to online reference of manual removal. however, when i tried to start computer with normal, this nasty virus comes back agian. my computer can only run in safety mode now. I have limited access to internet too.
Can someone please help me?

Thanks a lot

Wish everyone a happy new year.

bo

[Advertisements]

Update on my laptop:
I can log on computer with normal model, however, I lost cotrol on every application,I cann't even open this log file with notebook.

Edited by brandenqi, 02 January 2012 - 11:10 AM.

[brandenqi]

Update on my laptop:
I can log on computer with normal model, however, I lost cotrol on every application,I cann't even open this log file with notebook.

Edited by brandenqi, 02 January 2012 - 11:10 AM.

[BlackOxide]

Hi, brandenqi! My name is BlackOxide and I will be assisting you with your Malware/Security problems. Please make sure you read all of the instructions and fixes thoroughly before continuing with them. If you have any queries or you are unsure about anything, just say and I'll help you out

It may well be worth you printing/saving the instructions throughout the fix, so you have them to hand just incase you are unable to access this site.

Please note the following:

• Remember to post your logs, not attach them. So, any logs from any programs we run, should be just 'copied & pasted' into your reply, unless I specifically need you to attach them.
• Please only run the tools that I request. I know malware can be frustrating but running other tools in the meantime and between posts, only makes it harder for me to analyse and fix your PC in the long run.
• I will always try and respond to replies as soon as possible, but please be patient as some logs require more time than others to fully analyse.
• If you are not sure of anything along the way, just ask.

OK, lets start



Could you do the following scans for me please, then get back to me with the relevant logs...


1)
Download RogueKiller to your desktop

• Quit all running programs
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
• When prompted, type 2 and press Enter on the keyboard
• The RKreport.txt shall be generated next to the executable.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Once this has been done, run RogueKiller again and do the following...

• Quit all running programs
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
• When prompted, type 6 and press Enter on the keyboard
• The RKreport.txt shall be generated next to the executable.

Please post the contents of the RKreport.txt file(s) in your next Reply.


If you cannot do the above due to the malware interfering, try following the instructions as above again, but this time with your computer booted into Safe Mode with Networking

To get into Safe Mode with Networking:

• Switch on your PC and immediately start tapping the F8 key on the keyboard
• Keep tapping it until a menu comes on the screen whereby you have several options to choose from, one of which is Safe Mode with Networking
• Make sure Safe Mode with Networking is highlighted and then press Enter
• Your PC will now boot into Safe Mode.

2)
Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O4 - HKLM..\Run: [avPYOWQgOag.exe] C:\Documents and Settings\All Users.WINDOWS\Application Data\avPYOWQgOag.exe File not found
  O4 - HKLM..\Run: [dplaysvr] C:\Documents and Settings\bobo\Application Data\dplaysvr.exe ()
  O4 - HKLM..\Run: [gfhYdHclcK.exe] C:\Documents and Settings\All Users.WINDOWS\Application Data\gfhYdHclcK.exe File not found
  [2011/12/31 18:54:18 | 000,016,418 | -HS- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\458v73p75ekmqk3f8msv2l
  
  :Services
  
  :Reg
  
  :Files
  ipconfig /flushdns /c
  
  :Commands
  [purity]
  [resethosts]
  [CREATERESTOREPOINT]]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done.
• A log may appear when the PC restarts. Just close this text file.
• Open OTL again, Tick the Scan All Users box at the top and then click the Quick Scan button. Post the log it produces in your next reply.

In your next reply
Please post the contents of...
RogueKiller log files
OTL log

[brandenqi]

Hi Blackoxide,

Thank you so much for your help. I got new problem with my computer. it won't start now. error notice is <window root>\system32\hal.dll is missing, please reinstall the file.

I have no idea how to install this file

Regards,

Bo

[BlackOxide]

Hey,

Can you tell me, did this happen after running either RogueKiller or OTL, or did it just seem to happen on it's own?


See if you can boot the PC using Last Known Good Configuration:

• Switch your PC on, then immediately start tapping the F8 key
• Keep pressing it until you are shown a list of options which include Safe Mode, Safe Mode with Networking etc...
• Use the arrow keys on the keyboard and highlight Last Known Good Configuration
• Now press Enter
• Let me know whether the PC now boots normally

If the above didn't work, could you answer the following questions for me please...

• What is the make and model of the PC? E.g Dell Dimension 5150
• What version of Windows are you running? E.g Windows XP, Windows Vista etc?
• Do you have a Windows Installation CD?
• Do you have access to another PC or Laptop?

[brandenqi]

Hey,

Can you tell me, did this happen after running either RogueKiller or OTL, or did it just seem to happen on it's own?
I did run OTL yesterday, but I am not sure it is because of this or on its own. This computer seems have multiple virus.



See if you can boot the PC using Last Known Good Configuration:

• Switch your PC on, then immediately start tapping the F8 key
• Keep pressing it until you are shown a list of options which include Safe Mode, Safe Mode with Networking etc...
• Use the arrow keys on the keyboard and highlight Last Known Good Configuration
• Now press Enter
• Let me know whether the PC now boots normally

This doesn't work.

If the above didn't work, could you answer the following questions for me please...

• What is the make and model of the PC? E.g Dell Dimension 5150
  compaq presario F500,
  
• What version of Windows are you running? E.g Windows XP, Windows Vista etc?
  Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600)
• Do you have a Windows Installation CD?
  no
• Do you have access to another PC or Laptop?
  I have another laptop running with xp

Edited by brandenqi, 02 January 2012 - 03:40 PM.

[BlackOxide]

To fix this issue we will need to boot from either a Windows Installation disc or a Recovery Console Disc. As you don't currently have a Windows disc we'll go ahead and create a CD containing the Recovery Console. You will need to do this on your Laptop and it will require a blank CD.

To create the Recovery Console disc, just follow the steps below...


Please download ARCDC from Artellos.com.

• Double click ARCDC.exe
• Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
• You will be prompted with a Terms of Use by Microsoft, please accept.
• You will see a few dos screens flash by, this is normal.
• Next you will be able to choose to add extra files. Select the Default Files.
• The last window will allow you to burn the disk using BurnCDCC

Your ISO is located on your desktop.

[brandenqi]

Hey,
I burn a Recovery Concole disc and ready to go, please let me know next move.

Thanks

bo

Edited by brandenqi, 02 January 2012 - 07:06 PM.

[brandenqi]

Hey,
Things get more complex with my laptop. I made the recovery console disk and use it to copy hal.dll file to my computer. it goes well.however, when I start it, a new error messange says "load needed dlls file to kernel".

Then I did a really stupid thing, I followed a online reference to solve dlls problems.The result is a new error comming up :"NTLDR is missing".

Now I know the right way to do is exactly waiting for your advice on next move. I am really sorry for my stupid doing and looking forward for your help.

what I did is I run this two actions under recovery mold.
FIXBOOT
FIXMBR

Edited by brandenqi, 02 January 2012 - 10:15 PM.

[BlackOxide]

Yep if you can always try and wait for the instructions as it can often mean one step forward and two steps back

There will sometimes be delays between our posts due to the time differences, but we'll get it sorted I'm sure.


Back onto the problem in hand. We will try Fix NTLDR to see if this resolves the problem. This is another CD you will need to burn. Just follow the instructions here on burning the CD and using the bootable CD. Basically you will need to try all of the options to see if any get the PC booting again. Note down which number gets the PC booting (if at all).

Let me know if you have any problems.

[brandenqi]

I will keep your advice in mind

I tyied the new NTLDR disc, only the 1ST option sent me to "windows could not start because of an error in the software. please report this problem as:load needed dlls for kernel", which appeared after I copied hal.dll file with fist burned Disk.
all the other options give me error message mention by the web site.

I also tried to go to safe mode,the screen shows:
multi(0)disk(0)rdisk(0)partition(1)\windows\system32\ntkrnlpa.exe
multi(0)disk(0)rdisk(0)partition(1)\windows\system32\hal.dll
multi(0)disk(0)rdisk(0)partition(1)\windows\system32\kdcom.dll
windows could not start because of an error in the software. please report this problem as:load needed dlls for kernel


bo

[BlackOxide]

Thanks for the info. Could be a tricky one to get round without the use of a Windows CD or Recovery Disc by the looks of it. Do you know anybody that has got an official Windows CD you could borrow by any chance?

What we'll do first though is test the Hard Drive, as in your OTL log there were reports of Bad Blocks in the Event logs, which could indicate that part of the problem here is the Hard Drive. To see what state it is in we'll run a test on it. It just means using another blank CD, so I hope I haven't gone through them all yet


Hard Drive Test
We will use SeaTools to test your Hard Drive. You will need a blank CD for this process.

Click here to download the SeaTools disc image

Burning the ISO image to CD

• Click here to download ImgBurn, a program which we will use to burn the .iso file onto a Blank CD
• Once downloaded, double click the ImgBurn installation file and follow the prompts to install it
• Open ImgBurn and click Write image file to disc
• Insert a blank CD into your drive
• Now click Browse for a file

• Navigate to the SeaTools ISO file that you downloaded, select it, then click Open
• Now click on the following button to start burning the image to disc
  
  
  
• Once the CD has been burnt, insert it back into the CD drive and shutdown your PC
• Restart the PC and SeaTools should load up
• If it doesn't automatically load, you will need to change the Boot Order in your BIOS, so that the PC looks at the CD Drive before booting into Windows. If you are unsure of how to do this, just let me know your Make and Model of PC/Laptop
• When SeaTools has loaded, click I Agree on the License Agreement
• Click Basic Tests at the top, then click on Long Test
• It will then perform a full test on your Hard Drive
• If no errors were found, at the end of the test it will display PASSED in the Test Results column
• If a problem was detected on the Hard Drive it will alert you to it and you should see the number of errors detected in the Test Progress column. If there are any errors, please note down how many errors it found.
• Once the scan has finished, just click Exit at the top and boot back into Windows
• Report back on whether the drive passed or if any errors were detected (and how many)

[brandenqi]

Hey,

I burn the SeaTools disc, and boot my computer from the disc, however, i can't move my mouse to do anything even click on i accept.

[BlackOxide]

Ahh I have known this before on some USB Mice. You will just need to use the keyboard to start the scan. When you see the License Agreement at the start, press Enter on the keyboard. Then give it around 10-20 seconds to detect your Hard Drive. Then press the Down arrow key on your keyboard twice. Long Test should now be highlighted. Just press Enter and it will begin the Test

[brandenqi]

I run the test and it said long test passed