Malware, virus, or boot sector?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LCR, Mar 25, 2005.

  1. LCR

    LCR Private E-2

    I have a computer operating on Win XP SP2. After running an antispyware utility (I do have several that I run because I have found that each will pick up spyware that not all will detect) but cannot remember which one, I rebooted. I now have a problem where at the end of normal bootup Windows can only detect the barest of files. No desktop; it can run almost no programs, including Windows system programs. I can use safe mode most of the time, although it does take a long time to boot up, and use all programs that can run in safe mode. I have run virus scans and Spybot (which did clean up a lot of stuff), but there is still no improvement. Question is, is it malware, a nasty virus et al., or is my boot sector going, meaning I have to format it? If I have to format it, is there a cheap Ghost-type utility out there that I could use to save everything on the drive and, after formatting, reload it and be able to run it like it was before the problems started?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try to attach an HJT log for me so we can see what startup items you have.

    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).

     
  3. LCR

    LCR Private E-2

    Importing as a text file from the computer with the problem.
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    At the moment, can you access Control Panel, Run box, Desktop?
     
  5. LCR

    LCR Private E-2

    Only in safe mode. In normal mode, even the run command does not work.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Boot back into Safe Mode and click start and then run.

    Type in msconfig and hit OK.

    Click on "Selective Startup" and uncheck "Load Startup Items" and hit ok.

    Reboot, see if this helps any!
     
  7. LCR

    LCR Private E-2

    Because I have browsed these forums before in search of other answers (which by the way are very helpful), I already tried that and I get a message saying that the desktop is not available due to insufficient resources.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Let me post you a fix from the HJT log and we will go from there.

    Give me a few moments.
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ghrone

    ddcdes

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and, if you see it, try to END it:

    Ghrone.exe


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

    O4 - HKLM\..\Run: [DDCDes] C:\Program Files\ddcdes\ddcdes.exe
    O4 - HKCU\..\Run: [Ghrone] C:\Program Files\Ghrone\Ghrone.exe
    O4 - Startup: NaturalColorLoad.lnk = ?

    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab

    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\program files\common files\symantec shared\ccevtmgr.exe (file missing)
    O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - c:\program files\common files\symantec shared\ccproxy.exe (file missing)
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - c:\program files\common files\symantec shared\ccpwdsvc.exe (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\program files\common files\symantec shared\ccsetmgr.exe (file missing)
    O23 - Service: ISSvc (ISSVC) - Unknown owner - d:\a\nis2005\setup\iscommon\app\issvc.exe (file missing)
    O23 - Service: KOZYU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Bryan\LOCALS~1\Temp\KOZYU.exe
    O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - D:\Prevx Home\PXAgent.exe" -f (file missing)
    O23 - Service: SAVScan - Unknown owner - d:\a\nis2005\nav\external\norton\app\savscan.exe (file missing)
    O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - c:\program files\common files\symantec shared\script blocking\sbserv.exe (file missing)
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe (file missing)
    O23 - Service: Symantec Core LC - Unknown owner - c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    While in Safe Mode, delete these files if they exist.

    C:\Program Files\Ghrone ←–– Delete this whole folder if it exists!

    C:\Program Files\ddcdes ←–– Delete this whole folder if it exists!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
     
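The fix list above is the result of reading the HJT log by hand: entries whose file is gone, a service running out of a user's Temp folder under a borrowed vendor name, autoruns for the two programs slated for removal, and ActiveX controls pulled from the web. The following is an added example, not part of the original thread or of HijackThis, that applies those same checks to the O2/O3/O4/O16/O23 lines quoted in the post; the sample log is constructed from those lines, the `suspects` list is the helper's own uninstall list, and the path patterns assume Windows XP profile layout (`C:\Documents and Settings\...`, 8.3 short names).

```python
"""Triage helper for HijackThis (HJT) log lines (added example, not HJT code).

Flags the patterns a malware helper looks for first in an HJT log:
dangling entries whose file is gone, services and autoruns loading from a
user's profile or Temp folder, ActiveX controls downloaded from the web, and
Run-key entries for programs already slated for removal.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

_SECTION_RE = re.compile(r"^(O\d+) - ")
# A Windows path ending in a binary, control, package or shortcut.
_PATH_RE = re.compile(r"(?i)([a-z]:\\[^\"\n]*?\.(?:exe|dll|ocx|cab|lnk))")
_URL_RE = re.compile(r"(?i)(https?://\S+)")
# O23 lines: "Service: <name> - <owner> - <path ...>"
_SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) -\s*(.+)$")
# XP profile root and per-user Temp, in long and 8.3 forms (assumed layout).
_PROFILE_RE = re.compile(
    r"(?i)\\(?:docume~1|documents and settings)\\"
    r"|\\(?:locals~1|local settings)\\temp\\|\\temp\\"
)


@dataclass
class Finding:
    section: str
    target: str
    flags: list = field(default_factory=list)
    raw: str = ""


def extract_target(line):
    """Return the file path or URL an HJT entry points at, or None."""
    m = _PATH_RE.search(line) or _URL_RE.search(line)
    return m.group(1) if m else None


def is_profile_path(path):
    """True when the path lives under a user profile or a Temp folder."""
    return bool(_PROFILE_RE.search(path))


def triage(log_text, suspects=()):
    """Run the checks over every O-section line; return only flagged entries."""
    suspects = tuple(s.lower() for s in suspects)
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if not m:
            continue
        section, target, flags = m.group(1), extract_target(line), []
        if "(file missing)" in line or "(no file)" in line:
            flags.append("file missing: dangling entry")
        if target and is_profile_path(target):
            flags.append("loads from a user profile or Temp folder")
        if section == "O23":
            sm = _SERVICE_RE.match(line)
            owner = sm.group(2) if sm else "Unknown owner"
            if owner.lower() != "unknown owner" and target and is_profile_path(target):
                flags.append(f"claims vendor '{owner}' but runs from a profile folder")
        if section == "O16" and target:
            flags.append(f"ActiveX control downloaded from {urlparse(target).netloc}")
        if section == "O4" and target is None:
            flags.append("autorun target could not be resolved")
        if section == "O4" and target and any(s in target.lower() for s in suspects):
            flags.append("autorun for a program slated for removal")
        if flags:
            findings.append(Finding(section, target or "?", flags, line))
    return findings


# Constructed sample: the entries quoted in the fix above.
SAMPLE_LOG = r"""
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [DDCDes] C:\Program Files\ddcdes\ddcdes.exe
O4 - HKCU\..\Run: [Ghrone] C:\Program Files\Ghrone\Ghrone.exe
O4 - Startup: NaturalColorLoad.lnk = ?
O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - c:\program files\common files\symantec shared\ccevtmgr.exe (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - c:\program files\common files\symantec shared\ccproxy.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner -c:\program files\common files\symantec shared\ccpwdsvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - c:\program files\common files\symantec shared\ccsetmgr.exe (file missing)
O23 - Service: ISSvc (ISSVC) - Unknown owner - d:\a\nis2005\setup\iscommon\app\issvc.exe (file missing)
O23 - Service: KOZYU - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Bryan\LOCALS~1\Temp\KOZYU.exe
O23 - Service: Prevx Agent (PrevxAgent) - Unknown owner - D:\Prevx Home\PXAgent.exe" -f (file missing)
O23 - Service: SAVScan - Unknown owner - d:\a\nis2005\nav\external\norton\app\savscan.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - c:\program files\common files\symantec shared\script blocking\sbserv.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - c:\program files\common files\symantec shared\spbbc\spbbcsvc.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, suspects=("Ghrone", "ddcdes")):
        print(f"{f.section:<4} {f.target}\n      " + "; ".join(f.flags))
```

The "(file missing)" entries are the leftovers of a removed or broken Norton install and are safe to fix in HJT; the one line that is not dangling, KOZYU, is the one to look at hardest: a service that names a real vendor but executes from `C:\DOCUME~1\...\Temp`, which no legitimate installer would do.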
