Virus - cannot access 2nd partition



Nomad
11-01-2009, 03:03 PM
It says the following:

D:\ is not accessible.
The maximum number of secrets that may be stored in a single system has been exceeded.

Going into safe mode, D: says it is not formatted, do you want to format.

I just want to get 2 excel files off it.
Avast didn't help. It did say virus of "autorun.inf" on C: and D:
HijackThis log appears to be clean now; before, it had IP numbers on a few lines.

Possible :dogeye:

Speedy Gonzales
11-01-2009, 03:13 PM
It sounds like one of those removable drive viruses, since it's got autorun.inf on it. This doesn't normally exist on HDDs.

Connect it to a working computer and scan it

Or get Trojan Remover below, update it, then scan. Then select all options under Utilities

Then scan the partition with it

wainuitech
11-01-2009, 03:14 PM
You've got spyware on the drives - that autorun shouldn't be there - but don't simply go deleting it.

Get Malwarebytes and Spyware Terminator from my sig - install and do full system scans.

Also post back the Hijack log.

If the above-mentioned antimalware doesn't fix it, get Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) and run that. BUT Malwarebytes and Spyware Terminator should fix it.

Nomad
11-01-2009, 03:19 PM
Thanks, trying spyware terminator now.

Malwarebytes link does not work .. could you pls update it.


:)

Speedy Gonzales
11-01-2009, 03:24 PM
It works, whatever you've got is probably stopping / blocking it

Direct link (http://dw.com.com/redir?edId=3&siteId=4&oId=3000-8022_4-10804572&ontId=8022_4&spi=2e24cf6483d168ba6485753a5081edc1&lop=link&tag=tdw_dltext&ltype=dl_dlnow&pid=10995810&mfgId=6290020&merId=6290020&pguid=rs3KJwoPjGAAAEHqjOQAAAC2&destUrl=http%3A%2F%2Fwww.download.com%2F3001-8022_4-10804572.html%3Fspi%3D2e24cf6483d168ba6485753a5081 edc1%26part%3Ddl-10804572)

wainuitech
11-01-2009, 03:28 PM
Can agree with Speedy - works fine. - Just tried it.

beama
11-01-2009, 04:51 PM
If none of the above works, try this; it's only for the removable device virus Speedy was talking about

reboot pc
safe or normal mode ok

DON'T ATTEMPT TO OPEN ANY DRIVES IN EXPLORER
This will activate the virus, and unless you know the process name (to stop the virus process) you will not be able to do anything with it, i.e. delete it


Go to a cmd prompt and type in the following commands

C: [takes you to root of the drive you are working on]

attrib -s -h autorun.inf
type autorun.inf

You will then get the contents of the autorun.inf. Look for the exe or vbs file it launches, then back at the cmd prompt type in

attrib -s -h [name of exe or vbs file id'ed earlier]
del autorun.inf
del [name of file id'ed earlier]

attrib
Look for anything else suspect that may have an h or s (hidden or system) attribute. If you post the file names back here, someone will confirm yes or no to delete.

Repeat for other drives / partitions
This needs to be done in a command-line environment, as it does not activate the autorun command, but opening your drive by double-clicking on it does
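
Added example (not part of beama's post or the thread): a small Python parser that does the "look for the exe or vbs file it launches" step on the text of an autorun.inf without opening the drive in Explorer. The sample file content and the file names in it are constructed for illustration.

```python
import re

# Keys in an autorun.inf that name a program or script to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
# File types worth a second look when they turn up in a launch command.
SUSPECT_EXT = (".exe", ".vbs", ".bat", ".cmd", ".com", ".scr", ".pif", ".js")

def launch_targets(text):
    """Return [(key, command, file)] for every launch entry under [autorun]."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and comments are often used as padding
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if LAUNCH_KEY.match(key) and value:
            found.append((key.lower(), value, target_file(value)))
    return found

def target_file(command):
    """Pull the file name out of a command such as 'wscript.exe .\\x.vbs /a'."""
    tokens = re.findall(r'"[^"]+"|\S+', command)
    files = [t.strip('"') for t in tokens if t.strip('"').lower().endswith(SUSPECT_EXT)]
    # The last suspicious file on the line is usually the payload (an interpreter
    # such as wscript.exe comes first); fall back to the first token.
    name = files[-1] if files else tokens[0].strip('"')
    return name.replace("/", "\\").split("\\")[-1]

# Constructed sample, not taken from the thread.
SAMPLE = """\
;xkqpw padding
[AutoRun]
open=sample_payload.exe
shell\\open\\Command=sample_payload.exe
shellexecute=wscript.exe .\\recycled\\sample_script.vbs
icon=folder.ico
"""

if __name__ == "__main__":
    for key, command, name in launch_targets(SAMPLE):
        print(f"{key:22} -> {name:20} ({command})")
```

The file names it reports are the ones to run attrib -s -h against and then delete, as in the steps above.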

Nomad
11-01-2009, 06:17 PM
Thanks heaps, I got my file back. I thought the locked partition may have been permanently lost.

Beama - didn't need that but thanks :)

Speedy and Wainuitech - thanks - Trojan Remover, Spyware Terminator worked, Malwarebytes worked eventually after some error screens. Upon restart I got the partition back. Saved me doing the last 6 months of monthly budgets. I have the papers though.

The hijackthis log as follows:

Logfile of HijackThis v1.98.0
Scan saved at 6:20:09 p.m., on 11/01/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\system32\ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ray\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xnet.co.nz/
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: ColorVisionStartup.lnk
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

Speedy Gonzales
11-01-2009, 06:25 PM
Uninstall all versions of Java, it's out of date, then update it

Uninstall DAP

Tick these then tick fix checked

Close browsers

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKCU\..\Run: [internat.exe] internat.exe

O4 - Global Startup: ColorVisionStartup.lnk

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Update Avast then scan the whole HDD. Is this all of the log? If it isn't, update HJT, it's out of date

Nomad
11-01-2009, 06:52 PM
Yup, a small HijackThis log. It's a P3 laptop that soon will be used just for writing journals. A new PC should be ordered about now ... :D

You sure to delete ColorVision startup link? That is my custom color calibrator for my screen.

Speedy Gonzales
11-01-2009, 06:57 PM
You sure to delete ColorVision startup link? That is my custom color calibrator for my screen.

Ok then that can stay.. Even though it isn't pointing to anything