Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Virus deleting all files on XP/SP3

by johnag » August 14th, 2011, 11:33 am

Good day,

*** I have created this a few times but keep pressing the wrong button and losing everything.
*** My apologies if duplicates have occurred.

I have been attacked by a vicious virus/malware that erases all files on the system (XP/SP3).

1. The first attack was on 28 July.
2. The first phase of the attack deletes the desktop shortcuts in C:\Documents and Settings\username. This is done slowly, one icon at a time. Eventually the entire folder is deleted.
3. Next the virus deletes the files in c:\. Again slowly. Eventually it takes out boot.ini and the other boot files.
4. It then appears to delete the other files and folders in C:\Documents and Settings\username. If I move fast enough I can copy my outlook.pst to another drive. You have gathered by now that I can sit and watch this thing slowly destroy my PC, hence I have called it Reality Virus since it is like watching a reality TV show.
5. Once C: is destroyed the virus moves onto D:
6. Having destroyed all available drives it then creates a .bat file that attempts to erase everything in \system32 and finally the system dies never to be booted again.
7. I recover by restoring from an image of my C drive. However the first time I connected the backup drive to the PC the virus jumped onto the backup drive and also destroyed it. Fortunately I always have 2 backup images.
I now recover by booting Linux and deleting the MBR on all drives (not sure if this is required but decided not to take a chance). The destroyed C drive is re-formatted. I then boot the backup image and copy it across to the "production" C drive.
8. I have run Kaspersky, NOD32, Malwarebytes and BitDefender (evaluation copies) but nothing is found.

That was 2 weeks ago and I thought I had recovered. This past Friday, 12 Aug, I got hit again at 7.00am. By noon I had recovered using the previous night's backup. At 4.00pm I was once again attacked.

I have now recovered, yet again, and have been running for 24 hours. After the recovery I once again did a full scan with Kaspersky and again nothing has been found.

I am waiting for the next attack.... HELP PLEASE

Regards John

dds.txt
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by John at 7:02:58 on 2011-08-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1173 [GMT 2:00]
.
AV: Kaspersky Anti-Virus *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kerio WinRoute Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Oracle10\bin\omtsreco.exe
c:\oracle9i\BIN\TNSLSNR.exe
c:\oracle9i\bin\ORACLE.EXE
C:\WINNT\system32\igfxsrvc.exe
C:\WINNT\system32\igfxpers.exe
C:\WINNT\Twain_32\Samsung\SCX4x28\Scan2pc.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINNT\system32\PDFCreatorMessages.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2012\avp.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HDD Thermometer\HDD Thermometer.exe
C:\Program Files\Kerio\MailServer\mailctrl.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Kerio\WinRoute Firewall\wrctrl.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\PVSW\bin\w3dbsmgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINNT\system32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINNT\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINNT\System32\vssvc.exe
C:\WINNT\system32\SearchIndexer.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\system32\logon.scr
C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
C:\Program Files\Kerio\MailServer\mailserver.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINNT\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page =
uStart Page = about:blank
uSearch Bar =
uInternet Settings,ProxyServer = 192.168.1.159:3128
uInternet Settings,ProxyOverride = <local>
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\ievkbd.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: {A1056498-D09A-41E4-864B-505EDD640D9E} - No File
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\klwtbbho.dll
BHO: {FF7C3CF0-4B15-11D1-ABED-709549C10000} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [RSD_HDDThermo] c:\program files\hdd thermometer\HDD Thermometer.exe
uRun: [MailCtrl] "c:\program files\kerio\mailserver\mailctrl.exe"
uRun: [DynDNS Updater] "c:\program files\dyndns updater\DynDNS.exe"
uRun: [WrCtrl] "c:\program files\kerio\winroute firewall\wrctrl.exe"
uRun: [ctfmon.exe] c:\winnt\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [IgfxTray] c:\winnt\system32\igfxtray.exe
mRun: [Persistence] c:\winnt\system32\igfxpers.exe
mRun: [4x28 Scan2PC] "c:\winnt\twain_32\samsung\scx4x28\Scan2pc.exe"
mRun: [MSConfig] c:\winnt\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [PDFCreatorClient] c:\program files\jawssystems\jaws pdf creator\PDFClient.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 2012\avp.exe"
dRun: [WrCtrl] c:\program files\kerio\winroute firewall\WrCtrl.exe
dRun: [internat.exe] internat.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~2\alluse~1\startm~1\programs\startup\pervas~1.lnk - c:\pvsw\bin\w3dbsmgr.exe
StartupFolder: c:\docume~2\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: Atomic Email Hunter - c:\program files\atompark\atomic email hunter\ie.htm
IE: Capture Selection - c:\program files\smarthru office\WebCapture.dll2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Save as HTML - c:\program files\smarthru office\WebCapture.dll1.htm
IE: Save Selected Text - c:\program files\smarthru office\WebCapture.dll.htm
IE: Web Capture - c:\program files\smarthru office\WebCapture.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\ievkbd.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky anti-virus 2012\klwtbbho.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/ ... ontrol.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {32564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv8ax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/ ... mv9VCM.CAB
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resour ... se8300.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupda ... 8147368671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/C ... 8763541667
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
TCP: Interfaces\{BA0E9F2B-0C9E-4AA7-BF95-63842599DE1F} : NameServer = 10.0.1.2,196.30.31.193
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\winnt\system32\klogon.dll
SEH: ShellObj Class: {f6329918-1a8e-4dbb-a427-d9371aeb988f} - c:\program files\tpwins\SHELLEXT.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 KL1;kl1;c:\winnt\system32\drivers\kl1.sys [2011-3-4 133208]
R1 ibvcm2ku;iBurst Terminal Virtual COM Service;c:\winnt\system32\drivers\ibvcm2ku.sys [2006-10-20 44416]
R1 kl2;kl2;c:\winnt\system32\drivers\kl2.sys [2011-3-4 11352]
R1 KLIF;Kaspersky Lab Driver;c:\winnt\system32\drivers\klif.sys [2011-8-13 565552]
R1 NipppoeU;NDIS(PPPoE) User mode I/O Protocol for iBurst Terminal;c:\winnt\system32\drivers\NipppoeU.sys [2006-10-20 26112]
R2 AVP;Kaspersky Anti-Virus Service;c:\program files\kaspersky lab\kaspersky anti-virus 2012\avp.exe [2011-4-24 202296]
R2 IOPort;IOPort;c:\winnt\system32\drivers\Ioport.sys [2004-5-22 6144]
R2 Iprip;RIP Listener;c:\winnt\system32\svchost.exe -k netsvcs [2008-4-14 14336]
R2 Oracleoracle9iTNSListener;Oracleoracle9iTNSListener;c:\oracle9i\bin\tnslsnr --> c:\oracle9i\bin\TNSLSNR [?]
R2 OracleServiceJOHNAG;OracleServiceJOHNAG;c:\oracle9i\bin\oracle.exe johnag --> c:\oracle9i\bin\ORACLE.EXE JOHNAG [?]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-8-24 92008]
R2 WinRoute;Kerio WinRoute Firewall;c:\program files\kerio\winroute firewall\winroute.exe [2009-10-26 5605840]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\winnt\system32\drivers\klim5.sys [2011-3-10 34608]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\winnt\system32\drivers\klmouflt.sys [2009-11-2 19472]
R3 kwflower;Kerio WinRoute Firewall Driver - Lower Layer;c:\winnt\system32\drivers\kwflower.sys [2008-7-2 100352]
R3 kwfupper;Kerio WinRoute Firewall Driver - Upper Layer;c:\winnt\system32\drivers\kwfupper.sys [2009-10-26 122928]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-8 136176]
S2 ousbehci;NEC PCI to USB Enhanced Host Controller;c:\winnt\system32\drivers\ousbehci.sys [2007-5-30 36224]
S2 ReportServer$SQLEXPRESS;SQL Server Reporting Services (SQLEXPRESS);c:\program files\microsoft sql server\mssql.2\reporting services\reportserver\bin\ReportingServicesService.exe [2008-11-24 14688]
S2 SSPORT;SSPORT;\??\c:\winnt\system32\drivers\ssport.sys --> c:\winnt\system32\drivers\SSPORT.sys [?]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\winnt\system32\drivers\A5AGU.sys [2005-7-26 348352]
S3 ATHFMWDL;D-Link predator Bootloader driver;c:\winnt\system32\drivers\Athfmwdl.sys [2005-7-26 43392]
S3 CA500AI;D-Link, WDM Still Image Capture, Version 1.00;c:\winnt\system32\drivers\minbulk.sys [2004-5-22 10810]
S3 DLPortIO;DriverLINX Port I/O Driver;c:\winnt\system32\drivers\DLPORTIO.SYS [2004-5-22 3584]
S3 dwVSCD;NetOp Virtual Smart Card Driver;c:\winnt\system32\drivers\dwvscd.sys [2008-4-16 16696]
S3 FirebirdGuardianDefaultInstance;Firebird Guardian - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s --> c:\program files\firebird\firebird_1_5\bin\fbguard.exe -s [?]
S3 FirebirdServerDefaultInstance;Firebird Server - DefaultInstance;c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s --> c:\program files\firebird\firebird_1_5\bin\fbserver.exe -s [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-8 136176]
S3 iBurstu;iBurst Terminal;c:\winnt\system32\drivers\iburstu.sys --> c:\winnt\system32\drivers\iBurstu.sys [?]
S3 ipw_mdfl;Wireless Broadband Modem Filter;c:\winnt\system32\drivers\ipw_mdfl.sys [2004-5-27 15312]
S3 ipw_mdm;Wireless Broadband Modem (WDM);c:\winnt\system32\drivers\ipw_mdm.sys [2004-5-27 269696]
S3 kvnet;Kerio Virtual Network Adapter;c:\winnt\system32\drivers\kvnet.sys [2009-3-23 29696]
S3 kvpndev;Kerio VPN adapter;c:\winnt\system32\drivers\kvpndrv.sys [2005-10-17 65024]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\winnt\system32\11.tmp --> c:\winnt\system32\11.tmp [?]
S3 mxcard;MOXA Intellio Family Driver;c:\winnt\system32\drivers\mxcard.sys [2001-8-17 21888]
S3 mxport;Moxa Intellio Multiport Board Port Driver;c:\winnt\system32\drivers\mxport.sys [2001-8-17 75520]
S3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\drivers\openhci.sys [2003-7-14 24784]
S3 OracleClientCache80;OracleClientCache80;c:\orawin95\bin\ONRSD80.EXE [2004-5-22 101136]
S3 Oracleoracle9iAgent;Oracleoracle9iAgent;c:\oracle9i\bin\agntsrvc.exe [2004-5-22 16656]
S3 Oracleoracle9iClientCache;Oracleoracle9iClientCache;c:\oracle9i\bin\ONRSD.EXE [2004-5-22 425828]
S3 Oracleoracle9iHTTPServer;Oracleoracle9iHTTPServer;c:\oracle9i\apache\apache\Apache.exe [2004-5-22 3584]
S3 Oracleoracle9iPagingServer;Oracleoracle9iPagingServer;c:\oracle9i\bin\pagntsrv.exe [2004-5-22 52224]
S3 Oracleoracle9iSNMPPeerEncapsulator;Oracleoracle9iSNMPPeerEncapsulator;c:\oracle9i\bin\encsvc.exe [2004-5-22 189952]
S3 Oracleoracle9iSNMPPeerMasterAgent;Oracleoracle9iSNMPPeerMasterAgent;c:\oracle9i\bin\agntsvc.exe [2004-5-22 256512]
S3 ousb2hub;OrangeWare USB 2.0 Hub Support;c:\winnt\system32\drivers\ousb2hub.sys [2007-5-30 53888]
S3 TPP300;USB Storage Adapter V3 (TPP);c:\winnt\system32\drivers\TPP300.SYS [2004-5-22 33669]
S3 usbhub20;USB Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2003-7-14 49776]
S3 Xceed.Chart.Renderer.Service;Xceed Chart for ASP.NET Renderer Service;c:\program files\xceed components\bin\.net\Xceed.Chart.Renderer.Service.exe [2008-2-25 53248]
S3 xsSmartAgent;Visibroker Smart Agent;c:\oracle9i\bin\osagent.exe [2004-5-22 205312]
S4 OracleServiceJAGAR;OracleServiceJAGAR;c:\oracle9i\bin\oracle.exe jagar --> c:\oracle9i\bin\ORACLE.EXE JAGAR [?]
.
=============== File Associations ===============
.
.txt=
.
=============== Created Last 30 ================
.
2011-08-13 13:50:54 97859 ----a-w- c:\winnt\system32\drivers\klick.dat
2011-08-13 13:50:54 115369 ----a-w- c:\winnt\system32\drivers\klin.dat
2011-08-13 13:49:33 -------- d-----w- c:\program files\Kaspersky Lab
2011-08-13 13:49:33 -------- d-----w- c:\documents and settings\all users\application data\Kaspersky Lab
2011-08-13 13:48:56 -------- d-sh--w- c:\winnt\Installer
2011-08-13 10:32:26 -------- d-----w- c:\program files\Sophos
.
==================== Find3M ====================
.
2011-08-08 06:51:41 404640 ----a-w- c:\winnt\system32\FlashPlayerCPLApp.cpl
2011-08-03 09:30:29 27648 ----a-w- c:\winnt\system32\MSCAL.oca
2011-08-03 09:08:03 43008 ----a-w- c:\winnt\system32\MSMAPI32.oca
2011-08-01 17:29:59 1295358 ----a-w- c:\documents and settings\all users\application data\bdinstall.bin
2011-07-05 07:39:33 6656 ----a-w- c:\winnt\system32\haspvdd.dll
2011-07-05 07:39:33 47616 ----a-w- c:\winnt\system32\drivers\Haspnt.sys
2011-07-05 07:39:33 383 ----a-w- c:\winnt\system32\haspdos.sys
2011-06-27 13:42:16 796672 ----a-w- c:\winnt\GPInstall.exe
2011-06-24 06:30:57 64000 ----a-w- c:\winnt\system32\ieframe.oca
2010-07-08 08:37:14 101544 ----a-w- c:\program files\common files\LinkInstaller.exe
2007-04-24 06:44:22 0 ----a-r- c:\program files\sig.tmp.bin
2004-08-19 08:35:18 38912 ----a-w- c:\program files\TCPNV.EXE
2001-10-05 10:53:04 21866 ----a-w- c:\program files\common files\tppupd2k.dll
.
============= FINISH: 7:04:40.79 ===============

attach.txt

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2010/07/21 09:52:16
System Uptime: 2011/08/13 16:03:29 (15 hours ago)
.
Motherboard: Gigabyte Technology Co., Ltd. | | 946GMX-S2
Processor: Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33GHz | Socket 775 | 1875/266mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 17.313 GiB free.
N: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Kerio Virtual Network Adapter
Device ID: ROOT\KVNETID\0000
Manufacturer: KerioTechnologies
Name: Kerio Virtual Network Adapter
PNP Device ID: ROOT\KVNETID\0000
Service: kvnet
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
Alternate Firebird Copy 1.201
Amigo DVD Ripper 2.8.86
ATI Display Driver
Avance AC'97 Audio
AXIS Media Control Embedded
BASCOM-8051 Setup
BDE Merge Module - Professional Edition
Bennet-Tec TList 7 ActiveX Control
Bennet-Tec TList 8 ActiveX Control
BioMatch 2007 Toolbox
Borland Delphi 6
BulletProof FTP Client v2.60.0.53
Data Lifeguard Tools
DelinvFile - 4.03
Delux Demonstration Edition v2.07
DF SDK Demo
DirectX 8 Hotfix - KB839643
DiscWizard for Windows
DynaZip Max Secure Eval 6.00.05
DynDNS Updater 3.1
Easy2Sync for Outlook
EMS Data Comparer 2007 for InterBase/Firebird
EMS Data Export 2005 for InterBase/Firebird
EMS InterBase/FireBird DB Comparer
EMS InterBase/FireBird Manager
EMS SQL Manager 2005 for InterBase and Firebird
ExecuJet Std Bank Payment System
FastForm 3.7.32
FBFirstAID Personal 2.0
Fedile SSH Server v 1.0.0.0
File Catalog
Firebird 1.5.4
Firebird Data Wizard 7.8
Firebird/InterBase(r) ODBC driver 2.0.0.150
FUSION WOL v1.0
G3-SD
getPlus(R) for Adobe
Google Earth Plug-in
Google Update Helper
HASP Device Drivers
HDD Thermometer
HexEdit
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB932716-v2)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
HP Extended Capabilities 4.7
HP LaserJet 1100
HP LaserJet 3050/3052/3055/3390/3392 3.0
HP Software Update
HP USB Disk Storage Format Tool
hpp3390usg
hppFaxDrv3390
hppFaxUtility
hppFonts
hppIOFiles
hppLJ3390
hppManuals3390
hppscan3390
hppScanTo
hppSendFax
hppTooCool
hppToolBoxFX
hpzTLBXFX
HTML Help Workshop
IBAccess 1.18
IBFirstAID Diagnostician 2.0
IBOConsole 1.1.11.11
ICY Hexplorer (remove only)
IDAutomation.com Code 39 Font Advantage Package DEMO
Imca Systems FlyTreeView Suite for C++ Builder6
ImproNet Suite
Inno Setup version 3.0.7
Inno Setup version 5.1.14
Innovasys Document! X 4.1 (Evaluation)
Innovasys Freeware ActiveX Control Suite
InstallShield Express Borland Limited Edition
Intel(R) Graphics Media Accelerator Driver
InterBase
IO ActiveX Control
IPBandit 1.0.1
IPWireless PC Software
J2SE Development Kit 5.0 Update 6
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 6
Jaws PDF Creator
Kaspersky Anti-Virus 2012
Kerio Connect
Kerio MailServer (Uninstalled)
Kerio Visual C++ 2005 redistributable permanent package
Kerio WinRoute Firewall
Kerio WinRoute Firewall (Upgraded & Uninstalled)
Logi Report Studio and Server 9.1.47
Logiccode GSM SMS ActiveX Dll v3.2
MB MouseHelper Control 1.0
MGI PhotoSuite III SE (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2000 SR-1 Premium
Microsoft Office 2003 Web Components
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Outlook Personal Folders Backup
Microsoft Project 2000 SR-1
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005
Microsoft SQL Server 2005 (SQLEXPRESS)
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Books Online (English) (November2008)
Microsoft SQL Server 2005 Reporting Services (SQLEXPRESS)
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Management Studio Express
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Tool Web Package:INUSE.EXE
Microsoft Visio Professional 2002 [English]
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual Studio 2005 Toolbox Controls Installer
Microsoft Visual Studio 6.0 Enterprise Edition
Microsoft Web Publishing Wizard 1.53
Microsoft XML Parser and SDK
MSDN Library - October 2000
MSDN Library - Visual Studio 6.0a
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser
MySQL Servers and Clients 3.23.51
MySQL Servers and Clients 4.0.18
MySQL Servers and Clients 4.0.21
MySQL Servers and Clients 4.0.23
Nero - Burning Rom
ODAC 3.50 for Delphi 6
OdbcJdbc version 1-1-beta
Oracle Data Provider for .NET Help
Outlook Address Extractor 2007
Outlook Express Backup Genie v2.0
Pervasive System Analyzer
Pervasive.SQL 9 SP2 Workgroup for Windows (9.5)
pinPDF
PL-2303 USB-to-Serial
Polar Component Suite - Trial
Polar ZIP
PonyProg2000 v2.05a
PowerQuest PartitionMagic 7.0
Process Revealer Free Edition 1.0
Python 2.2 MySQL-python-0.9.1
Python 2.2.1
QFolder
QuickBooks Pro 2002
RBS Server
Readiris Pro 10
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
RemObjects Pascal Script
Samsung SCX-4x28 Series
Scan
SecureBlackbox (ActiveX/DLL edition)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 7.1 (KB917734)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2124261)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2290570)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB970483)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976323)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
SFTP test
Shell MegaPack ActiveX 8.0
SmarThru Office
SmarThru Office PC Fax
Sophos Anti-Rootkit 1.5.20
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SQLBackupAndFTP
SSH Secure Shell
STI 1.06
Sureback Configuration Viewer
SureBack EMU V3.2.36
SureBack iClient V3.2.29
SurePipe Bootstrap V1.1.5
SurePipe Client V1.1.5
SurePipe SPClient V3.1.0
Tcl 8.0 for Windows
TomTom HOME 2.7.6.2056
TomTom HOME Visual Studio Merge Modules
TopStyle Lite (Version 3.0)
TPP Storage Driver Installation
TracePlus/Winsock
Tweakui Powertoy for Windows XP
Uniblue Registry Booster
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2345886)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
UPSMON Plus for Windows
USB Storage Adapter V2 (TPP)
USB Storage Adapter V3 (TPP)
VB Project Eye 1.3.0 Freeware
VB2 Popup Balloon Control
Video Codecs
ViewSonic Monitor Drivers
ViewSonic Windows 2K Signed Files
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Volume Shadow Copy Service SDK, v7.2
WeOnlyDo! Crypt (30 day Evaluation)
WeOnlyDo! Http DELUXE (30 day Evaluation)
WeOnlyDo! Pop3
WeOnlyDo! SFTP
WeOnlyDo! Smtp
WeOnlyDo! SmtpServer
WeOnlyDo! SSH
WeOnlyDo! SSH Tunnel (30 day Evaluation)
WeOnlyDo! SSHServer
WeOnlyDo! WebServer
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB923694
Windows 2000 Hotfix - KB928090
Windows 2000 Hotfix - KB929969
Windows 2000 Hotfix - KB933566
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Live OneCare safety scanner
Windows Media Player Hotfix [See Q828026 for more information]
Windows Resource Kit Tools
Windows Search 4.0
WinRescue 2000
WinZip
Xtreme Suite v8.60 for ActiveX
.
==== Event Viewer Messages From Past Week ========
.
2011/08/13 12:56:29, error: NetBT [4321] - The name "JAFCAL SOFTWARE:1d" could not be registered on the Interface with IP address 10.0.1.159. The machine with the IP address 10.0.1.161 did not allow the name to be claimed by this machine.
2011/08/12 11:56:16, error: Removable Storage Service [111] - RSM could not load media in drive Drive 0 of library JetFlash Transcend 8GB USB Device.
2011/08/12 10:55:10, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
2011/08/12 10:55:09, error: Service Control Manager [7022] - The Windows Search service hung on starting.
2011/08/12 10:44:36, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSEC MRxSmb NetBIOS NetBT NipppoeU RasAcd Rdbss Tcpip Tcpip6
2011/08/12 10:44:36, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
2011/08/12 10:44:36, error: Service Control Manager [7001] - The Simple TCP/IP Services service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
2011/08/12 10:44:36, error: Service Control Manager [7001] - The Simple Mail Transfer Protocol (SMTP) service depends on the IIS Admin service which failed to start because of the following error: The dependency service or group failed to start.
2011/08/12 10:44:36, error: Service Control Manager [7001] - The IPv6 Helper Service service depends on the Microsoft IPv6 Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2011/08/12 10:44:36, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
2011/08/12 10:44:36, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2011/08/12 10:44:36, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2011/08/12 10:44:34, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2011/08/12 10:44:14, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2011/08/12 10:44:05, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2011/08/09 17:13:27, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The class is configured to run as a security id different from the caller
2011/08/09 17:12:28, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Kerio Connect service to connect.
2011/08/09 17:12:28, error: Service Control Manager [7000] - The Kerio Connect service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2011/08/09 17:12:24, error: Service Control Manager [7024] - The SQL Server (SQLEXPRESS) service terminated with service-specific error 17058 (0x42A2).
2011/08/09 17:12:24, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server Reporting Services (SQLEXPRESS) service to connect.
2011/08/09 17:12:24, error: Service Control Manager [7000] - The VNC Server service failed to start due to the following error: The system cannot find the path specified.
2011/08/09 17:12:24, error: Service Control Manager [7000] - The SSPORT service failed to start due to the following error: The system cannot find the file specified.
2011/08/09 17:12:24, error: Service Control Manager [7000] - The SQL Server Reporting Services (SQLEXPRESS) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2011/08/09 17:12:24, error: Service Control Manager [7000] - The NEC PCI to USB Enhanced Host Controller service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2011/08/09 17:12:24, error: Service Control Manager [7000] - The Firebird Server service failed to start due to the following error: The system cannot find the path specified.
2011/08/09 17:12:10, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
2011/08/09 17:11:41, error: Distributed Link Tracking Client [12507] - The volume ID for E: has been reset, since it was a duplicate of that on C:. This volume ID is used by Distributed Link Tracking to automatically repair file links, such as Shell Shortcuts and OLE links, when for some reason those links become broken.
2011/08/08 17:55:04, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Search service to connect.
2011/08/08 17:55:04, error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
2011/08/08 17:55:04, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
2011/08/07 16:26:09, error: TermServDevices [1111] - Driver DTC4500 Card Printer required for printer DTC4500 Card Printer is unknown. Contact the administrator to install the driver before you log in again.
.
==== End Of File ===========================
johnag
Active Member
 
Posts: 3
Joined: August 13th, 2011, 12:11 pm

Re: Virus deleting all files on XP/SP3

Post by deltalima » August 14th, 2011, 12:14 pm

atomic email hunter


Please let me know what the computer is used for.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Virus deleting all files on XP/SP3

Post by johnag » August 14th, 2011, 1:58 pm

I took over the PC when I retired from IBM as a systems engineer 12 years ago (I am 64 years old – the oldest nerd around (X’40’)). Since then I have managed to keep the PC going, upgrading from W2K to XP, installing new motherboards and disk drives etc. Currently I use the PC to support community projects (such as mailing lists and contact information for our sector crime watch), hence all the free databases installed (Oracle 10G, Firebird, MSSQL express). Looking at the dds data I see a lot of junk I have tried out over the years and thought I had deleted, such as VNC and Atomic Email Hunter, which looked like a possible spam tool when I used it to try to recover a lost mailing list and then deleted it. It is not even listed in the list of programs in "add or remove programs", but it appears to have left code behind in IE as per the dds report. Has this thing been using my PC as a spam agent?

Re: Virus deleting all files on XP/SP3

Post by deltalima » August 14th, 2011, 2:33 pm

Hi johnag,

Welcome to the forum.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you to.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Currently I use the PC to support community projects (such as mailing lists and contact information for our sector crime watch), hence all the free databases installed (Oracle 10G, Firebird, MSSQL express). Looking at the dds data I see a lot of junk I have tried out over the years and thought I had deleted, such as VNC and Atomic Email Hunter, which looked like a possible spam tool when I used it to try to recover a lost mailing list and then deleted it.


The software installed did make me think that the computer is running as some form of spam machine. Let's continue and investigate the problems.

Please let me know what connection you have with the company JAFCAL SOFTWARE and what the FARGO DTC4500 Card Printer is used for.

CKScanner

  • Please download CKScanner from here to your Desktop.
  • Make sure that CKScanner.exe is on your Desktop before running the application!
  • Double-click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File.
  • A message box will verify the file saved.
  • Double-click on the CKFiles.txt icon on your Desktop and copy/paste the contents in your next reply.

Next

  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in the window.
  • Save this file and copy/paste it in your next reply.

Please let me know if the computer is used for home or for business use.

Re: Virus deleting all files on XP/SP3

Post by johnag » August 16th, 2011, 7:45 am

Hi Deltalima

I lost the system again yesterday morning. Instead of restoring from a backup image (which I now suspect is also infected) I decided to do a Windows repair. The repair process continually failed when referencing the driver “IBVCM2KU.SYS”, which is an old driver supplied by my previous ISP and no longer required. I then deleted the driver and the repair completed. Whilst I was applying the Windows Updates that had been lost, the desktop was again deleted. From searching the web I understand that a worm called VBS.PUB, that uses a polymorphic engine to modify itself, will, on the 6th, 13th, 21st, or 28th of the month, delete all the files from the computer (which is exactly what happened to me). Given that the system on my PC is over 10 years old, and goodness knows where this worm is hiding, I have decided against wasting any more time, yours and mine, in trying to fix XP and instead I will get new hardware, install Windows 7 with IE9 and keep family critical data on a USB3 drive. All existing programs that I still required I will install from their original CD/web images so I know all is clean. Fortunately my data is kept on the D drive, so all of this can be recovered.
Thanks for your help

Re: Virus deleting all files on XP/SP3

Post by deltalima » August 16th, 2011, 12:25 pm

Thanks for letting me know.

As this issue will be resolved with a new computer, this topic is now closed.

You can help support this site from this link :
Donations For Malware Removal

