Emergency

Postby pch13 » Sat Oct 06, 2012 1:18 pm

First of all, I must tell you that my English may be terrible, so please show mercy.

I have a very big problem, I think. 2 days ago I caught a virus and I can't see my C drive; I can see only my E drive. Also, the start menu icon gives me only three options:
1. Log off instead of shut down
2. Lock and
3. Switch user

Take a look at what I am talking about:
[img=http://img163.imagevenue.com/loc517/th_520792157_a2_122_517lo.jpg] (DVD RW drive took place of my C drive and BD-ROM drive took place of my DVD RW recorder)

[img=http://img261.imagevenue.com/loc437/th_520795503_aaa_122_437lo.jpg]

[img=http://img179.imagevenue.com/loc35/th_523746189_a3_122_35lo.jpg]


What can I do?

P.S. I have a Toshiba Satellite laptop with Windows 7 64-bit and a 500 GB hard disk which is separated into two 250 GB hard disks (C, which I can't see right now, and E).

thanks in advance!
Last edited by pch13 on Sat Oct 06, 2012 5:41 pm, edited 1 time in total.
pch13
Newbie
Posts: 6
Joined: Sat Oct 06, 2012 11:03 am
Location: Greece
Operating System: windows 7 64bit
Thanks given: 3
Thanks received: 0

Re: Emergency

Postby Gecko » Sat Oct 06, 2012 3:24 pm

Please download combofix to your desktop.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Double click combofix.exe and follow the prompts.

If ComboFix will not start or is ended before the "Blue window", please rename combofix.exe to cbf.exe and try again.

If cbf.exe will not start or is ended, you will have to run cbf.exe from Safe Mode.
Reboot into Safe Mode:
Restart Windows after you see the BIOS screen and before Windows starts to load.
Start tapping the F8 key. The Windows Advanced Options Menu appears.
Use the Arrow key to ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.

Do not exit ComboFix while it is running; you may lose all your personal settings!
Important Note - Do not mouseclick combofix's window while it's running, that may cause it to stall.

When it's done running it will produce a log for you. Please post that log in your next reply.

Who said thanks: pch13 (Sat Oct 06, 2012 5:36 pm)
Gecko
Super Moderator
Posts: 5209
Joined: Thu Oct 25, 2001 1:00 am
Location: Florida, USA
Thanks given: 1
Thanks received: 23

Re: Emergency

Postby pch13 » Sat Oct 06, 2012 5:36 pm

First of all, I want to thank you a lot!! :)

Firstly: I ran a full system control with Avast and my C drive appeared, but I couldn't open it (see the error in the third image of my first reply).
Secondly: I ran the program you gave me and now I can open my C drive without a problem, but some losses still remain.


[img=http://img152.imagevenue.com/loc19/th_537090291_a4_122_19lo.jpg] (instead of switch user, lock and log off the options must be hibernate, sleep, restart etc)

also take a look at this:
[img=http://img138.imagevenue.com/loc513/th_549460929_5a_122_513lo.jpg] (i don't have BD-Rom drive :|)


Here is the log.txt that you asked for:
ComboFix.zip
(9.8 KiB) Downloaded 285 times

Re: Emergency

Postby Gecko » Sun Oct 07, 2012 4:25 pm

It looks like Avast removed some infection but not the registry keys, so I'll have to look into how to simply fix all the extra entries in the registry, if that is even possible.

Your winver.exe file is infected so first of all we will need to replace it with the backup file on your system.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: CFScript to your desktop.
ClearJavaCache::

KillAll::

FCopy::
C:\Windows\winsxs\x86_microsoft-windows-winver_31bf3856ad364e35_6.1.7600.16385_none_b627d45ffdcc6f00\winver.exe | c:\windows\System32\winver.exe

Now drag then drop the CFScript file onto ComboFix.exe

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Who said thanks: pch13 (Sun Oct 07, 2012 11:16 pm)

Re: Emergency

Postby pch13 » Sun Oct 07, 2012 4:38 pm

Good afternoon.
Before I do all that you mentioned, let me tell you that after restarting my PC everything went well and now it works just like before.

Do you believe that the problem still remains? :?

Re: Emergency

Postby Gecko » Sun Oct 07, 2012 5:59 pm

Yes, you still have an infected winver.exe and it needs to be replaced.

Re: Emergency

Postby pch13 » Sun Oct 07, 2012 11:15 pm

Here are the results.. :)

ComboFix (2).zip
(10.22 KiB) Downloaded 274 times


The problem still remains and I did everything you said :?

Re: Emergency

Postby Gecko » Mon Oct 08, 2012 12:40 pm

pch13 wrote: The problem still remains and I did everything you said :?


You are not correct in your assessment of the log file. The FCopy command I had you run looks to have been successful; the file was replaced, but after the infected notification in the ComboFix log.

Re: Emergency

Postby pch13 » Tue Oct 09, 2012 5:06 pm

So you are telling me that the winver.exe isn't infected anymore and that the txt file is wrong?

Do you want me to run the process again and upload the correct txt file?..if that is possible

Re: Emergency

Postby Gecko » Wed Oct 10, 2012 12:13 pm

pch13 wrote: So you are telling me that the winver.exe isn't infected anymore and that the txt file is wrong?

No, what I am saying is that ComboFix first detected and listed the infected file before the FCopy command, which should have replaced the winver.exe from backup, was executed.

Please go to http://virusscan.jotti.org/en and upload your c:\windows\System32\winver.exe file for checking and post the result in your reply.

Who said thanks: pch13 (Wed Oct 10, 2012 5:23 pm)
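Added example, not part of the thread and not ComboFix's or Gecko's own code: a local check that complements the online scan by confirming that the winver.exe now in System32 is byte-identical to a copy kept in the WinSxS component store, which is where the FCopy line above took its replacement from. The function names are hypothetical, the paths assume a default Windows 7 layout, and the hashing avoids Get-FileHash because PowerShell 2.0 does not have it.

```powershell
# Added example. Run from a 64-bit PowerShell prompt on 64-bit Windows:
# a 32-bit process is silently redirected from System32 to SysWOW64.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function Test-WinverAgainstStore {
    param(
        [string]$Target    = "$env:windir\System32\winver.exe",
        [string]$StoreGlob = "$env:windir\winsxs\*_microsoft-windows-winver_*\winver.exe"
    )
    if (-not (Test-Path -LiteralPath $Target)) {
        Write-Warning "Target not found: $Target"
        return $false
    }
    $targetHash = Get-Sha256Hex -Path $Target
    Write-Host ("target   {0}  {1}" -f $targetHash, $Target)

    # Every architecture/version of winver.exe held in the component store
    $copies = @(Get-ChildItem -Path $StoreGlob -ErrorAction SilentlyContinue)
    if ($copies.Count -eq 0) {
        Write-Warning "No component-store copies found; nothing to compare against."
        return $false
    }
    $matched = $false
    foreach ($copy in $copies) {
        $hash = Get-Sha256Hex -Path $copy.FullName
        if ($hash -eq $targetHash) { $tag = 'MATCH   '; $matched = $true }
        else                       { $tag = 'differs ' }
        Write-Host ("{0} {1}  {2}" -f $tag, $hash, $copy.FullName)
    }
    return $matched
}

Test-WinverAgainstStore
```

A match only shows the file equals a store copy; it says nothing if the store copy itself was altered, so `sfc /verifyfile=c:\windows\System32\winver.exe` from an elevated prompt is a useful second check.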

Re: Emergency

Postby pch13 » Wed Oct 10, 2012 5:24 pm
