Solved

Files affected by virus removal

Posted on 2006-06-10
Last Modified: 2012-06-27
I have a Sony Vaio laptop with Windows XP.

Some of the document files got infected by a virus but they were deleted.  However when I play any of the music files there is a background crackling sound.  Any ideas why this is happening and how I can get rid of it?
Question by:midan
 
LVL 38

Expert Comment

by:BillDL
ID: 16879415
We will only be able to find out the type of files that may have been affected if you tell us the name of the virus that was eradicated from the computer, and how you eradicated it.

When you say that you "deleted" the virus, I can only assume that you used an AntiVirus software suite or one of the standalone virus fix tools.  The tool won't necessarily have created a log file, but any antivirus program should have created a log file from which you will find out the name of the virus and possibly also what infected files were removed.  Open the AntiVirus program and look for the options to read the log file.

Many antivirus programs will also "quarantine" infected files rather than just completely deleting them, but it depends on the user settings whether the quarantine area is used or not.  You should be able to see what files have been quarantined from one of the antivirus user programs.

If you cannot find out any of these details, or if you just manually deleted files, then there is one option that I am always very hesitant to suggest.  IF you know EXACTLY when the computer was infected, and if you have a restore point that dates BEFORE the infection, then performing a "system restore" MIGHT fix the problem.  I rarely use System Restore, as it doesn't always work fully, and in your scenario you also risk the likelihood of restoring a virus again.
 
LVL 38

Expert Comment

by:BillDL
ID: 16879420
Correction:
>>> "You should be able to see what files have been quarantined from one of the antivirus user programs". <<<
should read:
>>> "You should be able to see what files have been quarantined from one of the antivirus user OPTIONS". <<<
 
LVL 69

Expert Comment

by:Merete
ID: 16879562
Run a system file checker after removing malware; as you say, these may corrupt some Windows system files.
At Start > Run, type in cmd and press Enter, then type in sfc /scannow. You will need your XP CD.

Update the audio drivers: right-click My Computer > Properties > Hardware > System Devices, then scan for hardware changes.
 
LVL 69

Expert Comment

by:Merete
ID: 16879591
Windows also has a troubleshooter: go to Start > Help and Support > Fixing a problem > Games, sounds and video, then choose from the right side.
 

Author Comment

by:midan
ID: 16880636
BillDL

The virus was the Trojan horse with extension name Lop.A.  The infected files were stored in the virus vault but I deleted them because they were temporary document files.  Why keep files in quarantine anyway?

I am tempted to try to go to previous restore point.  What would be lost if I go back to a very early restore point?

Merete

I did a system file scan which did not show up anything.  I tried updating drivers but that did not help.  I think we are dealing with some sort of virus infection.  The question is can we avoid having to re-install windows XP.  As well as the sound being distorted the computer has become slower.
 
LVL 32

Expert Comment

by:r-k
ID: 16881230
"What would be lost if I go back to a very early restore point?"

What you would lose is anything you installed since then, such as programs, usernames, etc. and also if you changed any preferences, such as wallpaper, screen resolution, etc. For this reason you want to go back to a restore point that is before the start of the problem, but not too many weeks or months before that.

"computer has become slower"

Maybe some part of the infection is still lurking. Please do the following:

Download and run HijackThis from http://www.hijackthis.de/
Copy-and-paste the resulting log back to that same web site (not here)
Click on "Analyze", and then click on "Save Analysis" at the bottom of the next page.
Finally post a link here to the saved analyzed page.
 
LVL 38

Expert Comment

by:BillDL
ID: 16881750
>>> "Why keep files in quarantine anyway?" <<<
So you can find out what they were called and identify if they were genuine files infected or overwritten by the virus, and thus figure out if you will probably have to reinstall the program or application that installed those files originally.

Personally I would try and view the activity logfile that the antivirus scan should have created.  This should tell you what files it quarantined, and you then flushed from quarantine.  That way you will be able to determine, either by asking here or by searching google.com, if they WERE Windows XP system files or not.

If they were, then (as suggested by Merete)
SFC  /SCANNOW
can be used to check for and restore the missing files from your Windows XP CD.

I can't really find much info about "Lop.A" through google, but I found the following page in which a user states that the files for Lop.A, Lop.B, etc were found during a scan in the
System Volume Information\ _ restore {B762F5BE-1DF...
folder.
http://forum.grisoft.cz/freeforum/read.php?4,68107,68109

That's obviously an incomplete folder path, but the mention of "restore" worries me.  I think that you should TURN OFF System Restore and then scan your system several times using HiJack This!, Adaware, and your AntiVirus software again to eradicate any remnants that might be automatically restored again after removal.

The problem with this is that all the existing restore points will be deleted if you say Yes when prompted. Click Yes to do this. Unfortunately that's probably going to be the sacrifice you will have to make.  Perhaps you might want to try other tactics first, and use that as a last resort.

Turn off System Restore:
Start Menu > Right-click on "My Computer" >  Click "Properties".
Open the System Restore tab > Tick the box "Turn off System Restore" or "Turn off System Restore on all drives".
Click "Apply" and reboot.

Several links tend to suggest that the Lop.A Trojan is Adware that is installed by "Messenger Plus!"
http://forums.maddoktor2.com/index.php?showtopic=7412
http://archives.neohapsis.com/archives/fulldisclosure/2004-09/1068.html
http://www.geekstogo.com/forum/lofiversion/index.php/t109841.html
 
LVL 69

Expert Comment

by:Merete
ID: 16883016
Run Trend Micro HouseCall and see if it can find this malware. If it can, after this online scan it will provide a repair guide and maybe even a patch.
But at least you will know if there are any variants.

http://housecall.trendmicro.com/
 
LVL 15

Expert Comment

by:Ryan_R
ID: 16891596
Are you trying to avoid FORMATTING or REINSTALLING? You don't need to format to reinstall system files that may be affected.

Does the crackling happen only when you play your music or does it happen on ALL SOUNDS that play through your PC (eg Windows startup sound)?

Try reinstalling some of your music players, if you're lucky it just might work.

(Hi to Merete again, long time no see (not really))
 
LVL 69

Expert Comment

by:Merete
ID: 16892112
lol Hi Ryan :)
 

Author Comment

by:midan
ID: 16892142
I am trying out all the suggestions but in the meantime I can let you know that all the sound files are affected including the Windows start up sound.  The sound is distorted in one way or another.
 
LVL 69

Expert Comment

by:Merete
ID: 16892443
midan
There is also a diag: at Start > Run, type in dxdiag, press Enter, and run the audio tests. It may find some errors that can help you. Have you tried new drivers for your sound card and installed compatible Windows XP?  Upgrade to XP SP2.
Also reduce the wav mid vol.

Your computer should have come with a mainboard CD; on this CD are all the default drivers for your computer.

What devices are you listening thru >> media players? What CDs?  On the HDD? Are these recorded by you and is the sound too loud?
Check your speakers are plugged in properly, try another set of speakers.

Windows XP Tips
Crackling Sound With Soundblaster Cards
This seems like a strange problem with Windows XP. Some users are noticing scratchy, popping sound with their SoundBlaster cards and Windows XP. I have come to the conclusion that this is happening the most often on PCs that contain RAID setups such as a Highpoint controller. The main fix I have come across is to install RAID drivers OTHER than those that shipped with Windows XP. For instance on my RAID setup, I went back to an older Windows 2000 driver and this has almost completely stopped my sound problems.

USB-Based Sound May Be Distorted During Heavy File System Input/Output
http://support.microsoft.com/default.aspx?scid=kb;en-us;284201

Windows XP Sound Help
http://www.activewin.com/tips/tips/microsoft/winxp/basic/25.shtml
 

Author Comment

by:midan
ID: 16897744
I like the idea of the sound test.  Running dxdiag I got the following message for the sound test- DirectSound test result:failure at step 19(User verification of software):HRESULT = 0x00000000 (error code).

I also ran the trend micro housecall which was very useful in picking up malware that was not previously detected.  I think it deleted the malware and the computer seems to be running better but the problem is still there with the sound.  It happens whichever player I use.
 
LVL 69

Expert Comment

by:Merete
ID: 16898499
It  is not digitally signed, which means that it has not been tested by Microsoft's Windows Hardware Quality Labs (WHQL).  You may be able to get a WHQL logo'd driver from the hardware manufacturer. DirectSound test results: Failure at step 19 (User verification of software): HRESULT = 0x00000000 (error code)
Uninstall your audio drivers from safemode if possible, use your mainboard cd to install the correct drivers then update them.
Run the dxdiag again.
Run a scan for corrupt files later.
Rebooting helps to flush the cache and reset things.
Midan, it always pays to run several malware scanners; what one misses another finds. Hackers discovered this idea, so by writing a virus then a sub virus, in case one was picked the other was missed. Tricky buggers they are.
Good luck, you're getting there.
Merete :)
 
LVL 38

Expert Comment

by:BillDL
ID: 16898800
Could you please tell us whether you are using some kind of external sound device connected by USB or some similar arrangement.  I would expect the laptop to have an integrated sound chip on the motherboard, but if this hasn't been disabled in the CMOS Setup then it could cause problems.

The DirectX error message tends to point to audio driver mismatches or conflicts, and I go along with Merete in suggesting that you reinstall all motherboard chipset drivers and the soundcard driver.  In particular, I would also ensure that the driver for the soundcard is one stated to be a WHQL (Windows Hardware Quality Labs) version.
 
LVL 38

Expert Comment

by:BillDL
ID: 16898823
Sorry Merete.  I was multitasking there and didn't reload the page before posting.

Actually, I was setting up a funny "adult" OEMLOGO.BMP and OEMINFO.INI on someone else's computer to make them fall off their seat with shock and laughter the next time they open System Properties.  It was a photo of that person doing something stupid while on holiday :-)
 
LVL 69

Expert Comment

by:Merete
ID: 16899060
:D sounds like fun there BillDL
 
LVL 15

Expert Comment

by:Ryan_R
ID: 16899927
Agree with Merete. I believe you deleted some corrupted files. Might be an idea to replace them again and reinstall other sound drivers.
 

Author Comment

by:midan
ID: 16902478
Sorry guys but what is the best way to uninstall the sound drivers.  There are various choices like audio codecs, legacy audio drivers etc which when you right click on show 'update driver' but no 'uninstall'.
 
LVL 69

Expert Comment

by:Merete
ID: 16904738
Boot to safe mode: tap F8, continue, then log on to the Administrator account and press Enter to bypass the password.
Right-click My Computer > Properties > Hardware > Device Manager > Sound, video and game controllers, highlight the default Legacy, then Properties, and either uninstall or roll back. Do you have any other audio devices besides Legacy? These may be Windows defaults; your other default may be Nvidia or AC97.
 
LVL 15

Expert Comment

by:Ryan_R
ID: 16907568
There should be a 'roll back drivers' button in the audio hardware properties page. If you go to device manager and right click the audio device (sound card) and click uninstall, this should delete any drivers associated with it. Press F5 to refresh the list and you should be asked to reinstall the drivers.
 

Author Comment

by:midan
ID: 16916602
I am not sure if I have uninstalled the sound drivers.  The only sound hardware with the uninstall option is Realtek high definition audio.  I did uninstall it and reinstalled it.  No change in the sound.  No, I do not have external speakers.

I have just installed the Real Player program which wasn't in the computer before.  Playing the audio files with the Real Player I still get distorted sounds.
 
LVL 15

Expert Comment

by:Ryan_R
ID: 16917693
Do you feel like reinstalling Windows using the Repair option?

In the Windows XP OEM Setup (booting from your XP CD), don't press 'R' the first time you have the option to (for the Recovery Console), but press it the second time (for Repair Windows).

Windows will delete all system files and then continue to install XP as normal. All your documents and programs will still be intact when finished. Only a few programs might need to be reinstalled. (eg, I had to reinstall my Virtual CD software so that it would re-create my Virtual CD/DVD drive). You probably won't need to reinstall anything else besides any Service Packs you have installed (unless you have a slipstreamed XP SP 1/2 disc).
 

Expert Comment

by:mcowley5
ID: 16921181
I would try and update the Audio drivers for the computer

Right Click "My Computer" > Manage >

Device manager > Expand "Sound, Video and Game Controllers" >

NOTE: At this point make sure you don't have any Warning symbols next to the hardware in device manager

Right click your Audio device and choose "Update Driver"

Another way to check for updates on your computer is on the Windows Update site; check there for any security and driver updates. You'll need to go to the Custom Section for optional driver downloads for your sound card.

Hope this helps
Mike
 
LVL 69

Expert Comment

by:Merete
ID: 16924681
Hello Midan
As you say here >>I can let you know that all the sound files are affected including the Windows start up sound<<, if your Windows default sounds are corrupted, run a scan for corrupted files.
At Start > Run, type in cmd and press Enter, then type in sfc /scannow. You will need your XP CD.
If you get any messages during the scan, eject the CD and close it again; the sfc should continue.
Once the Windows audio files have gone AWOL, all your sounds will be no good.

If you have already tried re-installing the drivers off your mainboard then the only option is to fix the Windows audio; sfc will do that.
Real Player is pretty intensive; uninstall it for now.
Try using Winamp instead.

Scannow sfc / with or without an xpcd
http://www.updatexp.com/scannow-sfc.html
 

Author Comment

by:midan
ID: 16930857
I'm not sure how much further I can go with this.  I am now getting a message on start up which reads as follows: SMART failure predicted on hard disk 0: Hitachi-DK23FA-60-(PM).
WARNING Immediately back up your data and replace your hard disk drive.  A failure may be imminent.  Press F1 to continue.
 
LVL 69

Assisted Solution

by:Merete
Merete earned 125 total points
ID: 16931726
Well, it is time for you to take out that HDD and slave it to another PC. Just use their CD-ROM: pull out its two cables (IDE and power). Look on the rear of your HDD, see the pin, and move it to slave; there is a diagram on top. Now plug the IDE cable and white power plug into the rear of your HDD; they fit perfectly. Just make sure to unpower, pull out the power, so that the BIOS does not know.
Then power in again and boot. It's a little slower, but once the desktop loads you'll soon see "Found New Hardware"; then you are still safe enough to save off your files.
Open Outlook Express: Tools > Options > Maintenance > Store Folder > Change, direct it to a new folder, and name it "your emails backup",
then OK. Close Outlook and open it; all your emails will now move to this folder. You can use this to import them back exactly as is.
Now in Tools again: Accounts > Properties > highlight your account, look to the right and see Export, and click on Export to the same folder as your emails. Once you're back up and running you can import your mail account again.

FYI on your HDD:
In an effort to help users avoid data loss, drive manufacturers are now incorporating logic into their drives that acts as an "early warning system" for pending drive problems. This system is called Self-Monitoring Analysis and Reporting Technology or SMART. The hard disk's integrated controller works with various sensors to monitor various aspects of the drive's performance, determines from this information if the drive is behaving normally or not, and makes available status information to software that probes the drive and looks at it.
http://www.pcguide.com/ref/hdd/perf/qual/featuresSMART-c.html
 
LVL 38

Accepted Solution

by:
BillDL earned 125 total points
ID: 16931875
I think it would be a very good idea to take heed of that warning and back up any data that you cannot easily restore from another source again eg. your emails, user-created images, documents, etc, favorites, address book, and so on.

If you need advice on where to find your data and how to back it up, then just ask.

After you have done that, and verified that the medium you copied the data onto has stored it properly, I think you should run the hard drive diagnostics utility created specifically to test your Hitachi hard drive.

IF your drive model is being correctly reported by that message, then you would appear to have a 60 GB Hitachi Ultrastar Legacy Notebook Hard Drive:
http://www.hitachigst.com/hdd/support/dk/table.html#dk23xx
The exact DK23FA model isn't listed, but I checked it out to ensure that the downloadable "Drive Fitness Test" utility was compatible with your hard drive:

http://www.hitachigst.com/hdd/support/download.htm#DFT

I recommend that you download the program file that will create a bootable floppy:
http://www.hitachigst.com/hdd/support/downloads/dft32_v407_b00.EXE
(read instructions: http://www.hitachigst.com/hdd/support/dftreadme.htm)

Or a bootable CD:
http://www.hitachigst.com/hdd/support/downloads/dft32_v407_b00.iso

*** WARNING ***
Stick ONLY to the processes that analyse and test the hard drive, eg. Drive Fitness Test, SMART Operations, and Drive Info.  These should not damage data on the hard drive.

The other utilities on the drive WILL destroy your data, eg. The Low Level Format will wipe everything off the drive, and you will have to repartition it from scratch again.  Similarly, the "Erase Bootsector utility" is intended for radical purposes like getting rid of boot sector viruses, etc.

Read the User Guide first.  It explains how to access the correct options from the Boot Menu of the CD or Floppy:
http://www.hitachigst.com/downloads/dft32_user_guide.pdf

Just for your info, S.M.A.R.T. is predictive monitoring based on previous and ongoing logging of various aspects of the hard drive.  If it THINKS that the drive's performance is beginning to go downhill, for instance it is hunting more or taking longer to spin up, then it will warn you. It isn't always correct, but you can't take that risk.
http://en.wikipedia.org/wiki/Self-Monitoring,_Analysis_and_Reporting_Technology

One utility that allows you to see details of SMART monitored activity is Everest.  There was a FREE utility named AIDA32 which was created and continually updated by a Hungarian guy named Tamás Miklós up until 2004 when he was taken on in a senior role by a Canadian company named Lavalys (http://www.aida32.hu/).  AIDA32 was then modified, but continued as a freeware product known as "Everest Home Edition" until 1st December this year when they decided to ditch the free version in favour of retail only versions.
http://www.lavalys.com/news.php?article=31&selcat=PR&lang=en

The good news is that the last of the freeware versions (Everest Home 2.20) can still be downloaded from independent sites like this:
http://fizika.hfd.hr/~ftpdir/Utils/everesthome220.exe

That's the installer version of the program.  To download a zip file containing all the program files that will run everest.exe as a standalone without installing, open the following page:
http://www.softpedia.com/progDownload/EVEREST-Home-Edition-Download-16369.html
and click the link "Softpedia Mirror (RO) - Stable" to start the download.

Once you have Everest running, open the "Storage" section, and then the "SMART" sub-section to see the logged performance.

If the problems are mechanical, then you are as well throwing the drive in the trash. If problems are to do with degrading magnetic properties of the disk's platters, then you can sometimes breathe a new lease of life into it by doing a low level format, then repartitioning and formatting the drive.  It's hard to know if it is mechanical or magnetic though, and low-level formats take a long time and aren't absolutely guaranteed success.

Hope this helps.
 
LVL 38

Expert Comment

by:BillDL
ID: 16931901
That's a good explanation in that link of yours Merete.  I've been avoiding giving links to the pcguide.com pages recently because I found that the pages have been coming up blank but with the mottled grey background showing.  That one comes up OK though.  Must be my browser, or maybe the site was being maintained at the times I've tried.

Sorry if my comment seemed to repeat what you said, but almost an hour later.  I was trying to find that Hitachi model number, and then went for a coffee before posting my comment.  Isn't it marvellous when two great minds think in parallel like that ;-)
 
LVL 38

Expert Comment

by:BillDL
ID: 16931993
I feel that I should emphasise that my discussion about Low Level Formatting is NOT something you should try UNLESS you are about to throw the drive in the trash can.  It's an absolute LAST resort.  In fact, most utilities that purport to do a LLF on a hard drive are actually doing a zero-fill instead.  This isn't quite as radical as a proper LLF performed in hard drive assembling labs, but is still not something to try unless as a last resort.  The "Erase Disk"  utility on the bootable floppy/CD from the Hitachi download is NOT a true LLF - it just zero-fills ALL sectors, including the boot sector with total data loss.

Error codes for the Hitachi Drive Fitness Tests are shown on page 29 of the manual:
http://www.hitachigst.com/downloads/dft32_user_guide.pdf
You can also verify the SMART results from one of the menu options.
 
LVL 69

Expert Comment

by:Merete
ID: 16932510
@BillDL :) sharing a coffee sounds good.
 
LVL 38

Expert Comment

by:BillDL
ID: 16935129
Yeah, I reckon we could have all the world's computer problems sewn up over a few coffees :-)
 
LVL 38

Expert Comment

by:BillDL
ID: 16949073
Thank you, midan
 
LVL 69

Expert Comment

by:Merete
ID: 16949079
cheers midan
