Virus on laptop Windows Vista Ultimate

I have a virus on a laptop.  What has happened is all of the program files, users, etc. are gone - all desktop icons also disappeared.  After looking at the laptop, I realized that all of the folders were hidden (greyed out).  I unhid the folders and program files, program data but the virus is still there.  I was running AVG and it detected the virus, but I cannot get rid of it.
Has anyone seen this?  How do I get rid of it?

I can log into it and navigate to the internet, but still need to rid the virus.
manch03 asked:
sarasotamac (IT Manager) commented:
Start with Malwarebytes, if you can install it. Run it a few times.
0
sarasotamac (IT Manager) commented:
Download from http://www.malwarebytes.org/ and make sure to update it before scanning.
0
mmicha commented:
Malwarebytes is a good program for cleaning as suggested.  You may also want to run it from safe mode rather then the normal login.  You can get to it by rebooting, holding down F8 key, and selecting "safe mode with networking".
0
☠ MASQ ☠ commented:
0

PSGITech commented:
I used to like Malwarebytes...recently it's not cleaning the infections... try Combofix

http://www.bleepingcomputer.com/download/anti-virus/combofix

You will need to disable AVG temporarily...tools ->advanced-> temp disable AVG.

Run ComboFix but only download from Bleeping Computer.

Then I do a custom install of the old version of Spybot 1.6.2 without the realtime components; the Tea Timer sucks. Update and Immunize and then Search and Destroy to remove the bad guys, and then run a registry cleanup. CCleaner is an effective tool.
0
☠ MASQ ☠ commented:
Whoa! Please do not use CCleaner on this particular kind of infection.  This particular nasty moves your important files to temporary folders, which is what CCleaner erases.
0
PSGITech commented:
After the infection is cleaned use CCleaner for registry cleanups
0
manch03 (Author) commented:
In safe mode, running Malwarebytes a second time. Waiting for that to finish. The last scan found 3 trojans and I removed those. It takes a while, so I will get back with you.
0
manch03 (Author) commented:
Second scan - same 3 viruses , selected to remove and rebooting again.
0
manch03 (Author) commented:
3rd scan with Malwarebytes and the same 3 viruses appear - it is not removing them. I will go to the other site and try those solutions.
0
manch03 (Author) commented:
The other issue - access is denied on every folder I try to open on the C drive -
annoying.  I have the user access control off and I cannot get into any folder - access is denied.  I am a local admin on the laptop - how do I get around this?
0
Russell_Venable commented:
Which folders are you trying to access? They're most likely owned by TrustedInstaller. Can you post the log for Malwarebytes? Umm, also, if you're getting help from another site it makes it almost impossible for us or anyone else to help you. The malware symptoms you talk about do sound like a rogue antivirus infection.

What happened during this infection? Did you receive a popup with a security tool, antivirus, cleaning tool, or some other advertisement?
0
manch03 (Author) commented:
This has gone from bad to worse.  I tried installing the anti-virus that was suggested on the link - alvira - could not install - stopped responding.  Then I rebooted and all I get now is: "System Message - write fault error. A write command during the test has failed to complete. This may be due to a media or read/write error. The system generates an exception error when using a reference to an invalid system memory address. Cancel / Try again / Continue".
Then this S.M.A.R.T. Repair comes up with multiple messages - hard drives diagnostic report -
hard drive boot sector reading error - critical.... and goes on and on.  Then I click on Repair and it is something that I need to purchase.  This is in normal mode - not safe mode.  There is nothing in the start menu - it is completely blank (empty).  Yesterday, it told me the hard drive was missing and it would not even start.
0
☠ MASQ ☠ commented:
This is scareware, you have Smart HDD/System Check still infecting your system, the error messages are fakes trying to get you to part with money for a fix that isn't needed.

Please read through the link I posted, run The Killer followed by MBAM, don't restart between running the two.
0
☠ MASQ ☠ commented:
Here's a step-by-step guide if you prefer
http://www.bleepingcomputer.com/virus-removal/remove-smart-hdd
Feel free to post back at any stage if you're having problems.

Be reassured that your computer is actually OK, it's just the malware that's making it appear to be failing.
0
manch03 (Author) commented:
This laptop will not allow the rkill to run. It terminates immediately. Access is denied. I could not even go to that site with the laptop. I had to download it to a USB drive, copy to the desktop (the renamed one) and it also terminated that one. Is this what it should do?  Should I run the mbam now?
0
manch03 (Author) commented:
Renamed one. Sorry about that.
0
manch03 (Author) commented:
Ok. Finally got it to run. I ended up running unhide and then ran the explore.exe file again and now making some progress. Running mbam now. Will keep you updated.
0
manch03 (Author) commented:
Ran mbam - found 31 bad things - removed those - should I run this 3 times to make sure they are gone?
0
manch03 (Author) commented:
Lost power - computer shut down - rebooted into normal mode and it looks like it is back.  Darn,  I will have to start over again.
0
sarasotamac (IT Manager) commented:
At this point, I would recommend trying to save data and rebuild. With this many issues I would start with fresh OS. If you can save files do that and reformat. If not this could continue for a long time.

Just my thought.
0
manch03 (Author) commented:
That is what I was thinking - especially after 3 hours of scanning and removing and then it comes right back....
0
sarasotamac (IT Manager) commented:
Sucks, but you know it will be fixed.
0
manch03 (Author) commented:
@Russell - no I am not getting any advice from any other site - I clicked on the link above to run the kill program, which worked.  I was following the directions on that site that the link describes above.  Should I not do that?
0
manch03 (Author) commented:
@Russell - This is not my laptop - so I am not sure what happened, except I was told that all the icons disappeared off the desktop and all the folders appeared to be empty under the C drive.  Everything was listed as empty.  Then I realized they were all hidden, and when I unhid the files through Windows, they appeared, but still were greyed out, so I knew something was wrong.
0
Russell_Venable commented:
Those instructions are fine. I can definitely work with that. We do need to see the logs generated by Malwarebytes and any other tools used during this process. Tell me your progress after you have attempted the above link as well.
0
manch03 (Author) commented:
Ok - Had to start all over and mbam is running now - has been for 1 hour 45 minutes -  I will post that log when it is finished.
0
manch03 (Author) commented:
Here is the log - I have not rebooted it yet - I am afraid this will come back.
I will wait for instructions on what to do next.

Protection: Disabled

4/16/2012 9:54:50 AM
mbam-log-2012-04-16 (09-54-50).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 718595
Time elapsed: 2 hour(s), 4 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 15
C:\Windows\System32\KS0108.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\AGV.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\aslm75.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\firelm01.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\gs30s.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\GTF32BUS.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\HBtnKey.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ivscheduler.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\pxfhmdfl.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\qkbfiltr.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\rt73.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\swupdtmr.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\viaagp.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ZDPSp50.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
0
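To make a log like the one above easier to read at a glance, here is an added example (not code from the thread or from Malwarebytes) that parses the Malwarebytes 1.x log format as posted, counts detections per name and per parent directory, cross-checks each section's declared count against the entries actually listed, and flags the two things a responder would want to notice in this log: real-time protection was off, and many differently named DLLs in System32 all carry the same rootkit detection. The sample log is constructed from the post above and abbreviated to two of its empty sections and five of its fifteen file entries; the regular expressions assume the "Key: value", "<Section> Detected: n" and "<item> (<name>) -> <action>" line shapes visible in that log.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: the Malwarebytes 1.x log posted in the thread, abbreviated
# to two of its empty sections and five of its fifteen file entries.
SAMPLE_LOG = r"""Protection: Disabled

4/16/2012 9:54:50 AM
mbam-log-2012-04-16 (09-54-50).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 718595
Time elapsed: 2 hour(s), 4 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Files Detected: 5
C:\Windows\System32\KS0108.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\AGV.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\viaagp.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\System32\ZDPSp50.dll (RootKit.0Access.H) -> Quarantined and deleted successfully.
C:\Windows\Temp\ms0cfg32.exe (Exploit.Drop.CFG) -> Quarantined and deleted successfully.
"""

# "Key: value" header lines (Protection, Scan type, Objects scanned, ...).
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z /]*): (?P<value>.*)$")
# "<Section> Detected: <n>" lines that open each detection section.
SECTION_RE = re.compile(r"^(?P<section>.+?) Detected: (?P<count>\d+)$")
# "<item> (<detection name>) -> <action>" lines listed inside a section.
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Split a log into header metadata, per-section counts and detection entries."""
    report = {"meta": {}, "sections": {}, "entries": []}
    current = None  # name of the section whose entries we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):
            continue  # blank lines and "(No malicious items detected)"
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            report["sections"][current] = int(m.group("count"))
            continue
        if current is None:
            m = HEADER_RE.match(line)
            if m:
                report["meta"][m.group("key")] = m.group("value")
            continue  # the date and log-file-name lines carry no key; skip them
        m = ENTRY_RE.match(line)
        if m:
            report["entries"].append({"section": current, **m.groupdict()})
    return report


def summarize(report):
    """Count detections by name and by parent directory; check declared vs. listed counts."""
    entries = report["entries"]
    by_name = Counter(e["name"] for e in entries)
    by_dir = Counter(
        str(PureWindowsPath(e["item"]).parent).lower()
        for e in entries if e["section"] == "Files"
    )
    listed = Counter(e["section"] for e in entries)
    # A section whose header count differs from the entries listed under it
    # usually means a truncated or hand-edited log.
    mismatches = {
        s: (n, listed.get(s, 0))
        for s, n in report["sections"].items() if n != listed.get(s, 0)
    }
    return {"by_name": by_name, "by_dir": by_dir, "mismatches": mismatches}


def findings(report, summary):
    """Plain-language observations a responder would want from this log."""
    notes = []
    if report["meta"].get("Protection", "").lower() == "disabled":
        notes.append("Real-time protection was disabled while the scan ran.")
    for directory, n in summary["by_dir"].items():
        if n >= 3 and directory.endswith("system32"):
            notes.append(
                f"{n} detections under {directory}: a rootkit family living in the "
                "system directory; on-disk cleanup alone may not hold if the boot "
                "chain is also compromised."
            )
    return notes


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    summ = summarize(rep)
    print(summ["by_name"], summ["by_dir"], summ["mismatches"])
    for note in findings(rep, summ):
        print("-", note)
```

Run it against a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file's contents; the per-directory counter is what makes the "same detection, many System32 DLLs" pattern obvious without reading fifteen near-identical lines.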
☠ MASQ ☠ commented:
If it helps, at this stage you need only run the Quick Scan in MBAM; that will cover all the likely locations. Once everything comes up clean in the quick scan, then you could run a full scan just to cover all the bases.  Remember, until you get a clear scan, to run RKill or TheKiller before the scan and run MBAM without restarting.

From the log looks like you've got the Smart HDD infection sorted, you may find there's still a folder for on C: which simply needs deleting.
0
manch03 (Author) commented:
I am running another big scan - takes forever, but should be worth it - not sure if it is totally gone - I cannot change the background from black to a different color.
0
manch03 (Author) commented:
So far 9 infections found again...  I am so tempted to wipe this out, but there are many licensed manufacturing programs on it and the programmer is worried this will wipe out all the licensing, etc. etc. which it will, but if I cannot get rid of this, I have no choice.
0
sarasotamac (IT Manager) commented:
I think you are wasting your time. This is so bad, even if it is cleaned, it messed with folder permissions; this laptop may be unstable after you fix it. He got a virus, not you. Salvage what you can, rebuild, help the next person.

Surrender! White flag!
0
manch03 (Author) commented:
@sarasotamac - you are right - I bit the bullet and did the restore to factory settings - too much time wasted on this - I have to support this, so this is probably for the best.  Just hope all my copying of all the files worked and I don't copy the virus back into the laptop.  But it was a good effort.
0
manch03 (Author) commented:
Although I could not get rid of the virus because it was too embedded in the system, these were both good tries.
0
Russell_Venable commented:
I got really busy today. Things came up. You needed to flush the MBR even with a new re-install. Sorry to say, but it was possible to get it back to normal, especially with this kind of rootkit. I've done this many times over.

If it's still possible, you need to definitely wipe the Master Boot Record. A few tools that do this are the Win Vista/W7 Repair disk (best way) or bootrec from the Windows Installation disk (best way), the aswMBR tool, and mbrfix.exe.

You can also do a check/repair using MBRCheck. This one outputs a logfile to the desktop. Just for future reference.
0
PSGITech commented:
I repeat....

I used to like Malwarebytes...recently it's not cleaning the infections... try Combofix

http://www.bleepingcomputer.com/download/anti-virus/combofix

You will need to disable AVG temporarily...tools ->advanced-> temp disable AVG.

Run ComboFix but only download from Bleeping Computer.
0
manch03 (Author) commented:
Even the restore from the D drive was corrupt so I wiped out the disk and reformatted - hopefully this gets rid of it right?
0
sarasotamac (IT Manager) commented:
Yes it will.
0
Russell_Venable commented:
Are you talking about the recovery drive that has the factory backup image? In most cases this should not be the case.

ZeroAccess does not touch the backup image. This would wipe any hope of restoring to the original out-of-factory condition, and is also troublesome if there is a lack of a Vista installation disk to restore damaged system files, which ZeroAccess has been known to corrupt on the main drive.
0
manch03 (Author) commented:
Yes, the recovery drive on the D drive of the laptop was corrupt.  I restored it and had the same problems - could not update windows at all.  In addition to having the virus it also started with this original problem.  I ended up wiping it out, formatting the drive and a clean install of windows.  It is perfect now.
0