Hi, i need some urgent advice, please read everything because it's important for any help given and i apologise for the long thread. After a hard drive failed on a computer i built for my nephew i bought it home to arrange for an RMA etc and to try and recover what files i could, the hard drive was disconnected completely from the mobo for security. I had an old trusted pata drive that i keep loaded with windows xp for my own pc in case of emergencies, i decided to install this into my nephews pc and install windows xp back on to it, i plugged the hard drive into the my nephews pc and booted into the bios to change boot order etc when i realised i had forgotten to format the drive, windows installation warning, putting two operating systems on the same hard drive etc. So after disconnecting my own hard drive from my pc i put into my pc and run four scans with AVG, AVG AntiSpyware, SuperAnti-Spyware and Karpersky online scanner just in case and then ran killdisk to erase the drive. I put the drive back into my nephews pc and started the window xp install. While this was installing i decided before i plugged my own drive back into my pc to clear the bios by taking the battery out for a period of time, after plugging my drive back in and booting up it all started, AVG instantly started picking up viruses every 5 to 10 seconds, i healed them as they appeared but every minute or two AVG would stop working with a warning about a missing dll and that re-installing the program might help. This carried on with shut downs and reboots, every time it re-booted i got the black screen with the small windows login and password box, i had to keep repairing AVG and healing files for some hours, i could not do a windows restore and other functions seemed disabled as well, i also got the error message come up that some of my system files had been replaced etc, please insert the windows cd now but it was prevented or could not copy the files, eventually after many hours everything was back to normal and i did a windows repair to get the effected functions back, scanned and rescanned with no infections. Now hear is my concern, after doing a full format of the wiped had drive and installing windows xp on my nephews pc i installed my firewall first, no connection to the internet, all cables unplugged, then installed all my usual security programs including AVG 7.5, after configuring my firewall i connected to the internet and updated my security programs, then bang it started all over again on my nephews newly installed windows pc, it was easier this time to deal with but very similar and below is a list of the viruses healed, AVG keeps emptying the virus vault so some info is missing, there were more programs effect on my own pc but it was very similar. There was no contact with the damaged hard drive what so ever, i had removed the ram and drive from my nephews pc only inserting the ram back in to install windows and a different clean hard drive as mentioned, so have i been infected with a virus that was on his motherboard, i've been reading all of the for's and againsts for these viruses existing and it's about 50% they do and 50% they don't, these include professional pc engineers opinions and experiences. I rang the makers of my motherboard Gygabyte, who advised me the only way to be sure was to return it so they could check the bios codes, so they obviously believe it's possible or even a normal hazard. Please tell me if there could be another way that this could have happened, or is my mobo now infected? Viruses detected on fully formatted newly installed windows xp pc, not all info available: C:\WINDOWS\system32\msvcr71.dll msvcr71.dll C:\WINDOWS\system32\jscript.dll jscript.dll C:\WINDOWS\system32\dllcache\jscript.dll jscript.dll C:\WINDOWS\system32\jscript.dll jscript.dl C:\WINDOWS\system32\msacm32.drv msacm32.drv xrg.exe Local Settings\Temp\Trojan Horse Downloader 7AVKJ iebtu.exe Program Files\Application\Trojan Horse.Generic 11.ANZI iebu.exe Program Files\Application\Trojan Horse Downloader ZLob.ADKV wcu.exe Program Files\Application\Trojan Horse Downloader ZLob.ADDJ oanlvs.dll C:\WINDOWS\system32\Trojan Horse.Generic.11.AOUQ A0003046.EXE C:\System Volume Information\restore(0210FB49-66DF-40EA)Trojan Horse Downloader ZLob.ADLR Thanks for your help.
Thanks for all your help, by the way i was assurred by some computer engineers with over twenty years of experience that a virus in my bios, sounds like a nasty disease, was almost impossible. Can certain viruses survive a full format, if it's in my bios it's a whole new world of hurt and the end of computing for me, could the viruses i,ve listed been kept in my bios or do you think it's more likely they were on the hard drive, survived the full format, then when AVG 7.5 updated it picked them up and bang!, thanks again.
Hi rogue20 I would say that you are not infected with a bios virus for the following reasons: 1. Motherboard viruses have to be specific to hardware, version, and brand. This is highly unlikely that you happened to be infected with a virus specific to your motherboard brand exactly. 2. Motherboard viruses that have the capability and patience to download files to the PC and then run from there is also very unlikely. 3. The files you have are known trojans that have not been found to infect motherboards. They are trojans which download other malware, and sneaked into your system either by being downloaded by other malware on your PC or pretending to be a valid program that you installed. As hinted here: it seems that malware on your PC, when internet was enabled, managed to download these trojans. So... I would say it's more likely that you installed malware accidentally on the PCs after reformatting it. Best Regards
Thanks for your help, i tried a new install with the same windows xp installation disc, installed firewall and security program's from different source, same thing. Now trying a different windows xp cd because at the moment it could be a possible source, it is genuine, but it would have to be a virus timed to activate on a certain date if this is the case, or it could be coming from the AVG 7.5 update, i've found out that updates for this version were meant to end a few months ago? I will let you know what happens and use another source for my security programs again, the only thing that i've changed when connecting to the internet is i'm connected directly to my modem instead of going through my router which i use as an extra firewall. But there's worse, with all the worry caused by the the virus problems the files i saved from my nephews failing hard drive have been lost, i thought i saved them to my pen drive and have done a full format of the new drive and re-installed windows, i'm embarrassed and feel terrible, do you know of any good software that might recover them, it's a long shot i know, thanks again for your advice and help.
ccleaner http://www.filehippo.com/download_ccleaner/download/cce8fe21916a4d3c9d82be054cf5519a/ avg free edition http://www.avg.com/filedir/inst/avg_free_stf_en_8_176a1399.exe spybot search & destroy 1.6 http://www.majorgeeks.com/download2471.html data recovery programs http://www.majorgeeks.com/download5301.html http://www.ontrack.com/freesoftware/ http://www.z-a-recovery.com/download.htm http://www.snapfiles.com/Freeware/system/fwdatarecovery.html http://www.pcworld.com/downloads/collection/collid,1295-order,1-c,downloads/files.html http://www.easeus.com/ http://www.ntfs.com/products.htm http://www.pcinspector.de/download.asp?language=1#file_recovery http://www.cgsecurity.org/wiki/TestDisk
Hey rogue20 For recovering files I recommend the freebie Recuva, from the same author as CCleaner. It's deep scan is pretty powerful. Best Regards
Thanks for all your help, it now seems certain it's my so called genuine windows xp cd or the AVG update, if it is the cd then it must have been a dated virus? Just one more process of elimination to be sure, i still use the AVG 7.5 version as i found there new version would slow my pc to a crawl, so it needed a lot of configuring, and the odd thing is on the AVG forum they stated that updates for the 7.5 version were to end, i think in late August 2008, but mine still updates on a regular basis?. As for recovering the lost files, i've been up all night trying different deep scanning programs, only one found a folder which i could recover, it was because i had to re-install windows twice because the virus was disabling everything, so one format and re-install there was a good chance, but two, it's gone. What IP address would you like next? please stop showing everyone or i'll have to change it constantly, at least that program works.
what are you talking about ip address for? avg8 dosen't slow my pc down much as i'm running a p4 2.53ghz with 768 megs of ram.
Oh, just in all the replies above, not yours, there's a litte hacker banner showing my IP address and other details, not hard to do but i didn't know if everybody could see it, i guess not. Yes i'm sure AVG8 is ok, it just needs to be installed properly, i think you have to disable something when installing it, which in the free version it doesn't do anything anyway, there's been lots of people having the same problem. I'll try it again but the 7.5 version seems to be working ok for now, i guess they extended the update support.
haven't disabled anything when i installed avg8 on customers' & friends' computers including my own desktop pc & laptop.
Everyone else sees whatever settings apply to them. I see that I use SBC DSL with Firefox as browser...
Looks like i spoke to soon, i started to wonder why this was happening on two pc's, it happened on my nephews pc even after three full formats and re-installs of windows, each time the installed programs were from different clean souces from the first one. I decided to do exactly the same thing just after i had put my spare hard drive back into my nephews pc after taking it out of mine. I removed the battery again for a few minutes, when re-inserted i booted up and got a bios error screen, then a count down and it would reboot into windows, then the AVG error signature ModName msvcr71.dll and AVG would crash. Obviously i thought of the clock resetting but even after that was set it took many attempts to get it to install, then when it did and i started to update the virus alert would start, file msvcr71.dll, if healed or moved to the virus vault AVG would crash again, but here's the odd thing, something was trying to connect to AVG through my fire-wall on port 1010, i blocked it this time as i believe this is when the trojan's were downloaded the first time. Now obviously this could be caused by the resetting of the bios clock, would this have this effect on AVG? but this is how it started the first time with the mass attack, is something trying to protect it self from detection by taking control of AVG, opening up ports and downloading trojan's to throw up a smoke screen. And why would the exact same thing occur three times on another pc, who's battery was not removed and after the first AVG errors, infected msvcr71.dll, trojan's were detected or it would be system files that needed constant healing, then finally when it stopped windows be at a crawl. I just can't think of anything other then something in the bios thats spread, i did find this on another thread, "Last real nasty I saw off limewire actually run and trash a system started downloading without even being selected.. so much for norton too.. it got infected itself and then helped replicate the virus.. it just came and ran with no interaction from the user at all. I know the name of a really nasty virus that will need a complete format, then a 3 pass wipe with killdisk, followed by a total repartition and reinstall, a bios virus check and a ram virus check to remove completely.... should I give the file name for the limewire fans... alladobekeys&serials2k7... there you go. Probably circulated by adobe themselves.. and believe..it's a hottie " No i don't use limewire but i have used emule in the past, but i've been having problems since i finished this build?, have i now infected or been infected by my nephews pc, or is it AVG that's being used by a virus from the two pc's bios, there's one other strange thing, since this first happened the classic symbol for AVG in add and remove programs has changed? this is also in the program folder.
Hey rogue20 Hmmm... that's all very strange. AVG 7.5 crashing? But by resetting the motherboard, any malware in the motherboard should have been erased. Could you try to format/reinstall Windows on the hard drive? This time, do not install any programs or even connect it to the internet. If the crashes continue, it may be hardware problems. Best Regards
Could i just ask you one more question, i apologise for my last reply as i was very worried and it was written in haste, and with the flu to top it off, the irony. I've just bought a new external hard drive as my other one is full and i was going to keep duplicates of all my files, would it be safe to connect them or if this does turn out to be a malacious program or worm etc would it just jump to them, thanks again.
Hey rogue20 If the infected hard drive is inactive (no programs are running from it), it probably shouldn't be able to infect other hard drives. However, if an autorun.inf file is placed at the root of a drive, it will contain instructions that loads a program when the drive is accessed, thus making it possible for malware to load from an infected hard drive. Read here for more info: http://en.wikipedia.org/wiki/Autorun Be sure to delete autorun.inf (if it exists) from the infected hard drive first. Best Regards
