Spyware, Viruses, & Security forum

General discussion

Help with virus removal

by jake194858 / December 13, 2012 1:33 PM PST

I am working on a friend's computer. I have never seen anything like this before.

I believe this is a virus. Symptoms include:

1) error 993 on C drive. A recovery CD of XP and chkdsk /p and chkdsk /r find problems, but still get error 993. Rechecking the disk says no problems but error 993 still exists.

2) XP Services will on their own suddenly change to disabled. Even the sound drivers!

3) If I copy or download any files to the HD, it will download, but then disappears. You can actually watch this happen with windows explorer. I have to copy files to a thumbdrive and then load them from there.

I have tried just about every antivirus, adware and malware software with no effect. I have had some things that may have contributed to this. The friend had a few internet search bars, including Yahoo and Babylon. This has helped with some stability, but these 3 items are still a major concern.

Thanks for help!

About item 1.
by R. Proffitt Forum moderator / December 14, 2012 2:12 AM PST

That's an EXPECTED error in some situations. There is NO CURE! If chkdsk is clean, then ERROR 993 is expected when you use such a check in the OS as noted at
http://www.daniweb.com/hardware-and-software/microsoft-windows/windows-nt-2000-xp/threads/7087/error-993-partition-contains-open-files.-use-the-operating-system-check-utility

That was 7 years ago and is not going to be fixed. We hope folk can catch up on why it happens but it does and that's that. Sorry if this sounds harsh.

Items 2 and 3 sound like rootkit or other issues. Here's a QUICK TEST I perform. Go get RKILL as noted by Grif and tell me the output.

Grif writes more at http://forums.cnet.com/7726-6132_102-5098912.html?tag=posts;msg5099421

Bob

damn!
by jake194858 / December 14, 2012 1:28 PM PST
In reply to: About item 1.

I did all you asked and more so. I used all of the bleepingcomputers security programs. No help.

The only thing that looked something of a problem was.

Checking Windows Service Integrity:

* RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

I followed that and I didn't find anything.

----------------------------------------------------------

This is a very nasty virus. Here is why.

I cloned the drive to another hd drive. Then I booted to the cloned hd drive.

This hd has 3 (boot) primary and 2 (data) non-primary partitions.

The 993 error is on the main 3rd primary partition

I then deleted the 1 & 2 primary partitions. I made a new bigger 1st primary. I then copied the 3rd primary to the 1 primary.

I booted into the 1 primary and lo and behold the 1 primary had a 993 error! The 3 primary had no error!

I booted back into the 3rd primary and it now had the 993 error and the 1st primary did not!!!!!!!!!!

This is some crazy crap! The 993 error follows the active partition!

I completely uninstalled PM8 thinking it could be the problem.

I went back into the recovery cd and did a chkdsk /p. It said "found one or more errors on the volume."

The chkdsk /r did not find a problem.


I am going to reformat and reinstall!

thanks

Some errors can not be fixed with CHKDSK.
by R. Proffitt Forum moderator / December 15, 2012 1:19 AM PST
In reply to: damn!

But it was my WILD GUESS you had partition magic. It's a known issue that has old discussions. I tried to be a little too blunt about it and it's no reason to format in my opinion.

It is a reason (among many) to keep your backups up to date but for that alone I would not be formatting.

-> * RpcSs => %SystemRoot%\system32\svchost.exe -k rpcss [Incorrect ImagePath]

Now that's interesting and something to post on bleepingcomputer forums to ask about. I'm encountering rootkits that show up like that. It's not a sure sign but it's what makes me dig deeper.
Bob

Damn!
by jake194858 / December 15, 2012 2:47 AM PST

I have used PM for a lot of years and I haven't had a problem like this before.

I am now doing a low level format on a completely different hd to see if the 993 goes away.

Now no PM. Low level format and new XP install. The 993 persists! With just one primary partition. This 993 error has to be a hardware error.

On the other post there was the mention of the bios interfering in the cmos. I checked that several posts ago. No cmos switch to toggle on and off in bios about boot or any other lock for virus. I have seen that on some of my MBs so I knew what it was.

This has to be a hardware problem, not software. The computer I am working on has so many other problems I am reinstalling xp anyway.

What is even stranger is this is an Intel MB and only about 2 years old.

thanks


Thanks

Damn!
by jake194858 / December 15, 2012 3:06 AM PST
In reply to: Damn!

An interesting thing is that dos and xp do not have a problem with the 993 error. PM does though.

After XP updates all this makes sense to me.
by R. Proffitt Forum moderator / December 15, 2012 9:12 AM PST
In reply to: Damn!

With more files protected my thought is the PM 993 error is expected. There are a lot of discussions about it, but to me it looks like OK, that's going to happen.

I wish I could condense a course in Windows SFP here but for now it looks like it was doomed anyway, maybe not back a few years but today with all the patches that removed a lot of 16 bit support and more protection, PM will die.

This is why I would not use that as a reason to format/start over.
Bob

As I proved before
by jake194858 / December 16, 2012 9:13 AM PST

With all the tests I did, with and without PM, it is not PM that is causing it. It is hardware based, at least on this machine.

I did a new HD and on a new install of XP, without PM, I was still getting from the recovery disk on chkdsk /P error.

Since I have my own computers with xp and PM without error 993, it has to be that specific hardware.

After all these posts.
by R. Proffitt Forum moderator / December 17, 2012 12:16 AM PST
In reply to: As I proved before

I can't tell what app gives the error 993. Chkdsk doesn't issue such codes. And we know that PM could.

I've had to guess from your very first post that Partition Magic had a part in this story. It did and since there are discussions about it and I see how it could fail, my failing is how to convey that back to you.

For your part, you should, when working issues like this, detail out how to create the message. If it comes from PM then it's a question for them to see if they have an update to handle MSFT's updates.

There are also some outer edge issues such as XP and drives over 127GB but that detail may or may not apply. I'm sure you know about that issue.
Bob

errors
by jake194858 / December 17, 2012 3:38 AM PST
In reply to: After all these posts.

Although PM does the 993 error, chkdsk was also giving an error found in DOS.

The last hd low level format and reinstall of xp, without PM, chkdsk was still giving the found errors under /P. This is not stated as a 993 error, but just an error the same.

You said low level format. That's odd.
by R. Proffitt Forum moderator / December 17, 2012 4:17 AM PST
In reply to: errors

Today's drives do not offer such a feature. Can you supply which drive this is? Low level formatting is now quite rare but you will encounter folk that redefine this as a wipe of the drive with something like DBAN.

DOS is rarely used with NTFS. So again I wonder if you are writing about the XP Command Prompt but can't tell.

Sorry about this need to be exact but I'd like to see if we can recover from the normal XP partition and formatting. Once in awhile you find a machine and user that can't do the work without PM and they are good for our shop counter business.
Bob

You must be young
by jake194858 / December 17, 2012 10:46 AM PST

The HD is an older Maxtor 120 gb. And yes, I low level formatted it with my old Maxtor CD.

The error did not go away by formatting so I low level formatted just to be sure it wasn't the drive.

XP has DOS underneath. When you boot to the XP recovery CD, you are in DOS, not NTFS.

Since I have been building and repairing PCs since 1982 I think I can handle it.

No I'm older.
by R. Proffitt Forum moderator / December 17, 2012 12:15 PM PST
In reply to: You must be young

We did such back in the days of 5 megabyte to some just under 1GB drives but it's very rare.

My first program ran on the GE-210 and if you want to trade creds that's fine but if you want to maintain that's DOS when we boot XP CDs, OUCH!

It really doesn't matter as you let folk think it's DOS. Do you want to bicker or work the problem?
Bob

You have not understood
by jake194858 / December 17, 2012 1:48 PM PST
In reply to: You must be young

You have not understood what I have said. If you boot to the recovery xp cd, you do not have gui. You have xp's dos.

If you do a dos prompt when in xp, you are doing a dos shell.

I have written over 20 dos programs in Dbxl and Quicksilver that run in xp in ntfs.

To test your assertion.
by R. Proffitt Forum moderator / December 17, 2012 3:24 PM PST
In reply to: You must be young

Now try to add a DOS driver to that DOS. I see some folk call a command line DOS. Maybe that's your definition.

I've never found anyone able to do that to XP's command prompt. If you called it NTDOS that's closer to the truth.

Look, if you want to banter, sure. But wouldn't you rather tackle the issue?
Bob

DOS in XP
by jake194858 / December 17, 2012 7:20 PM PST
In reply to: You must be young

My programs were in 16 bit DOS. They run in XP 32 bit NTFS because XP has an underlying DOS structure. If you run a DOS program in XP GUI it goes into the XP DOS shell. My programs could also directly run from the recovery cd.

My programs ran DOS CMDs like making directories, converting data and printing to ports. Several of my utility billing programs for city governments, after calculating utility bills, exported ACH data on floppies for banks.

And I solved the error a long time ago. It was a hardware issue.

Full Set of DOS Commands with XP
for descriptions - go HERE

Command-line tools must be run at the prompt of the Cmd.exe command interpreter. To open Command Prompt, click Start, click Run, type cmd, and then click OK. To view help at the command-line, at the command prompt, type the following:

CommandName /?
Arp
Assoc
At
Atmadm
Attrib
Batch files
Bootcfg
Break
Cacls
Call
Change
Chcp
Chdir
Chkdsk
Chkntfs
Cipher
Cls
Cmd
Cmstp
Color
Command shell overview
Comp
Compact
Convert
Copy
Cprofile
CScript overview
Date
Defrag
Del
Dir
Diskcomp
Diskcopy
DiskPart
Doskey
Driverquery
Echo
Endlocal
Eventcreate
Eventquery
Eventtriggers
Evntcmd
Exit
Expand
Fc
Filter commands
Find
Findstr
Finger
Flattemp
For
Format
Fsutil
Ftp
Ftp subcommands
Ftype
Getmac
Goto
Gpresult
Gpupdate
Graftabl
Help
Helpctr
Hostname
If
Ipconfig
Ipseccmd
Ipxroute
Irftp
Label
Lodctr
Logman
Lpq
Lpr
Macfile
Mkdir (md)
Mmc
Mode
More
Mountvol
Move
Msiexec
Msinfo32
Nbtstat
Net services overview
Net services commands
Netsh commands (many)
Netstat
Nslookup
Nslookup subcommands
Ntbackup
Ntcmdprompt
Ntsd
Openfiles
Pagefileconfig
Path
Pathping
Pause
Pbadmin
Pentnt
Perfmon
Ping
Popd
Print
Prncnfg
Prndrvr
Prnjobs
Prnmngr
Prnport
Prnqctl
Prompt
Pushd
Query
Rasdial
Rcp
Recover
Redirection operators
Reg
Regsvr32
Relog
Rem
Rename
Replace
Reset session
Rexec
Rmdir
Route
Rsh
Rsm
Runas
Sc
Schtasks
Secedit
Set
Setlocal
Shift
Shutdown
Sort
Start
Subst
Systeminfo
System File Checker (sfc)
Taskkill
Tasklist
Tcmsetup
TCP/IP utilities and services
Telnet commands
Terminal Services commands
Tftp
Time
Title
Tracerpt
Tracert
Tree
Type
Typeperf
Unlodctr
Ver
Verify
Vol
Vssadmin
W32tm
Winnt
Winnt32
WMIC overview
Xcopy

What's the use of publishing a list like this?
by Kees_B Forum moderator / December 17, 2012 7:39 PM PST
In reply to: You must be young

It seems a list of things supported by a program called cmd.exe that runs in Windows XP and calls itself (in its right click properties) "Windows command processor".

That clearly isn't a Disk Operating System (which is what DOS stands for), but a Windows application. In fact, I think that most of these commands were unknown to MS-DOS 7.0 (the latest version of MS-DOS). So they aren't DOS commands.

And surely a "Redirection operator" isn't a command, but an operator. And "Ftp subcommands" aren't commands for the command processor either.

Only laymen call the Windows command processor "DOS". Some of them even call the BIOS-screens "DOS-screens", because they have white letters on a black background.
But laymen are welcome here also, of course.

Kees

So we're going to discuss what is DOS.
by R. Proffitt Forum moderator / December 18, 2012 12:03 AM PST

No, we're not. I'll let folk think that in order to work the issues. It appears you want to debate that and might have a stance on "What is the true UNIX?" which was rather famous.

We know there are issues with PM. If you remove that from the playing field you still have that CHKDSK issue.

But if the drive was partitioned and/or formatted with PM then I can see where this can fail. And have seen it fail.

Next time, take the blank drive and use only the XP CD to partition and format. CHKDSK will be fine unless the drive or host PC has a fault.
Bob

I'm done
by jake194858 / December 18, 2012 5:08 AM PST

You are an idiot. You have not heard a single thing I have said this entire time!

The last thing I told you about the error and drive is that I low level formatted it with a Maxtor CD. Then I formatted it with the XP installation CD while loading XP. NO PM!

I still had the chkdsk /p error when running the XP recovery CD.

It is a motherboard hardware error.

Done, over. Go pester someone else now!

I'll try if you will.
by R. Proffitt Forum moderator / December 18, 2012 5:17 AM PST
In reply to: I'm done

I've seen this error when the drive was prepared with partition magic. You did write you formatted it with the Maxtor CD so that could cause another source of the problem which we can deal with.

When you boot your XP CD, use the option to delete all partitions (I'll supply a link) then let Windows use the entire drive.

If after all that CHKDSK fails, you have some hardware issue.

-> Yes, I've had folk blow up that it can't be the hardware but I've swapped cables, boards and drives and the problem vanishes so how could it not be a hardware issue? I see you calling it a motherboard issue so if you knew this after all this, what are we bickering about?

I always like to do those last hurrahs to save you a few bucks and will keep trying.

Here's the link -> http://www.blackviper.com/os-install-guides/windows-xp-home-install-guide/
Step 5 is where I can delete possibly incompatible work done with those helpful maker CDs.
Bob
