"E" Drive Isn't Accessible, Help Please


yosemitest

Hi,

I don't see any sign of malware in your logs. Since your problem is not malware related, you can start a new topic in the PC Help forum.

There is only a bit of cleanup that we will deal with in this post, as well as prevention from future infections. :blink:

Remove Combofix now that we're done with it.

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  • Download OTC to your desktop and run it
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep a backup of your important files

Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Make proper use of your anti-virus and firewall

You should keep your anti-virus and firewall guard enabled at all times; don't shut them off unless there's a specific reason to do so.

Also, regularly performing a full system scan with your anti-virus program is a good idea to make sure nothing has slipped through your protection. Once every two weeks works well for many people. You can set the scan to run during a time when you don't plan to use the computer and just leave it to complete on its own.

Keep in mind that anti-virus programs are far from perfect. They don't protect you against every piece of malware that's out there, so don't trust them blindly. If an anti-virus reports a file as 'clean', that doesn't necessarily mean it is.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Keep all your software updated

It is important to keep up on system updates from Microsoft by regularly checking their website at: http://windowsupdate.microsoft.com/, as these patch critical security vulnerabilities and help to keep you safe.

It's also important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated. Java and Adobe Reader are two of the main security vulnerabilities. You can find the latest version of Java here, you will want the Java SE Runtime Environment (JRE) one. You can find the latest version of Adobe Reader here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Use a safer web browser

Internet Explorer is not the most secure tool for browsing the web. It has been known to be very susceptible to infection, and there are a couple good free alternatives: Firefox and Opera. Both are excellent faster, safer, more powerful and functional free alternatives to Internet Explorer. It's definitely worth the short period of adjustment to start using one of these. If you wish to continue using Internet Explorer, it would be a good idea to follow the tutorial here which will help you to make IE much safer.

If you decide to use the Firefox browser, the McAfee SiteAdvisor add-on will nicely help to enhance your security. This add-on tells you whether the sites you are about to visit are safe or not. A must if you do a lot of Googling.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Some other security programs

It is wise these days to have a few security programs installed and running on your machine apart from just an anti-virus and a firewall. I will list some of them.

  • A good anti-spyware program installed on your pc is very important to help remove any spyware that may have gotten on your computer. I highly recommend Malwarebytes' Anti-Malware.
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites in the future.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Be careful

Having security programs installed is very helpful to you, but none of them have the gift of human thought. The best way to make sure you don't get infected is to exercise common sense. Be careful of what websites you visit - if a site looks suspicious, trust your instincts and get out of there. Be careful of what attachments you open in emails and files you download from websites - check them over carefully to make sure that you know what you're getting.

Using peer-to-peer programs (eg: LimeWire, BitTorrent, uTorrent, Kazaa) or downloading cracks and keygens is something else to avoid. These are the most common way to get infected. Malware writers use these programs to spread infections as it is the easiest way for them. The majority of infections we see in the Malware Removal forum are due to people using p2p programs to download cracks/keygens/warez. These are not only illegal, but will always contain some form of malware. You have no way of verifying that the things you download are legitimate or that they don't contain malware. Even with an up to date anti-virus and firewall, some of these things will still infect you. It is highly recommended that you uninstall all peer-to-peer programs. It just isn't worth it.

Other common ways of getting infected are disreputable sites forcing you to download and install a codec. Or viruses using Instant Messaging programs (Windows Live Messenger, MSN Messenger, AIM) to send a file claiming it to be "photos" from a friend, only for it to turn out to be a virus.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Slow computer?

If your computer begins to slow down in the future for no particular reason, your first step should not be to come to the malware forum. As your computer ages and is used, its parts wear, files and programs accumulate, and its performance can decrease. To restore your computer's performance to its best possible level, follow the steps in this page written by malware expert Miekiemoes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll leave this thread open for a couple days in case you come across any lingering problems that need fixing, then I'll close it up. If you need it reopened for any reason just shoot me a PM. It's been a pleasure working with you, now best of luck!

Cheers,

Gammo :P

Hello,

I need help, please.

I was told to post on this forum and ...

I don't see any sign of malware in your logs. Since your problem is not malware related, you can start a new topic in the PC Help forum.

Here's my previous post Malwarebytes Freezes Up Scanning "E" Drive and here's the problem:

I scanned with updated Malwarebytes' Anti-Malware 1.46 Free Version.

It found 8 infected files:

Files Infected:

E:\My Folders to Back Up Hard Drive\(my name) Office Programs\Microsoft Office\Office\GRINTL32.DLL (Trojan.Srizbi) -> Quarantined and deleted successfully.

E:\My Folders to Back Up Hard Drive\(my name) Office Programs\Microsoft Office\Office\OUTFORM.DAT (Trojan.ADS) -> Quarantined and deleted successfully.

E:\My Folders to Back Up Hard Drive\(my name)Office Programs\Microsoft Office\Templates\Presentations\Managing HR's Changing Role - Dale Carnegie Training


How much of the information on the external drive is actually required material - If you only have backup items on it are they required -

Find a Manual on the external drive and see if it gives you enough information on cleaning it -

The information should be online for cleaning all the drive unit -

Have you or someone else put a password on the unit ?? Is the unit yours or someone else's ??


To Haider,

I can't easily check it against another working computer, at least for a couple of weeks,

unless I take it to a repair shop 30 miles away.

And no, I did NOT apply any encryption to that drive.

To Noknojon,

"How much of the information on the external drive is actually required material - If you only have backup items on it are they required"

Good question.

There are some files that I kept on this drive that aren't part of the "C" drive backup, that I'd like to have.

I believe I can get to an online manual from WD.

No, I haven't put a password on the drive.

The unit is mine, and is about 1 and 1/2 years old.

I think what is happening is a malware root kit that is loading before windows xp starts and I think it is also on my "E" drive.

All of my drives are hooked up during these scans, and "E" drive "light" on the external drive moves up and down, like it's working.

When I click on "Start" and on "My Computer", "E" Drive shows up, but when I click on "Properties", it shows up as a "local disk", file system "RAW",

used space "0" bytes, free space "0" bytes, Capacity "0" bytes.

It shows "Auto Play" and is selected for "Prompt me each time to choose an action".

I can select "mixed content" and click "apply", but if I check it again, it shows the same "auto play" and "music files".

Also, unless I unplug my ethernet cable from my computer for my DSL connection BEFORE I turn my computer off, when I turn it back on, my "local area connection" comes up with a "limited or no connection" and I then have to "Repair" it. After I repair it, it will come up connected and show 100.0 mbps connected.

I just don't understand how ...what I done ... could have caused this problem, without a MBR rootkit that was activated by my deleting one of those files.

But again, I'm NOT a computer expert.

Sincerely, Yosemitest.


I just don't understand how ...what I done ... could have caused this problem, without a MBR rootkit that was activated by my deleting one of those files.

You will find that you have basically only had your hard drive C checked and not the external drive -

The chances are that you loaded an infected item (or, in this case it looks like several items) onto the drive -

There are too many infections listed to load onto your normal system - Clean/erase is my choice -

My personal version would be to fully erase this drive (any way you can) and hopefully you will have a clean external unit again -

Regards -


To Firefox,

Thanks for the suggestion.

I went to the HirenCD site and asked them if it might help, after I explained the situation.

I'm waiting for an answer back in my e-mail.

To AdvancedSetup,

Then I shouldn't use "HirenCD"?

I haven't hidden my "E" drive, and Norton Ghost 12.0 hasn't hidden it before.

I don't know how to use the "Microsoft Recovery Console". :)

I'm not experienced with DOS. :)

When I restarted my computer, it gave me 3 choices.

"Microsoft Recovery Console"

"Do Not Select This, Debugger Enabled"

"Normal Windows XP SP3"

When I restarted my computer and used the "F-12" key, then started with my "CD Drive" and Norton Ghost 12.0,

then selected "Analyze", then "Explore", it came up as "wdext (I:)".

I opened it and saw 36 folders and 3 documents. The 3 documents were sized as "0" KB.

Of the 36 folders, 20 folders were titled "Recycler" and I don't remember them being there before.

The attributes to some of the folders and files were HS, R, and A.

Sincerely, yosemitest.


  • Root Admin

You restart and choose this one: "Microsoft Recovery Console"

http://support.microsoft.com/kb/314058

Then, once in, run the following command, assuming the E: drive is still a valid drive.

chkdsk e: /p /r

Let it run and when done restart the computer and see what you have now.


To AdvancedSetup

I did as you said with chkdsk e: /p /r and I can see it now under "My Computer".

Thank you very, very much. :lol:

I'm concerned though.

When I typed in "chkdsk e: /p /r" , it first did the following:

CHKDSK is checking the volume ...

CHKDSK is performing additional checking or recovery

CHKDSK is performing additional checking or recovery

CHKDSK is performing additional checking or recovery

50 % completed

Then it froze up.

So I held down the power button and cut it off.

Then I hit the power button again and when I got the option to reenter "Microsoft Recovery Console", I did.

I again typed in "chkdsk e: /p /r".

This time it did the following:

Volume wdext created 03/08/10 09:46pm

The Volume Serial Number is e212-d3ae

CHKDSK is checking the volume ...

CHKDSK is performing additional checking or recovery

CHKDSK is performing additional checking or recovery

CHKDSK is performing additional checking or recovery

(it got up to 72% completed, then it jumped back to 50% completed) 50% completed

Then it froze up, again.

So I held down the power button and after about 30 seconds, it cut off.

I restarted it into normal mode and found that "E" Drive appears normal. :)

I'm going to run a full scan with malwarebytes and with "Online Armor++".

Should I run a check of "ComboFix" and another scan of DDS?

Sincerely, Yosemitest


  • Root Admin

STOP doing that. That is how you are going to have bad sectors on the drive. It's busy doing work and unless your idea of frozen means you've already waited over an hour for it to continue then you just need to get a cup of coffee and wait. Let it do its thing. Forcing a power off when it's doing disk repair is a BAD IDEA. I would wait at least an hour before deciding that nothing is happening and no disk activity appears to be going on; sometimes it's doing stuff in memory so there won't be any disk activity either.

Let it run its course


To AdvancedSetup,

Okay, I'll try it again, or should I do it in a different way?

My "Online Armor++" Scan gets about 3/4 through the "E" drive, and then the computer will cut itself off.

I don't know why. I've cleaned the fans and made sure that nothing else is running while it scans.

Any suggestions?

Sincerely, Yosemitest.


To AdvancedSetup,

I ran it again, and at 5:33pm it went from 74% completed to 50% complete.

At 8:24pm it finished, and I typed "exit" and restarted my computer.

I'm going to update and rerun a Malwarebytes Full scan again, and after that finishes, I'll run "Online Armor++" Full scan.

Sincerely, Yosemitest.


To AdvancedSetup,

I ran malwarebytes again. Here's the log.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4866

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/18/2010 2:26:01 AM

mbam-log-2010-10-18 (02-26-01).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 404781

Time elapsed: 1 hour(s), 33 minute(s), 55 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

But "Online Armor++" Full Scan freezes up on "E" drive. I tried it with the ethernet cable to my DSL disconnected from my computer, and with it connected.

Both ways, it freezes up.

You said "It's possible you have a worm that is downloading tons of data onto the drive... don't know".

How would I find it, and get rid of it?

Sincerely, Yosemitest.


  • Root Admin

If you had one we should have detected it.

Please remove all old versions of Java and install the latest version. Then run this offline AV scan and post back the results.

It can take several hours, so please be patient and allow it to run its full course.

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


To noknojon,

Thank you.

I thought he was recommending an additional offline AV scan to do, BEFORE I did the "Kaspersky Online Scanner".

While I was waiting for an answer, I ran my "SUPERAntiSpyware Pro LIFETIME" "Complete Scan" and it found this.

Trojan .Agent/Gen-Nullo [short] [ 1 items ]

Files

E:\MY FOLDERS TO BACK UP HARD DRIVE\DOCUMENTS AND SETTINGS\YOSEMITEST\MY DOCUMENTS\ATT-SST.EXE

I removed it and then I ran the "Complete Scan" again and found this.

Trojan .Agent/Gen-Nullo [short] [ 1 items ]

Files

E:\SYSTEM VOLUME INFORMATION\_RESTORE{1593D9F2-BEBE-480D-9CDC-68B6495175A6}\RP6\A0009537.EXE

After this I checked the real-time protection, and found it not enabled.

I enabled it and scanned again with another "Complete Scan".

No harmful software was detected.

Then, I retried a Full Scan with my "Online++".

It was slow but it finished the scan this time.

Here's the results.

Online Armor++ Full Scan Oct 20 2010 4:22 pm.

Online Armor++ Scan took 12 hours 56 minutes 35 seconds.

This is what it reported.

C:\Documents and Settings\All Users\Application Data\Symantec\hpc\:3898751835 Suspicious (alternate data stream)

C:\Documents and Settings\All Users\Application Data\TEMP\:5C321E34 Suspicious (alternate data stream)

C:\Program Files\AT&T\Internet Security Wizard\ISW.exe:?SummaryInformation Suspicious (alternate data stream)

C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe:?SummaryInformation Suspicious (alternate data stream)

C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe:?SummaryInformation Suspicious (alternate data stream)

C:\WINDOWS\$NtServicePackUninstall$\hotplug.dll:?SummaryInformation Suspicious (alternate data stream)

C:\WINDOWS\$NtServicePackUninstall$\lsass.exe:?SummaryInformation Suspicious (alternate data stream)

C:\WINDOWS\$NtServicePackUninstall$\wscript.exe:?SummaryInformation Suspicious (alternate data stream)

I then "extracted" the alternate data streams and scanned them with "Online Armor++" and found nothing.

I only had two of these eight files that would "extract and save to another file".

That makes me suspicious of these "Alternate Data Streams".

The ":3898751835" extracted file has nothing visible in it. Its size is "0" bytes and its "size on disk" is "0" bytes.

The ":5C321E34" extracted file makes me more suspicious. Its size is "101" bytes and its size on disk is "(4,096 bytes)".

When I opened it to "Notepad", it looks like this:

&

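An added example, not part of the thread and not code from any tool named in it: a Python sketch that splits report lines like the ones in the post above into host path and stream name, and separates stream names Windows itself writes from names that need a manual look. The `KNOWN_METADATA_STREAMS` set, the verdict labels and the reading of the printed `?` as the unprintable 0x05 prefix of the Windows summary-property streams are assumptions of this example; the sample lines are copied from the post.

```python
import re
from collections import Counter, namedtuple

AdsEntry = namedtuple("AdsEntry", "host stream verdict")

# Stream names written by Windows itself (file summary properties, download zone).
# Assumption of this example: the scanner prints the leading 0x05 byte as "?".
KNOWN_METADATA_STREAMS = {
    "\x05SummaryInformation",
    "\x05DocumentSummaryInformation",
    "Zone.Identifier",
}

# Line shape taken from the report quoted in the post above.
REPORT_LINE = re.compile(r"^(?P<target>.+?)\s+Suspicious \(alternate data stream\)\s*$")

# Sample input: the eight lines from the post, embedded so the script runs offline.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\hpc\:3898751835 Suspicious (alternate data stream)
C:\Documents and Settings\All Users\Application Data\TEMP\:5C321E34 Suspicious (alternate data stream)
C:\Program Files\AT&T\Internet Security Wizard\ISW.exe:?SummaryInformation Suspicious (alternate data stream)
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe:?SummaryInformation Suspicious (alternate data stream)
C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe:?SummaryInformation Suspicious (alternate data stream)
C:\WINDOWS\$NtServicePackUninstall$\hotplug.dll:?SummaryInformation Suspicious (alternate data stream)
C:\WINDOWS\$NtServicePackUninstall$\lsass.exe:?SummaryInformation Suspicious (alternate data stream)
C:\WINDOWS\$NtServicePackUninstall$\wscript.exe:?SummaryInformation Suspicious (alternate data stream)
"""


def split_target(target):
    """Split 'C:\\path\\file:stream' at the last colon, ignoring the drive-letter colon."""
    cut = target.rfind(":")
    if cut <= 1:  # only the drive colon is present, so there is no stream part
        return None
    return target[:cut], target[cut + 1:]


def classify(stream):
    """Label a stream by name only; a familiar name says nothing about its content."""
    name = "\x05" + stream[1:] if stream.startswith("?") else stream
    if name in KNOWN_METADATA_STREAMS:
        return "known-metadata-name"
    return "review"


def triage(report):
    """Return one AdsEntry per recognised report line, in input order."""
    entries = []
    for line in report.splitlines():
        match = REPORT_LINE.match(line.strip())
        if not match:
            continue
        parts = split_target(match.group("target"))
        if parts is None:
            continue
        host, stream = parts
        entries.append(AdsEntry(host, stream, classify(stream)))
    return entries


def summarize(entries):
    """Count entries per verdict."""
    return Counter(entry.verdict for entry in entries)


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(f"{entry.verdict:20} {entry.stream!r:24} {entry.host}")
    print(dict(summarize(triage(SAMPLE_REPORT))))
```

The verdict is a name match only: a stream labelled `known-metadata-name` can still carry arbitrary bytes, so its extracted content should be scanned or hashed as well.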

To noknojon,

One other thing,

while "Online Armor++" was scanning "E" Drive with the "Full Scan", Secunia PSI Updater popped up a message about "Patched Programs".

Some of these "Patched Programs" Secunia found were on "E" Drive in my backup copies.

I think the safest thing to do is to delete these backup files and make a new "Ghost Image" of my main drive.

What do you think?

Sincerely, Yosemitest


To AdvancedSetup,

I had a lot of trouble getting "Kaspersky Online Scanner" to work.

The first time I tried it with all my virus protection turned off, my computer clicked off 12 minutes after the scan started.

Suspecting "Kill bytes", I ran my Malwarebytes' Full Scan and it found this.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4901

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/21/2010 3:32:36 PM

mbam-log-2010-10-21 (15-32-36).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 405618

Time elapsed: 1 hour(s), 30 minute(s), 59 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

So, I completely turned off my "Online Armor++" including the firewall, and I turned off "SuperAntiSpyware Pro Lifetime", and made sure that Windows Firewall was off. Then I tried to run "Kaspersky Online Scanner" again.

It cut my computer off, about 6 minutes into the scan.

I restarted the computer. I checked again to make sure all security was turned off.

I started "Kaspersky Online Scanner" again and after the scan started, I unplugged my Ethernet cable to my DSL connection.

The computer clicked off after about 3 minutes, like a "Kill byte" had cut it off.

I restarted it again and turned on "Online Armor++" completely and ran all scans.

Online Armor++ had a few suspicious ADS, the same as named before, so I extracted them and deleted them.

The rest came up clean.

I turned "Online Armor++ Antivirus" off, and started "Kaspersky Online Scanner".

I got the following message:

http://www.kaspersky.com/kos/eng/partner/d...764703003812345

The application's digital signature has an error. Do you want to run the application?

Name: jReport

Publisher: Kaspersky Lab

From: http://kaspersky.com

This application will be run without the security restrictions normally provided by Java.

The digital signature has expired.

The digital signature was generated with a trusted certificate.

I'm using Java 6 Update 22 (build 1.6.0_22-b04) Copyright 2010 Oracle and/or its affiliates.

"The program is starting. Please wait..."

Finally the program finished updating, and I clicked "run" on the message.

"Online Armor++" asked me to verify the program, and I told it to run it, and to trust it, and to let it "Install".

"Kaspersky Online Scanner" started its scan on "My Computer".

It finished hours later, and here's the report.

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, October 22, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, October 22, 2010 15:10:58

Records in database: 4184543

Scan settings

scan using the following database extended

Scan archives yes

Scan e-mail databases yes

Scan area My Computer

C:\

D:\

E:\

F:\

G:\

H:\

I:\

Scan statistics

Objects scanned 110593

Threats found 0

Infected objects found 0

Suspicious objects found 0

Scan duration 03:53:17

No threats found. Scanned area is clean.

Selected area has been scanned.

After it finished, I turned it off.

I turned on my "SuperAntiSpyware Pro" Real-Time protection.

I rescanned with everything and it came up with no viruses or malware detected.

I don't know what to think.

I still suspect a MBR Rootkit that runs when I turn on my computer, and loads before Windows XP SP3.

But I'm not the computer expert. You are.

Sincerely, Yosemitest.
