Jamal
Attrib commands and what they do
- Clears an attribute.
R Read-only file attribute.
A Archive file attribute.
S System file attribute.
H Hidden file attribute.
Many thanks VistaKing,
1. Then what does the RogueKillerX64.exe do?
2. Why did I get the message “access is denied” when I applied the command “attrib -h -s -r -a /s /d F:\*.*”?
3. How about the shortcuts generated by the virus? How can we remove them automatically?
4. How to remove the virus itself?
Jamal NUMAN,
RogueKiller is a program created by Tigzy, in France.
The author describes it as a program that scans processes running, and kills those that are malicious and block the execution of malware removal programs.
The program also cleans the Windows Registry, and has evolved to handle the following:
Read / Fix DNS Hijacks (DNS Fix button)
Read / Fix Proxy Hijacks (Proxy Fix button)
Read / Fix Hosts Hijacks (Hosts Fix button)
Restore shortcuts / files hidden by rogues of type "Fake HDD"
Read / Fix malicious Master Boot Record (MBR) -- Even hidden by rootkit
Find and restore system files patched / faked by a rootkit
It is also able to remove many infections, including ZeroAccess, TDSS, all rogues, and Ransomwares.
On your particular predicament, let's see if this helps...
Please go to Start > Run (or, press Windows key and the R key)
In the open area of the Run prompt, type the following and press OK: control folders
In Folder Options, click: View
Check: Show hidden files and folders
Uncheck: Hide protected operating system files
Press: OK
Now, please download RKill:
RKill Download
Save to the Desktop.
If rkill.exe does not run, then download and try to run iExplore.exe (a renamed RKill.exe), or RKill.com
You only need to get one of these to run.
If your antivirus warns you about this tool, ignore the warning, or temporarily disable your antivirus.
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com
Right-click on the downloaded RKill file and select: Run as Administrator
When the tool runs, a black DOS box briefly flashes and then disappears. This is normal and indicates the tool ran successfully.
>>Do not reboot the computer after running Rkill, as the malware programs will start again!
If the computer reboots, run Rkill again before continuing to the next step.<<
When the scan is done, Notepad opens with the RKill report.
Please post the RKill report in your reply.
The RKill report provides information on:
Malware services stopped
Processes terminated
Malware related Registry settings
...and other items.
Next, use avast! Free Antivirus to perform a complete scan of your external hard drive:
Download: AVAST 2013 | Download Free Antivirus Software for Virus Protection
Scroll down to: avast! Free Antivirus – World's most popular antivirus
Save to the Desktop
Temporarily disable your current antivirus.
Info: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - BleepingComputer.com
Double-click on the file to launch the installation of avast! Free, and follow the prompts.
If asked to run a Scan, hold off, and do the following:
Make sure the external drive’s power cable is plugged into a wall outlet before proceeding.
At the avast! program console, main menu, click: Scan Computer (left side)
The window that opens, Scan Now, features controls that allow you to scan the external hard drive.
Locate the section: Removable media scan
Click: More Details to expand this section.
In the Removable media scan section, click: Start
Any viruses or other types of infected files that are identified are immediately quarantined by avast!
Wait for the scan to complete. It may take a while depending on the size of the drive.
To get a report of what the program found, on the left side, click: Scan Logs
Please provide the avast! scan log in your reply.
Once we get the RKill and the avast! information, we will proceed.
Outstanding!! Good work, Jamal!!
Was not sure that RogueKiller was going to act on anything other than drive C:\, but, it did.
I believe at one point the program only scanned C:\, but I could be wrong. This program has developed by leaps and bounds, and is one of my favorites.
If you do not mind posting the RKreport (Shortcut Fix), it will help others with similar problems.
Thank you!!
Did you run avast! on your external drive?
Did it find anything? Do you have the avast! scan log ?
Also, we can take a look at the system before Windows starts, but, we need to run a special tool.
However, to do so, need some info from you:
Do you have the Repair your computer option in the Advanced Boot Options menu?
To find out:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Boot Options menu appears.
Is the Repair your computer option listed?
If you do not have the option, do you have your Windows 7 installation CD/DVD available?
~~~~
>>> If you have the Repair your computer option, please run FRST from your bootable computer, as follows:
First, please check the size and name of the Hard Drive that has Windows Seven installed.
Start > double-click: Computer (Take note of the info.)
Also, you may want to print these instructions for reference after the process starts.
Next, download the Farbar Recovery Scan Tool:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/
Select the version that applies to your computer (64-bit)
Save FRST64.exe to the Desktop
Right-click Start, and select: Open Windows Explorer
Look for drive C:\
On the Desktop, right-click FRST.exe, and move it into C:\
Confirm that FRST.exe is in C:\.
>>Restart the computer.
Tap the F8 key until the Advanced Boot Options menu appears.
Select: Repair your Computer
Select language settings, and User account. (In the User Account leave the password field blank, if you do not have one.)
On the System Recovery Options menu, select: Command Prompt
In the Command Prompt window, at the blinking cursor, type: notepad
In Notepad, under the File menu select: Open
Double-click: Computer
Double-click on the OS drive (May not show as C:\ in the Recovery Environment, but you already found out its size.)
Press: Open
At the Command Prompt window type: X:\frst64.exe, and press: Enter
(Replace X with the letter of drive that now shows.)
The tool starts and presents a prompt with:
The tool is setting up to read the Local Disk. Please wait...
Click OK to continue.
When presented with the disclaimer, press: Yes
When the FRST console appears, press the Scan button.
Once the scan finishes, a prompt appears stating:
Scan completed. The frst.txt has been saved in the same location FRST tool is run.
Close this prompt. Notepad shows that a log was created.
Close FRST64, and close everything else except System Recovery Options.
Press: Restart
Back in Windows, right-click Start, and select: Open Windows Explorer
Look for drive C:\, and open it.
A folder named: FRST is there.
Inside the FRST folder, there are three folders.
One of them is named: Logs
Open the Logs folder to find the text document resulting from the scan.
Please post the FRST.txt in your reply.
Hi cottonball,
Sorry for the delay to get back to you.
· For the time being, I’m using Kaspersky, but it sounds to do nothing, as all other antivirus software! They just do nothing.
· From time to time, the issue of hidden folders and shortcuts appear on the machine
· Other three folders are created also due to the virus: $RECYCLE.BIN/ RECYCLER/ System Volume Information (attached)
Unfortunately, I couldn’t follow the instructions that you have sent! Sounds to be long and I got confused.
By the way, as an end user, do I need to struggle all my life just to kill this virus!
I’m not sure how to get rid of this virus from my machines!
· I do have antivirus
· I do use the “RogueKillerX64.exe”
BUT the virus is still there!
Best
Jamal
Please use the Autorun Exterminator (free) - Download
Save to the Desktop
Right-click the downloaded file and select: Extract to AutoRunExterminator-1.8\
Double-click the new AutoRunExterminator folder on the Desktop
Inside it, double-click the AutoRunExterminator application
Now, plug your external hard drive into the USB port you normally use.
If an autorun.inf file is detected, the program console reports the occurrence.
Right-click the red x in the yellow square on the Taskbar
Select: Config/About
When the program console appears, press: Open log
If available, please provide the contents of the report in your reply.
Now, assuming your external hard drive is H:\
And, you used the following command to remove attributes:
attrib -h -r -s /s /d h:\*.*
Set your current AntiVirus to scan removable drives, or, temporarily disable your AV program and use avast!:
Virus - Access denied - H:\system volume information
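
An added example, not part of any post in this thread: a read-only PowerShell audit of the drive root that separates the folders Windows itself keeps hidden from the items worth reviewing before the attrib command above is run. The drive letter H:\ is assumed from the thread, and the script changes nothing on disk.

```powershell
# Added example (not from the thread): read-only audit of a removable drive's root.
# Assumption: H:\ is the external drive, as in the thread; pass another path if not.
param([string]$Drive = 'H:\')

# Folders Windows creates on every volume with Hidden+System set.
# System Volume Information is accessible only to the SYSTEM account, so
# attrib reports "Access is denied" on it; $RECYCLE.BIN is the recycle bin.
$osFolders = 'System Volume Information', '$RECYCLE.BIN'

$shell = New-Object -ComObject WScript.Shell   # used only to read .lnk targets

function Test-Attr($item, [IO.FileAttributes]$flag) {
    # True when the given attribute bit is set on the file or folder.
    return (([int]$item.Attributes -band [int]$flag) -ne 0)
}

Get-ChildItem -LiteralPath $Drive -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $hidden = Test-Attr $_ ([IO.FileAttributes]::Hidden)
    $system = Test-Attr $_ ([IO.FileAttributes]::System)
    $target = ''

    if ($osFolders -contains $_.Name) {
        $note = 'Windows folder: leave as is'
    }
    elseif ($_.Name -ieq 'autorun.inf') {
        $note = 'autorun.inf: review contents before deleting'
    }
    elseif ($_.Extension -ieq '.lnk') {
        # Read where the shortcut points without launching it.
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
        $note   = 'shortcut: check where it points'
    }
    elseif ($hidden -and $system) {
        $note = 'hidden+system: candidate for attrib -h -s'
    }
    else {
        $note = ''
    }

    New-Object PSObject -Property @{
        Name = $_.Name; Hidden = $hidden; System = $system
        Note = $note;   Target = $target
    }
} | Select-Object Name, Hidden, System, Note, Target | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt with the drive plugged in; the Note and Target columns show which entries are the user's own hidden folders and which shortcuts point somewhere other than those folders.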