ENTIRE HDD Erased!

  1. Posts : 1,030
    Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
       #81

    First post shows XP and Win 7 computers and router with minimal protection. Sounds like reinfection from CD/DVD or networked XP.

    Found this:

    VGHD.EXE has been seen to perform the following behavior:

    • Executes a Process
    • Registers a Dynamic Link Library File
    • Adds products to the system registry
    • Adds a Registry Key (RUN) to auto start Programs on system start up
    • Adds a Registry Key (RUNONCE) to auto start Programs on system start up
    • Writes to another Process's Virtual Memory (Process Hijacking)
    • The Process is polymorphic and can change its structure
    • Uses rootkit techniques to conceal its presence, interrogation or removal
    • Found on infected systems and resists interrogation by security products
    • Makes outbound connections to other computers using NETBIOSOUT protocols
    • The Process is packed and/or encrypted using a software packing process

    VGHD.EXE has been the subject of the following behavior:

    • Created as a process on disk
    • Executed as a Process
    • Terminated as a Process
    • Has code inserted into its Virtual Memory space by other programs
    • Changes to the file command map within the registry
    • Deleted as a process from disk
    • Added as a Registry auto start to load Program on Boot up
    • Registered as a Dynamic Link Library File


    Sounds like it is "hiding" in memory or in the MBR which is NOT affected by format commands unless specified to do so.

    Regards,
    GEWB
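
Added example, not part of any post in this thread: post #81's point that the MBR sits outside what a partition format rewrites can be checked on a 512-byte dump of sector 0. The Python sketch below separates the bootstrap code from the partition table and compares its hash with a known-good baseline; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440   # bootstrap code; bytes 440-445 hold the disk signature
TABLE_OFFSET = 446    # four 16-byte partition entries start here
ENTRY_FMT = "<B3xB3xII"  # status, CHS (skipped), type, CHS (skipped), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into a bootstrap-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes (sector 0)")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap code differs from a known-good baseline hash."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: one active NTFS-type (0x07) partition at LBA 2048."""
    entry = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800)
    body = boot_code.ljust(TABLE_OFFSET, b"\x00") + entry + bytes(48)
    return body + BOOT_SIGNATURE


if __name__ == "__main__":
    known_good = build_sample_mbr(b"\xfa\x33\xc0")   # constructed bytes, not real boot code
    modified = build_sample_mbr(b"\xeb\x3c\x90")     # constructed bytes, not real boot code
    baseline = parse_mbr(known_good)["boot_code_sha256"]
    # Same partition layout, so partition-level tools see no difference...
    print(parse_mbr(known_good)["partitions"] == parse_mbr(modified)["partitions"])
    # ...but the sector-0 bootstrap code no longer matches the baseline.
    print(boot_code_changed(modified, baseline))
```
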


  2. Posts : 1,030
    Linux Mint / XP / Win7 Home, Pro, Ultimate / Win8.1 / Win10
       #82

    Do a Google search on this string:

    how to use linux to remove viruses from windows

    See if a live Linux distribution might help.

    Regards,
    GEWB


  3. Posts : 7,878
    Windows 7 Ultimate x64
       #83

    Perhaps it's a wireless router with open security and somebody who is leeching on your bandwidth who is also infecting your computer?


  4. Posts : 6,885
    Windows 7 Ultimate x64, Mint 9
       #84

    Or perhaps it corrupted the router firmware, or something in the network...

    ~Lordbob


  5. Posts : 1,403
    Win 7 Ultimate 32bit
       #85

    It is not common (pretty rare), (but possible, and does happen) for any viruses/malware to infect the MBRs of HDDs these days.
    Not saying this is not the case, and definitely can/should try, but playing with the MBR of the HDD can cause problems.

    Again, I say it is very rare (if at all) for malware to infect the MBR, and no longer all that common for viruses.

    I think this is an infection from a linked (known or unknown) computer (including but not limited to) desktops, laptops, NAS devices, external storage of any kind.

    Or someone is really screwing with you.

    At this point, if you have not done so already, to eliminate the drive as the problem, go buy a new drive (they are very cheap now for small-sized drives) and test install that way.
    If you get infected, then it isn't anything with the drive (which I do not think it is).


  6. Posts : 1,326
    Windows 7 Ultimate RTM (Technet)
       #86

    Tepid said:
    It is not common (pretty rare), (but possible, and does happen) for any viruses/malware to infect the MBRs of HDDs these days.
    Not saying this is not the case, and definitely can/should try, but playing with the MBR of the HDD can cause problems.

    Again, I say it is very rare (if at all) for malware to infect the MBR, and no longer all that common for viruses.

    I think this is an infection from a linked (known or unknown) computer (including but not limited to) desktops, laptops, NAS devices, external storage of any kind.

    Or someone is really screwing with you.

    At this point, if you have not done so already, to eliminate the drive as the problem, go buy a new drive (they are very cheap now for small-sized drives) and test install that way.
    If you get infected, then it isn't anything with the drive (which I do not think it is).

    I'm with Tepid on this. It's not something embedded in the drive. This is a simple re-infection occurring as the user "sets up" their system.


  7. Posts : 48
    W7 X64 Ultimate, OSX, Linux
    Thread Starter
       #87

    MacGyvr said:
    Tepid said:
    It is not common (pretty rare), (but possible, and does happen) for any viruses/malware to infect the MBRs of HDDs these days.
    Not saying this is not the case, and definitely can/should try, but playing with the MBR of the HDD can cause problems.

    Again, I say it is very rare (if at all) for malware to infect the MBR, and no longer all that common for viruses.

    I think this is an infection from a linked (known or unknown) computer (including but not limited to) desktops, laptops, NAS devices, external storage of any kind.

    Or someone is really screwing with you.

    At this point, if you have not done so already, to eliminate the drive as the problem, go buy a new drive (they are very cheap now for small-sized drives) and test install that way.
    If you get infected, then it isn't anything with the drive (which I do not think it is).

    I'm with Tepid on this. It's not something embedded in the drive. This is a simple re-infection occurring as the user "sets up" their system.

    You are wrong. I have ZERO-ed all my HDDs, everything is OK, 4 days now, same "setup process"; the only difference now is that everything is zeroed, and on my main HDD I have installed Mac OS X Snow Leopard, to do my work from that OS, and W7 on the secondary for everything else. Still having some hardware issues with my sound card in Snow Leopard, but everything else works.

    Never did find out what the actual threat was, besides VGHD. I am happy nothing has happened so far.

    Thanks for all the advice; if my PC starts going crazy again, I'm going to let you know.


    THANKS!


  8. Posts : 114
    Windows 7 Eternity Build 7600 RTM Activated x86
       #88

    gregrocker said:
    Run another AV, need second opinion.

    In the future, anything you download from a torrent needs to be extracted and right-click scanned with AV and Spybot before running.

    this is the far better option than the other users scolding him for downloading torrents when they are doing it themselves. damn hypocrites. now as for UAC shut it down.

    1. next time make sure you have a router between your machine and the modem. even if it is the only machine you have hooked up to the net.
    2. use a third party antivirus / firewall / spyware solution (disable the windows firewall).
    3. run a second spyware solution.
    4. do not use security software from microsoft.
    5. i suggest creating a folder on your desktop and anything you download, download directly there and then scan it with both your programs. then you can move the file to the location you want it stored (anywhere but c).
    6. set up your scheduled scans to only scan drive c because the files on the other drives you would have already scanned.


  9. Posts : 7,878
    Windows 7 Ultimate x64
       #89

    InternetLord said:
    this is the far better option than the other users scolding him for downloading torrents when they are doing it themselves. damn hypocrites. now as for UAC shut it down.

    While I do agree with the approach... I don't agree with the rest of your sentiments.

    My OS copies are legal/legit and all of my software that I use is as well. (Of course, 95% of it is open source and free to begin with.) I don't have a need to use any pirated, or otherwise hacked software. So, while I may scold against using torrented software... I'm no hypocrite either.

    With regards to UAC, I don't see any need to turn it off. It's there to protect you from software which wants to automatically escalate to admin levels to do something. And with Windows 7, it's configured to not warn when you (the admin) try to do something which requires admin level permissions. While UAC won't protect you from running something malicious and saying YES when prompted... it might bring to light an application which is trying to automatically switch to admin without the end user knowing. Even being a savvy home user myself and a systems admin/engineer for a living (12+ years), I cannot imagine NOT wanting to know when this is happening. While I have a very good grasp on the few software packages that I use, I cannot absolutely guarantee that nothing nefarious is happening. At least with UAC, I know if it wants to become admin.


  10. Posts : 6,885
    Windows 7 Ultimate x64, Mint 9
       #90

    pparks1 said:
    InternetLord said:
    this is the far better option than the other users scolding him for downloading torrents when they are doing it themselves. damn hypocrites. now as for UAC shut it down.
    While I do agree with the approach... I don't agree with the rest of your sentiments.

    My OS copies are legal/legit and all of my software that I use is as well. (Of course, 95% of it is open source and free to begin with.) I don't have a need to use any pirated, or otherwise hacked software. So, while I may scold against using torrented software... I'm no hypocrite either.

    With regards to UAC, I don't see any need to turn it off. It's there to protect you from software which wants to automatically escalate to admin levels to do something. And with Windows 7, it's configured to not warn when you (the admin) try to do something which requires admin level permissions. While UAC won't protect you from running something malicious and saying YES when prompted... it might bring to light an application which is trying to automatically switch to admin without the end user knowing. Even being a savvy home user myself and a systems admin/engineer for a living (12+ years), I cannot imagine NOT wanting to know when this is happening. While I have a very good grasp on the few software packages that I use, I cannot absolutely guarantee that nothing nefarious is happening. At least with UAC, I know if it wants to become admin.

    +1

    ~Lordbob


 