ENTIRE HDD Erased!

First post shows XP and Win 7 computers and router with minimal protection. Sounds like reinfection from CD/DVD or networked XP.

Found this:

VGHD.EXE has been seen to perform the following behavior:

  • Executes a Process
  • Registers a Dynamic Link Library File
  • Adds products to the system registry
  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • Adds a Registry Key (RUNONCE) to auto start Programs on system start up
  • Writes to another Process's Virtual Memory (Process Hijacking)
  • The Process is polymorphic and can change its structure
  • Uses rootkit techniques to conceal its presence, interrogation or removal
  • Found on infected systems and resists interrogation by security products
  • Makes outbound connections to other computers using NETBIOSOUT protocols
  • The Process is packed and/or encrypted using a software packing process

VGHD.EXE has been the subject of the following behavior:

  • Created as a process on disk
  • Executed as a Process
  • Terminated as a Process
  • Has code inserted into its Virtual Memory space by other programs
  • Changes to the file command map within the registry
  • Deleted as a process from disk
  • Added as a Registry auto start to load Program on Boot up
  • Registered as a Dynamic Link Library File

Sounds like it is "hiding" in memory or in the MBR which is NOT affected by format commands unless specified to do so.

Regards,
GEWB
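
Added example, not part of the original post: the MBR lives in sector 0, outside every partition, so a volume format leaves it alone, while a zero-fill wipes it. The script below checks a 512-byte sector-0 dump (for instance one saved from a live Linux session) against a known-good boot-code hash. The sample sectors and the baseline are constructed for illustration, and the baseline is assumed to come from a dump taken right after a clean install.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439 hold the bootstrap code
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"   # required at bytes 510-511


def parse_mbr(sector: bytes) -> dict:
    """Split a sector-0 dump into a boot-code hash and its partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly 512 bytes of sector 0")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for index in range(4):
        start = PART_TABLE_OFF + 16 * index
        entry = sector[start:start + 16]
        ptype = entry[4]
        if ptype == 0x00:            # unused slot
            continue
        lba_start, num_sectors = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "index": index,
            "status": entry[0],      # 0x80 = active/bootable, 0x00 = inactive
            "type": ptype,
            "lba_start": lba_start,
            "num_sectors": num_sectors,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIG,
        "boot_code_blank": not any(boot_code),
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def review_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a sector-0 dump compared with a known-good hash."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 55 AA missing")
    if info["boot_code_blank"]:
        findings.append("boot code area is all zeros (wiped disk)")
    elif info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    active = [p for p in info["partitions"] if p["status"] == 0x80]
    if len(active) > 1:
        findings.append("more than one active partition")
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte")
        if p["lba_start"] == 0:
            findings.append(f"partition {p['index']} starts at sector 0")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sector: the given boot code plus one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    entry = struct.pack("<B3sB3sII", 0x80, b"\xfe\xff\xff", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed placeholder bytes, not real boot code.
CLEAN_CODE = b"constructed baseline boot code".ljust(BOOT_CODE_LEN, b"\x90")
ALTERED_CODE = b"constructed altered boot code".ljust(BOOT_CODE_LEN, b"\x90")


def demo() -> dict:
    clean = build_sample_mbr(CLEAN_CODE)
    baseline = parse_mbr(clean)["boot_code_sha256"]
    return {
        "clean": review_mbr(clean, baseline),
        "altered": review_mbr(build_sample_mbr(ALTERED_CODE), baseline),
        "zeroed": review_mbr(bytes(SECTOR_SIZE), baseline),  # after a zero-fill
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```
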
 

Do a Google search on this string:

how to use linux to remove viruses from windows

See if a live Linux distribution might help.

Regards,
GEWB
 

Perhaps it's a wireless router with open security and somebody who is leeching on your bandwidth who is also infecting your computer???
 

Or perhaps it corrupted the router firmware, or something in the network...

~Lordbob
 

It is not common (pretty rare) (but possible, and does happen) for any viruses/malware to infect the MBRs of HDDs these days.
Not saying this is not the case, and definitely can/should try, but playing with the MBR of the HDD can cause problems.

Again, I say it is very rare (if at all) for malware to infect the MBR, and no longer all that common for viruses.

I think this is an infection from a linked (known or unknown) computer, including but not limited to desktops, laptops, NAS devices, and external storage of any kind.

Or someone is really screwing with you.

At this point, if you have not done so already, to eliminate the drive as the problem, go buy a new drive (they are very cheap now for small-sized drives) and test install that way.
If you get infected, then it isn't anything with the drive (which I do not think it is).
 

I'm with Tepid on this. It's not something embedded in the drive. This is a simple re-infection occurring as the user "sets up" their system.
 

You are wrong, I have ZERO-ed all my HDDs, everything is ok, 4 days now, same "setup process", the only difference now is that everything is zeroed, and on my main HDD I have installed Mac OS X Snow Leopard, to do my work from that OS, and W7 on the secondary for everything else. Still having some hw issues with my soundcard in Snow Leopard, but everything else works.

Never did find out what the actual threat was, besides VGHD, I am happy nothing happened so far.

Thanks for all the advice, if my pc starts going crazy again, I'm going to let you know,


THANKS!
 

Run another AV, need second opinion.

In the future, anything you download from a torrent needs to be extracted and right-click scanned with AV and Spybot before running.

this is the far better option than the other users scolding him for downloading torrents when they are doing it themselves. damn hypocrites. now as for uac shut it down.

1. next time make sure you have a router between your machine and the modem. even if it is the only machine you have hooked up to the net.
2. use a third party antivirus / firewall / spyware solution (disable the windows firewall).
3. run a second spyware solution.
4. do not use security software from microsoft.
5. i suggest creating a folder on your desktop and anything you download, download directly there and then scan it with both your programs. then you can move the file to the location you want it stored (anywhere but c).
6. setup your scheduled scans to only scan drive c because the files on the other drives you would have already scanned.
 

this is the far better option than the other users scolding him for downloading torrents when they are doing it themselves. damn hypocrites. now as for uac shut it down.

While I do agree with the approach....I don't agree with the rest of your sentiments.

My OS copies are legal/legit and all of my software that I use is as well. (of course, 95% of it is open source and free to begin with). I don't have a need to use any pirated, or otherwise hacked software. So, while I may scold against using torrented software...I'm no hypocrite either.

With regards to UAC..I don't see any need to turn it off. It's there to protect you from software which wants to automatically escalate to admin levels to do something. And with Windows 7, it's configured to not warn when you (the admin) try to do something which requires admin level permissions. While UAC won't protect you from running something malicious and saying YES when prompted...it might bring to light an application which is trying to automatically switch to admin without the end user knowing. Even being a savvy home user myself and a systems admin/engineer for a living (12+ years), I cannot imagine NOT wanting to know when this is happening. While I have a very good grasp on the few software packages that I use, I cannot absolutely guarantee that nothing nefarious is happening. At least with UAC, I know if it wants to become admin.
 

+1

~Lordbob
 

The reason why THIS person got infected is because he didn't use his brain and installed programs such as "The ultimate virus" and a "Virtual Girl HD" Screensaver.
 

<sarcasm>

And while all of you are discussing (or bickering...) things, the thread starter already did what he/she does best... Which is use illegal software all over again (Snow Leopard on a PC? With Win7 on another partition?? And accompanying Adobe Software suite for Mac, which is as expensive as the Windows version???), which in time will get back to him/her all over again...

What an irony...

Regards,

zzz2496

</sarcasm>

Cheers :)
 

Yeah, I couldn't agree with you more completely. Irony is a funny thing. It is funny sometimes the number of problems people have that in the end might be traced right down to the software they are using and the methods used to obtain that software. And in the end, sometimes Microsoft takes the egg on the face when things don't seem to work right within their OS..even though they might not even have a single thing to do with the problem.
 

i am quite aware of what uac does and what zonealarm and counterspy does.
Apparently not.

If you did, you would not have made the statement about UAC.
the idea of uac is for people who do not bother to scan files when they are downloaded

~Lordbob

please talk about what you know and not what you don't. uac is meant to make the dumb stop and think before they proceed. over half the people using windows machines think they need nothing more than uac. the first time i used vista and left uac on and would get a prompt from it i would either get the same prompt from counterspy, zonealarm or both. after installing all of my drivers and software i finally realized i did not need uac running.
 

over half the people using windows machines think they need nothing more than uac.
And all of us would agree that this is the wrong assumption. Even worse, some believe that UAC is supposed to prevent malware/viruses/trojans from installing at all. I've even seen trade mags posting stories about how UAC doesn't stop a user from installing something nasty. Well, of course not...it's not supposed to.


the first time i used vista and left uac on and would get a prompt from it i would either get the same prompt from counterspy, zonealarm or both. after installing all of my drivers and software i finally realized i did not need uac running.
In your case, you probably don't need it running. However, I still don't agree with the general advice to simply turn off UAC, nor do I feel that it's necessary to replace UAC with something else.
 

While UAC could use some more improvements, it is not the end all be all of defense and security.

But by no means should people be instructed to turn it off because they think it is worthless.
There are advantages to having it on. But I am not listing them.

If you don't know what they are and you are instructing people to turn off UAC, then you are misinforming people with a service you know nothing about.
 

please talk about what you know and not what you don't. uac is meant to make the dumb stop and think before they proceed. over half the people using windows machines think they need nothing more than uac. the first time i used vista and left uac on and would get a prompt from it i would either get the same prompt from counterspy, zonealarm or both. after installing all of my drivers and software i finally realized i did not need uac running.
You really have no idea what UAC does, do you?

Here:
Microsoft TechNet said:
What is User Account Control?

User Account Control (UAC) is a new security component in Windows Vista. UAC enables users to perform common tasks as non-administrators, called standard users in Windows Vista, and as administrators without having to switch users, log off, or use Run As. A standard user account is synonymous with a user account in Windows XP. User accounts that are members of the local Administrators group will run most applications as a standard user. By separating user and administrator functions while enabling productivity, UAC is an important enhancement for Windows Vista.


When an administrator logs on to a computer running Windows Vista, the user is assigned two separate access tokens. Access tokens, which contain a user's group membership and authorization and access control data, are used by Windows® to control what resources and tasks the user can access. Before Windows Vista, an administrator account received only one access token, which included data to grant the user access to all Windows resources. This access control model did not include any failsafe checks to ensure that users truly wanted to perform a task that required their administrative access token. As a result, malicious software could install on users' computers without notifying the users. (This is sometimes referred to as "silent" installation.)
Even more damaging, because the user is an administrator, the malicious software could use the administrator's access control data to infect core operating system files and, in some instances, to become nearly impossible to remove.
The primary difference between a standard user and an administrator in Windows Vista is the level of access the user has over core, protected areas of the computer. Administrators can change system state, turn off the firewall, configure security policy, install a service or a driver that affects every user on the computer, and install software for the entire computer. Standard users cannot perform these tasks and can only install per-user software.
To help prevent malicious software from silently installing and causing computer-wide infection, Microsoft developed the UAC feature. Unlike previous versions of Windows, when an administrator logs on to a computer running Windows Vista, the user’s full administrator access token is split into two access tokens: a full administrator access token and a standard user access token. During the logon process, authorization and access control components that identify an administrator are removed, resulting in a standard user access token. The standard user access token is then used to start the desktop, the Explorer.exe process. Because all applications inherit their access control data from the initial launch of the desktop, they all run as a standard user as well.
After an administrator logs on, the full administrator access token is not invoked until the user attempts to perform an administrative task.
Contrasting with this process, when a standard user logs on, only a standard user access token is created. This standard user access token is then used to start the desktop.
Source: User Account Control Step-by-Step Guide


Don't argue about something you obviously don't know about.


~Lordbob

P.S. While I did agree with John removing Negative Rep, it is situations like this where I believe it would be beneficial. I will not tolerate advice so wrong it could seriously cause trouble.
 
as stated below i do full well know what i am talking about. i even tested this in 7 to be sure that it still held true, and it does.

please talk about what you know and not what you don't. uac is meant to make the dumb stop and think before they proceed. over half the people using windows machines think they need nothing more than uac. the first time i used vista and left uac on and would get a prompt from it i would either get the same prompt from counterspy, zonealarm or both. after installing all of my drivers and software i finally realized i did not need uac running.
 

uac is meant to make the dumb stop and think before they proceed.
I am done with this.

Keep your ignorance, I have no desire for it.

~Lordbob
 
