Problem with Hard Drive or a virus/malware?
babyblooz
Posts: 1,122 Forumite
in Techie Stuff
I had just clicked onto a web page when my Avira virus box popped up saying there was a problem with the webpage and it had been blocked, then a second later a box appeared at the bottom of the screen saying in red warning Hard Drive problem. I went to run a scan but another box came up in the middle of the screen saying Vista had detected a problem with one or more installed IDE/SATA hardrives and recommend to restart the system.
I went to do this and Vista started to run a system diagnostic utility to check.
It came up with these results (might be a little bit abbreviated because I jotted them down quickly)
Read time of hard drive clusters less than 500ms - critical error - failed to fix
32% of HDD is unreadable - Critical Error - failed to fix
A problem detected while reading boot operating system - fixed
Bad sectors on hard drive or damaged file allocation table C - failed to fix
Boot sector of hard drive disc is damanged - critical - failed to fix
Hard drive doesnt respond - failed to fix
While I was trying to take all this in another box came up and hovered in the bottom right of the screen saying Damanged Hard drive - private data is at risk.
The screen showed me that I had standard cover and that I could purchase more cover to allow me to fix the problem and there was a button to click to allow me to purchase. I didn't click because a) something told me it wasn't right, and b) how could I purchase anything if I am not connected to the internet?
I wondered if it was virus or malware or something? I shut it down and came on here to see if the marvellous techie people could offer any advice maybe?
:hello: :wave: please play nicely children !
0
Comments
-
Don't worry it's fake. This type almost always comes with a rootkit.
Unfortunately that'll try to install when you restart the computer, so now that I've re-read your post that you've already shut down the computer, you'll have to start in SAFE MODE and disable the internet initially for that PC. Might be too late to stop the rootkit installing, but we can remove the rootkit as well.
Copy these over with a USB stick:
Try Gdata removal: http://www.gdatasoftware.co.uk/support/downloads/tools.html
Trend BETA: http://www.users.on.net/~russ/svchost.exe
Rkill to get Malwarebytes to run properly: http://www.bleepingcomputer.com/download/anti-virus/rkill
Also Hijackthis to make a log to post in the thread, will show what settings have been changed by the malware:
http://www.trendmicro.com/ftp/products/hijackthis/beta/HijackThis.exe
For the likely rootkit:
TDSSKiller http://support.kaspersky.com/downloads/utils/tdsskiller.exe
aswMBR http://public.avast.com/~gmerek/aswMBR.htm (will want internet connection for the Avast definitions for a full virus scan, but just say No as you only want it for the rootkit detection)
Hitmanpro http://www.surfright.nl/en/hitmanpro (will need an internet connection, so use after most of the main removal is done)
Try running GData first. Let us know if you have trouble running anything. If so, try Trend. If neither work, read up on how to use Rkill along with Malwarebytes (they're a good team). Only do a QUICK scan with Malwarebytes, no need for FULL.
Don't beat your head trying to run things when they don't work. Just work out which methods don't work, and move on from there. Generally these fake programs will try to block programs working normally:
1/ Actively block normal programs (.EXEs) > rename files to .SCR or .COM, rename to system files, or use Rkill to break the active process
2/ Block specific programs, such as Malwarebytes > rename them to something else, e.g. mb.exe
3/ Remove the registry entry for .EXEs > rename files to .SCR or .COM
4/ Remove registry entries for all .EXE, .SCR, .COM etc > rename files to files e.g. svchost.exe, iexplore.exe, command.com
Other tricks to run the files when they don't work include:
- running task manager (ctrl alt delete, or CTRL SHIFT ESC), then doing File > Task (Run);
- or right clicking on the files and doing Run as Administrator.
- fixing the registry entries (usually will fail though if the malware is active, as it'll monitor certain registry keys for exactly this)
Post any logs you can. Afterwards, you may have to fix broken entries, so these files will help in the repair:
Re-Enable: http://www.tangosoft.co.uk/re-enable v2.html
Unhide (to reshow any hidden files) http://download.bleepingcomputer.com/grinler/unhide.exe
Also Superantispyware has some repair tools as well (http://www.superantispyware.com/sasportable.php)
TFC to clear all temp files and Java cache http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
CCleaner to clear the registry of any leftovers.
0 -
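Items 3/ and 4/ in the answer above describe the malware tampering with the registry entries that tell Windows how to launch .EXE, .SCR and .COM files. The following read-only PowerShell check is an added example, not part of the original post: it compares those entries with the stock Windows defaults and flags per-user overrides. The expected values and the helper name `Get-DefaultValue` are assumptions of this example.

```powershell
# Added example: read-only check of executable file associations.
# Expected values are the stock Windows defaults (assumed); nothing is modified.
$expected = @(
    @{ Ext = '.exe'; ProgId = 'exefile'; Command = '"%1" %*' },
    @{ Ext = '.com'; ProgId = 'comfile'; Command = '"%1" %*' },
    @{ Ext = '.scr'; ProgId = 'scrfile'; Command = '"%1" /S' }
)
$hklm = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
$hkcu = 'Registry::HKEY_CURRENT_USER\Software\Classes'

function Get-DefaultValue([string]$Path) {
    # Hypothetical helper: returns the key's (Default) value, or $null if the key is missing.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('') } else { $null }
}

$findings = @()
foreach ($e in $expected) {
    $cmdKey = "$($e.ProgId)\shell\open\command"

    # Machine-wide chain: extension -> ProgID -> open command.
    $checks = @(
        @{ Path = "$hklm\$($e.Ext)"; Want = $e.ProgId },
        @{ Path = "$hklm\$cmdKey";   Want = $e.Command }
    )
    foreach ($c in $checks) {
        $got = Get-DefaultValue $c.Path
        if ($got -ne $c.Want) {
            $findings += New-Object PSObject -Property @{
                Key = $c.Path; Found = $got; Expected = $c.Want }
        }
    }

    # Per-user keys take precedence over the machine-wide ones and are
    # normally absent for these types, so their presence is worth reviewing.
    foreach ($p in "$hkcu\$($e.Ext)", "$hkcu\$cmdKey") {
        if (Test-Path $p) {
            $findings += New-Object PSObject -Property @{
                Key = $p; Found = (Get-DefaultValue $p); Expected = '(key absent)' }
        }
    }
}

if ($findings) { $findings | Format-List Key, Found, Expected }
else { 'File associations for .exe, .com and .scr match the defaults.' }
```

Any key it lists is a candidate for the registry repair step mentioned in the answer, once the active malware process has been stopped.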
Crikey! What should I do to sort it then? I am useless with computers but I have a relative who sorts stuff out for me. If there is help anywhere can you point me in the right direction? I can't get onto internet because it just sort of jumps in straightaway.
:hello: :wave: please play nicely children !
0
-
sorry just seen your instructions - I'm on my netbook and it is diddy little screen!
:hello: :wave: please play nicely children !
0
-
Then download them onto a flash drive and copy them over using that.
No free lunch, and no free laptop
0 -
Thanks for that! I am going to leave it alone until my relative can come over and he will go through it all for me, that way I know it will be done properly. I will show him all your instructions and he will know what to do! I have Malwarebytes installed on the system and Avira.
:hello: :wave: please play nicely children !
0
-
Normally don't need to go so overboard. In person, it's a very quick job. Your relative is welcome to post any questions.
0
This discussion has been closed.