LIGHTNING UK! Posted June 8, 2009

Do you get this when you start ImgBurn? If so, you probably have a virus/rootkit on your system that's blocking access to the drives.

I 20:19:41 ImgBurn Version 2.4.4.7 Beta started!
I 20:19:41 Microsoft Windows XP Professional (5.1, Build 2600 : Service Pack 3)
I 20:19:41 Total Physical Memory: 2,061,420 KB - Available: 1,586,340 KB
I 20:19:41 Initialising SPTI...
I 20:19:41 Searching for SCSI / ATAPI devices...
E 20:19:44 CreateFile Failed! - Device: '\\.\CdRom0' (D:)
E 20:19:44 Reason: The maximum number of secrets that may be stored in a single system has been exceeded.
W 20:19:44 Errors were encountered when trying to access a drive.
W 20:19:44 This drive will not be visible in the program.
W 20:19:44 No devices detected!

The important thing here is the bit in the log window that says:

The maximum number of secrets that may be stored in a single system has been exceeded.

If you don't see that line in the log window, you should not be looking at this thread - at least not for troubleshooting your problem anyway!

Below are a few of the ways this virus/rootkit can be disabled and removed...
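The log check described in the post above, as an added example that is not part of the original thread or of ImgBurn: a Python parser that pairs each CreateFile failure with the Reason line that follows it and flags the "maximum number of secrets" text. The function names are hypothetical, and the second failure in the sample (CdRom1, "Access is denied.") is constructed for contrast.

```python
import re

# Reason text the post identifies as the sign of this rootkit.
ROOTKIT_REASON = ("The maximum number of secrets that may be stored "
                  "in a single system has been exceeded.")

# ImgBurn log line as shown in the post: severity letter, HH:MM:SS, message.
LINE_RE = re.compile(r"^([IWE]) (\d{2}:\d{2}:\d{2}) (.*)$")
DEVICE_RE = re.compile(r"CreateFile Failed! - Device: '([^']+)'(?: \((\w:)\))?")

def parse_log(text):
    """Yield (severity, time, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.groups()

def blocked_drives(text):
    """Pair each CreateFile failure with the 'Reason:' line that follows it."""
    findings, pending = [], None
    for sev, when, msg in parse_log(text):
        dev = DEVICE_RE.search(msg)
        if sev == "E" and dev:
            pending = {"time": when, "device": dev.group(1),
                       "letter": dev.group(2), "reason": None,
                       "rootkit_sign": False}
            findings.append(pending)
        elif sev == "E" and pending and msg.startswith("Reason: "):
            pending["reason"] = msg[len("Reason: "):].strip()
            pending["rootkit_sign"] = pending["reason"] == ROOTKIT_REASON
            pending = None
        else:
            pending = None  # a Reason line must directly follow its failure
    return findings

# CdRom0 lines are from the post; the CdRom1 pair is constructed for contrast.
SAMPLE = r"""
I 20:19:41 Searching for SCSI / ATAPI devices...
E 20:19:44 CreateFile Failed! - Device: '\\.\CdRom0' (D:)
E 20:19:44 Reason: The maximum number of secrets that may be stored in a single system has been exceeded.
E 20:19:45 CreateFile Failed! - Device: '\\.\CdRom1' (E:)
E 20:19:45 Reason: Access is denied.
W 20:19:45 Errors were encountered when trying to access a drive.
"""

if __name__ == "__main__":
    for f in blocked_drives(SAMPLE):
        tag = "matches this thread" if f["rootkit_sign"] else "different cause"
        print(f'{f["time"]} {f["device"]} {f["letter"]}: {tag} ({f["reason"]})')
```
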
LIGHTNING UK! Author Posted June 8, 2009

Disabling the virus with GMER

GMER can be downloaded (for free) from: http://www.gmer.net/

Run GMER and it'll perform a quick scan.

Chances are that it'll detect the rootkit and you'll then see this prompt asking if you want to perform a full scan.

Click the 'No' button and you should be left with a screen like this - the rootkit will be shown in red.

Right click the red entry (note the odd and seemingly random file name) and select 'Disable Service' on the context menu.

Hopefully it'll disable the service ok and you'll get this new prompt telling you to reboot.

Assuming that's the only red service entry you need to disable, go ahead and reboot.

Once the machine is back up and running again, load GMER.

You should hopefully see that the red service entries have the word '[DISABLED]' by them in the 'Value' column. That's a good sign!

Right click them and select 'Delete Service'.

Click 'Yes' to confirm that you want to remove the service.

Click 'Yes' to confirm you know it might cause the system to crash (it won't!)

That's it, ImgBurn should work fine again.

I would now suggest you run a full scan on every AntiVirus / Anti-Malware program you can lay your hands on to clean up the remains.
LIGHTNING UK! Author Posted June 9, 2009

Removing the virus with avast! AntiVirus

avast! Antivirus Home Edition can be downloaded (for free) from: http://www.avast.com/

Right click the avast tray icon and select 'Start avast! Antivirus' from the context menu.

It should then perform a quick scan as it starts up.

Chances are that it'll then pop up a box similar to that below.

Just click the 'Continue' option at this point so it continues with the quick scan.

When it's finished you should see a message like this:

Click the 'Yes' button so it restarts and performs a boot time virus scan.

The boot time scan should pick up on the bad files and you'll be prompted to delete them by pressing the '1' key.

When you've done all that, Windows should boot as normal and ImgBurn should be working again.

I would now suggest you run a full scan on every AntiVirus / Anti-Malware program you can lay your hands on to clean up the remains.
LIGHTNING UK! Author Posted June 9, 2009

Disabling the virus with RootRepeal

RootRepeal can be downloaded (for free) from: http://rootrepeal.googlepages.com/

Run RootRepeal.

You should then see a screen like this:

Switch to the 'Files' tab and click the 'Scan' button.

The 'Select Drives' window will then pop up. Select the 'C:\' entry in the list and click the 'OK' button.

RootRepeal will then scan the selected drive for files... this may take a few minutes so be patient.

When it's finished you should see something like this:

Select the main driver file (this is probably the one in the 'drivers' folder or one with the '.sys' file extension). If you're unsure of which one to select, just ask us for help!

Right click the file entry and select 'Wipe File'.

When prompted, confirm you want to wipe the file by clicking the 'Yes' button.

Hopefully it'll be able to wipe it ok and then you'll see the 'Success' message.

Click the 'OK' button and then reboot your machine quickly.

That's it, the virus should now be disabled (well, the main part that 'hides' everything else anyway). Now you need to actually clean it off your system!

I would now suggest you run a full scan on every AntiVirus / Anti-Malware program you can lay your hands on to clean up the remains.