FakeHDD Rogue Anti-Spyware


  • This topic is locked
5 replies to this topic

#1 First Timer

First Timer

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:58 AM

Posted 29 January 2012 - 01:37 AM

I have a strong feeling I've been hit with one of these. My computer shut itself down and restarted...and slowly started "disassembling" itself. By that, I mean everything began to disappear. First, my desktop background, then many useful desktop shortcuts, such as My Computer.

The whole time, access to the Task Manager was restricted...Control Panel and other menu items under the Start menu were removed. I can access Sticky Notes, Notepad, Calculator, Mozilla Firefox, Adobe Photoshop CS4, and Adobe Dreamweaver CS4 from the start menu. I tried accessing other programs, such as MSPaint.exe, by using Ctrl + R and this did work fine. I also was able to navigate to a random folder using notepad and change the settings to not be "hidden," sure enough the files within reappeared in the folder.

I tried running the Unhide.exe application but received the following errors repeatedly until the program closed itself:

Processing C:\
'ATTRIB' is not recognized as an internal or external command, operable program or batch file.
Processing D:\
'ATTRIB' is not recognized as an internal or external command, operable program or batch file.


Currently, I am running full scans with the following: Malwarebytes (Trial version), iolo System Mechanic Professional, and Microsoft Safety Scanner -1.0.03001. So far, all but the iolo SMP have picked up infection(s).



Meanwhile, I am repeatedly receiving a bunch of notifications, which I have typed into Notepad and emailed to myself in case this thing shuts itself down suddenly again. I have seen each of the following one time each in this order (adding new ones as they appear):


Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 31.184.237.71
Type: outgoing
Port: 49253
Process: le27n05b1zzoyb.exe

Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 31.184.237.71
Type: outgoing
Port: 50405
Process: firefox.exe

Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 206.161.121.3
Type: outgoing
Port: 51115
Process: explorer.exe

Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 206.161.121.2
Type: outgoing
Port: 51118
Process: explorer.exe

Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 206.161.121.4
Type: outgoing
Port: 51177
Process: explorer.exe

Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 206.161.121.5
Type: outgoing
Port: 51180
Process: explorer.exe

Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 31.184.237.71
Type: outgoing
Port: 49253
Process: le27n05b1zzoyb.exe

Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 31.184.237.71
Type: outgoing
Port: 51500
Process: le27n05b1zzoyb.exe

Malwarebytes Anti-Malware
Successfully blocked access to a potentially malicious website: 31.44.184.49
Type: outgoing
Port: 51529
Process: le27n05b1zzoyb.exe



The repeating notifications are:

Hard drive clusters are partly damaged. Segment load failure
Hard drive clusters are partly damaged. Segment load failure

Critical Error
Windows OS can't detect a free hard drive space. hard drive error

Critical Error
Hard drive critical error. Start a system diagnostics application to scan your hard disk for errors and performance problems.

RAM memory reliability is extremely low. This problem may cause
RAM memory reliability is extremely low. This problem may cause system failure




Another window periodically appears which has all of the following:

Files indexation process failed

Indexation process failure may cause
  • File may became unreadable
  • Files and documents can be lost
  • Operation system may slow down dramatically

To prevent possible damage to the PC follow the recomendations.

Recommendations:

It's highly reccomended to run file integrity checker now and resolve this issue.




There is also a series of popups which keeps appearing, all of them containing the same message:

Failed to save all the components for the file \\System32\\00000xxxx. The file is corrupted or unreadable. This error may be caused by a PC hardware problem.

The xxxx is always a series of letters and numbers such as "5bc4."




Also, there is a "System Check" window which looks almost exactly like the one shown in this thread (the Windows Vista Repair, though mine is for Windows 7). If I close this window, the system restarts itself without fail. I cannot minimize it, so I simply dragged it mostly off screen so I can see what I'm doing.



Finally, sometimes while I've been browsing for answers tonight, I am randomly redirected to several sites such as "excitemoney.com" and a few others I couldn't catch in time. There doesn't appear to be any consistency or reason to why this is happening, but it just started when all of these other problems started, leading me to believe it is related.




All of the scans are taking a really long time so far (several hours and none appear to be nearly finished), but I'll post any information that I get from them if/when they finish. In the meantime, if you have any information which could help me, I would really appreciate it. After owning my own PC (actually this is my second one) for about 4-5 years and never having any sort of virus problems before, this is beginning to worry me. If it becomes necessary, I can attempt a full wipe of the system and re-installation of Windows. I made a series of "backup discs (I think?)" when I first got this PC, so hopefully I can pull that off with minimal issue if the need arises. I would prefer not to do this as I never created an image of my computer with all of the programs installed and all of my personal files intact.

If you need any other information, please let me know. I will be sure to check this often and reply back with the information you require, if possible.

Thank you for any help you can provide!


EDIT: I am reading on the following site:

http://www.411-spyware-remove.com/shield-up-for-system-check/

about this error and it sounds exactly like what I have. The descriptions offered are the same "errors" shown in the System Check window...I'm going to follow the instructions in the link they provided and hope to clear this bad boy up.

EDIT: Well...definitely working so far. My files have been "restored" (unhidden...), but I'm still receiving these weird notifications and the "blocked" output messages from Malwarebytes are getting more frequent.

Edited by First Timer, 29 January 2012 - 09:10 PM.
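A small triage script, added here as an example and not part of the original post, that parses the Malwarebytes notifications quoted above and groups them by process. It reuses the IPs, ports and image names the poster reported (the sample text itself is constructed, and the "trusted image" list is an assumption); grouping makes the pattern visible: a random-named binary plus explorer.exe and firefox.exe reaching the same blocked hosts, which points to injection into those processes rather than a browser add-on problem.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the Malwarebytes notifications quoted
# in the post above (same IPs, ports and image names the poster reported).
ENTRY = ("Malwarebytes Anti-Malware\nSuccessfully blocked access to a "
         "potentially malicious website {ip}\n\nType: outgoing\nPort: {port}\n"
         "Process: {proc}\n\n")
SAMPLE = "".join(ENTRY.format(ip=i, port=p, proc=x) for i, p, x in [
    ("31.184.237.71", 49253, "le27n05b1zzoyb.exe"),
    ("206.161.121.3", 51115, "explorer.exe"),
    ("206.161.121.2", 51118, "explorer.exe"),
    ("31.184.237.71", 51500, "le27n05b1zzoyb.exe"),
    ("31.44.184.49", 51529, "le27n05b1zzoyb.exe"),
]) + ("Malwarebytes Anti-Malware\nSuccessfully blocked access to a potentially "
      "malicious website 31.184.237.71\n\nType: outgoing\nPort 50405\n"
      "Porcess: firefox.exe\n")  # the mistyped entry exactly as posted

# Tolerates the missing colons and the "Porcess" typo in the transcript.
RECORD = re.compile(
    r"website:?\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+Type:\s*\w+"
    r"\s+Port:?\s*(?P<port>\d+)\s+P\w+:\s*(?P<proc>\S+)", re.IGNORECASE)

def parse_blocks(text):
    """Return one dict (ip, port, proc) per notification found in text."""
    return [m.groupdict() for m in RECORD.finditer(text)]

def summarize(records):
    """Per image name: blocked-connection count and distinct destinations."""
    by_proc = defaultdict(lambda: {"hits": 0, "dests": set()})
    for r in records:
        entry = by_proc[r["proc"].lower()]
        entry["hits"] += 1
        entry["dests"].add(r["ip"])
    return dict(by_proc)

TRUSTED = {"explorer.exe", "firefox.exe"}  # assumed list of legitimate images
RANDOM_NAME = re.compile(r"^[a-z0-9]{10,}\.exe$")

def triage(summary):
    """Flag the rogue binary and any trusted image that talks to its hosts,
    which points to code injected into explorer/firefox, not a browser add-on."""
    flags, rogue_dests = {}, set()
    for name, info in summary.items():
        if name not in TRUSTED and RANDOM_NAME.match(name):
            flags[name] = "random-looking image name: likely the rogue itself"
            rogue_dests |= info["dests"]
    for name, info in summary.items():
        if name in TRUSTED and info["dests"] & rogue_dests:
            flags[name] = "trusted image contacting the rogue's host: injection"
    return flags
```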



#2 First Timer

First Timer
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:58 AM

Posted 29 January 2012 - 02:31 AM

Thought I'd go ahead and post an update of what's going on and what I'm doing to attempt to fix this. I have confirmed that this bit of malware is indeed "System Check". I am having SpyHunter 4 run through right now and detect it, though I doubt that will do any good as I do not own the full version of this software. I need to remove system check, not just detect it. I am afraid to do this manually in case I leave anything behind by accident, however, I am not sure if there are any free tools which can remove it for me. At this point, that should be all I need, so if you have information regarding that (or other useful info), please let me know!

EDIT: Also, all of the messages/popups described have gone away since I put in the activation key listed on the site I linked to before. I have a program "Trojan Killer" that is supposedly taking it out right now...all should be well soon, I hope. All of my files and permissions appear to have been restored as well, at least that I have noticed. I just need to remove the traces of this program so it doesn't recreate itself later down the road or have other adverse effects (tracking web usage, taking passwords etc. to important account information).


EDIT: 3 and a half hours into the full scan I read that a "full scan" is not even necessary...so I aborted and just did a quick scan. It found a number of issues and removed them then prompted me to restart my computer. I did so, it rebooted successfully, and I have seen none of the previous issues; the program appears to be completely gone. I'm re-running a quick-scan just in case, but I think this is solved.

Edited by First Timer, 29 January 2012 - 04:01 AM.


#3 First Timer

First Timer
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:58 AM

Posted 29 January 2012 - 09:10 PM

Day 2, I thought everything was cleared up, but my web browser is crawwwwling so slowly when I try to navigate pages. I installed the "noscript" plugin for Firefox last night and a lot of times when I open a web page, the page will be white with one button. The button always has a URL on it to completely unrelated sites. For example, I went to BestBuy.com and the button was to hipnoza.com and it had the noscript logo nearby. I "allowed" the scripts on the page, went back, and it would load the site fine afterwards, leading me to believe it was just something weird with Noscript. That still doesn't explain the slow browsing experience I'm having.


I tried running netstat commands in the command prompt but they were always "not recognized." I even tried "ipconfig" after navigating directly to the C drive (cd C:) and received the same message. That seems fishy to me.

At this point, I'm considering backing up important files and just doing a fresh re-installation of my operating system. That would be such a pain having to reinstall and reauthenticate all of my programs, though; I never created a backup image I could go to under these circumstances.

Malwarebytes is not picking anything up when I run a "quick scan."

EDIT: Definitely seems like I've got some sort of Redirect Virus going on now. x__x Got sent to YellowPages.com numerous times so far. God this is so frustrating!

Edited by First Timer, 29 January 2012 - 09:23 PM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,299 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:58 AM

Posted 31 January 2012 - 01:21 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can help also.
  • Do not run anything while running a fix.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:

  • Please download DeFogger to your desktop.
  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger may ask you to reboot the machine, if it does - click OK

Do not re-enable these drivers until otherwise instructed.

Download DDS:

  • Please download DDS by sUBs from one of the links below and save it to your desktop:

    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Information and logs:

  • In your next post I need the following:
    • logs from DDS
    • let me know of any problems you may have had

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,299 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:58 AM

Posted 03 February 2012 - 01:39 AM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,299 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:58 AM

Posted 05 February 2012 - 11:11 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
