Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus causing HDD to become completely full


  • This topic is locked This topic is locked
56 replies to this topic

#1 Prickly Pete

Prickly Pete

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 30 January 2013 - 03:04 PM

Hello Bleeping Computer people. You have helped me before with other malware/virus issues.
I have a computer running Windows 7 and it has become infected with a virus that has filled up the hard drive to it's limit. The computer was also constantly accessing the internet and uploading/downloading gigabites of data. I fear the computer has been turned into a zombie computer.

I have run DDS and the log is below. Your help will be most appreciated! Thank you.

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421
Run by Andy Lau at 14:43:53 on 2013-01-30
Microsoft Windows 7 Professional 6.1.7600.0.1252.1.1033.18.2013.1192 [GMT -5:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: Trend Micro Personal Firewall *Enabled* {70A91CD9-303D-A217-A80E-6DEE136EDB2B}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Broadcom\BPowMon\BPowMon.exe
c:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\svcGenericHost.exe
C:\Windows\system32\taskhost.exe
c:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
c:\Program Files\Trend Micro\Client Server Security Agent\HostedAgent\HostedAgent.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
c:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
c:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\Windows\system32\conhost.exe
c:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Trend Micro\Client Server Security Agent\PccNTMon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\System32\NILaunch.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\System32\WUDFHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
uURLSearchHooks: YTNavAssist.YTNavAssistPlugin Class: {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - c:\program files\yahoo!\companion\installs\cpn0\YTNavAssist.dll
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\client server security agent\pccntmon.exe" -HideWindow
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Net-It Launcher] c:\windows\system32\NILaunch.exe
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: E&xport to Microsoft Excel - c:\progra~1\mif5ba~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mif5ba~1\office14\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{A4F0F8BD-1F66-4612-86B3-5D9A372AC3B9} : NameServer = 66.28.0.45,66.28.0.61
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.52\installer\setup.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 tmlwf;Trend Micro NDIS 6.0 Filter Driver;c:\windows\system32\drivers\tmlwf.sys [2009-7-15 146448]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-12-18 81920]
R2 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2013-1-24 1153368]
R2 svcGenericHost;Trend Micro Client/Server Security Agent;c:\program files\trend micro\client server security agent\hostedagent\svcGenericHost.exe [2010-7-5 45056]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\client server security agent\TmXPFlt.sys [2010-5-11 230928]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\client server security agent\tmpreflt.sys [2010-5-11 36368]
R2 tmwfp;Trend Micro WFP Callout Driver;c:\windows\system32\drivers\tmwfp.sys [2009-7-15 283152]
R3 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-7-6 51792]
R3 TmPfw;Trend Micro Client/Server Security Agent Personal Firewall;c:\program files\trend micro\client server security agent\TmPfw.exe [2009-7-15 497008]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 k57nd60x;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-12-18 273960]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TmProxy;Trend Micro Client/Server Security Agent Proxy Service;c:\program files\trend micro\client server security agent\TmProxy.exe [2009-7-15 689416]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-2-9 1343400]
.
=============== Created Last 30 ================
.
2013-01-24 18:40:59 -------- d-----w- c:\program files\WinDirStat
2013-01-24 18:25:19 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2013-01-24 18:25:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2013-01-09 13:57:08 627712 ----a-w- c:\windows\system32\usp10.dll
2013-01-09 13:57:00 2344960 ----a-w- c:\windows\system32\win32k.sys
2013-01-09 13:56:42 492032 ----a-w- c:\windows\system32\win32spl.dll
2013-01-09 13:53:46 55296 ----a-w- c:\windows\system32\cero.rs
.
==================== Find3M ====================
.
2012-12-16 14:25:27 295424 ----a-w- c:\windows\system32\atmfd.dll
2012-12-16 14:25:19 34304 ----a-w- c:\windows\system32\atmlib.dll
2012-12-07 05:04:20 308736 ----a-w- c:\windows\system32\Wpc.dll
2012-12-07 04:57:38 2576384 ----a-w- c:\windows\system32\gameux.dll
2012-11-30 05:06:15 169984 ----a-w- c:\windows\system32\winsrv.dll
2012-11-30 05:00:06 293376 ----a-w- c:\windows\system32\KernelBase.dll
2012-11-30 03:07:41 271360 ----a-w- c:\windows\system32\conhost.exe
2012-11-30 02:51:41 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2012-11-30 02:51:41 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2012-11-30 02:51:41 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2012-11-30 02:51:41 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2012-11-20 05:10:07 219136 ----a-w- c:\windows\system32\ncrypt.dll
2012-11-09 04:49:37 2048 ----a-w- c:\windows\system32\tzres.dll
2012-11-02 04:50:33 1388544 ----a-w- c:\windows\system32\msxml6.dll
2012-11-02 04:48:28 376832 ----a-w- c:\windows\system32\dpnet.dll
.
============= FINISH: 14:44:41.41 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:02 PM

Posted 30 January 2013 - 10:23 PM

Hello


These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.


-AdwCleaner-

  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

  • Download & SAVE to your Desktop RogueKiller or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator to start"
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • Then Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • click on "delete"
  • Wait until the Status box shows "Deleting Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller+

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 Prickly Pete

Prickly Pete
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 01 February 2013 - 09:22 AM

Hello Gringo! Thanks for the quick reply. Funny coincidence, I was born in PR. I will follow your instructions and get back to you right away.

#4 Prickly Pete

Prickly Pete
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 01 February 2013 - 09:25 AM

BTW, should I be running these programs in safe mode? Thanks.

#5 Prickly Pete

Prickly Pete
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 01 February 2013 - 09:44 AM

Gringo-

I ran both programs the two logs are below. Thank you.

# AdwCleaner v2.109 - Logfile created 02/01/2013 at 09:31:46
# Updated 26/01/2013 by Xplode
# Operating system : Windows 7 Professional (32 bits)
# User : Andy Lau - ANDYLAU-PC
# Boot Mode : Normal
# Running from : C:\Users\Andy Lau\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\Yontoo Layers Runtime
Folder Deleted : C:\ProgramData\Tarma Installer

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\niapdbllcanepiiimjjndipklodoedlc
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}
Key Deleted : HKLM\Software\Tarma Installer

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

-\\ Google Chrome v24.0.1312.52

File : C:\Users\Andy Lau\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [2280 octets] - [01/02/2013 09:31:46]

########## EOF - C:\AdwCleaner[S1].txt - [2340 octets] ##########




RogueKiller V8.4.3 [Feb 1 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7600 ) 32 bits version
Started in : Normal mode
User : Andy Lau [Admin rights]
Mode : Scan -- Date : 02/01/2013 09:37:24
| ARK || MBR |

Bad processes : 0

Registry Entries : 6
[DNS] HKLM\[...]\ControlSet001\Services\Tcpip\Interfaces\{A4F0F8BD-1F66-4612-86B3-5D9A372AC3B9} : NameServer (66.28.0.45,66.28.0.61) -> FOUND
[DNS] HKLM\[...]\ControlSet002\Services\Tcpip\Interfaces\{A4F0F8BD-1F66-4612-86B3-5D9A372AC3B9} : NameServer (66.28.0.45,66.28.0.61) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\$Recycle.Bin\S-1-5-21-4263660371-3221451652-93485766-1000\$0abee96b32283d2941f6248eb920285f\n) -> FOUND

Particular Files / Folders:
[ZeroAccess][FILE] n : C:\$recycle.bin\S-1-5-21-4263660371-3221451652-93485766-1000\$0abee96b32283d2941f6248eb920285f\n --> FOUND
[ZeroAccess][FILE] @ : C:\$recycle.bin\S-1-5-21-4263660371-3221451652-93485766-1000\$0abee96b32283d2941f6248eb920285f\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\$recycle.bin\S-1-5-21-4263660371-3221451652-93485766-1000\$0abee96b32283d2941f6248eb920285f\U --> FOUND
[ZeroAccess][FOLDER] L : C:\$recycle.bin\S-1-5-21-4263660371-3221451652-93485766-1000\$0abee96b32283d2941f6248eb920285f\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC\Desktop.ini --> FOUND

Driver : [LOADED]
SSDT[70] : NtCreateKey @ 0x82C46E63 -> HOOKED (Unknown @ 0x84A28100)
SSDT[74] : NtCreateMutant @ 0x82CB72E5 -> HOOKED (Unknown @ 0x84A29440)
SSDT[79] : NtCreateProcess @ 0x82D134BB -> HOOKED (Unknown @ 0x84A27340)
SSDT[80] : NtCreateProcessEx @ 0x82D13506 -> HOOKED (Unknown @ 0x84A27600)
SSDT[87] : NtCreateThread @ 0x82D132C2 -> HOOKED (Unknown @ 0x84A28F60)
SSDT[88] : NtCreateThreadEx @ 0x82C71381 -> HOOKED (Unknown @ 0x84A29100)
SSDT[93] : NtCreateUserProcess @ 0x82C8E46D -> HOOKED (Unknown @ 0x84A278C0)
SSDT[103] : NtDeleteKey @ 0x82C3566E -> HOOKED (Unknown @ 0x84A28680)
SSDT[106] : NtDeleteValueKey @ 0x82C1B296 -> HOOKED (Unknown @ 0x84A28940)
SSDT[155] : NtLoadDriver @ 0x82BD9313 -> HOOKED (Unknown @ 0x84A292A0)
SSDT[190] : NtOpenProcess @ 0x82CB9C01 -> HOOKED (Unknown @ 0x84A27B80)
SSDT[350] : NtSetSystemInformation @ 0x82CC34C5 -> HOOKED (Unknown @ 0x84A295E0)
SSDT[358] : NtSetValueKey @ 0x82C38A06 -> HOOKED (Unknown @ 0x84A283C0)
SSDT[370] : NtTerminateProcess @ 0x82C9A1D5 -> HOOKED (Unknown @ 0x84A27E40)
SSDT[399] : NtWriteVirtualMemory @ 0x82CBFC85 -> HOOKED (Unknown @ 0x84A28DC0)
S_SSDT[584] : NtUserSetWindowsHookAW -> HOOKED (Unknown @ 0x84A29C40)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x84A29A60)

Infection : ZeroAccess

HOSTS File:
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.0scan.com
127.0.0.1 0scan.com
127.0.0.1 www.1000gratisproben.com
127.0.0.1 1000gratisproben.com
127.0.0.1 1001namen.com
127.0.0.1 www.1001namen.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
[...]


MBR Check:

+++++ PhysicalDrive0: ST3250318AS ATA Device +++++
--- User ---
[MBR] 2ddb0fec0ca8bfbcd33f5452d7457e2b
[BSP] 976833c91be82e3a47ff2464d98af4e2 : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 81920 | Size: 10018 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 20598784 | Size: 228359 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02012013_02d0937.txt >>
RKreport[1]_S_02012013_02d0937.txt

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:02 PM

Posted 01 February 2013 - 09:50 AM

Hello Prickly Pete


I would rather they be done in normal mode



what part of PR - I am in the east


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Prickly Pete

Prickly Pete
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 01 February 2013 - 09:54 AM

I was born in Mayaguez and lived near San Juan until I was 7yo. I have family all over the island (big surprise, right?). Grew up in Denver, though.
I did run the programs in normal mode.

Question: Will I be able to clear the hdd of all the hidden files that filled it up? Or is it just part of the virus to make it look like the hdd is full, when it really isn't?

Thanks.

PP

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:02 PM

Posted 01 February 2013 - 10:07 AM

Hello Pete

Will I be able to clear the hdd of all the hidden files that filled it up? - we will see how things stand when we are done

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 Prickly Pete

Prickly Pete
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 01 February 2013 - 10:23 AM

Gringo-

Before I download combofix, are the downloads you linked clear of the Sality Virus?

Thanks

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:02 PM

Posted 01 February 2013 - 11:02 AM

yes they have been cleared - it was only up for a few hours on the 29th
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 Prickly Pete

Prickly Pete
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 01 February 2013 - 01:39 PM

Sorry for the delay. The combofix scan is taking a long time.

#12 Prickly Pete

Prickly Pete
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 01 February 2013 - 03:58 PM

Gringo-

Combo fix is still on stage 4 and has been there for several hours now. I don't think it's hung up because the hard drive is active.
Can it take this long to scan? Thanks.

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:02 PM

Posted 01 February 2013 - 04:41 PM

Hello

Ok lets try this, I want you to run combofix in safe mode but it is very important that when combofix reboots the computer for you to direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.

after combofix has finished its scan please post the report back here.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#14 Prickly Pete

Prickly Pete
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:10:02 PM

Posted 01 February 2013 - 04:56 PM

Looks like it's hanging after completing stage 4 again.

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:11:02 PM

Posted 01 February 2013 - 09:12 PM

Hello

I would like you to try this to see if combofix will run

combofix

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
ComboFix /nombr
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users