
hard drive filling up


This topic is locked
33 replies to this topic

#1 dubritski (Members, Laplace LA)

Posted 07 May 2013 - 08:33 AM

I was requested to start a new thread here after working with Broni in the linked thread:

http://www.bleepingcomputer.com/forums/t/493044/temp-files-cannot-be-deleted/

Attached is the last log he asked me to post here; all other log files can be found in the previous thread.

Short version of my problem:

There is a folder on my computer that keeps filling with temp files, but nothing I have tried gets rid of it. None of the automatic temp file removal tools I have tried clean the location of this temp folder, and I cannot figure out why this folder is being filled. IE and Java are both set to put temp files in their default location.

The location of the temp folder that fills up is: C:\Users\<username>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\z52xt5lx

 

 

DDS log

 

 

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16476
Run by holmj_adm at 8:24:03 on 2013-05-07
Microsoft Windows 7 Professional   6.1.7601.1.1252.1.1033.18.1407.832 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Symantec Endpoint Protection *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Symantec Endpoint Protection *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\SYSTEM32\DNTUS26.EXE
C:\Windows\system32\DWRCS.exe
C:\Program Files\HP\HPBDSService\HPBDSService.exe
C:\Program Files\HP\HPLaserJetService\HPLaserJetService.exe
C:\Program Files\OCS Inventory Agent\ocsservice.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\PelService.exe
C:\Program Files\ThinkPad\Utilities\PWMDBSVC.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Windows\system32\DWRCST.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Lenovo\FanSpeedControl\LenovoFSC.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\ICO.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\HP\StatusAlerts\bin\HPStatusAlerts.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ThinkPad\Utilities\SCHTASK.EXE
C:\Program Files\Lenovo\Lenovo Mouse Suite\FSRremoS.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Lenovo\Lenovo Mouse Suite\PelElvDm.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\DWRCS.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
.
============== Pseudo HJT Report ===============
.
uDefault_Page_URL = hxxp://lenovo.msn.com
uProxyOverride = 10.6.*;10.7.*;142.70.*;172.16.*;sharepoint*;*.norinc.net;*.gramercyal.com;<local>
mWinlogon: Userinit = c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
mRun: [LenovoFSC] c:\program files\lenovo\fanspeedcontrol\LenovoFSC.exe
mRun: [Daemon for Mouse Suite] c:\program files\lenovo\lenovo mouse suite\ICO.EXE
mRun: [PWMTRV] rundll32 c:\progra~1\thinkpad\utilit~1\PWMTR32V.DLL,PwrMgrBkGndMonitor
mRun: [Power Manager Power Agenda] c:\progra~1\thinkpad\utilit~1\DPMHost.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [StatusAlerts] "c:\program files\hp\statusalerts\bin\HPStatusAlerts.exe" /enum:on /alerts:on /notifications:on /fl:on /fr:on /appData:on /tmcp:on
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
mRunOnce: [Z1] cmd /c "\\ga-fs1\apps$\MSIAppInstalls\Anti Virus programs\mbar-1.05.0.1001\mbar\mbar.exe" /cleanup /s
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: UseDefaultTile = dword:1
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: dontdisplaylastusername = dword:1
mPolicies-System: legalnoticecaption = Noranda Alumina
mPolicies-System: legalnoticetext = Noranda IT assets (i.e. including this computer) and all
Information on these assets are the property of the Company.
There should be no expectation of privacy related to anything
that is created, stored or received while using this computer.
At the Company’s discretion information on this asset
or created by this asset  may be audited for business purposes.
For further details on the use of IT assets
please refer to the Company’s policy entitled “Information Technology (IT) Use.
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0039-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
TCP: NameServer = 10.6.0.10 172.16.2.87
TCP: Interfaces\{0DEA4807-CABD-4C81-AB7E-6D6734AD6BAD} : DHCPNameServer = 10.6.0.10 172.16.2.87
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 Teefer3;Symantec Endpoint Protection Firewall;c:\windows\system32\drivers\Teefer3.sys [2011-12-8 43936]
R2 HP DS Service;HP DS Service;c:\program files\hp\hpbdsservice\HPBDSService.exe [2011-10-17 13824]
R2 HP LaserJet Service;HP LaserJet Service;c:\program files\hp\hplaserjetservice\HPLaserJetService.exe [2011-8-4 164352]
R2 OCS INVENTORY;OCS INVENTORY SERVICE;c:\program files\ocs inventory agent\OcsService.exe [2009-4-16 69632]
R2 PelService;Session Launcher Service;c:\program files\lenovo\lenovo mouse suite\PelService.exe [2010-9-21 184320]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 3712]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-16 106656]
R3 SuperIO;Lenovo ASD HWM Driver;c:\windows\system32\drivers\spio.sys [2009-6-5 11720]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-9-21 314368]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 netw5v32;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
S3 pelvendr;Mouse Suite I/O Driver;c:\windows\system32\drivers\PELVENDR.SYS [2010-9-21 10240]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-11-16 14848]
S3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\drivers\VSTAZL3.SYS [2009-7-13 207360]
S3 SrvHsfV92;SrvHsfV92;c:\windows\system32\drivers\VSTDPV3.SYS [2009-7-13 980992]
S3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\drivers\VSTCNXT3.SYS [2009-7-13 661504]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-11-16 49664]
.
=============== Created Last 30 ================
.
2013-05-06 20:40:15 36864 ----a-w- c:\windows\system32\DNTUSrvu.exe
2013-05-06 14:56:45 -------- d-----w- c:\windows\pss
2013-05-06 14:48:40 -------- d-----w- c:\windows\ERUNT
2013-05-06 14:48:24 -------- d-----w- C:\JRT
2013-04-30 17:21:55 -------- d-----w- c:\users\holmj_adm\appdata\local\Programs
2013-04-29 20:01:38 -------- d-----w- C:\!KillBox
2013-04-29 19:44:55 92672 ----a-w- c:\windows\system32\KillBox.exe
2013-04-24 19:40:57 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys
2013-04-11 18:47:28 2347008 ----a-w- c:\windows\system32\win32k.sys
2013-04-11 18:47:26 196328 ----a-w- c:\windows\system32\drivers\fvevol.sys
2013-04-11 18:47:24 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-04-11 18:47:24 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-04-11 18:47:23 69632 ----a-w- c:\windows\system32\smss.exe
2013-04-11 18:47:23 38912 ----a-w- c:\windows\system32\csrsrv.dll
.
==================== Find3M  ====================
.
2013-04-04 19:50:32 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-22 03:46:00 1800704 ----a-w- c:\windows\system32\jscript9.dll
2013-02-22 03:38:00 1129472 ----a-w- c:\windows\system32\wininet.dll
2013-02-22 03:37:50 1427968 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-22 03:34:17 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2013-02-22 03:34:03 420864 ----a-w- c:\windows\system32\vbscript.dll
2013-02-22 03:31:46 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2013-02-13 22:48:18 697712 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-13 22:48:17 74096 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-12 04:48:31 474112 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2013-02-12 04:48:26 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll
2013-02-12 03:32:45 15872 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-08 15:09:57 477616 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-02-08 15:09:57 473520 ----a-w- c:\windows\system32\deployJava1.dll
.
============= FINISH:  8:24:59.05 ===============

 




#2 HelpBot, Bleepin' Binary Bot (Bots)

Posted 12 May 2013 - 08:35 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/493786 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 whoabuddy, Bleepin' Verbose (Malware Response Instructor, Cottonwood, AZ)

Posted 13 May 2013 - 10:59 AM

Hello dubritski,

Welcome to Bleeping Computer!

My name is whoabuddy and I will be assisting you today. Before we get started, please keep the following in mind while I am helping you to make things go easier and faster for both of us.


Please do not run any tools unless instructed to do so.

We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.

Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.

Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process. Also watch for items italicized or in green, these entries are notes to help explain the process or common occurrences.

Please provide feedback about your experience as we go.

A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of headaches as we go along. For more information about backing up your system, please review the links in the first item of the Malware Removal Preparation Guide.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Please respond and acknowledge that you have read my introduction and I will begin reviewing your logs so we can get started!

Best Regards,
whoabuddy
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

#4 dubritski, Topic Starter (Members, Laplace LA)

Posted 13 May 2013 - 11:07 PM

Read and understood, thank you.

#5 whoabuddy, Bleepin' Verbose (Malware Response Instructor, Cottonwood, AZ)

Posted 14 May 2013 - 07:26 AM

Hi dubritski,

Thank you for acknowledging that post. Now let's take a closer look at a few things before we start applying fixes, please follow the instructions below.

Do you recognize the application Dameware Utilities?

This software may be in use by your organization, but if not we definitely want to remove it, as hackers can use it for remote control. You can see it running below:

============== Running Processes ================
.
C:\Windows\SYSTEM32\DNTUS26.EXE
C:\Windows\system32\DWRCS.exe
C:\Windows\system32\DWRCST.exe
C:\Windows\system32\DWRCS.exe
.


Reference: http://www.systemlookup.com/O23/687-DNTUS26_EXE.html

We need to run a scan with aswMBR:

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.
We need to run a custom batch script:
  • Go to the Start Orb, in the search box, type notepad and press enter
  • Copy and paste the entire text below into the blank notepad document:
    @echo off
    :: This script was created for dubritski on 05132013
    :: and should only be run by the user it was intended
    :: for in accordance with the accompanying instructions
    :: Every command appends its output to search.txt next to the script;
    :: "2>&1" also sends error messages there, so a command that fails
    :: leaves a visible trace in the log instead of an empty section.
    echo [b]/////// Starting Script[/b] >search.txt
    echo. >>search.txt
    echo Running From: %~dp0 >>search.txt
    echo. >>search.txt
    echo [b]/////// Basic Info[/b] >>search.txt
    echo. >>search.txt
    echo Username: %username% >>search.txt
    echo User Profile: %userprofile% >>search.txt
    echo. >>search.txt
    echo [b]/////// My Documents Location[/b] >>search.txt
    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Personal" >>search.txt 2>&1
    echo [b]/////// User Information[/b] >>search.txt
    echo. >>search.txt
    net user %username% >>search.txt 2>&1
    echo. >>search.txt
    echo [b]/////// Share Information[/b] >>search.txt
    echo. >>search.txt
    net share >>search.txt 2>&1
    echo [b]/////// Folder Permissions[/b] >>search.txt
    echo. >>search.txt
    cacls "Y:\Users\power1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z52XT5LX" >>search.txt 2>&1
    echo. >>search.txt
    echo [b]/////// Script Complete[/b] >>search.txt
    echo. >>search.txt
    start notepad search.txt
    exit
    
  • Click on File > Save As... to save the file to your desktop
  • Enter search.bat for the file name and All Files for the file type
  • Close notepad, right-click on search.bat, click Run As Administrator
  • When complete a log file will pop up, and a copy will be saved to your desktop as search.txt, please post it in your next reply
In your next post I need the following:
  • whether or not you recognize the Dameware software
  • log file from aswMBR scan
  • log file from custom batch script
Best Regards,
whoabuddy

#6 dubritski, Topic Starter (Members, Laplace LA)

Posted 14 May 2013 - 12:55 PM

Dameware is the software we use for remote desktop support.

I won't be able to get to this computer this week; I'll get the reports Monday morning.



#7 whoabuddy, Bleepin' Verbose (Malware Response Instructor, Cottonwood, AZ)

Posted 14 May 2013 - 10:54 PM

Hi dubritski,

Dameware is the software we use for remote desktop support


Good, we can disregard those entries from the log then, and I will be looking forward to your reply on Monday.

Best Regards,
whoabuddy

#8 dubritski, Topic Starter (Members, Laplace LA)

Posted 20 May 2013 - 04:20 PM

aswMBR log

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-05-20 15:54:07
-----------------------------
15:54:07.869    OS Version: Windows 6.1.7601 Service Pack 1
15:54:07.869    Number of processors: 2 586 0x6B01
15:54:07.879    ComputerName: LAB-PWRHOUSE-W7  UserName: holmj_adm
15:54:11.733    Initialize success
16:05:01.893    AVAST engine defs: 13052001
16:06:05.757    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
16:06:05.772    Disk 0 Vendor: ST380815AS 3.CCA Size: 76324MB BusType: 3
16:06:05.866    Disk 0 MBR read successfully
16:06:05.882    Disk 0 MBR scan
16:06:05.913    Disk 0 unknown MBR code
16:06:05.913    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS         1200 MB offset 63
16:06:05.944    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        65115 MB offset 2457945
16:06:05.960    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        10001 MB offset 135813510
16:06:06.006    Disk 0 scanning sectors +156296385
16:06:06.147    Disk 0 scanning C:\Windows\system32\drivers
16:06:30.887    Service scanning
16:07:00.167    Service SysPlant C:\Windows\SYSTEM32\Drivers\SysPlant.sys **LOCKED** 32
16:07:06.594    Service WPS C:\Windows\system32\drivers\wpsdrvnt.sys **LOCKED** 32
16:07:07.218    Service WpsHelper C:\Windows\system32\drivers\WpsHelper.sys **LOCKED** 32
16:07:08.684    Modules scanning
16:07:29.899    Disk 0 trace - called modules:
16:07:29.931    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys 
16:07:29.946    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x855beac8]
16:07:29.962    3 CLASSPNP.SYS[877b859e] -> nt!IofCallDriver -> [0x855b5918]
16:07:29.977    5 ACPI.sys[872283d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x855ac030]
16:07:30.352    AVAST engine scan C:\Windows
16:07:33.097    AVAST engine scan C:\Windows\system32
16:12:59.840    AVAST engine scan C:\Windows\system32\drivers
16:13:21.788    AVAST engine scan C:\Users\holmj_adm
16:13:40.320    AVAST engine scan C:\ProgramData
16:14:49.363    Scan finished successfully
16:20:01.864    Disk 0 MBR has been saved successfully to "\\ga-fs1\apps$\MSIAppInstalls\Anti Virus programs\lab-pwrhouse logs\MBR.dat"
16:20:01.895    The log file has been saved successfully to "\\ga-fs1\apps$\MSIAppInstalls\Anti Virus programs\lab-pwrhouse logs\aswMBR.txt"
 
 

 

Batch Script log 

 

/////// Starting Script 
 
Running From: \\ga-fs1\apps$\MSIAppInstalls\Anti Virus programs\lab-pwrhouse logs\ 
 
/////// Basic Info 
 
Username: holmj_adm 
User Profile: C:\Users\holmj_adm 
 
/////// My Documents Location 
 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Personal    REG_SZ    C:\Users\holmj_adm\Documents
 
/////// User Information 
 
/////// Share Information 
 
 
Share name   Resource                        Remark
 
-------------------------------------------------------------------------------
C$           C:\                             Default share                     
D$           D:\                             Default share                     
IPC$                                         Remote IPC                        
ADMIN$       C:\Windows                      Remote Admin                      
The command completed successfully.
 
/////// Folder Permissions 
 
 
/////// Script Complete 


#9 dubritski, Topic Starter (Members, Laplace LA)

Posted 20 May 2013 - 04:21 PM

For clarification, the scans are run with my credentials, not the user usually using the computer.



#10 whoabuddy, Bleepin' Verbose (Malware Response Instructor, Cottonwood, AZ)

Posted 21 May 2013 - 12:49 PM

Hi dubritski,

Thank you for the logs and clarification, I will review these and get back to you with our next steps.

Best Regards,
whoabuddy

#11 whoabuddy, Bleepin' Verbose (Malware Response Instructor, Cottonwood, AZ)

Posted 22 May 2013 - 02:42 PM

Hi dubritski,

Looking over your logs from this and your previous post I do not see an infection running on your machine, so we are most likely dealing with an application and/or permissions issue. There was a typo in that last script, please re-run the updated script below and post the results, same method as my last post.

We need to run a custom script:

@echo off
:: This script was created for dubritski on 05222013
:: and should only be run by the user it was intended
:: for in accordance with the accompanying instructions
:: Every command appends its output to search.txt next to the script;
:: "2>&1" also sends error messages there, so a command that fails
:: leaves a visible trace in the log instead of an empty section.
echo [b]/////// Starting Script[/b] >search.txt
echo. >>search.txt
echo Running From: %~dp0 >>search.txt
echo. >>search.txt
echo [b]/////// Mapped Drive Information[/b] >>search.txt
echo. >>search.txt
net use >>search.txt 2>&1
echo. >>search.txt
echo [b]/////// Folder Permissions[/b] >>search.txt
echo. >>search.txt
cacls "C:\Users\power1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z52XT5LX" >>search.txt 2>&1
echo. >>search.txt
echo [b]/////// Script Complete[/b] >>search.txt
echo. >>search.txt
start notepad search.txt
exit
Once we take a closer look at the permissions we can try to delete the folder, then narrow down what is recreating it if it comes back. I would also like to review a copy of your MBR created by aswMBR, please follow the instructions below:

We need to upload a copy of your MBR:

  • In the same directory where aswMBR was run, a file named MBR.dat should have been created.
  • Right-click on the file, click Send To > Compressed (zip) Folder
  • Accept the default name and save the file
  • Click on Browse... under Attach Files on your next post and attach the MBR.zip file

In your next post I need the following:

  • search.txt from revised custom script
  • MBR.zip attachment from aswMBR

Best Regards,
whoabuddy
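The plan in the post above is to delete the folder and, if it comes back, narrow down what is recreating it. The script below is an added example written for this thread, not a tool from the original posts or from BleepingComputer: it profiles a folder such as the Content.IE5\Z52XT5LX one by file count, total size, extension and hour of last modification, so the writes can be lined up against a browser session, a scheduled task or a service that runs at a fixed time. The function names (profile_dir, make_sample_dir) are my own, and the sample tree it builds when run without an argument is constructed for the demonstration.

```python
"""Profile a folder that keeps refilling, to see what is writing into it.

Added example for this thread (not a tool from the original posts).
Run it against the runaway cache folder, for example:
  python cache_profile.py "C:\\Users\\<username>\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\Content.IE5\\Z52XT5LX"
With no argument it builds a small constructed sample tree and profiles that.
"""
import os
import sys
import tempfile
from collections import Counter
from datetime import datetime


def profile_dir(path):
    """Walk `path` and summarise every file found beneath it.

    Returns total file count and bytes, counts and bytes per extension,
    a count per hour-of-day of last modification (local time), and the
    ten most recently modified files. The hour histogram is what lets
    you match the writes to whatever runs at that time of day.
    """
    by_ext, bytes_by_ext, by_hour = Counter(), Counter(), Counter()
    newest = []
    total_files = total_bytes = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or locked between listing and stat; skip it
            total_files += 1
            total_bytes += st.st_size
            ext = os.path.splitext(name)[1].lower() or "(none)"
            by_ext[ext] += 1
            bytes_by_ext[ext] += st.st_size
            by_hour[datetime.fromtimestamp(st.st_mtime).hour] += 1
            newest.append((st.st_mtime, os.path.relpath(full, path)))
    newest.sort(reverse=True)
    return {"files": total_files, "bytes": total_bytes, "by_ext": by_ext,
            "bytes_by_ext": bytes_by_ext, "by_hour": by_hour, "newest": newest[:10]}


def top_extensions(report, n=5):
    """Most common extensions as (ext, count) pairs, largest first."""
    return report["by_ext"].most_common(n)


def busiest_hours(report, n=3):
    """Hours of day (0-23) with the most writes, as (hour, count) pairs."""
    return report["by_hour"].most_common(n)


def format_report(report):
    """Render the profile as plain text for pasting into a reply."""
    lines = ["%d files, %d bytes" % (report["files"], report["bytes"]), "By extension:"]
    for ext, count in top_extensions(report):
        lines.append("  %-8s %6d files %10d bytes" % (ext, count, report["bytes_by_ext"][ext]))
    lines.append("Writes per hour of day (local time):")
    for hour in sorted(report["by_hour"]):
        lines.append("  %02d:00  %d" % (hour, report["by_hour"][hour]))
    lines.append("Most recently modified:")
    for mtime, rel in report["newest"]:
        lines.append("  %s  %s" % (datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M:%S"), rel))
    return "\n".join(lines)


def make_sample_dir():
    """Build a constructed sample tree mimicking the symptom in the thread:
    many small cache files written mid-afternoon, plus a batch of .tmp
    files written at 03:00 by something that runs unattended."""
    base = tempfile.mkdtemp(prefix="content_ie5_sample_")
    sub = os.path.join(base, "Z52XT5LX")
    os.makedirs(sub)

    def write(name, payload, when):
        full = os.path.join(sub, name)
        with open(full, "wb") as fh:
            fh.write(payload)
        stamp = when.timestamp()        # naive datetime -> local-time epoch
        os.utime(full, (stamp, stamp))  # set atime and mtime

    for i in range(40):  # 40 cached pages, 113 bytes each, written at 15:00
        write("page%03d[1].htm" % i, b"<html>" + b"x" * 100 + b"</html>",
              datetime(2013, 5, 20, 15, 0))
    for i in range(10):  # 10 blobs of 2048 bytes written at 03:00 the next day
        write("blob%02d.tmp" % i, b"\0" * 2048, datetime(2013, 5, 21, 3, 0))
    return base


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_dir()
    print("Profiling", target)
    print(format_report(profile_dir(target)))
```

Run it once right after emptying the folder and again when the folder has refilled; the hour histogram and the newest-files list tell you when the writer is active, which is the clue needed before reaching for Process Monitor or the Task Scheduler history to identify it.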

#12 dubritski, Topic Starter (Members, Laplace LA)

Posted 22 May 2013 - 02:52 PM

/////// Starting Script 
 
Running From: \\ga-fs1\apps$\MSIAppInstalls\Anti Virus programs\lab-pwrhouse logs\ 
 
/////// Mapped Drive Information  
 
New connections will be remembered.
 
 
Status       Local     Remote                    Network
 
-------------------------------------------------------------------------------
Unavailable  H:        \\publicfile.gramercyal.com\shared 
                                                Microsoft Windows Network
Unavailable  T:        \\publicfile.gramercyal.com\mockingbird 
                                                Microsoft Windows Network
The command completed successfully.
 
 
/////// Folder Permissions  
  
C:\Users\power1\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z52XT5LX NT AUTHORITY\SYSTEM:(OI)(CI)F 
                                                                                                  BUILTIN\Administrators:(OI)(CI)F 
                                                                                                  NORANDA\power1:(OI)(CI)F 
                                                                                                  NORANDA\power1:(OI)(CI)F 
 
 
/////// Script Complete 


#13 whoabuddy, Bleepin' Verbose (Malware Response Instructor, Cottonwood, AZ)

Posted 22 May 2013 - 03:18 PM

Hi dubritski,

That looks perfect, can you zip and attach the MBR.dat file as MBR.zip as well please?

Best Regards,
whoabuddy

#14 dubritski, Topic Starter (Members, Laplace LA)

Posted 22 May 2013 - 03:27 PM

Here you go.

Attached Files

  • MBR.zip (533 bytes, 5 downloads)

Edited by dubritski, 22 May 2013 - 03:28 PM.


#15 dubritski, Topic Starter (Members, Laplace LA)

Posted 22 May 2013 - 03:38 PM

Attached are some screenshots of the files in the folder. I cleared the folder on 5/7 and there are now 95.000 files in the folder.

Attached Files





