Solved

Virus boots up and eats my hard disk space

Posted on 2004-09-03
Last Modified: 2008-01-09
Hi,
I have scanned my computer with AVG, Trend Micro, Norton, spyware and adware scanners.
Now I have the following problem.
I tried deleting hidden files from the Recovery Console, and I did so successfully, but every time it exited and the system booted up in normal mode, the virus would be seen again, actually a file:
c:\WINDOWS\blubbgger.sys = BackDoor.Hacdef.BR
and I searched the registry for it and deleted 2 paths, but then when I booted up again the message by AVG would show
saying BackDoor.Hacdef.BR was found, please scan with AVG,
just before the login screen.

I tried everything but cannot do it.

Can anybody please help me get rid of that virus or whatever causes it?

Thanks

PS. The other thing is that when I delete files and make my free space 2 GB (20 GB hard disk), on the next boot the system would
slowly eat my space:
just after I log in it would be 2 GB, then 10 minutes after 1.04, and then 335Kb.

Please help me with this problem.


Question by:zgeorge_2
13 Comments
LVL 3

Expert Comment

by:SBPCGuru
ID: 11977157
Run HiJackThis.exe after downloading from the website below and post the results.
Your problem will most likely be caused by something in the results.
http://www.spychecker.com/program/hijackthis.html

Author Comment

by:zgeorge_2
ID: 11977912
Logfile of HijackThis v1.97.7
Scan saved at 6:36:21 PM, on 03/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Amaprt\MainSrv.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\ComAdapt.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\down\RegSeeker\RegSeeker\RegSeeker.exe
C:\Program Files\Agnitum\Tauscan 1.7\Tauscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\down\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [Extranet AutoDial] C:\Program Files\AMADEUS VPN\AutoExt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://ca.amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://ca.amadeusvista.com/common/cabs/VistaPWComms.CAB
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://amadeusvista.com/common/cabs/SP2Patch.CAB
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093348470644
O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeuscruise.com/common/cabs/MSIInspect.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37915.6139236111
O16 - DPF: {CDE9DD16-37C8-11D5-8476-000102A80AF0} (Socks Class) - http://vacation.agentnet.com/app/amadeus/ComSocks_1001.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E037FC50-FE36-11D3-BEEB-00008322EEB5} (PPUpdate Class) - http://amadeusproprinter.com/genericprev/PPUpdateATL.CAB
O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://ca.amadeusvista.com/common/cabs/AmadeusInit.CAB
LVL 3

Expert Comment

by:SBPCGuru
ID: 11977946
Take these things out using HiJackThis:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab

O16 - DPF: {CDE9DD16-37C8-11D5-8476-000102A80AF0} (Socks Class) - http://vacation.agentnet.com/app/amadeus/ComSocks_1001.CAB

Reboot and see what happens.
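The O16 lines in a HijackThis log are ActiveX controls installed into Downloaded Program Files, and the usual triage is to group them by the host they were downloaded from and look closely at any host the machine's owner does not recognise. The following is an added example, not code from the thread or from HijackThis: a small Python parser for O16 lines run over three lines copied from the log posted above, with a trusted-vendor list that is purely an assumption for illustration.

```python
import re
from urllib.parse import urlparse

# One HijackThis O16 line: "O16 - DPF: {CLSID} (Description) - URL".
# The parenthesised description is optional (see the log above).
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\}"
    r"(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)"
)

def parse_o16(log_text):
    """Return one dict (clsid, desc, url, host) per O16 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue  # not an O16 line (process list, O4, O9, ...)
        host = (urlparse(m.group("url")).hostname or "").lower()
        entries.append({"clsid": m.group("clsid").upper(),
                        "desc": m.group("desc") or "",
                        "url": m.group("url"),
                        "host": host})
    return entries

def flag_unrecognised(entries, trusted_suffixes):
    """Return entries whose download host is not a trusted domain or a subdomain of one."""
    def trusted(host):
        return any(host == s or host.endswith("." + s) for s in trusted_suffixes)
    return [e for e in entries if not trusted(e["host"])]

# Constructed sample: three O16 lines copied from the log posted above.
SAMPLE_LOG = """\
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""
# Hypothetical list of vendors the owner recognises; an assumption for illustration only.
TRUSTED = ("microsoft.com", "trendmicro.com")

if __name__ == "__main__":
    for e in flag_unrecognised(parse_o16(SAMPLE_LOG), TRUSTED):
        print(e["clsid"], e["host"], e["desc"] or "(no description)")
```

Note that the HouseCall control is flagged because it is served from an Akamai CDN host even though the path mentions trendmicro.com; the host alone is not enough to clear or condemn an entry, so the description and CLSID have to be checked as well.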

Author Comment

by:zgeorge_2
ID: 11978125
same thing happens

a popup comes up and says

You have BackDoor.Hacdef.BR. located in c:\WINDOWS\blubbgger.sys


scan with avg for viruses

I don't know what that could be; I tried deleting it and fixing,

doing all that stuff
but still the same thing appears

please help me

Thanks


Author Comment

by:zgeorge_2
ID: 11978320
and also Blubbg~.sys

the same thing keeps popping up

LVL 8

Expert Comment

by:natcom
ID: 11978441
LVL 6

Expert Comment

by:cwkhang
ID: 11978854
Hi,
BackDoor.Hacdef.BR is a trojan horse.
Try scanning online (free) at http://www.trojanscan.com

Good luck!


LVL 7

Expert Comment

by:jatcan
ID: 11978862
Boot to safe mode by pressing F8 continuously when first turning on the power to your computer; when the safe mode menu appears, choose Safe Mode with Networking.

After the desktop loads (I assume Windows XP here), disable System Restore by the following:

Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
Click Apply. A message will appear telling you that you will lose all of your restore points; click OK on that.

Use one of the above posted online scanners to scan your system, or continue below for manual removal instructions for the trojan on your system.


=====================================

Manual Removal Instructions

Open Task Manager by right-clicking the taskbar and selecting it, or by pressing the keyboard keys Ctrl + Alt + Esc at the same time...

On the Task Manager window click the Processes tab and then click the Image Name field twice to sort in alphabetical, ascending order. Locate and highlight each of the following processes one at a time and click the End Process button, and then OK to confirm it on the message window that pops up. If you do not see one of the following items in the list of running processes, forget about it and move on to the next one:

Here's the list:

1059609355.exe
-1439546010.exe
-1624699784.exe
1822900638.exe
1db5f417.exe
-2083902967.exe
-396436812.exe
53371a48.exe
68df4bf7.exe
736adfc5.exe
7d07e4c4.exe
87de6b33.exe
afb790b7.exe
b9357815.exe
bdcli026.exe
db34223f.exe
db6f8695.exe
hxdef026.exe
isplog.exe
isplogger.exe
hkrnlrdv.sys
hxdefdrv.sys

OK, that done, we move on to step two: close the Task Manager. Double-click My Computer, click the Tools menu, then Folder Options, then the View tab. Make sure that "Show hidden files and folders" has a dot next to it; if not, click it to put the dot there. Un-check the boxes next to "Hide extensions for known file types" and "Hide protected operating system files", click Apply at the bottom and say OK to the message window that pops up, click OK to get rid of the window and close My Computer.

Then open Search or Find Files from the Start menu.

Type the items from the following list in the "Search for files and folders named" box one at a time and search your system for them, deleting any that are found. You can delete them right from the search window by highlighting and pressing Delete on your keyboard.

1059609355.exe
-1439546010.exe
-1624699784.exe
1822900638.exe
1db5f417.exe
-2083902967.exe
-396436812.exe
53371a48.exe
68df4bf7.exe
736adfc5.exe
7d07e4c4.exe
87de6b33.exe
afb790b7.exe
b9357815.exe
bdcli026.exe
db34223f.exe
db6f8695.exe
hxdef026.exe
hxdef026.ini
readmecz.txt
readmeen.txt

After that rescan your system using one or more of the above posted online scanners.
LVL 7

Expert Comment

by:jatcan
ID: 11978866
If you are running Windows XP or Windows ME (I suspect XP) you must turn off System Restore or the virii will keep replacing itself with new copies every time you delete something; it does this at boot, so please turn off System Restore in safe mode, end any suspicious running processes, THEN and only THEN use an online scanner...

After you reboot a few times and you are sure that the trojan is gone; then turn system restore back on, or leave it off, as you like.

Cheers,

Jatcan
LVL 11

Expert Comment

by:Paul S
ID: 11986216
First of all try this tool:
http://www.mwti.net/antivirus/free_utilities.asp

If it fails then I am pretty sure the problem is that this virus uses special NTFS permissions. All of the new viruses/spywares are using these NTFS permissions.

Here is a page on my website about a similar virus. The instructions may work for this virus:
http://www.paulscomputerservice.net/index.php?body=spyware/backdoorAgentBA.php

Basically you need to boot to safe mode (push F8 during the boot-up process to get to safe mode), then locate the file "c:\WINDOWS\blubbgger.sys". Make sure you enable viewing of all files and extensions and view protected operating system files. Then find the file in Explorer, right-click, go to Properties, then select Security, make sure Everyone has Full Control, then hit Apply. If Everyone isn't on the list, add it. Then try deleting the file. If you can't find the file in Explorer then open up Notepad and select File > Open, set view to all files, then use the Open window as if it were Explorer and follow the previous instructions. Do this to all files that you think are related to this virus. Normally there is only 1 with special NTFS permissions.

Accepted Solution

by:
modulo earned 0 total points
ID: 13747687
PAQed with no points refunded (of 150)

modulo
Community Support Moderator