zgeorge_2
asked on
viruse boots up and eats my hard disk space
hi
i have scaned my computer with AVG, trendmicro, norton, spyware, adware
now i have a following problem
i tried deleting hidden files from the recovery console and i did successfully but everytime it woudl exit an d teh system woudl boot up in the normal mode and the virus woudl be see again actually a fiel
c:\WINDOWS\blubbgger.sys = BackDoor.Hacdef.BR
and i searched the register for it and deleted 2 paths but then when i booted up again the message by AVG would show
saying BackDoor.Hacdef.BR was found please scan with avg
just before the login screen
i tried everything but cannot do it
can anybody please help me get rid of that virus or whatevr couses it
thanks
ps. the thing also is that when i delete and make my free space 2 Gb(20Gb hard disk) the next boot up the system would
slowly eating myu space
like just after i log in it would be 2GB the 10 minutes after 1.04 and the 335Kb
please help me with this problem
i have scaned my computer with AVG, trendmicro, norton, spyware, adware
now i have a following problem
i tried deleting hidden files from the recovery console and i did successfully but everytime it woudl exit an d teh system woudl boot up in the normal mode and the virus woudl be see again actually a fiel
c:\WINDOWS\blubbgger.sys = BackDoor.Hacdef.BR
and i searched the register for it and deleted 2 paths but then when i booted up again the message by AVG would show
saying BackDoor.Hacdef.BR was found please scan with avg
just before the login screen
i tried everything but cannot do it
can anybody please help me get rid of that virus or whatevr couses it
thanks
ps. the thing also is that when i delete and make my free space 2 Gb(20Gb hard disk) the next boot up the system would
slowly eating myu space
like just after i log in it would be 2GB the 10 minutes after 1.04 and the 335Kb
please help me with this problem
ASKER
Logfile of HijackThis v1.97.7
Scan saved at 6:36:21 PM, on 03/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Amaprt\MainSrv.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\ComAdapt.exe
C:\PROGRA~1\Grisoft\AVG6\a
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\PROGRA~1\Grisoft\AVG6\a
C:\Program Files\Common Files\Intuit\QuickBooks\QB
C:\down\RegSeeker\RegSeeke
C:\Program Files\Agnitum\Tauscan 1.7\Tauscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\down\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [Extranet AutoDial] C:\Program Files\AMADEUS VPN\AutoExt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\a
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATO
O16 - DPF: {051FE707-9706-11D5-A836-0
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
O16 - DPF: {266BB960-7DA8-11D4-A849-0
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0
O16 - DPF: {33564D57-0000-0010-8000-0
O16 - DPF: {3D518D7D-422F-4787-AC71-1
O16 - DPF: {421A63BA-4632-43E0-A942-3
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {665C05C1-517D-11D3-BE4A-0
O16 - DPF: {74D05D43-3236-11D4-BDCD-0
O16 - DPF: {7A32634B-029C-4836-A023-5
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-1
O16 - DPF: {9F1C11AA-197B-4942-BA54-4
O16 - DPF: {CDE9DD16-37C8-11D5-8476-0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-7
O16 - DPF: {E037FC50-FE36-11D3-BEEB-0
O16 - DPF: {EBE01DF7-D451-11D5-A842-0
Scan saved at 6:36:21 PM, on 03/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\spools
C:\Amaprt\MainSrv.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\ComAdapt.exe
C:\PROGRA~1\Grisoft\AVG6\a
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\PROGRA~1\Grisoft\AVG6\a
C:\Program Files\Common Files\Intuit\QuickBooks\QB
C:\down\RegSeeker\RegSeeke
C:\Program Files\Agnitum\Tauscan 1.7\Tauscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\down\HijackThis.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [Extranet AutoDial] C:\Program Files\AMADEUS VPN\AutoExt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\a
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATO
O16 - DPF: {051FE707-9706-11D5-A836-0
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
O16 - DPF: {266BB960-7DA8-11D4-A849-0
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0
O16 - DPF: {33564D57-0000-0010-8000-0
O16 - DPF: {3D518D7D-422F-4787-AC71-1
O16 - DPF: {421A63BA-4632-43E0-A942-3
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {665C05C1-517D-11D3-BE4A-0
O16 - DPF: {74D05D43-3236-11D4-BDCD-0
O16 - DPF: {7A32634B-029C-4836-A023-5
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-1
O16 - DPF: {9F1C11AA-197B-4942-BA54-4
O16 - DPF: {CDE9DD16-37C8-11D5-8476-0
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-7
O16 - DPF: {E037FC50-FE36-11D3-BEEB-0
O16 - DPF: {EBE01DF7-D451-11D5-A842-0
Take these thinsg out using HiJackThis:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
O16 - DPF: {421A63BA-4632-43E0-A942-3
O16 - DPF: {CDE9DD16-37C8-11D5-8476-0
Reboot and see what happens.
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
O16 - DPF: {421A63BA-4632-43E0-A942-3
O16 - DPF: {CDE9DD16-37C8-11D5-8476-0
Reboot and see what happens.
ASKER
same thing happens
a popup comes up and says
You have BackDoor.Hacdef.BR. located in c:\WINDOWS\blubbgger.sys
scan with avg for viruses
i don'tknow what that could be i tried deleting it and fixing
doing all that stuff
but still the same thing appears
please help me
thnaks
a popup comes up and says
You have BackDoor.Hacdef.BR. located in c:\WINDOWS\blubbgger.sys
scan with avg for viruses
i don'tknow what that could be i tried deleting it and fixing
doing all that stuff
but still the same thing appears
please help me
thnaks
ASKER
and also Blubbg~.sys
the same thing keeps poping up
the same thing keeps poping up
Check for Viruses with online scanners
Norton/Symantec --> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
Trend Micro --> http://housecall.antivirus.com/housecall/start_corp.asp
BitDefender --> http://www.bitdefender.com/scan/licence.php
RAV Antivirus --> http://www.ravantivirus.com/scan/
Panda ActiveScan --> http://www.pandasoftware.com/activescan/
McAfee Security --> http://us.mcafee.com/root/mfs/default.asp
Individual File Scanner --> http://www.kaspersky.com/remoteviruschk.html
Norton/Symantec --> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
Trend Micro --> http://housecall.antivirus.com/housecall/start_corp.asp
BitDefender --> http://www.bitdefender.com/scan/licence.php
RAV Antivirus --> http://www.ravantivirus.com/scan/
Panda ActiveScan --> http://www.pandasoftware.com/activescan/
McAfee Security --> http://us.mcafee.com/root/mfs/default.asp
Individual File Scanner --> http://www.kaspersky.com/remoteviruschk.html
boot to safe mode by pressing F8 continuously when first turning on the power to your computer, when the safe mode menu appears, choose safe mode with networking.
After the desktop loads, I assume windows XP here, disable system restore by the following:
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box
Click Apply. A message will appear telling you that you will lose all of your restore points. click OK on that
Use on of the above posted online scanners to scan your system or continue below for manual removal instructions of the trojan on your system.
==========================
Manual Removal Instructions
Open task manager by right clicking the taskbar and selecting it or pressing keyboard keys ctrl + alt+Esc at the same time...
On the task manager window click the processes tab and then click the Image Name filed twice to sort in alphabetical, acsending order. Locate and high light each of the following processes one and a time and click the end process button, and the OK to confirm it on the message window that pops up. If you do not see one of the following items in the list of running processes forget about it and move on to the next one:
Here's the list:
1059609355.exe
-1439546010.exe
-1624699784.exe
1822900638.exe
1db5f417.exe
-2083902967.exe
-396436812.exe
53371a48.exe
68df4bf7.exe
736adfc5.exe
7d07e4c4.exe
87de6b33.exe
afb790b7.exe
b9357815.exe
bdcli026.exe
db34223f.exe
db6f8695.exe
hxdef026.exe
isplog.exe
isplogger.exe
hkrnlrdv.sys
hxdefdrv.sys
OK, that done we move on to step two, close the Task manager. Double click My Computer, click tools menhu, then folder options, then view tab. Make sure that "Show hidden files and folders" has a dot next to it, if not click it to put the dot there. Un-check the box next to hide extensions for known file types and hide protected operating system files, click apply at the bottom and say OK to the message window that pops up, click OK to get rid of the window and close My Computer.
Then open search or find files from the start menu.
type the items from the following list in the search for files files and folders named box one at a time and search your system for them, deleting any that are found. You can delete them right from the search window by highlighting and pressing delete on your keyboard.
1059609355.exe
-1439546010.exe
-1624699784.exe
1822900638.exe
1db5f417.exe
-2083902967.exe
-396436812.exe
53371a48.exe
68df4bf7.exe
736adfc5.exe
7d07e4c4.exe
87de6b33.exe
afb790b7.exe
b9357815.exe
bdcli026.exe
db34223f.exe
db6f8695.exe
hxdef026.exe
hxdef026.ini
readmecz.txt
readmeen.txt
After that rescan your system using one or more of the above posted online scanners.
After the desktop loads, I assume windows XP here, disable system restore by the following:
Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box
Click Apply. A message will appear telling you that you will lose all of your restore points. click OK on that
Use on of the above posted online scanners to scan your system or continue below for manual removal instructions of the trojan on your system.
==========================
Manual Removal Instructions
Open task manager by right clicking the taskbar and selecting it or pressing keyboard keys ctrl + alt+Esc at the same time...
On the task manager window click the processes tab and then click the Image Name filed twice to sort in alphabetical, acsending order. Locate and high light each of the following processes one and a time and click the end process button, and the OK to confirm it on the message window that pops up. If you do not see one of the following items in the list of running processes forget about it and move on to the next one:
Here's the list:
1059609355.exe
-1439546010.exe
-1624699784.exe
1822900638.exe
1db5f417.exe
-2083902967.exe
-396436812.exe
53371a48.exe
68df4bf7.exe
736adfc5.exe
7d07e4c4.exe
87de6b33.exe
afb790b7.exe
b9357815.exe
bdcli026.exe
db34223f.exe
db6f8695.exe
hxdef026.exe
isplog.exe
isplogger.exe
hkrnlrdv.sys
hxdefdrv.sys
OK, that done we move on to step two, close the Task manager. Double click My Computer, click tools menhu, then folder options, then view tab. Make sure that "Show hidden files and folders" has a dot next to it, if not click it to put the dot there. Un-check the box next to hide extensions for known file types and hide protected operating system files, click apply at the bottom and say OK to the message window that pops up, click OK to get rid of the window and close My Computer.
Then open search or find files from the start menu.
type the items from the following list in the search for files files and folders named box one at a time and search your system for them, deleting any that are found. You can delete them right from the search window by highlighting and pressing delete on your keyboard.
1059609355.exe
-1439546010.exe
-1624699784.exe
1822900638.exe
1db5f417.exe
-2083902967.exe
-396436812.exe
53371a48.exe
68df4bf7.exe
736adfc5.exe
7d07e4c4.exe
87de6b33.exe
afb790b7.exe
b9357815.exe
bdcli026.exe
db34223f.exe
db6f8695.exe
hxdef026.exe
hxdef026.ini
readmecz.txt
readmeen.txt
After that rescan your system using one or more of the above posted online scanners.
If you are running Windows XP or Windows ME(I suspect XP) you must turn off system restore or the virii will keep replacing itself with new copies everytime yu delete something, it does this at boot, so please turn off system restore in safe mode, end any suspicious running processes, THEN and only THEN use an online scanner...
After you reboot a few times and you are sure that the trojan is gone; then turn system restore back on, or leave it off, as you like.
Cheers,
Jatcan
After you reboot a few times and you are sure that the trojan is gone; then turn system restore back on, or leave it off, as you like.
Cheers,
Jatcan
first of all try this tool:
http://www.mwti.net/antivirus/free_utilities.asp
if it fails then i am pretty sure the problem is that this virus uses special NTFS permissions. All of the new viruses/spywares are using these NTFS permissions.
here is a page on my website about a similar virus. the instructions may work for this virus:
http://www.paulscomputerservice.net/index.php?body=spyware/backdoorAgentBA.php
Basically you need to boot to safe mode (push F8 during boot up process to get to safe mode) then locate the file "c:\WINDOWS\blubbgger.sys"
http://www.mwti.net/antivirus/free_utilities.asp
if it fails then i am pretty sure the problem is that this virus uses special NTFS permissions. All of the new viruses/spywares are using these NTFS permissions.
here is a page on my website about a similar virus. the instructions may work for this virus:
http://www.paulscomputerservice.net/index.php?body=spyware/backdoorAgentBA.php
Basically you need to boot to safe mode (push F8 during boot up process to get to safe mode) then locate the file "c:\WINDOWS\blubbgger.sys"
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Your problem will most likely be caused by something in the results.
http://www.spychecker.com/program/hijackthis.html