• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1650
  • Last Modified:

viruse boots up and eats my hard disk space

hi
i have scaned my computer with AVG, trendmicro, norton, spyware, adware
now i have a following problem
i tried deleting hidden files from the recovery console and i did successfully but everytime it woudl exit an d teh system woudl boot up in the normal mode and the virus woudl be see again actually a fiel
c:\WINDOWS\blubbgger.sys = BackDoor.Hacdef.BR
and i searched the register for it and deleted 2 paths but then when i booted up again the message by AVG would show
saying BackDoor.Hacdef.BR was found please scan with avg
just before the login screen

i tried everything but cannot do it

can anybody please help me get rid of that virus or whatevr couses it

thanks

ps. the thing also is that when i delete and make my free space 2 Gb(20Gb hard disk) the next boot up the system would
slowly eating myu space
like just after i log in it would be 2GB the 10 minutes after 1.04 and the 335Kb

please help me with this problem


0
zgeorge_2
Asked:
zgeorge_2
  • 3
  • 2
  • 2
  • +4
1 Solution
 
SBPCGuruCommented:
Run HiJackThis.exe after downloading from the website below and post the results.
Your problem will most likely be caused by something in the results.
http://www.spychecker.com/program/hijackthis.html
0
 
zgeorge_2Author Commented:
Logfile of HijackThis v1.97.7
Scan saved at 6:36:21 PM, on 03/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Amaprt\MainSrv.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\AmaPrt.exe
C:\Amaprt\ComAdapt.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\down\RegSeeker\RegSeeker\RegSeeker.exe
C:\Program Files\Agnitum\Tauscan 1.7\Tauscan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\down\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [HPWH myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp business inkjet 1100 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [Extranet AutoDial] C:\Program Files\AMADEUS VPN\AutoExt.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .SWF: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://ca.amadeusvista.com/AutomaticUpdate/AutoUpdateATL.CAB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {266BB960-7DA8-11D4-A849-00008321B7D9} (Amadeus Cmd Page Cross Communication) - http://ca.amadeusvista.com/common/cabs/VistaPWComms.CAB
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {3D518D7D-422F-4787-AC71-10BB552E897B} (Amadeus_SP2_Patcher Class) - http://amadeusvista.com/common/cabs/SP2Patch.CAB
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093348470644
O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://us.amadeuscruise.com/common/cabs/MSIInspect.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37915.6139236111
O16 - DPF: {CDE9DD16-37C8-11D5-8476-000102A80AF0} (Socks Class) - http://vacation.agentnet.com/app/amadeus/ComSocks_1001.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E037FC50-FE36-11D3-BEEB-00008322EEB5} (PPUpdate Class) - http://amadeusproprinter.com/genericprev/PPUpdateATL.CAB
O16 - DPF: {EBE01DF7-D451-11D5-A842-000102A97CAB} (AmadeusInit.Init) - http://ca.amadeusvista.com/common/cabs/AmadeusInit.CAB
0
 
SBPCGuruCommented:
Take these thinsg out using HiJackThis:

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab

O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://i.rn11.com/iwasher/pptproactauthmirror/internetwasherpro.cab

O16 - DPF: {CDE9DD16-37C8-11D5-8476-000102A80AF0} (Socks Class) - http://vacation.agentnet.com/app/amadeus/ComSocks_1001.CAB

Reboot and see what happens.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
zgeorge_2Author Commented:
same thing happens

a popup comes up and says

You have BackDoor.Hacdef.BR. located in c:\WINDOWS\blubbgger.sys


scan with avg for viruses

i don'tknow what that could be i tried deleting it and fixing

doing all that stuff
but still the same thing appears

please help me

thnaks

0
 
zgeorge_2Author Commented:
and also Blubbg~.sys

the same thing keeps poping up

0
 
natcomCommented:
0
 
cwkhangCommented:
Hi,
BackDoor.Hacdef.BR is trojan horse
try scan online (free) at http://www.trojanscan.com

gd luck!


0
 
jatcanCommented:
boot to safe mode by pressing F8 continuously when first turning on the power to your computer, when the safe mode menu appears, choose safe mode with networking.

After the desktop loads, I assume windows XP here, disable system restore by the following:

Click Start > Programs > Accessories > Windows Explorer
Right-click My Computer, and then click Properties.
Click the System Restore tab.
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box
Click Apply. A message will appear telling you that you will lose all of your restore points. click OK on that

Use on of the above posted online scanners to scan your system or continue below for manual removal instructions of the trojan on your system.


=====================================

Manual Removal Instructions

Open task manager by right clicking the taskbar and selecting it or pressing keyboard keys ctrl + alt+Esc at the same time...

On the task manager window click the processes tab and then click the Image Name filed twice to sort in alphabetical, acsending order. Locate and high light each of the following processes one and a time and click the end process button, and the OK to confirm it on the message window that pops up. If you do not see one of the following items in the list of running processes forget about it and move on to the next one:

Here's the list:

1059609355.exe
-1439546010.exe
-1624699784.exe
1822900638.exe
1db5f417.exe
-2083902967.exe
-396436812.exe
53371a48.exe
68df4bf7.exe
736adfc5.exe
7d07e4c4.exe
87de6b33.exe
afb790b7.exe
b9357815.exe
bdcli026.exe
db34223f.exe
db6f8695.exe
hxdef026.exe
isplog.exe
isplogger.exe
hkrnlrdv.sys
hxdefdrv.sys

OK, that done we move on to step two, close the Task manager. Double click My Computer, click tools menhu, then folder options, then view tab. Make sure that "Show hidden files and folders" has a dot next to it, if not click it to put the dot there. Un-check the box next to hide extensions for known file types and hide protected operating system files, click apply at the bottom and say OK to the message window that pops up, click OK to get rid of the window and close My Computer.

Then open search or find files from the start menu.

type the items from the following list in the search for files files and folders named box one at a time and search your system for them, deleting any that are found. You can delete them right from the search window by highlighting and pressing delete on your keyboard.

1059609355.exe
-1439546010.exe
-1624699784.exe
1822900638.exe
1db5f417.exe
-2083902967.exe
-396436812.exe
53371a48.exe
68df4bf7.exe
736adfc5.exe
7d07e4c4.exe
87de6b33.exe
afb790b7.exe
b9357815.exe
bdcli026.exe
db34223f.exe
db6f8695.exe
hxdef026.exe
hxdef026.ini
readmecz.txt
readmeen.txt

After that rescan your system using one or more of the above posted online scanners.
0
 
jatcanCommented:
If you are running Windows XP or Windows ME(I suspect XP) you must turn off system restore or the virii will keep replacing itself with new copies everytime yu delete something, it does this at boot, so please turn off system restore in safe mode, end any suspicious running processes, THEN and only THEN use an online scanner...

After you reboot a few times and you are sure that the trojan is gone; then turn system restore back on, or leave it off, as you like.

Cheers,

Jatcan
0
 
Paul SCommented:
first of all try this tool:
http://www.mwti.net/antivirus/free_utilities.asp

if it fails then i am pretty sure the problem is that this virus uses special NTFS permissions. All of the new viruses/spywares are using these NTFS permissions.

here is a page on my website about a similar virus. the instructions may work for this virus:
http://www.paulscomputerservice.net/index.php?body=spyware/backdoorAgentBA.php

Basically you need to boot to safe mode (push F8 during boot up process to get to safe mode) then locate the file "c:\WINDOWS\blubbgger.sys" make sure you enable viewing of all files and extentions and view protected operating system files.. then find the file in explorer right click goto properties, then select security, make sure everyone has full control. then hit apply. if eveyone isn't on the list add it. then try deleteing the file. if you can't find the file in explorer then open up notepad and select file>open,set view to all files then use the open window as if it were explorer and follow the previous instructions. do this too all files that you think are lrelated to this virus. normally there in only 1 with special ntfs permissions.
0
 
moduloCommented:
PAQed with no points refunded (of 150)

modulo
Community Support Moderator
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 3
  • 2
  • 2
  • +4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now