View full version : Excessive hard drive activity, gmer disables computer at /cdfs.

19.12.2007, 04:05
I play poker online and am always concerned with security of my system.
I have excessive hard drive activity when there should be none.
My webroot spysweeper autostart was changed, not my doing.
My IE on loading locks up with a runonce loop. Redirects to go.microsoft.com/...
I now use Netscape 7 (less Swiss-cheese-like).
I first tried using Rogue Remover; the scan takes only 2 seconds to complete, literally.
Not satisfied, I moved to Gmer. It began scanning fine, then at /cdfs my computer would shut off, the LCD light still on (Toshiba laptop). No buttons would change the state. Had to unplug and remove the battery.
I moved then to RKU 3.+; it would not load. I used "net stop gmer" at the command prompt, message = service gmer not found for net stop help...
Then I tried your program AVZ; I bought the book though I am not a programmer.
AVZGuard would not load, error [c00000061]; attempted to load AVZPM; would not load. It did quarantine 2 files (before reading your forum help). The zip files are from after reading your site for help.

19.12.2007, 07:03
As far as I can see, there is nothing suspicious in your logfiles.

To get rid of Gmer's driver, execute the following script in AVZ:

BC_DeleteFile('C:\Windows\system32\DRIVERS\gmer.sys');

19.12.2007, 11:20
1. AVZGuard would not load, AVZ Guard error: [c0000061]; What is causing this?
2. It did quarantine 2 files (before reading your forum help); they were 5%.
3. My Webroot Spysweeper autostart was changed, not my doing.
Would not autostart when it previously had. Then after AVZ found 2 files and quarantined them I rebooted, and Webroot autostart was back. The files were called newshortcut_5(....................random numbers.........................).xxx and
newshortcut_21(same as former).xxx. They were in windows/system32.
They were only given a 5% probability of being a problem, something to do with PE.
4. Is there anything in the HijackThis log that needs cleaning?
5. I did possibly have an autocomplete trojan (not verified by anyone) in association with IE. That is one of the reasons why I switched to Netscape 7.
I would lose the ability to type in the Google box. Had to open new tabs to type.
After disabling autocomplete it would come on by itself. When it did work, I would be taken to results that were not what I was looking for.
6. If I had this trojan, can it also infect the HPA, which is 10 GB on my computer? Is it associated with any rootkits?

19.12.2007, 11:54
1. AVZGuard would not load, AVZ Guard error: [c0000061]; What is causing this?

Not enough rights on Vista, I suppose.

2. It did quarantine 2 files (before reading your forum help); they were 5%.
3. My Webroot Spysweeper autostart was changed, not my doing.
Would not autostart when it previously had. Then after AVZ found 2 files and quarantined them I rebooted, and Webroot autostart was back. The files were called newshortcut_5(....................random numbers.........................).xxx and
newshortcut_21(same as former).xxx. They were in windows/system32.
They were only given a 5% probability of being a problem, something to do with PE.

Probably a PE file with a non-standard extension that still allows it to launch?

Please boot in Safe Mode, run AVZ, go to Service - Services and Drivers Manager. Define filter All - All, save the log and attach it to your next message.

19.12.2007, 23:18
It doesn't look as if there is anything serious, just buggy Vista and software incompatibilities. OK, that makes me feel better.

Can any of the R1 and R0 be fixed from the HJT scan? I had a runonce addy, in IE, that did not run once.
Or, How do I fix the run once problem that locks the tab on go.microsoft.com?

I ran an AVZ scan while in safe mode and saved a log file. If you would like to see it let me know. It contained a different AVZ error code.

How do I correct the security vulnerabilities of the AVZ report?

Here is the file you requested; uh oh, it saved the file as .htm. It's a little choppy, I copied and pasted the .htm.

19.12.2007, 23:21
P.S. Do you want a copy of the quarantined files?

20.12.2007, 10:11
Please ZIP the HTM file and attach it. It is not very intelligible as TXT.

As soon as I make sure that everything is OK about services and drivers, I will review your HJT log and give some additional recommendations.

20.12.2007, 22:03
Here included, the AVZ_services.zip.

21.12.2007, 09:32
I see only running services and drivers, though I asked you to set filter "All" - "All". Looks like you've set "All" - "Active". Are you sure that the filter was right?

21.12.2007, 10:42
Sorry about that. I had some eggnog with rum (151) that night. I was C.W.I., Computing While Intoxicated. 'Tis the season.

S Rozhdestvom!

22.12.2007, 10:50
I've reviewed both AVZ and HJT logfiles. There is nothing suspicious that I can see.

23.12.2007, 08:00
Maybe, If I give you the symptoms as they occurred with the choices I made this may help to discover the culprit of the issue.

This current installation of windows:
Webroot Spysweeper is my only security scanner. I have it configured to a high level: heuristics, rootkits, extended analysis, password-protected files.

How long should the scan take? 40 minutes to 1 1/2 hours approximately, yes.

I became concerned when the scan took only 11 minutes at these high level settings.
Because of my previous experience with malicious trojan infections, (i.e. smitfraud, zlob, memsweep2, 0), I suspected a rootkit or trojan subverting Spysweeper.

Because Vista is new to me, I read how to go about managing a similar problem on the new platform. The advice was a malware scan, a virus scan and a Rogue Remover scan.
The malware scan took less time than previously, 10 minutes. The virus scan I had difficulty attempting to run; Panda ActiveScan does not work on Netscape.
I moved right to Rogue Remover. In my previous experience listed above, RR usually took 10-15 minutes to complete. This time it took 2 seconds flat.

That equals 2 security programs that take less time to complete than they should.

I develop a runonce loop in IE that wasn't there when I installed the OS.

I use Autoruns but it doesn't show anything dangerous.

I begin having extra HDD activity with no downloads, all autoupdates turned off.

I try an old hat, Gmer. It crashes my computer and the only way to recover is to remove the battery. 3 security programs down: 2 possibly returning false results and one not being allowed to operate.

I try RKU; it won't load. Probably because of the Gmer driver. I try the net stop command and it doesn't work. (Thanks to Bratez for the script for killing the driver.)

I remember old Oleg. I liked its thinking and methods. Let's try this new 4.29 version.
Scan with all files, set high, extended analysis. Program returns errors on checking for rootkits.

Now I have lost most of my internet bandwidth. My downloads were at 400kb. Now they are at 30kb.

I have installed my Kaspersky Anti-virus 7.0 tonight. My computer is having tremendous trouble running it. I previously had no problems with KAV on this computer last incarnation. I implemented a rootkit scan after updating, with all settings at the default install level. Time to complete the scan, which is not a full scan, said 3 days. After an entire movie, V for Vendetta, it still was not finished. I stopped it.

When I look at the sum of these together I feel a threat infiltration. Though I can't locate it, it isn't for lack of trying. Every rootkit scan has been beyond my grasp.

Now, Dr., what do you think the problem is?

I am at a loss to understand what is occurring on my computer.

23.12.2007, 14:54
Rootkit Unhooker is a very clever tool and it is hard to disable it. It uses several methods that do not allow its execution to be interrupted or prevented. At the same time I don't know whether it supports Vista. Maybe not.

Vista implements various mechanisms that are designed to increase system security. As a result many programs experience problems on Vista. And, of course, the performance of scanners on Vista and on XP cannot be compared.

As for hard drive activity:
try File Monitor by Mark Russinovich. Run it when you see the HDD activity and watch what's going on: what files are opened and by whom. It may help you.

As for network bandwidth:
is there any network activity when you do not use Internet? No data should be transmitted if no application uses the network. Does the slowdown depend on KAV?

As for rootkit scan:
it is a rather deep scan and it involves some heavy technologies such as the heuristic analyser. That is why 3 hours are never enough if you run a deep scan on a machine with lots of data. Try to unload all applications from the system tray, turn off the network connection and start a My Computer scan. Leave the computer working for a whole night; it should be enough for it. Do not believe it if it says that some days are required to complete scanning. :) Also you may pause scanning, hibernate your machine and continue scanning when you can.

24.12.2007, 05:30
File Monitor by Mark Russinovich, I will try this.

As for network bandwidth:
I found a program called BitMeter. Is this what you mean for monitoring bandwidth?

Does the slowdown depend on KAV?
Apparently yes. I installed two games and KAV. The one game was fine playing before KAV. After the KAV install, the whole computer became sluggish. It took 2 minutes to open the Windows Start menu. Using System Restore, I rolled back to a date before the games and KAV install. The computer seems to act fine, things popping open after activating with clicks or buttons. I then installed KAV. The computer became sluggish, taking copious amounts of time to open anything. 1 1/2 minutes for Netscape to open.

I have used KAV on this computer before without any problems. I wiped the HDD and reinstalled Vista since, this being the current incarnation (not XP). I wanted to get rid of the HPA on this laptop but that is proving a little difficult.

As far as the scans go, I only have 20 GB of data on this computer, and none of it is important must-save stuff.

I tried using the disk virtualization tool Returnil, but after a week or so it crashed my computer. That was why I wiped and reinstalled. A similar thing occurred on a friend's computer with Vista. I had to reload their computer. I prefer virtualization to any virus scanners or such, especially for just putzing around the internet.

So, the Rootkit Scan in KAV takes as long or longer than a typical virus scan?

24.12.2007, 07:08
It does.

I actually meant the network slowdown when I asked about Kaspersky. You said:

My downloads were at 400kb. Now they are at 30kb

Kaspersky may cause that, so I asked whether this network slowdown depends on presence of KAV.

24.12.2007, 07:23
My downloads were at 400kb. Now they are at 30kb:
Post #12 is a timeline as well as I could remember, so the bandwidth narrowing was before the KAV install.

Also, I have 18 addresses hooked by "unknown module filename", according to RKU 3.7, pre-KAV. Is this normal for Vista or abnormal?

24.12.2007, 10:56
I can't say for sure because AVZ Driver does not load; correspondingly I do not see hooks in its logs and cannot define whether RkU is right or wrong. Have you tried to run AVZ with administrator privileges, by the way?

25.12.2007, 23:32
Here is the AVZ log from the admin user. I had previously scanned with AVZ as a limited user with admin rights. Are you saying that the scan may not be as thorough within a limited user account regardless of rights?

The settings I used are as follows:
Search Range:
Check running processes: yes
Heuristic system check: yes
Searching for vulnerabilities: yes

File Types:
All files: yes
Check ntfs stream: yes
Check archives: yes

Search Parameters:
Heuristic analysis: maximum heuristic analysis: Extended analysis: yes
Detect API hooks and rootkits: yes
Block user mode: no
Block kernel mode: no
Winsock service provider:
Check SPI/LSP settings: yes
Check for keyloggers: yes
Check for TCP/UDP ports used by trojan horses

Healing Method:
Perform healing: yes
Heuristic file deletion: yes
Copy deleted files to Infected: no
Copy suspicious files to Quarantine: yes

Also, I can copy and paste in Quick Message but not in Post Message.

26.12.2007, 11:35
Oops... no, the driver still does not load. That's strange.

What does Rootkit Unhooker say? Please post a screenshot or a text report.

26.12.2007, 23:27
I used mwav as an on-demand scanner. It showed a Zlob trojan infection.
These are the SSDTs from RKU.

27.12.2007, 00:24
I was having trouble trying to create the report. Services.exe was trying to install a random file name. When I allow it, RKU does not display scan results and hangs there. When I denied the change, it made the report.

This is what you need.

27.12.2007, 11:08
Right, services.exe was supposed to create a random-named service belonging to RkU. It is strange that it hangs.

30.12.2007, 00:39
I am sorry to inform you doctor that the patient has passed.
Not to worry, he will be born again.
Thank you for your time. I appreciate the effort you have given thus far.
Maybe the information I already provided will help you in tweaking your software.
I could not continue; other computers were being infected.
My ISP accounts were possibly compromised. I have reset their passwords.
To ensure no further problems I will upgrade the firmware on my router in the event that it was compromised by an N.P.D.E. (null pointer dereferencing error) attack or other subversion. Better safe than sorry.

30.12.2007, 13:11
I am now up and running. I would like to add that a particular file was present in my troubles: pinfect.zip. I didn't bother saving anything, too afraid of cross-contamination.
Also, Verizon in conjunction with Yahoo seems to be having a lot of problems right now with email and account features and updates. Not sure if it is related to my problem or not.
Also on my computer before I wiped, Matewatch-trace and the IM worm Sahadan (don't remember the spelling) were found by A2.
I have also added another layer of protection, router the 2nd.