Page 1 of 2
Showing posts 1 to 20 of 24.

Excessive hard drive activity, gmer disables computer at /cdfs.

  1. #1
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63

    Excessive hard drive activity, gmer disables computer at /cdfs.

    I play poker online and am always concerned with the security of my system.
    I have excessive hard drive activity when there should be none.
    My Webroot Spysweeper autostart was changed, not my doing.
    My IE on loading locks up with a RunOnce loop. Redirects to go.microsoft.com/...
    I now use Netscape 7 (less Swiss-cheese-like).
    I first tried using Rogue Remover; the scan takes only 2 seconds to complete, literally.
    Not satisfied, I moved to GMER. It began scanning fine, then at /cdfs my computer would shut off, the LCD light still on (Toshiba laptop). No buttons would change the state. I had to unplug it and remove the battery.
    I then moved to RKU 3.+; it would not load. I used "net stop gmer" at the command prompt; message: service gmer not found, for net stop help...
    Then I tried your program AVZ; I bought the book, though I am not a programmer.
    AVZGuard would not load, error [c00000061]; attempted to load AVZPM, which would not load either. It did quarantine 2 files (before reading your forum help). The zip files are from after reading your site for help.
    Attachments

  2. #2
    Senior Member
    Registered: 26.12.2006
    Location: Vladivostok
    Posts: 23,298
    Reputation weight: 1578
    As far as I can see, there is nothing suspicious in your logfiles.

    To get rid of GMER's driver, execute the following script in AVZ:
    Code:
    begin
      // Delete the 'gmer' service entry (the driver that "net stop gmer" could not find)
      BC_DeleteSvc('gmer');
      // Delete the driver file itself
      BC_DeleteFile('C:\Windows\system32\DRIVERS\gmer.sys');
      // Hand both deletions to AVZ's boot cleaner so they are carried out during the reboot
      BC_Activate;
      RebootWindows(true);
    end.
    I am not young enough to know everything...

  3. #3
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63
    1. AVZGuard would not load, AVZ Guard error: [c0000061]; what is causing this?
    2. It did quarantine 2 files (before reading your forum help); they were 5%.
    3. My Webroot Spysweeper autostart was changed, not my doing.
    It would not autostart when it previously had. Then after AVZ found 2 files and quarantined them I rebooted, and the Webroot autostart was back. The files were called newshortcut_5(....................random numbers.........................).xxx and
    newshortcut_21(same as former).xxx. They were in windows/system32.
    They were only given a 5% probability of being a problem, something to do with PE.
    4. Is there anything in the HijackThis log that needs cleaning?
    5. I did possibly have an autocomplete trojan (not verified by anyone) in association with IE. That is one of the reasons why I switched to Netscape 7.
    I would lose the ability to type in the Google box. I had to open new tabs to type.
    After disabling autocomplete it would come on by itself. When it did work, I would be taken to results that were not what I was looking for.
    6. If I had this trojan, can it also infect the HPA, which is 10 GB on my computer? Is it associated with any rootkits?

  4. #4
    Junior Member
    Registered: 06.09.2006
    Posts: 5,658
    Reputation weight: 1838
    1. AVZGuard would not load, AVZ Guard error: [c0000061]; what is causing this?
    Not enough rights on Vista, I suppose.

    2. It did quarantine 2 files (before reading your forum help); they were 5%.
    3. My Webroot Spysweeper autostart was changed, not my doing.
    It would not autostart when it previously had. Then after AVZ found 2 files and quarantined them I rebooted, and the Webroot autostart was back. The files were called newshortcut_5(....................random numbers.........................).xxx and
    newshortcut_21(same as former).xxx. They were in windows/system32.
    They were only given a 5% probability of being a problem, something to do with PE.
    Probably a PE file with a non-standard extension that still allows it to be launched?

    Please boot in Safe Mode, run AVZ, go to Service - Services and Drivers Manager. Define filter All - All, save the log and attach it to your next message.
    Nick Golovko
    NCFU lecturer, information security specialist
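
The reply above suspects a PE image hiding behind a non-standard extension. The following is an added example, not code from this thread, from AVZ or from Webroot, that performs the check a scanner does: it reads the MZ/PE header chain of a file regardless of its extension and reports every executable image whose name does not announce it. The sample files, including the `.xxx` name patterned on the ones in the post, are constructed inside the script; `scan_directory` applies the same check to a real folder such as C:\Windows\System32.

```python
import os
import struct

# Machine and subsystem values from the PE/COFF specification (partial list).
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native (driver)", 2: "Windows GUI", 3: "Windows console"}
# Extensions Windows normally runs or loads as PE images.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}


def sniff_pe(data):
    """Return a dict describing the image if `data` starts with a valid
    MZ/PE header chain, else None. Only the header is read, never executed."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 'PE\0\0' signature (4 bytes) followed by the 20-byte COFF header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsect, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = subsystem = None
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    if opt_size >= 70 and opt_off + 70 <= len(data):
        magic = struct.unpack_from("<H", data, opt_off)[0]
        subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsect,
        "pe32plus": magic == 0x20B,
        "is_dll": bool(chars & 0x2000),       # IMAGE_FILE_DLL
        "is_driver": subsystem == 1,          # IMAGE_SUBSYSTEM_NATIVE
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def check_files(entries):
    """entries: iterable of (name, bytes). Returns (name, info) for every PE
    image whose extension does not announce it."""
    findings = []
    for name, data in entries:
        info = sniff_pe(data)
        if info and os.path.splitext(name)[1].lower() not in PE_EXTENSIONS:
            findings.append((name, info))
    return findings


def scan_directory(path):
    """Read the first 4 KiB of each file under `path` and apply check_files."""
    def entries():
        for root, _dirs, files in os.walk(path):
            for f in files:
                full = os.path.join(root, f)
                try:
                    with open(full, "rb") as fh:
                        yield full, fh.read(4096)
                except OSError:
                    continue
    return check_files(entries())


def build_sample_pe(machine=0x14C, subsystem=2, chars=0x0102):
    """Constructed minimal PE header (not a runnable program) so the check
    can be demonstrated offline. Real scans read files from disk."""
    e_lfanew = 0x80
    hdr = bytearray(b"MZ")
    hdr += b"\x00" * (0x3C - len(hdr))
    hdr += struct.pack("<I", e_lfanew)            # e_lfanew at offset 0x3C
    hdr += b"\x00" * (e_lfanew - len(hdr))
    hdr += b"PE\x00\x00"
    hdr += struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(hdr + opt)


# Constructed sample set: a PE hiding behind '.xxx', a plain text file,
# and a properly named driver image.
SAMPLE_FILES = [
    ("newshortcut_5(1234567890).xxx", build_sample_pe()),
    ("notes.txt", b"just text, no MZ header here"),
    ("okdriver.sys", build_sample_pe(subsystem=1)),
]

if __name__ == "__main__":
    for name, info in check_files(SAMPLE_FILES):
        print(f"{name}: PE image with extension mismatch -> {info}")
```

Only the first 4 KiB of each file are read, which keeps a System32 sweep cheap; an image whose optional header lies beyond that still gets reported, because the MZ and PE signatures come first and the subsystem simply shows as unknown. A hit is not a verdict on its own: a PE with an odd extension can also be an installer's renamed temporary file, so the follow-up is to check who wrote it and whether anything references it from the Run keys or a service.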

  5. #5
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63

    The file you requested and questions.

    It doesn't look as if there is anything serious, just buggy Vista and software incompatibilities. OK, that makes me feel better.

    Can any of the R1 and R0 entries be fixed from the HJT scan? I had a RunOnce address in IE that did not run once.
    Or, how do I fix the RunOnce problem that locks the tab on go.microsoft.com?

    I ran an AVZ scan while in safe mode and saved a log file. If you would like to see it, let me know. It contained a different AVZ error code.

    How do I correct the security vulnerabilities in the AVZ report?

    Here is the file you requested. Uh oh, it saved the file as .htm. It's a little choppy; I copied and pasted the .htm.
    Attachments

  6. #6
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63
    P.S. Do you want a copy of the quarantined files?

  7. #7
    Junior Member
    Registered: 06.09.2006
    Posts: 5,658
    Reputation weight: 1838
    Please ZIP the HTM file and attach it. It is not very intelligible as TXT.

    As soon as I make sure that everything is OK about services and drivers, I will review your HJT log and give some additional recommendations.
    Nick Golovko
    NCFU lecturer, information security specialist

  8. #8
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63

    The .zip per your request.

    Here included, the AVZ_services.zip.
    Attachments

  9. #9
    Junior Member
    Registered: 06.09.2006
    Posts: 5,658
    Reputation weight: 1838
    I see only running services and drivers, though I asked you to set filter "All" - "All". Looks like you've set "All" - "Active". Are you sure that the filter was right?
    Image: 20.PNG (12.1 KB)
    Nick Golovko
    NCFU lecturer, information security specialist

  10. #10
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63

    The all all.

    Sorry about that. I had some eggnog with rum (151) that night. I was C.W.I. Computing While Intoxicated. Tis the season.

    S Rozhdestvom!
    Images
    Attachments
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    -Albert Einstein

  11. #11
    Junior Member
    Registered: 06.09.2006
    Posts: 5,658
    Reputation weight: 1838
    I've reviewed both AVZ and HJT logfiles. There is nothing suspicious that I can see.
    Nick Golovko
    NCFU lecturer, information security specialist

  12. #12
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63
    Maybe, if I give you the symptoms as they occurred, with the choices I made, this may help to discover the culprit of the issue.

    This current installation of windows:
    Webroot Spysweeper is my only security scanner. I have it configured to a high level: heuristics, rootkits, extended analysing, password-protected files.

    How long should the scan take? 40 minutes to 1 1/2 hours approximately, yes.

    I became concerned when the scan took only 11 minutes at these high level settings.
    Because of my previous experience with malicious trojan infections, (i.e. smitfraud, zlob, memsweep2, 0), I suspected a rootkit or trojan subverting Spysweeper.

    Because vista is new to me, I read how to go about managing for a similar problem on the new platform. The advice was a malware scan, a virus scan and a Rogue Remover scan.
    The malware scan took less time than previously, 10 minutes. The virus scan, I had difficulty attempting to scan. Panda active scan does not work on Netscape.
    I moved right to Rogue Remover. With my previous experience listed above, RR usually took 10-15 minutes to complete. This time it took 2 seconds flat.

    That equals 2 security programs that take less time to complete than they should.

    I develop a RunOnce loop in IE that wasn't there when I installed the OS.

    I use Autoruns but it doesn't show anything dangerous.

    I begin having extra hdd activity with no downloads, all autoupdates turned off.

    I try old hats, Gmer. It crashes my computer and the only way to recover is to remove the battery. 3 security programs down, 2 possibly returning false results and one not being allowed to operate.

    I try RKU; it won't load, probably because of the GMER driver. I try the net stop command and it doesn't work. (Thanks to Bratez for the script for killing the driver.)

    I remember old Oleg. I liked its thinking and methods. Let's try this new 4.29 version.
    Scan with all files, set high, extended analysis. Program returns errors on checking for rootkits.

    Now I have lost most of my internet bandwidth. My downloads were at 400kb. Now they are at 30kb.

    I have installed my Kaspersky Anti-virus 7.0 tonight. My computer is having tremendous trouble running it. I previously had no problems with KAV on this computer last incarnation. I implemented a rootkit scan after updating, with all settings at the default install level. Time to complete the scan, which is not a full scan, said 3 days. After an entire movie, V for Vendetta, it still was not finished. I stopped it.

    When I look at the sum of these together I feel a threat infiltration. Though I can't locate it, it isn't for lack of trying. Every rootkit scan has been beyond my grasp.

    Now, Doctor, what do you think the problem is?

    I am at a loss to understand what is occurring to my computer.
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    -Albert Einstein

  13. #13
    Junior Member
    Registered: 06.09.2006
    Posts: 5,658
    Reputation weight: 1838
    Rootkit Unhooker is a very clever tool and it is hard to disable it. It uses several methods that do not allow its execution to be interrupted or prevented. At the same time I don't know whether it supports Vista. Maybe not.

    Vista implements various mechanisms that are designed to increase system security. As a result many programs experience problems on Vista. And, of course, the performance of scanners on Vista and on XP cannot be compared.

    As for hard drive activity:
    try File Monitor by Mark Russinovich. Run it when you see the HDD activity and watch what's going on: what files are opened and by whom. It may help you.

    As for network bandwidth:
    is there any network activity when you do not use Internet? No data should be transmitted if no application uses the network. Does the slowdown depend on KAV?

    As for rootkit scan:
    it is a rather deep scan and it involves some heavy technologies such as the heuristic analyser. That is why 3 hours are never enough if you run a deep scan on a machine with lots of data. Try to unload all applications from the system tray, turn off the network connection and start a My Computer scan. Leave the computer working for a whole night; it should be enough for it. Do not believe it if it says that some days are required to complete scanning. Also you may pause scanning, hibernate your machine and continue scanning when you can.
    Nick Golovko
    NCFU lecturer, information security specialist
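
On the network question in the reply above, an added example that is not from this thread, from File Monitor, AVZ or KAV, and that turns the advice into a repeatable check: it parses the table printed by `netstat -ano` on Windows, lists every TCP session to a peer outside the LAN together with the PID that owns the socket, and lists the ports open to the network. The sample netstat output, its peer addresses (RFC 5737 documentation ranges) and its PIDs are constructed; on a Windows machine the script runs the real command instead.

```python
import ipaddress
import platform
import subprocess
from collections import defaultdict

# Address ranges a home machine talks to without leaving the LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# TCP states in which a peer is (or is about to be) talked to.
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT", "CLOSE_WAIT"}


def is_local(host):
    """True for wildcard, loopback, link-local and RFC 1918 / ULA addresses."""
    if host in ("*", "0.0.0.0", "::", ""):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False   # a name rather than an address: report it as remote
    return any(ip in net for net in LOCAL_NETS)


def split_endpoint(token):
    """'192.168.1.5:1047' -> ('192.168.1.5', '1047'); '[::1]:135' -> ('::1', '135')."""
    host, _, port = token.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Parse the table printed by Windows 'netstat -ano' into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":
            proto, local, remote, pid = parts
            state = ""
        else:
            continue                      # headers, blank lines, anything else
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state, "pid": int(pid)})
    return rows


def outbound_by_pid(rows):
    """Sessions with a non-local peer, grouped by the PID that owns the socket.
    On a machine that is supposedly idle, every entry here needs a process
    name (tasklist /fi "PID eq <n>") and a reason."""
    out = defaultdict(list)
    for r in rows:
        if r["proto"] == "TCP" and r["state"] in ACTIVE_STATES and not is_local(r["rhost"]):
            out[r["pid"]].append(f'{r["rhost"]}:{r["rport"]} {r["state"]}')
    return dict(out)


def listeners(rows):
    """TCP LISTENING ports and bound UDP ports reachable from the network,
    i.e. bound to a wildcard or LAN address rather than loopback."""
    result = []
    for r in rows:
        on_loopback = r["lhost"] in ("127.0.0.1", "::1")
        if (r["state"] == "LISTENING" or r["proto"] == "UDP") and not on_loopback:
            result.append((r["proto"], r["lport"], r["pid"]))
    return result


# Constructed sample in 'netstat -ano' layout; peers are documentation
# addresses and the PIDs are made up.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1532
  TCP    192.168.1.5:1047       203.0.113.7:80         ESTABLISHED     2248
  TCP    192.168.1.5:1052       198.51.100.9:6667      SYN_SENT        3120
  TCP    192.168.1.5:1053       198.51.100.9:6667      SYN_SENT        3120
  TCP    [::1]:1034             [::1]:1035             ESTABLISHED     1532
  UDP    0.0.0.0:500            *:*                                    1208
  UDP    127.0.0.1:1900         *:*                                    1400
"""


def snapshot():
    """Live 'netstat -ano' on Windows, the constructed sample elsewhere."""
    if platform.system() == "Windows":
        return subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    return SAMPLE


if __name__ == "__main__":
    rows = parse_netstat(snapshot())
    for pid, peers in sorted(outbound_by_pid(rows).items()):
        print(f"PID {pid}: {', '.join(peers)}")
    for proto, port, pid in listeners(rows):
        print(f"{proto} port {port} open to the network, PID {pid}")
```

Run it while nothing is supposed to be using the network, then look up each reported PID with `tasklist /fi "PID eq <n>"`. The script says nothing about traffic volume; for that, compare the adapter counters from `netstat -e` before and after an idle period. `is_local` spells out its ranges instead of relying on a library's notion of a "global" address, so the documentation addresses in the sample are reported as remote, exactly as a real peer would be.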

  14. #14
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63
    File Monitor by Mark Russinovich, I will try this.

    As for network bandwidth:
    I found a program called Bitmeter, Is this what you mean for monitoring bandwidth?

    Does the slowdown depend on KAV?
    Apparently yes. I installed two games and KAV. The one game was fine playing before KAV. After the KAV install, the whole computer became sluggish. It took 2 minutes to open the Windows start menu. Using System Restore, I rolled back to a date before the games and KAV install. The computer seems to act fine, things popping open after activating with clicks or buttons. I then installed KAV. The computer became sluggish, taking copious amounts of time to open anything. 1 1/2 minutes for Netscape to open.

    I have used KAV on this computer before without any problems. I wiped the HDD and reinstalled Vista since, this being the current incarnation (not XP). I wanted to get rid of the HPA on this laptop but that is proving a little difficult.

    As far as the scans go, I only have 20 gigs of data on this comp, and none of it is important must-save stuff.

    I tried using the disk virtualization Returnil, but after a week or so it crashed my computer. That was why I wiped and reinstalled. A similar thing occurred on a friend's computer with Vista. I had to reload their computer. I prefer virtualization to any virus scanners or such, especially for just putzing around the internet.

    So, the rootkit scan in KAV takes as long as or longer than a typical virus scan?
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    -Albert Einstein

  15. #15
    Junior Member
    Registered: 06.09.2006
    Posts: 5,658
    Reputation weight: 1838
    It does.

    I actually meant the network slowdown when I asked about Kaspersky. You said:

    My downloads were at 400kb. Now they are at 30kb
    Kaspersky may cause that, so I asked whether this network slowdown depends on presence of KAV.
    Nick Golovko
    NCFU lecturer, information security specialist

  16. #16
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63
    My downloads were at 400kb. Now they are at 30kb:
    Post #12 is a timeline as well as I could remember, so the bandwidth narrowing was before the KAV install.

    Also, I have 18 addresses hooked by: unknown module filename, according to RKU 3.7, pre KAV. Is this normal for Vista or abnormal?
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    -Albert Einstein

  17. #17
    Junior Member
    Registered: 06.09.2006
    Posts: 5,658
    Reputation weight: 1838
    I can't say for sure because AVZ Driver does not load; correspondingly I do not see hooks in its logs and cannot define whether RkU is right or wrong. Have you tried to run AVZ with administrator privileges, by the way?
    Nick Golovko
    NCFU lecturer, information security specialist

  18. #18
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63
    Here is the AVZ log from admin user. I had previously scanned with AVZ in limited user with admin rights. Are you saying that the scan may not be as thorough within limited user regardless of rights?

    The settings I used are as follows:
    Search Range:
    C:
    Check running processes: yes
    Heuristic system check: yes
    Searching for vulnerabilities: yes

    File Types:
    All files: yes
    Check ntfs stream: yes
    Check archives: yes

    Search Parameters:
    Heuristic analysis: maximum heuristic analysis: Extended analysis: yes
    Anti-Rootkits:
    Detect API hooks and rootkits: yes
    block user mode: no
    block kernel mode: no
    Winsock service provider:
    Check SPI/LSP settings: yes
    Check for keyloggers: yes
    Check for TCP/UDP ports used by trojan horses

    Healing Method:
    Perform healing: yes
    Heuristic file deletion: yes
    Copy deleted files to infected: no
    Copy suspicious files to Quarantine: yes

    Also, I can copy and paste in Quick Message but not in Post Message.
    Attachments
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    -Albert Einstein

  19. #19
    Junior Member
    Registered: 06.09.2006
    Posts: 5,658
    Reputation weight: 1838
    Oops.. no, the driver still does not load. That's strange.

    What does Rootkit Unhooker say? Please post a screenshot or a text report.
    Nick Golovko
    NCFU lecturer, information security specialist

  20. #20
    Junior Member
    Registered: 19.12.2007
    Location: New Jersey, USA
    Posts: 83
    Reputation weight: 63

    RKU logs

    I used mwav as an on-demand scanner. It showed a Zlob trojan infection.
    These are the SSDTs from RKU.
    Attachments
    Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
    -Albert Einstein
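
Post #16 reports 18 SSDT addresses hooked by "unknown module filename", post #17 explains that AVZ cannot confirm or refute this because its driver does not load, and post #20 attaches the RKU SSDT listing. What that verdict actually means, as an added example with constructed addresses and module names (not the RKU logs attached here, and not RKU's or AVZ's own code): each SSDT slot is resolved against the list of loaded kernel modules; a pointer inside the kernel image is clean, a pointer inside another driver is a hook attributed to that driver, and a pointer inside no enumerated module at all is "unknown". `avfilter.sys` and `hidden.sys` are hypothetical names, and every address is made up.

```python
# Constructed data, not taken from the RKU logs attached to this thread.
# Kernel modules as a scanner enumerates them: (base address, size, file name).
MODULES = [
    (0x82000000, 0x00400000, "ntoskrnl.exe"),
    (0x8A600000, 0x0004F000, "avfilter.sys"),   # hypothetical AV filter driver
    (0x8AC00000, 0x00010000, "gmer.sys"),
]

# SSDT snapshot: (service index, function name, pointer currently in the table).
SSDT = [
    (0x25, "NtCreateFile", 0x820A1B3C),
    (0x3C, "NtCreateProcessEx", 0x8A612F10),
    (0xE2, "NtQueryDirectoryFile", 0x8AC03210),
    (0x10, "NtOpenProcess", 0x8F1234A0),        # inside no listed module
    (0xBE, "NtTerminateProcess", 0x8A61A000),
]


def owner_of(addr, modules):
    """Name of the enumerated module whose image range contains addr, or None."""
    for base, size, name in modules:
        if base <= addr < base + size:
            return name
    return None


def triage_ssdt(ssdt, modules, kernel="ntoskrnl.exe"):
    """Classify every SSDT slot.
    clean           -> pointer is inside the kernel image (no hook)
    hooked:<module> -> pointer is inside another enumerated driver
    hooked:unknown  -> pointer is inside no enumerated module at all; this is
                       the case a scanner prints as 'unknown module filename'."""
    result = []
    for idx, name, addr in ssdt:
        owner = owner_of(addr, modules)
        if owner == kernel:
            verdict = "clean"
        elif owner:
            verdict = f"hooked:{owner}"
        else:
            verdict = "hooked:unknown"
        result.append((idx, name, addr, verdict))
    return result


def summarize(triaged):
    """Count verdicts, the way a scanner's summary line reports 'N hooks'."""
    counts = {}
    for _idx, _name, _addr, verdict in triaged:
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


def compare_tools(a, b):
    """Service indices on which two independent scans disagree. Each argument
    is a triage_ssdt() result; agreement on every slot is the only answer
    that can be called clean."""
    va = {idx: v for idx, _n, _a, v in a}
    vb = {idx: v for idx, _n, _a, v in b}
    return sorted(idx for idx in va.keys() | vb.keys() if va.get(idx) != vb.get(idx))


if __name__ == "__main__":
    triaged = triage_ssdt(SSDT, MODULES)
    for idx, name, addr, verdict in triaged:
        print(f"[{idx:#04x}] {name:<24} {addr:#010x} {verdict}")
    print(summarize(triaged))
    # A second scan whose module list also contains a driver the first one
    # missed turns 'unknown' into an attributed hook on slot 0x10.
    fuller = MODULES + [(0x8F120000, 0x00008000, "hidden.sys")]
    print("disagreements:", compare_tools(triaged, triage_ssdt(SSDT, fuller)))
```

"Unknown" therefore means one of two things: the scanner's module list is incomplete (a module it could not enumerate, or a hook into memory backed by no image), or a driver is hiding itself. The only way to tell them apart is a second tool with its own enumeration, which is what `compare_tools` models and what AVZ could not supply here because its driver never loaded. Hooks attributed to a named AV driver are expected once a product such as KAV is installed; unattributed ones are the ones to chase.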

