1st February 2008, 10:07 AM
Newcomer | Join Date: Feb 2008, 10 posts. | [SOLVED] Something or someone is eating my hard drive!
I am in need of some serious help with my laptop computer, as I use it for school... University of Phoenix (IT/Networking), and cannot afford much downtime. To describe my dilemma: something or someone is burning up my hard drive... it is a 125gig drive, and is in critical shape with less than 8 gigs left; and that is gradually being drained. I should have more than 30 gigs of free space, but something is overriding that. I believe this is the work of a hacker because I have a user file that has been created (I didn't create this) with a .000 extension (filename: Administrator.000), which I cannot gain access to delete even after changing ownership. Also, there are some suspicious files that are extremely large that I cannot access. I believe these may be part of the problem, as the files add up to over 17 gigabytes!!! They are found in a folder that was hidden, named: System Volume Information (located in my local C: drive). Whatever is taking my hard drive is causing my computer to respond very slowly... which makes it near impossible to complete my schoolwork assignments. Any help on this crisis would be greatly appreciated!
I could not get AVG spyware to run on my computer so I do not have a log file from that. I do have the results from deckards system scanner and hijack this. I am using Trend Micro Internet Security, which apparently was not able to stop this intrusion. After following the 15 steps and running all the scans, my computer is still in critical shape. Please help!
Last edited by Howard; 12th February 2008 at 05:55 PM.
1st February 2008, 10:45 AM
TST Oracle | Join Date: Dec 2007, 8,001 posts. Location: Market Haemorrhoids, Middle England
Hi
I have had a look at the logs and cannot see anything sufficiently nasty to have caused this. Perhaps Howard can have a shufti when next on line?
Can you boot the machine into safe mode, log in as Administrator, and access the folder?
Can you tell us a bit more about the large suspicious files?
cheers
__________________ Confuse and Prosper.
1st February 2008, 11:06 AM
Community Moderator | Join Date: Nov 2007, 238 posts. Location: Yuma, AZ USA
I am not sure that you can consider system restore information as suspicious.
1st February 2008, 11:07 AM
TST Oracle | Join Date: Dec 2007, 8,001 posts. Location: Market Haemorrhoids, Middle England
I did wonder about that - but these files seem to be too big?
The test would be to turn it off as this would then clear these files, wouldn't it?
__________________ Confuse and Prosper.
1st February 2008, 11:13 AM
Community Moderator | Join Date: Nov 2007, 238 posts. Location: Yuma, AZ USA
On XP you can define up to 12% of your drive for system restore. On a 125GB drive that would be around 15GB. I have been plugging away on my old P4 for 6 or 7 years and recently recovered half my drive using Crap Cleaner.
1st February 2008, 11:55 AM
TST Oracle | Join Date: Dec 2007, 8,001 posts. Location: Market Haemorrhoids, Middle England
Interesting what this started off: I have 3 drives on my XP SP2 system as follows:
C:\ is WD 36 Gb 10000 rpm
D:\ is WD 2 x 160 Gb as RAID0
G:\ is WD 500 Gb in a NAS caddy.
System restore is on for all drives but I cannot see a single system file anywhere. So I am going to run a backup and then turn it off to see what happens.
__________________ Confuse and Prosper.
1st February 2008, 03:30 PM
Community Moderator | Join Date: Dec 2007, 4,345 posts. Location: Oxford, UK
The system restore files are kept in the hidden "System Volume Information" folder so this is nothing to worry about. They will also have seemingly random file names.
Try running CCleaner to clear out your temporary files and see how your drive is after that. If you want to get rid of all your restore points, then turn system restore off then on again, but I wouldn't recommend this yet if it is possible that you have a malware problem. I don't think that you do by the sound of it but I haven't looked at your logs yet.
Edit: I can't see anything nasty in your HJT log but it would be best for Howard or Evilfantasy to have a look when they come back.
__________________
Numberwang!
A little air on the earth.
Last edited by Daveskater; 1st February 2008 at 03:34 PM.
1st February 2008, 04:23 PM
Security Team | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK
Please see Official TST Malware forum helpers list
If and when malware has been ruled out then we will suggest that the OP make a new thread in the appropriate forum describing the problem. Please respect the rules Jason, Howard and I have agreed upon. Thanks.
----------
A few questions.
It looks like you have been fixing items in Hijackthis (HJT) on your own?
Why is Vundofix running as a Service?
Could you not run combofix?
1st February 2008, 05:00 PM
TST Oracle | Join Date: Dec 2007, 8,001 posts. Location: Market Haemorrhoids, Middle England
I really hope you are not suggesting that input from anyone outside the 'helpers list' is unwanted, because if you are you are going against the whole concept of the general forum.
__________________ Confuse and Prosper.
1st February 2008, 05:05 PM
Security Team | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK
My point is that without ruling out malware any suggested repairs are useless. Everything will still be infected and therefore add to the problem.
This is not the general forum; it is the security forum.
1st February 2008, 11:46 PM
Newcomer | Join Date: Feb 2008, 10 posts.
I did fix a few items in HJT that I knew I was looking to get rid of.
I do not know why Vundofix is running as a Service... I just installed this and ran it as instructed.
And no, I could not get combofix to run... it was giving an error stating not enough memory to run, and an access violation at address 770A258F (even after running as administrator option)... the complete message shown:
The system cannot find message text for message number 0x8 in the message file for System.
Please wait.
ComboFix is preparing to run.
Access Denied. Administrator permissions are needed to use the selected options. Use an administrator command prompt to complete these tasks.
Access violation at address 770A258F. Read of address 006D006C.
swreg.cfexe - Application Error (message):
The instruction at 0x00403cba referenced memory at 0x00f0c4b8. The memory could not be read.
After running again in safe mode: combofix attempted to fix itself. Several of the options are Access Denied. Administrator permissions are needed...
Here are the results after automatic fix (see attachment):
I booted in safe mode, logged in as Administrator, but still am not able to access the suspicious user folder. Is there a program or application that can allow me to gain control of my computer again?
1st February 2008, 11:48 PM
Security Team | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK
Please post a fresh Hijackthis log.
Also post an uninstall list for me. Create An Uninstall List
1. Start HijackThis
2. Click on the Open the Misc Tools section
3. Click on the Open Uninstall Manager button.
4. Click on the Save list button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file.
5. Save it to your desktop
6. Add the uninstall_list.txt as an attachment in the next post. Next post please add New HJT log
2nd February 2008, 12:33 AM
Newcomer | Join Date: Feb 2008, 10 posts.
Here are the log files you requested:
I have booted in safe mode, logged in as administrator, but am still unable to access the user file.
The only thing I know about the large suspicious files is that they were all modified on or after 1/29/08, and I have no access to them whatsoever. The names of the files are:
(These are all System Files)
{379a4a41-d080-11dc-89f8-001636b2c77c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Size: 2,560,000KB
{379a4a2d-d080-11dc-89f8-001636b2c77c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Size: 1,914,240KB
{379a4a27-d080-11dc-89f8-001636b2c77c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Size: 27,008KB
{379a4a15-d080-11dc-89f8-001636b2c77c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Size: 282,096KB
{2dca6c8c-cf6d-11dc-9888-001636b2c77c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Size: 1,367,472KB
{79a7b524-cdf8-11dc-ad3c-001636b2c77c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Size: 3,527,984KB
{1228172f-cd2a-11dc-8bc8-001636b2c77c}{3808876b-c176-4e48-b7ae-04046e6cc752}
Size: 4,510,752KB
other questionable files in this folder:
MountPointManagerRemoteDatabase (System File)
desktop.ini (Config Setting... this is a hidden file with different date modifications that is appearing everywhere such as on desktop, in User folder, Start Menu, Favorites and History, etc... )
tracking.log (Text Document... inaccessible!)
SPP (empty file folder???)
Last edited by Howard; 12th February 2008 at 05:55 PM.
2nd February 2008, 01:26 AM
Security Team | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK
First, there is actually too much protection on the computer. Let's do some cleaning up and trim things down to a normal level.
You are using two antivirus programs, which is never advised. It can cause system instability, conflicts and crashes.
Pick one. Either AVG or Trend Micro and uninstall the other.
Ad-Aware 2007 << Keep
a-squared Free 3.1 << Your choice although I can suggest something better
a-squared HiJackFree 3.0 << Your choice although I can suggest something better
CA Yahoo! Anti-Spy (remove only) << Undecided
Privacy Guardian 3.2 << Outdated & Suggested to uninstall
Spybot - Search & Destroy << Keep
Spyware Doctor 3.1 << Outdated & Suggested to uninstall
Windows Defender << Keep
Yahoo! Anti-Spy << Undecided
----------
Open Hijackthis and select Do a system scan only.
Place a check mark next to the following entries:
O2 - BHO: AskBar BHO - {5A074B21-F830-49de-A31B-5BB9D7F6B407} - (no file)
Important: Close all windows except for Hijackthis and then click Fix checked.
Exit Hijackthis.
----------
Click Start > Run and type in: services.msc
Click OK
In the Services window find: VundoFix Service
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK
Now, go to Start > Run, and copy/paste the following into the Open box:
Quote:
sc delete VundoFix Service
Click: OK
Download FileASSASSIN and save to your desktop (this tool is compatible with Win 2000/NT/XP/Vista only).
- Double click fa-setup and let it install to the default location.
- Open the folder and double-click on FileASSASSIN.exe.
- Copy and then paste the below file path into FileAssassin's window.
- C:\Windows\SYSTEM32\VundoFixSVC.exe
- Select a removal method. Start with the default "Attempt FileASSASSIN's method of file removal"
- Click delete and the removal process will begin.
- If that did not work, start the program again, select the file(s) the same way as before and this time check "Use delete on reboot function from windows."
----------
Stop Ad-Aware running as a Service.
- Go Start > Run. type in:
- Find the Ad-Aware 2007 Service and set it to Manual
- Go to Start > Run type in:
- Notepad.exe and press Enter
- Copy and paste the below quoted text into Notepad:
Quote:
@ECHO OFF
Ad-Aware2007.exe
sc stop aawservice
@echo Done
- In Notepad go to File > Save As...
- Name it start_adaware.bat <<Be sure it is saved as a Text file
- Choose the save location as
- C:\Program Files\Lavasoft\Ad-Aware 2007
- Double click the start_adaware.bat file to run it.
- It should look like this
 - Ad-Aware will open, close it.
- Ad-Aware will no longer run as a Service.
----------
Go to www.java.com
Click Free Java Download to get the new version of Java.
Go to add/remove programs and Uninstall all older versions of Java.
Old versions are exploitable by malware.
- J2SE Runtime Environment 5.0 Update 11
- Java(TM) 6 Update 2
- Java(TM) SE Runtime Environment 6 Update 1
Also uninstall iWin Games (remove only) << This is Spyware
----------
For the suspicious files that you cannot access, see this Symantec article regarding these large temporary files: http://seer.entsupport.symantec.com/docs/269989.htm
----------
If you need help with any of the suggestions please just ask.
Also please let me know how everything is once everything is done.
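The service removal described in the post above (stop, disable, `sc delete`, then remove the binary), as an added PowerShell example that is not from the thread or from any of the tools named in it. It assumes an elevated prompt; the service name and the `VundoFixSVC.exe` path are the ones given in the post, and it accepts either the display name shown in services.msc or the internal service name.

```powershell
# Added example (not from the thread): remove a leftover third-party service such
# as the "VundoFix Service" above, with the safety checks the GUI steps leave out.
# Run from an elevated PowerShell prompt. Names/paths are the thread's; $Name may
# be either the display name shown in services.msc or the internal service name.
param(
    [string]$Name        = 'VundoFix Service',
    [string]$ExpectedExe = 'C:\Windows\SYSTEM32\VundoFixSVC.exe'
)

# services.msc shows display names, but sc.exe and the registry use the internal
# service name, so resolve whichever form we were given.
$svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
if (-not $svc) { $svc = Get-Service -DisplayName $Name -ErrorAction SilentlyContinue }
if (-not $svc) { Write-Host "No service named '$Name' is registered; nothing to do."; return }

# Refuse to act unless the binary the Service Control Manager would launch is the
# one we expect; a typo here must not delete some other program's executable.
$wmi     = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
$binPath = $wmi.PathName -replace '^"([^"]+)".*$', '$1'     # strip quotes and arguments
if ($binPath -ne $ExpectedExe) {
    Write-Warning "Service '$($svc.Name)' runs '$binPath', not '$ExpectedExe'; aborting."
    return
}

if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
Set-Service -Name $svc.Name -StartupType Disabled        # stays down even if deletion fails
& sc.exe delete "$($svc.Name)"                           # quoted: the name may contain spaces

# The binary is only locked while the service runs; once stopped it can be removed
# with the normal tools rather than a forced-deletion utility.
Remove-Item -LiteralPath $ExpectedExe -Force -ErrorAction SilentlyContinue
if (Test-Path -LiteralPath $ExpectedExe) { Write-Warning "$ExpectedExe still present; reboot and rerun." }
else { Write-Host "Removed service '$($svc.Name)' and $ExpectedExe." }
```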
2nd February 2008, 09:59 AM
Newcomer | Join Date: Feb 2008, 10 posts. | reply to evilfantasy
I have done everything as instructed... still no luck in gaining access or deletion of files, even with FileASSASSIN. Also the last instruction where you had me follow the link didn't help. I followed the directions (stopped the Volume Shadow Copy service), tried deleting... nothing. I even tried to unlock/delete with FileASSASSIN.
One other note: The user folder I have been having trouble with is not seen by FileASSASSIN either. I cannot gain permission to do anything with this folder.
2nd February 2008, 04:31 PM
Security Team | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK
What are the full file paths?
2nd February 2008, 08:26 PM
Newcomer | Join Date: Feb 2008, 10 posts.
The file paths for these files are:
C:\Users\Administrator.000
C:\System Volume Information\...
(the system files shown earlier are all in this folder)
2nd February 2008, 08:31 PM
Security Team | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK
Quote:
C:\System Volume Information\.. <<-- System restore points
- Go to Start > All Programs > Accessories > System Tools > System Restore
- Select Create a restore point, and click Next.
- Next, go to Start > Run and type in cleanmgr
- Select the More options tab
- Next to System Restore click Clean up...
This will remove all restore points except the new one you just created.
Quote:
C:\Users\Administrator.000
That's the whole file path?
2nd February 2008, 09:11 PM
Security Team | Join Date: Dec 2007, 2,555 posts. Location: Tulsa, OK
Delete the desktop.ini files. These files save your view settings etc. Once you delete them, when you next set your settings, they should come back as hidden files and won't show.
These files will show up in any folder which you (or the system defaults) change view settings for. If you have Explorer set to show all files then you will see them.
Quote:
tracking.log - MountPointManagerRemoteDatabase - SPP
These are all related somehow. I am not totally clear on them but they also have to do with the System Volume Information.
I don't know your level of computing skills and I am not here to preach. BUT. You are trying to alter/delete Protected System Files. I don't know why windows stores some of the information it does but unless they are causing errors or system instability it is best to leave them alone. These files/folders should not be manually altered.
A possible solution: From the Desktop right click My Computer > Properties > System Restore tab. Adjust the slide bar to whatever you are comfortable with.
Note: The System Volume Information holds more then just System Restore Points. If the method of taking ownership that I posted earlier still doesn't work then Windows is protecting itself from being damaged. BUT. They should NOT be manually altered anyway.
Last edited by evilfantasy; 2nd February 2008 at 09:13 PM.
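The thread's actual question is where the space went, and the replies above attribute it to System Volume Information (restore points) that Windows protects from the user. The following is an added PowerShell example, not from the thread, that tallies the hidden system-owned consumers of a volume so the gap between "expected free" and "actual free" can be explained before anything is deleted. It assumes an elevated prompt, drive C:, and the Win32_ShadowStorage WMI class (Vista and later); on XP that class is absent and the script falls back to pointing at the System Restore slider.

```powershell
# Added example (not from the thread): tally the hidden, system-owned consumers of
# space on a volume so "missing" gigabytes can be attributed before anyone blames
# an intruder. Run elevated. System Volume Information itself is readable only by
# SYSTEM, so restore-point usage is taken from the VSS provider (Vista and later)
# rather than by walking the folder.
param([string]$Drive = 'C:')    # assumed default; the thread's affected drive is C:

$disk   = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$Drive'"
$usedGB = ($disk.Size - $disk.FreeSpace) / 1GB
$known  = @()

# Restore points / shadow copies (the {GUID}{GUID} files listed in the thread).
try {
    foreach ($ss in @(Get-WmiObject Win32_ShadowStorage -ErrorAction Stop)) {
        $known += New-Object PSObject -Property @{
            Item = 'Shadow storage (restore points)'
            GB   = [math]::Round($ss.UsedSpace / 1GB, 2)
        }
    }
} catch {
    Write-Warning 'Win32_ShadowStorage not available (XP, or VSS disabled); on XP the cap is the System Restore slider, 12% by default.'
}

# Paging and hibernation files: hidden system files at the volume root.
foreach ($f in 'pagefile.sys', 'hiberfil.sys') {
    $p = Get-Item -Force -LiteralPath "$Drive\$f" -ErrorAction SilentlyContinue
    if ($p) { $known += New-Object PSObject -Property @{ Item = $f; GB = [math]::Round($p.Length / 1GB, 2) } }
}

$known | Format-Table Item, GB -AutoSize
$accounted = 0
foreach ($k in $known) { $accounted += $k.GB }
'{0:N1} GB in use on {1}; {2:N1} GB of it is restore points, paging and hibernation.' -f $usedGB, $Drive, $accounted
```

Whatever remains after these figures is what still needs explaining; the restore-point share itself is reduced through the System Restore slider or the cleanmgr steps given above, not by deleting files inside the folder.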
3rd February 2008, 03:04 AM
Newcomer | Join Date: Feb 2008, 10 posts.
C:\Users\Administrator.000 is the full file path.
Is there a way to change the security settings for this file using or creating a MMC snap-in?
Last edited by Howard; 3rd February 2008 at 03:21 AM.