Replicating "virus"?

November 24, 2011 at 06:52:57
Specs: Windows XP Professional, Intel Pentium4 CPU 2.80GHz 2.79GHz, 1.00GB of RAM
I have...something on all computers. It seems to make a copy of HDD(hidden) and then scan and copy and download to the hidden part it has created. This is a Registry Key from one of the files that I run, but am really not running.... C:\DOCUME~1\STAN1~1.DBS\LOCALS~1\Temp\6711125\4749144.exe
This seems to have the ability to copy and run any type of detection tool itself....thereby making it completely undetectable.
I really had suspicions affirmed when I ran Kaspersky Rescue Disk...it showed my drives as...
sda, sda1, sdb, sdb1, sdc, sdc1.....I only have three drives on machine...lol.
One thing that seems to make it "reveal" itself is when I wipe free space on drive...it creates a folder like this.... 3590F75ABA9E485486C100C1A9D4FF06ZZZ..Z.....ZZZZZ, and that folder contains many, many folders with some sort of Z label, like this.. ZZ..Z...Z...Z..Z.
If I try and delete these (even with Unlocker) it will, but more just pop right back up! It also will "zip" itself after the actual wiping has started...before this it is not "zipped".
So, long story short...I can't detect it, I can't remove it, I can't do anything about it...and it's freakin' annoying!
Also, I have done "outside" scans and used other CDs to boot from (Hiren's Boot CD as example) and it seems to read those and one of two things happen...it controls if I can run a program or not...or it stops the CD in the boot process.
One thing I have tried...to no avail....is to run the wipe, have the folders present...then immediately shut down. I then insert something like my Ubuntu Live CD and access my drives. I then find those folders present. I then delete them...if I really am.
Oh, one more thing...when using Hiren's, I will protect drives from autorun virus (one of the programs). Before I do this though..on B: (which I am assuming is my RAM) there is a file... something like ~DF0005.tmp or something like that. When I use the "protect drive from autorun virus" program...it will disappear.
I am not sure if anyone has seen this, knows what to do...but I have to try something. The "thing" doesn't stop me from using computer...but I use programs such as Skype and on the internet I have PayPal and all. My thought is my computer is my computer not someone else's..if ya get my drift.
Oh, and one last thing...I'm just remembering all this stuff (kinda flustered, sorry).. I have absolutely no control over RPC (remote procedure call). Seems to be being run by NTAuthority (whoever that is) them and LocalAuthority seem to be running the show. RPC has also made EVERYTHING on this computer dependent on it...not sure if this is odd, but it is what mine is saying.
Sorry for all the rambling and I greatly appreciate any actual suggestions or advice!



#1
November 24, 2011 at 09:51:58
That virus must be giving you hell. lmao but if you can delete/remove this virus then you are going to have to format your drives and install your OS again .. (Note: remove your internet access)


#2
November 24, 2011 at 19:01:54
Thanks for responding..and yes it's a pain in the @##! lmao
I have tried to remove it, but it controls everything...even with internet disconnected..and I want to flash BIOS(I know it's risky, but I think it's called for) but it won't let me...I need to do all prep on outside machine I think.


#3
December 10, 2011 at 00:33:01
3590F75ABA9E485486C100C1A9D4FF06ZZZ..Z.....ZZZZZ

I have the complete same problem on my computer and I haven't found a solution yet.
I wonder why this is the only post I found so far describing the problem.
I think I will remove the hard disk and install a new OS on a new one.

citizen-x@online.de



#4
December 13, 2011 at 19:10:03
citizen-x,

There is no need to remove the hard disk.

Those files are removed with specialized tools.

Please start your own post in the Security and Virus forum (this forum), and label it ZZZZ files attn: aaflac44

Will be glad to assist you with their removal.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#5
December 15, 2011 at 14:09:58
Sorry for the delay in response...have been out of town.
Are you saying that I should repost this with a different header, and then I can get help to fix, aaflac44?


#6
December 15, 2011 at 16:47:13
"Are you saying that I should repost this with a different header"

citizen-x, what he is saying, is you start a brand new post, which will be for you.

Click on the Orange button below this post > Start a discussion.

Label it > ZZZZ files attn: aaflac44



#7
December 15, 2011 at 17:36:26
@wjj8,

You started this topic on 24 November, and do not need to start a new topic. However, you need to update what is happening with your computer.

Instructions follow...

@citizen-x,

Johnw is giving you the right instructions on what to do, since this is not your topic.

Working with two cases in one topic creates mass confusion in my old brain. ;-)

Thanks for your cooperation.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#8
December 15, 2011 at 17:51:52
@wjj8,

In order to help identify the malware issue with your system, please do the following:

Download DDS from one of these locations:
http://download.bleepingcomputer.co...

http://download.bleepingcomputer.co...

Save it to your Desktop

Make sure you temporarily disable your AntiVirus, Firewall, and any other AntiSpyware applications. They may interfere with the programs we are about to run.

If you wish to look at information on how to disable these programs, please refer to the information available through this link:
http://www.bleepingcomputer.com/for...

XP: Double-click the DDS file to run the program
Vista/Windows Seven: Right-click DDS and select: Run as Administrator

When done, DDS opens two logs:
-DDS.txt (Opens on the Desktop)
-Attach.txt (Is minimized - will show on the TaskBar)

Save both reports to your Desktop, and post both of them in your reply.
If the forum does not allow you to do so, post back stating so, and we'll do something else.

~~~~
Also download aswMBR:
http://public.avast.com/~gmerek/asw...

Save it to the Desktop.

XP: Double-click the file to run the program
Vista/Windows Seven: Right-click the file and select: Run as Administrator

Click Scan

Upon completion of the scan, click ‘Save log’ and save it to the Desktop.
Note - Please do NOT attempt to fix anything!!

Also post the aswMBR report in your reply.

You will notice that another file is created on the Desktop.
It is named MBR.dat

Please keep the file on the Desktop, however, do submit 'MBR.dat' for analysis to VirusTotal:
http://www.virustotal.com/

Use the 'Browse' button to navigate to the location of the file.

Click on the file

Then, click the 'Open' button.
The file is now displayed in the 'Submit' Box.

Scroll down and click 'Send File', and wait for the results
If you get a message saying: 'File has already been analyzed', click 'Reanalyze file now'
Once scanned, please provide the link to the results page in your reply.


Thanks.

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals
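
As an added example (not part of the post above and not aswMBR's own code), this Python script inspects a saved `MBR.dat` locally, alongside the VirusTotal submission: it checks the boot signature, lists the partition entries, flags structural anomalies, and hashes the boot code for comparison with a known-clean dump. It assumes `MBR.dat` is a raw 512-byte copy of the disk's first sector; the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440       # executable boot code; disk signature follows it
PART_TABLE_OFFSET = 446   # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, sector count
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32",
              0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux"}

def parse_mbr(sector: bytes) -> dict:
    """Parse a raw MBR sector; return partitions, boot-code hash and anomalies."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    anomalies, partitions = [], []
    if sector[510:512] != BOOT_SIGNATURE:
        anomalies.append("missing 0x55AA boot signature")
    for i in range(4):
        status, ptype, start, count = ENTRY.unpack_from(sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            anomalies.append(f"entry {i}: invalid status byte 0x{status:02x}")
        partitions.append({"index": i, "active": status == 0x80,
                           "type": PART_TYPES.get(ptype, f"0x{ptype:02x}"),
                           "lba_start": start, "sectors": count})
    if sum(p["active"] for p in partitions) > 1:
        anomalies.append("more than one active partition")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                   for p in partitions)
    for (_, end_a, a), (start_b, _, b) in zip(spans, spans[1:]):
        if start_b < end_a:
            anomalies.append(f"entries {a} and {b} overlap")
    # Hash of the boot code alone, for comparison with a known-clean dump
    # of the same Windows version (partition table and disk ID excluded).
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"partitions": partitions, "anomalies": anomalies, "boot_code_sha256": digest}

def build_sample_mbr(entries=((0x80, 0x07, 63, 156280257),)) -> bytes:
    """Constructed sample sector (not a real dump): empty boot code plus entries."""
    sector = bytearray(SECTOR_SIZE)
    for i, fields in enumerate(entries):
        ENTRY.pack_into(sector, PART_TABLE_OFFSET + 16 * i, *fields)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    # For a real dump: parse_mbr(open("MBR.dat", "rb").read())
    print(parse_mbr(build_sample_mbr()))
```

An empty anomaly list only means the sector is structurally sound; whether the boot code itself has been replaced is what the hash comparison and the VirusTotal result address.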



#9
December 15, 2011 at 18:03:35
Oops aaflac44, I edited my post to the right name, thanks.


#10
December 15, 2011 at 20:35:26
See that, guys!!

Neither Johnw nor I can work with two posters in the same topic!!

ROFL!!

~~~~
Retired - Doin' Dis, Dat, and slapping malware.
Malware Eliminator/Member of UNITE and the
Alliance of Security Analysis Professionals



#11
December 16, 2011 at 03:48:42
"Neither Johnw nor I can work with two posters in the same topic!!"

And I had the easy part.



#12
December 22, 2011 at 07:50:51
If you are using CCleaner, they might not be a virus.
Those files may be temporary files to fill up the MFT free space.
Don't touch them.
After MFT cleanup, they'll be automatically deleted by CCleaner.


#13
December 24, 2011 at 12:13:42
To aaflac44,

I downloaded the above program, shut down anti-virus and firewall, and ran program.
Unfortunately, the program got about 2/3rds of the way with the progress bar and then hung there, and locked up computer (i.e. keyboard, hotkeys, basically nothing worked), so had to reboot. I tried in every mode of Windows. I even left it up and alone for about 2hrs+, and came back to computer and still hadn't done a thing. Thanks for trying though.

