Solved External hard drive corrupted suddenly, other signs of virus/malware

[mtrenal]

Hello, and thank you very much for running this forum.

I had a 500 GB external hardrive which one day worked and the next day was corrupted. I had used it for about three years, so I wasn't particularly worried for my computer as I had heard that sometimes hardrives can just stop working after long-term continuous use. Then I noticed in Task Manager two particular processes that I had never really seen before, but of course they have seemingly legitimate names "System Idle Proccess" which uses a lot of CPU and "System" which uses a lot of memory. I also have had a couple BSOD crashes when using programs that had never given me any crashes, let alone BSODs before. I am fairly worried for my computer and I am hoping that if it is seriously infected then it can be cleaned.

I completed the 8 steps and have my logs attatched. Thank you very much for your assistance!

Malware bytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4399

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

8/6/2010 1:52:07 PM
mbam-log-2010-08-06 (13-52-07).txt

Scan type: Quick scan
Objects scanned: 149714
Time elapsed: 8 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mywebsearch email plugin (Adware.MyWebSearch) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

the other logs needed to be attached

The GMER log was too big for the forum, so I split it up into two logs... hopefully thats not too bad of a sign...

 

[crunchie]

Hi and welcome to TechSpot .

Did you Take no Action as MBA_M's log shows, or did you remove the entries found? If you ignored, then you need to re-run MBA_M and rremove them.

==

Please download ComboFix by sUBs from HERE or HERE

• You must download it to and run it from your Desktop
• Physically disconnect from the internet.
• Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
• Double click combofix.exe & follow the prompts.
• When finished, it will produce a log. Please save that log to post in your next reply.
• Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

 

[mtrenal]

Thank you for responding so quickly!
No, I removed everything that it came up with. I'm not sure why it said I took no action. Anyway, I ran combofix have the log attached (it was about 2000 characters above the limit)

 

[crunchie]

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

c:\windows\system32\drivers\atapi.sys

 

[mtrenal]

apparently its a legit file. I used Jotti's and everything gave me a "Found Nothing".

 

[crunchie]

No worries. Combofix was flagging it.

How is the pc at the moment?

 

[mtrenal]

The PC is running fine as far as I can tell. I just tried running some games that previously had given me the aforementioned computer crashes/blue screens, and they run now, which is good, but very slowly.

EDIT: As I said before, I don't know if these processes are supposed to be running or not, but under the SYSTEM username in Task Manager, "System" and "System Idle Process" are both still running and both using a lot of resources (System consistantly is using about 102,000 K of memory and System Idle Process is using less CPU than before, about 10-20%)

 

[crunchie]

When you are doing nothing on the PC, the system idle should be up around the 98-99%.

Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on the Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

• Spyware, Adware, Dialers, and other potentially dangerous programs
  [*] Archives
  [*] Mail databases

6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[mtrenal]

I have tried to install the latest Java update on my computer twice so that Kaspersky could run, but both times I got blue screens and system reboots during the installation process. I have also noticed a couple differences in my processes list that I was looking at while Java was installing. I've got a bunch of the "svchost.exe" and both "iexplore.exe" and "explorer.exe".
What should I do about the Kaspersky scanner/java update?

 

[crunchie]

You will always have multiple svchost processes running ( I have 13 as I write).

Try an ESET scan instead.

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

• You will need to use Internet Explorer to complete this scan.
• You will need to temporarily Disable your current Anti-virus program.
• Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
• When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

 

[mtrenal]

Sorry my reply has taken so long, the scan itself took about an hour. I have attached the results of the scan.

 

[crunchie]

Looks clean .

How many iexplorer.exe's are running and do you have it open at the time?

 

[mtrenal]

Thanks!

There's only one iexplore.exe running
edit: and one running

 

[crunchie]

So how does it seem now? Any other problems with it?

 

[mtrenal]

Not that I notice. I thought that the Java blue screens were a little weird, but other than that everything seems good.

 

[crunchie]

Just give it a little time and let me know if anything changes .

 

[mtrenal]

Will do, thank you for the help

 

[crunchie]

No worries .

Let's get rid of Combofix now that we are finished with it.

• Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
  
  ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.
  
  
• 

 

[mtrenal]

This isn't really a big deal but it seems that somewhere in this process one of the programs used has deleted whatever files autorun disk drives, because when I inserted disks to test out the machine, I had to manually start them up.

 

[crunchie]

Combofix has done that.
Download this reg file from kellyskorner and run it.

http://www.kellys-korner-xp.com/regs_edits/enableautorun.reg

Should get you going again.

 

[mtrenal]

Thanks.

As soon as I ran the uninstall, which didnt appear to work because combofix is still on my desktop, all of a sudden I'm being spammed with malware detected messages from my AV... they're all PUAs, so I just quarantined all of them.

 

[crunchie]

PUA =?

Download random's system information tool (RSIT) by random/random from >>here<< and save it to your desktop.

• Double click on RSIT.exe to launch program.
• Click Continue at the disclaimer screen.
• Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
• Once it has finished, two logs will open: log.txt<-- this will be maximized and info.txt<-- this will be minimized.

==

How long have you had Combofix on the pc?

 

[mtrenal]

PUA = potentially unwanted applications, or at least thats just what my AV called them.

RSIT seems to stall at "Running HijackThis"... how long does that portion of the program generally take? I figured that installing HijackThis would perhaps expediate the process but no luck. I'm just not sure if every time I load RSIT it stalls there or if that step is supposed to take a very long time and its actually running.

Edit: And ComboFix has only been on the PC since you asked me to install it. I believe I have had it on the PC one other time, a few years ago, when I used this site to help me with a virus, but I could be wrong as all the other tools used now are completely different. I remember having to do almost everything in SafeMode.

 

[mtrenal]

Whoops, I spoke a slight bit too soon. My AV was blocking the program for awhile. Here are the logs.

EDIT:
Also, I've been experiencing some issues with running programs, specifically games. 3 out of the 4 I have tried have blue screened and restarted the machine consistantly. The blue screen flashes are too quick for me to get a STOP error number, so I don't really know what to do. I also dont know why two have not worked and then one has worked. As soon as the actual game itself starts (past the autorun screen/desktop loading screen), I crash.

EDIT2:

Okay I've fixed all those issues. They were not related to virus/malware infection at all. Thank you so much for helping me with cleaning though!!! It is so incredibly greatly appreciated.
The only thing that is still being a little odd is ComboFix still being on my desktop... I know its a very powerful tool and shouldn't be used unless directed, so I definitely wont be using it, but it is a little odd that it seems to not uninstall.

 

[crunchie]

The PUA's will be the tools we have been using .

Can you get a couple of files checked. I don't think they exist, but need to check.

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\drivers\aowuznns.sys
C:\WINDOWS\system32\drivers\a2m8f7q0.sys

===========

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.