| Thread ID: 66015 | 2006-02-08 02:19:00 | Something is reading and writing on my hard drive | Ian the Man (9772) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 428252 | 2006-02-08 02:19:00 | Hi, this is my first post on this forum but I need help badly. About a week ago I noticed that even while I was not using my PC, I could hear the HDD writing to the disk, and this confused me. So, I assumed it was spyware/malware. I ran Spybot S&D, and I was clean. I ran AVG anti-virus and it detected nothing. So then I determined that it was not a minor threat, so I ran a rootkit revealer, and found 4, though 3 were not 'rootkits' in the bad-security sense. The fourth, however, seemed to be embedded in a Firefox profile, so I logged into safe mode and uninstalled Firefox, and then reinstalled it later. Without accessing the internet, however, I still heard the HDD. So then I downloaded a disk monitor, and I was right: something was reading my HDD every few seconds, and then writing to it. So here's my problem: I don't know what this is, but my hunch is that I have a rootkit installed. Can anyone suggest a program that seeks out and destroys them, or maybe even a program that can tell me the specific program writing to my HDD (my monitor doesn't)? P.S. It isn't the Sony rootkit, I can be sure of that. I am worried that I have been compromised, so any help would be great. EDIT: a suggestion of "Format NOW" is completely fine with me, I would just like to avoid it. |
Ian the Man (9772) | ||
| 428253 | 2006-02-08 02:23:00 | Get HijackThis (www.merijn.org) from here (www.spywareinfo.com). Unzip this file, then run it, then click on Scan & Save the log. Copy and paste the log here. |
Speedy Gonzales (78) | ||
| 428254 | 2006-02-08 02:29:00 | Logfile of HijackThis v1.99.1
Scan saved at 9:34:33 PM, on 2/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Gaim\gaim.exe
D:\startuplist\StartupList.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\Malware Sweeper\MalSwep.exe /STARTUP
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136934211359
O17 - HKLM\System\CCS\Services\Tcpip\..\{BE72306C-6C8B-4D16-BBCB-2EA65FB8C305}: NameServer = 24.95.80.41,24.95.80.47
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: DXYUKF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ian\LOCALS~1\Temp\DXYUKF.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RMDRV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ian\LOCALS~1\Temp\RMDRV.exe
BTW, just realized I put this in the wrong forum, my bad. |
Ian the Man (9772) | ||
| 428255 | 2006-02-08 02:31:00 | Filemon (www.sysinternals.com) is one tool, assuming it just isn't ye old spyware (run HijackThis as Speedy Gonzales suggests). Heh, at the moment MS Antispyware is having a merry old time reading/writing to my drive. |
gibler (49) | ||
| 428256 | 2006-02-08 02:32:00 | How much RAM does the machine have? Maybe it's just using the page file. |
ninja (1671) | ||
| 428257 | 2006-02-08 02:36:00 | Has 1 GB RAM, soooooooooooooo... what do I do after I have scanned with HijackThis? I already posted my log, don't know what to do now though. |
Ian the Man (9772) | ||
| 428258 | 2006-02-08 03:21:00 | The log looks fine to me. Run HijackThis again, tick these, and tick Fix checked. These don't have to run on bootup:
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
I think this belongs to the WMF vulnerability (the patch)?
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
If you haven't installed the MS patch for it yet, go to Windows Update. |
Speedy Gonzales (78) | ||
| 428259 | 2006-02-08 03:27:00 | It could theoretically be the disk defragmenter starting up whilst idle. It can be disabled through the TweakUI utility from Microsoft's website. Somewhere on the TweakUI interface is an option "optimise the hard disk when idle"; this should be unticked, and the computer should be restarted. It should not happen again. |
bob_doe_nz (92) | ||
| 428260 | 2006-02-08 03:39:00 | O23 - Service: DXYUKF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ian\LOCALS~1\Temp\DXYUKF.exe
What's this? A service should not be running from a temp location. Also, what size swap file do you have? What's it set to? |
tweak'e (69) | ||
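The two things the replies above single out in the log, a service whose binary lives under a Temp directory and an AppInit_DLLs entry, are easy to pull out mechanically. The Python below is an added example, not code from this thread or from HijackThis; it triages lines in HijackThis's O4/O20/O23 format, using constructed sample lines modelled on the posted log. The 8.3 short-name table, the "first drive-letter path on the line is the loaded binary" rule, and the Program Files/Windows allow-list are assumptions of the example.

```python
import re
from typing import NamedTuple

# Constructed sample lines in HijackThis format, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: C:\WINDOWS\system32\wmfhotfix.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DXYUKF - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Ian\LOCALS~1\Temp\DXYUKF.exe
"""

# Windows 8.3 short names that appear in the log (assumed expansions, for readable output).
SHORT_NAMES = {"PROGRA~1": "Program Files", "DOCUME~1": "Documents and Settings", "LOCALS~1": "Local Settings"}
# First drive-letter path ending in .exe/.dll on the line (assumption: that is the loaded binary).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll)", re.IGNORECASE)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
SYSTEM_RE = re.compile(r"^[A-Za-z]:\\(?:Program Files|WINDOWS)\\", re.IGNORECASE)

class Finding(NamedTuple):
    section: str
    path: str
    reason: str

def expand_short_names(path: str) -> str:
    """Expand the 8.3 components listed in SHORT_NAMES; other components pass through."""
    return "\\".join(SHORT_NAMES.get(part.upper(), part) for part in path.split("\\"))

def find_suspicious(log_text: str) -> list:
    """Flag O4/O20/O23 entries whose binary sits in a Temp directory or outside
    Program Files/Windows, and every AppInit_DLLs entry (loaded into each user32 process)."""
    findings = []
    for line in log_text.splitlines():
        head = re.match(r"(O\d+) - ", line)
        if not head or head.group(1) not in ("O4", "O20", "O23"):
            continue
        match = PATH_RE.search(line)
        if not match:
            continue
        section, path = head.group(1), expand_short_names(match.group(0))
        if section == "O20":
            findings.append(Finding(section, path, "AppInit_DLLs entry: verify the DLL"))
        if TEMP_RE.search(path):
            findings.append(Finding(section, path, "runs from a temporary directory"))
        elif not SYSTEM_RE.match(path):
            findings.append(Finding(section, path, "runs outside Program Files / Windows"))
    return findings
```

A hit is a prompt to verify the file (publisher, signature, when it appeared), not a verdict: RootkitRevealer, which the poster says he ran, installs itself as a randomly named service copied to Temp, so the two Sysinternals entries in the log are consistent with that tool and still worth confirming.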
| 428261 | 2006-02-08 03:39:00 | Got OSA.exe running, Findfast/Fastfind or any such hog hungry indexers. Run a health check on the drive(s) in question using the disk manufacturer's drive utility. Edit: I see you do have OSA (MS Office startup, etc). Kill the farker dead. |
Murray P (44) | ||