
Thread: My hard drive goes berserk every time I log on

  1. #11
    Junior Member
    Join Date
    Jan 2008
    Posts
    9

    Hi,

    I have installed the Recovery Console (how do I check it installed OK because it didn't seem to end properly?)

    I ran Combofix before Avast uninstallation and I uninstalled using the Avast uninstall facility

    I have run ATF

  2. #12
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi

    Upload these to http://www.virustotal.com or http://virusscan.jotti.org and post back the results:
    C:\Program Files\SetAttrib.exe
    C:\Program Files\delete.exe

    To check if recovery console is properly installed run combofix once again. Has your system performance improved during this process?
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #13
    Junior Member
    Join Date
    Jan 2008
    Posts
    9

    Hi,

    I ran the Virus checker on the two files and they both came up with zero. (I couldn't find where the results went or how to save them - is it just print to file?)

    Yesterday I ran Kaspersky on my Documents and Settings folder and it found

    Trojan-Spy.HTML.Bayfraud.hc 3 times
    Trojan-Downloader.Win32.small.dz 2 times
    Trojan-Downloader.Win32.nurech.s

    The whole process took hours - would they replicate/move themselves during that time?

    I am going to set it running again today on the whole PC
    (everything is still very slow)

  4. #14
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Hi

    Quote:
        I ran the Virus checker on the two files and they both came up with zero. (I couldn't find where the results went or how to save them - is it just print to file?)

    Only way is to copy-paste the results. Doesn't matter here though since results were zero.

    Quote:
        Yesterday I ran Kaspersky on my Documents and Settings folder and it found

        Trojan-Spy.HTML.Bayfraud.hc 3 times
        Trojan-Downloader.Win32.small.dz 2 times
        Trojan-Downloader.Win32.nurech.s

    Complete (all drives included in scan) Kaspersky report would tell me more. Scanners sometimes find false positives too.

    Quote:
        I am going to set it running again today on the whole PC
        (everything is still very slow)

    You could try this slow computer guide written by Miekiemoes.

  5. #15
    Junior Member
    Join Date
    Jan 2008
    Posts
    9

    I seem to have invited trouble

    I was thinking through some of what has gone on in the last few days and decided to download combofix again from a different site. Then just to make sure all was OK I ran both through Virustotal and it has me very worried.

    Firstly what other files are infected that neither Kaspersky nor Avast see, and more importantly what are these viruses and trojans doing with my data and my pc?

    The other thing that is very disturbing is that what follows, pasted with ctrl V, is not what was shown on the screen picked up with ctrl C

    File ComboFix_2_.exe received on 01.18.2008 00:11:46 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
    Result: 8/32 (25%)
    Loading server information...
    Your file is queued in position: 4.
    Estimated start time is between 47 and 68 seconds.
    Do not close the window until scan is complete.
    The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
    If you are waiting for more than five minutes you have to resend your file.
    Your file is being scanned by VirusTotal in this moment,
    results will be shown as they're generated.
    Compact Compact
    Print results Print results
    Your file has expired or does not exists.
    Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

    You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
    Email:

    Antivirus          Version       Last Update  Result
    AhnLab-V3          2008.1.18.10  2008.01.17   -
    AntiVir            7.6.0.48      2008.01.17   -
    Authentium         4.93.8        2008.01.17   -
    Avast              4.7.1098.0    2008.01.17   -
    AVG                7.5.0.516     2008.01.17   -
    BitDefender        7.2           2008.01.17   -
    CAT-QuickHeal      9.00          2008.01.17   -
    ClamAV             0.91.2        2008.01.17   -
    DrWeb              4.44.0.09170  2008.01.17   BATCH.Virus
    eSafe              7.0.15.0      2008.01.16   -
    eTrust-Vet         31.3.5467     2008.01.17   -
    Ewido              4.0           2008.01.17   -
    FileAdvisor        1             2008.01.18   -
    Fortinet           3.14.0.0      2008.01.17   -
    F-Prot             4.4.2.54      2008.01.17   -
    F-Secure           6.70.13260.0  2008.01.17   -
    Ikarus             T3.1.1.20     2008.01.17   -
    Kaspersky          7.0.0.125     2008.01.18   -
    McAfee             5210          2008.01.17   -
    Microsoft          1.3109        2008.01.17   -
    NOD32v2            2802          2008.01.17   archive damaged
    Norman             5.80.02       2008.01.17   -
    Panda              9.0.0.4       2008.01.17   Application/NirCmd.A
    Prevx1             V2            2008.01.18   -
    Rising             20.27.31.00   2008.01.17   Trojan.Win32.Malagent.a
    Sophos             4.24.0        2008.01.17   NirCmd
    Sunbelt            2.2.907.0     2008.01.17   VIPRE.Suspicious
    Symantec           10            2008.01.17   -
    TheHacker          6.2.9.189     2008.01.17   -
    VBA32              3.12.2.5      2008.01.15   Trojan.StartPage.20448
    VirusBuster        4.3.26:9      2008.01.17   -
    Webwasher-Gateway  6.6.2         2008.01.17   Riskware.NirCmd.3
    Additional information
    File size: 1552034 bytes
    MD5: 2cf8b75fb798f38824156e57ad3e7ad2
    SHA1: 239e3b431c3cd6d44cca80bce589f7bfc7267d6b
    PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
    packers: UPX
    packers: UPX, RAR
    packers: PE_Patch.UPX, UPX, UPX, Autoit, PE_Patch.UPX, UPX, PE_Patch.UPX, UPX, UPX, UPX, UPX
    Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

  6. #16
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    ComboFix.exe is not malware. The reason why scanners flag it as infected is that ComboFix uses some of the same kinds of methods that malware uses. The difference is that ComboFix uses these for good while malware does only harm.
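
A way to read a multi-engine result like the one pasted in post #15 before drawing conclusions from the raw 8/32 count, as an added example that is not part of the original thread: it groups the non-clean rows into scan errors, tool/riskware labels, heuristic verdicts and named-malware verdicts. The bucket names and keyword rules are assumptions of this example, not VirusTotal's or any vendor's classification.

```python
import re
from collections import defaultdict

# Rows copied from the VirusTotal paste in post #15 (the eight non-clean
# results plus three clean ones); columns: engine, version, last update, result.
SAMPLE = """\
Avast 4.7.1098.0 2008.01.17 -
DrWeb 4.44.0.09170 2008.01.17 BATCH.Virus
Kaspersky 7.0.0.125 2008.01.18 -
NOD32v2 2802 2008.01.17 archive damaged
Panda 9.0.0.4 2008.01.17 Application/NirCmd.A
Rising 20.27.31.00 2008.01.17 Trojan.Win32.Malagent.a
Sophos 4.24.0 2008.01.17 NirCmd
Sunbelt 2.2.907.0 2008.01.17 VIPRE.Suspicious
Symantec 10 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 Trojan.StartPage.20448
Webwasher-Gateway 6.6.2 2008.01.17 Riskware.NirCmd.3
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

# Bucket rules are this example's assumptions; they are checked in order.
RULES = [
    ("scan_error", re.compile(r"damaged|error|timeout", re.I)),
    ("tool_or_riskware", re.compile(r"riskware|application/|nircmd", re.I)),
    ("heuristic", re.compile(r"suspicious|heur|generic", re.I)),
]

def parse(text):
    """Yield (engine, result) for every well-formed row; skip anything else."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group(1), m.group(4).strip()

def triage(text):
    """Group non-clean results so named-malware verdicts stand apart."""
    buckets = defaultdict(list)
    for engine, result in parse(text):
        if result == "-":
            buckets["clean"].append(engine)
            continue
        kind = next((k for k, rx in RULES if rx.search(result)), "named_malware")
        buckets[kind].append((engine, result))
    return dict(buckets)

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE).items():
        print(f"{kind}: {hits}")
```

On the pasted rows, one of the eight non-clean results is a scan error rather than a detection, three carry a NirCmd tool/riskware label, one is a heuristic verdict, and three name a malware family.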

  7. #17
    Security Expert: Emeritus Blade81's Avatar
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Due to inactivity, this thread will now be closed.

    Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
