PCWorld Forums


Self-replicating Directories - Zzz.zzz...zz....z

#1 User is offline   DnRusa 

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 27-February 10

Posted 27 February 2010 - 08:00 AM

Not sure if this is the correct area for this question but I have a problem and I'm not sure if it's a virus or not.

I noticed my PC slowing down to a crawl every time I rebooted (soft or hard boot). When I went to investigate I found a directory called C:/3590F75ABA9E485A9D4FF06ZZZZ..Z..Z..ZZZZ and sub-directories within it called ZZZ..ZZ.ZZZ and they keep popping up with more and more of these randomly named (all Z's) directories. Each of the sub-directories has exactly 251 files in it with the file name of, you guessed it, some variation of ZZZ's and then a new sub-directory is created and starts to populate with its 251 files and so on. I keep deleting the directories as they pop up but so far I have been deleting for about 45 minutes (at least 200 of the sub-directories) with no end in sight....

While writing this it stopped but it took 50 minutes to do so and it seems to have deleted itself along with all of the sub-directories.... but I'm sure I haven't seen the last of it...

Any thoughts as to what is causing this? I have scanned for AV with AVG, MS Security Essentials, and Trend Micro's Housecall and each one says the PC is clean. Nothing unusual was running that I could see.

Any help would be greatly appreciated.
0

#2 User is offline   Ibrad09 

  • Advanced Member
  • Group: Members
  • Posts: 146
  • Joined: 14-November 09

Posted 27 February 2010 - 09:18 AM

Have you tried a Malwarebytes scan?
My Security Setup: Panda Cloud Antivirus, Winpatrol PLUS, Malwarebytes PRO

Honorary Member on the Malwarebytes Forum

Panda Cloud antivirus forum expert
0

#3 User is offline   SpiritWind 

  • Expert
  • Group: Members
  • Posts: 2,425
  • Joined: 19-August 06

Posted 27 February 2010 - 10:12 AM

Hi :

It is usually helpful IF people tell us the SPECIFIC
"Name" of their Operating System, such as Win XP
( SP2 or SP3 !? ), Win Vista ( Basic, etc ) or
Win 7 and IF the System is a 64 bit version !?

Generally speaking, best to check for malware OTHER
than using antiVIRUS programs, such as using
antiMALWARE programs, such as Malwarebytes
Anti-Malware ( http://www.malwarebytes.org/mbam.php )
and "SUPERAntiSpyware" ( http://www.superantispyware.com )
BOTH of which come in a FREE Version .

And even more helpful is IF people tell us the
Names ( SPECIFIC if possible ) of the security
programs currently on their computer !?
For the very Best in Life :

http://www.ctftoronto.com
0

#4 User is offline   DnRusa 

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 27-February 10

Posted 27 February 2010 - 11:44 AM

Ibrad09, on 27 February 2010 - 09:18 AM, said:

Have you tried a Malwarebytes scan?


I gave it a try and it did indeed find a few items:

Thanks for the help... hopefully that works


Malwarebytes' Anti-Malware 1.44
Database version: 3802
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/27/2010 2:40:15 PM
mbam-log-2010-02-27 (14-40-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 173261
Time elapsed: 1 hour(s), 24 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{549b5ca7-4a86-11d7-a4df-000874180bb3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
0

#5 User is offline   Ibrad09 

  • Advanced Member
  • Group: Members
  • Posts: 146
  • Joined: 14-November 09

Posted 27 February 2010 - 12:29 PM

Hmmm........This is an odd type of malware; it looks like it's not trying to harm your machine, it looks like it's trying to slow it down though.

I know you are infected because some undetected malware is making those files.

Try Superantispyware and then post the log file of that here if it detects anything.
0

#6 User is offline   DnRusa 

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 27-February 10

Posted 28 February 2010 - 03:03 PM

Ibrad09, on 27 February 2010 - 12:29 PM, said:

Hmmm........This is an odd type of malware; it looks like it's not trying to harm your machine, it looks like it's trying to slow it down though.

I know you are infected because some undetected malware is making those files.

Try Superantispyware and then post the log file of that here if it detects anything.


I gave it a try and it found a few tracking cookies and that is all.

BTW - Thanks for all your help, I really appreciate it.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/28/2010 at 01:20 PM

Application Version : 4.34.1000

Core Rules Database Version : 4624
Trace Rules Database Version: 2436

Scan type : Complete Scan
Total Scan Time : 00:47:34

Memory items scanned : 564
Memory threats detected : 0
Registry items scanned : 7058
Registry threats detected : 0
File items scanned : 17062
File threats detected : 38

Adware.Tracking Cookie
0

#7 User is offline   Ibrad09 

  • Advanced Member
  • Group: Members
  • Posts: 146
  • Joined: 14-November 09

Posted 28 February 2010 - 04:01 PM

Have you tried any online scanners?

Also what programs do you have running in the background when the files are being created?
0

#8 User is offline   DnRusa 

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 27-February 10

Posted 28 February 2010 - 08:11 PM

Ibrad09, on 28 February 2010 - 04:01 PM, said:

Have you tried any online scanners?

Also what programs do you have running in the background when the files are being created?


Sure have... I think I have hit them all.... even tried the Avast AV Boot CD and a few others whose names I can't remember, about 6 in all....

The programs are the normal Windows apps (explorer, lsass, svhost, etc), AVG, iTunes, some NVIDIA drivers, wireless LAN card driver, and RAID card driver.... nothing out of the ordinary
0

#9 User is offline   DnRusa 

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 27-February 10

Posted 01 March 2010 - 03:59 PM

I have attached some screen captures so you can see what I see... all pics have task manager in them so you can see the processes also.
Picture 1 - slow1.jpg | shows a file being generated that grows to 7+ GB then deletes itself, then,
Picture 2 - slow2.jpg | the directories start and all of them combined total 7+ GB
Picture 3 - slow3.jpg | The files found in the directories
Picture 4 - slow4.jpg | After the process completes.

I did notice CCleaner running during this and it ended when the process (slow down) stopped (it shows in task manager in pic 4 but did end shortly after I did the screen capture). Can CCleaner be the culprit?

Attached Image: slow1.jpg
Attached Image: slow2.jpg
Attached Image: slow3.jpg
Attached Image: slow4.jpg
0

#10 User is offline   Ibrad09 

  • Advanced Member
  • Group: Members
  • Posts: 146
  • Joined: 14-November 09

Posted 01 March 2010 - 05:29 PM

Do you have secure wiping set up on CCleaner? If so, that is CCleaner wiping over the data so it's not recoverable.
0

#11 User is offline   DnRusa 

  • Newbie
  • Group: Members
  • Posts: 6
  • Joined: 27-February 10

Posted 04 March 2010 - 05:16 AM

Ibrad09, on 01 March 2010 - 05:29 PM, said:

Do you have secure wiping set up on CCleaner? If so, that is CCleaner wiping over the data so it's not recoverable.


I didn't have it set but that is what was causing the problem... I uninstalled CCleaner and the problem went away.. I did 10 reboots and all was good.... I reinstalled CCleaner and everything seems ok now.... and hopefully it stays that way..

Again thanks for the help
0
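A triage sketch for the pattern discussed in this thread, added here as an example and not taken from any poster or from CCleaner: it walks a directory tree and summarizes directories that contain only filler-named files, so the artifacts can be compared against what DnRusa described. The name pattern and the 251-file count come from the first post; treating them as a signature is an assumption, and a match only tells you what the files look like, not which process wrote them.

```python
import os
import re
import tempfile

# Heuristic built from the names reported in this thread: an optional hex
# prefix, then only 'Z' and '.', e.g. "3590F75ABA9E485A9D4FF06ZZZZ..Z..Z..ZZZZ".
FILLER_NAME = re.compile(r"^[0-9A-F]*Z[Z.]*$")
FILES_PER_DIR = 251  # count DnRusa observed in every finished sub-directory

def summarize_filler_dirs(root):
    """One record per directory whose own name and all file names are filler."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        if not files or not FILLER_NAME.match(os.path.basename(dirpath)):
            continue
        if all(FILLER_NAME.match(f) for f in files):
            size = sum(os.path.getsize(os.path.join(dirpath, f)) for f in files)
            records.append({"path": dirpath, "files": len(files), "bytes": size})
    return records

def matches_wipe_pattern(records):
    """True if every directory is full (251 files) except at most one still filling."""
    if not records:
        return False
    partial = [r for r in records if r["files"] < FILES_PER_DIR]
    oversize = [r for r in records if r["files"] > FILES_PER_DIR]
    return not oversize and len(partial) <= 1

def build_sample(root):
    """Constructed test tree (not data from the thread): 2 full dirs, 1 partial, 1 normal."""
    top = os.path.join(root, "3590F75ABA9E485A9D4FF06ZZZZ..Z..Z..ZZZZ")
    layout = {"ZZZ..ZZ.ZZZ": 251, "ZZ.ZZZ..ZZ": 251, "Z..ZZZZ.ZZ": 10}
    for sub, count in layout.items():
        os.makedirs(os.path.join(top, sub))
        for i in range(count):
            # Encode i as a unique name made only of 'Z' and '.' characters.
            name = "Z" + format(i, "08b").replace("0", ".").replace("1", "Z") + "Z"
            with open(os.path.join(top, sub, name), "wb") as fh:
                fh.write(b"\0" * 16)
    os.makedirs(os.path.join(root, "Documents"))
    with open(os.path.join(root, "Documents", "ZZZ.txt"), "w") as fh:
        fh.write("ordinary file")
    return top

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        found = summarize_filler_dirs(tmp)
        print(len(found), "filler directories; wipe pattern:", matches_wipe_pattern(found))
```

To attribute the writes to a specific program, run the summary while the directories are appearing and compare its timing with the process list, as DnRusa did with Task Manager in post #9.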

#12 User is offline   Ibrad09 

  • Advanced Member
  • Group: Members
  • Posts: 146
  • Joined: 14-November 09

Posted 04 March 2010 - 06:46 AM

No problem :D
0

#13 User is offline   valour 

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 10-May 10

Posted 10 May 2010 - 01:41 AM

Hi guys, had exactly the same thing with the same directory etc. I was also running CCleaner at the time so have uninstalled it and am trying to delete the files. Hope it works. Thanks guys.
0
