HijackThis log help required - Malware causing system crash /hang /system slow


NineMilesHigh

Hi,
I am looking for help analysing a HijackThis log.
PC is a Dell Dimension 4600, 2.5GB mem, running fine for 5 years.
Windows XP (SP2) with IE8,
Now crashing/hanging/going slow /freezing.
Have run AVG, Avira, Avast, MalwareBytes, SuperAntiSpyware (independently of course), but any issues found have not fixed problem.
May need rootkit removal - but first try is HijackThis.
I hope this is the correct place to post a log.
It has been attached.

Thanks for help

NineMilesHigh (NMH)
 
You need to do some housekeeping before we go forward:

You have multiple antivirus programs running: RAV, Norton and Avira:

  • Toolbar: Norton AntiVirus
  • Service: Avira AntiVir Scheduler

  • This can cause a conflict that makes you more vulnerable.
  • This can slow you down.

Your main AV appears to be RAV: rav.exe belongs to Rising AntiVirus 2008 from Beijing Rising Technology Co., Ltd.

If this is current and updating, you will need to remove left over entries from Norton and Avira:
Please download the Norton Removal Tool (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039) and save it to your desktop.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Double-click on the Norton Removal Tool and Run.

When finished, remove Avira:
To uninstall Avira:
  • Start> Settings> Control Panel> Add or Remove Programs (Windows 2000/ XP) or Start - Control Panel - Uninstall a program (Windows Vista / 7)
  • Wait for the list of installed programs to load, then click the name of the Avira program.
  • Click Remove next to the program's name (Windows 2000 / XP) or in the menu above the list (Windows Vista / 7).
  • Press Yes, to confirm the removal and then OK.
  • Click Next until Finish. The software is removed.

Two programs are out of date and present additional vulnerabilities. Please update both now:
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates, as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

P2P or 'file sharing': P2P Warning:
I notice that you are using Limewire.
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Limewire for the following reasons:
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

When you have finished the housekeeping:

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
  • Run Combo-Fix.exe and follow the prompts.
    (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
  • Wait for the scan to be completed.
  • If it requires a reboot, please do it.
  • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Notes:

  1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
  3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
  4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please attach the report to your next reply.

Rescan with HijackThis and paste log into next reply.

You are also at great risk having so many ActiveX processes running (O16). You have uploaders for almost everything on the internet running.
 
Thanks for advice.
I am on the case.
Norton was on the PC originally as a 60 day trial and was uninstalled. Must have left over registry entries. Have run the removal tool now.
Avira won't appear in Add/Remove Programs as I have previously tried to uninstall it. It said not all files were removed. I have tried the Avira Removal Tool, but will try it again.

Can you advise on the ActiveX processes as I would like to get rid of some of these and clean up.

Will come back soon.

Regards
NMH
 
Combofix log

Hi.
Updated Adobe Reader.
Tried to firstly uninstall the old version of Java ,but it sat 'gathering required information' for about 20 mins - so I stopped it. On trying to install the new version, it did nothing on double-clicking. I will come back to that.
Uninstalled Limewire.
Got Combofix.
Disconnected from Internet.
Ran avunstXPeng to uninstall Avira Antivirus - although it still says 'unable to delete all components'. (It won't allow deletion of the Avira directory in Program Files, anyway).
Disabled Windows Firewall
Uninstalled Rising Antivirus
Noticed that Windows Security was still saying that a virus checker was running - Avira, despite me uninstalling it earlier. Will need to come back to that.
Noticed that CCleaner is saying there is an entry with key HKLM:Run delus which is delus.exe in the Local Settings\Temp folder. Some info on the Internet says Delus is a trojan - but it appears to be part of Avira Antivirus. For the moment I have 'disabled' it in CCleaner and can decide later what to do with it.
Ran Combofix.
The log is attached.
I note it says I have MBR rootkit.
Won't do anything - but wait for advice.

Thanks for help.
NMH
 

Attachments

  • ComboFix.txt
Rescan with HijackThis and paste log into next reply.

I'd also like you to open the Combofix report and help me out with this:
11/20/09:
There are 29 under c:\documents and settings\All Users\Application Data\AOL, performed through waol uk.

waol is a high resource user. I notice the Viewpoint Toolbar was one of these installs. What I need to know is if all of you intentionally did this and/or are aware of it. Viewpoint is considered foistware: it's not malware or spyware, but it is bundled with some other unrelated programs and downloaded without your knowledge or permission.

On same date:
All users. then individual users William, Fiona, Gary, HelpAssistant and LocalService all did the following:

IETldCache: used DellDomains to remove all of the sites in the Restricted Zone.
Apparently, IE8 has its own way to handle restricted sites, and all of these additions were bogging it down.

PrivacIE: Internet Explorer 8 comes with a tool called InPrivate Filtering. Website content provided by third parties is often used to track what sites a user visits and/or to display ads. InPrivate filtering keeps these third parties from collecting information about you and may be used to block ads.

You are also running AOL® 9.0 Security Edition, which includes:
  • McAfee® VirusScan® Online,
  • McAfee® Personal Firewall Express
  • AOL® Spyware Protection with an added SpyZapper
More description HERE

So: running Avira and the Comodo firewall is going to make the system more vulnerable and slow the system down.

Are you aware of all of this?
 

Hi,
Sorry - I don't know what the waol activity is and whether it is something that was done accidentally - or via malware.
Viewpoint is unknown to me.
I did reinstall aol (went up to V9.0 VR) as AOL it was always hanging (to see if this would help - but it didn't).
Also upgraded IE from v7 to v8 to try to clear the issues we were having.
'Removing sites in the restricted zone' - not sure what happened there.
PrivacIE - once again this is unknown to me.

I had been looking at the Event Viewer in Administrative Tools to see what errors had been occurring, to try to eliminate these when the system had been hanging/crashing. One error was around the Upload Manager which was not running in 'Services'. When I tried to start it, I got 'Account specified for this service is different from the account specified for other services running in the same process'. The solution seemed to be to go into Upload Manager in 'Services' and change the 'Log on' from 'NT Authority\system' to 'Local System Account'.
The error went away, but I was unsure if this was the right thing to do, and would come back to it. Don't know if this is connected with any of the issues you have pointed out.

Also not aware I was running all these items under 'AOL 9.0 Security Edition', like McAfee etc...
Comodo was installed to look for malware etc. - and uninstalled - so I don't know why it would still be there - possibly not uninstalled correctly?

Regarding the 'Help Assistant' entries:- A virus was found in Docs & Settings\Help Assistant\Local Settings\Temp Internet Files\Content.IE5\PSI6RQFZ\binrgn2.pdf (Exploit.pdf-JS.Gen). I think I may have deleted it manually.

Latest HijackThis log appears to make my response too long, so will have to append - sorry.

Thanks for your help.
Much appreciated.
NMH
 
I would appreciate it if you did a search in your system for all things AOL. The system is "full" of downloads and installs from AOL. There are 29 'somethings' you're not aware of!

Are there all of these users: William, Fiona, Gary, HelpAssistant and LocalService?

Someone used DellDomains to remove all of the sites in the Restricted Zone.
 
Response...

I recently upgraded AOL to latest version in a bid to keep it up to date and see if it would clear any issues. I hoped (presumed) that it would tidy up previous versions and only run what is essential. If there are lots of AOL things running or going on, I would like to clear up.
I will run a search for everything 'AOL' and let you know.
Regarding users:
William (me), Gary and Fiona are users. The others you mention are not. Could they be created by some process? What do you advise?
Regarding restricted sites being cleared, this was not done intentionally by anyone. Could it have been done either:-
- inadvertently ...or
- by some malware

At moment, PC is running, albeit slowly. Internet Explorer hangs, then works. Event Viewer shows iexplore hangs.
Also if left idle for a while, PC hangs at 'Preparing to go into Standby mode' and cannot be woken out of it. Have to power down.

Thanks for help.
William
Will come back with the AOL info...

Thanks for help.
 
Let's get the important thing out of the way first.

Delete your copy of ComboFix.

Download ComboFix from one of these locations:

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


Go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to Step 1, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

Note: If you have SP3, use the SP2 package.


---------------------------------------------------------------------

Transfer all files you just downloaded, to the desktop of the infected computer.

--------------------------------------------------------------------


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.


  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt in your next reply.
 
Uploading list of all 'AOL' files from search result... Not sure if you'll need to look at cookies etc., but thought it best to give you everything. If you need any more details on any files please let me know.

PS don't know if this was best way to capture this info...

 
Comment on AOL files

Just as a comment:-
What a lot of files -- surely must be totally unnecessary.
Makes me want to uninstall it, delete everything except the emails and reinstall again.
However, won't do anything at moment - will wait on your advice.
Meanwhile will do the Combofix /Recovery Console stuff and get back to you.

Regards
W
 
Please follow what kritius has set up for you.

I will be watching the thread. You will receive excellent help from kritius.

Please hold off on deleting or reinstalling until he can determine what is and what should and should not be on your system.

We'll clean everything up at the end.
 
Slightly gruelling session trying to get this to you. A lot of hangs and freezes, slow downs, got there in the end.

Looking forward to hearing back from you.

Thanks.
 

Attachments

  • log.txt
Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\Add-Remove Programs.txt

A report should pop open for you. Please post the contents in your next reply.



1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::
c:\program files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

Driver::

MBR::

Save this as CFScript.txt, in the same location as ComboFix.exe


[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
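The Registry:: section of the CFScript above deletes one stale Windows Firewall exception (the LimeWire entry) using .reg delete-value syntax ("name"=-). The following is an added example, not kritius's script or any ComboFix code: it parses a .reg export of the XP firewall AuthorizedApplications list, flags Enabled exceptions whose program is gone (the exception is keyed on the path, so whatever lands at that path later inherits it) or that run from a temporary directory, and emits the corresponding delete lines. The value format "<path>:<scope>:<Enabled|Disabled>:<name>" is the XP SP2 firewall's; the registry lines, the STILL_INSTALLED set and the path C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe are constructed for the example.

```python
"""Audit XP firewall AuthorizedApplications entries from a .reg export (added example)."""
import re
from typing import Callable, Dict, List, Tuple

# One REG_SZ line of a .reg export: "name"="data", backslashes and quotes escaped with '\'.
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# Exception data: path, scope ('*' = any network, else a subnet list), state, display name.
ENTRY = re.compile(
    r'^(?P<path>[A-Za-z]:[^:]*|[^:]+):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<desc>.*)$'
)
# Directories a legitimately firewall-exempted program should not be running from.
VOLATILE_DIRS = ('\\temp\\', '\\locals~1\\', '\\local settings\\', '\\temporary internet files\\')


def unescape(s: str) -> str:
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_authorized_apps(reg_text: str) -> List[Dict[str, str]]:
    """Return one dict per firewall exception found in the export."""
    entries = []
    for raw in reg_text.splitlines():
        m = REG_VALUE.match(raw.strip())
        if not m:
            continue  # key header, blank line, or a value type we do not handle
        e = ENTRY.match(unescape(m.group('data')))
        if not e:
            continue  # not in the path:scope:state:name shape
        entries.append({'value': unescape(m.group('name')), **e.groupdict()})
    return entries


def audit(entries: List[Dict[str, str]],
          path_exists: Callable[[str], bool]) -> List[Tuple[Dict[str, str], str]]:
    """Return (entry, reason) pairs for Enabled exceptions that should go or be reviewed."""
    findings = []
    for e in entries:
        if e['state'] != 'Enabled':
            continue
        low = e['path'].lower()
        if not path_exists(e['path']):
            findings.append((e, 'program no longer present; any file dropped at this path inherits the exception'))
        elif any(d in low for d in VOLATILE_DIRS):
            findings.append((e, 'runs from a temporary or per-user directory'))
    return findings


def reg_delete_lines(findings) -> List[str]:
    """Emit "value"=- lines (the .reg delete-value form a Registry:: section accepts)."""
    return ['"%s"=-' % e['value'].replace('\\', '\\\\') for e, _ in findings]


# Constructed sample export; paths and names are placeholders, not from the thread's logs.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\updater.exe"="C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\updater.exe:*:Enabled:updater"
"C:\\Program Files\\Old Game\\game.exe"="C:\\Program Files\\Old Game\\game.exe:*:Disabled:Old Game"
'''
# Stands in for os.path.exists on the infected machine (constructed: LimeWire was uninstalled).
STILL_INSTALLED = {'C:\\Program Files\\Messenger\\msmsgs.exe',
                   'C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\updater.exe'}


def run_sample():
    entries = parse_authorized_apps(SAMPLE_REG)
    findings = audit(entries, lambda p: p in STILL_INSTALLED)
    return entries, findings, reg_delete_lines(findings)


if __name__ == '__main__':
    _, findings, lines = run_sample()
    for e, why in findings:
        print('%-50s %s' % (e['path'], why))
    print('\n'.join(lines))
```

On the live machine, replace the STILL_INSTALLED lookup with os.path.exists and feed it the output of `reg export` for the List key; the emitted lines drop straight into a Registry:: block under the same key header.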
 
Add remove programs report and 2nd combo fix report.

Thanks.
 

Attachments

  • Add-Remove Programs.txt
  • log 2.txt
Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
 
MBAM results

Hi,
Ran MBAM as requested.
Results:-

Malwarebytes' Anti-Malware 1.41
Database version: 3268
Windows 5.1.2600 Service Pack 2

01/12/2009 21:00:10
mbam-log-2009-12-01 (21-00-10).txt

Scan type: Quick Scan
Objects scanned: 175686
Time elapsed: 9 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
I'll let kritius handle this since he requested it. Might be a good idea to confer with all the users and ask who is putting what on the system!
 

Hi -
There are only 4 users and only 2 of these would install anything.
There has always been a Firewall, AntiVirus (typically AVG) and Ad-Aware on the system.
Various other AntiVirus and Malware removal progs have been installed at various times and the previous one removed.
There is certainly a fair bit of music content on the PC related to Cubase and Reason.
Limewire (which you advised against) has been removed.
AOL and Internet Explorer have been uninstalled and reinstalled around the time the probs occurred, to try to clear any issues - but it would appear not all uninstalls were finished cleanly.
For the moment I have installed Avira as the AntiVirus prog and removed AVG.

As an aside we have a disk error at boot time. It checks the C: drive for consistency and fails due to 'an unexpected error occurred'. If you try to run chkdsk /f it cannot lock the drive as it says it is in use. If you run it without the /f it finds some errors, but obviously cannot fix them (without the /f).
After that error, the PC comes up fine and is running OK'ish.

Will await your advice - but at some stage I would like to clear out some of the ActiveX components you mentioned in a previous post, and consider what action we take on the possible rootkit MBR issue that came up earlier.

Pls advise.
Thanks.

W.
 
NMH, no rootkit showed in the last Combofix report.

When kritius has finished:

For the ActiveX Objects (O16) I've listed the ones running below. This is something extra I help out with when I have time. Please print it out. Do a search for any processes you don't recognize. I've marked some. If you no longer use it, delete it. If you're not using it now but might in the future, disable it. For any you delete, check Add/Remove Programs to see if there is a related program.

Open IE > Tools > Manage add-ons. There are two settings for the dialog box: add-ons being used now and add-ons previously used. Look in both sections. Change the setting as appropriate to Disable or Delete. The fewer of these you have, the better the system security.
------------------------------------------------
You have 3 of these running:
Facebook Photo Uploader 5: Disable one
Face Book Photo Uploader 4: Disable two
Facebook Photo Uploader 5

You have 2 of these running:
MySpace Uploader Control- Disable one
MySpace Uploader Control

MSN Photo Upload Tool (file = MsnPUpld.dll) > used in Hotmail to select photos.

Reference the following site for handling these MSN Game Active X Objects:
http://zone.msn.com/en/support/article/support3800.htm

MessengerStatsClient
ZoneChess Object (MSN Messenger)
MSN Games - Installer


QDiagAOLCCUpdateObj Class (AOL Computer Check) > Disable

For SimCity, look for patches here if still playing: http://simcity.ea.com/update/index_update.php
If not, delete both.
EARTPatchX Class- SimCity
MaxisSimCity4PatcherX Control Sim City

Online AV scans:
download.bitdefender- Disable
HouseCall Control- Disable

Java Runtime Environment 1.6.0 > Disable > update to the correct v6u17.
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates, as they are vulnerabilities.

AxisCamControl.ocx- Chesscam> unless you're really into chess and watch it all day. Disable.

ScorchPlugin Class

Auto_Installer/dwnldr.cab (Stopzilla)

Shockwave Flash Object?

getPlusPlus/1.6/gp.cab (Adobe)>> Disable. To quote an Adobe Forum member: "crapware' component stealth-installed by the Flash plugin"
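The list above was read off the O16 (Downloaded Program Files / ActiveX) lines of the HijackThis log by hand, and earlier in the thread an HKLM Run entry executing from Local Settings\Temp was spotted the same way. The following is an added example, not code from HijackThis or from anyone in this thread: a small triage helper that parses O4 and O16 lines, flags autoruns that execute from a temporary directory, and groups downloaded controls by the host they were fetched from so that several copies of one vendor's uploader (the "you have 3 of these running" case) show up as a single finding. The O4/O16 line shapes are assumed from HijackThis 2.0.x logs; the sample lines, CLSIDs and .invalid hostnames are constructed.

```python
"""Triage O4 (autorun) and O16 (DPF/ActiveX) lines from a HijackThis log (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumed line shapes:  O4 - HKLM\..\Run: [label] C:\path\prog.exe [args]
#                       O16 - DPF: {CLSID} (Friendly name) - http://host/control.cab
O4_RUN = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$')
O16_DPF = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$')

# Locations from which a persistent autorun has no business executing.
VOLATILE_DIRS = ('\\temp\\', '\\temporary internet files\\', '\\content.ie5\\')


def parse_hjt(text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (autoruns, downloaded_controls); every other log line is ignored."""
    runs, dpfs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            runs.append(m.groupdict())
            continue
        m = O16_DPF.match(line)
        if m:
            dpfs.append(m.groupdict())
    return runs, dpfs


def exe_path(cmd: str) -> str:
    """Pull the executable out of an O4 command line: a quoted path, or the first token ending in an executable extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'^(.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(runs, dpfs) -> List[Tuple[str, str, str]]:
    """Return (section, subject, reason) findings in a stable order: O4 first, then O16 by host."""
    findings = []
    for r in runs:
        path = exe_path(r['cmd'])
        if any(d in path.lower() for d in VOLATILE_DIRS):
            findings.append(('O4', r['label'], 'autorun executes from a temporary directory: %s' % path))
    by_host = defaultdict(list)
    for d in dpfs:
        by_host[urlparse(d['url']).netloc.lower()].append(d)
    for host, group in sorted(by_host.items()):
        if len(group) > 1:
            names = ', '.join(d['name'] for d in group)
            findings.append(('O16', host, '%d controls from one source (%s); keep at most one, disable the rest' % (len(group), names)))
    return findings


# Constructed sample log; CLSIDs and hosts are placeholders, not real control identities.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [sample] C:\DOCUME~1\user\LOCALS~1\Temp\sample.exe
O4 - HKCU\..\Run: [Player] "C:\Program Files\Player\player.exe" /background
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Facebook Photo Uploader 5) - http://upload.example.invalid/v5/Uploader5.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Facebook Photo Uploader 4) - http://upload.example.invalid/v4/Uploader4.cab
O16 - DPF: {00000000-0000-0000-0000-000000000003} (Shockwave Flash Object) - http://fpdownload.example.invalid/pub/swflash.cab
'''


def run_sample():
    runs, dpfs = parse_hjt(SAMPLE_LOG)
    return runs, dpfs, triage(runs, dpfs)


if __name__ == '__main__':
    _, _, findings = run_sample()
    for section, subject, reason in findings:
        print('%-4s %-25s %s' % (section, subject, reason))
```

Paste a full log in place of SAMPLE_LOG; each O16 finding maps to a row in IE's Manage add-ons dialog, and each O4 finding to a Run value worth checking in Add/Remove Programs before disabling.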
 