TechSpot

HijackThis log help required - Malware causing system crash /hang /system slow

By NineMilesHigh
Nov 27, 2009
Topic Status:
Not open for further replies.
  1. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Cleaned up ActiveX controls

    Hi,
    I have cleaned up the ActiveX controls (O16's) as advised.
    I have posted the latest HijackThis below. I would be grateful if you could take another look.
    The MBR rootkit issue appears to have gone, as you say.
    Question:- At what point was this fixed? Was it on the previous Combofix run, because I was expecting to have to do an "mbr.exe -f" to fix it but at no time did we do that.
    So I can only presume you guys did this from within Combofix. Can you confirm, as I just want to be sure we have taken specific action to get rid of it. Thanks.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:12:04, on 02/12/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\WINDOWS\system32\dlcgcoms.exe
    C:\WINDOWS\system32\imapi.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\AOL\1175191946\ee\AOLSoftware.exe
    C:\WINDOWS\system32\DeltTray.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
    C:\Program Files\Avira\AntiVir Desktop\avscan.exe
    C:\DOCUME~1\William\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
    O2 - BHO: (no name) - {56CF4856-ECB4-4e46-A897-A378821F97B9} - (no file)
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
    O2 - BHO: (no name) - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175191946\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92297B56-E83F-4818-BDF8-39A7F355CEAA}: NameServer = 192.168.2.17,213.208.106.213
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
    O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 7643 bytes
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you for the assistance kritius.

    For the future, don't put here:
    HJT backs up the entries that get removed. If temp files get deleted, so do they.

    Active X section looks much better! Time to finish up. Regarding the 'rootkit', if you look at the first 2 Combofix reports, it is telling you 'there might be'. Since the last report does not have this, it was not a rootkit and whatever prompted Combofix is now gone.

    There are several BHO (02) entries showing 'no file'. That does not mean there is no file. The ones I checked were all legitimate. If you want to see if any are for programs you've removed, copy the CID (example {CDEEC43D-3572-4E95-A2A5-F519D29F00C0}) into this site:
    http://www.systemlookup.com/search.php?type=clsid

    Remove all of the tools we used and the files and folders they created
    • Download OTCleanIt by OldTimer
    • Save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    The tool will delete itself once it finishes.

    You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
    • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
    • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
    • Click "OK" to select the partition or drive you desire.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    You might want to delete all those AOL groups. Then run this:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    Empty the Recycle Bin

    If I can help you in the future, please let me know. Stay safe.
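    As an added example (not part of the original thread, and not a tool from TechSpot or HijackThis), a small Python triage script run over a few lines copied from the log above: it pulls out the O2 BHO entries marked '(no file)' together with the CLSIDs Bobbye suggests looking up, O23 services whose file is missing, the O16 ActiveX download entries with their source URL, and any O17 NameServer address that is not in a private range.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample: six lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - (no file)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92297B56-E83F-4818-BDF8-39A7F355CEAA}: NameServer = 192.168.2.17,213.208.106.213
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# HijackThis entry lines start with a section tag (R0..R3, O1..O24) followed by " - ".
LINE_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL_RE = re.compile(r"https?://\S+")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {section, body} entries; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"section": m.group(1), "body": m.group(2)})
    return entries


def triage(text: str) -> Dict[str, list]:
    """Collect the entries a reviewer would look at first; nothing here modifies the system."""
    report = {"orphan_bho_clsids": [], "missing_service_files": [],
              "activex_downloads": [], "external_dns": []}
    for entry in parse_hjt(text):
        section, body = entry["section"], entry["body"]
        clsid = CLSID_RE.search(body)
        if section == "O2" and body.endswith("(no file)") and clsid:
            # BHO registered but its DLL is gone: look the CLSID up before deciding to remove it.
            report["orphan_bho_clsids"].append(clsid.group(0))
        elif section == "O23" and body.endswith("(file missing)"):
            path = body.rsplit(" - ", 1)[1][: -len(" (file missing)")].strip()
            report["missing_service_files"].append(path)
        elif section == "O16" and clsid:
            url = URL_RE.search(body)
            report["activex_downloads"].append((clsid.group(0), url.group(0) if url else ""))
        elif section == "O17" and "NameServer" in body:
            for addr in (a.strip() for a in body.split("=", 1)[1].split(",")):
                try:
                    if not ipaddress.ip_address(addr).is_private:
                        report["external_dns"].append(addr)
                except ValueError:
                    report["external_dns"].append(addr)  # unparsable value: surface it for review
    return report


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {items}")
```

    An external DNS server in an O17 line is not by itself a sign of compromise (here it is the ISP's resolver alongside the router), but it is the line to compare against what the router and ISP are expected to hand out.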
  3. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Ran OTCleanIt - new problem which then cleared.

    Hi, I followed your procedure to run OTCleanIt, which ran and requested a reboot.
    After reboot, the system reports no Firewall is turned on (I have Windows Firewall). Security Center gives you an option to 'Enable Now' the Firewall - but it said it could not enable it.
    Clicking on Windows Firewall in Control Panel said 'Windows could not display the Firewall settings'. I tried to stop the Windows Firewall service in Admin Tools (to then restart it) but it could not stop it. I then tried a procedure from MS to address this problem:- from cmd, to run rundll32 setupapi,InstallHinfSection..etc... etc... and it failed to install.
    Tried to open Internet Explorer -- double-click did nothing.
    Then a few minutes later, for no reason that I could see, the Firewall suddenly turned on. This was about 15 mins after the reboot.
    Any thoughts/advice?
    Regards
    William
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes. Disable the Windows firewall.

    Get either of these free and good firewalls. Both are better than the Windows firewall:
    You should have a bi-directional firewall:
    A firewall is an important part of "layered security" in addition to an antivirus and anti-malware program for spyware/adware.
    • It can be a software program (Windows firewall, Comodo firewall, Zone Alarm firewall)
    • or hardware (as in a router) that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.
    • If you have a bi-directional firewall, it will 'listen' at both the ports coming in and the ports going out. This means that if malware does get on the system and tries to access the internet from within your system, it will be blocked.

    I recommend either of these software firewalls - both are free - use only one:
  5. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Firewall problem still there

    Hi,
    Tried a reboot to see if Firewall problem had gone.
    Problem is still there - this time nothing seems to bring it back on.
    Tried the 'netsh winsock reset' from the cmd prompt mentioned in another thread - asks for a reboot, after which Firewall problem is still there.
    W.
    Oops - just before I went to post this, the firewall mysteriously turned on.
    Any idea what's going on?
    Thanks
    W.
  6. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    More info

    I understand why you recommend a better Firewall and I will certainly take your advice.
    However this current problem I think is more than a Firewall problem.
    When the problem is evident, I cannot even launch Internet Explorer or AOL.
    Also I started up MalwareBytes AntiMalware to do a scan and it just sat 'Initialising the program' and wouldn't start the scan.
    Any app seems to hang.
    When the Firewall suddenly sorted itself, MBAM now works and IE now works - everything seems fine.
    So I think the Firewall not working is symptom of a wider issue where apps are hanging.
    What do you think?
    Regards
    W.
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please start a new thread for this problem in the Windows OS Forum.
  8. kritius

    kritius TS Guru Posts: 2,087

    Copy and paste the following into notepad.

    Code:
    Windows Registry Editor Version 5.00
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall"=dword:00000001
    
    Save it as firewall.reg, double click and merge it with your registry. Is the firewall started now?
  9. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Firewall update

    Hi. Thanks for suggestion.

    I carried out this procedure and then checked in the registry that this Firewall parameter was indeed set to 1.
    After a reboot, the problem is the same - no firewall turns on. :(
    At this point, Word and other apps can run ok, but IE will not start.
    After about 10 or 15 mins, the desktop flickers (like a kind of 'reset') and then the firewall turns on and IE (which I tried to start 10 mins ago) suddenly springs to life.
    Regards
    W.
  10. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Original problem query

    Whilst pondering the Firewall issue, can you tell me what fundamental issues were actually found with my original problem of hangs/slow/crashes?
    I know we cleared up a number of apps (probably conflicting virus progs etc, which did not all show up in Add/Remove progs), got rid of Limewire, cleared away numerous ActiveX components etc, and this has helped the PC, no doubt. But it is not clear to me whether HijackThis and/or Combofix etc actually found and repaired any malware type issues.
    Can you let me know? :)
    Thanks
    W.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    The malware issues were resolved.
  12. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Question...

    Bobbye,
    Thanks for help with the problem.
    Can you tell me what malware was found and removed please?
    This will help us to understand the main issue that caused the trouble.
    Regards
    W.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    No, I can't, William - I don't have time to go through all your logs again. You can do that.

    What is more important is not what malware you got but some of the reasons you got it.
    Three prime reasons:

    Multiple antivirus programs running: RAV, Norton and Avira
    P2P or 'file sharing': Limewire
    Excessive Active X Objects (O16)

    Please see this for additional reasons:
    Please follow these simple steps to keep your computer clean and secure:
    1. Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

    System Restore Guide


    2. Stay current on updates:
    • Visit the Microsoft Download Site frequently.
      You should get all updates marked Critical and the current SP updates: Windows 2000 > SP4, Windows XP > SP2, SP3, Vista > SP2
    • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check this site often: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    3. Make Internet Explorer safer. Follow the suggestions HERE
    This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

    4. Remove Temporary Internet Files regularly: Use
    5. Use an AntiVirus Software (only one)
    6. Use a good, bi-directional firewall (one software firewall)
    • See Understanding and Using Firewalls including links to download a firewall.

    7. Consider these programs for Extra Security
    • Spywareblaster:
    • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
    • IE/Spyad
    • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • MVPS Hosts file: This replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
    • Google Toolbar: Get the free Google toolbar to help stop pop up windows.

    If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention back to the thread.
  14. NineMilesHigh

    NineMilesHigh TS Rookie Topic Starter Posts: 56

    Thanks. This is all useful advice - the vast majority of which I do by default (apart from Limewire and all those activeX objects - both of which I have now addressed).
    PC much more stable. Very useful input from you and your colleagues.
    A few other issues I am trying to address in other threads, but they are not showstoppers at the moment.

    W.