HijackThis log help required - Malware causing system crash /hang /system slow

Status
Not open for further replies.
Cleaned up ActiveX controls

Hi,
I have cleaned up the ActiveX controls (O16's) as advised.
I have posted the latest HijackThis below. I would be grateful if you could take another look.
The MBR rootkit issue appears to have gone, as you say.
Question:- At what point was this fixed? Was it on the previous Combofix run, because I was expecting to have to do an "mbr.exe -f" to fix it but at no time did we do that.
So I can only presume you guys did this from within Combofix. Can you confirm, as I just want to be sure we have taken specific action to get rid of it. Thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:12:04, on 02/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\dlcgcoms.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\1175191946\ee\AOLSoftware.exe
C:\WINDOWS\system32\DeltTray.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Avira\AntiVir Desktop\avcenter.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\DOCUME~1\William\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {56CF4856-ECB4-4e46-A897-A378821F97B9} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O2 - BHO: (no name) - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1175191946\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [DLCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCGtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcgmon.exe] "C:\Program Files\Dell AIO 810\dlcgmon.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92297B56-E83F-4818-BDF8-39A7F355CEAA}: NameServer = 192.168.2.17,213.208.106.213
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: dlcg_device - - C:\WINDOWS\system32\dlcgcoms.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7643 bytes
 
Thank you for the assistance kritius.

For the future, don't put here:
C:\DOCUME~1\William\LOCALS~1\Temp\Temporary Directory 2 for HiJackThis.zip\HijackThis.exe

HJT backs up the entries that get removed. If temp files get deleted, so do they.

Active X section looks much better! Time to finish up. Regarding the 'rootkit', if you look at the first 2 Combofix reports, it is telling you 'there might be'. Since the last report does not have this, it was not a rootkit and whatever prompted Combofix is now gone.

There are several BHO (02) entries showing 'no file'. That does not mean there is no file. The ones I checked were all legitimate. If you want to see if any are for programs you've removed, copy the CID (example {CDEEC43D-3572-4E95-A2A5-F519D29F00C0}) into this site:
http://www.systemlookup.com/search.php?type=clsid

Remove all of the tools we used and the files and folders they created
  • Download OTCleanIt by OldTimer
  • Save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes.

You should now set a new Restore Point to prevent infection from any previous Restore Points. The easiest and safest way to do this is:
  • Go to Start > All Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the Restore Point a name then click "Create". The new Restore Point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Go to "Disk Cleanup" which can be found by going to Start > All Programs > Accessories > System Tools.
  • Click "OK" to select the partition or drive you desire.
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

You might want to delete all those AOL groups. Then run this:

TFC (Temp File Cleaner)

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

Empty the Recycle Bin

If I can help you in the future, please let me know. stay safe.
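The post above suggests copying the CLSID of each O2 entry that shows '(no file)' into a lookup site, and the ActiveX (O16) controls were cleaned up by hand. As an added example that is not part of the original thread, the following Python script pulls those items out of a HijackThis log automatically. The SAMPLE_LOG lines are copied from the log posted earlier in this thread; the function names are mine. It also lists O17 nameservers outside private address ranges (the log above has one, 213.208.106.213, which is worth confirming as the ISP's resolver rather than assuming anything about it) and O23 services whose binary is missing.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelperShim.dll
O2 - BHO: (no name) - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - (no file)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{92297B56-E83F-4818-BDF8-39A7F355CEAA}: NameServer = 192.168.2.17,213.208.106.213
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir Desktop\\avguard.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\\WINDOWS\\System32\\CTsvcCDA.exe (file missing)
"""

# A CLSID in braces, e.g. {CDEEC43D-3572-4E95-A2A5-F519D29F00C0}
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis entry prefix: "O2 - ...", "R1 - ...", "O23 - ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Group log lines by entry type (O2, O16, ...); returns type -> list of entry bodies."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return entries


def orphaned_bhos(entries):
    """CLSIDs of O2 (BHO) entries whose DLL no longer exists: the ones to look up."""
    found = []
    for body in entries.get("O2", []):
        if body.endswith("(no file)"):
            m = CLSID_RE.search(body)
            if m:
                found.append(m.group(0))
    return found


def activex_downloads(entries):
    """O16 DPF entries as (CLSID, friendly name, download URL) tuples."""
    found = []
    for body in entries.get("O16", []):
        m = re.match(r"DPF: (\{[^}]+\}) \((.*?)\) - (\S+)$", body)
        if m:
            found.append((m.group(1), m.group(2), m.group(3)))
    return found


def public_nameservers(entries):
    """O17 NameServer addresses outside the private (RFC 1918) ranges; verify these against your ISP or router."""
    found = []
    for body in entries.get("O17", []):
        m = re.search(r"NameServer = ([\d.,]+)", body)
        if not m:
            continue
        for raw in m.group(1).split(","):
            try:
                addr = ipaddress.ip_address(raw.strip())
            except ValueError:
                continue  # malformed token, skip rather than crash on a damaged log
            if not addr.is_private:
                found.append(str(addr))
    return found


def missing_services(entries):
    """O23 services whose executable is absent: stale registrations left behind by removed software."""
    return [body for body in entries.get("O23", []) if body.endswith("(file missing)")]


def summarize(text):
    """Run every check over a log and return the findings keyed by check name."""
    entries = parse_hjt(text)
    return {
        "orphaned_bhos": orphaned_bhos(entries),
        "activex_downloads": activex_downloads(entries),
        "public_nameservers": public_nameservers(entries),
        "missing_services": missing_services(entries),
    }


if __name__ == "__main__":
    for name, items in summarize(SAMPLE_LOG).items():
        print(name)
        for item in items:
            print("   ", item)
```

Feed it a full log saved from HijackThis (read the file and pass its contents to summarize) and paste the orphaned CLSIDs into the lookup site one at a time; the O16 list is the set of controls that were cleaned up in this thread.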
 
Ran OTCleanIt - new problem which then cleared.

Hi, I followed your procedure to run OTCleanIt, which ran and requested a reboot.
After reboot system reports no Firewall is turned on (I have Windows Firewall). Security Center gives you an option to 'Enable Now' the Firewall - but it said it could not enable it.
Clicking on Windows Firewall in Control Panel said 'Windows could not display the Firewall settings'. I tried to stop the Windows Firewall service - in Admin Tools ( to then restart it) but it could not stop it. I then tried a procedure from MS to address this problem:- from cmd, to run dll32 setupapi,installHinfSection..etc... etc... and it failed to install.
Tried to open Internet Explorer -- double-click did nothing.
Then a few minutes later, for no reason that I could see, the Firewall suddenly turned on. This was about 15 mins after the reboot.
Any thoughts/advice?
Regards
William
 
Any thoughts/advice?

Yes. Disable the Windows firewall.

Get either of these free and good firewalls. Both are better than the Windows firewall:
You should have a bi-directional firewall:
A firewall is an important part of "layered security" in addition to an antivirus and anti-malware program for spyware/adware.
  • It can be a software program (Windows firewall, Comodo firewall, Zone Alarm firewall)
  • or hardware (as in a router) that helps screen out hackers, viruses, and worms that try to reach your computer over the Internet.
  • If you have a bi-directional firewall, it will 'listen' at both the ports coming in and the ports going out. This means that if malware does get on the system and tries to access the internet from within your system, it will be blocked.

I recommend either of these software firewalls. Both are free; use only one:
 
Firewall problem still there

Hi,
Tried a reboot to see if Firewall problem had gone.
Problem is still there - this time nothing seems to bring it back on.
Tried the 'netsh winsock reset' from the cmd prompt mentioned in another thread - asks for a reboot, after which Firewall problem is still there.
W.
Oops - just before I went to post this, the firewall mysteriously turned on.
Any idea what's going on?
Thanks
W.
 
More info

I understand why you recommend a better Firewall and I will certainly take your advice.
However this current problem I think is more than a Firewall problem.
When the problem is evident, I cannot even launch Internet Explorer or AOL.
Also I started up MalwareBytes AntiMalware to do a scan and it just sat 'Initialising the program' and wouldn't start the scan.
Any app seems to hang.
When the Firewall suddenly sorted itself, MBAM now works and IE now works - everything seems fine.
So I think the Firewall not working is symptom of a wider issue where apps are hanging.
What do you think?
Regards
W.
 
Copy and paste the following into notepad.

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001

Save it as firewall.reg, double click and merge it with your registry. Is the firewall started now?
 
Firewall update

Hi. Thanks for suggestion.

I carried out this procedure and then checked in the registry that this Firewall parameter was indeed set to 1.
After a reboot, the problem is the same - no firewall turns on. :(
At this point, Word and other apps can run ok, but IE will not start.
After about 10 or 15 mins, the desktop flickers (like a kind of 'reset') and then the firewall turns on and IE (which I tried to start 10 mins ago) suddenly springs to life.
Regards
W.
 
Original problem query

Whilst pondering the Firewall issue, can you tell me what fundamental issues were actually found with my original problem of hangs/slow/crashes?
I know we cleared up a number of apps (probably conflicting virus progs etc, which did not all show up in Add/Remove progs), got rid of Limewire, cleared away numerous ActiveX components etc, and this has helped the PC, no doubt. But it is not clear to me whether HijackThis and/or Combofix etc actually found and repaired any malware type issues.
Can you let me know? :)
Thanks
W.
 
Question...

Bobbye,
Thanks for help with the problem.
Can you tell me what malware was found and removed please?
This will help us to understand the main issue that caused the trouble.
Regards
W.
 
No, I can't, William. I don't have time to go through all your logs again. You can do that.

What is more important is not what malware you got but some of the reasons you got it.
Three prime reasons:

Multiple antivirus programs running: RAV, Norton and Avira
P2P or 'file sharing: Limewire
Excessive Active X Objects (016)

Please see this for additional reasons:
Maintenance - what's that?

I think many users do as described here:

14 ways to get Infected without trying

A little bit of humour but also based on fact.

1) Look for cracks, subdivided in illegal software and .....

2) Practice unsafe hex, browse the web for free pOrn

3) Look for software that adds smileys to your posts, mail etc

4) Look for kewl skins, screensavers etc

5) Look for spyware removers, concentrate on the kind that makes you pay before it removes anything

6) Install a P2P program and repeat all of the above

7) You always want the best; use p2p to download anti-virus/firewall software.

8) Do NOT pay for anything, the internet is a place where you can steal anything from everyone without even saying as much as thank you

9) Don't have/use/update antivirus/security software

10) Look for pokergames, slotmachines and other gambling outfits

11) Look for ringtones and other stuff to bling your phone

12) Click on those unexpected links and attachments in email, because you're curious...

13) Do loan your laptop to the next door neighbour for the weekend and give him your Admin account login so he can get his project done with no hassles

14) Let the Babysitter use your laptop for 'schoolwork'

Thanks to Metallica for most of those and CalamityJane, bitman, Lonny, shelf life.

Please follow these simple steps to keep your computer clean and secure:
1.Disable and Enable System Restore: This will help you to drop the old restore points and set a new, clean one:

System Restore Guide


2.Stay current on updates:
  • Visit the Microsoft Download Site frequently.
    You should get all updates marked Critical and the current SP updates: Windows 2000 > SP4, Windows XP > SP2, SP3, Vista > SP2
  • Visit this Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
  • Check this site often: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

3.Make Internet Explorer safer. Follow the suggestions HERE
This Tutorial will help guide you through Configuring Security Settings, Managing Active X Controls and other safety features.

4.Remove Temporary Internet Files regularly.
5.Use an AntiVirus Software (only one)
6.Use a good, bi-directional firewall (one software firewall)
  • See Understanding and Using Firewalls including links to download a firewall.

7.Consider these programs for Extra Security
  • Spywareblaster:
  • SpywareBlaster protects against bad ActiveX. It places kill bits to stop bad Active X controls from being installed. Remember to update it regularly.
  • IE/Spyad
  • This places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts files This replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar Get the free google toolbar to help stop pop up windows.

If I can be of further assistance, please let me know. Help and support is only given in the forums but you can send a PM to me and bring my attention back to the thread.
 
Thanks. This is all useful advice - the vast majority of which I do by default (apart from Limewire and all those activeX objects - both of which I have now addressed).
PC much more stable. Very useful input from you and your colleagues.
A few other issues I am trying to address in other threads, but they are not showstoppers at the moment.

W.
 