system hangs for no apparent reason

Status
Not open for further replies.

yhzhuo

Posts: 17   +0
Hi, I'm new to these boards, but I'm truly amazed at the work you do here. Thanks so much for the information and help!

I've been having problems with my system of late; 2 weeks ago, my Norton/Symantec AV detected the infostealer.gampass malware, which after quite a bit of work, I seemed to have removed eventually using AVG Antispyware in Safe Mode.

Today, I'm facing another problem - my system just hangs after a little while if I plug in my internet connection. That's if I run normal mode. I'm running Safe Mode with Networking now to post this.

I've run a scan using AVG Antispyware and deleted two malicious looking spy/malwares, backdoor.agent.ahj and Trojan.Wow. Unfortunately, the problem persists. I'm attaching my hijackthis log file.

Please help?? Thanks!!!

I accidentally deleted my AVG Antispyware scan report.

AVG Antirootkit turned up nothing.

I'm attaching the combofix log file for reference as well.

Thanks a lot!
 
Hi

Your system is infected by a trojan and possibly some other malware.

First turn off system restore (XP/ME only). Learn how to do that HERE.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Run AVG antispyware scan and quarantine the items. See HERE for instructions.

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked":

O4 - HKCU\..\Policies\Explorer\Run: [333] C:\Syswm1i\svchost.exe
O4 - HKCU\..\Policies\Explorer\Run: [4] C:\SysWsj7\svchost.exe
O9 - Extra button: ?a¡¤???2¨º¨º¨®?¦Ì3?¨¢¡Â3??¨²??1??¡ä - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra 'Tools' menuitem: 2£¤¡ã?¦Ì?¨º¨® - {022C4009-5283-4365-97BF-144054B40E2E} - http://itv.mop.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimport/ms/emailimport.cab
O23 - Service: 119DD52 - Unknown owner - C:\WINDOWS\system32\119DD52.EXE (file missing)

<edit> Please also locate the following folders and delete them, including their contents:
C:\Syswm1i\
C:\SysWsj7\

</edit>

Reboot into normal mode and rehide your OS files.

After that, I'd like you to do the following.

Please visit this link http://virusscan.jotti.org/
Click the Browse... button and navigate to the following file:
C:\Program Files\21cn\VGO\VGOIEBHO.dll
Click Open.
Please let me know the results.

After you have done the above, please post fresh HJT and AVG Antispyware logs as attachments into this thread.
 
Hi momok,

Thanks for your prompt reply.

AVG Antispyware turned up a few 'Medium' risk tracking cookies.

As for HijackThis, I deleted the 8 items you mentioned in your post. I've posted 'before' and 'after' logs for your reference.

virusscan.jotti.org reported 'Found nothing' for the file C:\Program Files\21cn\VGO\VGOIEBHO.dll.

I've deleted the two folders you mentioned, and re-hidden my OS files.

I have not re-enabled my System Restore as yet. Shall I do that?

Unfortunately, I am still unable to use internet in my normal mode; without connecting my LAN, things are fine, but once I connect it, it only takes a short while before my system hangs.

No identical/similar problem encountered so far using Safe Mode with Networking.

Thanks for the help!
 
Hello and welcome to Techspot.

For the 023 service momok told you to fix, do the following. Please forgive momok, he is only learning to do HJT logs and therefore he`s going to make mistakes from time to time.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

119DD52

Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

119DD52.EXE

Close task manager.

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

O23 - Service: 119DD52 - Unknown owner - C:\WINDOWS\system32\119DD52.EXE (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\119DD52.EXE

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log from normal mode.

momok: Simply fixing 023 entries doesn`t cut it I`m afraid. They are run as services and therefore the service needs to be stopped and disabled first.

Regards Howard :wave: :wave:

This thread is for the use of yhzhuo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi,

I'm terribly sorry about this, I've asked you to fix two entries that you shouldn't. Many thanks to Howard for informing me.

Please run HijackThis and go to > config > backups
Place a tick beside these 2 entries:

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

This will restore the two entries.

I'd like to ask about this entry in HJT:
O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://ps.itv.mop.com/update/update/GUpdate-1.0.0.10-signed.cab

Do you recognise the site, ie, use it? If not, please fix it.

Your HJT log appears clean to me. However, I cannot be sure if your system is fully clean, so I may I request you to post a fresh Combofix log too. Sorry I did not mention it in my previous post.

momok: Simply fixing 023 entries doesn`t cut it I`m afraid. They are run as services and therefore the service needs to be stopped and disabled first.
Regards Howard

Ah yes I just realised too not long ago. I am still reading some HJT tutorials online. =p Thanks.
 
Hi Howard/Momok,

Here're the results:

1) 119DD52 was already disabled in the services menu.
2) 119DD52 was not running in task manager
3) HijackThis did not report O23 - Service: 119DD52 - Unknown owner - C:\WINDOWS\system32\119DD52.EXE (file missing)
4) 119DD52.exe was not found in C:\WINDOWS\system32

I've posted a fresh HJT log for your reference. (While back in normal mode, my Internet Explorer hanged again, so I rebooted and did two HJT scans - one before I connect to the internet, and one after).

Also attached is a fresh Combofix log.

Momok: dont worry about the earlier mistaken instructions. I really appreciate the efforts you've put in. =)

(p/s: I still have not re-enabled system restore at this point in time.)

EDIT/UPDATE: :hotbounce :hotbounce
Hey folks,
My system seems to be working fine now! Everything seemed to work right after I deleted O16 - DPF: {FEE1002D-90A5-4A5D-AABE-01803FFBCF7A} - http://ps.itv.mop.com/update/update/....10-signed.cab using HijackThis.
Thanks a lot for the help!!!
Will still look forward to seeing your analyses on my HJT reports though. :giddy:
 
Have HJT fix this entry.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Other than that, your HJT log is clean.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of yhzhuo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi,

I believe your HJT log is clean.
With regards to combofix, I only have a nagging feeling about this particular entry - C:\WINDOWS\system32\mf3216.dll

Spent sometime researching on this file, and only Prevx detects it as malware. Not quite sure what to think of this, as I'm not an expert on combofix files. (I only checked all the entries for you in google)

Otherwise, your system should be clean, that is if you had 'unhide' all files and folders before searching for C:\WINDOWS\system32\119DD52.EXE

I believe Howard would be able to help out more.

PS. I have a hunch that your IE problems are unrelated to malware. I'm no expert on such problems though. perhaps you could provide more details on how your IE hangs/what pops up etc?
 
Here is some info on the mf3216.dll file. Prevx often is the only one to say something is nasty. That`s why it pays to research more thoroughly.

mf3216.dll
Filename Startup entry
mf3216.dll
mf3216.dll comes with a clean install of Microsoft Windows 2000 Professional. mf3216.dll is located in "C:\WINNT\system32\". [Edit]

Filename Startup entry
mf3216.dll
mf3216.dll comes with a clean install of Microsoft Windows 2000 Professional. mf3216.dll is located in "C:\WINNT\system32\dllcache\". [Edit]

On Windows XP it is also in the system32 folder.

If you`re still in any doubt, have the file checked over at Jotti`s.

Please visit this link http://virusscan.jotti.org/
* Click the Browse... button
* Navigate to the following file C:\WINDOWS\system32\mf3216.dll

* Click Open
* Please let me know the results.

Regards Howard :)

This thread is for the use of yhzhuo only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Ran the test over at Jotti's.

'Found nothing' for all scanners.

Thanks to both of you for all the assistance rendered!
 
Status
Not open for further replies.
Back