
Win XP3 Home Edition almost dead

2K views 3 replies 1 participant last post by  uncleserik 
#1 · (Edited by Moderator)
On August 23 the computer was scanned by AVG 8.0. A couple of Trojan Horse Droppers were found and placed in the vault. In panic, 2 Trojan Horse Droppers were moved into “My Lockbox” for better isolation. Immediately the computer became very slow. When the computer was turned on the next time, loading was very slow; Avast and AVG showed up on the taskbar and then the clock stopped, the keyboard was not responding, and clicking on the taskbar or screen didn’t help either. The only option was to turn it off using the power button. When the computer was turned on 5 minutes later it loaded pretty slowly but worked better. 3 different System Restore points were used to heal the computer but failed because something happened with the restore points. Restarting the computer failed and the computer was turned off by the power button again. On one occasion when the computer turned on successfully, “googling” showed that the AVG scan was falsely recognizing Trojan Horse Droppers. Based on that information, 2 files were restored from “My Lockbox” and the computer became more stable. It is still pretty slow during logging in or when opening any file [but it was never nimble in the last 3 years]; sometimes a “virtual memory full” message pops up followed by freezing [after Avast was removed the “virtual memory full” message was not noticed, and the first number following “Commit Charge” in the lower right corner of the Task Manager dropped from 800 to 580]; sometimes the Recycle Bin and all icons disappear for a couple of seconds when exiting Firefox.
Two Avast scans of the local drives revealed 11 issues (screenshot posted in Windows XP Support in an identically named thread at 09-02-2008 11:41 PM).

List of requested logs and information:

Step 1

I have not enough knowledge to crack anything. I recall that just a couple of times I visited “EZtorrent” and some site starting with “warez….”, but found nothing interesting. Bleepingcomputer.com – Freeware Replacements for Common Commercial Apps was visited multiple times (not registered) and some downloads were made: FastStone Capture 5.3; My Lockbox; SysMetrix; Unlocker 1.8.7; What’s Running.

I have: Avast antivirus free - removed
AVG 8.0 free - not removed
Comodo firewall pro free - not removed
SUPERAntiSpyware free - removed
CCleaner - not removed
Returnil - not removed

None of the listed malware which should be removed from the Add / Remove Programs tab was found. Symantec products were used from day one but removed 3 months ago after the subscription almost expired. Norton Internet Security and Norton SystemWorks were deleted because they were too heavy, freezing and slowing down the PC dramatically, and not updating.

Step 2

Panda ActiveScan 2.0 was downloaded and updated. AVG Resident Shield was turned off and Comodo Firewall disabled. After all preparation was finished, Scan Now was clicked.
Despite Comodo Firewall being disabled, several pop-up alerts showed up. Every time OK was clicked to let “Panda ActiveScan” perform its action.
All of a sudden the display turned black and a second later turned blue with the following text:
A problem has been detected and Windows has been shut down to prevent damage to your computer.
IRQL_NOT_LESS_OR_EQUAL
If this is the first time you’ve seen this error screen , restart your computer. If this screen opens again follow these steps:
- Check to make sure any new hardware or software is properly installed. If this is a new installation ask you hardware or software manufacturer for any windows updates you might need
- If problem continue disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components ,restart your computer , press F8 select advanced Startup Options and then select Safe Mode.
Technical information: * * * STOP: 00000000A ( 000000004 , 000000002 , 000000000 , 0804E67EDD ) [I’m not sure how many zeros were in front of the letter A]
Beginning dump of physical memory. Physical memory dump complete. Contact your system administrator or technical support group for further assistance.

The computer was turned off by the power button. A couple of minutes later it was turned on.
The following Microsoft error window appeared:
“System has recovered from a serious error.” The “Don’t send” option was chosen.
Comodo Firewall showed several pop-up messages. It was too fast and only the word “Dumpere” was noticed.
Panda Security was visited again and it showed an error report (screenshot attached).

Step 2 failed. Everything left as is.

Step 3

SpywareBlaster - loaded successfully
IE-SPYAD - loaded ZonedOut v3.5 and IE-SPYAD. [Looks like it also performed successfully. The only concern is where these 2 things are located.]


Step 4

No high-priority updates available.
Optional updates were checked but were ignored. (Anyway, the update for HP 2410 was not loading properly.)

Step 5

HijackThis scan performed. Surprisingly it took just a few seconds. [Therefore a “Trend Micro HijackThis” screenshot was made just in case.] There was some “Comodo Firewall” activity but OK was clicked all the time to let “HijackThis” perform any actions.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:43 PM, on 9/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\Returnil\Returnil.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Rvsystem] C:\PROGRA~1\Returnil\Returnil.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/se...0000049.000000bb&c=00000082.0000006e.00000143
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b5 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b5 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Lookup Word - C:\Program Files\QDictionary\dict.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: T&hesaurus - C:\Program Files\QDictionary\thes.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149562216109
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

--
End of file - 10106 bytes


I will try to attach 10 screenshots. I did my best, but anyway I’m not sure that the information is presented in the proper manner or that nothing is missing. Any advice will be deeply appreciated and I will try to dig down as far as asked, just please show in detail what kind of shovel should be used. Thank you!

Here are additional screenshots.
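The HijackThis log posted above has a regular line format (a section code such as R0, O4, O20 or O23, then a body whose layout depends on the section), and the entries a helper will look at first are the autostart surface: Run/RunOnce keys and startup folders (O4), AppInit_DLLs (O20), services with no recognised owner (O23), and processes that appear more than once. The following parser is an added example written for this thread; it is not code from the thread, the forum, or Trend Micro. It assumes the HijackThis 2.0.2 line layout shown above and uses a constructed sample made of a subset of the log's own lines; the summary keys (`runonce`, `unqualified`, `appinit_dlls`, `unknown_owner_services`, `duplicate_processes`) are names chosen for this example.

```python
"""Parse a Trend Micro HijackThis 2.0.2 log and summarise its autostart surface.
Added example for triage practice; not code from the thread or from Trend Micro."""
import re
from collections import Counter

# Constructed sample: a subset of the lines from the log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:43 PM, on 9/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d (User 'SYSTEM')
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll,avgrsstx.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe

--
End of file - 10106 bytes
"""

# "O4 - <body>", "R1 - <body>", ... : section code, then the section-specific body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 registry form:  HKLM\..\Run: [name] command   (optionally "(User '...')" at the end)
O4_REG_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 startup-folder form:  Global Startup: link.lnk = command
O4_DIR_RE = re.compile(r"^(?P<folder>.+ Startup): (?P<link>.+?) = (?P<cmd>.*)$")
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")


def parse_hjt(text):
    """Split a log into (running_processes, [(section_code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # the process list ends at the first blank line
            if line:
                processes.append(line)
            else:
                in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def _split_user(cmd):
    """Strip the trailing "(User '...')" annotation HijackThis adds to per-user hives."""
    m = USER_RE.search(cmd)
    return (cmd[: m.start()], m.group("user")) if m else (cmd, None)


def parse_o4(body):
    """Normalise both O4 forms to {location, name, command, user}."""
    m = O4_REG_RE.match(body)
    if m:
        cmd, user = _split_user(m.group("cmd"))
        return {"location": m.group("hive") + "\\" + m.group("key"),
                "name": m.group("name"), "command": cmd, "user": user}
    m = O4_DIR_RE.match(body)
    if m:
        cmd, user = _split_user(m.group("cmd"))
        return {"location": m.group("folder"), "name": m.group("link"),
                "command": cmd, "user": user}
    return None


def parse_o23(body):
    """O23 - Service: <display name> - <owner> - <image path>."""
    if not body.startswith("Service: "):
        return None
    parts = body[len("Service: "):].split(" - ", 2)
    if len(parts) != 3:
        return None
    return {"name": parts[0], "owner": parts[1], "path": parts[2]}


def review(text):
    """Return the items a helper would check first when reading such a log."""
    processes, entries = parse_hjt(text)
    autoruns = [a for a in (parse_o4(b) for c, b in entries if c == "O4") if a]
    services = [s for s in (parse_o23(b) for c, b in entries if c == "O23") if s]
    counts = Counter(p.lower() for p in processes)   # Windows paths are case-insensitive
    appinit = [d.strip() for c, b in entries if c == "O20" and b.startswith("AppInit_DLLs: ")
               for d in b[len("AppInit_DLLs: "):].split(",")]
    return {
        "autoruns": autoruns,
        # RunOnce entries disappear after one boot, so they are worth recording now.
        "runonce": [a["name"] for a in autoruns if a["location"].endswith("RunOnce")],
        # A bare file name is resolved through the search path rather than a fixed location.
        "unqualified": [a["name"] for a in autoruns
                        if "\\" not in (a["command"].split() or [""])[0]],
        "appinit_dlls": appinit,      # loaded into every process that links user32.dll
        "unknown_owner_services": [s for s in services if s["owner"] == "Unknown owner"],
        "duplicate_processes": {p: n for p, n in counts.items() if n > 1},
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(key, "->", value)
```

On the sample this reports the `AlcxMonitor` entry as the only autorun started by bare file name, the two services HijackThis could not attribute to a vendor, the two AppInit DLLs, the SYSTEM RunOnce entry, and `Ati2evxx.exe` and `cli.exe` as processes running more than once; none of that is a verdict, it is the shortlist a helper would compare against the vendor paths before asking for anything to be fixed.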
#2 ·
BUMP according to guidelines.
Sometimes the Recycle Bin icon and SysMetrix clock disappear for 0.1 sec – 0.8 sec when minimizing Firefox.
AVG Resident Shield Detection reported:
Virus found Win32/Heur - C:\Program Files\FXDD-Metatrader 4 demo\liveupdate\Metalang,exe - moved to Virus Vault – 9/7/2008, 10:49:56 PM.
Immediately after “Avast” was removed the computer ran better, but it is scary to see what AVG Resident Shield Detection recognized. Computer use for now is very limited, to prevent any further infection spreading beyond the current repair condition, and in hope of expert help.
Also, if you happen to notice anything else, please help me clean or remove it. Thanks in advance!
 
#3 ·
BUMP second time.

According to AVG it is getting crowded. I feel packed by infection like fish in a can.

AVG Resident shield detection

Infections - Trojan horse BackDoor.Generic10.KJH ; Trojan horse BackDoor.Generic10.KJH
Objects - C:\Program Files\Unlocker\eBay_shortcuts_1016.exe ; C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC9}\RP782\Ao133181.exe
Results - Both moved to Virus Vault manually
Detection time - 9/25/2008, 11:46:03 PM ; 9/26/2008, 12:12:41 AM
Object Type - file
Process - C:\Program Files\Windows Defender\MsMpEng.Exe ; C:\Program Files\Windows Defender\MsMpEng.Exe
Thanks for the help!
 
#4 ·
Bump third time. Exactly a month has passed.
Guys, I’m not blaming anybody for the delay, because it is clear that there are too many requests in the hands of just a few volunteers. It was big-time PANIC in the beginning. I’m not capable of helping myself, but it has turned better now.
I’m still concerned with the Trojan Horses detected by AVG Resident Shield. Why did the Panda scan stop? Is it just an error? Do I have keyloggers?
Thanks!
 