blueboxit
asked on
Possible malicious program - winlogon.exe 100% CPU usage
Greetings all...
I am working on a customer's PC and I'm pretty stuck trying to diagnose what is happening. Winlogon.exe uses 50% to 100% of the CPU processing time as soon as Windows loads.
Info:
I started work on the PC after the customer reported his computer was very slow, often froze and even fell victim to the dreaded BSOD. I ran Ewido Micro, SpyBot S&D and Ad-Aware, both in Safe Mode and with Windows loaded normally. They picked up quite a few malicious programs and happily deleted them all.
Running the anti-spyware scans again showed the PC to be clean but there were still symptoms of infection. If I connected it to the network and launched IE7, a fake anti-spyware program would launch with an icon in the system tray. It showed a warning that the PC was infected and then openned a new IE browser showing the website for the fake software. Unfortunately I did not take any notice of the program's name and force quit the advert. The system tray icon seemed to disappear at the same time and I can't get it to show itself any more.
It was at this point that I noticed winlogon.exe was using so much of the CPU. I have been searching for solutions on Google and found nothing that would point to an easy fix. I did how ever, find that malicious programs may use the winlogon.exe shell to run. I came across many people suffering from this file taking up a lot of CPU usage but the only progress they made was by posting their story on a site such as this!
Here are the HijackThis details from the PC:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:42, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.ex
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\system32\svchost.
C:\WINNT\system32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\System32\SCardSvr
C:\WINNT\SYSTEM32\DWRCS.EX
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService
C:\Program Files\Network Associates\VirusScan\Mcshi
C:\Program Files\Network Associates\VirusScan\VsTsk
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.e
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.e
C:\WINNT\System32\DLA\DLAC
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTA
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
C:\WINNT\system32\ctfmon.e
C:\Program Files\Trend Micro\HijackThis\HijackThi
C:\WINNT\system32\wbem\wmi
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O1 - Hosts: 170.46.20.102 swater01
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {465C55EC-203F-44F6-8482-E
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O2 - BHO: (no name) - {59CD51E3-D51B-487D-BBA7-C
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NC
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.e
O4 - HKLM\..\Run: [DLA] C:\WINNT\System32\DLA\DLAC
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTA
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-21-1614895754-1
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O14 - IERESET.INF: START_PAGE_URL=https://apps.quantumclothing.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O20 - Winlogon Notify: niluinyl - C:\WINNT\SYSTEM32\d3d9w.dl
O20 - Winlogon Notify: tt - C:\WINNT\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EX
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\Conversions Plus\FORMATM.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshi
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTsk
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NC
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
--
End of file - 8344 bytes
Thank you for any help or ideas!
Charlie.
I am working on a customer's PC and I'm pretty stuck trying to diagnose what is happening. Winlogon.exe uses 50% to 100% of the CPU processing time as soon as Windows loads.
Info:
I started work on the PC after the customer reported his computer was very slow, often froze and even fell victim to the dreaded BSOD. I ran Ewido Micro, SpyBot S&D and Ad-Aware, both in Safe Mode and with Windows loaded normally. They picked up quite a few malicious programs and happily deleted them all.
Running the anti-spyware scans again showed the PC to be clean but there were still symptoms of infection. If I connected it to the network and launched IE7, a fake anti-spyware program would launch with an icon in the system tray. It showed a warning that the PC was infected and then openned a new IE browser showing the website for the fake software. Unfortunately I did not take any notice of the program's name and force quit the advert. The system tray icon seemed to disappear at the same time and I can't get it to show itself any more.
It was at this point that I noticed winlogon.exe was using so much of the CPU. I have been searching for solutions on Google and found nothing that would point to an easy fix. I did how ever, find that malicious programs may use the winlogon.exe shell to run. I came across many people suffering from this file taking up a lot of CPU usage but the only progress they made was by posting their story on a site such as this!
Here are the HijackThis details from the PC:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:19:42, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.ex
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\system32\svchost.
C:\WINNT\system32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\System32\SCardSvr
C:\WINNT\SYSTEM32\DWRCS.EX
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService
C:\Program Files\Network Associates\VirusScan\Mcshi
C:\Program Files\Network Associates\VirusScan\VsTsk
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.e
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.e
C:\WINNT\System32\DLA\DLAC
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTA
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
C:\WINNT\system32\ctfmon.e
C:\Program Files\Trend Micro\HijackThis\HijackThi
C:\WINNT\system32\wbem\wmi
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O1 - Hosts: 170.46.20.102 swater01
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {465C55EC-203F-44F6-8482-E
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O2 - BHO: (no name) - {59CD51E3-D51B-487D-BBA7-C
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NC
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.e
O4 - HKLM\..\Run: [DLA] C:\WINNT\System32\DLA\DLAC
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTA
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-21-1614895754-1
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O14 - IERESET.INF: START_PAGE_URL=https://apps.quantumclothing.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O20 - Winlogon Notify: niluinyl - C:\WINNT\SYSTEM32\d3d9w.dl
O20 - Winlogon Notify: tt - C:\WINNT\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EX
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\Conversions Plus\FORMATM.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshi
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTsk
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NC
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
--
End of file - 8344 bytes
Thank you for any help or ideas!
Charlie.
Do you recognize this entry here as well?
O1 - Hosts: 170.46.20.102 swater01 (based on your 017 entries)
No info on Google.....
O2 - BHO: (no name) - {59CD51E3-D51B-487D-BBA7-C
This is odd...
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O1 - Hosts: 170.46.20.102 swater01 (based on your 017 entries)
No info on Google.....
O2 - BHO: (no name) - {59CD51E3-D51B-487D-BBA7-C
This is odd...
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
Also, do this for me....
Start>run>cmd
paste the following line in....
reg query "hklm\SOFTWARE\Microsoft\W
Curious to see whether or not there might be other things under Winlogon.....
Start>run>cmd
paste the following line in....
reg query "hklm\SOFTWARE\Microsoft\W
Curious to see whether or not there might be other things under Winlogon.....
Your hijackthis log has multiple infections
--------------------------
Please download VundoFix.exe to your desktop.
--------------------------
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt
--------------------------
Download Combofix and save it to your desktop.
--------------------------
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Upload the Log To any Free web Hosting
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
--------------------------
--------------------------
Please download VundoFix.exe to your desktop.
--------------------------
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt
--------------------------
Download Combofix and save it to your desktop.
--------------------------
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Note: It is important that it is saved directly to your desktop
Close any open browsers.
Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Upload the Log To any Free web Hosting
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
--------------------------
ASKER
Thank you for your quick responses.
johnb6767:
SUPERAntiSpyware found 6 malicious items and around 60 tracking cookies, which were deleted.
'swater01' is the name of the customer's server so that shouldn't be a problem.
Running the reg query displayed the following: http://img.photobucket.com/albums/v109/Rozzo/Winlogonregquery.jpg
devil_himself:
VundoFix found nothing! Probably because I ran SUPERAntiSpyware before it. The log is as follows.
VundoFix V6.6.1
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Scan started at 15:26:16 11/14/2007
Listing files found while scanning....
No infected files were found.
The ComboFix log can be downloaded here: http://files.filefront.com/ComboFixtxt/;9041492;/fileinfo.html
The computer still suffers from the original problem. Here is an up-to-date HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:56, on 2007-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\SYSTEM32\DWRCS.EX
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService
C:\Program Files\Network Associates\VirusScan\Mcshi
C:\Program Files\Network Associates\VirusScan\VsTsk
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.e
C:\WINNT\system32\wuauclt.
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.e
C:\WINNT\System32\DLA\DLAC
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTA
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
C:\WINNT\system32\ctfmon.e
C:\Program Files\Trend Micro\HijackThis\HijackThi
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NC
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.e
O4 - HKLM\..\Run: [DLA] C:\WINNT\System32\DLA\DLAC
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTA
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-21-1614895754-1
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O14 - IERESET.INF: START_PAGE_URL=https://apps.quantumclothing.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O20 - Winlogon Notify: tt - C:\WINNT\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EX
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\Conversions Plus\FORMATM.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshi
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTsk
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NC
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
--
End of file - 7991 bytes
Mank thanks for your support.
johnb6767:
SUPERAntiSpyware found 6 malicious items and around 60 tracking cookies, which were deleted.
'swater01' is the name of the customer's server so that shouldn't be a problem.
Running the reg query displayed the following: http://img.photobucket.com/albums/v109/Rozzo/Winlogonregquery.jpg
devil_himself:
VundoFix found nothing! Probably because I ran SUPERAntiSpyware before it. The log is as follows.
VundoFix V6.6.1
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Scan started at 15:26:16 11/14/2007
Listing files found while scanning....
No infected files were found.
The ComboFix log can be downloaded here: http://files.filefront.com/ComboFixtxt/;9041492;/fileinfo.html
The computer still suffers from the original problem. Here is an up-to-date HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:56, on 2007-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon
C:\WINNT\system32\services
C:\WINNT\system32\lsass.ex
C:\WINNT\system32\svchost.
C:\WINNT\System32\svchost.
C:\WINNT\system32\spoolsv.
C:\WINNT\SYSTEM32\DWRCS.EX
C:\Program Files\Common Files\LightScribe\LSSrvc.e
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService
C:\Program Files\Network Associates\VirusScan\Mcshi
C:\Program Files\Network Associates\VirusScan\VsTsk
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.e
C:\WINNT\system32\wuauclt.
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.e
C:\WINNT\System32\DLA\DLAC
C:\Program Files\McAfee\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTA
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
C:\WINNT\system32\ctfmon.e
C:\Program Files\Trend Micro\HijackThis\HijackThi
R0 - HKCU\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
R1 - HKCU\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-2
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FRYMXINS] "C:\Program Files\ATI Technologies\Fire GL 3D Studio Max\atiimxgl"
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NC
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.e
O4 - HKLM\..\Run: [DLA] C:\WINNT\System32\DLA\DLAC
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTA
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.e
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\S-1-5-21-1614895754-1
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User '?')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O14 - IERESET.INF: START_PAGE_URL=https://apps.quantumclothing.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-0
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {E6ACF817-0A85-4EBE-9F0A-0
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\Software\..\Telephony
O17 - HKLM\System\CCS\Services\T
O17 - HKLM\System\CS1\Services\T
O17 - HKLM\System\CS2\Services\T
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O20 - Winlogon Notify: tt - C:\WINNT\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EX
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.e
O23 - Service: MacFormatService - DataViz Inc. - C:\Program Files\Conversions Plus\FORMATM.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshi
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTsk
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NC
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
--
End of file - 7991 bytes
Mank thanks for your support.
Did you run SAS in Safe mode?
Did you intentionally install Nircmd.exe? If not, remove it....
Verify these are in fact gone....
C:\WINNT\system32\atitvo32
C:\WINNT\system32\d3d9w.dl
C:\WINNT\system32\d3d9w.dl
C:\WINNT\system32\drivers\
C:\WINNT\system32\drivers\
C:\WINNT\system32\drivers\
C:\WINNT\system32\drivers\
Look in regedit under the following keys for the services and drivers listed........
HKEY_LOCAL_MACHINE\SYSTEM\
HKEY_LOCAL_MACHINE\SYSTEM\
-------\LEGACY_IOUOKFJJ
-------\LEGACY_POOF
-------\LEGACY_WMRLHJHI
-------\iouokfjj
-------\wmrlhjhi
Or just search the registry for the above values....
DO ALL THIS IN SAFE MODE!!
Did you intentionally install Nircmd.exe? If not, remove it....
Verify these are in fact gone....
C:\WINNT\system32\atitvo32
C:\WINNT\system32\d3d9w.dl
C:\WINNT\system32\d3d9w.dl
C:\WINNT\system32\drivers\
C:\WINNT\system32\drivers\
C:\WINNT\system32\drivers\
C:\WINNT\system32\drivers\
Look in regedit under the following keys for the services and drivers listed........
HKEY_LOCAL_MACHINE\SYSTEM\
HKEY_LOCAL_MACHINE\SYSTEM\
-------\LEGACY_IOUOKFJJ
-------\LEGACY_POOF
-------\LEGACY_WMRLHJHI
-------\iouokfjj
-------\wmrlhjhi
Or just search the registry for the above values....
DO ALL THIS IN SAFE MODE!!
It is good we use CFscript to delete all the bad items using combofix ... but as you have done it manually so now just leave it ...
do some online scans
--------------------------
Run Kaspersky online virus scan Kaspersky Online Scanner.
http://www.kaspersky.com/virusscanner
After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
Note: You have to use Internet Explorer to do the online scan.
--------------------------
After the scan post a new hijackthis log ...
do some online scans
--------------------------
Run Kaspersky online virus scan Kaspersky Online Scanner.
http://www.kaspersky.com/virusscanner
After the updates have downloaded, click on the "Scan Settings" button.
Choose the "Extended database" for the scan.
Under "Please select a target to scan", click "My Computer".
Note: You have to use Internet Explorer to do the online scan.
--------------------------
After the scan post a new hijackthis log ...
Just by looking at the hijackthis log......haven't read the combofix log yet...the upload link is really slow on my pc..it's still loading.
Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip
*Click on Avenger.zip to open the file
*Extract avenger.exe to your desktop
Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy,then paste the following text(all text between the lines below):
--------------------------
Files to delete:
C:\WINNT\SYSTEM32\d3d9w.dl
Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Wi
HKLM\SOFTWARE\Microsoft\Wi
--------------------------
Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.
And have Hijackthis fixed these entries below: (usually hiajckthis can manage to get rid of 02 entries as long as there are no 020 match, unless the match is hiding.
O2 - BHO: (no name) - {465C55EC-203F-44F6-8482-E
O2 - BHO: (no name) - {59CD51E3-D51B-487D-BBA7-C
Please download The Avenger by Swandog46 to your Desktop.
http://swandog46.geekstogo.com/avenger.zip
*Click on Avenger.zip to open the file
*Extract avenger.exe to your desktop
Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy,then paste the following text(all text between the lines below):
--------------------------
Files to delete:
C:\WINNT\SYSTEM32\d3d9w.dl
Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Wi
HKLM\SOFTWARE\Microsoft\Wi
--------------------------
Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.
Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.
And have Hijackthis fixed these entries below: (usually hiajckthis can manage to get rid of 02 entries as long as there are no 020 match, unless the match is hiding.
O2 - BHO: (no name) - {465C55EC-203F-44F6-8482-E
O2 - BHO: (no name) - {59CD51E3-D51B-487D-BBA7-C
-------\LEGACY_IOUOKFJJ
-------\LEGACY_POOF
-------\LEGACY_WMRLHJHI
-------\iouokfjj
-------\wmrlhjhi
those drivers/services are bad yeah....
C:\WINNT\system32\pmhtvoet
>>Did you intentionally install Nircmd.exe? If not, remove it....<<
that file is okay, it's one of the files that combofix installed.
Was the hijackthis scan done before combofix? combofix.txt shows that the file I suggested to be deleted has already been deleted.
Try running SDFix and we'll see what it comes up with.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back
Also run this one, let's see what the log shows.(option 1 only list entries and won't delete anything)
Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip
* Extract its contents to the desktop.
* Double click on navilog1.exe to install it on your computer.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time)
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.
* The report is also saved in the root of the directory, "%SystemDrive% ixnavi.txt". (usually C: ixnavi.txt)
-------\LEGACY_POOF
-------\LEGACY_WMRLHJHI
-------\iouokfjj
-------\wmrlhjhi
those drivers/services are bad yeah....
C:\WINNT\system32\pmhtvoet
>>Did you intentionally install Nircmd.exe? If not, remove it....<<
that file is okay, it's one of the files that combofix installed.
Was the hijackthis scan done before combofix? combofix.txt shows that the file I suggested to be deleted has already been deleted.
Try running SDFix and we'll see what it comes up with.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back
Also run this one, let's see what the log shows.(option 1 only list entries and won't delete anything)
Please download Navilog1 by IL-MAFIOSO:
http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip
* Extract its contents to the desktop.
* Double click on navilog1.exe to install it on your computer.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double click on Navilog1 shortcut on your desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time)
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.
* The report is also saved in the root of the directory, "%SystemDrive% ixnavi.txt". (usually C: ixnavi.txt)
ASKER
I have had to take the PC back to the customer so he can do some work this week. I will be able to continue work on it on Friday afternoon at the earliest.
Thanks for all the support. I will hopefully be able to post an update with the required data on Friday.
Thanks for all the support. I will hopefully be able to post an update with the required data on Friday.
blueboxit,
I'd thought I'd mentioned, at the moment, Combofix is not to be used till further notice from its developer.
I'd thought I'd mentioned, at the moment, Combofix is not to be used till further notice from its developer.
ASKER
Hello, and sorry for not updating the thread.
A workmate of mine took control of the job while I was on holiday. He found that when running Windows Update it kept failing on one item; the Geniune Advantage Tool. He checked Add/Remove Programs and the tool was already installed, yet Windows Update didn't seem to detect it.
He did some research and discovered that what ever was happening to the Genuine Advantage application could be causing Winlogon.exe to work constantly. As of yet we don't know exactly what is going on but it is too much of a coincidence for these problems not to be related.
A workmate of mine took control of the job while I was on holiday. He found that when running Windows Update it kept failing on one item; the Geniune Advantage Tool. He checked Add/Remove Programs and the tool was already installed, yet Windows Update didn't seem to detect it.
He did some research and discovered that what ever was happening to the Genuine Advantage application could be causing Winlogon.exe to work constantly. As of yet we don't know exactly what is going on but it is too much of a coincidence for these problems not to be related.
O20 - Winlogon Notify: niluinyl - C:\WINNT\SYSTEM32\d3d9w.dl
The nasty random dll "d3d9w.dll" that was hooked with the winlogon notify key as john6767 first indicated was the obvious likely culprit for the winlogon high cpu to start with. There were other bad files as well that were removed, but that was the one that showed in the log.
Genuine Advantage tool problem must've been on top of those as well.
The nasty random dll "d3d9w.dll" that was hooked with the winlogon notify key as john6767 first indicated was the obvious likely culprit for the winlogon high cpu to start with. There were other bad files as well that were removed, but that was the one that showed in the log.
Genuine Advantage tool problem must've been on top of those as well.
ASKER
Ok, time for an update!
I've finally had time to work on the PC again and I've made a lot of ground.
The PC looked clean but something was still making winlogon.exe use 100% CPU time (displayed as 50% because of Hyper Threading). I read about Process Explorer and got myself the latest version. This allowed me to view all running processes and see in detail what each of them was doing. One of the threads for winlogon.exe was pointing to wsil32.dll and was using all the CPU time! I could select the thread, suspend it, and suddenly the CPU usage would drop to normal idle levels.
I started doing some research for wsil32.dll (located in %systemroot%/system32/Appc
The only thing left is to find out why this machine has this Appcert folder in system32, and what is trying to read wnl32.dll. AV scanners, etc still find nothing.
I've finally had time to work on the PC again and I've made a lot of ground.
The PC looked clean but something was still making winlogon.exe use 100% CPU time (displayed as 50% because of Hyper Threading). I read about Process Explorer and got myself the latest version. This allowed me to view all running processes and see in detail what each of them was doing. One of the threads for winlogon.exe was pointing to wsil32.dll and was using all the CPU time! I could select the thread, suspend it, and suddenly the CPU usage would drop to normal idle levels.
I started doing some research for wsil32.dll (located in %systemroot%/system32/Appc
The only thing left is to find out why this machine has this Appcert folder in system32, and what is trying to read wnl32.dll. AV scanners, etc still find nothing.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
blueboxit - I wanted to thank you for pointing out the Process Explorer tool. I had a similar virus, only with explorer.exe taking up 100% CPU. The thread that was found to be causing it was wsil32.dll. I had it scanned by http://virusscan.jotti.org/ which identified it as Trojan-downloader.Win32.Ag
O20 - Winlogon Notify: tt - C:\WINNT\
These 2 are more than likely responsible for the high CPU usage...
Install the following and update it. Then boot to Safe Mode to run it....
SUPERAntiSpyware.com - AntiAdware, AntiSpyware, AntiMalware!
http://www.superantispyware.com/
One of the best on the market (and it is free, although you can upgrade and get Real Time Protection).