
WinXP shutdown issues after trojan removal



Hi. I recently clicked on a piece of malware when I shouldn't have & gained a few new root folder files (90210.exe, iexploreXXX.exe) & a few corresponding registry entries. Presumably this is some kind of trojan.

I followed the forum template:

Ran MBAM, with current updates

Ran Avira anti-virus, with current updates

Ran DDS/GMER

And I also ran CC cleaner, Combofix & HijackThis

I'm reasonably certain that the malware is now gone. The computer is stable with no unexpected behavior. But the cleaning process seems to have "broken" two things. One is my computer's fingerprint reader (UPEK) software. That was easily fixed by uninstalling, then reinstalling the fingerprint reader software.

So the remaining issue is that shutting down or restarting Windows now takes 90 seconds, instead of the normal 2 - 3 seconds. No error messages during the shutdown & nothing that I can see in the Control Panel Event Viewer. The Windows shutdown appears clean, apart from the long delay. The subsequent boot is normal & uneventful. I had no shutdown or hibernation issues prior to adopting the malware & shutdown was also normal before the malware was removed. So it would seem that the shutdown issue is an artifact of the cleaning process.

Any help or insight into how I can troubleshoot the shutdown issue would be appreciated. Or steps you think should be pursued if you believe that malware may still be active.

This is a WinXP SP3 computer. MBAM/DDS logs below & GMER/HijackThis logs attached. Thanks.

----

MBAM log

Malwarebytes' Anti-Malware 1.43

Database version: 3509

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

07/01/2010 11:44:04 AM

mbam-log-2010-01-07 (11-44-04).txt

Scan type: Full Scan (C:\|D:\|F:\|)

Objects scanned: 198915

Time elapsed: 43 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

----

----

DDS log

DDS (Ver_09-12-01.01) - NTFSx86

Run by John at 11:47:09.01 on 07/01/2010

Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16

Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.3582.2421 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

svchost.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\JavaHMO\bin\Wrapper.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\java.exe

C:\Program Files\SigmaTel\C-Major Audio\DellXPM_5515v131\WDM\STacSV.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Fingerprint Reader Suite\psqltray.exe

C:\Program Files\Synaptics\SynTP\SynTPStart.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\Program Files\Dell\QuickSet\Quickset.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\DAEMON Tools Lite 4.12.2\daemon.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\John\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = file:///C:/Belfry/google%20black%20homepage.html

uInternet Settings,ProxyOverride = *.local

BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 7\SnagItBHO.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 7\SnagItIEAddin.dll

TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File

uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite 4.12.2\daemon.exe" -autorun

mRun: [PSQLLauncher] "c:\program files\fingerprint reader suite\launcher.exe" /startup

mRun: [synTPStart] c:\program files\synaptics\syntp\SynTPStart.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [Dell QuickSet] c:\program files\dell\quickset\Quickset.exe

mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"

mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab

DPF: {62789780-B744-11D0-986B-00609731A21D} - hxxp://vanmappub.vancouver.ca/download/mgaxctrl.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260862663546

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1260063864984

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab

Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

Notify: psfus - c:\windows\system32\psqlpwd.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 relog_ap

LSA: Notification Packages = scecli psqlpwd

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\John\applic~1\mozilla\firefox\profiles\g8vkkk1r.default\

FF - prefs.js: browser.startup.homepage - file:///C:/Belfry/google%20black%20homepage.html

FF - component: c:\program files\mozilla firefox\components\pbgk1_9.dll

============= SERVICES / DRIVERS ===============

R0 SscRdBus;Virtual bus device (SuperSpeed LLC);c:\windows\system32\drivers\SscRdBus.sys [2007-11-16 50944]

R0 SscRdCls;RAM Disk (SuperSpeed LLC);c:\windows\system32\drivers\SscRdCls.sys [2007-11-16 37504]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-10 11608]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-10 108289]

R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-10 185089]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-10 56816]

R2 JavaHMO;JavaHMO TiVo TCM;c:\program files\javahmo\bin\Wrapper.exe [2005-2-27 110592]

R2 TiVoBeacon2;TiVo Beacon;c:\program files\common files\tivo shared\beacon\TiVoBeacon.exe [2005-2-27 928768]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-1-13 38224]

R3 OEM04Afx;Provides a software interface to control audio effects of OEM004 camera.;c:\windows\system32\drivers\OEM04Afx.sys [2008-3-14 141376]

R3 OEM04Vfx;Creative Camera OEM004 Video VFX Driver;c:\windows\system32\drivers\OEM04Vfx.sys [2008-3-14 7424]

R3 OEM04Vid;Creative Camera OEM004 Driver;c:\windows\system32\drivers\OEM04Vid.sys [2008-3-14 234720]

S2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\drivers\diginet.sys --> c:\windows\system32\drivers\diginet.sys [?]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2009-5-27 42112]

S3 RTCore32;RTCore32;c:\program files\rmclock 2.35\RTCore32.sys [2008-3-18 4608]

S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [2008-6-7 3968]

S4 Olympus DVR Service;Olympus DVR Service;c:\program files\common files\olympus shared\devicemanager\olydvrsv.exe [2008-8-5 167936]

S4 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]

=============== Created Last 30 ================

2010-01-07 15:45:04 98816 ----a-w- c:\windows\sed.exe

2010-01-07 15:45:04 77312 ----a-w- c:\windows\MBR.exe

2010-01-07 15:45:04 261632 ----a-w- c:\windows\PEV.exe

2010-01-07 15:45:04 161792 ----a-w- c:\windows\SWREG.exe

2010-01-07 15:43:08 0 d-----w- C:\ComboFix

2010-01-07 08:43:17 578560 -c--a-w- c:\windows\system32\dllcache\user32.dll

2010-01-07 08:41:58 0 d-----w- c:\windows\ERUNT

2009-12-19 17:31:14 0 d-----w- c:\program files\Sling Media

2009-12-19 17:31:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Sling Media

2009-12-14 20:38:55 0 d-----w- c:\docume~1\John\applic~1\BitTorrent

2009-12-14 20:38:49 0 d-----w- c:\program files\BitTorrent

2009-12-12 23:00:10 0 d-----w- c:\program files\Mozilla

2009-12-11 04:11:04 0 d--h--w- c:\windows\system32\GroupPolicy

2009-12-11 04:07:07 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-12-11 04:07:05 0 d-----w- c:\program files\Avira

2009-12-11 04:07:05 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira

==================== Find3M ====================

2009-12-30 22:55:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-30 22:54:58 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-02 00:16:08 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys

2009-11-24 18:27:37 395744 ----a-w- c:\windows\system32\drivers\timntr.sys

2009-11-24 18:27:37 39264 ----a-w- c:\windows\system32\drivers\tifsfilt.sys

2009-11-24 18:27:35 114048 ----a-w- c:\windows\system32\drivers\snapman.sys

2009-11-16 11:24:45 33824 ----a-w- c:\windows\system32\drivers\oreans32.sys

2009-11-12 21:42:16 32768 ----a-w- c:\windows\system32\drivers\taphss.sys

2009-10-29 07:46:59 832512 ------w- c:\windows\system32\wininet.dll

2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll

2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll

2008-11-08 21:31:57 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008110820081109\index.dat

============= FINISH: 11:47:21.42 ===============

----

Attach.zip


Probably bad form to reply to your own post here, but as I've more or less resolved this, I wanted to free up your time to help other posters. Feel free to ignore or close this thread. But I'll still check this thread a few more times in case anyone has any advice to add.

Here's a quick rundown that may be helpful to anyone encountering a similar situation.

Seems that one of the cleanup utilities, e.g. DDS, GMER, ComboFix, defaulted most of my services & startup items. So a lot of services & startup items that were previously disabled or set to manual were all enabled en bloc. After a few dozen diagnostic boots, I narrowed the problem down to a group of 15 or so services & startup items for defunct programs. That is, programs that have long since been uninstalled or that I have had disabled on every computer that I've owned since WinXP was originally released. The shutdown/restart is now back to about 2 seconds, instead of 90 - 100 seconds, so it must have been hanging on a search for or timeout regarding one of the defunct entries. As I don't need anything in this group of defunct programs, I didn't take the extra time to narrow it down further.

Although it didn't help me directly, I did find a very good Windows shutdown troubleshooting page. (I have no affiliation with the site & they're not selling anything.)

http://www.aumha.org/win5/a/shtdwnxp.htm

I still have one small issue. Now my wireless (Intel PROSet) is taking 20 seconds to connect instead of the normal five or so. But this is a small issue. Moreover, it should be relatively easy to troubleshoot, so in the absence of new symptoms, I'm considering this resolved. Thanks for this forum. Looks like a lot of good work is being done here.

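The dozens of diagnostic boots described above can be avoided by baselining the service start modes and Run-key startup items before running cleanup tools such as ComboFix, then diffing afterwards to see exactly which entries were switched from Disabled/Manual to Auto. This is an added PowerShell example, not the poster's own procedure; it assumes PowerShell 2.0 (available for Windows XP SP3) and the baseline CSV path is a made-up default.

```powershell
# Added example (not from the original post). Snapshot services and Run keys
# before cleanup ("snapshot"), then compare the live state against that file
# afterwards ("diff"). Uses only Win32_Service WMI and registry providers,
# which PowerShell 2.0 on XP SP3 supports. Baseline path is an assumption.
param(
    [ValidateSet('snapshot','diff')] [string]$Mode = 'snapshot',
    [string]$Baseline = "$env:USERPROFILE\startup-baseline.csv"
)

function Get-StartupState {
    # Services: StartMode (Auto/Manual/Disabled) is the setting the cleaners reset.
    $svc = @(Get-WmiObject Win32_Service | ForEach-Object {
        New-Object PSObject -Property @{
            Kind = 'Service'; Name = $_.Name; Setting = $_.StartMode; Path = $_.PathName
        }
    })
    # Run keys: per-machine (mRun) and per-user (uRun) autostart entries.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = @(foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty $k
            # Skip the PS* provider metadata properties; keep only real values.
            $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
                New-Object PSObject -Property @{
                    Kind = 'Run'; Name = "$k\$($_.Name)"; Setting = 'Enabled'; Path = $_.Value
                }
            }
        }
    })
    $svc + $run | Sort-Object Kind, Name
}

$current = Get-StartupState
if ($Mode -eq 'snapshot') {
    $current | Export-Csv -Path $Baseline -NoTypeInformation
    "Saved $($current.Count) entries to $Baseline"
} else {
    $before = Import-Csv $Baseline
    # A service whose StartMode changed shows twice: '<=' is the baseline value,
    # '=>' is the current value. New Run entries show only with '=>'.
    Compare-Object $before $current -Property Kind, Name, Setting |
        Sort-Object Name |
        Format-Table SideIndicator, Kind, Name, Setting -AutoSize
}
```

Run it once with `-Mode snapshot` before the cleanup tools, and with `-Mode diff` afterwards; every `=>` line with Setting `Auto` is a candidate for the shutdown-timeout culprit the poster hunted for by hand.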