Possible Malware Infection
9 replies to this topic

#1 m.hoyer
Posted 03 December 2007 - 01:38 PM

One of our laptops has been running very slowly, particularly during the boot process, and when you shut it down it says that there is a problem with EOUWiz.exe. I haven't been able to find anything that adequately explains what that file is or why the computer won't shut down on its own. And that may be just the starting point of the problems on this computer.

I look forward to seeing your suggestions.

Mark

#2 quietman7
Posted 03 December 2007 - 02:53 PM

Can you provide the exact error message?

eouwiz.exe is a process related to Intel ProSet network devices and provides additional configuration options for these devices.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or Glarysoft Process Manager to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

Anytime you come across a suspicious file which you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 m.hoyer

Posted 03 December 2007 - 04:34 PM

On closer inspection, it isn't an error message but an "Ending Program" message on shutdown. Once the "Ending Program" window closes, however, nothing happens. Then when you try to shut down the computer again, it says eouwiz.exe is not responding. When you close that dialog box, then nothing happens again.

I checked the location of eouwiz.exe. It's in "Program Files/Intel/Wireless/Bin", which seems to me like where it belongs. I ran Process Explorer and didn't see anything that looked inexplicable. I'm fairly confident there is some piece of malware on this computer, though, because the startup process is incredibly long and the shutdown process is never completed. It also seems to work very slowly a lot of the time.

What's next?

& thanks for your help!

Mark

#4 quietman7

Posted 03 December 2007 - 06:18 PM

If you have XP Pro, you can use Tasklist to display a list of active processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type: tasklist /svc >c:\taskList.txt
press Enter

Go to Start > Run and type: C:\taskList.txt
press Ok to view the list of processes

The /SVC switch shows the list of active services in each process. For help and syntax information, type the following command, and then press ENTER:
tasklist /?
or see: Syntax options

You can also use the WMI command-line utility to view and list processes.
Go to Start > Run and type: cmd
press Ok
At the command prompt type:
WMIC /OUTPUT:C:\ProcessList.txt PROCESS get Caption,Commandline,Processid
press Enter.

You can also use (type):
WMIC /OUTPUT:C:\ProcessList.txt path win32_process get Caption,Processid,Commandline
press Enter.

Go to Start > Run and type: C:\ProcessList.txt
press Ok to view the details of all the processes.

If you don't know what a process is or you come across a suspicious file, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
Process ID Database
How to determine what services are running under a SVCHOST.EXE process

If you suspect malware, have you performed scans with your anti-virus and anti-malware scanning programs while in "Safe Mode"?

If you don't have any anti-virus or anti-malware programs, see BC's list of Freeware Replacements For Common Commercial Apps. There are several free online anti-virus scans listed which you can perform. I would also recommend that you download and scan with SUPERAntiSpyware Free in "Safe Mode".
Please update the definitions before performing a scan. If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.
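One way to automate the check the two quietman7 posts above describe (list every process with WMIC, then compare each well-known name against the folder it should be running from), as an added example that is not from this thread or from any of its participants: a Python script that parses the padded table WMIC writes to C:\ProcessList.txt and reports core Windows names found outside their expected folder. The expected-folder map, the sample listing and the out-of-place svchost.exe row are constructed for this example; it also goes a step beyond the thread by resolving the \??\ and \SystemRoot path forms XP shows for smss.exe and csrss.exe.

```python
import ntpath
import re

EXPECTED_DIRS = {  # assumption: default XP install, SystemRoot is C:\WINDOWS
    "smss.exe": r"c:\windows\system32", "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
    "eouwiz.exe": r"c:\program files\intel\wireless\bin",
}

def parse_wmic(text):
    """Split WMIC's padded table at the column starts of its header line;
    splitting on whitespace would break command lines that contain spaces."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    starts = [m.start() for m in re.finditer(r"\S+", lines[0])]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [lines[0][s:e].strip().lower() for s, e in spans]
    return [dict(zip(names, [ln[s:e].strip() for s, e in spans])) for ln in lines[1:]]

def image_dir(cmdline):
    """Lower-cased directory of the executable in a WMIC command line, or None.
    Strips the \\??\\ prefix and expands \\SystemRoot, as XP shows for smss/csrss."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline or "")
    if not m:
        return None
    path = (m.group(1) or m.group(2)).lower().replace("\\??\\", "", 1)
    if path.startswith("\\systemroot"):
        path = "c:\\windows" + path[len("\\systemroot"):]
    return ntpath.dirname(path)

def flag_misplaced(rows):
    """(caption, pid, actual_dir) for well-known names running from the wrong folder."""
    findings = []
    for r in rows:
        expected = EXPECTED_DIRS.get(r["caption"].lower())  # unknown names: manual lookup
        actual = image_dir(r["commandline"])
        if expected and actual and actual != expected:
            findings.append((r["caption"], r["processid"], actual))
    return findings

def sample_listing():
    """Constructed sample in the padded layout WMIC writes to C:\\ProcessList.txt.
    The last row is a made-up svchost.exe outside System32, not from the thread."""
    rows = [["Caption", "CommandLine", "ProcessId"],
            ["System Idle Process", "", "0"],
            ["smss.exe", r"\SystemRoot\System32\smss.exe", "992"],
            ["csrss.exe", r"\??\C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows", "1328"],
            ["svchost.exe", r"C:\WINDOWS\system32\svchost -k rpcss", "1212"],
            ["EOUWiz.exe", r'"C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"', "3932"],
            ["svchost.exe", r"C:\WINDOWS\svchost.exe", "5000"]]
    widths = [max(len(r[i]) for r in rows) + 2 for i in range(3)]
    return "\n".join("".join(v.ljust(w) for v, w in zip(r, widths)) for r in rows)
```

Running `flag_misplaced(parse_wmic(open(r"C:\ProcessList.txt").read()))` on a real listing gives the same kind of result; names not in the map are left for the manual lookups the thread describes.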

#5 m.hoyer

Posted 04 December 2007 - 10:33 AM

The computer in question is using XP Home. Is there a Plan B?

#6 quietman7

Posted 04 December 2007 - 10:44 AM

Download and use Process Explorer as I mentioned earlier. To create a list, go to file and choose Save as... to create a log named Procexp.txt in the same folder where Process Explorer resides.

Then investigate the processes you do not recognize as I indicated in my previous post.

#7 m.hoyer

Posted 04 December 2007 - 12:12 PM

I don't see anything here that looks out of place. Do you?

Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
DPCs n/a 0.99 Deferred Procedure Calls
System 4
smss.exe 992 Windows NT Session Manager Microsoft Corporation
csrss.exe 1328 Client Server Runtime Process Microsoft Corporation
winlogon.exe 1492 Windows NT Logon Application Microsoft Corporation
services.exe 1628 Services and Controller app Microsoft Corporation
svchost.exe 1212 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1412 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1800 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 4016 Windows Update Automatic Updates Microsoft Corporation
EvtEng.exe 1948 EvtEng Module Intel Corporation
S24EvMon.exe 136 Event Monitor - Supports driver extensions to NIC Driver for wireless adapters. Intel Corporation
svchost.exe 804 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1468 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 652 Spooler SubSystem App Microsoft Corporation
AOLacsd.exe 688 AOL Connectivity Service America Online, Inc.
isafe.exe 864 CA ISafe Service Computer Associates International, Inc.
CFSvcs.exe 1116 Service of ConfigFree. TOSHIBA CORPORATION
DVDRAMSV.exe 1512 Service of RAMAsst for Windows XP Matsubleepa Electric Industrial Co., Ltd.
ITMRTSVC.exe 308 eTrust PestPatrol Real-time service CA, Inc.
LxrJD31s.exe 1672
HPZipm12.exe 496 PML Driver HP
RegSrvc.exe 1892 RegSrvc Module Intel Corporation
SMAgent.exe 1976 SoundMAX service agent component Analog Devices, Inc.
svchost.exe 916 Generic Host Process for Win32 Services Microsoft Corporation
swupdtmr.exe 1092
TAPPSRV.exe 1404 TOSHIBA TAPPSRV TOSHIBA Corp.
wdfmgr.exe 1696 Windows User Mode Driver Manager Microsoft Corporation
vetmsg.exe 216 CA Anti-Virus Realtime Messaging Service CA, Inc.
alg.exe 2316 Application Layer Gateway Service Microsoft Corporation
ppctlpriv.exe 2112 CA Anti-Spyware Elevation service CA, Inc.
ccprovsp.exe 2572 CCProvSP CA, Inc.
lsass.exe 1688 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1792 Windows Explorer Microsoft Corporation
EOUWiz.exe 3932 Ease Of Use Wizard Application Intel Corporation
type32.exe 4072 Type32.exe Microsoft Corporation
point32.exe 2232 Point32.exe Microsoft Corporation
LVCOMSX.EXE 2576 LVCom Server Logitech Inc.
gnotify.exe 2548 Gmail Notifier Google Inc.
hpwuSchd2.exe 3492 Hewlett-Packard Product Assistant Hewlett-Packard Development Company, L.P.
apdproxy.exe 2228 97.03 Adobe Photoshop Album Starter Edition 3.0 component Adobe Systems Incorporated
qttask.exe 4076 Apple Computer, Inc.
BJMYPRT.EXE 2296 Canon My Printer CANON INC.
OpWareSE4.exe 3156 OCR Aware ScanSoft, Inc.
cctray.exe 3392 0.99 CA Common Tray CA, Inc.
cappactiveprotection.exe 3816 CAPPActiveProtection Application CA, Inc.
cavrid.exe 3344 CA Anti-Virus Realtime Infection Report CA, Inc.
QOELoader.exe 2156 QOELoader Application CA
msnmsgr.exe 2600 MSN Messenger Microsoft Corporation
ctfmon.exe 3048 CTF Loader Microsoft Corporation
TOSCDSPD.exe 3416 CD/DVD Drive Acoustic Silencer TOSHIBA
msmsgs.exe 748 Windows Messenger Microsoft Corporation
GoogleToolbarNotifier.exe 1600 GoogleToolbarNotifier Google Inc.
hpqtra08.exe 3728 HP Digital Imaging Monitor Hewlett-Packard Development Company, L.P.
hpobnz08.exe 280 HP OfficeJet COM Device Objects Hewlett-Packard Co.
hposol08.exe 2568 HP OfficeJet COM Device Objects Hewlett-Packard Co.
RAMASST.exe 2992 CD Burning of Windows XP disabling tool for DVD MULTI Drive Matsubleepa Electric Industrial Co., Ltd.
procexp.exe 716 0.99 Sysinternals Process Explorer Sysinternals

#8 quietman7

Posted 04 December 2007 - 02:22 PM

Nothing of concern showing, so let's check for hidden malware.

Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Please download rootchk.exe and save to your desktop
  • Important: Temporarily disable any real-time monitoring programs (see note below).
  • Disconnect from the Internet.
  • Double-click on rootchk.exe to run the program.
  • A command prompt window will open as the scan begins and then close.
  • When the scan is completed, a logfile named rootlog.txt will open and be saved to the root directory usually C:\.
  • Copy and paste the contents of the log into your next reply.
  • Re-enable active protection on any program you temporarily disabled.
Note: To avoid false positives, it is important that you temporarily disable ZoneAlarm Pro firewall or any other security program that protects your registry before running a rootchk scan. Click on this link to see a list of other programs that should be temporarily disabled.

Please download AVG Anti-Rootkit and save to your desktop
  • Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit
  • Accept the license and follow the prompts to install.
  • You will be asked to reboot to finish the installation so click "Finish".
  • After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
  • You will see a window with four buttons at the bottom.
  • Click "Search For Rootkits" and the scan will begin.
  • You will see the progress bar moving from left to right. The scan will take some time so be patient and let it finish.
  • When the scan has finished, a small window will open so you can view the results.
  • Right click and select "Save Result To File".
  • By default the file will be saved with a .csv extension. (You can use notepad to open the .csv file)
  • If anything was found, click "Remove selected items"
  • If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.
Note: Close all open windows, programs, and DO NOT USE the computer while scanning. If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted automatically.

#9 m.hoyer

Posted 05 December 2007 - 08:54 AM

Okay. I've done all that - turned up nothing. Here's the log you suggested I post with this reply.

********************************* ROOTCHK-(25-11-07)-LOG, by ejvindh
Tue 12/04/2007 15:58:40.62

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end


catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-04 15:58:41
Windows 5.1.2600 Service Pack 2
scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

hidden processes: 0
hidden services: 0
hidden files: 0

What's next? The computer still seems to be running slowly and now I can't get CA Anti-Spyware to do real-time protection. I turn it on, but it turns off again within a few seconds.

#10 quietman7

Posted 05 December 2007 - 09:29 AM

If your computer still seems to be slow, read and follow the suggestions in Slow Computer/Browser? Check here first; it may not be malware. There are reasons for slowness besides malware - i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.