Remnants of malware lurking causing these problems?


24 replies to this topic

#1 CatCab


Posted 04 April 2009 - 09:03 PM

Let me start by saying that this is my first post here and Hello! I am trying to get an old computer that we haven’t used much recently back in shape. It runs Windows XP. I discovered several issues with it. Specifically, it had some malware & Trojans on there. I thought they were fixed by Spybot, but the computer is still acting up. For example, it takes me several tries to update my anti malware programs, some windows updates are failing, and while it is generally acting better than I recall, the computer is still sluggish, often indicates it is low in virtual memory, and sometimes just freezes up to the point where I have to shut it off and start over. It is old and I am used to using another faster computer, so I’m not sure if this is just how it is, or my fear: that there are remnants of something nasty hiding causing all of this. I came across this terrific forum when looking for info. I am definitely a novice at this, so your expertise is much appreciated! Here’s more background and specifics to what is going on. (I apologize in advance for the length but I wanted to be as specific as I could):
1. We had Spybot Search & Destroy (version 1.4) on it. The first thing I did in my process was to update Spybot, and while it did appear to allow and download all updates, I initially could not get the newest version of Spybot to install. However, I was able to run a scan that found 4 problems (3 instances of something called Win32.Sdbot.add, and 1 of a windows security center override). During the scan, error messages popped up 3 times that said something to the effect that “there were problems in the include file c:\Program Files\Spybot-Search Destroy\Includes\Malware (Trojans…) sbi see include error log for details”. I had spybot fix the four things. Then I later tried to run spybot again, but it wouldn’t even load. So, wanting another way to check that things were gone, I then downloaded Malwarebytes anti malware, updated it, then ran a quick scan. Nothing was found there. Thinking all was ok, I removed the older version of Spybot via the control panel, then downloaded version 1.6.2, updated it, and ran a new scan. Nothing major was found. I have since run more scans on both programs that were clean.
2. The second thing I did was to install Avira AntiVir Personal to replace a Zone Alarm Anti virus suite that was out of date. I had a little trouble doing so, but was ultimately successful. I should mention that prior to any of this, ZA did run a virus scan automatically (using the outdated detections) which did come back fine. Anyway, I uninstalled ZA (which also uninstalled the firewall I was using), installed Avira, ran it and it found and quarantined one suspicious swf file as Heur/Html.malware. I’m not sure what to do with that now. A side question related to Avira is that I had understood that Avira was supposed to have a built in firewall, but my windows security center did not recognize one. Does it not contain a firewall? I turned on the Windows firewall at that point, to at least have something for the time being. Also related to Avira, next time I booted up, Avira wouldn’t start up. I suspected Spybot’s teatimer function after reading something about compatibility in a thread, so I disabled it. Next reboot, it opened fine. If this truly is simply a compatibility issue between these two programs, would it be better for me to leave teatimer on and get a different antivirus program, or should I just keep teatimer disabled? In other words, is there a benefit to teatimer that I am not getting from anything else I have?
3. Third, I wanted to see if Windows was up to date. It is set up for automatic updates. I checked the update log, and noticed that a couple of updates failed. Specifically, one Malicious software update failed (KB890830 with an error code of 0x8024007), and the Service Pack 3 update KB936929 failed with an error code 0x080242006. Other windows updates have been successful. Why would these fail?
4. Lastly, in hopes of improving performance, I started to delete some old files and programs to free up space. Also, I ran disk cleanup and disk check. It did not need to be defragmented. This improved things slightly, but things are still slow. So, curious as to what is running, I noted 40 processes in the Task Manager when I have no programs open. Is this a normal number?

I hope I’m just being paranoid, but I am fearful that there may be remnants still lurking from the malware that are causing the problems or even something else undetected. And, of course, I’m worried that some of my feeble attempts to fix things, may have unknowingly made it worse. I am not using the problem computer at the moment. I’m sorry about the long post with multiple questions, but what should I do next?


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:28 AM

Posted 04 April 2009 - 10:37 PM

We need to disable Spybot S&D's "TeaTimer"
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  • Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  • If prompted with a legal dialog, accept the warning.
  • Click [image] and then on "Advanced Mode"
  • You may be presented with a warning dialog. If so, press [image]
  • Click on [image]
  • Click on [image]
  • Uncheck this checkbox: [image]
  • Close/Exit Spybot Search and Destroy
http://www.bleepingcomputer.com/forums/t/44694/slow-computer/

http://www.malwareremoval.com/tutorials/runningslowly.php

After you clean the 40 processes down to 30 or so, defrag

Windows won't recommend it till it's almost too late

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Download Process Explorer and run it after removing some optional ones. Under File/Save As, create a log and copy and paste it here
Chewy

No. Try not. Do... or do not. There is no try.

#3 CatCab

CatCab
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 05 April 2009 - 08:22 AM

Thank you DaChew! I ensured Teatimer was disabled and have just started the process of doing the various steps suggested in the links you provided. I made sure Avira, Spybot and Malwarebytes were updated and am now in safe mode on that computer. Ran Avira, and it came back ok except for 4 warnings which looked to be files that could not be opened according to the report. Now doing spybot and the S&D Wizard is asking if I want to create a registry backup. Should I do this or just run the scan?

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:28 AM

Posted 05 April 2009 - 08:45 AM

A registry backup is always a good idea; loading an infected backup after the cleaning would be a bad idea

#5 CatCab

CatCab
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 05 April 2009 - 01:56 PM

Thank you! Ok, these are the steps I did since my initial post:
• Ensured teatimer was disabled.
• Updated Avira AntiVir, Spybot and Malwarebytes, and ran scans in safe mode. 4 items appeared in the warnings section on Avira (4 files that could not be opened). Spybot and Malware Bytes full scan found nothing. Rebooted.
• I manually deleted a few more programs if I knew what they were and that we wouldn’t need them. I also got rid of one user account (another administrator) because I can’t even remember why we set it up.
• Downloaded and used Malwarebytes’ Startup Lite 1.07 to check what’s loading on startup and disabled all things that came up. One I may go back to later and actually remove, because it sounded like it goes with a program I previously deleted. Rebooted.
• I ran disk cleanup (removing temporary files).
• I checked the task manager, and there were now 35 processes running when I had no programs open. Not sure what else to do to get this lower.
• I defragmented.
• I downloaded Process Explorer 11.33, ran it and will post the findings in a separate reply next.

#6 CatCab

CatCab
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 05 April 2009 - 02:02 PM

Process explorer log:

Process PID CPU Description Company Name
System Idle Process 0 98.46
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 368 Windows NT Session Manager Microsoft Corporation
csrss.exe 416 Client Server Runtime Process Microsoft Corporation
winlogon.exe 440 Windows NT Logon Application Microsoft Corporation
services.exe 484 Services and Controller app Microsoft Corporation
svchost.exe 660 Generic Host Process for Win32 Services Microsoft Corporation
GoogleToolbarNotifier.exe 1948 GoogleToolbarNotifier Google Inc.
svchost.exe 708 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 748 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 1876 Windows Update Automatic Updates Microsoft Corporation
svchost.exe 804 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 876 Generic Host Process for Win32 Services Microsoft Corporation
LEXBCES.EXE 964 LexBce Service Lexmark International, Inc.
spoolsv.exe 1000 Spooler SubSystem App Microsoft Corporation
sched.exe 1036 Antivirus Scheduler Avira GmbH
PackethSvc.exe 1128 Virtual Adapter Service America Online, Inc.
avguard.exe 1144 Antivirus On-Access Service Avira GmbH
AOLacsd.exe 1156 AOL Connectivity Service AOL LLC
AppleMobileDeviceService.exe 1184 Apple Mobile Device Service Apple, Inc.
AluSchedulerSvc.exe 1204 Automatic LiveUpdate Scheduler Service Symantec Corporation
alg.exe 1584 Application Layer Gateway Service Microsoft Corporation
svchost.exe 320 Generic Host Process for Win32 Services Microsoft Corporation
iPodService.exe 2184 iPodService Module Apple Inc.
lsass.exe 496 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 864 Windows Explorer Microsoft Corporation
ACMonitor_X73.exe 2028 ACMonitor Silitek Corp.
AcBtnMgr_X73.exe 2032 AcBtnMgr Jetsoft Development Company
printray.exe 1248 PrinTray Lexmark
aolsoftware.exe 904 AOL AOL LLC
devldr32.exe 228 DevLdr32 Creative Technology Ltd.
iTunesHelper.exe 400 iTunesHelper Module Apple Inc.
avgnt.exe 460 Antivirus System Tray Tool Avira GmbH
WkCalRem.exe 812 Microsoft® Works Calendar Reminder Service Microsoft® Corporation
NkvMon.exe 1080 Nikon Monitor Nikon Corporation
procexp.exe 2776 1.54 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
ctfmon.exe 2664 CTF Loader Microsoft Corporation

#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:28 AM

Posted 05 April 2009 - 06:10 PM

http://www.bleepingcomputer.com/startups/

http://www.bleepingcomputer.com/startups/c...n.exe-1121.html

http://support.microsoft.com/default.aspx?...kb;en-us;282599

I see a few more but you need to do the legwork, consider it power user 101

Run MBAM in normal mode

#8 CatCab

CatCab
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 05 April 2009 - 09:08 PM

I ran another Malware Bytes scan in normal mode. It was fine. Do you want to see the results?
And, aw shucks, I thought that Startup Lite program I downloaded did all the dirty work for me!!!
I will go through these, but I am confused as to how to distinguish the ok processes from the bad when comparing the Process Explorer results to the startup database (the help file downloaded with the program isn't working). Will you clarify? At first glance, the ones I’ve checked so far all look bad. For example, Windows NT Session Manager, smss.exe, looks to be a Trojan. But for the next one, when I search for “Client Server Runtime Process”, I don’t get any matches. However, searching for csrss.exe yields quite a few processes that shouldn’t run, but none of them sound exactly like mine. So, maybe that one is ok. The third one, winlogon.exe, looks to be malware, but the page has a warning not to confuse it with the legitimate file. How would I tell the difference?
Thank you!

#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:28 AM

Posted 05 April 2009 - 11:14 PM

Leave the other Microsoft Corporation files alone, if you don't use the language bar(ctfmon) disable according to the directions.

With the AVG, Aol and Apple processes running you don't need a lot of other stuff running also, especially if you never use it.

They are bad enough by themselves

#10 CatCab

CatCab
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 06 April 2009 - 09:37 AM

Ctfmon.exe is now gone. I ran Process Explorer again to verify it. I'm still confused, though, about whether I should be doing something about smss.exe. Will you clarify?

Process explorer log:

Process PID CPU Description Company Name
System Idle Process 0 96.92
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4 1.54
smss.exe 368 Windows NT Session Manager Microsoft Corporation
csrss.exe 416 Client Server Runtime Process Microsoft Corporation
winlogon.exe 440 Windows NT Logon Application Microsoft Corporation
services.exe 484 1.54 Services and Controller app Microsoft Corporation
svchost.exe 664 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 712 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 752 Generic Host Process for Win32 Services Microsoft Corporation
wuauclt.exe 1488 Windows Update Automatic Updates Microsoft Corporation
svchost.exe 800 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 816 Generic Host Process for Win32 Services Microsoft Corporation
LEXBCES.EXE 908 LexBce Service Lexmark International, Inc.
spoolsv.exe 984 Spooler SubSystem App Microsoft Corporation
sched.exe 1040 Antivirus Scheduler Avira GmbH
PackethSvc.exe 1128 Virtual Adapter Service America Online, Inc.
avguard.exe 1144 Antivirus On-Access Service Avira GmbH
AOLacsd.exe 1156 AOL Connectivity Service AOL LLC
AppleMobileDeviceService.exe 1172 Apple Mobile Device Service Apple, Inc.
AluSchedulerSvc.exe 1200 Automatic LiveUpdate Scheduler Service Symantec Corporation
iPodService.exe 2148 iPodService Module Apple Inc.
alg.exe 2248 Application Layer Gateway Service Microsoft Corporation
lsass.exe 496 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1712 Windows Explorer Microsoft Corporation
ACMonitor_X73.exe 1840 ACMonitor Silitek Corp.
AcBtnMgr_X73.exe 1852 AcBtnMgr Jetsoft Development Company
printray.exe 1872 PrinTray Lexmark
aolsoftware.exe 1880 AOL AOL LLC
iTunesHelper.exe 1888 iTunesHelper Module Apple Inc.
avgnt.exe 1896 Antivirus System Tray Tool Avira GmbH
GoogleToolbarNotifier.exe 1928 GoogleToolbarNotifier Google Inc.
devldr32.exe 1936 DevLdr32 Creative Technology Ltd.
WkCalRem.exe 184 Microsoft® Works Calendar Reminder Service Microsoft® Corporation
NkvMon.exe 196 Nikon Monitor Nikon Corporation
procexp.exe 2768 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

#11 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:28 AM

Posted 06 April 2009 - 09:49 AM

Process PID CPU Description Company Name
System Idle Process 0 100
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 560 Windows NT Session Manager Microsoft Corporation
csrss.exe 612 Client Server Runtime Process Microsoft Corporation
winlogon.exe 640 Windows NT Logon Application Microsoft Corporation
services.exe 692 Services and Controller app Microsoft Corporation
svchost.exe 880 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 948 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1080 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1256 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1680 Spooler SubSystem App Microsoft Corporation
mbamservice.exe 1832 Malwarebytes' Anti-Malware Malwarebytes Corporation
svchost.exe 1908 Generic Host Process for Win32 Services Microsoft Corporation
alg.exe 124 Application Layer Gateway Service Microsoft Corporation
svchost.exe 1516 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 704 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1392 Windows Explorer Microsoft Corporation
iexplore.exe 800 Internet Explorer Microsoft Corporation
procexp.exe 340 Sysinternals Process Explorer Sysinternals - www.sysinternals.com


Here are my core files with IE open, I would never mess with them

Malware can infect them and/or hook into them but that's another can of worms

I have an expert's license for MBAM and beta-test new releases and protection modules

Edited by DaChew, 06 April 2009 - 09:50 AM.

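CatCab's question in #8 (how to tell a legitimate smss.exe, csrss.exe or winlogon.exe from malware that borrows the name) and Chewy's core-file list in #11 can be turned into a small triage pass over a Process Explorer File -> Save As export. The script below is an added example, not code from the thread or from Sysinternals: it assumes the export's tab-separated columns (Process, PID, CPU, Description, Company Name), an assumed list of XP core processes that normally run as a single instance, and a constructed sample log whose second smss.exe row and scvhost.exe row are invented anomalies.

```python
import csv
import io
from collections import Counter

# Windows XP core processes Process Explorer lists under "Microsoft Corporation".
# True = assume a healthy system runs exactly one instance (svchost/explorer vary).
CORE_PROCESSES = {
    "smss.exe": True, "csrss.exe": True, "winlogon.exe": True,
    "services.exe": True, "lsass.exe": True, "spoolsv.exe": True,
    "alg.exe": True, "svchost.exe": False, "explorer.exe": False,
}
MICROSOFT = "Microsoft Corporation"

def parse_procexp_log(text):
    """Parse a Process Explorer File -> Save As export (tab-separated columns)."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    header = [h.strip() for h in next(reader)]
    rows = []
    for fields in reader:
        if not fields or not fields[0].strip():
            continue  # skip blank lines
        fields = [f.strip() for f in fields]
        fields += [""] * (len(header) - len(fields))  # pad short rows
        rows.append(dict(zip(header, fields)))
    return rows

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names (scvhost, lsas)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(rows):
    """Return (reason, process, pid) leads to look up in the startup database or
    check on disk (path, signature); a lead is not proof of infection."""
    findings = []
    counts = Counter(r["Process"].lower() for r in rows)
    for r in rows:
        name, pid, company = r["Process"].lower(), r["PID"], r["Company Name"]
        if name in CORE_PROCESSES:
            if company != MICROSOFT:
                findings.append(("core name without Microsoft company", name, pid))
            if CORE_PROCESSES[name] and counts[name] > 1:
                findings.append(("extra instance of single-instance core process", name, pid))
        elif any(edit_distance(name, core) <= 2 for core in CORE_PROCESSES):
            findings.append(("look-alike of a core process name", name, pid))
    return findings

# Constructed sample in the export layout (not one of the thread's real logs); the
# last two rows are invented: a second smss.exe with no company, a svchost look-alike.
SAMPLE_LOG = "\n".join([
    "Process\tPID\tCPU\tDescription\tCompany Name",
    "smss.exe\t368\t\tWindows NT Session Manager\tMicrosoft Corporation",
    "csrss.exe\t416\t\tClient Server Runtime Process\tMicrosoft Corporation",
    "winlogon.exe\t440\t\tWindows NT Logon Application\tMicrosoft Corporation",
    "svchost.exe\t660\t\tGeneric Host Process for Win32 Services\tMicrosoft Corporation",
    "lsass.exe\t496\t\tLSA Shell (Export Version)\tMicrosoft Corporation",
    "avguard.exe\t1144\t\tAntivirus On-Access Service\tAvira GmbH",
    "smss.exe\t2044\t\t\t",
    "scvhost.exe\t2188\t\tGeneric Host Process\t",
])

if __name__ == "__main__":
    for reason, name, pid in triage(parse_procexp_log(SAMPLE_LOG)):
        print(f"{name} (PID {pid}): {reason}")
```

The Company Name column comes from the file's version resource, which malware can forge, so a clean-looking row is not a guarantee either; the check only narrows what to verify by hand.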

#12 CatCab

CatCab
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 06 April 2009 - 10:03 AM

Thanks Chewy! I think I got it now. Plus, I just noticed and realized that a remnant from an old Symantec (Norton) program is still running. Norton has been long gone from this computer. Will look some more at these things to find others I can get rid of, and post an updated log later.

#13 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:28 AM

Posted 06 April 2009 - 10:07 AM

http://www.symantec.com/nrt/

I meant to give you this link before, oooooops

#14 CatCab

CatCab
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:28 AM

Posted 06 April 2009 - 05:13 PM

Ok, I disabled or got rid of a few more processes. I am reluctant to touch the Avira or the Microsoft items (except maybe the WksCalRem). The rest seem to have to do with the printer, sound card, AOL, and iTunes, so therefore, I'm not sure what impact that will have if I disable them. However, I may ultimately delete iTunes from this computer anyway, and I guess that'll fix those. Here's the latest log:

Process PID CPU Description Company Name
System Idle Process 0 96.92
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 360 Windows NT Session Manager Microsoft Corporation
csrss.exe 416 Client Server Runtime Process Microsoft Corporation
winlogon.exe 440 Windows NT Logon Application Microsoft Corporation
services.exe 484 Services and Controller app Microsoft Corporation
svchost.exe 664 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 712 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 752 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 804 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 824 Generic Host Process for Win32 Services Microsoft Corporation
LEXBCES.EXE 992 LexBce Service Lexmark International, Inc.
spoolsv.exe 1028 Spooler SubSystem App Microsoft Corporation
sched.exe 1064 Antivirus Scheduler Avira GmbH
PackethSvc.exe 1152 Virtual Adapter Service America Online, Inc.
avguard.exe 1168 Antivirus On-Access Service Avira GmbH
AOLacsd.exe 1180 AOL Connectivity Service AOL LLC
AppleMobileDeviceService.exe 1208 Apple Mobile Device Service Apple, Inc.
iPodService.exe 2084 iPodService Module Apple Inc.
alg.exe 2168 Application Layer Gateway Service Microsoft Corporation
lsass.exe 496 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1740 Windows Explorer Microsoft Corporation
ACMonitor_X73.exe 1980 ACMonitor Silitek Corp.
AcBtnMgr_X73.exe 1988 AcBtnMgr Jetsoft Development Company
printray.exe 2008 PrinTray Lexmark
aolsoftware.exe 2016 AOL AOL LLC
iTunesHelper.exe 2024 iTunesHelper Module Apple Inc.
avgnt.exe 2032 Antivirus System Tray Tool Avira GmbH
devldr32.exe 196 DevLdr32 Creative Technology Ltd.
WkCalRem.exe 308 Microsoft® Works Calendar Reminder Service Microsoft® Corporation
procexp.exe 2704 3.08 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

#15 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:10:28 AM

Posted 06 April 2009 - 05:38 PM

Avira is a good choice, I was mistaking it for avg

Oooooops

If your internet provider is AOL then you'd better leave it alone, I have seen people install it to get AIM or just web mail

iTunes was buggy as heck with the initial releases but lately seems to be a decent program

How is your computer running?
