
Possible Trojan, very detailed symptoms


1 reply to this topic

#1 animemonster
  • Members
  • 85 posts

Posted 19 June 2009 - 09:30 PM

I like to think of myself as a pretty advanced computer user. I have multiple computers and I know how to do more than turn the bloody things on. This one has me stumped.

Here are the symptoms:

slow start-up: icons appear and then "melt", for lack of a better term, before reappearing; the mouse won't click, yet there is no hourglass indicating that it's doing anything; tray icons take a long time to load; firewall keeps turning off

During running: fan runs constantly and loudly (I have not had a chance to open it up and take a look at the set up or to dust it out, but it probably needs it)

AVG log, run from safe mode, is in next post.

Spybot: ran the first-run wizard, despite being run previously (it was just run last week); updates dated from September of last year, despite updating every run time (including just last week); started up, restarted after updating, and disappeared; it reappeared when I was restarting the computer to put it in safe mode; in safe mode Spybot turned up the following:

2 entries for DoubleClick
Tracking cookie (Chrome: Chrome) .doubleclick.net/ (test cookie)
Tracking cookie (Chrome: Chrome) .doubleclick.net/ (id)

Immunizations ran successfully in safe mode.

Following the AVG log is also a list of start-ups that Spybot listed. One, I noticed, has a very similar name to a known Trojan, but not exactly. They were crypt32chain and cryptnet; I could not find any information on those. I wish for advice on which ones are unneeded so I can hope for some quicker start-up times.

Disk Clean-Up got 386,928 KB of files, most were Temporary Internet Files which Spybot said it had deleted.

Turn off: turning off the computer is also a slow process. Many "End Task Now" boxes come up for programs I'm not aware of running.

This all got really bad this past week; I'm good about running anti-virus and anti-spyware frequently on it. Other problems have included printing, which requires the printer to be turned off, the spool process ended, the printer turned back on to delete a non-responsive job, and then off and on again to restart the spool process. That process, when in use, uses about 98 percent of the CPU.

Computer specs:
Compaq Presario SR1503WM with Intel Celeron D and Windows XP SP3.

AVG 8.5 Anti-Virus command line scanner
Copyright © 1992 - 2009 AVG Technologies
Program version 8.0.354, engine 8.0.372
Virus Database: Version 270.12.79/2186 2009-06-18

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\54d4e163b94ee760bad85657c646b9c0_3860bc8d-fc8d-483f-aa66-e27513e68480 Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\54d4e163b94ee760bad85657c646b9c0_d03f0fcb-7813-4f7e-bfaa-2f26e2a7368e Locked file. Not tested.
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Locked file. Not tested.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\Compaq_Owner\ntuser.dat Locked file. Not tested.
C:\Documents and Settings\Compaq_Owner\ntuser.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Locked file. Not tested.
C:\Documents and Settings\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\WINDOWS\system32\config\default Locked file. Not tested.
C:\WINDOWS\system32\config\default.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SAM Locked file. Not tested.
C:\WINDOWS\system32\config\SAM.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY Locked file. Not tested.
C:\WINDOWS\system32\config\SECURITY.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\software Locked file. Not tested.
C:\WINDOWS\system32\config\software.LOG Locked file. Not tested.
C:\WINDOWS\system32\config\system Locked file. Not tested.
C:\WINDOWS\system32\config\system.LOG Locked file. Not tested.

------------------------------------------------------------
Objects scanned : 364179
Found infections : 0
Found PUPs : 0
Healed infections : 0
Healed PUPs : 0
Warnings : 0
------------------------------------------------------------


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2008-07-07 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-05-05 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2008-10-22 advcheck.dll (1.6.2.13)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-10-22 Tools.dll (2.1.6.8)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi
2009-06-02 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-05-19 Includes\Dialer.sbi
2009-06-02 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2009-06-09 Includes\HijackersC.sbi
2009-06-16 Includes\Keyloggers.sbi
2009-06-16 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-06-10 Includes\Malware.sbi
2009-06-16 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-06-17 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-06-02 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-04-07 Includes\Spyware.sbi
2009-06-02 Includes\SpywareC.sbi
2009-06-08 Includes\Tracks.uti
2009-06-17 Includes\Trojans.sbi
2009-06-17 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Located: HK_LM:Run, Adobe Reader Speed Launcher
command: "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
file: C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F

Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1948440
MD5: 2588B441E5B22691E0610CF710865441

Located: HK_LM:Run, HotKeysCmds
command: C:\WINDOWS\system32\hkcmd.exe
file: C:\WINDOWS\system32\hkcmd.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, HP Component Manager
command: "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
file: C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, HP Software Update
command: "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
file: C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, HPBootOp
command: "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
file: C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, LSBWatcher
command: c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
file: c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, MCAgentExe
command: C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
file: C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, MCUpdateExe
command: C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
file: C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, MegaPanel
command: C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
file: C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-3942599917-427591157-2114624425-1009...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, MSMSGS
where: S-1-5-21-3942599917-427591157-2114624425-1009...
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1695232
MD5: 3E930C641079443D4DE036167A69CAA2

Located: HK_CU:Run, SpybotSD TeaTimer
where: S-1-5-21-3942599917-427591157-2114624425-1009...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 2260480
MD5: 390679F7A217A5E73D756276C40AE887

Located: Startup (disabled), Adobe Reader Speed Launch (DISABLED)
command: C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE
file: C:\PROGRA~1\Adobe\READER~1.0\Reader\READER~1.EXE
size: 39792
MD5: 8B9145D229D4E89D15ACB820D4A3A90F

Located: Startup (disabled), Adobe Reader Synchronizer (DISABLED)
command: C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
file: C:\PROGRA~1\Adobe\READER~1.0\Reader\ADOBEC~1.EXE
size: 738968
MD5: 1C1C6ABBC3408A373C731EC3F41EAE16

Located: Startup (disabled), Compaq Connections (DISABLED)
command: C:\PROGRA~1\COMPAQ~1\6750491\Program\COMPAQ~1.EXE -startup
file: C:\PROGRA~1\COMPAQ~1\6750491\Program\COMPAQ~1.EXE
size: 45056
MD5: 061380AFF32EC10474B2B355499B6E35

Located: Startup (disabled), HP Digital Imaging Monitor (DISABLED)
command: C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
file: C:\PROGRA~1\HP\DIGITA~1\bin\hpqtra08.exe
size: 241664
MD5: 16E91805CC071039372AE0037AAA9A2B

Located: Startup (disabled), HP Image Zone Fast Start (DISABLED)
command: C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe -s
file: C:\PROGRA~1\HP\DIGITA~1\bin\hpqthb08.exe
size: 53248
MD5: 91C0436BD6CB73370895EF33C1C9CB47

Located: Startup (disabled), Kodak EasyShare software (DISABLED)
command: C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -hx
file: C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE
size: 180224
MD5: 8066FBF476461996BD176165975A3363

Located: Startup (disabled), Kodak software updater (DISABLED)
command: C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE
file: C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\KODAKS~1.EXE
size: 16423
MD5: DB9012564169875F5B2AA7F5FC4905E4

Located: Startup (disabled), SpySubtract (DISABLED)
command: C:\PROGRA~1\INTERM~1\SPYSUB~1\sslaunch.exe -autostart
file: C:\PROGRA~1\INTERM~1\SPYSUB~1\sslaunch.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (disabled), RollerCoaster Tycoon 3 Registration (DISABLED)
command: C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\{125E3834-3997-4190-8405-CBDA3BC96044}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe /remind /language=ENU /PRNM="RollerCoaster Tycoon 3"/PRMP="RCT3"/SKUN="PCXX"/GTYP="STRY"
file: C:\Documents and Settings\Compaq_Owner\Local Settings\Temp\{125E3834-3997-4190-8405-CBDA3BC96044}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, avgrsstarter (DISABLED)
command: avgrsstx.dll
file: avgrsstx.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, igfxcui
command: igfxsrvc.dll
file: igfxsrvc.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

#2 Zllio

  • Members
  • 1,107 posts

Posted 22 June 2009 - 11:06 AM

Hi animemonster,

I would like for you to check some things before thinking about malware. Just for some information, let's look at a few things.

First of all, do make sure the dust is out of your fans. Don't allow the fans to spin while you're dusting them as this can damage them.

Next disconnect your computer from the internet and reboot. Does that change anything?

Then go to Start > Run and type in msconfig. In the window that opens up, put a checkmark next to Diagnostic Startup and then click on the Startup tab. Put a check next to your antivirus and anything that is needed on your computer. Most things can be left unchecked. Then boot up your computer and see if this goes better. If it happens to go better, then this would be a sign that there's a specific problem leading to this, and you can narrow this down by adding checkmarks to half of the remaining entries and rebooting. If one of them is the culprit, your bootup will be as it was.

I would like for you to run checkdisk. To do this, open My Computer and right-click on your C drive (or whatever drive has the operating system). Then select Properties and, in the window that opens up, choose the Tools tab. The first part of that tab has a button for checking your disk. Click on that and allow it to run.

Then I would like to know about your RAM on this computer. How much do you have? Do you have the possibility of testing it on another computer? There is a way to test it directly, if you go to the following website: http://oca.microsoft.com/en/windiag.asp


Did any of the above give you more information?
Zllio
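The Spybot startup report in the first post and the startup-entry review Zllio recommends both depend on knowing what each entry actually resolves to on disk. The rows showing "size: 0" with MD5 D41D8CD98F00B204E9800998ECF8427E are the MD5 of empty input, which the scanner reports when it could not open the file (the warning under each row says as much): for the WinLogon rows the entry is only a bare DLL name with no path, and for some of the HP and McAfee rows the file may simply no longer exist. The PowerShell script below is an added example, not code from this thread, from Spybot or from AVG; it enumerates the same three locations, resolves bare names the way winlogon would (System32, then the Windows directory), hashes the file that is really there and reports its Authenticode status. The function names Resolve-AutostartPath, Get-FileDigest and Get-AutostartEntries are my own, and the script assumes Windows PowerShell 2.0 or later on the machine being examined.

```powershell
# Added example, not from the thread. Lists HK_LM:Run, HK_CU:Run and the Winlogon
# Notify packages, resolves each entry to a file on disk and hashes that file, so
# that "size: 0 / MD5 of nothing" rows are replaced by real data or a clear "not found".

function Resolve-AutostartPath {
    param([string]$Command)
    if (-not $Command) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    # Quoted executable ("C:\Program Files\...\x.exe" /arg): keep what is inside the quotes.
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $cmd = $cmd.Substring(1, $end - 1) }
    }
    # Unquoted command with arguments: drop trailing tokens until a file is found.
    $tokens = $cmd -split ' '
    for ($n = $tokens.Count; $n -ge 1; $n--) {
        $candidate = $tokens[0..($n - 1)] -join ' '
        if ([System.IO.Path]::IsPathRooted($candidate)) {
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        } else {
            # Bare name such as crypt32.dll or wlnotify.dll: look where winlogon would.
            foreach ($dir in @((Join-Path $env:SystemRoot 'System32'), $env:SystemRoot)) {
                $full = Join-Path $dir $candidate
                if (Test-Path -LiteralPath $full -PathType Leaf) { return $full }
            }
        }
    }
    return $null
}

function Get-FileDigest {
    param([string]$Path)
    $hex = { param($bytes) ($bytes | ForEach-Object { $_.ToString('X2') }) -join '' }
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        # MD5 only so the result can be compared with the Spybot report; SHA256 for lookups.
        $md5 = & $hex ([System.Security.Cryptography.MD5]::Create().ComputeHash($stream))
        $stream.Position = 0
        $sha = & $hex ([System.Security.Cryptography.SHA256]::Create().ComputeHash($stream))
    } finally {
        $stream.Close()
    }
    New-Object PSObject -Property @{ MD5 = $md5; SHA256 = $sha }
}

function Get-AutostartEntries {
    $entries = @()
    $runKeys = @(
        @('HK_LM:Run', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'),
        @('HK_CU:Run', 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
    )
    foreach ($pair in $runKeys) {
        $key = Get-Item -LiteralPath $pair[1] -ErrorAction SilentlyContinue
        if ($key -eq $null) { continue }
        foreach ($name in $key.GetValueNames()) {
            $entries += New-Object PSObject -Property @{
                Location = $pair[0]; Name = $name; Command = [string]$key.GetValue($name)
            }
        }
    }
    # Each Winlogon Notify package is a subkey whose DLLName value winlogon.exe loads.
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($sub in @(Get-ChildItem -LiteralPath $notify -ErrorAction SilentlyContinue)) {
        if ($sub -eq $null) { continue }
        $entries += New-Object PSObject -Property @{
            Location = 'WinLogon'; Name = $sub.PSChildName; Command = [string]$sub.GetValue('DLLName')
        }
    }
    return $entries
}

foreach ($e in Get-AutostartEntries) {
    $path = Resolve-AutostartPath $e.Command
    if ($path -eq $null) {
        '{0,-9} {1,-26} NOT FOUND on disk: {2}' -f $e.Location, $e.Name, $e.Command
        continue
    }
    $digest = Get-FileDigest $path
    # On XP most system DLLs are catalog-signed, so Status is often NotSigned even for
    # genuine files (sigverif.exe checks the catalogs); HashMismatch is the state to chase.
    $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    '{0,-9} {1,-26} {2,9} bytes  sig={3}' -f $e.Location, $e.Name, (Get-Item -LiteralPath $path).Length, $sig
    '          {0}' -f $path
    '          MD5={0}  SHA256={1}' -f $digest.MD5, $digest.SHA256
}
```

Run it from an elevated PowerShell prompt and compare the MD5 column against the report: a Run entry whose file is "NOT FOUND" is an orphan left behind by an uninstall and only slows startup, while a Winlogon Notify DLL that resolves somewhere other than System32, or a Run entry pointing into a Temp or profile directory (the RollerCoaster Tycoon 3 entry above is an example of that shape, though it is disabled), is the kind of entry worth checking by hash before it is trusted.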



