

Need Fix Of Virus & Malware Issue; Still A Problem


  • This topic is locked
2 replies to this topic

#1 GeoNOregon

GeoNOregon

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:13 PM

Posted 20 November 2010 - 03:31 AM

I've been having problems with my XP Pro SP2 box for a while. It began with a Google hijacking virus/malware that I could find very little about anywhere.

When I clicked on a Google search results link, the script blocking add-on I have installed in Firefox v.3.6.12 would stop the script and a white screen would appear with a url that started with:
hxxp://plxlestatservlce.com/
and has a long alpha-numeric string after it.

I could get past the problem most of the time if I right-clicked on the link and saved the link URL to the clipboard. I'd right-click again and choose 'Open in New Tab'. Some of the time it would work. If not, I would use another Firefox add-on to open the URL saved on the clipboard in the tab with the 'plxlestatservlce' URL string. This would always work.

I found one post about the 'http://plxlestatservlce.com/' problem when it first began. The post suggested using MalwareBytes Anti-Malware, then Combo-Fix to resolve the problem. I ran MalwareBytes, and it found bugs that I had it fix. I couldn't get ComboFix to run. ComboFix kept giving an error message that it couldn't find a file. I was in the process of sorting the problem out when my mom became sick and I had to put the problem on a back burner.

It was about 3 weeks later before I could get back to the problem. Before I could look for any new info on the Google hijacking problem, a new problem surfaced in the OS, particularly Explorer. I had been wanting to dump Norton AV, and had let the definitions expire a while back. I downloaded and installed aVast and it found problems with the following XP system files:

c:\windows\explorer.exe
c:\windows\system32\
lsass.exe
msvcrt.dll
services.exe
spoolsv.exe
svchost.exe
user32.dll
winlogon.exe
c:\windows\system32\dllcache\msvcrt.dll
c:\windows\system32\dllcache\user32.dll

The only file aVast could fix was the user32.dll in 'dllcache'. I figured the only way to fix the problem would be to find good copies of the files and replace the files using the 'Console' accessible via the XP setup process. I got good copies, and replaced them.

I re-ran aVast and got a clean bill of health.

A new Google search turned up a new post about 'http://plxlestatservlce.com/' hijacking Google. This one recommended using StopZilla to fix the problem. StopZilla found malware, trojans, etc and repaired/deleted/quarantined them. The 'http://plxlestatservlce.com/' problem went out with the trash.

I was about to celebrate when I realized the system was sluggish and not up to par. I ran Task Manager and noticed that one of the 'svchost.exe' processes seemed to be chewing up resources as fast as Task Manager could refresh, (set to High).

The good XP system files I used to fix my system came from my wife's machine. I built both computers at the same time, and except for HD size and I have a DVD burner, while she has a player, they are identical inside the box: MB, CPU, memory, video card, etc. They are twins.

When I first realized something was wrong with the svchost.exe process, I checked Task Manager on her system, and she had no svchost process eating up resources. None of the svchost.exe processes were even close to the resource usage I'm showing and her system hadn't been re-booted for several weeks. That's what leads me to think there's a problem.

Before I started this post, I re-booted the system and did a screen cap of Task Mgr shortly after the re-boot, at 0:16:05, (System Idle Process CPU Time). I just did another, at 3:35:34, (System Idle Process CPU Time). The results are below:

Idle CPU Time | svchost CPU Time | Mem Usage | VM Size | Handles | USER Objects | GDI Objects
0:16:05       | 0:00:01          | 21,936k   | 15,452k | 978     | 2            | 4
3:35:34       | 0:00:18          | 52,860k   | 38,776k | 1,134   | 30           | 128

I have a utility called Process Explorer that reports what is running via any particular process. For this resource gulping svchost.exe, Process Explorer lists the following:

AudioSrv Windows Audio
CryptSvc CryptSvc
Dhcp DHCP Client
dmserver Logical Disk Manager
ERSvc Error Reporting Service
Event System COM+ Event System
helpsvc Help & Support
lanmanserver Server
lanmanworkstation Workstation
Netman Network Connections
Nla Network Location Awareness (NLA)
Schedule Task Scheduler
seclogon Secondary Logon
SENS System Event Notification
ShellHWDetection Shell Hardware Detection
srservice System Restore Service
W32Time Windows Time
winmgmt Windows Management Instrumentation
wscsvc Security Center
wuauserv Automatic Updates

I've only posted a Hijack This log, but I have logs or screen caps from the utilities I've used and mentioned above. If these or any others would be helpful, let me know.

AVast, Anti-Malware and StopZilla give the system a clean bill of health, but something is not right. I'm hoping someone may have experienced what I'm going through. I have never had to 'splice' OS files back into XP before, so I'm not sure if the problem is related to that, or not.

Thanks, in advance, for any help or ideas.

Sincerely,

GeoD

~~~~~~~~~~~

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:26:26 PM, on 11/19/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
U:\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
E:\Office\Atomic Clock\AtomicAlarmClock.exe
C:\Program Files\FTR\ForTheRecord\FTR.TREdge.DeviceDetector.exe
C:\WINDOWS\RTHDCPL.EXE
U:\Avast\avastUI.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\crypserv.exe
U:\Folder Size\FolderSizeSvc.exe
c:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
E:\disk.creating\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
E:\Office\EditPad.Pro\EditPadPro.exe
U:\HiJack This\hijack.this..v.2.0.4.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=45724
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {2D0733B6-0BAC-47C1-909A-D9DB0533FFAF} - (no file)
O2 - BHO: DepositFiles.com BHO - {9DFE2FE9-CF99-4ADF-A28E-9B5ADB8DC74F} - W:\D'LOAD~1.MGR\DEPOSI~1\DEPOSI~1\DEPOSI~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - c:\Program Files\STOPzilla!\SZIEBHO.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Deposit IE Toolbar - {6AA40521-14E7-4B1D-B1B4-98528C1388C9} - W:\D'LOAD~1.MGR\DEPOSI~1\DEPOSI~1\DEPOSI~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SkinClock] E:\Office\Atomic Clock\AtomicAlarmClock.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [DeviceDetector] c:\Program Files\FTR\ForTheRecord\FTR.TREdge.DeviceDetector.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast5] "U:\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [SkinClock] E:\Office\Atomic Clock\AtomicAlarmClock.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Download all with DF Manager - {D5AD327A-A089-4F04-89FD-4EA9812B3913} - W:\D'LOAD~1.MGR\DEPOSI~1\DEPOSI~1\DEPOSI~1.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} (WSpell Spelling Checker Control) - https://mercury.gale.com:1505/Per_Periodical/tools/wspell.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: !SASWinLogon - U:\Super AntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: avast! Antivirus - AVAST Software - U:\Avast\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - U:\Avast\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - U:\Avast\AvastSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - U:\Folder Size\FolderSizeSvc.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Unknown owner - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe (file missing)
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - c:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - E:\disk.creating\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - c:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 6857 bytes

Edited by Orange Blossom, 20 November 2010 - 07:23 PM.
Deactivate link. ~ OB
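The two things the poster did by hand above, reading the services hosted by each svchost.exe in Process Explorer and replacing system files with copies from a twin machine, can be checked from a script. The PowerShell below is an added example, not code from the original post or from BleepingComputer: it lists every svchost.exe with its hosted services and flags any whose image is not %SystemRoot%\System32\svchost.exe, then hashes the files avast flagged and compares them with the dllcache copies and, optionally, with hashes exported from a known-good reference machine. It assumes an elevated PowerShell 2.0 or later session (the WMI cmdlets; XP needs PowerShell 2.0 installed), hashes through .NET because Get-FileHash only exists in PowerShell 4 and later, and uses a hypothetical reference file path C:\ref-hashes.csv.

```powershell
# Added example, not part of the original post.
# (1) svchost.exe -> hosted services, as Process Explorer shows, plus a check
#     that the image really is %SystemRoot%\System32\svchost.exe.
# (2) SHA-256 and file version of the spliced-in system files, compared with
#     the dllcache copies and optionally with a reference machine's hashes.
# Assumptions: elevated PowerShell 2.0+; C:\ref-hashes.csv is a hypothetical
# path for hashes exported from the clean twin machine with this same script.

$sysRoot  = $env:SystemRoot
$system32 = Join-Path $sysRoot 'System32'
$dllcache = Join-Path $system32 'dllcache'

# ---- 1. svchost.exe -> hosted services ------------------------------------
$services = Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }
$expected = Join-Path $system32 'svchost.exe'

foreach ($p in Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'") {
    # A process merely named svchost.exe proves nothing; check the image path.
    $flag = if ($p.ExecutablePath -and ($p.ExecutablePath -ieq $expected)) { '' }
            else { '  <-- image NOT in System32' }
    Write-Output ("PID {0,-6} {1}{2}" -f $p.ProcessId, $p.ExecutablePath, $flag)
    Write-Output ("    cmdline : {0}" -f $p.CommandLine)   # shows the -k service group
    $services | Where-Object { $_.ProcessId -eq $p.ProcessId } | ForEach-Object {
        # PathName is what the Service Control Manager launched for this service;
        # a hosted service pointing anywhere other than svchost.exe is suspect.
        Write-Output ("    {0,-18} {1,-40} {2}" -f $_.Name, $_.DisplayName, $_.PathName)
    }
}

# ---- 2. spliced-in system files vs dllcache / reference hashes ------------
function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace('-', '') }
    finally { $fs.Close() }
}

# The files avast flagged in the post; explorer.exe lives in %SystemRoot%.
$names   = 'lsass.exe', 'msvcrt.dll', 'services.exe', 'spoolsv.exe',
           'svchost.exe', 'user32.dll', 'winlogon.exe'
$checked = @(Join-Path $sysRoot 'explorer.exe') +
           ($names | ForEach-Object { Join-Path $system32 $_ })

# Optional reference hashes (hypothetical path) exported from the clean machine.
$refFile = 'C:\ref-hashes.csv'
$ref = @{}
if (Test-Path $refFile) {
    Import-Csv $refFile | ForEach-Object { $ref[$_.Name.ToLower()] = $_.Sha256 }
}

$report = foreach ($f in $checked) {
    if (-not (Test-Path $f)) { continue }
    $name  = [System.IO.Path]::GetFileName($f)
    $hash  = Get-Sha256Hex $f
    $ver   = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($f).FileVersion
    $cache = Join-Path $dllcache $name
    $cacheMatch = if (Test-Path $cache) { (Get-Sha256Hex $cache) -eq $hash } else { 'n/a' }
    $refMatch   = if ($ref.ContainsKey($name.ToLower())) { $ref[$name.ToLower()] -eq $hash } else { 'n/a' }
    New-Object PSObject -Property @{
        Name = $name; Version = $ver; Sha256 = $hash
        DllcacheMatch = $cacheMatch; RefMatch = $refMatch
    }
}
$report | Format-Table Name, Version, DllcacheMatch, RefMatch, Sha256 -AutoSize

# On the clean twin machine, produce the reference file with:
# $report | Select-Object Name, Sha256 | Export-Csv C:\ref-hashes.csv -NoTypeInformation
```

Two caveats a responder would add. A match between the System32 file and its dllcache copy only shows the two are consistent, not that either is clean; the post itself has avast flagging the dllcache copies of msvcrt.dll and user32.dll, so the reference-machine comparison is the one that carries weight, and it is only meaningful when both machines are at the same service pack and hotfix level. Second, everything here runs in user mode through the normal file and WMI APIs, which a kernel-level rootkit can hook to hand back clean-looking data; that is why the reply below asks for a GMER anti-rootkit log rather than relying on scanner verdicts alone.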



#2 Blind Faith

Blind Faith

  • Malware Response Team
  • 4,101 posts
  • OFFLINE
  • Gender:Female
  • Local time:06:13 AM

Posted 29 November 2010 - 04:12 PM

Hello and welcome to Bleeping Computer :welcome:

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log




Elle
Can you hear it? It's all around!

Do you remember?
If so, then
can you forgive?



If I haven't replied in 48 hours, please feel free to send me a PM.




#3 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 37,108 posts
  • ONLINE
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:10:13 PM

Posted 22 May 2011 - 09:31 AM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Internet Security, NoScript Firefox ext.





