
Overall Slowness - Experienced But Worried User


  • This topic is locked
21 replies to this topic

#16 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 27 February 2006 - 08:57 AM

Hi Nate :thumbsup: Unless you are in a hurry, I still have things we can try. Let's try this; we are really after the tmp files. Here is the first one: 1WMMB3KV\wbk7DD.tmp

Download Killbox from here: http://forum.malwareremoval.com/viewtopic.php?t=320 Make sure you take the time to read the instructions so you will know what you are doing. Let me know if this fixes it.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006


#17 natedees

  • Topic Starter
  • Members
  • 10 posts

Posted 01 March 2006 - 02:47 AM

Phil - Killbox is impressive - did the job with authority. Thanks a ton for that tip. I have a clean Kaspersky scan finally - I can't believe it. I think we are about done - the system is getting pretty clean - I was going to tell you we were all done and that it was awesome working with you etc., but I did a final HJT log for good measure and was reminded - I still never found a couple of these exe files: scvvhost and msdxmlc. I even copied the link directly and Killbox said the file "did not seem to exist" (for both). Confused...

Logfile of HijackThis v1.99.1
Scan saved at 1:38:03 AM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKCU\..\Run: [msdxmlc] C:\WINDOWS\System32\msdxmlc.exe
O4 - HKCU\..\Run: [Microsoft Windows Update] scvvhost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136492339265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136496386468
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87A132AA-D8F0-4A24-8689-0C7CFA468F3A}: NameServer = 24.29.1.218,24.29.1.219
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

#18 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 01 March 2006 - 07:12 AM

OK Mike, we have those two lines still:
This one: C:\WINDOWS\System32\msdxmlc.exe. It is possible this is a valid file; you said here:

The folder does contain msdxmlc.dll, however. Kaspersky scan proclaims: You're clean! Jotti's scan proclaims: Found nothing (on all accounts). The same was true for the msdxmlc.exe - these filenames exist in both the system32 folder and the i386 folder: msdxmlc.ocx and msdxmlc.dll, but I scanned them using the websites you posted for checking files and they came back clean.

This folder >>> i386 folder is where Windows stores the backups so it can retrieve one if needed when a file gets corrupted. We are going to assume this is a valid file and leave it alone. If you wish to investigate it further, navigate to it, right-click, then choose Properties.

Now this one: O4 - HKCU\..\Run: [Microsoft Windows Update] scvvhost.exe is still showing in the log, and this is what I get when I Google it: http://www.sophos.com/virusinfo/analyses/w32forbotfh.html
Here is the rest of the Google search: http://www.google.com/search?sourceid=navc...=scvvhost%2Eexe
Why you are not finding it has me very puzzled. There is no reason to scan it, because there is no doubt this is a very bad worm. The problem is that it must be located to remove it. In 99% of the cases where someone could not find an item with Search, it was because they made a minor error when displaying the hidden files and folders. I will post those instructions again; please go over them very carefully, as Windows XP is a little different from other operating systems:
Double-click My Computer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply", then "OK". Look at this also:

MANUAL INSTRUCTIONS FOR ENABLING HIDDEN FILES
* Double-click My Computer.
* Click the Tools menu, and then click Folder Options.
* Click the View tab.
* Clear "Hide file extensions for known file types."
* Under the "Hidden files" folder, select "Show hidden files and folders."
* Clear "Hide protected operating system files."
* Click Apply, and then click OK.

We could also Killbox this item, but you have to find it to Killbox it. I wish I could find it for you, but I can't. Here are instructions from Trend Micro for removing this if you wish to look at them:
http://www.trendmicro.com/vinfo/virusencyc...BOT.HO&VSect=Sn

This link: http://www.sophos.com/virusinfo/analyses/w32forbotdh.html also provides instructions under the Recovery tab. This requires a registry edit; make sure you back up your registry if you try this fix:
http://support.microsoft.com/kb/322756
http://service1.symantec.com/SUPPORT/tsgen...id/199762382617

As far as I can see, this is the only problem you have, albeit a serious one. I also want to make sure one last time that you understand this: C:\WINDOWS\system32\svchost.exe <<< is a valid and important Windows file; do not confuse it with this: scvvhost.exe

Thanks...Phil
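
The two red flags Phil is working from in the post above, a Run value that is only a bare filename and a process name that is one or two characters away from a real Windows binary, can be checked mechanically rather than by eye. The following is an added example, not code from the original thread or from HijackThis: it parses O4 lines in HJT's log format and flags path-less entries and lookalikes. The sample lines are copied from the logs posted in this thread; the list of imitated system binaries, the allowlist and the edit-distance threshold of 2 are this example's own assumptions.

```python
"""Triage HijackThis O4 autostart lines for two red flags: a bare filename
with no directory (Windows resolves it through the search path, so the file
is hard to locate by hand) and a near-lookalike of a core Windows binary
(scvvhost.exe imitating svchost.exe).

Added example, not code from the original thread or from HijackThis.
SYSTEM_BINARIES, ALLOWLIST and the distance threshold are assumptions.
"""
import re
from typing import Optional

# Core Windows binaries that malware commonly imitates (assumption; extend
# for your own environment).
SYSTEM_BINARIES = [
    "svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe",
    "csrss.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe",
]
# Legitimate names that sit within edit distance 2 of a system binary
# (iexplore.exe vs explorer.exe) and must not be flagged.
ALLOWLIST = set(SYSTEM_BINARIES) | {"iexplore.exe"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small enough to write inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd: str) -> str:
    """Return the program part of a Run value, dropping quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def lookalike_of(exe_name: str, max_distance: int = 2) -> Optional[str]:
    """Name of the system binary this file imitates, or None.

    Exact and allowlisted names are never flagged; the target is near misses.
    """
    low = exe_name.lower()
    if low in ALLOWLIST:
        return None
    best = None
    for sysbin in SYSTEM_BINARIES:
        d = levenshtein(low, sysbin)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, sysbin)
    return best[1] if best else None


def triage_o4(line: str) -> Optional[dict]:
    """Parse one HJT line; return findings for O4 Run entries, None otherwise."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe_path = executable_of(m.group("cmd"))
    exe_name = exe_path.rsplit("\\", 1)[-1]
    flags = []
    if "\\" not in exe_path:
        flags.append("path-less")
    imitated = lookalike_of(exe_name)
    if imitated:
        flags.append(f"lookalike of {imitated}")
    return {"hive": m.group("hive"), "name": m.group("name"),
            "exe": exe_name, "flags": flags}


# Copied from the HijackThis logs in this thread (one non-O4 line included
# to show it is skipped).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKCU\..\Run: [msdxmlc] C:\WINDOWS\System32\msdxmlc.exe',
    r'O4 - HKCU\..\Run: [Microsoft Windows Update] scvvhost.exe',
    r'O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe',
]


def suspicious_entries(lines) -> list:
    """O4 entries carrying at least one flag, in log order."""
    return [r for r in map(triage_o4, lines) if r and r["flags"]]


if __name__ == "__main__":
    for r in suspicious_entries(SAMPLE_LINES):
        print(f'{r["hive"]} [{r["name"]}] {r["exe"]}: {", ".join(r["flags"])}')
```

Run against the logs above, only the scvvhost.exe entry is flagged, and it trips both checks at once: no directory, and two edits away from svchost.exe. The msdxmlc.exe entry is not flagged by either rule, which matches the thread's conclusion that it has to be judged on the file itself rather than on its name. A lookalike check with a small distance threshold produces occasional false positives on legitimate names, which is why the allowlist exists; treat a hit as a prompt to locate and hash the file, not as a verdict.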

#19 natedees

  • Topic Starter
  • Members
  • 10 posts

Posted 06 March 2006 - 02:55 PM

Phil,

I looked at the proposed solutions to disabling scvvhost.exe by editing the registry, and searched for it using killbox. Would you believe, there were no lines in the registry in the folders mentioned in those pages for starting this file at startup. Only in one folder did I find a line for running the msdxmlc.exe file - the second file we had been chasing. I deleted that line.

I am not at home to post another HJT log. Something is still affecting the operation. Could the log be showing us something that isn't really there? What other forms does a worm or whatever this is take on? For instance, could it be running from inside a file named something else that it has corrupted?

Thanks for your thoughts,
Nathan

#20 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 06 March 2006 - 05:24 PM

Hi Nate, I was hoping for good news :thumbsup: It's logs like this one that make me want to quit my volunteer job :flowers:
I am kind of bogged down in all we have tried, and this could be some kind of rootkit: http://en.wikipedia.org/wiki/Rootkit and we may have to look to see if this is the case. Most of the rootkits that are easily removed I know, and the others usually compromise the system so badly you can never feel safe, and a reformat is the best option. I would like a fresh start: a new HJT log and the results of a last Kaspersky scan. Please also (even if you have done so before) describe the symptoms in as much detail as you can (it could be something other than malware), and if you are receiving any error messages, please post them "word for word".

Let's also take a look at a log from RootkitRevealer. Download it from here: http://www.sysinternals.com/Utilities/RootkitRevealer.html and use these instructions:
* Download and unzip it, then run the .exe and scan.
* When it's done, go to File > Save.
* Attach the log here in your next reply.
Not to worry, there are a lot of items and it's an intensive scan. I suggest you disconnect from the internet and leave the PC alone until it's finished.

Because the log can be very large please edit out items in C:\RECYCLER\NPROTECT if there.
And C:\System Volume Information, before posting.

Thanks...Phil

#21 natedees

  • Topic Starter
  • Members
  • 10 posts

Posted 07 March 2006 - 09:02 AM

Phil -

As for the problem in general, there is a slowness to the operation. It is like someone took half of the RAM out of my computer, and now I can't open more than a couple of programs before having to wait a long time for the simplest tasks. It has definitely improved since we started; however, I am still worried that there is one more thing to fix to get it running as it should.

The rootkit revealer scan:

HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned 3/7/2006 1:22 AM 50 bytes Windows API length not consistent with raw hive data.

HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned 3/7/2006 1:22 AM 4 bytes Data mismatch between Windows API and raw hive data.

HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwLastModified 3/7/2006 1:22 AM 4 bytes Data mismatch between Windows API and raw hive data.

I looked into this just a little and found these explanations on the site you listed:

Windows API length not consistent with raw hive data.
Rootkits can attempt to hide themselves by misrepresenting the size of a Registry value so that its contents aren't visible to the Windows API. You should examine any such discrepancy, though it may also appear as a result of Registry values that change during a scan.


Data mismatch between Windows API and raw hive data.
This discrepancy will occur if a Registry value is updated while the Registry scan is in progress. Values that change frequently include timestamps such as the Microsoft SQL Server uptime value, shown below, and virus scanner "last scan" values. You should investigate any reported value to ensure that it's a valid application or system Registry value.

I didn't try to analyze this yet.

I performed a Kaspersky scan - it came up clean!
I performed HJT scan:

Logfile of HijackThis v1.99.1
Scan saved at 7:52:55 AM, on 3/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136492339265
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136496386468
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{87A132AA-D8F0-4A24-8689-0C7CFA468F3A}: NameServer = 24.29.1.218,24.29.1.219
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe

Let me know what you think - notice the scvvhost and msdxmlc entries are removed!

#22 pskelley

  • Members
  • 1,487 posts
  • Gender:Male

Posted 07 March 2006 - 09:52 AM

Hi Nate, I think you have a spotless HJT log, nothing showing in the Kaspersky scan, and I see nothing suspect in the results from the Sysinternals scan. The scan shows Network Associates changes, and those change with every database update. I see nothing of any malware in this log. I have been wrong before, but I believe something else is causing this problem. I am going to make two suggestions:

1) Register free and post here: http://forums.tomcoyote.org/index.php?showforum=83 giving detail about your problem, those folks may be able to help?

2) Register free here and run a diagnostic: http://www.pcpitstop.com/ Post the results here: http://pcpitstop.invisionzone.com/index.php?showforum=6 for expert help in understanding the results.

3) Please link me to that diagnostic information, I may also spot something.

Thanks...Phil
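
Nate's RootkitRevealer output and the Sysinternals explanations he quoted, together with Phil's reading of them, amount to a triage rule: a "Data mismatch" or "length not consistent" report on a value that is a counter or timestamp (an antivirus "last scanned" key) is the value moving during the scan, while an entry "Hidden from Windows API" is the genuine rootkit signature and is never explained away by timing. The following is an added example, not code from the thread or from Sysinternals, that applies that rule to RootkitRevealer lines. The first three sample lines are the ones posted above; the fourth is a constructed entry with a hypothetical path, included only to exercise the "hidden" branch. The list of volatile value-name patterns is this example's assumption.

```python
"""Classify RootkitRevealer discrepancies: registry values that legitimately
changed while the scan ran versus entries actually hidden from the Windows
API.

Added example, not code from the original thread or from Sysinternals. The
VOLATILE_NAME_RE patterns are an assumption; the fourth sample line below is
constructed with a hypothetical path.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RootkitRevealer reports: path, timestamp, size, description. The forum
# post flattened the tab separators into spaces, so the parser recognises
# the timestamp and size fields instead of splitting on tabs.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+"
    r"(?P<size>\d+(?:\.\d+)? (?:bytes|KB|MB))\s+"
    r"(?P<desc>.+)$"
)

# Value names that change constantly on a running system (assumption; extend
# per environment). One of these plus a mismatch description means "the
# value moved while the scan ran", not "something is hiding".
VOLATILE_NAME_RE = re.compile(
    r"(LastScanned|FilesScanned|LastModified|Uptime|LastUpdate)", re.I
)

MISMATCH_DESCS = (
    "Data mismatch between Windows API and raw hive data.",
    "Windows API length not consistent with raw hive data.",
)
HIDDEN_DESC = "Hidden from Windows API."


@dataclass
class Finding:
    path: str
    desc: str
    verdict: str  # "likely-benign", "investigate" or "high"


def parse_line(line: str) -> Optional[dict]:
    """Split one RootkitRevealer line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: dict) -> Finding:
    path, desc = entry["path"], entry["desc"]
    leaf = path.rsplit("\\", 1)[-1]
    if desc == HIDDEN_DESC:
        # The API cannot see an object the raw scan can: the classic
        # kernel-rootkit signature, never explained by scan timing.
        verdict = "high"
    elif desc in MISMATCH_DESCS and VOLATILE_NAME_RE.search(leaf):
        verdict = "likely-benign"
    else:
        verdict = "investigate"
    return Finding(path, desc, verdict)


def triage(lines) -> list:
    """Findings for every parseable line, in log order."""
    return [classify(e) for e in map(parse_line, lines) if e]


def persistent_across(*scans) -> set:
    """Paths reported in every scan. A discrepancy that survives a rescan on
    an idle machine deserves a closer look even if classed likely-benign."""
    sets = [{f.path for f in triage(s)} for s in scans]
    return set.intersection(*sets) if sets else set()


SAMPLE_LINES = [
    # From the post above: McAfee/Network Associates on-access scanner counters.
    r"HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\szLastScanned 3/7/2006 1:22 AM 50 bytes Windows API length not consistent with raw hive data.",
    r"HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwFilesScanned 3/7/2006 1:22 AM 4 bytes Data mismatch between Windows API and raw hive data.",
    r"HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\dwLastModified 3/7/2006 1:22 AM 4 bytes Data mismatch between Windows API and raw hive data.",
    # Constructed, hypothetical path: the shape of a genuinely hidden driver.
    r"C:\WINDOWS\system32\drivers\hypothetical_hidden.sys 3/7/2006 1:22 AM 15.00 KB Hidden from Windows API.",
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.verdict:14} {f.path}")
```

On the three lines Nate posted the verdict is "likely-benign" in each case, which is the same conclusion Phil reached by recognising the Network Associates keys. The constructed fourth line shows what would have changed that verdict. A mismatch under a key that is not obviously a counter lands in "investigate", and persistent_across() gives the follow-up Sysinternals recommends: rescan with the machine idle and disconnected, and look harder at anything that is still reported.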



