Here’s one for you:
The week before last I picked up some malware (Antispyware System Pro). When I tried to close the hijacked windows the computer froze, but not all at once: Any audio looped the last fraction of a second, I could open the Task Manager and go through the motions of closing processes but nothing happened, and finally everything but the mouse stopped working.
I eventually got the system totally clean by using several different systems but it still stops after about 10-20 minutes, especially if I am watching some video. I switch it off then on and everything is fine, so it’s not an overheating issue.
I have work to do tomorrow and am at my wits’ end. Any ideas?
Oh, I’m running NT Pro SP3
The first possibility is that your system is not properly clean. Have you manually removed the files and registry entries listed here ? If the problems persist following this, run a HijackThis log, and if you are unfamiliar with interpreting it, post the results in their forum, or here, for someone to highlight remaining malware.
Done all that. It was a couple days before I could even boot in safe mode without a BSOD.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:11, on 12/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla fswctrl.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\windows\system32\hkcmd.exe
C:\windows\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\windows\system32\igfxsrvc.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32 askmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: CacherBHO - {9B4DF450-DCC7-4B07-935D-0CD757A64583} - C:\Program Files\Moyea\YouTube FLV Downloader\MoyeaCatcher.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Autodesk DWF - {F03966D3-8EA0-47b4-BBE0-85BFE6CBC8AC} - C:\Program Files\Autodesk\Autodesk DWF Writer\DWF Addin\DWFIEAddin.dll
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla fswctrl.exe
O4 - HKLM..\Run: [avgnt] “C:\Program Files\Avira\AntiVir Desktop\avgnt.exe” /min
O4 - HKLM..\Run: [IgfxTray] C:\windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] “C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe” /runcleanupscript
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [VeohPlugin] “C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe”
O4 - HKCU..\Run: [swg] “C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe”
O4 - HKCU..\Run: [Google Update] “C:\Documents and Settings\Mike\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra ‘Tools’ menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll ,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Autodesk Data Management Job Dispatch - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Dispatch\Connectivity.WindowsService.JobDispatch.exe
O23 - Service: Autodesk EDM Server - Autodesk - C:\Program Files\Autodesk\Data Management Server 2008\Server\Webserver\Connectivity.EDMWS.Server.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: SW Distributed TS Coordinator Service (CoordinatorServiceHost) - Dassault Systèmes SolidWorks Corp. - C:\Program Files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WUSB54GCSVC - GEMTEKS - C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
–
End of file - 8728 bytes
I don’t see anything suspicious still intact, however I’m no expert. You’ll probably have more luck on the Beeping Computer forum .
I would remove;
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
It’s also worth running Malwarebytes in safe mode, if you haven’t already.
I’ve just noticed your log says you’re running XP not NT. Did you switch off system restore when running Malwarebytes? If not do so, then run a scan in safe mode.
No, just a momentary time warp back into the 90s.
I’m finding that not allowing any audio seems to help. Reinstalled my sound driver but that didn’t work so I’m not doing anything that involves sound.
Ran it for an hour with system sounds off with no problems. Watched two minutes of Jay’s Garage and it froze.
Need to work so I disabled the onboard sound device and will shop for a new sound card later.