
Author Topic: Att: CH Authorized Malware Removal Specialists - details and all logs included  (Read 10878 times)


Skeye
I, in true newbie fashion, posted this to the incorrect forum (Windows), so here is the breakdown from a couple of threads:

OS: XP Home
version '02 SP3

Compaq Presario
AMD Athlon XP 2600+
2.13 GHz, 224 MB RAM

Browser: Firefox latest version

Windows security setting on High.

Skill level: I am a computer 'user', not a programmer, and I don't thoroughly understand a computer's ins and outs. No DOS experience really. So moderate navigational ability.


After my system BSOD'd, a friend lent me his system, which he had had in storage for a while. He apparently maxed out most of his hard drive memory space with music programs and files mostly. It had been operating at between just under 100 MB at times (I know, this is dangerous) to just above 400. When it was around 200 I consulted with my friend on what programs I could possibly remove to free up space. We removed what should have been about 200 to 300 MB, but when I looked there was just over 300 MB.

Well, it was operating okay and staying above 300 (I clear the cache and temporary files after every internet session), but then there was a small Windows security update (regarding the 'remote access' threat) and shortly after that I noticed it was up over 600 MB!

Yesterday, it took a long time for the system to start up and for the user profile to get started as well; then my Windows firewall alerted me it was inactive. AVG has had the email scanner mysteriously disabled a couple of times recently, but it 'righted itself'. One time about 4 of the AVG scanners were inoperative, but I restarted and it was fine.

Also, recently AVG has isolated a couple potential 'hack tools':
10/22 - C:\hp\bin\Terminator.exe
10/24 - C:\System Volume Information\_restore{long line of numbers and letters}\RP8\A0000685.exe

This second one seems to possibly be relevant to my problem:

Sometimes it will be moving along just fine and then other times super slow. After the Windows security update it seemed to be moving along great, but I am on Facebook, Youtube, Tribe.net and Myspace, which seems to drag it down and fill up space even after clearing internet files. Today, though, I changed some settings in the System's Performance Advanced options to see if that could help with memory usage, and I was on Tribe for a while, clicked some links to Youtube and one to the ACLU's site, and after this I checked my MB and it was down a bit even after I cleared things, so I decided to restart the computer because it seems that helps sometimes.

Now, usually when it is starting it goes to the screen where you have two options of what to start up in, and it is set to wait only 3 seconds and load up in what it has highlighted to begin with, and that has been Windows XP Home Edition, but this time it said System Recovery Console first and WinXP Home Ed. second and I didn't catch it before it advanced. It gave me 3 options (2 from D:\, 1 from C:\Win XP). I was able to hit Enter to have it restart and then move the bar down one to highlight WIN XP HOME and then start. It worked, but when I entered my user account both the AVG and Windows firewalls had been disabled!

I enabled them and restarted, but it still wants to start in the System Recovery Console.

What is going on?!

It occurred to me that possibly this computer had been 'zombied' (not really sure how that works, but I get the gist), after the Win sec. update freed up so much space and it was moving faster, like it had disconnected something that was on here taking up space and operating time, but I really don't know.

I came to this site to post to the forum, clicked on the Support graphic on the main page first, then 'Display your system information and plugins', and saw that it was recommended to update things because they have necessary security updates as well. I did Java first; odd things with Java had been happening (it was interfering with my accessing Hushmail.com), so I was hoping this would help, but after installing, the Java site has a test graphic that didn't work and gave me this:

Java Plug-in 1.6.0_10
Using JRE version 1.6.0_10 Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\S&S
----------------------------------------------------
c:   clear console window
f:   finalize objects on finalization queue
g:   garbage collect
h:   display this help message
l:   dump classloader list
m:   print memory usage
o:   trigger logging
q:   hide console
r:   reload policy configuration
s:   dump system and deployment properties
t:   dump thread list
v:   dump thread stack
x:   clear classloader cache
0-5: set trace level to <n>
----------------------------------------------------


TestVM 8.18 sc
Copyright (c) 2008 Sun Microsystems, Inc.
All Rights Reserved.
Current JRE version set in file: 
java.lang.NumberFormatException: For input string: " "
   at java.lang.NumberFormatException.forInputString(Unknown Source)
   at java.lang.Integer.parseInt(Unknown Source)
   at java.lang.Integer.<init>(Unknown Source)
   at testvmDynamicJavaComPopUp819.init(testvmDynamicJavaComPopUp819.java:269)
   at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
   at java.lang.Thread.run(Unknown Source)
Exception: java.lang.NumberFormatException: For input string: " "
Exception in thread "Thread-13" java.lang.NullPointerException
   at testvmDynamicJavaComPopUp819.run(testvmDynamicJavaComPopUp819.java:440)
   at java.lang.Thread.run(Unknown Source)

~~~~~~~~~~

Computer seems to be operating okay right now, not too slow, but I still want to know what is going on when it is booting up.

Thanks for any consideration.

P.S.: I forgot to mention that I ran an AVG full system scan last night as I went to bed, got up in the morning, woke it up out of 'sleep' and AVG said it didn't find anything.


8:03pm Update: Just restarted the computer and noticed that it says Microsoft Windows Recovery Console, in case that makes a difference, and now AVG says the E-mail scanner is inactive again.

~~~~~~~~~~

Monday 10/27 1:24pm update: Tried a system restore (checkpoint 10/24) and now the boot directories are switched back to normal, with Windows XP Home first and Win Recovery Console second. It boots like normal, but when I entered my user account the first time it said System Restore renamed files to preserve integrity:

Cache -----> Cache(2)
location: C:\Documents and Settings\S&S\Local Settings\Application Data\Mozilla\Firefox\Profiles\57nrewse.default

winspamcatcher.dll -----> winspamcatcher(2).dll
location: C:\Program Files\AVG\AVG8

netapi32.dll -----> netapi(3).dll
location: C:\WINDOWS\system32

AVG had 4 components off again (Firewall, Email scanner, Web Shield and Update manager). It was at the restore point where I had to do the Windows security update installation (regarding the 'remote access' threat), so I reinstalled and restarted. It booted okay still and the AVG Update manager was on, the other 3 still off.

Did a restore again (10/21); it booted okay and System Restore says: Restoration Incomplete. Tried this for 3 more dates back; no more before the 17th due to low disk space, I believe. So at this point it is booting okay, but AVG is still messed up and it is back to loading really slowly.

I tried to do a System Restore Undo, but it wouldn't do that either.

As it stands: boots okay for now... AVG8 Firewall, Email scanner and Web Shield are inactive and cannot be activated. HD space really low again (was at around 600 MB, but now almost 200); otherwise navigation is okay, slow but not too slow.

Thanks!   ;D
« Last Edit: October 27, 2008, 11:21:13 PM by Skeye »

Skeye
Re: Help me CH Authorized Malware Removal Specialists, you're my only hope!
« Reply #1 on: October 27, 2008, 04:33:50 PM »
AVG8 just did an automatic update. I had attempted updates earlier today, but it said none were available... all still the same though.    :-\

Skeye
Re: Help me CH Authorized Malware Removal Specialists, you're my only hope!
« Reply #2 on: October 27, 2008, 07:35:44 PM »
Okay, I got started on the Malware Removal, but I am at step 4 and am down to 218 MB.

Here is my first log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/27/2008 at 05:59 PM

Application Version : 4.21.1004

Core Rules Database Version : 3610
Trace Rules Database Version: 1596

Scan type       : Complete Scan
Total Scan Time : 01:39:07

Memory items scanned      : 302
Memory threats detected   : 0
Registry items scanned    : 4416
Registry threats detected : 0
File items scanned        : 64137
File threats detected     : 2

Adware.Tracking Cookie
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt


I could download the other programs required to finish this, but it is getting dangerously low. What should I do?    :-\

Skeye
Re: Help me CH Authorized Malware Removal Specialists, you're my only hope!
« Reply #3 on: October 27, 2008, 10:13:22 PM »
Well after AVG did another auto update, I now have around 300 MB so I am proceeding with the program downloads and here is my second log:

Malwarebytes' Anti-Malware 1.30
Database version: 1329
Windows 5.1.2600 Service Pack 3

10/27/2008 9:06:19 PM
mbam-log-2008-10-27 (21-06-19).txt

Scan type: Quick Scan
Objects scanned: 51501
Time elapsed: 11 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cryptographic Service (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Update (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Owner\results.txt (Malware.Trace) -> Quarantined and deleted successfully.

Skeye
Re: Help me CH Authorized Malware Removal Specialists, you're my only hope!
« Reply #4 on: October 27, 2008, 11:18:41 PM »
I had to remove old Java, and during the time before I downloaded the new version the computer seemed to run better. I forgot to check if AVG was better then, but it still has the 3 functions 'stopped/inactive'. Here is my last log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:37 PM, on 10/27/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgfws8.exe (file missing)
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4480 bytes
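The log above is the kind of thing a helper reads by eye. As an added illustration (not code from this thread, from HijackThis or from any of the tools mentioned), the script below parses a constructed subset of the same log lines and pulls out the three entry types a reviewer checks first: O23 services whose binary is reported "(file missing)" (which matches the AVG components the poster cannot activate), O2 browser helper objects with "(no file)", and O4 Run entries that name a bare executable with no directory, which Windows resolves through the PATH. The function names `triage`, `first_token` and `report` are my own; none of these findings is proof of malware, only the lines worth confirming on disk.

```python
import re

# Constructed sample: a subset of the HijackThis 2.0.2 log lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O23 - Service: AVG8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgfws8.exe (file missing)
"""

# Every HijackThis entry starts with its section code (O2, O4, O23, R1, ...).
ENTRY_RE = re.compile(r"^(?P<code>[OR]\d+) - (?P<body>.*)$")
# O4 autostart entries: "<hive\..\Run>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O23 services: "Service: <display name> (<short name>) - <owner> - <path>"
O23_RE = re.compile(r"^Service: (?P<display>.+?) \((?P<short>[^)]+)\) - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def first_token(cmd):
    """Return the executable part of a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Walk a HijackThis log and collect the entry types worth a second look.

    Returns a dict with three lists:
      missing_services - O23 short names whose binary HijackThis could not find
      orphan_bhos      - CLSIDs of O2 helper objects registered with no DLL on disk
      bare_run_entries - (value name, executable) of O4 entries that name an
                         executable with no directory, so it resolves via PATH
    """
    out = {"missing_services": [], "orphan_bhos": [], "bare_run_entries": []}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O23" and body.endswith("(file missing)"):
            svc = O23_RE.match(body)
            out["missing_services"].append(svc.group("short") if svc else body)
        elif code == "O2" and body.endswith("(no file)"):
            clsid = CLSID_RE.search(body)
            out["orphan_bhos"].append(clsid.group(0) if clsid else body)
        elif code == "O4":
            m4 = O4_RE.match(body)  # startup-folder O4 lines do not match and are skipped
            if m4:
                exe = first_token(m4.group("cmd"))
                if "\\" not in exe:
                    out["bare_run_entries"].append((m4.group("name"), exe))
    return out


def report(log_text):
    """Human-readable summary suitable for posting back to a thread like this one."""
    r = triage(log_text)
    return "\n".join([
        "Services with missing binaries: " + (", ".join(r["missing_services"]) or "none"),
        "BHOs with no DLL on disk: " + (", ".join(r["orphan_bhos"]) or "none"),
        "Run entries using bare executable names: "
        + (", ".join(f"{n} -> {exe}" for n, exe in r["bare_run_entries"]) or "none"),
    ])


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the sample it lists both AVG services reported "(file missing)", the one orphaned BHO CLSID, and the three Run values (nwiz, S3TRAY2, AlcxMonitor) whose command gives no path; the quoted Java updater path is correctly left alone.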

Skeye
I just saw this thread this morning that addresses some of what I have mentioned, which is the fluctuating usage of free space on the HD:

"Memory space keeps decreasing".... Is this a virus?
http://www.computerhope.com/forum/index.php/topic,69137.0.html

This is why I mentioned the possibility of a 'zombie' attack. To me it would make sense that if the computer was being used by another party there would be fluctuations like this. Also, like I mentioned, after Windows updated with the security patch for 'remote access' the MBs went up big time.

Windows firewall is operable, but at this time AVG is still down. I am considering removing AVG and trying another security program, but hope I can get a reply soon.

I know you guys are busy and I am grateful for all you have helped with before.  ;D

evilfantasy
You keep bumping your post to the top of the forum, which actually moves you farther down the waiting list. We start with the oldest posts first. Chill out; this is a busy forum and only 2 of us are helping here.

evilfantasy
After all of that waiting I don't think this is a malware problem. There are a few things to do though.

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Note: the instructions below were created specifically for this user. If you are not this user, DO NOT follow these directions, as they could damage the workings of your system.

Go to Start > Run and type notepad.exe then click OK

Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"AlcxMonitor"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

Delete the fixme.reg from the Desktop.

----------

I'm not sure what it is. Please continue in the Windows forum.

Sorry for the wait ;)
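The fixme.reg above does exactly one thing: the `"AlcxMonitor"=-` line deletes that single value under the Run key, so the program stops being launched at logon. As an added example (my own code, not from this forum or from any tool it mentions), the script below builds a file of that same REGEDIT4 form for a given value name and, more usefully for a reader, parses any .reg file and lists every action merging it would take, so that a file someone is asked to merge can be checked for "deletes one value and adds nothing" before double-clicking it. `run_value_removal_reg`, `describe_reg` and `is_deletion_only` are names I chose.

```python
import re

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# REGEDIT4 files are ANSI text (what XP-era fixes use); the 5.00 header form is Unicode.
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# "[HKEY_...\Key]" opens a key; "[-HKEY_...\Key]" deletes the whole key.
SECTION_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
# "Name"=data or @=data (default value); data of "-" means delete the value.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def run_value_removal_reg(value_name, hive="HKEY_LOCAL_MACHINE"):
    """Build a REGEDIT4 file, in the same shape as the fixme.reg in this thread,
    whose only action is to delete one value under <hive>\\...\\Run."""
    if not value_name or any(ch in value_name for ch in '"\r\n'):
        raise ValueError("value name must be a single line without quotes")
    return f'REGEDIT4\n\n[{hive}\\{RUN_KEY}]\n"{value_name}"=-\n'


def describe_reg(text):
    """List every action a .reg file takes when merged, as (action, key, name)
    tuples where action is 'delete_key', 'delete_value' or 'set_value'.

    Raises ValueError for an unknown header, a value outside any [key], or a
    line this parser does not understand (e.g. hex(...) continuation lines,
    which this small parser deliberately does not join).
    """
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing or unknown .reg header")
    actions, key = [], None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):      # blank or comment line
            continue
        sec = SECTION_RE.match(ln)
        if sec:
            key = sec.group("key")
            if sec.group("delete"):
                actions.append(("delete_key", key, None))
                key = None                    # values under a deleted key make no sense
            continue
        val = VALUE_RE.match(ln)
        if not val or key is None:
            raise ValueError(f"unrecognised line or value outside a key: {ln!r}")
        name = "(Default)" if val.group("default") else val.group("name")
        action = "delete_value" if val.group("data") == "-" else "set_value"
        actions.append((action, key, name))
    return actions


def is_deletion_only(text):
    """True when merging the file removes values only and adds or changes nothing."""
    return all(a == "delete_value" for a, _, _ in describe_reg(text))


if __name__ == "__main__":
    reg = run_value_removal_reg("AlcxMonitor")
    print(reg)
    for action, key, name in describe_reg(reg):
        print(action, key, name)
    print("deletion only:", is_deletion_only(reg))
```

Usage note: the "success message" the helper asks about is regedit confirming the merge; `describe_reg` answers the other half of the question (what the merge will do) without touching the registry at all, which is why it is safe to run on any machine.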

Skeye
SUCCESS! Thank You evilfantasy!

Not sure what this was for, but let's hope it helps.   :)

There was a long list of stuff in there. Was that just a generated list of files or potential things that needed to be fixed or deleted?

This hard drive hasn't been defragged and it is mostly red. I was advised by a 'geek' buddy of mine not to worry about that, because it would take way too long and potentially do more harm than good at this point. Which seemed odd to me.

I'm still concerned about the fluctuating disk space usage, but I will check that other thread for more info.

Now my main problem is still AVG8. I noticed something while exploring it:

I went into Firewall and Tools-->Firewall Settings

And on the left menu I noticed Standalone Computer (which I have this designated as, because it is not networked), opened it and clicked on Applications. It showed a list in the main window and these three things are designated to be blocked:

- Local Security Authentication Server
- Remote Desktop Help Session Manager (which I see as probably appropriate)
- RunDLL32

I'll look to see what other forum I should post this in for AVG help, but just thought I would mention in case you know anything on this.

Thanks again for your time and efforts!

BIG Cyber Hug and/or Hi-five!  ;D

patio
Quote
I was advised by a 'geek' buddy of mine not to worry about that, because it would take way too long and potentially do more harm than good at this point.

Stop taking this geek buddy's advice right away...
" Anyone who goes to a psychiatrist should have his head examined. "

Skeye
Well, I got the AVG fixed after attempting a few things on the AVG support site: I downloaded a new installer file and told it to 'repair'. Not only did it repair, but I went from being almost down to 100 MB, because of having to download all these fix programs, to 1.1 G! So I don't know, just hope it stays cool for a while.

I opted for the AVG toolbar, let's see if that helps.

Thanks again to the CH gurus!  ;D

And yes patio, my 'geek buddy' is a computer engineer, but I believe he thinks he knows more than he really does at times. I know where to come when I need help now.   ;)

Really though, he means well and has been fairly helpful before; I am just getting an idea of his limitations. lol!

Peace y'all!

evilfantasy
I would try a good defrag. Sometimes it works wonders...

First give the disk a good cleaning of junk files to help the defrag work faster.

Download and install CleanUp!.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
  • Click Options...
  • Move the arrow to Standard CleanUp!
  • Uncheck the following: (if checked)
    • Delete Newsgroup cache
    • Delete Newsgroup Subscriptions
  • Click OK
Click the CleanUp! button to start the program. Reboot/logoff when prompted.

----------

Defragment your hard drive

I suggest installing a good FREE third party defrag utility. It works much faster than the built-in Windows defrag. Defraggler - http://filehippo.com/download_defraggler/

You don't have to, but to help it work better you can run it in Safe Mode.

A tutorial for disk defragmentation is available at BleepingComputer.com

Skeye
Wow, awesome EF!   ;D

I just had a feeling to come back here and see if there was anything else posted and boy am I glad I did.

Overall the hard drive space is fluctuating between the lower 900s to just over a gig, but CCleaner really seems to help clear out the most. It finds things that Windows and Firefox don't. It drags sometimes depending on the graphic intensity (videos and such), even after I have stopped being on those pages. Like just now, I minimized this window (no other tabs or anything else running, although I do have that AVG second icon with the triangle that says it's scanning but it's not as far as I can tell) and it slowly 'melted' down (like a transition in a video where the page disappears from top to bottom).

Anyway, glad to hear about CleanUp... I'll go download it now and follow these instructions and let you know how it goes. Thanks again EF, this has been a great relief.   ;D

evilfantasy
Note that CCleaner only cleans the account that you are signed on to. If you have multiple users it needs to be run on each account. CleanUp works on ALL accounts.

Skeye
Quote
Note that CCleaner only cleans the account that you are signed on to. If you have multiple users it needs to be run on each account. CleanUp works on ALL accounts.

That's definitely good to know... should I uninstall CCleaner after I have CleanUp?

I went to the site to download CleanUp and it was down for maintenance.   :(

I'll check back...

I read the tutorial and noticed this:

"A partition must have 15 percent free space on the drive for the Disk Defragmenter to work properly."

D'oh!  :o

I only have a gig on this 32.2 G HD.   :P  ::)

Oh well... I'll still get CleanUp; it sounds like a better program.

Oh, EF... I forgot to ask what that file you had me integrate(?) was for. What did that do?   ???