after trojan cleanup, system grinds to halt (freezes) after 1-2 minutes

dan glenn

Hi - friend of mine had problems with a (at least one) trojan
(Backdoor.Trojan was the one that his Norton Anti-Virus warned about) and
soon afterwards found that within a minute or two of booting up his system
would just freeze up. It doesn't instantly freeze up - it's like a
progressive resource hog, because immediately after booting up things seem
normal (no slow down) but within a minute or two things grind to a halt.
Have to power off and back on. If I turn off his services in safe mode with
msconfig and reboot into normal mode, no problems (except that without
services he can't get on net through his DSL).

System runs clean with latest versions of SpybotS&D, AdAware, McAfee and
Norton Antivirus (some worms and trojans were found but successfully
removed). Yet we still have this 'grind to a halt problem'.

Does anyone have an idea of what kind of virus/trojan/worm is responsible
for this behavior?

Any help greatly appreciated,
-dg
P.S. Here's the latest HijackThis! log:

Logfile of HijackThis v1.97.7
Scan saved at 4:56:57 PM, on 5/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MSN\MSNIA\dslmon.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\_Installs\Anti-Virus, etc\Hijack This\HijackThis.exe

O2 - BHO: SpywareGuard Download Protection -
{4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program
Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -
c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common
Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe"
/checktask
O4 - HKLM\..\Run: [VirusScan Online]
"c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program
Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [MSConfig]
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SSK Service] C:\WINDOWS\winssk32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"
/background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection
Manager\CManager.exe
O4 - Startup: HiJack.lnk = C:\_Installs\Anti-Virus, etc\Hijack
This\HijackThis.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) -
http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor
Class) -
http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1079197976593
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) -
https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating
System Class) -
http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) -
http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload
UI Control) - http://services.photoworks.com/Pixami/PixamiSFWUploader.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) -
https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload
Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37691.703275463
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) -
http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) -
http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) -
http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload
Tool Class) -
http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_2us.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -
http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) -
http://simcity.ea.com/play/classic/SimCityX.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) -
http://photos.msn.com/r/neutral/controls/MsnPUpld.cab?5,0,1730,0
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software
XUpload) - http://photo.walmart.com/photo/upload/XUpload.ocx
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4358/mcfscan.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{0871A618-5910-4A25-ACCF-977B5FA700C1}:
NameServer = 206.13.31.12 206.13.28.12
O17 -
HKLM\System\CS1\Services\Tcpip\..\{0871A618-5910-4A25-ACCF-977B5FA700C1}:
NameServer = 206.13.31.12 206.13.28.12
 
Conor

At a rough guess I'd say Spybot S&D Teatimer resident protection as it
had a serious memory leak unless he's upgraded to the non-BETA release
of 1.3 out the other day.
 
Duane Arnold

Conor said:
At a rough guess I'd say Spybot S&D Teatimer resident protection as it
had a serious memory leak unless he's upgraded to the non-BETA release
of 1.3 out the other day.

Sometimes, one must use other tools that are mentioned in the link to
track things down as the malware detectors cannot catch everything. One
must look for them oneself.

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Duane :)
 
dan glenn

Conor said:
At a rough guess I'd say Spybot S&D Teatimer resident protection as it
had a serious memory leak unless he's upgraded to the non BETA release
of 1.3 out the other day.

The Teatimer is from the non-BETA release a few days ago, and besides, this
problem was before I ever got SpyBotS&D onto his system.

Since the nature of this problem is that resources are being progressively
gobbled up as soon as startup completes, until the whole system freezes in
just a minute or two, isn't there some way that the application or process
that's doing this can be identified?

Since it doesn't happen with services turned off, I may try a 'binary
search' through the services to locate the service that causes the problem
(Enable half of them first - if it hangs the problem is in the services
enabled, if not in the services still disabled; then apply the same process
to the suspect group, etc, until narrowed down to the culprit). Once I know
the service, as long as it's not a 'crucial' service, I should be able to
just disable it and everything will be dandy. Is this logical or am I an
ignorant fool?

thanks for the input so far...
-dg
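The "binary search through the services" described above is a sound plan when one service is to blame, but it has a blind spot worth knowing before spending a dozen reboots on it: if the hang needs two services running together (which is how this thread ends, with Norton Auto-Protect conflicting with an already loaded McAfee), the first split can put them on opposite sides, neither half hangs, and the search stalls. The example below is added here and is not code from the thread or from any of the posters. It implements the poster's halving search next to Zeller's delta-debugging algorithm (ddmin), which handles that case and returns a minimal set of services that still reproduce the hang. The service names and the "reboot and see whether it hangs" oracle are constructed for the example; on the real machine the oracle is the operator enabling exactly that set in msconfig and rebooting.

```python
"""Bisecting the services list to find what hangs the machine.

Added example, not code from the thread. Two strategies:

* halving_search: the poster's plan. Enable half the services, reboot,
  keep the half that still hangs, repeat. Finds a single guilty service
  in about log2(N) reboots, but stalls when the hang needs two services
  that the split put on different sides.
* ddmin: delta debugging. When no chunk reproduces, it also tries the
  complements and finer splits, and returns a 1-minimal set: removing
  any single service from the result makes the hang go away.

Names and oracles are constructed; they are not the poster's machine.
"""
from typing import Callable, List, Optional, Sequence, Tuple

Oracle = Callable[[Sequence[str]], bool]  # True: machine hangs with these enabled

SERVICES = [  # constructed, loosely modelled on the msconfig list in the log
    "Dell Support",
    "McAfee VirusScan Online",
    "McAfee Personal Firewall",
    "MSN DSL Monitor",
    "Norton AntiVirus Auto Protect Service",
    "Norton Unerase Protection",
    "Print Spooler",
    "Windows Time",
]


def pair_conflict_oracle(enabled: Sequence[str]) -> bool:
    """Constructed oracle: hangs only when both on-access scanners run."""
    return ("McAfee VirusScan Online" in enabled
            and "Norton AntiVirus Auto Protect Service" in enabled)


def single_culprit_oracle(enabled: Sequence[str]) -> bool:
    """Constructed oracle: one service alone causes the hang."""
    return "Norton Unerase Protection" in enabled


def halving_search(services: Sequence[str], hangs: Oracle) -> Optional[str]:
    """The poster's binary search. Returns the culprit, or None when
    neither half reproduces (the cause spans both halves)."""
    current = list(services)
    while len(current) > 1:
        mid = len(current) // 2
        left, right = current[:mid], current[mid:]
        if hangs(left):
            current = left
        elif hangs(right):
            current = right
        else:
            return None
    return current[0]


def _split(seq: List[str], n: int) -> List[List[str]]:
    """Split seq into n nearly equal, non-empty chunks."""
    size, extra = divmod(len(seq), n)
    chunks, start = [], 0
    for i in range(n):
        end = start + size + (1 if i < extra else 0)
        if end > start:
            chunks.append(seq[start:end])
        start = end
    return chunks


def ddmin(services: Sequence[str], hangs: Oracle) -> List[str]:
    """Return a 1-minimal subset of services for which hangs() is True."""
    current = list(services)
    if not hangs(current):
        raise ValueError("hang does not reproduce with everything enabled")
    n = 2  # granularity: number of chunks to split into
    while len(current) >= 2:
        chunks = _split(current, n)
        reduced = False
        for chunk in chunks:                  # try each chunk on its own
            if hangs(chunk):
                current, n, reduced = chunk, 2, True
                break
        if not reduced:
            for chunk in chunks:              # try each complement
                rest = [s for s in current if s not in chunk]
                if rest and hangs(rest):
                    current, n, reduced = rest, max(n - 1, 2), True
                    break
        if not reduced:
            if n >= len(current):
                break                         # cannot split finer: minimal
            n = min(len(current), n * 2)
    return current


def find_culprits(services: Sequence[str], hangs: Oracle) -> Tuple[List[str], int]:
    """Run ddmin and count how many reboots (oracle calls) it needed."""
    reboots = 0

    def counted(enabled: Sequence[str]) -> bool:
        nonlocal reboots
        reboots += 1
        return hangs(enabled)

    return ddmin(services, counted), reboots


if __name__ == "__main__":
    print("halving, pair conflict :", halving_search(SERVICES, pair_conflict_oracle))
    print("ddmin,   pair conflict :", find_culprits(SERVICES, pair_conflict_oracle))
    print("halving, single culprit:", halving_search(SERVICES, single_culprit_oracle))
```

On the constructed pair-conflict case the halving search returns None on its very first split, while ddmin finds both services, at the cost of far more reboots than a lucky halving would take. In practice that means: if neither half hangs, do not conclude the problem is gone; suspect an interaction and keep the halves' complements in play.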
 
Duane Arnold

dan glenn said:
Since the nature of this problem is that resources are being
progressively gobbled up as soon as startup completes, until the whole
system freezes in just a minute or two, isn't there some way that the
application or process that's doing this can be identified?

You can use Process Explorer (free) to view all processes running on the
machine. You can also look inside each running process to see what
processes are running inside of it. Right-click a running process and go to
Properties. It will give a lot of information about a running process.

That's if you can get there fast enough to use it. :)

Duane :)
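The catch Duane names ("if you can get there fast enough") is the real problem with watching Process Explorer on a box that freezes within two minutes. The alternative is to log process snapshots to disk every few seconds from the moment the desktop appears and read the log after the reboot. The example below is added here and is not code from the thread or from any of the posters: it parses a log in the shape that `tasklist /fo csv /nh` (shipped with Windows XP Professional) prints, with a "### t=<seconds>" marker written before each snapshot, and ranks processes by working-set growth so the progressive hog stands out. The process names, PIDs and sizes in the sample are constructed, "leakysvc.exe" is the made-up culprit, and the sampling loop that writes such a log is left to the operator and not shown.

```python
"""Finding the progressive resource hog from periodic process snapshots.

Added example, not code from the thread. SAMPLE_LOG imitates four
`tasklist /fo csv /nh` snapshots taken 10 seconds apart, each preceded
by a "### t=<seconds>" marker; every name, PID and size is constructed.
"""
import csv
import io
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
### t=0
"System Idle Process","0","Console","0","16 K"
"svchost.exe","872","Console","0","21,344 K"
"explorer.exe","1208","Console","0","18,912 K"
"leakysvc.exe","1404","Console","0","5,120 K"
"mcagent.exe","1520","Console","0","3,016 K"
### t=10
"System Idle Process","0","Console","0","16 K"
"svchost.exe","872","Console","0","21,400 K"
"explorer.exe","1208","Console","0","18,912 K"
"leakysvc.exe","1404","Console","0","27,008 K"
"mcagent.exe","1520","Console","0","3,100 K"
### t=20
"System Idle Process","0","Console","0","16 K"
"svchost.exe","872","Console","0","21,344 K"
"explorer.exe","1208","Console","0","18,912 K"
"leakysvc.exe","1404","Console","0","62,400 K"
"mcagent.exe","1520","Console","0","3,050 K"
### t=30
"System Idle Process","0","Console","0","16 K"
"svchost.exe","872","Console","0","21,500 K"
"explorer.exe","1208","Console","0","18,912 K"
"leakysvc.exe","1404","Console","0","131,072 K"
"mcagent.exe","1520","Console","0","3,120 K"
"""

Key = Tuple[str, str]  # (image name, pid)


def parse_mem_kb(field: str) -> int:
    """'21,344 K' -> 21344 (tasklist prints thousands separators)."""
    return int(field.replace(",", "").split()[0])


def parse_log(text: str) -> List[Tuple[int, Dict[Key, int]]]:
    """Return [(seconds, {(name, pid): working_set_kb}), ...]."""
    samples: List[Tuple[int, Dict[Key, int]]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("### t="):
            samples.append((int(line[len("### t="):]), {}))
            continue
        if not samples:
            raise ValueError("process line before first timestamp marker")
        row = next(csv.reader(io.StringIO(line)))
        name, pid, mem = row[0], row[1], row[4]
        samples[-1][1][(name, pid)] = parse_mem_kb(mem)
    return samples


def top_growers(text: str, min_kb_per_sec: float = 100.0) -> List[dict]:
    """Rank processes by working-set growth rate across the snapshots.

    A process qualifies if it is present in the first and last snapshot
    and grows at least min_kb_per_sec; 'monotonic' records whether it
    never shrank between consecutive samples, the signature of a leak
    rather than a burst of work that is later freed.
    """
    samples = parse_log(text)
    if len(samples) < 2:
        raise ValueError("need at least two snapshots")
    t0, first = samples[0]
    t1, last = samples[-1]
    results = []
    for key in first:
        if key not in last:
            continue  # exited before the end; not what froze the box
        series = [snap[key] for _, snap in samples if key in snap]
        rate = (last[key] - first[key]) / (t1 - t0)
        if rate < min_kb_per_sec:
            continue
        monotonic = all(b >= a for a, b in zip(series, series[1:]))
        results.append({
            "name": key[0], "pid": key[1],
            "first_kb": first[key], "last_kb": last[key],
            "kb_per_sec": rate, "monotonic": monotonic,
        })
    results.sort(key=lambda r: r["kb_per_sec"], reverse=True)
    return results


if __name__ == "__main__":
    for r in top_growers(SAMPLE_LOG):
        print(f"{r['name']:<20} pid {r['pid']:>5} {r['first_kb']:>8} K -> "
              f"{r['last_kb']:>8} K  {r['kb_per_sec']:8.1f} K/s  "
              f"monotonic={r['monotonic']}")
```

Working set is only one axis; a process that leaks handles or spawns threads can starve a 2004-era machine just as well while its memory stays flat, which is why Process Explorer's handle and thread columns are worth logging too if the memory view shows nothing.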
 
dan glenn

What I did was track down the services that were hanging the system by
disabling and enabling, etc. I found that it was Norton's Antivirus! Their
computer had McAfee also installed (it loaded first) and it seems Norton's
had some conflict with it. By disabling Norton's 2 services, the "Norton
Antivirus Auto Protect Service" and the "Norton Unerase Protection", the
system was back to normal and running fine. Gad.

But thanks for the tip on Process Explorer - I downloaded it and it will
certainly come in handy someday...

-dg