Slow XP (random only - 100% CPU, then Task Manager won't open).



#1 John37
Hi everyone, I am a long time lurker but brand new member.

I need some help please, I'm having a bad run with Trojans etc recently (time to dump AVG I think).

Machine is running XP Pro SP3 32bit, AVG 9.0.851, Windows Firewall, behind NAT router

Have mostly cleaned out the obvious infections, but it's still acting "strangely" - so I reckon there are a few nasties lurking!

There are no longer any popups or noticeable DNS/browser/search redirects. However there are many unusual crashes, 100% CPU activity and some program lockups - but they are seemingly random and I cannot reliably reproduce them.

Any help you can give me would be greatly appreciated :)


----------------------------------------------------

BACKGROUND

Month or so back I had a TDSS infection (AntiSpywareSoft) - Cleaned most of that out (I think), machine was running OK. Then another one, slightly different but same concept - also pretty sure I cleaned that too. Both of these almost certainly got in from an outdated Java (I actually watched them getting dropped), but have now updated JRE.

A few days ago AVG Resident Shield blocked a number of attempts to load a Trojan.FakeAlert variant
- it was totally reproducible, was a webpage from a compromised server (they fixed it within about an hour)
- I found a temp file with an encrypted Javascript code injecting script.
- Attempting to open that HTML made AVG go crazy! I have removed it.

I then found a DNS redirect entry in the Registry (ProxyEnable and associated keys), that sent the browser to a strange port on 127.0.0.1 - this has already been removed.

Apart from some sluggishness and crashing, the other symptom is that "HID Input Service" won't start (error 126 - specified module could not be found). This driver is what makes the Media Keys on my keyboard work fully.

I checked that online and found that the normal "fix" is to restart the service, and if problems persist to replace the original driver files.

This service has a dependency on Remote Procedure Call (RPC), and is loaded by "svchost.exe -k netsvcs"
Have checked that everything is set correctly in...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HidServ\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HidServ\Parameters

Have replaced the following files with originals off WinXP disc:
%SystemRoot%\System32\hidserv.dll
%SystemRoot%\System32\drivers\mouhid.sys - v5.1.2600.0 17 Aug 2001 1:48:00pm
%SystemRoot%\System32\drivers\mouclass.sys - v5.1.2600.0 modified 17 Aug 2001 1:47:58pm

But HID Input Service still will not start! Something has hijacked whatever makes it load!

That mouclass.sys seems suspicious to me. I copy an older one back into drivers, but when I try to start HID Input service, that mouclass.sys keeps getting replaced with:
%SystemRoot%\System32\drivers\mouclass.sys - v5.1.2600.5512 modified 14 April 2008 12:09:48am

Also, machine is randomly going to 100% CPU, and when that happens Task Manager won't open. When running certain disk-intensive activities (scans, large file operations) the machine is very likely to crash or get stuck on 100% CPU. I've taken to leaving Task Manager open continually just so I can get to it :)

Hooks inside Audio may be caused by 3RVX.exe (an on-screen volume control thingy). Computer worked for years with this running, so it's probably unrelated.

----------------------------------------------------

MY ACTIONS LAST NIGHT AND TODAY...

1. Ran TFC (again)

2. Attempt Kaspersky Online Scan - crashes before completing download of definitions. Tried twice, one gave me a blue screen and reboot!

3. Ran MBRcheck - there is something odd in MBR of slave drive?

4. Ran MalwareBytes - found one Reg key, no software

5. Run GMER
Starts OK, but after a while gets really really slow - 100% CPU, unresponsive!
-left it overnight, still not sure if finished
Crashed (still occasional scanning but 100% CPU and totally unresponsive) and no reports generated.
- I have attached a photograph of screen, not sure if it was finished or not?
- I gave up on running Gmer after 5 or 6 attempts, something is blocking it!

6. Ran Rootkit Unhooker (Drivers,StealthCode,Files,CodeHooks)
At the "Files" section, it seems to lock up - I tried twice then hit cancel
Crashed (Not Responding) but cannot close (locked by system).
Will run again without Files check if required.

Note that I have previously run Gmer, and it's never locked up or taken that long :)

----------------------------------------------------

MY LOGS - attached files

OK = MBRCheck, MALWAREBYTES, OTL (Both OTL.log and Extras.txt).

GMER - Have attached a photo of screen, this is as far as it can get up to.

I am posting this, then doing a reboot to get rid of Rootkit Unhooker which is sitting there completely hung. :)

Attached Thumbnails

  • Gmer after lockup.jpg

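Added example, not part of John37's post and not output of any tool he ran: a read-only PowerShell triage that re-checks the three things he verified by hand, namely the HidServ service wiring (error 126 is ERROR_MOD_NOT_FOUND, so the question is whether the ServiceDll svchost is told to load actually resolves), the WinINet ProxyEnable/ProxyServer keys he found pointing the browser at 127.0.0.1, and the version/timestamp/hash of the three driver files he replaced, so a file that gets swapped back is visible without trusting Explorer's view. It assumes Windows XP with PowerShell 2.0 installed and an Administrator account; the registry paths are the standard ones, while the expected HidServ ImagePath and ServiceDll values are those of a clean XP install and are assumptions to compare against your own system. Nothing is modified.

```powershell
# Read-only HidServ / proxy / driver-file triage (added example, not from the thread).
# Assumes Windows XP, PowerShell 2.0, run as Administrator. Nothing is changed.

$findings = @()

# --- 1. HidServ: does the ServiceDll it names exist, and is it the one in System32? ---
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HidServ'
$svc    = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
$params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue
$expectedDll = Join-Path $env:SystemRoot 'System32\hidserv.dll'   # assumed clean-XP value

if (-not $params -or -not $params.ServiceDll) {
    $findings += 'HidServ\Parameters\ServiceDll is missing; svchost has no module to load (error 126).'
} else {
    # ServiceDll is REG_EXPAND_SZ; expand it again in case it was stored unexpanded.
    $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
    if (-not (Test-Path $dll)) {
        $findings += "ServiceDll points at '$dll', which does not exist on disk (error 126)."
    } elseif ($dll -ine $expectedDll) {
        $findings += "ServiceDll has been redirected to '$dll' (expected '$expectedDll')."
    }
}
if (-not $svc -or $svc.ImagePath -notmatch 'svchost\.exe\s+-k\s+netsvcs') {
    $findings += "HidServ ImagePath is '$($svc.ImagePath)', expected 'svchost.exe -k netsvcs'."
}

# svchost only hosts the service if HidServ is listed in the netsvcs group.
$groups = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
if (-not ($groups.netsvcs -contains 'HidServ')) {
    $findings += 'HidServ is not listed in the Svchost\netsvcs group.'
}

# --- 2. WinINet proxy: a loopback proxy with nothing legitimate listening is the
#        redirect John37 removed; re-check it in case something re-creates the keys. ---
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer -match '127\.0\.0\.1|localhost') {
    $findings += "Browser proxy is enabled and points at '$($inet.ProxyServer)'."
}

# --- 3. The replaced driver files: version, last write time and SHA-256. Record these
#        after replacing them, then re-run to see whether anything swapped them back. ---
$sha = [System.Security.Cryptography.SHA256]::Create()
foreach ($rel in 'System32\hidserv.dll', 'System32\drivers\mouhid.sys', 'System32\drivers\mouclass.sys') {
    $path = Join-Path $env:SystemRoot $rel
    if (-not (Test-Path $path)) { $findings += "$path is missing."; continue }
    $item   = Get-Item $path
    $stream = [IO.File]::OpenRead($path)
    try     { $hash = ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
    '{0,-32} v{1,-32} {2:yyyy-MM-dd HH:mm:ss}  SHA256={3}' -f $rel, $item.VersionInfo.FileVersion, $item.LastWriteTime, $hash
}

# --- 4. Current service state, as reported by the Service Control Manager (no start attempted). ---
$state = (Get-Service -Name HidServ -ErrorAction SilentlyContinue).Status
"HidServ status: $state"

if ($findings.Count -eq 0) { 'No configuration anomaly found in the checked keys.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it once right after replacing the driver files and keep the output; if mouclass.sys is being put back (the v5.1.2600.5512 file he describes), the hash and timestamp lines will differ on the next run, which is stronger evidence than the file date alone. The version check also separates the two cases behind error 126: a ServiceDll that points somewhere that no longer exists, versus one that has been redirected to a different module.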


#2 John37
Hi everyone

I'm giving this thread a bump because I am really worried about continuing to use the machine as it is...

Is there anyone who can help me check what nasties still lurk within it?

Thanks, John