I need some help please. I'm having a bad run with Trojans etc. recently (time to dump AVG, I think).
Machine is running XP Pro SP3 32-bit, AVG 9.0.851, Windows Firewall, behind a NAT router.
Have mostly cleaned out the obvious infections, but it's still acting "strangely", so I reckon there are a few nasties lurking!
There are no longer any popups or noticeable DNS/browser/search redirects. However, there are many unusual crashes, 100% CPU activity and some program lockups, but they are seemingly random and I cannot reliably reproduce them.
Any help you can give me would be greatly appreciated.
----------------------------------------------------
BACKGROUND
A month or so back I had a TDSS infection (AntiSpywareSoft). Cleaned most of that out (I think); machine was running OK. Then another one, slightly different but same concept; also pretty sure I cleaned that too. Both of these almost certainly got in from an outdated Java (I actually watched them getting dropped), but I have now updated the JRE.
A few days ago AVG Resident Shield blocked a number of attempts to load a Trojan.FakeAlert variant:
- it was totally reproducible; it was a webpage from a compromised server (they fixed it within about an hour)
- I found a temp file with an encrypted JavaScript code-injecting script.
- Attempting to open that HTML made AVG go crazy! I have removed it.
I then found a DNS redirect entry in the Registry (ProxyEnable and associated keys) that sent the browser to a strange port on 127.0.0.1; this has already been removed.
Apart from some sluggishness and crashing, the other symptom is that "HID Input Service" won't start (error 126: the specified module could not be found). This driver is what makes the media keys on my keyboard work fully.
I checked that online and found that the normal "fix" is to restart the service, and if problems persist, to replace the original driver files.
This service has a dependency on Remote Procedure Call (RPC), and is loaded by "svchost.exe -k netsvcs".
Have checked that everything is set correctly in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidServ\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HidServ\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HidServ\Parameters
Have replaced the following files with originals off WinXP disc:
%SystemRoot%\System32\hidserv.dll
%SystemRoot%\System32\drivers\mouhid.sys - v5.1.2600.0 17 Aug 2001 1:48:00pm
%SystemRoot%\System32\drivers\mouclass.sys - v5.1.2600.0 modified 17 Aug 2001 1:47:58pm
But HID Input Service still will not start! Something has hijacked whatever makes it load!
That mouclass.sys seems suspicious to me. I copied an older one back into drivers, but when I try to start HID Input Service, that mouclass.sys keeps getting replaced with:
%SystemRoot%\System32\drivers\mouclass.sys - v5.1.2600.5512 modified 14 April 2008 12:09:48am
Also, the machine is randomly going to 100% CPU, and when that happens Task Manager won't open. When running certain disk-intensive activities (scans, large file operations) the machine is very likely to crash or get stuck at 100% CPU. I've taken to leaving Task Manager open continually just so I can get to it.
Hooks inside Audio may be caused by 3RVX.exe (an on-screen volume control thingy). The computer worked for years with this running, so it's probably unrelated.
----------------------------------------------------
MY ACTIONS LAST NIGHT AND TODAY...
1. Ran TFC (again)
2. Attempted Kaspersky Online Scan; it crashes before completing the download of definitions. Tried twice; one gave me a blue screen and reboot!
3. Ran MBRCheck; there is something odd in the MBR of the slave drive?
4. Ran Malwarebytes; found one registry key, no software
5. Ran GMER
- Starts OK, but after a while gets really, really slow: 100% CPU, unresponsive!
- Left it overnight; still not sure if it finished.
- Crashed (still occasionally scanning, but 100% CPU and totally unresponsive) and no reports generated.
- I have attached a photograph of the screen; not sure if it was finished or not?
- I gave up on running GMER after 5 or 6 attempts; something is blocking it!
6. Ran Rootkit Unhooker (Drivers, StealthCode, Files, CodeHooks)
- At the "Files" section it seems to lock up; I tried twice then hit cancel.
- Crashed (Not Responding) but cannot close (locked by system).
- Will run again without the Files check if required.
Note that I have previously run GMER, and it has never locked up or taken that long.
----------------------------------------------------
MY LOGS - attached files
OK = MBRCheck, Malwarebytes, OTL (both OTL.log and Extras.txt).
GMER: have attached a photo of the screen; this is as far as it can get.
I am posting this, then doing a reboot to get rid of Rootkit Unhooker, which is sitting there completely hung.
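The service and registry checks described in the post above, collected into one repeatable script. This is an added example, not the poster's code or any of the attached logs. It assumes PowerShell 2.0 or later has been installed on the XP SP3 machine (it does not ship with XP), that it runs from an Administrator account, and that the HidServ keys exist. The svchost group list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost and the per-user proxy keys under HKCU\...\Internet Settings are the standard Windows locations for those settings; the post names the values but not those key paths. Error 126 for a svchost-hosted service generally means a DLL it needs could not be loaded, so the first thing the script does is resolve the service's ServiceDll value and test whether that file is present.

```powershell
# Added diagnostic for the "HID Input Service" / error 126 problem described above.
# Not the poster's code. Assumes PowerShell 2.0+, Administrator rights, and that the
# HidServ service keys exist; key paths for the svchost group list and the
# Internet Settings proxy values are standard Windows locations (assumption).

$serviceName = 'HidServ'
$svcKey      = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"

# 1. Service registration: the svchost command line and the start type.
$svc = Get-ItemProperty -Path $svcKey -ErrorAction Stop
"ImagePath : $($svc.ImagePath)"
"Start     : $($svc.Start)"
"DependOn  : $($svc.DependOnService -join ', ')"

# 2. ServiceDll is the module svchost loads for this service. Get-ItemProperty already
#    expands REG_EXPAND_SZ values, but expand again in case it was stored as plain REG_SZ.
$params = Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction Stop
$dll = [Environment]::ExpandEnvironmentVariables([string]$params.ServiceDll)
"ServiceDll: $dll"
if (Test-Path -LiteralPath $dll) {
    $vi = (Get-Item -LiteralPath $dll).VersionInfo
    "  present: file version $($vi.FileVersion), company '$($vi.CompanyName)'"
} else {
    "  MISSING: a missing ServiceDll by itself produces error 126 on start"
}

# 3. svchost group membership: the netsvcs REG_MULTI_SZ list must contain the service name,
#    otherwise "svchost.exe -k netsvcs" will never host it.
$groups  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = @($groups.netsvcs)
"netsvcs contains ${serviceName}: $($netsvcs -contains $serviceName)"

# 4. Compare the saved control sets with CurrentControlSet, as the poster did by hand.
foreach ($cs in 'ControlSet001', 'ControlSet002') {
    $p = "HKLM:\SYSTEM\$cs\Services\$serviceName\Parameters"
    if (Test-Path -Path $p) {
        "$cs ServiceDll: $((Get-ItemProperty -Path $p).ServiceDll)"
    }
}

# 5. Version, timestamp and SHA-256 of the files the poster replaced. Run the script
#    before and after a start attempt; a changed hash shows which file was swapped.
$files = @(
    "$env:SystemRoot\System32\hidserv.dll",
    "$env:SystemRoot\System32\drivers\mouhid.sys",
    "$env:SystemRoot\System32\drivers\mouclass.sys"
)
$sha256 = [System.Security.Cryptography.SHA256]::Create()   # Get-FileHash needs PS 4+
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $item  = Get-Item -LiteralPath $f
        $bytes = [System.IO.File]::ReadAllBytes($f)
        $hash  = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        "{0}`n  ver {1}  modified {2}  sha256 {3}" -f $f, $item.VersionInfo.FileVersion, $item.LastWriteTime, $hash
    } else {
        "$f MISSING"
    }
}

# 6. The proxy redirect the poster removed: confirm it has not come back for this user.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
"ProxyEnable: $($inet.ProxyEnable)  ProxyServer: $($inet.ProxyServer)  AutoConfigURL: $($inet.AutoConfigURL)"
```

Run it once, attempt to start the service, then run it again and diff the two outputs. A ServiceDll that does not resolve, a netsvcs list without HidServ, or a driver hash that changes between runs each narrows the problem to one specific place, which is more useful in a thread like this than "still won't start".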