
Win2k, SP4, Hijack log included

Discussion in 'Malware and Virus Removal Archive' started by savagcl, 2008/09/11.

  1. 2008/09/11
    savagcl Lifetime Subscription

    savagcl Geek Member Thread Starter

    Joined:
    2003/06/09
    Messages:
    1,559
    Likes Received:
    7
    (Re-posted from Win2k forum.)
    My friend's PC is having this problem.

    CPU is maxed out - 100 to 97% with a short drop that allows
    some user actions to happen (each mouse-click can take up to a
    minute to be executed).

    System is very (I mean verrrry) slow from bootup to shutdown.

    What i see is: in the Windows folder:
    There is a "Temp" subfolder, it only contains 1 file - GLF60.exe.
    According to the web this is some sort of a data recovery
    program. Clicking on it does nothing.

    I have turned on 'show all files and extensions' but nothing
    happens.

    Clicking on the Winnt folder does show some files/folders but
    nothing like system or system32 folders. Clicking on a folder
    in winnt will open a different folder (not the folder I tried to open)
    then take me back to 'My Computer'.

    The task manager shows 'Services.exe' as getting 100% CPU
    time. I cannot change the status of this service at all.

    Whatever virus this is, it's a good one (if there is such a thing). I
    can't find a solution or even a starting point to get it fixed.......



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:02:33 AM, on 9/11/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCGserv.exe
    C:\WINNT\system32\spool\DRIVERS\W32X86\3\lxdiserv.exe
    C:\WINNT\system32\lxdicoms.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\SOUNDMAN.EXE
    C:\Documents and Settings\Jean Spears\Application Data\U3\0000162B53713B83\LaunchPad.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINNT\system32\rundll32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O15 - Trusted Zone: http://*.mcafee.com
    O15 - Trusted Zone: *.whataboutadog.com
    O15 - Trusted Zone: *.whataboutarabit.com
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/oneclickfix/tgctlsr.cab
    O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Shared/ComCtl32/6,0,80,22/ComCtl32.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151769341078
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5263/mcfscan.cab
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LXCGCustomerConnect - Unknown owner - C:\WINNT\system32\spool\DRIVERS\W32X86\3\\LXCGserv.exe
    O23 - Service: lxcg_device - - C:\WINNT\System32\lxcgcoms.exe
    O23 - Service: lxdiCATSCustConnectService - Lexmark International, Inc. - C:\WINNT\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe
    O23 - Service: lxdi_device - - C:\WINNT\system32\lxdicoms.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

    --
    End of file - 5108 bytes


    Ideas, suggestions, advice or just a thought will be welcomed,
    thanks,
    savagcl
     
  2. 2008/09/12
    savagcl
    Update:

    Cannot install much of anything (programs) like MBAM, ComboFix, even
    Belarc. No internet connection works, cannot get into My Documents at all.

    Worst of all, she does not have an OS disk so I can't even re-install.

    savagcl
     


  4. 2008/09/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi savagcl,

    This will fit on a floppy, so transfer it over.

    Please download FindAWF
    Save the file to the Desktop
    Double-click the FindAWF icon.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 1 then Enter to scan for bak folders
    The scan may take a while, please be patient.

    When done, awf.txt will open. Please post its contents here. **Note- whilst awf.txt is still open, you'll need to click File>Save As on the menu and save it to the floppy disk. Otherwise, if closed prior to saving, the log will be located in the user temp\FindAWF folder. That location is easily reached by clicking Start>Run and typing %temp%\FindAWF, then hit Enter.
     
  5. 2008/09/13
    savagcl
    noahdfear,

    Thanks for the tip, I'll try it on monday and post results.

    savagcl
     
  6. 2008/09/13
    noahdfear
    Oh, I also meant to say, it's not wise to click on any exe files located in a temp folder. Many malwares install from a temp folder, and often drop exes there to do their work. Not at all uncommon for them to use a legit filename either. ;)
     
  7. 2008/09/14
    savagcl
    Got it.
    I don't know what she did but neither does she.

    No reason or logic has ever been applied to that PC. I don't even
    think it's ever been defragged.

    thanks,
    savagcl
     
  8. 2008/09/15
    savagcl
    noahdfear,

    FindAWF - it wouldn't run from the floppy at all.
    I had to copy it to a flash drive then copy it to the root of "C" in order to
    get it running.

    So far it's been running (according to task manager) 1 hour, 35 minutes under
    option 1 (find bak files). Nothing is showing on-screen except the "Please
    Wait" (based on the virus, I think maybe it has had no more than 10 minutes
    of actual run time). I'm assuming it's doing something.

    More later,
    savagcl
     
  9. 2008/09/15
    noahdfear
    My instructions were to copy it to the Desktop and run it, not run it from a floppy. Running from C: should be fine too. Something is not right though ....... it shouldn't take more than a minute or so, unless of course you have a couple terabytes of hard drive. Try booting to safe mode and running it.
     
  10. 2008/09/16
    savagcl
    noahdfear,

    Copying to the "C" was the only way I could run it. It wouldn't
    let me get it to the desktop.

    The long run time is due to the CPU using 98/100 of the processing
    power. Only a bare minimum of time (1-2%) is available for running
    user programs.

    I'll try the safe mode but I still see almost 100% CPU usage even
    in safe mode (or things don't run at all).

    Will post back results.

    Thanks,
    savagcl
     
  11. 2008/09/16
    savagcl
    No luck running in safe mode. Says something about no IPX\??? support.

    Not in front of the machine and can't remember what the "???" was.

    savagcl
     
  12. 2008/09/16
    noahdfear
    That's very odd. :confused:

    I'd like to check something in particular, and you'll need to create a small batch file to run on the machine. Highlight and copy the contents of the code box below to a blank notepad. Save it to the floppy as:

    Filename: check.bat
    Save as type: All Files (*.*)

    Code:
    @echo off
    echo ~~winlogon backups~~>check.txt
    echo.>>check.txt
    dir %Systemdrive%\winlogon.exe /a h /s >>check.txt
    echo.>>check.txt
    echo ~~services backups~~>>check.txt
    echo.>>check.txt
    dir %Systemdrive%\services.exe /a h /s >>check.txt
    echo.>>check.txt
    echo ~~lsass backups~~>>check.txt
    echo.>>check.txt
    dir %Systemdrive%\lsass.exe /a h /s >>check.txt
    echo.>>check.txt
    echo ~~svchost backups~~>>check.txt
    echo.>>check.txt
    dir %Systemdrive%\svchost.exe /a h /s >>check.txt
    echo.>>check.txt
    echo ~~explorer backups~~>>check.txt
    echo.>>check.txt
    dir %Systemdrive%\explorer.exe /a h /s >>check.txt
    echo.>>check.txt
    echo ~~spoolsv backups~~>>check.txt
    echo.>>check.txt
    dir %Systemdrive%\spoolsv.exe /a h /s >>check.txt
    cls
    exit
    
    Move it from the floppy to the affected computer.
    Double click check.bat to run it. It will create check.txt in the same location you placed the batch when it completes.
    Please post its contents here.


    Try disabling McAfee to see if it helps with the system resources, if only long enough to run some tools.
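As an added illustration (not code from the thread, from FindAWF or from noahdfear), here is a Python version of what check.bat above does: walk a drive and report any copy of the six core executables that sits outside its expected folder. The directory layout it scans is constructed sample data, and the expected-folder table is an assumption based on the Windows 2000 layout visible in the HijackThis log.

```python
import os
import tempfile
# Executables check.bat searches for, mapped to the folder under the Windows
# directory holding the one legitimate copy (() means the Windows folder itself).
CORE_EXES = {
    "winlogon.exe": ("system32",),
    "services.exe": ("system32",),
    "lsass.exe": ("system32",),
    "svchost.exe": ("system32",),
    "explorer.exe": (),
    "spoolsv.exe": ("system32",),
}

def find_extra_copies(root, windir):
    """Walk `root` and return sorted (name, path) pairs for every file named
    like a core executable that sits outside its expected folder under `windir`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()
            if key not in CORE_EXES:
                continue
            expected = os.path.normcase(os.path.join(windir, *CORE_EXES[key]))
            if os.path.normcase(os.path.abspath(dirpath)) != expected:
                hits.append((key, os.path.join(dirpath, fname)))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample drive: legitimate copies under WINNT, plus a stray
    services.exe in a 'bak' folder and a stray winlogon.exe in Temp."""
    root = tempfile.mkdtemp(prefix="fakeC_")
    windir = os.path.join(root, "WINNT")
    layout = {
        os.path.join(windir, "system32", "services.exe"): b"legit",
        os.path.join(windir, "system32", "winlogon.exe"): b"legit",
        os.path.join(windir, "explorer.exe"): b"legit",
        os.path.join(windir, "system32", "bak", "services.exe"): b"extra copy",
        os.path.join(windir, "Temp", "winlogon.exe"): b"extra copy",
        os.path.join(windir, "Temp", "GLF60.exe"): b"not a core name",
    }
    for path, data in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root, windir
if __name__ == "__main__":
    root, windir = build_sample_tree()
    for name, path in find_extra_copies(root, windir):
        print(f"{name}: unexpected copy at {path}")
```

The stray copies are reported by name and full path; a file with a non-core name such as GLF60.exe is not flagged, just as check.bat would not list it.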
     
  13. 2008/09/17
    savagcl
    Problem gone. She decided to just upgrade to Vista.

    But, here is what happened with the check.bat

    McAfee was already turned off. (Looking at the task manager, applications showed nothing running).

    I ran check.bat from the C drive, temp folder, of the infected system for 1 hour. The CMD window stayed blank except for the blinking cursor. I got 94 bytes of info as output
    (below).

    I changed the bat file to turn "on" the echo and re-ran it for another hour. Same results.

    Check.txt shows:
    ~~winlogon backups~~

    Volume in drive C has no label.
    Volume Serial Number is 1C2E-91B5

    CMD window got as far as the winlogon.exe line

    A search of "C" drive did not find a winlogon.exe.
     
  14. 2008/09/17
    savagcl
    PS. Thanks for all your help, noahdfear,

    savagcl
     
  15. 2008/09/17
    noahdfear
    Thanks for the followup. :)
     
