Malware problem: old versions of NI LabVIEW : LOGOS + Lookout Citadel Server

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Old-lag, Jan 17, 2006.

  1. Old-lag

    Old-lag Private E-2

    Malware problem: old versions of NI LabVIEW : LOGOS + Lookout Citadel Server

    Hi,
I believe I have been suffering from a malware problem, possibly related to a malware exploitation of an old and no longer used version of National Instruments' LabVIEW still residing on my machine -
something that must be fairly common among those that have worked with instrumentation control.

    I believe I had unwanted processes that were running on my computer, that were streaming data in and out over the internet
in a way that is not happening on other machines. Under certain circumstances they have stopped but then restarted.

    When machine should be idle:
    Processor : 10% to 30% (Task Manager)
    (a range of processes with a few % coming and going)
Internet : 30 to 100 kB/s streaming in and out (McAfee)
or 2% to 5% (of 1 MB/s?) (Task Manager)
all due to Generic Host Processes for Win 32 Services:
Ports : 3075, 5431

    I believe I have a fully updated XP SP2 system with fully updated
F-Secure 5.43 virus checker, McAfee 7 firewall, Ad-Aware SE,
    and Microsoft AntiSpyware 1.0.701.
    I have done repeated full system scans with all, and they find nothing wrong.

    TrojanHunter suggested that Dialer.BTWeb.100 was a trojan - it has been suggested to me that this is a false alarm, but it is no longer necessary, so it is now disabled.

    HijackThis listed numerous running National Instruments programs, including :
    O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\System32\lk....dl.exe
    which was started at boot time and was related to NI LOGOS

    "Logos is a network communication protocol developed by National Instruments based on industry-standard UDP"
    "Logos also includes the Citadel server and Time Synchronization server"
    "Citadel is part of the Logos installer. Logos is National Instruments proprietary mechanism for inter-process communication used by our automation software products (Lookout, LabVIEW Datalogging and Supervisory Control). Logos also implements the Citadel server and the time synchronization server."

The versions of these servers on my machine are old and probably full of holes -
I had no idea these routines were running, or that they were not just part of the Windows OS.
    I have stopped and disabled them in systems services.

    Currently my streaming I/O has stopped, but I am still worried that there
    may still be holes that could allow things to start up again.

One definite problem I still have is an IE browser hijack -
I cannot change my default page:
    HijackThis reports :
    R0 - HKCU\Software\Microsoft\Inte.....plorer\Main,Start Page = http://www......html

I have read the MajorGeeks pages on this, and have performed the preliminary steps, but cannot see a likely candidate for the guilty routine, and am not quite sure what to do in the above case.

Your advice is appreciated!
     
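The two HijackThis entry types the post quotes (O23 service lines and R0 start-page lines) have a fixed layout, so they can be parsed and triaged mechanically. The following is an added example, not code from the thread or from HijackThis; the sample lines are constructed, with a placeholder service path and URL, and `about:blank` is assumed as the expected start page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis log format (not the poster's log; the
# service image path and the start-page URL are placeholders).
SAMPLE_LOG = """\
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\\WINDOWS\\System32\\PLACEHOLDER.exe
O23 - Service: Windows Audio (AudioSrv) - Microsoft Corporation - C:\\WINDOWS\\System32\\svchost.exe
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://example.invalid/page.html
"""

# O23 - Service: <display name> (<service name>) - <vendor> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - (?P<vendor>.+?) - (?P<path>.+)$")
# R0/R1 - <registry key>,<value name> = <data>
R0_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$")

@dataclass
class Finding:
    kind: str    # "service" or "startpage"
    name: str    # service short name or registry value name
    detail: str  # vendor and image path, or the URL
    reason: str  # why a reviewer should look at it

def parse_o23(line: str) -> Optional[Finding]:
    m = O23_RE.match(line)
    if not m:
        return None
    # Third-party services are not malicious per se, but one the owner does
    # not recognise (as with LkCitadelServer in the post) should be verified.
    if m["vendor"].lower().startswith("microsoft"):
        return None
    return Finding("service", m["name"], f'{m["vendor"]} -> {m["path"]}',
                   "third-party service started at boot; confirm it is expected")

def parse_r0(line: str, expected_url: str) -> Optional[Finding]:
    m = R0_RE.match(line)
    if not m or m["value"].strip() != "Start Page":
        return None
    if m["data"].strip() == expected_url:
        return None
    return Finding("startpage", m["value"].strip(), m["data"].strip(),
                   "IE start page differs from the expected value")

def review_log(text: str, expected_url: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        f = parse_o23(line) or parse_r0(line, expected_url)
        if f:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG, "about:blank"):
        print(f"[{f.kind}] {f.name}: {f.detail} ({f.reason})")
```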
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com, please follow the steps below:

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
- Make sure you check version numbers and get all updates.
If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis
     
