Windows XP Malware Removal Cleaning Post #1

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by krmorgan, Aug 25, 2012.

  1. krmorgan

    krmorgan Private E-2

    Hi, I will have to post more than once in order to upload all logs on a problem that started appearing approximately 8/15/2012.

    1) Clearly describe in detail the problems you are having:

    1st Symptom: When I reboot my Lenovo-E87C63AA, at Windows XP User Login prompt I receive the following dialog:

    svchost.exe - Application Error

    The instruction at "0x7c919af2" referenced memory at "0x00000010". The memory could not be "written".

    Click on OK to terminate the program

    Click on CANCEL to debug the program.

    2nd Symptom: attempting to install new programs or uninstall a program leads to a timeout where the scroll bar indicator times out and stops moving forward while the Windows Task Manager shows the Task Status as "Running".

    3rd Symptom: Tried booting into F8 Safe Mode and could not unless running this function from MSCONFIG.

    4th Symptom: System Performance is slow, especially when shutting down and restarting. Windows Task Manager Page File Usage typically exceeds the physical 2GB RAM

    2) and how long ago they started:

    Approximately when Microsoft Security Essentials detected and Quarantined Adware:Win32/Adkubru on 8/15/2012 and Trojan:Win32/Comisproc on 8/21/2012 and Exploit:Java/CVE-2012-0507.CG on 08/24/2012.

    I recall having a web browser Adware/Malware appear approximately this same time. Frankly I use so many browsers such as Safari, Chrome, Firefox and IE I do not recall how I removed this.

    I am manually saving the Microsoft Security Essentials History on these three detected and quarantined items into a text file for analysis as these seem to be the root cause of my problems.

    3) Think about what you were doing at the time.

    I was trying to clean up disk space as it was more than 90% full. I had removed non-essential programs and files. Had used CCleaner for the Cleaner and Registry functions. Had also used Auslogics BoostSpeed, DiskDefrag, and Registry Defrag. Everything appeared to be performing well until Lenovo ThinkVantage utilities that normally appear in the Taskbar had either their processes stopped by Auslogics or seemed to be wigging out, such as the Battery status kept flashing in the Taskbar. I then rolled some of the performance tweaks back to restore them to the normal operating system profile, however I am still having major issues ...

    Thanks, CaptMorgan

    P.S. Please take a note that several years ago I had downloaded your clean-up instructions and had several utilities that don't seem to be endorsed any longer. My apologies in advance for running SUPERAntiSpyware and Malwarebytes independently from your new guide. I also could not prevent Microsoft Security Essentials from running in realtime mode and taking action without receiving instructions first on how to remove.

    Here is a summary of attached logs:

    1. Microsoft Security Essentials - Microsoft Security Essentials History 08-25-2012.txt three items detected and Quarantined Adware:Win32/Adkubru on 8/15/2012 and Trojan:Win32/Comisproc on 8/21/2012 and Exploit:Java/CVE-2012-0507.CG on 08/24/2012.

    2. SUPERAntiSpyware - SUPERAntiSpyware Scan Log - 08-24-2012 - 20-50-32.log found and Quarantined Adware.CouponBar
    C:\WINDOWS\SYSTEM32\CPNPRT2.CID

    3. RogueKiller - RKreport[1].txt multiple items found / I am not sure if 2 items were Quarantined so I am also attaching QuarantineReport.txt.

    4. Malwarebytes Anti-Malware - mbam-log-2012-08-20 (12-54-03).txt ran on 8/20/12 as stand alone with Registry Keys Detected: 5
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{963B125B-8B21-49A2-A3A8-E37092276531} (PUP.Blabbers) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{963B125B-8B21-49A2-A3A8-E37092276531} (PUP.Blabbers) -> Quarantined and deleted successfully.
    HKCR\bho_project.bho_object (Trojan.BHO) -> Quarantined and deleted successfully.
    HKCR\bho_project.bho_object.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Google\Chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl (PUP.FCTPlugin) -> Quarantined and deleted successfully.

    mbam-log-2012-08-24 (22-51-01).txt no items detected

    5. TDSSKiller - TDSSKiller.2.8.8.0_24.08.2012_23.57.39_log.txt no threats detected

    6. HitmanPro - HitmanPro_20120825_0825.log 4 Threats and 17 Traces with a focus on two that are suspicious based on the point in time of having system problems:
    C:\WINDOWS\SYSTEM32\EGATHDRV.SYS
    C:\WINDOWS\system32\ie4uinit.exe

    7. MGtools - MGlogs.zip 08/25/2012 9:08 AM ... I'm going to let the experts decipher these logs!
     


  2. krmorgan

    krmorgan Private E-2

    Windows XP Malware Removal Cleaning Post #2

    Edit: Logs
     


    Last edited by a moderator: Aug 26, 2012
  3. thisisu

    thisisu Malware Consultant

    Welcome to MajorGeeks, krmorgan :)

    Disable Any Disk Emulation Software (like Daemon Tools, etc.) - Read and complete Step #4


    Please download and run ComboFix and attach its log.
    Read these instructions on how to use it: How to use ComboFix
    Do not uninstall ComboFix yet as we may need it to fix remaining malware issues.

    Now download the latest MGtools.exe to the root of your c: drive.
    • Replace your existing MGtools.exe with this one.
    • Now run this new MGtools.exe by double-clicking it. (Vista/7 right-click and select Run as Administrator)
    • When it is finished, attach c:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Aug 26, 2012
  4. krmorgan

    krmorgan Private E-2

    Hey Super Malware Fighter,:cool

    Thanks for your quick reply and welcoming me on board as a new member!

    Please analyze the following attached logs:

    1) defogger_disable_8-26-2012.log ... I realized on Saturday after sending the first post that I did not do this until after getting all of the logs. My bad!

    2) ComboFix_8-26-2012.txt ... Combo Fix never created a log after auto reboot, even after 45+ mins of run time. I retrieved this report from C:\ComboFix (the instructions showed log.txt but format looks the same, so hope this works).

    3) MGlogs_8-26-2012.zip ... operated smoothly.

    A final footnote, I had to rely upon Revo Uninstaller yesterday to remove one remote diagnostic software that Netgear has had me install to troubleshoot their router. I also have SafeMSI.exe should any msi processes get stuck as I have further work to do with them and they might have me stand on my head some more. It might be that my computer is inhibiting the WNDR4500 from using the local network functionality of Airprint, DLNA, and ShareCloud to work as advertised ... rolleyes

    Thanks!
     


  5. thisisu

    thisisu Malware Consultant

    Hi,

    I am not finding any malware in your logs. I suspect that the computer is sluggish because there are a very high amount of programs you have installed / running at all times.

    Here are my recommendations in case you wanted to try a few things. Otherwise, you are better off posting in the Software forum.

    __

    From Add/Remove Programs (via Control Panel), please uninstall the below (or use Revo Uninstaller):
    • Adobe Shockwave Player 11.6
    • AML Free Registry Cleaner 4.21
    • Auslogics BoostSpeed
    • Auslogics Disk Defrag
    • Auslogics Registry Defrag
    • Bing Bar
    • CA Yahoo! Anti-Spy (remove only)
    • CleanMem
    • CleanUp!
    • ClearType Tuning Control Panel Applet
    • Coupon Printer for Windows
    • Delicious Add-on for Internet Explorer <== Is actually considered adware by some AV vendors.
    • Freez FLV to AVI/MPEG/WMV Converter
    • Freez FLV to MP3 Converter
    • Shop for HP Supplies
    • Skype Click to Call
    • SUPERAntiSpyware
    • VideoFileDownload
    • Wallpapers
    • XP Themes
    • Yahoo! Mail Advisor
    • Yahoo! Messenger
    • Yahoo! Software Update
    • Yahoo! Toolbar

    __

    Please download Disable/Remove Windows Messenger to your desktop.
    • Double-click MessengerDisable.exe to run it.
    • Place checkmarks in "Uninstall Windows Messenger" and "Hide Messenger from Outlook Express"
    • Click Apply
    • Click Exit

    __

    Reboot

    __

    Now download fixme.zip to your desktop.
    • Extract fixme.reg from fixme.zip onto your desktop.
    • Now double-click fixme.reg and allow it to merge into the Windows Registry
    • Let me know if the merge was successful or not.
      • If successful, reboot your PC and complete the step below too:
      • If unsuccessful, don't reboot yet and just let me know that the registry file didn't successfully merge, and give me the exact error message you received.

    __

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     


  6. krmorgan

    krmorgan Private E-2

    Hi,

    Sorry for not responding due to the Labor Day holiday weekend.

    I removed most of the programs you suggested, but had reservations about the following, either because they have recovery restore points that I don't want to lose by uninstalling them or because some are OEM software provided with the Microsoft OS and I saw no value in removing them.

    • AML Free Registry Cleaner 4.21 => Backup 12.08.17-16.10.35 8/17/2012
    • Auslogics BoostSpeed => used (TweakManager) 8/19/2012 10:33 PM & 8/19/2012 7:27 PM
    • Auslogics Disk Defrag => used (InternetOptimizer) 8/4/2012 2:30 AM
    • Auslogics Registry Defrag => used (BoostSpeed) 7/15/2012 2:22 PM & 8/24/2012 10:07 PM
    • CleanUp! Major Geeks promoted use of FreeRAM XP Pro 1.52 so left this installed ( majorgeeks.com/download.php?det=1670 )
    • ClearType Tuning Control Panel Applet => this is Microsoft OEM software from OS, so did not remove it
    • Wallpapers => this is Microsoft OEM software from OS, so did not remove it
    • XP Themes => this is Lenovo Thinkpad software, so did not remove it

    Having performed some further research involving the timeline around the middle of August 2012, I suspect that an update applied on Vuze may have contributed to infecting the computer with the Malware and Trojans that had been quarantined.

    I am thinking although the performance of the computer is about the best it can be, that the infections corrupted the svchost.exe file as I am still having the same symptom on login after booting up the computer:

    1st Symptom: When I reboot my Lenovo-E87C63AA, at Windows XP User Login prompt I receive the following dialog:

    svchost.exe - Application Error

    The instruction at "0x7c919af2" referenced memory at "0x00000010". The memory could not be "written".

    Click on OK to terminate the program

    Click on CANCEL to debug the program.


    Please review the attached files/logs as Microsoft Security Essentials is periodically detecting Malware as of (8/28/2012) with ask.com screen capture labeled: MS Security Essentials browser hijack.jpg

    I also have questions since the FixMe registry entry turned off some critical Lenovo services that I need to be able to re-enable, so how do I do that?

    "SoundMAXPnP"=-
    "TP4EX"=-
    "TPHOTKEY"=-
    "TpShocks"=-
    "TPKMAPHELPER"=-

    I'm also figuring my network hard drive services from Western Digital involving WD Anywhere Backup and Memeo have been disabled.

    Do I just enable them in MSconfig or what would you recommend?

    If we have pretty much exhausted options through the Malware Forum is it possible for me to retain our chat history while posting my concerns involving the "restoring the svchost.exe" over on the Software Forum?

    Finally, if we are finished with our session ... May I uninstall Combo Fix? or should I wait until everything is indeed fixed by no longer having the Application Error at start up with svchost.exe?

    Thanks and regards,
     


    Last edited by a moderator: Sep 3, 2012
  7. thisisu

    thisisu Malware Consultant

    No problem.

    It may in fact be corrupted or infected. Let's try replacing it with a different copy of svchost and see if that helps anything. I'm also going to try to add those Lenovo and sound items you wanted back into startup.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded earlier is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    FCopy::
    C:\WINDOWS\$NtServicePackUninstall$\svchost.exe | C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\$NtServicePackUninstall$\svchost.exe | C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    C:\WINDOWS\$NtServicePackUninstall$\svchost.exe | C:\WINDOWS\ERDNT\cache\svchost.exe
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
    "TP4EX"="tp4ex.exe"
    "TPHOTKEY"="C:\\Program Files\\Lenovo\\HOTKEY\\TPOSDSVC.exe"
    "TpShocks"="TpShocks.exe"
    "TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"

    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Did you intend on attaching a picture here for me to review involving MSE? I didn't see it in your previous post.
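As an added example (not code from the thread, from ComboFix or from the helper), here is a small Python parser for the CFScript format used in the post above: it splits the Section:: blocks, reads the FCopy:: "source | destination" pairs and the .reg-style Registry:: lines (including the "name"=- deletion form the earlier fixme.reg used), and lists what the script would change, flagging copies that overwrite files under system32. The embedded script text and the ExampleStaleValue name are constructed for the example.

```python
"""Audit a ComboFix CFScript before running it (added example, not code from the thread).
Parses the syntax shown in the thread: Section:: headers, 'src | dst' copies, .reg lines."""
import re
# Constructed input: copy and Run-key lines from the thread's CFScript, plus one
# "=-" deletion (ExampleStaleValue is a made-up name) as in the earlier fixme.reg.
CFSCRIPT = r"""KillAll::
ClearJavaCache::
FCopy::
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe | C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe | C:\WINDOWS\ERDNT\cache\svchost.exe
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
"TP4EX"="tp4ex.exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"ExampleStaleValue"=-
"""
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def split_sections(text):
    """Return [(section_name, [non-blank lines])] in script order."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), []))
        elif line and not sections:
            raise ValueError(f"line before any Section:: header: {line!r}")
        elif line:
            sections[-1][1].append(line)
    return sections

def parse_fcopy(lines):
    """FCopy:: lines are 'source | destination'; return [(src, dst)]."""
    pairs = [tuple(p.strip() for p in line.split("|")) for line in lines]
    if any(len(p) != 2 or not all(p) for p in pairs):
        raise ValueError("malformed FCopy line (expected 'src | dst')")
    return pairs

def parse_registry(lines):
    """Registry:: is .reg syntax; return {key: [(name, data)]}, data None = delete."""
    result, key = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, [])
            continue
        m = REG_VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError(f"unexpected registry line: {line!r}")
        name, data = m.groups()
        if data == "-":
            result[key].append((name, None))
        elif len(data) > 1 and data[0] == data[-1] == '"':
            # .reg writes a backslash as \\; unescape to get the real path
            result[key].append((name, data[1:-1].replace("\\\\", "\\")))
        else:
            raise ValueError(f"unsupported value data: {line!r}")
    return result

def summarize(text):
    """Collect directives, file copies and registry edits from a CFScript."""
    report = {"directives": [], "copies": [], "registry": {}}
    for name, lines in split_sections(text):
        if name == "FCopy":
            report["copies"] += parse_fcopy(lines)
        elif name == "Registry":
            for key, values in parse_registry(lines).items():
                report["registry"].setdefault(key, []).extend(values)
        else:
            report["directives"].append(name)
    return report

def system32_overwrites(copies):  # destinations under \system32\ deserve a second look
    return [dst for _, dst in copies if "\\system32\\" in dst.lower()]
```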
     
  8. krmorgan

    krmorgan Private E-2

    I haven't been able to try out your startup changes yet as I'm away from my home. I was limited in uploading files, so here are actually two MSE files for your review dated 8/25 and 8/28. I'm having problems uploading the 8/25 txt file, so you might not be able to see it (so I'm going to copy and paste it here).

    Also, were you going to attach a different copy of svchost or suggest where I should go to download it from?
     


    Last edited by a moderator: Sep 3, 2012
  9. thisisu

    thisisu Malware Consultant

    That CFScript should take the appropriate actions. ;) No downloading required.
     
  10. krmorgan

    krmorgan Private E-2

    Hi Super Malware Fighter,

    I feel like I'm beginning to grasp at straws to find a solution to the svchost application error ... :confused

    1. I have attached the ComboFix log

    2. I still have not been able to resolve the 1st Symptom.
    1st Symptom: When I reboot my Lenovo-E87C63AA, at Windows XP User Login prompt I receive the following
    dialog:
    svchost.exe - Application Error
    The instruction at "0x7c919af2" referenced memory at "0x00000010". The memory could not be "written".
    Click on OK to terminate the program
    Click on CANCEL to debug the program.

    3. I have conducted further research on svchost errors and I am not certain if it is either a corrupted file or a corrupt or missing registry? It seems to be a very common issue (even in MajorGeeks/bleepingcomputer), but none of the following solutions fixes the problem (if it really is a problem?)

    3A. support.microsoft.com/kb/972034
    performed "Fix it for me" rather than proceeding with "Let me fix it myself".

    => This did not resolve the login svchost application error

    3B. Svchost Process Analyzer
    download.cnet.com/Svchost-Process-Analyzer/3000-8022_4-75327749.html

    I installed this temporarily, then used Revo Uninstaller to remove. Attaching a few scan results "Svchost Process Analyzer Scan.jpg" and "Svchost Process Analyzer Scan Results.png"

    Installed Security Task Manager temporarily, then used Revo Uninstaller to remove. I found those four atypical svchost warnings as not revealing any silver bullet: Security Task Manager PID 2032 = Lenovo; Security Task Manager PID 572 = hidden; Security Task Manager PID 3384 = hidden; Security Task Manager PID 3728 = hidden

    => This did not resolve the login svchost application error, it was purely diagnostic ...

    3C. how to stop a svchost error message on start up in Win XP
    http://answers.microsoft.com/en-us/...rt-up-in/5896e0a0-4ae6-4e2f-92ed-c3cc9ad43d9f

    Support Engineer
    Hi fjy55555,

    Follow these methods in order and check which one of it helps you in fixing the issue.

    Method 1: Here’s a post which addresses this issue. Follow the various suggestions given in the link below which has helped many users to fix the issue.
    Error message on Boot-Up! svchost.exe - Application Error : The instruction at "0x7c91b21a" referenced memory at "0x00000010". The memory could not be "written".
    Method 2: Place your computer in Clean Boot state to identify the application causing this issue.
    Putting your system in clean boot state helps in identifying if any third party applications or startup items are causing the issue. If yes, you may have to contact the program manufacturer for any updates or uninstall and re-install the program.
    Here’s the article you may refer to for steps with reference to the same.
    How to configure Windows XP to start in a "clean boot" state
    Note: After troubleshooting, make sure to put the computer to start as usual as mentioned here:
    To configure Windows to use a Normal startup state
    After you used the clean boot to resolve your problem, you can follow these steps to configure Windows XP to start normally.
    a. Click Start, and then click Run.
    b. Type msconfig, and then click OK. The System Configuration Utility dialog box is displayed.
    c. Click the General tab, click Normal Startup - load all device drivers and services, and then click OK.
    d. When you are prompted, click Restart to restart the computer.

    => This did not resolve the login svchost application error.

    3D. How to configure Windows XP to start in a "clean boot" state
    http://support.microsoft.com/kb/310353

    => This did not resolve the login svchost application error. I did not perform the optional step (#4) to permanently remove all restore points as this seemed like a risky move to do with no chance of recovery ...

    3E. per http://www.bleepingcomputer.com/forums/topic261076.html

    1- Go to Control Panel
    2- Administrative Tools
    3- Services
    4- go to the following Service : ( Windows Driver Foundation - User-mode Driver Framework ) Right Click then choose Properties ----> in the start up type choose Disabled.
    5- Then reboot the system.
    That fixed it for me.

    => I did not try this as this seems to turn off services altogether (default is Automatic)

    Please let me know your thoughts on what else can be tried ... I am not sure if I should go so far as to restore the Registry entries that were backed up using AML Free Registry Cleaner 4.21, whereas there is no backup for the Auslogics utilities.

    Thanks, CaptMorgan :major

     


  11. thisisu

    thisisu Malware Consultant

    I would try this. If you follow the instructions given; it doesn't disable all the services, only one (Windows Driver Foundation).
     
  12. thisisu

    thisisu Malware Consultant

    Since this does appear to be a malware related issue, it is time for us to remove our tools:

    If you are not having any other malware related problems, it is time to do our final steps:
    • Any programs we had you download and/or install can be removed at this time.
    • If we had you download and run ComboFix, here is how to uninstall it:
      • Press and hold the Windows key and then press the letter R on your keyboard.
      • This opens the Run dialog box.
      • Copy and paste the below text inside the text-field:
        • "%userprofile%\desktop\ComboFix" /uninstall
      • Now press ENTER
      • ComboFix will extract its files one last time and you should receive a notification that ComboFix has been uninstalled shortly after.
    • You can re-enable your Disk Emulation software at this time via DeFogger.
    • If we had you create or download a registry patch or "fix" script, these can be deleted at this time.
    • Go into the C:\MGtools folder and run the MGclean.bat file to remove additional traces of our tools.
    • Now we will toggle System Restore to remove any infected system restore points.
    • Lastly, here is a guide to protect you from future infections: How to Protect yourself from malware!
    • Be safe :)
     
  13. krmorgan

    krmorgan Private E-2

    This recommendation did work on the first reboot :cool, but I need to give it some time just to ensure the system does not regress and repeat the error code again while rebooting.

    Since you are characterizing this as a cleaned up Malware threat that happened around Mid-August, I still have an unanswered question, especially since I had not been instructed to disable the System Restore points. That question I raised was what I should do with the "Registry Restore point" that was created by AML Free Registry Cleaner 4.21 => Backup 12.08.17-16.10.35 8/17/2012. It is possible that it removed the Registry entry for svchost.exe. Should I restore the backup, uninstall AML and also Auslogics? Then perform the original steps to ensure I did not restore the Malware ...

    1. RogueKiller
    2. Malwarebytes Anti-Malware
    3. TDSSKiller
    4. HitmanPro
    5. MGtools

    or am I better off leaving AML and Auslogics installed on the computer and just not doing anything further that might risk another infection or, worse yet, making my Registry corrupted and totally useless?

    If I am to remove the Malware tools, is it still OK to periodically run RogueKiller through HitmanPro and must I run them in the same sequence or can I just run Malwarebytes as a stand alone to detect whether my system has become compromised by Malware? What are the guidelines moving forward on any further Malware threats?

    Thanks,

     
  14. thisisu

    thisisu Malware Consultant

    I did instruct you to disable System Restore in order to flush the old restore points. Read my cleanup steps from post #12

    __

    I answered that early on when I requested that you uninstall AML Free Registry Cleaner which should delete the restore points it created. Re-read this post: #5

    __

    Unless you know what you're doing, I wouldn't recommend running RogueKiller or HitmanPro on your own. This is why we tell you to not fix anything it finds unless recommended to do so by a malware helper.

    Malwarebytes is a bit more safe to use on your own.

    Make sure to read the How to Protect yourself from malware! guide I provided you in post #12
     
  15. krmorgan

    krmorgan Private E-2

    Thank you. I have performed all steps except uninstalling AML Free Registry Cleaner 4.21 since this has as I previously said a Registry Restore Point dated 8/17/2012. I am not sure what good it will do for me to hang on to it, because the Registry is so down level from the add/remove programs that has taken place over these past two weeks of trouble shooting ...

    My reservations in removing it were because of the multiple entries for "svchost", as I was figuring the registry entry may have been removed by mistake and thereby causing that boot error message, whereas rather than fixing the problem we came up with a workaround in disabling it in Services.

    Thanks again for your assistance. I have also installed COMODO Firewall in place of the Windows SP3 Firewall. I'm also going to continue to rely upon Microsoft Security Essentials. I'm confident that it does a good enough job in real time Malware detections as well as its quarantine functions, since as an OEM product it should be able to remove Malware without corruption to the OS.

    Best regards,:-D
     
    Last edited by a moderator: Sep 6, 2012
  16. thisisu

    thisisu Malware Consultant

    You're welcome. Be safe.
     
