

Win32? Infection


3 replies to this topic

#1 nattynooy

nattynooy

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 03 February 2008 - 01:31 PM

Hi there,

Recently my computer has started to take 10+ mins to boot. Once the Windows start screen appears, it hangs and loads extremely slowly. The performance of the computer is really poor also, running at about 50-60% usage at most times.

I have run the following with limited success (found some cookies etc. and the Win32 virus, which was claimed to be removed):

Spybot
Adaware
Stinger
Kaspersky firewall and virus scan
Defrag
Cleaned up disk by removing all non essential apps

Anyway here is my log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30:17, on 03/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\Rar$EX00.172\HijackThis.exe

O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5543] command /c del "C:\Documents and Settings\Admin\Application Data\AdwareAlert\Log\2007 Nov 12 - 06_14_19 PM_843.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3759] cmd /c del "C:\Documents and Settings\Admin\Application Data\AdwareAlert\Log\2007 Nov 12 - 06_14_19 PM_843.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6870] command /c del "C:\Documents and Settings\Admin\Application Data\AdwareAlert\Log\2007 Nov 12 - 06_14_27 PM_750.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9227] cmd /c del "C:\Documents and Settings\Admin\Application Data\AdwareAlert\Log\2007 Nov 12 - 06_14_27 PM_750.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9664] command /c del "C:\WINDOWS\system32\libeay32.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2390] cmd /c del "C:\WINDOWS\system32\libeay32.dll_old"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7634] command /c del "C:\Documents and Settings\Admin\Application Data\AdwareAlert\Log\2007 Nov 12 - 06_14_19 PM_843.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3121] cmd /c del "C:\Documents and Settings\Admin\Application Data\AdwareAlert\Log\2007 Nov 12 - 06_14_19 PM_843.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4688] command /c del "C:\Documents and Settings\Admin\Application Data\AdwareAlert\Log\2007 Nov 12 - 06_14_27 PM_750.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1984] cmd /c del "C:\Documents and Settings\Admin\Application Data\AdwareAlert\Log\2007 Nov 12 - 06_14_27 PM_750.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1766] command /c del "C:\WINDOWS\system32\libeay32.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7906] cmd /c del "C:\WINDOWS\system32\libeay32.dll_old"
O4 - Startup: TVersity.lnk = C:\Program Files\TVersity\Media Server\TVersity.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: rsvpspsys.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll rsvpspsys.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 5522 bytes



Hope you can help


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:10:39 AM

Posted 08 February 2008 - 05:39 PM

Hello nattynooy and welcome to the BC HijackThis forum. I don't see any signs of viruses or malware in the log. It's clean.

One thing that might be causing it is TeaTimer. There are a number of entries showing that should have been removed when Windows was booting.

Try this:

To disable TeaTimer do the following:
  • Start Spybot-S&D.
  • Go to the Mode menu, and make sure Advanced Mode is selected.
  • On the left hand side, choose Tools and then click on Resident.
  • Uncheck Resident TeaTimer and choose OK for any further prompts.
  • Restart your computer.
Boot the machine up a couple of times and see if it's any better. If not, we can try a different scanner and see if that shows anything. If that comes up clean we'll send you over to the XP Forum and let the techs there take a look at it.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
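As an added example (not from the thread or from HijackThis itself), a small Python script that applies the check OldTimer made by eye: it parses the O4 lines of a HijackThis log and groups RunOnce delete commands by the file they target, so leftover entries that should have been consumed at logon stand out. The sample lines are copied from the log posted above; the function names are my own.

```python
import re
from collections import defaultdict

# Matches HijackThis O4 registry autostart lines, e.g.
#   O4 - HKLM\..\RunOnce: [Name] command
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# Pulls the file that a "del" command would remove (quoted or bare path).
DEL_RE = re.compile(r'\bdel\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)

# Constructed sample: O4 lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9664] command /c del "C:\WINDOWS\system32\libeay32.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2390] cmd /c del "C:\WINDOWS\system32\libeay32.dll_old"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1766] command /c del "C:\WINDOWS\system32\libeay32.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7906] cmd /c del "C:\WINDOWS\system32\libeay32.dll_old"
O4 - Startup: TVersity.lnk = C:\Program Files\TVersity\Media Server\TVersity.exe
"""

def parse_o4(log_text):
    """Return one dict (hive, key, name, cmd) per O4 registry line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def stale_runonce(entries):
    """Group RunOnce delete commands by target file. Windows consumes RunOnce
    values at the next logon, so any still listed after a normal boot never
    ran; several aimed at one file are repeated, blocked cleanup attempts."""
    by_target = defaultdict(list)
    for e in entries:
        if e["key"].lower() != "runonce":
            continue
        d = DEL_RE.search(e["cmd"])
        target = d.group("path") if d else e["cmd"]
        by_target[target].append(f'{e["hive"]}:{e["name"]}')
    return dict(by_target)

if __name__ == "__main__":
    for target, names in stale_runonce(parse_o4(SAMPLE_LOG)).items():
        print(f"{len(names)} RunOnce entries still waiting to delete {target}")
        for n in names:
            print("   ", n)
```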


#3 nattynooy

nattynooy
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 09 February 2008 - 04:24 AM

Thanks OldTimer, that has helped greatly.

What do I lose by removing TeaTimer? Am I at risk?

I am still running at about 15% CPU constantly. Is that Kaspersky? Is 15% normal/acceptable?

Edited by nattynooy, 09 February 2008 - 04:24 AM.


#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:10:39 AM

Posted 09 February 2008 - 11:27 AM

Hi nattynooy. You don't really gain or lose anything by having TeaTimer running or not. I personally would not have it running. There are various security applications that prevent changes to the registry. While that can be a good thing, the problem occurs when malware makes a change that TeaTimer cannot prevent. Then along comes an anti-virus or anti-spyware application and tries to change it, and TeaTimer disallows it. That's what happened here. It actually blocked itself (Spybot) from making some needed changes lol. While good in theory, sometimes these types of applications can cause more harm than good. That's just my opinion.

15% CPU utilization isn't too bad unless it is slowing down the machine's performance. You can see what application it is by going to Task Manager and checking the Processes tab. To get to Task Manager press Ctrl-Alt-Delete at the same time. The Processes tab will list all of the running processes and how much CPU time each is using. I just had a similar issue today. I use AntiVir and an update overnight caused AntiVir to overwhelm the CPU. A couple of reboots and it was back to normal.

Let me know if you have any further questions.

Cheers.

OT
