Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suddenly Slow Machine; Problem Unknown


  • This topic is locked This topic is locked
18 replies to this topic

#1 Motanu Danila

Motanu Danila

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 21 March 2008 - 12:17 PM

Hi there BC guardians,
I'll keep it short, I know that you're busy.

Patient: Vaio laptop, Windows XP Home SP2, Intel Pentium 4, 2.8 GHz, 512Mb RAM. Antivirus: AVG; Firewall: Sunbelt free edition; bi-weekly checks with Spybot, AVG Antispyware, Ad-Aware. Monthly checks with Stinger, F-secure online scanner, Kaspersky online scanner. No problems detected in the last year. (I used to be able to run Hause Call micro and Bit Defender, but these free scanners no longer work on my machine, I don't know why - this happened about 9 months ago, without affecting the performance of my machine.)

Problem: yesterday I ran my weekly clean-up routine. Ran Spybot and AVG Spyware, and they found only a couple of cookies. I tried then to run Ad-Aware 2007, as I usually do; the update did not work, and the program froze. I tried repeatedly, but each time I received an error for the update. I tried to uninstall Ad-Aware, but failed, both with "add/remove" in control panel, and with the option in the start-up. Tried again in safe mode, also failed.

Effect: speed-wise, my computer ran ok-ish until yesterday. For some reason yesterday's exploits slowed it down considerably: it takes almost 1 minute to open Windows Explorer, or Control Panel; startup is also very slow - up to 5 minutes to get all the stuff started, and I see that the firewall is not loaded automatically. Even small, non-RAM intensive programs that usually run on low resolution (e.g. games like Allied General) run very sluggishly, and the screen scroll "stutters" constantly. Another effect is that I am no longer able to use my email. Thunderbird opens (slowly), but it does download any new messages and I cannot delete or open existing messages.

Attempted solution - I tried to use the BC checklist for slow machines. Spybot and AVG Spyware ran normally, and showed nothing. I ran Stinger, and also showed nothing. Tried to run Ad-Aware again, froze again. Tried to do a full scan with AVG antivirus, but it was exceptionally slow and I eventually had to give up (it scanned 400 files in two hours; Stinger scanned more than 300k in about 1 and 1/2 hours). F-secure online scanner was equally slow, and also had to give up.

So here's the Hijackthis log (now with the updated version).

Thank you for your help. MD

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:15:12, on 21/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Motanu' Felix\Application Data\My-disgo\MyKey disgo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\philips\Philips Wireless Notebook Adapter 11ag Utility\PHCardMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\wuauclt.exe
D:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.club-vaio.sony-europe.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\Motanu' Felix\Application Data\My-disgo\MyKey disgo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Philips Wireless Notebook Adapter Utility.lnk = C:\Program Files\philips\Philips Wireless Notebook Adapter 11ag Utility\PHCardMonitor.exe
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138875909546
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78C864FE-C921-4AB6-A33D-7BC9F36E1B64}: NameServer = 194.102.255.2,194.102.255.3
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11840 bytes

BC AdBot (Login to Remove)

 


m

#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 30 March 2008 - 11:43 PM

Hello Motanu Danila,

I am SifuMike and I will be helping you. :thumbsup:

When the computer is slow, use Task Manager to see what is using all the CPU.
Right-click an empty space on the system bar (grey bar at bottom of the screen) and select Task Manager.
Click the Processes tab and then click the heading CPU twice.
This will sort all processes top down by CPU usage (with the CPU hogs at the top).
Tell me what is using all the CPU.







You can try running F-Secure online scan with
SAFE MODE WITH NETWORKING
Wehn you bootup to the safe mode menu screen, select from the following option:
Safe Mode with Networking
This option loads all these files and drivers and the services and drivers necessary to start networking.

Disable your AVG antivirus before running F-Secure online scan.

Run an F-Secure online scan for Viruses, Spyware and RootKits:
Go to http://support.f-secure.com/enu/home/ols.shtml

Notes:
This scan will only work with Internet Explorer
You must have administrator rights to run this scan
This scan can take several hours, so please be patient

Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the Active X control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post


If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finitished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post



******************
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them unaccessible for doing a scan. If this is the case, press the WINKEY + M key to "Minimize" the AVG display. Then right-click on AVG in the Task Bar and select "Maximize". If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and What to Scan?" leave all the default settings.
  • Under "Reports" select "Do not automatically generate reports" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop.
    A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can can continue to use as an on-demand scanner or you may purchase a license to use the full version.

When done, submit the F-Secure online scan log, the AVG Anti-Spyware 7.5 log and a fresh Hijackthis log.

Edited by SifuMike, 30 March 2008 - 11:58 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Motanu Danila

Motanu Danila
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 05 April 2008 - 02:24 PM

Hi SifuMike, thanks for your help. I was away for a week, hence the delay in my answer.

Here's what I did: the list of processes using the CPU is below. Some processes are listed more than once - I copied the list exactly as it was.

Then the problems started: no matter how many times I tried, I cannot connect to the internet in safe mode. For some reason, my network card is not detected. I tried six or seven times, with the same result. I cannot complete this stage of teh solution, so what do you suggest that I do?

Thank you once again,
MD

CPU usage

System idle process
System
spoolsv.exe
AppleMobileDeviceService.exe
guard.exe
avgamsvr.exe
smss.exe
avgupsvc.exe
avgemc.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
svchost.exe (three times)
nvsvc32.exe
svchost.exe
svchost.exe
kpf4ss.exe
svchost.exe
svchost.exe
PhotoAppSrv.exe
HKWnd.exe
sv_httpd.exe
explorer.exe
UPnPFramework.exe
ezSP_Px.exe
jusched.exe
stacmon.exe
HKServ.exe
dslagent.exe
avgcc.exe
MyKey disgo.exe
ctfmon.exe
AcroTray.exe
PHCardMonitor.exe
kpf4gui.exe
alg.exe
WINWORD.EXE
taskmgr.exe
kpf4gui.exe
firefox.exe
aawservice.exe

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 05 April 2008 - 02:59 PM

Hi Motanu Danila,

the list of processes using the CPU is below. Some processes are listed more than once - I copied the list exactly as it was.


I need to know the amount of CPU these processes are using. Is there any processes using very high CPU? Note it is normal for System Idle Process to be very high, as that is your free RAM.


no matter how many times I tried, I cannot connect to the internet in safe mode. For some reason, my network card is not detected.



How do you know your network card is not detected? Are you getting an error message? If so please tell me what it says.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Motanu Danila

Motanu Danila
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 05 April 2008 - 03:19 PM

I need to know the amount of CPU these processes are using. Is there any processes using very high CPU? Note it is normal for System Idle Process to be very high, as that is your free RAM.


In descending order:
firefox - 51400k
aawservice - 32224k
svchost - 29224k
explorer - 28336k (although the program is not running)
PHCardMonitor - 11984k
HKServ - 9784k
PhotoAppSrv - 8596k

Note: System Idle process only uses 220K, so I guess I have no free RAM (?)

How do you know your network card is not detected? Are you getting an error message? If so please tell me what it says.




The software of my network card says so (Philips Wireless Notebook Manager). It loads automatically at start-up, and every time I re-started it, it showed "no wireless card detected" - but that is not an error, it is a tab in the interface.

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 05 April 2008 - 04:34 PM

Hi,

I am more interested in the CPU than the total K the processes are using. Of course, it will very greatly all depending on what you are running.

The time to check Task Manager is when you having a slow computer (like when your run F-secure online or Stinger) as that will show which processes are using CPU. Processes that are constantly high will slow your computer.

Then the problems started: no matter how many times I tried, I cannot connect to the internet in safe mode.



What do you see on your screen when you press F8 and attempt to reach the Safe Mode?
Is your screen like this one?
http://www.computerhope.com/issues/chsafe.htm#02


The software of my network card says so (Philips Wireless Notebook Manager). It loads automatically at start-up, and every time I re-started it, it showed "no wireless card detected" - but that is not an error, it is a tab in the interface.


Sorry, my expertise is malware removal, not hardware.
I suggest you go to our Hardware> Internal Hardware forum and ask them about the "no wireless card detected" message.

Do you have SpyCatcher installed on this computer?

Edited by SifuMike, 05 April 2008 - 04:39 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Motanu Danila

Motanu Danila
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 05 April 2008 - 04:59 PM

I am more interested in the CPU than the total K the processes are using.


aawservice.exe shows "99" in the CPU column. Firefox.exe shows intermittently values from 2 to 13, which decrease accordingly the value of aawservice. All the rest stay at "00".

What do you see on your screen when you press F8 and attempt to reach the Safe Mode?
Is your screen like this one?
http://www.computerhope.com/issues/chsafe.htm#02


Yes. I started the machine in "safe mode with networking". Also, the network card works well in normal mode.

Do you have SpyCatcher installed on this computer?


No.

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 05 April 2008 - 06:31 PM

Hi,

"aawservice.exe" is the real-time protection of Ad-Watch.

Try killing it and see if that solves the problem of slowness. Refer to this LavaSoft thread::
http://www.lavasoftsupport.com/index.php?s...amp;#entry56157



Yes. I started the machine in "safe mode with networking". Also, the network card works well in normal mode.


Disable your antivirus program and try running F-Secure online scan in the normal mode.
Then run AVG Anti-Spyware in the Safe Mode.


This item...O20 - AppInit_DLLs: interceptor.dll should belong to the legitimate program "SpyCatcher", so if you dont have SpyCatcher that is very suspicious.
http://www.castlecops.com/o20list-154.html

It will be here C:\WINDOWS\System32\interceptor.dll

Please double-click on My Computer and locate the file "interceptor.dll".
Right-click on it and choose "Properties", then click on the "Version" tab at the top.
Click on "Comments", "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.

Edited by SifuMike, 05 April 2008 - 06:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 Motanu Danila

Motanu Danila
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 05 April 2008 - 09:48 PM

Hi Sifu

Some new developments: I eventually succeeded to uninstall Ad-Aware 2007; I had to first disable it using services.msc, because prior to this I was getting errors 1920 and 1921 each time I tried to change or remove it. After disabling it, it was possible to uninstall. The speed problem seems to have been resolved!



This item...O20 - AppInit_DLLs: interceptor.dll should belong to the legitimate program "SpyCatcher", so if you dont have SpyCatcher that is very suspicious.
http://www.castlecops.com/o20list-154.html

It will be here C:\WINDOWS\System32\interceptor.dll

Please double-click on My Computer and locate the file "interceptor.dll".
Right-click on it and choose "Properties", then click on the "Version" tab at the top.
Click on "Comments", "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.


I could not find this item. Granted, I only looked for it after removing Ad-aware. Is there a link between the two?

Any advice about what should I do now?

Thank you, MD

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 05 April 2008 - 09:53 PM

Hi,

The speed problem seems to have been resolved!

That is great. :thumbsup:


I could not find this item. Granted, I only looked for it after removing Ad-aware. Is there a link between the two?

I dont know. It may be part of Adaware.


We're going on a file hunt to see if we can find it.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find the following files in bold
C:\WINDOWS\System32\interceptor.dll

If you find it, then rt. click on it and look at the Properties and let me what it says.






See if you can run the two scans. try running F-Secure online scan in the normal mode.
Then run AVG Anti-Spyware in the Safe Mode.

Edited by SifuMike, 05 April 2008 - 11:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 Motanu Danila

Motanu Danila
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 06 April 2008 - 02:55 PM

Hi Sifu. Here's the news:

We're going on a file hunt to see if we can find it.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find the following files in bold C:\WINDOWS\System32\interceptor.dll

If you find it, then rt. click on it and look at the Properties and let me what it says.


I executed all steps, but I could not find this file.


See if you can run the two scans. try running F-Secure online scan in the normal mode. Then run AVG Anti-Spyware in the Safe Mode.


I did. F-secure took almost 5 hours to complete; I pasted the report below. AVG took about two hours; report also below. I then ran Spybot, which produced no results.
So here are the reports:

F-Secure
(there's a list of files not scanned, if it is relevant I can post that too):


Result: 1 malware found
W32/Malware (virus)
C:\PROGRAM FILES\PPMATE\PPMATE.EXE (Submitted)

AVG Antispyware:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:16:02 06/04/2008

+ Scan result:



:mozilla.103:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.68:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.72:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.12:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\h72q6npc.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.15:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.128:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.17:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.25:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.26:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.28:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.29:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.30:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.31:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.121:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.144:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.84:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.61:C:\Documents and Settings\Motanu' Felix\Application Data\Mozilla\Firefox\Profiles\qj5t7x8r.motanu danila\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end


I think that tracking cookies are rarely critical threats, so I do not know if these had any impact. Is there anything I should do? Should I replace Ad-Aware with another software, or are AVG ANtivirus and AVG Antispyware enough?

Thank you,
MD

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 06 April 2008 - 04:39 PM

Hi MD,

I executed all steps, but I could not find this file.

It is probably gone. :thumbsup:


Should I replace Ad-Aware with another software, or are AVG ANtivirus and AVG Antispyware enough?


AVG Antivirus, Spybot and AVG antispyware are enough :blink:

Lets run one more scanner.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 Motanu Danila

Motanu Danila
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 06 April 2008 - 06:12 PM

Copy and Paste the entire report in your next reply along with a fresh HijackThis log.


Done. Here are the results:

Malwarebytes' Anti-Malware report
Malwarebytes' Anti-Malware 1.10
Database version: 597

Scan type: Quick Scan
Objects scanned: 30676
Time elapsed: 6 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:07:32, on 07/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Documents and Settings\Motanu' Felix\Application Data\My-disgo\MyKey disgo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\philips\Philips Wireless Notebook Adapter 11ag Utility\PHCardMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
D:\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = http://www.club-vaio.sony-europe.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\C-Major Audio\stacmon.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\Motanu' Felix\Application Data\My-disgo\MyKey disgo.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Philips Wireless Notebook Adapter Utility.lnk = C:\Program Files\philips\Philips Wireless Notebook Adapter 11ag Utility\PHCardMonitor.exe
O4 - Global Startup: PowerPanel.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/as...rl/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1138875909546
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{78C864FE-C921-4AB6-A33D-7BC9F36E1B64}: NameServer = 194.102.255.2,194.102.255.3
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sunbelt Personal Firewall 4 (SPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\sony\vaio media music server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\vaio media platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\sony\photo server\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\sony shared\vaio media platform\UPnPFramework.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11839 bytes


Judging from the way my machine runs now, this should make good reading :thumbsup:
MD

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:01:18 PM

Posted 06 April 2008 - 07:04 PM

Hi MD,

Your log looks clean! :thumbsup: Good job on the cleanup!


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 Motanu Danila

Motanu Danila
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:03:18 PM

Posted 07 April 2008 - 01:47 PM

Thank you very much SifuMike. My machine runs quite smoothly now - I saved a system restore point, just in case. Just to clarify one thing in my mind: do you think this was an infection, or a clash caused by Ad-Aware 2007? I've been reading around on the net, and it seems that many have been confronted with similar trouble after installing the new version. Who knows, maybe you can advise others with the same problems.
All the very best and once again thank you,
MD




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users