
Executing files can take as long as two minutes before actual load


This topic is locked. 12 replies to this topic.

#1 waynestir

Posted 30 June 2010 - 08:16 PM

Quad core 3.19 GHz
AMD Phenom[tm] III X4 955
4 GB RAM
750 GB HD
Running XP Pro 64-bit SP2 and all latest updates.
Using ESET NOD32 V4 and Spybot Search & Destroy to protect my system, with weekly scans scheduled.



Whenever I execute any type of file the system can take as long as two minutes to load the file. As well, the right-click menu takes equally as long. Being familiar with a few utilities that have worked great for me in the past, I tried them, as my spyware and antivirus programs have not detected anything. ComboFix will not run on 64-bit Windows, so I used SDFix instead. The CatchMe portion of the program caught this info:

detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error

detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error

detected NTDLL code modification:
ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, ZwQuerySystemInformation 0 != 51Initialization error


There were various registry keys deleted, but no real threats found that I saw.

Have not generated log with HiJackThis.

I have tried resetting file associations, with no luck on completing the task. Using RegVac I deleted all associations listed.
I've also tried defragging the system with both the provided and 3rd-party programs (UltraDefrag). Still the same issue remains.

Other than taking a long time to open even something as simple as a text file the OS appears to be in complete working order.

Any thoughts?

EDIT: Moved from XP to Am I Infected forum ~ Hamluis.

Edited by hamluis, 05 July 2010 - 09:10 AM.
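Added example, not part of the thread and not code from CatchMe or SDFix: a small Python parser for the CatchMe report format quoted in the post above. It treats the three identical blocks as one report emitted three times, lists every stub whose observed value differs from the value CatchMe expected, and groups those stubs by API family (my own grouping, based only on the function names) so a responder can see which views of the system a modification at those entry points could filter. The sample input is constructed from the quoted report.

```python
import re
from collections import Counter

# Constructed test input: the CatchMe report block quoted in the original
# post, repeated three times as it appeared there (the tool's trailing
# "Initialization error" text is fused onto the last entry, exactly as posted).
BLOCK = ("detected NTDLL code modification:\n"
         "ZwEnumerateKey 0 != 47, ZwQueryKey 0 != 19, ZwOpenKey 0 != 15, "
         "ZwClose 0 != 12, ZwEnumerateValueKey 0 != 16, ZwQueryValueKey 0 != 20, "
         "ZwOpenFile 0 != 48, ZwQueryDirectoryFile 0 != 50, "
         "ZwQuerySystemInformation 0 != 51Initialization error\n")
SAMPLE = "\n".join([BLOCK] * 3)

HEADER = "detected NTDLL code modification:"
# One entry reads "<Zw name> <observed> != <expected>"; \d+ stops at the first
# non-digit, so the entry fused with "Initialization error" still parses.
ENTRY_RE = re.compile(r"\b(Zw\w+)\s+(\d+)\s*!=\s*(\d+)")

def family(name):
    """Rough API family (hypothetical grouping by name, not a CatchMe field)."""
    if "Key" in name:
        return "registry"
    if "File" in name:
        return "filesystem"
    if "SystemInformation" in name:
        return "system-info"
    return "other"

def parse_catchme(text):
    """Return (block_count, {name: (observed, expected)}).
    Repeated identical blocks collapse into one entry set; the block count is
    kept so the reader can see the report was emitted several times."""
    entries = {}
    for name, observed, expected in ENTRY_RE.findall(text):
        entries.setdefault(name, (int(observed), int(expected)))
    return text.count(HEADER), entries

def modified_stubs(text):
    """Names whose observed value differs from what CatchMe expected."""
    _, entries = parse_catchme(text)
    return [n for n, (obs, exp) in entries.items() if obs != exp]

def triage(text):
    """Count modified stubs per API family, i.e. what a hook there could filter."""
    return Counter(family(n) for n in modified_stubs(text))

if __name__ == "__main__":
    blocks, entries = parse_catchme(SAMPLE)
    print(f"{blocks} report block(s), {len(entries)} distinct stubs, "
          f"{len(modified_stubs(SAMPLE))} modified")
    for fam, n in sorted(triage(SAMPLE).items()):
        print(f"  {fam:12s} {n}")
```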



#2 hamluis (Moderator)

Posted 01 July 2010 - 07:28 AM

What errors does Event Viewer reflect which might be clues?

Have you run a diagnostic on the hard drive?

How much free space on C:?

Louis

#3 waynestir (Topic Starter)

Posted 01 July 2010 - 08:40 PM

I have 281 GB free on the drive, but I have not run a diagnostics test on it.

There are several warnings and about 6 application errors and one application hang for Internet Explorer.

one of the warnings reads:
LastCounter and LastHelp values of performance registry is corrupted and needs to be updated. The first and second DWORDs in Data Section are the original values while the third and forth DWORDs in Data Section are the updated new values.

another one:
A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Those were both under the Application section, and there are a great many in the Security section as well. Too many to list all of them; most of them are from DCOM and a few sourced from SideBySide and Service Control Manager. I glanced through some of them and only saw errors reporting that most of the errors were generated because things were not installed on the system.

For instance:
Dependent Assembly Microsoft.Windows.Common-Controls could not be found and Last Error was The referenced assembly is not installed on your system.
and things like this:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{555F3418-D99E-4E51-800A-6E89CFD8B1D7}
to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19). This security permission can be modified using the Component Services administrative tool.

I checked the drive with DataLifeGuard and all is ok.

#4 hamluis (Moderator)

Posted 02 July 2010 - 06:41 AM

Thanks.

Let's try running the chkdsk /r command. Start/Run...type chkdsk /r and hit Enter. Type Y in next screen and hit Enter. Reboot the system...the chkdsk /r command will execute and the system will then boot into XP.

Louis

#5 waynestir (Topic Starter)

Posted 04 July 2010 - 08:03 PM

Ran Check Disk Utility and all still same. No errors reported.

#6 Broni (BC Advisor)

Posted 04 July 2010 - 11:38 PM

"detected NTDLL code modification" is most likely caused by an infection (Rustock, or some rootkit).
I suggest the malware forum.


#7 waynestir (Topic Starter)

Posted 05 July 2010 - 05:12 PM

In my original post the NTDLL code mod info I listed was from the log file generated by gmer's CatchMe rootkit revealer. Not sure what it all means.

What do I need to do now?


Edit: I'm particularly paranoid about internet threats, and when I set up a system I never connect to the internet until the system has full antivirus/spyware and system updates installed manually.

Edited by waynestir, 05 July 2010 - 05:22 PM.


#8 Broni (BC Advisor)

Posted 05 July 2010 - 05:13 PM

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!


#9 waynestir (Topic Starter)

Posted 05 July 2010 - 07:01 PM

Will do; however, I am running a 64-bit OS, and DDS doesn't work at all, and gmer is quite limited on what it can check.

[Posted Image]

As you can see, on the top right side I have highlighted that most of the areas are gray and cannot be selected.

I also re-opened DDS for the screen to show it doesn't work.

Edited by waynestir, 05 July 2010 - 07:18 PM.


#10 Broni (BC Advisor)

Posted 05 July 2010 - 07:22 PM

Just state it in your initial post.


#11 waynestir (Topic Starter)

Posted 05 July 2010 - 07:46 PM

Will do ... Thanks

#12 Broni (BC Advisor)

Posted 05 July 2010 - 07:48 PM

:thumbsup:


#13 Orange Blossom (Moderator)

Posted 06 July 2010 - 06:19 PM

Hello,

Now that you have posted a log here: http://www.bleepingcomputer.com/forums/t/329385/possible-unknown-threat-64-bit-os/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom