
Computer Running Very Slow


This topic is locked. 1 reply to this topic.

#1 mistergreen

Posted 01 November 2010 - 02:03 PM

When this first happened last week, the computer was dragging. Today it seems better, but the rootkit-like behavior still shows up in the log.

Attached are my DDS and GMER logs.


DDS (Ver_10-10-31.01) - NTFSx86
Run by 90003580 at 14:47:19.48 on Mon 11/01/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2943.1666 [GMT -4:00]

AV: eTrust ITM *On-access scanning enabled* (Outdated) {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PatchLink\Update Agent\GravitixService.exe
C:\WINDOWS\system32\PGPserv.exe
C:\Program Files\Wireless AutoSwitch\WrlsAutoSW.exs
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\AccelerometerSt.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\PatchLink\Update Agent\pddm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\90003580\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Amtrak
uStart Page = hxxp://intranet.corp.nrpc
uDefault_Page_URL = hxxp://intranet.corp.nrpc
uSearch Bar = hxxp://search.live.com
mDefault_Page_URL = hxxp://intranet.corp.nrpc
mStart Page = hxxp://intranet.nrpc
uInternet Connection Wizard,ShellNext = hxxp://www.amtrak.com/
uInternet Settings,ProxyOverride = <local>
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [AccelerometerSysTrayApplet] c:\windows\system32\AccelerometerSt.exe
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
mRun: [SPP Password Expiration Check] c:\windows\system32\SppClient.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [PDDM] c:\program files\patchlink\update agent\pddm.exe
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{e19753db-3e9d-44a0-a615-ad5c3533a161}\Icon6560581611.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 8\SnagIt32.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: GreyMSIAds = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoNetworkConnections = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
uPolicies-explorer: NoChangeAnimation = 1 (0x1)
uPolicies-explorer: DisallowCpl = 1 (0x1)
uPolicies-disallowrun: 1 = bckgzm.exe
uPolicies-disallowrun: 2 = chkrzm.exe
uPolicies-disallowrun: 3 = freecell.exe
uPolicies-disallowrun: 4 = hrtzzm.exe
uPolicies-disallowrun: 5 = pinball.exe
uPolicies-disallowrun: 6 = shvlzm.exe
uPolicies-disallowrun: 7 = sol.exe
uPolicies-disallowrun: 8 = spider.exe
uPolicies-disallowrun: 9 = winmine.exe
uPolicies-system: NoDispScrSavPage = 1 (0x1)
uPolicies-system: HideLogoffScripts = 1 (0x1)
uPolicies-system: HideLogonScripts = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: dontdisplaylockeduserid = 1 (0x1)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
mPolicies-system: HideShutdownScripts = 0 (0x0)
mPolicies-system: MaxGPOScriptWait = 90 (0x5a)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\windows\system32\PGPlsp.dll
Trusted Zone: acsbpS.coM
Trusted Zone: acsbpS.coM\*.wS
Trusted Zone: aD.nrpC
Trusted Zone: aD.nrpC\*.amtraK
Trusted Zone: amtraK.coM
Trusted Zone: appS2.nrpC
Trusted Zone: atT.coM
Trusted Zone: atT.coM\*.teleconferencE
Trusted Zone: corP.nrpC
Trusted Zone: eway.com
Trusted Zone: intraneT.nrpC
Trusted Zone: livE.coM
Trusted Zone: microsofT.coM
Trusted Zone: moredirect.com
Trusted Zone: mssepmapP01
Trusted Zone: mssepmappstG01
Trusted Zone: mssetxapP04
Trusted Zone: mssetxapP05
Trusted Zone: mssetxapptsT04
Trusted Zone: mssetxapptsT05
Trusted Zone: mssetxdevapP04
Trusted Zone: mssetxdevapP05
Trusted Zone: mssetxdevdB04
Trusted Zone: mssetxtstdB04
Trusted Zone: neC.nrpC
Trusted Zone: nrpC
Trusted Zone: phlnetiQ01
Trusted Zone: projectS.nrpC
Trusted Zone: rcpkrnwfC
Trusted Zone: rcpkrnwfC.reS.nrpC
Trusted Zone: rcpsqlreP.reS.nrpC
Trusted Zone: rcraspcR1
Trusted Zone: rcraspcR1.reS.nrpC
Trusted Zone: rcraspvP1
Trusted Zone: rcraspvP1.reS.nrpC
Trusted Zone: teamrewards.com
Trusted Zone: tesscO.coM
Trusted Zone: toreioN.coM
Trusted Zone: tripmanager.com
Trusted Zone: webeX.coM
Trusted Zone: wusvmepmapP01
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://vpn.amtrak.com/vdesk/cachecleaner.cab#version=6020,2008,0821,2204
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://vpn.amtrak.com/vdesk/terminal/f5tunsrv.cab#version=6020,2008,0821,2211
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://vpn.amtrak.com/vdesk/terminal/InstallerControl.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://vpn.amtrak.com/vdesk/terminal/f5InspectionHost.cab#version=6020,2008,0821,2206
DPF: {7E73BE8F-FD87-44EC-8E22-023D5FF960FF} - hxxps://vpn.amtrak.com/vdesk/terminal/vdeskctrl.cab#version=6020,2008,1007,1911
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://vpn.amtrak.com/vdesk/terminal/urxshost.cab#version=6020,2008,0821,2209
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://vpn.amtrak.com/vdesk/terminal/urxhost.cab#version=6020,2008,0821,2207
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - hxxps://vpn.amtrak.com/policy/download_binary.php/win32/f5syschk.cab#Version=6020,2008,0821,2217
Handler: qrev - {9DE24BAC-FC3C-42c4-9FC4-76B3FAFDBD90} - c:\progra~1\quests~1\toadfo~1\RNetPin.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: faIPolDev - faIPolDev.dll
Notify: SoPwdClt - SPP2Clt.dll
LSA: Notification Packages = scecli PGPpwflt

============= SERVICES / DRIVERS ===============

R0 IPCDLock;Disk Performance Monitor Filter Driver;c:\windows\system32\drivers\IPCDLockXP.sys [2006-11-28 11592]
R0 IPolFilterDrv;IPolFilterDrv;c:\windows\system32\drivers\IPolFilterDrvXP.sys [2006-11-28 26440]
R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2009-8-28 136312]
R1 faARM;faARM;c:\windows\system32\drivers\faARM.sys [2009-1-13 52424]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-8-7 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-8-7 108392]
R2 Wireless_AutoSwitch;Wireless AutoSwitch;c:\program files\wireless autoswitch\WrlsAutoSW.exs [2010-5-26 145991]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-8-22 36352]

=============== Created Last 30 ================

2010-10-26 20:20:49 80384 ----a-w- C:\mbr.exe
2010-10-25 13:08:51 -------- d-----w- c:\docume~1\90003580\applic~1\Malwarebytes
2010-10-25 13:08:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-25 13:08:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-25 13:08:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-25 13:08:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================


============= FINISH: 14:47:43.84 ===============


The problem with reality is the lack of background music

#2 Budapest (Moderator)

Posted 03 November 2010 - 08:24 PM

Topic closed at member's request.

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw
