Cpu Usage Shoots Up To 100 Causing Lag Spike - Hijackthis Log Inc


This topic is locked. 28 replies to this topic.

#1 zyao (Members, 20 posts)

Posted 02 May 2007 - 07:37 AM

Hi there, I've been getting random lag spikes, and when I open up Task Manager during the lag spike it shows CPU usage shooting up to 100%.

I'm assuming it's down to spyware, as I've checked my firewall, and it isn't my service provider either.

I've tried running Ad-Aware, Spybot S&D and AVG Free, but I still have the problem.

Any help would be much appreciated.

*edit*

Currently scanning with HouseCall and the other recommended antivirus programs.

______________________________________


Logfile of HijackThis v1.99.1
Scan saved at 13:57:44, on 02/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{926A5E0D-1689-4A65-BF51-2634BCAC5849}: NameServer = 62.24.199.13,62.24.199.23
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Edited by zyao, 02 May 2007 - 08:05 AM.
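A log like the one above is read top to bottom, and most of the work is knowing which section codes deserve attention first. The Python script below is added here as an illustration; it is not part of HijackThis and was not posted in this thread. It parses entries in the v1.99 line format and attaches review notes to the sections a responder checks first: O20 (AppInit_DLLs and Winlogon Notify), O23 services with no publisher information, O17 per-interface DNS servers, orphaned "(file missing)" entries, and BHOs without a registered name. The sample log is constructed from a few lines of the post; the rules and the note wording are the example's own assumptions, and a note means "look at this", not "this is malware" (the unnamed BHO in this log is Spybot's SDHelper.dll, which is benign).

```python
"""Triage helper for a HijackThis v1.99-style log.

Added example, not part of HijackThis or of the thread: it parses each
'Oxx - ...' entry and attaches review notes to the entry types a malware
responder reads first. A note means "look at this", not "this is malware";
the assumption behind each rule is stated in the comment above it.
"""
import re
from typing import Dict, List, Optional, Set

# One HijackThis entry: section code (R0, O2, O4, O17, O20, O23 ...), ' - ', body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2})\s+-\s+(?P<body>.+)$")

# Constructed sample in HijackThis format, modelled on the log in the post above.
# Header and process-list lines are included to show that the parser skips them.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{926A5E0D-1689-4A65-BF51-2634BCAC5849}: NameServer = 62.24.199.13,62.24.199.23
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""


def parse(log_text: str) -> List[Dict[str, str]]:
    """Return the HijackThis entries in log order; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body")})
    return entries


def review_notes(entry: Dict[str, str],
                 expected_nameservers: Optional[Set[str]] = None) -> List[str]:
    """Review notes for one entry. expected_nameservers is the set of resolver
    IPs already confirmed with the ISP or DHCP; None means 'not checked yet'."""
    section, body = entry["section"], entry["body"]
    notes: List[str] = []

    # O20 AppInit_DLLs: Windows loads the listed DLL into every process that
    # links user32.dll, so a single entry reaches almost every GUI program.
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        notes.append("AppInit_DLLs loads into every user32 process; tie the DLL to an installed product")
    # O20 Winlogon Notify: the DLL runs inside winlogon.exe (SYSTEM) on logon events.
    if section == "O20" and body.startswith("Winlogon Notify:"):
        notes.append("Winlogon Notify DLL runs inside winlogon.exe as SYSTEM; confirm its origin")
    # O23 'Unknown owner': HijackThis found no company name in the service binary.
    if section == "O23" and "Unknown owner" in body:
        notes.append("service binary carries no publisher information; identify the file before trusting it")
    # O17: per-interface DNS servers. A rogue resolver redirects every lookup,
    # so the listed IPs are compared with the ones the responder has verified.
    if section == "O17":
        m = re.search(r"NameServer\s*=\s*(.+)$", body)
        servers = {s.strip() for s in m.group(1).split(",")} if m else set()
        if expected_nameservers is None:
            notes.append("DNS servers set on an interface: verify %s with the ISP" % ", ".join(sorted(servers)))
        elif not servers <= expected_nameservers:
            notes.append("DNS servers not in the verified set: %s" % ", ".join(sorted(servers - expected_nameservers)))
    # '(file missing)': the registry points at a file that no longer exists,
    # usually an uninstall leftover; harmless, but worth cleaning up.
    if "(file missing)" in body:
        notes.append("orphaned entry: referenced file is absent")
    # O2 '(no name)': the BHO's CLSID has no registered name, so only the DLL
    # path identifies it (Spybot's SDHelper.dll is a well-known benign case).
    if section == "O2" and "BHO: (no name)" in body:
        notes.append("BHO without a registered name; identify it by its DLL path")
    return notes


def triage(log_text: str,
           expected_nameservers: Optional[Set[str]] = None) -> List[Dict[str, object]]:
    """Every entry, each with its (possibly empty) list of review notes."""
    return [dict(e, notes=review_notes(e, expected_nameservers)) for e in parse(log_text)]


def flagged_sections(log_text: str,
                     expected_nameservers: Optional[Set[str]] = None) -> List[str]:
    """Section codes of the entries that received at least one note, in log order."""
    return [e["section"] for e in triage(log_text, expected_nameservers) if e["notes"]]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e["notes"]:
            print("%s - %s" % (e["section"], e["body"]))
            for n in e["notes"]:
                print("    * " + n)
```

With no verified resolver set, every O17 entry is reported so that the addresses get confirmed with the ISP; passing the confirmed set silences it. The same pattern extends to the other sections by adding rules to review_notes.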



#2 zyao (Topic Starter, 20 posts)

Posted 03 May 2007 - 07:08 AM

Finished scanning with other recommended antivirus programs, still got the problem.

#3 zyao (Topic Starter, 20 posts)

Posted 05 May 2007 - 04:35 AM

bump

#4 zyao (Topic Starter, 20 posts)

Posted 05 May 2007 - 01:47 PM

bump

#5 zyao (Topic Starter, 20 posts)

Posted 07 May 2007 - 05:56 AM

anyone willing to look over this?

#6 Rosty (Malware Response Team, 1,220 posts)

Posted 08 May 2007 - 03:27 AM

Hi zyao,

bumping your own topic isn't gonna work. We always look for the oldest logs with no replies.

Download and install AVG Anti-Spyware v7.5.
  • After download, double click on the file to launch the install process.
  • Choose a language, click "OK" and then click "Next".
  • Read the "License Agreement" and click "I Agree".
  • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
  • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
  • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here.
  • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this is the case, then you may have to run your scan in normal mode and advise your helper afterwards.)

Scan with AVG Anti-Spyware as follows:
  • Click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?", "Possibly unwanted software", and "What to Scan?" leave all the default settings.
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
  • Click the "Scan" tab to return to scanning options.
  • Click "Complete System Scan" to start.
  • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
  • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
  • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
  • Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.
Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner, or you may purchase a license to use the full version.
Proud member of ASAP since 2007

#7 zyao (Topic Starter, 20 posts)

Posted 08 May 2007 - 01:07 PM

Oh, I wasn't aware of that, sorry.

Thanks for the feedback, I've done everything as required....

however I could not complete the scan in safemode, as "the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them unaccessible for doing a scan"

Here are the results for the scan

_______________________________________

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 18:55:50 08/05/2007

+ Scan result:



C:\System Volume Information\_restore{179EBE74-9DD6-4897-A3E8-E47831165963}\RP302\A0071098.dll -> Trojan.Gologger.d : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{179EBE74-9DD6-4897-A3E8-E47831165963}\RP302\A0071078.exe -> Trojan.Mygot : Cleaned with backup (quarantined).


::Report end

#8 Rosty (Malware Response Team, 1,220 posts)

Posted 08 May 2007 - 01:12 PM

Can I see a new HijackThis log please?

#9 zyao (Topic Starter, 20 posts)

Posted 08 May 2007 - 07:32 PM

Sure thing, sorry for the late reply.

_______________________________


Logfile of HijackThis v1.99.1
Scan saved at 01:28:35, on 09/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{926A5E0D-1689-4A65-BF51-2634BCAC5849}: NameServer = 62.24.199.13,62.24.199.23
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

#10 Rosty (Malware Response Team, 1,220 posts)

Posted 09 May 2007 - 07:23 AM

Hi,

I don't see malware present in your log.
But let's check with another scanner.

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


#11 zyao (Topic Starter, 20 posts)

Posted 09 May 2007 - 10:58 AM

Hi, here are the results of the Drweb scan.

_______________________________________

ra2superhack.exe;C:\Documents and Settings\Owner\Desktop\New Folder1;Tool.GameCrack;Incurable.Moved.;


I'm still experiencing lag spikes, which I wouldn't experience after I had reinstalled my operating system.
I've run into a few nasty pieces of malware since my last complete reinstall of Windows, and I sorted the problem out by using System Restore.
One other problem might be that I had installed Windows SP2, but it was making my computer run pretty slowly for some odd reason... I uninstalled SP2, but when I rolled back my system it was to a date when my computer still had SP2... as a result I don't actually have SP2, but my computer still seems to think I do.

Could this be causing the problem? Or could it be a messed up registry as a result of some nasty encounters with malware?


#12 Rosty (Malware Response Team, 1,220 posts)

Posted 09 May 2007 - 11:07 AM

> Hi, here are the results of the Drweb scan.
>
> ra2superhack.exe;C:\Documents and Settings\Owner\Desktop\New Folder1;Tool.GameCrack;Incurable.Moved.;


Been busy on a crack site?? Not very wise!!

Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.
Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.
Important! Please do not select the "Show all" checkbox during the scan.

Regards,

Rosty.

#13 zyao (Topic Starter, 20 posts)

Posted 09 May 2007 - 01:43 PM

Hey again, thanks for the fast response.

As for your question, no, I myself have not been on any crack sites.

A friend wanted me to test it out on a game and sent it to me. I will be more careful in the future, sorry.

test results are as follows:

____________________________________


GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-09 19:36:16
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\System32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\PROGRA~1\MSNMES~1\msnmsgr.exe[1244] WS2_32.dll!send 71AB428A 5 Bytes JMP 017248E8 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\PROGRA~1\MSNMES~1\msnmsgr.exe[1244] WS2_32.dll!recv 71AB615A 5 Bytes JMP 017248A6 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\PROGRA~1\MSNMES~1\msnmsgr.exe[1244] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01724408 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\PROGRA~1\MSNMES~1\msnmsgr.exe[1244] SHELL32.dll!Shell_NotifyIcon 7CA20C19 5 Bytes JMP 01721163 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll

---- Devices - GMER 1.0.12 ----

Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE EF18CC8A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE EF1897C8
Device \FileSystem\Fastfat \Fat IRP_MJ_READ EF18560A
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE EF185AED
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION EF190958
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION EF193821
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA EF19C38A
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA EF19BD49
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS EF195BBE
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION EF196331
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION EF1A44F4
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL EF18CB37
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL EF188948
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL EF19246B
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN EF1A379D
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL EF1A2C4A
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP EF1892FD
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP EF1A31DB
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible EF19E1F9

---- Registry - GMER 1.0.12 ----

Reg \Registry\USER\S-1-5-21-790525478-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{13403818-9BB9-1885-5EBF-2EC34B47C8FF}@abkclgoiklhfbnbfopmfbclebcjnmdeodp 0x61 0x61 0x00 0x00
Reg \Registry\USER\S-1-5-21-790525478-1580436667-1060284298-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{13403818-9BB9-1885-5EBF-2EC34B47C8FF}@bbkclgoiklhfbnbfopffkbihpcpfbkmgijgo 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.12 ----
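The "User code sections" block in the GMER log records inline hooks: the first 5 bytes of an exported function have been replaced with a JMP into another DLL, and GMER names the process, the API, and the DLL the jump lands in. Here that DLL is MsgPlusH.dll, installed with Messenger Plus! 3 (the same product behind the AppInit_DLLs entry in the HijackThis log), so hooks on send/recv/closesocket in msnmsgr.exe are what that add-on does by design. The Python below is an added example, not GMER's code and not from this thread. It parses those lines and lists the hooks whose hooking DLL sits outside the directories the responder trusts. The sample contains the four lines from the log plus one constructed line with a made-up DLL name (example_unknown.dll) to show a miss; the API_EFFECT table is the example's own summary of what each hooked API exposes. It does not interpret the kernel "?" line or the registry entries from the log.

```python
"""Parse the 'User code sections' of a GMER log and attribute each inline
hook to the module that placed it.

Added example, not GMER's code and not from the thread. A line such as
  .text <process>[pid] <module>!<function> <addr> 5 Bytes JMP <target> <hooking dll>
records that the first 5 bytes of the exported function were overwritten
with a JMP whose target lies in <hooking dll>. Hooks are normal for products
that extend another program; the interesting case is a hooking DLL that
nobody installed on purpose, or a JMP GMER cannot attribute to any module.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)\s*(?P<hooker>.*)$"
)

# What a hooked API gives the hooking code access to (partial; this example's
# own summary, not something GMER reports).
API_EFFECT = {
    "WS2_32.dll!send": "outgoing socket data",
    "WS2_32.dll!recv": "incoming socket data",
    "WS2_32.dll!closesocket": "socket lifetime",
    "SHELL32.dll!Shell_NotifyIcon": "tray icon updates",
}

# Constructed sample: the four MsgPlusH.dll hooks from the log above plus one
# made-up line (hypothetical DLL name, not from the thread) to show a miss.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.12 ----

.text C:\PROGRA~1\MSNMES~1\msnmsgr.exe[1244] WS2_32.dll!send 71AB428A 5 Bytes JMP 017248E8 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\PROGRA~1\MSNMES~1\msnmsgr.exe[1244] WS2_32.dll!recv 71AB615A 5 Bytes JMP 017248A6 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\PROGRA~1\MSNMES~1\msnmsgr.exe[1244] WS2_32.dll!closesocket 71AB9639 5 Bytes JMP 01724408 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\PROGRA~1\MSNMES~1\msnmsgr.exe[1244] SHELL32.dll!Shell_NotifyIcon 7CA20C19 5 Bytes JMP 01721163 C:\Program Files\MessengerPlus! 3\MsgPlusH.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[1880] WS2_32.dll!send 71AB428A 5 Bytes JMP 00A31000 C:\WINDOWS\system32\example_unknown.dll
"""


@dataclass
class Hook:
    process: str
    pid: int
    api: str        # "module!function"
    address: int    # address of the patched function
    nbytes: int     # length of the overwritten prologue
    target: int     # where the JMP lands
    hooker: str     # DLL containing the target, as reported by GMER ("" if none)

    @property
    def effect(self) -> str:
        return API_EFFECT.get(self.api, "unknown")


def parse_hooks(gmer_text: str) -> List[Hook]:
    """All user-mode JMP hooks in the log, in order; other lines are skipped."""
    hooks = []
    for line in gmer_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            process=m.group("process").strip(),
            pid=int(m.group("pid")),
            api="%s!%s" % (m.group("module"), m.group("function")),
            address=int(m.group("addr"), 16),
            nbytes=int(m.group("nbytes")),
            target=int(m.group("target"), 16),
            hooker=m.group("hooker").strip(),
        ))
    return hooks


def unexpected_hooks(hooks: Iterable[Hook], trusted_dirs: Iterable[str]) -> List[Hook]:
    """Hooks whose hooking DLL is outside every trusted directory. The match is a
    case-insensitive path prefix, since Windows paths are case-insensitive; a hook
    with no attributed module never matches and is therefore always reported."""
    prefixes = [d.lower().rstrip("\\") + "\\" for d in trusted_dirs]
    return [h for h in hooks
            if not any(h.hooker.lower().startswith(p) for p in prefixes)]


def report(gmer_text: str, trusted_dirs: Iterable[str]) -> List[str]:
    """One line per unexpected hook: process, API, what it exposes, hooking DLL."""
    return ["%s[%d] %s (%s) -> %s" % (h.process, h.pid, h.api, h.effect, h.hooker or "<no module>")
            for h in unexpected_hooks(parse_hooks(gmer_text), trusted_dirs)]


if __name__ == "__main__":
    for line in report(SAMPLE_GMER, [r"C:\Program Files\MessengerPlus! 3"]):
        print(line)
```

Hooks whose JMP target GMER cannot attribute to a module arrive with an empty hooker field, and the prefix match rejects them as well, which is the right default: a jump into memory backed by no file is exactly the case that deserves a closer look.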

#14 Rosty (Malware Response Team, 1,220 posts)

Posted 10 May 2007 - 07:21 AM

Looks good. how are things running?

#15 zyao (Topic Starter, 20 posts)

Posted 10 May 2007 - 07:23 AM

I'm still experiencing lag spikes, which I wouldn't experience after I had reinstalled my operating system.
I've run into a few nasty pieces of malware since my last complete reinstall of Windows, and I sorted the problem out by using System Restore.
One other problem might be that I had installed Windows SP2, but it was making my computer run pretty slowly for some odd reason... I uninstalled SP2, but when I rolled back my system it was to a date when my computer still had SP2... as a result I don't actually have SP2, but my computer still seems to think I do.

Could this be causing the problem? Or could it be a messed up registry as a result of some nasty encounters with malware?
