
Computer running so slow it's going backwards!!!

Hi All

You may remember me as having an original problem with a VX2 virus on my computer last month. Anyway, thanks to the help of you techie lot I sorted that out, thanks!

Unfortunately I'm still having problems with my computer and what's more they've got worse. My computer is so slow it's unbelievable! And it seems to have a mind of its own now too. Every time I try to run a Spybot or Ad-Aware scan, a message comes up in the bottom left-hand corner of the computer screen saying 'scan aborted by user' and I have done nothing of the sort???? It's as if something is blocking me from being able to remove it???? Spooky?????????

I'm posting a HijackThis logfile in the hope that one of you may have some idea of what's going on.

Cheers Guys,

Sloganjerry:confused:

Logfile of HijackThis v1.99.1
Scan saved at 18:44:47, on 05/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Default\Desktop\HijackThis.exe
C:\WINDOWS\system32\WgaTray.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [EPSON Stylus C46 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P23 "EPSON Stylus C46 Series" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138106337712
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
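As an added triage helper (not from the thread, and not part of HijackThis itself): a small Python parser for the log format above. It cross-references the O4 autorun entries against the "Running processes" section, flags autoruns that give no full path, and picks out "(file missing)" entries like the O18 line. The sample input is an abridged copy of the log posted above.

```python
import re

# Sample input: lines copied from the HijackThis log posted above (abridged).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\QuickTime\qttask.exe

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')


def image_path(cmd):
    """Executable part of an O4 command line: the quoted path or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def triage(log_text):
    """Cross-check O4 autoruns against the 'Running processes' section.

    Returns items worth a second look, not verdicts: autoruns whose image is not
    in the process list, autoruns with no full path (resolved via PATH), and
    any entry HijackThis marked '(file missing)'.
    """
    running, in_procs = set(), False
    findings = {"not_running": [], "no_full_path": [], "file_missing": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            running.add(line.lower())
            continue
        if "(file missing)" in line:
            findings["file_missing"].append(line)
        m = RUN_RE.match(line)
        if not m:
            continue
        image = image_path(m.group("cmd"))
        if "\\" not in image:
            findings["no_full_path"].append(m.group("name"))
        if image.lower() not in running:
            findings["not_running"].append(m.group("name"))
    return findings
```

An autorun that is not running at scan time is normal for many tools (iTunesHelper, NeroCheck), so the output is a list to read against the rest of the log, not a list of infections.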

Comments

  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    cannot see anything wrong with that directly (although "Bearshare" can open you to the risk of downloaded Trojans etc)

    go here

    http://www.f-secure.com/blacklight/

    and download the latest version

    run it and post the log it produces here

    we are looking for "rootkit" malware that will not be shown in a HijackThis log

    quote :-

    Rootkits for Windows work in a different way and are typically used to hide malicious software from, for example, an antivirus scanner. Rootkits are typically not malicious by themselves but are used for malicious purposes by viruses, worms, backdoors and spyware. A virus combined with a rootkit produces what was known as full stealth viruses in the MS-DOS environment.

    The rootkit itself does typically not cause deliberate damage. Its purpose is to hide software. But rootkits are used to hide malicious code. A virus, worm, backdoor or spyware program could remain active and undetected in a system for a long time if it uses a rootkit.
    The malware may remain undetected even if the computer is protected with state-of-the-art antivirus. And the antivirus can't remove something that it can't see. The threat from modern malware combined with rootkits is very similar to full stealth viruses that caused a lot of headache during the MS-DOS era. All this makes rootkits a significant threat.
    How common is the problem?
    There are currently several spyware programs and viruses that use rootkits to hide. There are also a couple of publicly reported intrusions where rootkits have been used (for example the theft of the Half-Life 2 source code).
    Rootkits are already quite common in spyware programs but not as common in viruses. There is clear evidence that rootkits are a technique that works in practice. But the actual threat is still small compared to the potential of this technique.

    What malware uses rootkit techniques?
    First of all, "real" rootkits such as Hacker Defender and FU, of course. Then some spyware/adware programs such as EliteToolbar, ProAgent, and Probot SE. Some Trojans such as Berbew/Padodor and Feutel/Hupigon, and also some worms e.g. Myfip.h and the Maslan-family.

    Shouldn't antivirus detect rootkits before they go into hiding? Yes, and in some cases it will. However, rootkits are usually distributed in source code and that means a hacker can modify the rootkit until antivirus products no longer detect it. In fact, many rootkit and Trojan authors sell "undetection service" to their "customers". This means that for a certain amount of money they guarantee that the rootkit binary they sell is not at that point detected by any antivirus vendors. There are also some other features in modern antivirus products that may detect rootkits. For example F-Secure Internet Security 2005 has a feature we call "Manipulation Control". It is a behavioral blocking mechanism that prevents malicious processes from manipulating other processes. This will prevent the activation of some rootkits, but not all.

    http://www.f-secure.com/blacklight/rootkit.shtml
    Ex forum ambassador

    Long term forum member
  • skiddy2k
    skiddy2k Posts: 1,627 Forumite
    looks alright to me...
    delete all your cookies and temp files (C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files and C:\Documents and Settings\[username]\Local Settings\Temp)

    try to do spyware & virus scans in safe-mode

    try to do an online virus scan using any/all of the following (the more the merrier!... if I was you, I'd use the top two scanners):
    http://www.kaspersky.com/virusscanner
    http://www.bitdefender.com/scan8/ie.html
    http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
    http://housecall.trendmicro.com/
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    if you look back through Slogan's older posts you will see that we have been through some problems before on the techie forum that we helped him remove

    http://forums.moneysavingexpert.com/showthread.html?t=184462

    I want to be sure we are not dealing with something else and to effectively deal with that before running anything else, so maybe it's best that he holds fire on anything else until we have eliminated a rootkit
    Ex forum ambassador

    Long term forum member
  • Crabman
    Crabman Posts: 9,939 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    What kind of firewall are you using?? I'm using ZoneAlarm (free version); it's supposed to be quite good although my lappy does get very slow sometimes (Centrino 1.6GHz)
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    he is using ZoneAlarm

    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

    if you read through the first part of the HijackThis log he has posted it tells you everything that is running :)

    (not being sarky...thought it may be of interest to people :) )
    Ex forum ambassador

    Long term forum member
  • skiddy2k
    skiddy2k Posts: 1,627 Forumite
    wow! I've never seen a PC with virus/spyware in rootkits... read about it, but never thought it was an issue... guess it's gonna become more of an issue now because they're much harder to detect and get rid of!
  • Crabman
    Crabman Posts: 9,939 Forumite
    Part of the Furniture 1,000 Posts Photogenic Combo Breaker
    Browntoa wrote:
    he is using ZoneAlarm

    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

    if you read through the first part of the HijackThis log he has posted it tells you everything that is running :)

    (not being sarky...thought it may be of interest to people :) )
    I'm not accustomed to that erm code stuff but I'm always learning ;) thanks Browntoa :beer:
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    here's one if you want a read

    http://softwaremart.biz/virus/threats/nov03/Backdoor-Isen-Rootkit.htm


    real sneaky one here


    http://www.pcpro.co.uk/news/87217/virus-plays-fast-and-loose-with-online-poker.html


    Potentially, the author could log in to these accounts and set up a poker game against him/herself, ensuring that the victim would lose.
    The components were hidden by a rootkit driver that essentially tells Windows to ignore these files, rendering them invisible to applications, including security programs such as Norton Antivirus. Indeed Checkraised.com says that when the developer built the application, each version would be submitted to the company via email and scanned for viruses. Yet the rootkit code remained undetected.
    Ex forum ambassador

    Long term forum member
  • Sloganjerry
    Sloganjerry Posts: 305 Forumite
    Hi Browntoa

    Thanks for your advice about rootkits. I ran the BlackLight scan programme that you suggested but unfortunately it didn't find anything?? Here is the logfile:

    06/07/06 17:26:12 [Info]: BlackLight Engine 1.0.37 initialized
    06/07/06 17:26:12 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    06/07/06 17:26:14 [Note]: 7019 4
    06/07/06 17:26:14 [Note]: 7005 0
    06/07/06 17:26:21 [Note]: 7006 0
    06/07/06 17:26:21 [Note]: 7011 216
    06/07/06 17:26:22 [Note]: 7026 0
    06/07/06 17:26:22 [Note]: 7026 0
    06/07/06 17:26:49 [Note]: FSRAW library version 1.7.1015
    06/07/06 17:27:50 [Note]: 7007 0

    I say unfortunately because at least if it had I would have known what the problem was, but I'm not sure where that leaves me now then?

    Should I try running the other scans suggested?

    By the way, sometimes when I'm accessing the internet an address comes up in the right-hand corner, something like: 'transferring data to akai.met.ai'. Not sure if that is perfectly accurate spelling but does this mean anything to you?? I am worried that someone is hacking into my details as it comes up when I do internet banking for example. If you think it's significant I'll record exact details. :undecided

    Cheers All,

    Sloganjerry
  • albertross_2
    albertross_2 Posts: 8,932 Forumite
    Ever get the feeling you are wasting your time? :rolleyes:
This discussion has been closed.