Vaio laptop spyware/virus/malware

13 Comments

  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    Maybe we should try some other anti-rootkit tool. Please download GMER and extract the contents to a folder. Now, run GMER.EXE and then click the "Rootkit" tab in the main window of GMER. Here, on the right-hand side, select these options:
    • System
    • Devices
    • Processes
    • Libraries
    • Modules
    • Services
    • Registry
    • Files
    Next, select all the drives (like C:\, D:\ etc) from the list that is shown. And, finally click "Scan" to start the scan (do NOT select the "Show All" option). Once the scan is complete please copy the results by clicking "Copy" button and post it in your next reply.
    Ex forum ambassador

    Long term forum member
  • garcia
    garcia Posts: 214 Forumite
    Sorry I had to break off for lunch.

    I've run the file monitor thingy - looks like a really fab program. It's picked up quite a bit of activity from csrss.exe.

    Upon doing a search I get:
    " csrss.exe is a process which is registered as the W32.AGOBOT.GH worm"

    Is this true? If so how do I remove???

    Many thanks.
  • albertross_2
    albertross_2 Posts: 8,932 Forumite
    Did you search for csrss or crss?

    csrss, if from Microsoft, is legit, but some viruses are named after a legit exe.

    If you browse to c:\windows\system32 and right-click on csrss.exe, then Properties, Version, File version, it should say 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) if legit.

    You need to run filemon at the point it slows down to catch the cause.
    Ever get the feeling you are wasting your time? :rolleyes:
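The check albertross describes above has three parts: the name must be exactly the system binary's name (crss is not csrss), the file must live in C:\Windows\System32, and its file version should match the known-good build. The script below is an added example, not from the thread, that applies those three tests to a process listing. The process snapshot it runs on is constructed for illustration (the paths and the second csrss.exe are made up; the ZoneAlarm path is assumed); on a real machine you would feed it the name, path and version columns from Process Explorer or a similar tool. The only known-good version string it uses is the XP SP2 one quoted in the thread; the expected directories are assumed standard XP locations.

```python
"""Triage a Windows process listing for look-alike names and legit names in the wrong place."""
import ntpath

# Expected install directory and, where the thread quotes one, file version
# of legitimate Windows XP system binaries.  Directories are assumed (standard
# XP layout); the csrss version is the one quoted in the thread.  Every
# genuine system process name must be listed here, otherwise it would be
# flagged as a look-alike of a neighbour (lsass is two edits from csrss).
KNOWN_GOOD = {
    "csrss.exe":    {"dir": r"c:\windows\system32", "version": "5.1.2600.2180"},
    "smss.exe":     {"dir": r"c:\windows\system32", "version": None},
    "lsass.exe":    {"dir": r"c:\windows\system32", "version": None},
    "winlogon.exe": {"dir": r"c:\windows\system32", "version": None},
    "svchost.exe":  {"dir": r"c:\windows\system32", "version": None},
    "services.exe": {"dir": r"c:\windows\system32", "version": None},
}
LOOKALIKE_MAX_DISTANCE = 2   # catches dropped letters, digit swaps and transpositions


def edit_distance(a, b):
    """Levenshtein distance between two strings (plain DP, no dependencies)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name, path, version=""):
    """Return a verdict string for one running process."""
    name = name.lower()
    directory = ntpath.dirname(path).lower().rstrip("\\")
    ref = KNOWN_GOOD.get(name)
    if ref is not None:
        # Right name: it still has to live in the right place ...
        if directory != ref["dir"]:
            return "WRONG_DIR"
        # ... and, where we know it, carry the expected file version
        # (the numeric part before the build tag in brackets).
        if ref["version"]:
            numeric = (version or "").split(" ")[0]
            if numeric != ref["version"]:
                return "VERSION_MISMATCH"
        return "OK"
    # Unknown name: is it a near miss of a system process name (crss vs csrss)?
    best = min(KNOWN_GOOD, key=lambda good: edit_distance(name, good))
    if edit_distance(name, best) <= LOOKALIKE_MAX_DISTANCE:
        return f"LOOKALIKE_OF_{best}"
    return "UNKNOWN"   # third-party software such as ZoneAlarm; not a verdict of "bad"


def triage(snapshot):
    """Classify every entry of a [{name, path, version}] listing."""
    return [(p["name"], classify(p["name"], p["path"], p.get("version", ""))) for p in snapshot]


# Constructed process snapshot: the first and fourth rows mirror what a clean
# XP SP2 box shows, the others are made-up examples of the patterns to catch.
SNAPSHOT = [
    {"name": "csrss.exe", "path": r"C:\WINDOWS\system32\csrss.exe",
     "version": "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)"},
    {"name": "crss.exe", "path": r"C:\WINDOWS\crss.exe"},
    {"name": "csrss.exe", "path": r"C:\Documents and Settings\garcia\csrss.exe",
     "version": "1.0.0.0"},
    {"name": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe"},
    {"name": "zlclient.exe", "path": r"C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"},
]

if __name__ == "__main__":
    for name, verdict in triage(SNAPSHOT):
        print(f"{name:14} {verdict}")
```

An UNKNOWN verdict only means the name is not a core system binary, which is where garcia's vsmon.exe and zlclient.exe would land; the rows worth chasing are WRONG_DIR, VERSION_MISMATCH and LOOKALIKE.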
  • garcia
    garcia Posts: 214 Forumite
    Thanks albertross, false alarm, my csrss is legit.

    It slows down often so it's not difficult to get filemon running at such a point. However the only programs accessing seem to be legit, i.e.:
    MsMpEng.exe, csrss.exe, svchost.exe, vsmon.exe, zlclient.exe, winlogon.exe

    csrss.exe gives quite a few errors, but other than that can't see anything untoward.
  • garcia
    garcia Posts: 214 Forumite
    GMER rootkit LOG

    GMER 1.0.10.10122 - http://www.gmer.net
    Rootkit 2006-07-04 17:16:12
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.10 ----

    SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
    SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
    SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
    SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
    SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
    SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
    SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

    ---- Devices - GMER 1.0.10 ----

    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F8ACD85A] avgtdi.sys
    Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8ACD85A] avgtdi.sys
    Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F8ACD85A] avgtdi.sys
    Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F8ACD85A] avgtdi.sys
    Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [AAACFA80] vsdatant.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F8ACD85A] avgtdi.sys
    Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [AAACFA80] vsdatant.sys

    ---- Files - GMER 1.0.10 ----

    File C:\System Volume Information\MountPointManagerRemoteDatabase
    File C:\System Volume Information\tracking.log
    File C:\System Volume Information\_restore{B01E8ED6-95B5-4381-A1C4-8341C4F8B2E9}
    File D:\System Volume Information\MountPointManagerRemoteDatabase
    File D:\System Volume Information\tracking.log
    File D:\System Volume Information\_restore{B01E8ED6-95B5-4381-A1C4-8341C4F8B2E9}

    ---- EOF - GMER 1.0.10 ----
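The GMER "Rootkit" scan that Browntoa's instructions produce, and the log garcia posted, list two kinds of hook: SSDT entries (kernel system calls redirected into a driver) and IRP handlers on the TCP/IP devices. Both are exactly what a personal firewall such as ZoneAlarm installs, so a wall of vsdatant.sys lines is not, by itself, evidence of a rootkit; what matters is whether every hooking driver can be accounted for. The parser below is an added example, not from the thread or from GMER, that groups the hooks by driver and flags any driver not on a short allowlist. The allowlist attributes vsdatant.sys to ZoneAlarm as Browntoa says and assumes avgtdi.sys belongs to AVG; the sample log is a constructed excerpt of garcia's output with one made-up line for a driver called hidden.sys added to show what an unexpected hooker looks like. It also copes with the fused "IRP_MJ_CLOSEIRP_MJ_READ" tokens that appear in the pasted log.

```python
"""Summarise SSDT and IRP hooks from a GMER rootkit log and flag unaccounted-for drivers."""
import re
import sys
from collections import defaultdict

# Drivers that legitimately hook the SSDT / TCP-IP device stack on this box.
# vsdatant.sys is ZoneAlarm (as noted in the thread); avgtdi.sys is assumed
# to be AVG's TDI filter.  Anything else hooking kernel call tables deserves
# a second look.
EXPECTED_HOOKERS = {
    "vsdatant.sys": "ZoneAlarm firewall",
    "avgtdi.sys": "AVG anti-virus (assumed)",
}

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s*$")
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<irps>\S+)\s+"
    r"\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)\s*$"
)


def basename(module):
    """Reduce \\SystemRoot\\System32\\foo.sys or \\??\\C:\\...\\foo.sys to foo.sys."""
    return module.replace("/", "\\").split("\\")[-1].lower()


def parse_gmer(text):
    """Yield (kind, module, target) for every hook line in a GMER rootkit log."""
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            yield "SSDT", basename(m["module"]), m["func"]
            continue
        m = DEVICE_RE.match(line)
        if m:
            # Pasted copies of the log sometimes run two IRP names together
            # (IRP_MJ_CLOSEIRP_MJ_READ); split them back apart on the prefix.
            for irp in re.split(r"(?=IRP_MJ_)", m["irps"]):
                if irp:
                    yield "IRP", basename(m["module"]), f"{m['device']} {irp}"


def summarize(text):
    """Group hooks by driver and label each driver as expected or UNEXPECTED."""
    hooks = defaultdict(lambda: {"SSDT": set(), "IRP": set()})
    for kind, module, target in parse_gmer(text):
        hooks[module][kind].add(target)
    return {
        module: {
            "owner": EXPECTED_HOOKERS.get(module, "UNEXPECTED"),
            "ssdt": sorted(kinds["SSDT"]),
            "irp_count": len(kinds["IRP"]),
        }
        for module, kinds in hooks.items()
    }


def unexpected_hookers(text):
    """Drivers that hook the kernel but are not on the allowlist."""
    return sorted(m for m, r in summarize(text).items() if r["owner"] == "UNEXPECTED")


# Constructed sample: a few lines from the thread's log plus one invented
# hidden.sys line (not in the real log) so the UNEXPECTED path is exercised.
SAMPLE_LOG = r"""
---- System - GMER 1.0.10 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\hidden.sys ZwQueryDirectoryFile

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [AAACFA80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [AAACFA80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8ACD85A] avgtdi.sys
"""

if __name__ == "__main__":
    # Pass a saved GMER log as the first argument, or run on the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for module, r in summarize(text).items():
        print(f"{module:14} {r['owner']:24} SSDT={len(r['ssdt']):2}  IRP={r['irp_count']:2}")
    print("unexpected:", unexpected_hookers(text) or "none")
```

Run against the full log in the post above, every hook resolves to vsdatant.sys or avgtdi.sys and the unexpected list is empty, which is consistent with Browntoa's reading that the ZoneAlarm driver, not a rootkit, is the thing to investigate.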
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    vsdatant.sys

    is part of zonealarm

    there is a problem with the latest version of ZoneAlarm....wonder if that's the problem ??

    try uninstalling it and turning on the windows one to see how things go
    Ex forum ambassador

    Long term forum member
  • pchelpman
    pchelpman Posts: 1,275 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    Just a passing thought.

    You have mentioned "slowness" and the process MsMpEng.exe ... well, this process is, as you may know, linked to Defender. It's part of the scheduled scanning routine and, when the scan is running, it takes up a HUGE amount of the CPU and slows everything else right down.

    If you look at your task manager when it's running don't be surprised if it's taking up almost 100% of the CPU.

    Try this ... open Windows Defender by double-clicking the icon in the system tray. Click the "Stop Scan" button and you'll be back to the usual 3-5% CPU usage whilst nothing is running.

    PCHM
  • garcia
    garcia Posts: 214 Forumite
    pchelpman,
    thanks but I've only just installed windows defender (in an attempt to fix the problem).

    Also I only just updated to the latest version of zone alarm today.

    Any more suggestions?
    Thanks.
  • garcia
    garcia Posts: 214 Forumite
    Any more suggestions before I reformat the whole thing and reinstall?
  • albertross_2
    albertross_2 Posts: 8,932 Forumite
    At the point it slows down, there will be a process in task manager using a lot of CPU; if you can identify that, it will point us in the right direction. The process viewer link I posted is an advanced task manager that will give more information.

    Before you go down the format route, I suggest you uninstall all the extras one by one, Defender, ZoneAlarm etc, to try and identify the culprit. (You don't have Windows Firewall on as well as ZA, do you?) The other thing to try is to remove all the programs from the ZA allow/deny screen, and let them re-prompt you. If you have ticked deny for a crucial process, then that could cause a stall.
    Ever get the feeling you are wasting your time? :rolleyes:
This discussion has been closed.