
Very strange happenings with PC, possible trojan? Help please!

Discussion in 'Virus & Other Malware Removal' started by Rootman, Apr 2, 2010.

Thread Status:
Not open for further replies.
  1. Rootman

    Rootman Thread Starter

    Joined:
    May 1, 2009
    Messages:
    12
    Hey guys, I will try to be precise about this problem. First I will post my PC specs and I'm sure you will agree that it shouldn't be running slow. Here goes:

    Quad core processor Q8200 @2.33GHz to 2.33 GHz

    6.00 GB RAM

    600 GB Hard-drive

    ATI Radeon HD 4600 series

    -----------------------

    Ok here's the problem; up until about a week ago, I had absolutely no problem with the PC at all, after all I've only had it about 7 months. Then my first problem was that it blue screened. It was no big deal though, it turned back on, but it was EXTREMELY slow from this point forward. It takes about 30 seconds to go from the user log-in screen to reach even the first glimpse of the desktop. When I'm using the PC, most programs become non-responsive and I have to Ctrl+Alt+Del to get the task manager to end the process, which also takes a lot of time to access. I also noticed that my internet is also running at a snail's pace, and I used to stream television from websites such as 'ITVplayer' with no buffering issues. Now it buffers every 5 seconds and makes watching things impossible; even if I allow it to pause and buffer, it still stops every few seconds, which leads me to believe it's a computer issue. But basically my once brilliant PC has become unusable. The fact is, my old 2001 computer, which is absolutely terrible, actually runs better than this one now. Please help!

    -------------------

    Things that I have tried:

    Norton 360 virus scan: Found 2 trojans and one piece of Adware which were "successfully removed". But the problem persists.

    Registry easy scan (full version): Corrected some registry issues, but the problem persists.

    Checking for any P2P software I may have enabled: I removed Utorrent and a random download manager but of course, the problem continues.

    Checked my processes to see if any are abnormally high, I found that svchost.exe is taking anywhere between 100,000k to 210,000k memory, but all the services seem to be legit?

    I also tried running Trojan Hunter, which found nothing.

    I was going to re-format this thing, but I have no idea how I would get the graphics card to work afterwards, as I don't have the software disk still. But I will do this if you can give me a guide on how to do it? (It used to have integrated graphics.)

    --------------

    Is there any advice out there? I'm sure this is a malicious issue, but I can't recall doing anything unusual on this PC in the past week.

    The services I use on this PC are:

    Facebook
    MSN
    and rarely the odd MMO, but I haven't played any for months. I just use this PC to chat to my girlfriend.


    Thank you to anyone who tries to help :)


    Ryan
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,774
    First Name:
    Karen
    What did Norton find (the name of the file and path to it please)?

    Click here to download HJTsetup.exe.
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. Rootman

    Rootman Thread Starter

    Joined:
    May 1, 2009
    Messages:
    12
    Thank you for your reply :) And the name of the trojan file was: 'Trojan Horse'. I can't see an option to follow the path. This Norton 360 is new to me if I'm honest. And thank you, I'm doing the 'Hijack This' now, I will post the results shortly.


    :) Thanks again for your support.
     
  4. Rootman

    Rootman Thread Starter

    Joined:
    May 1, 2009
    Messages:
    12
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:32:21, on 02/04/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Program Files (x86)\Intel\inteldh\common\SWUpdateClient.exe
    C:\Program Files (x86)\Java\jre6\bin\jusched.exe
    C:\Program Files (x86)\TrojanHunter 5.3\THGuard.exe
    C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Program Files (x86)\Spotify\spotify.exe
    C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    F2 - REG:system.ini: UserInit=userinit.exe
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll
    O4 - HKLM\..\Run: [IntelSWUpdateClient] C:\Program Files (x86)\Intel\inteldh\common\SWUpdateClient.exe
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files (x86)\TrojanHunter 5.3\THGuard.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~4\Office12\REFIEBAR.DLL
    O13 - Gopher Prefix:
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\coIEPlg.dll
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: DiagnosticAgent - Intel(R) Corporation - C:\Program Files (x86)\Intel\inteldh\ManageAgent\bin\DiagnosticAgent.exe
    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: FLEXnet Licensing Service 64 - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files (x86)\Citrix\GoToAssist\570\g2aservice.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: KService - Kontiki Inc. - C:\Program Files (x86)\Kontiki\KService.exe
    O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Unknown owner - C:\Program Files (x86)\Turbine\Turbine Download Manager\TurbineMessageService.exe (file missing)
    O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Unknown owner - C:\Program Files (x86)\Turbine\Turbine Download Manager\TurbineNetworkService.exe (file missing)
    O23 - Service: Intel(R) Con. Management Engine Local Manageability Service (LMS) - Intel Corporation - C:\Program Files\Intel\AMT\LMS.exe
    O23 - Service: ME Services Manager - Intel(R) Corporation - C:\Program Files (x86)\Intel\inteldh\msm\MSM.exe
    O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: RemotingAgent - Intel(R) Corporation - C:\Program Files (x86)\Intel\inteldh\ManageAgent\bin\RemotingAgent.exe
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: Software Services Manager - Intel(R) Corporation - C:\Program Files (x86)\Intel\inteldh\common\IntelDHSvcMgr.exe
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: Audio Service (STacSV) - Unknown owner - C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_f62d1208\STacSV64.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 9089 bytes
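    Reading a HijackThis log by hand is error-prone, so here is an added triage helper (example code, not part of this thread and not a HijackThis feature) that parses O2 BHO, O4 Run and O23 Service lines and flags the entries a reviewer would look at first: BHOs with no DLL on disk, autoruns launched from user-writable folders, and services whose binary is missing or has no publisher string. The sample log is constructed; its first seven lines follow the log quoted above, and the final Run entry is made up to exercise the user-writable-path check.

```python
import re
from typing import Dict, List

# Constructed sample in the HijackThis v2.0.2 log format. The first seven
# lines mirror entries from the log posted in this thread; the last O4 line
# is invented to exercise the user-writable-location check.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [THGuard] "C:\Program Files (x86)\TrojanHunter 5.3\THGuard.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files (x86)\Kontiki\KService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files (x86)\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O4 - HKCU\..\Run: [Updater] C:\Users\ryan\AppData\Local\Temp\updater.exe
"""

# O4 lines look like: O4 - <hive>\..\Run: [<name>] <command line>
RUN_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Locations a standard user can write to; autoruns there deserve a closer look.
USER_WRITABLE = re.compile(r'\\(Users|Documents and Settings)\\|\\AppData\\|\\Temp\\', re.IGNORECASE)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the log entries worth reviewing, in the order they appear."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith('O2 - BHO: '):
            # Format: <name> - {CLSID} - <dll path>; split from the right so a
            # name containing ' - ' does not break the parse.
            parts = line[len('O2 - BHO: '):].rsplit(' - ', 2)
            if len(parts) != 3:
                continue
            name, clsid, path = parts
            if path == '(no file)':
                findings.append({'section': 'O2', 'item': clsid,
                                 'reason': 'orphaned BHO registration, no DLL on disk'})
            elif name == '(no name)':
                findings.append({'section': 'O2', 'item': clsid,
                                 'reason': 'BHO without a name, identify the DLL'})
        elif line.startswith('O4 - '):
            m = RUN_RE.match(line)
            if m and USER_WRITABLE.search(m.group('cmd')):
                findings.append({'section': 'O4', 'item': m.group('name'),
                                 'reason': 'autorun launched from a user-writable location'})
        elif line.startswith('O23 - Service: '):
            # Format: <display name (short name)> - <owner> - <binary path>
            parts = line[len('O23 - Service: '):].rsplit(' - ', 2)
            if len(parts) != 3:
                continue
            display, owner, path = parts
            if path.endswith('(file missing)'):
                # On 64-bit Windows a 32-bit scanner sees a redirected System32,
                # so "(file missing)" on system services needs manual verification.
                findings.append({'section': 'O23', 'item': display,
                                 'reason': 'service binary not found; verify manually on 64-bit Windows'})
            elif owner == 'Unknown owner':
                findings.append({'section': 'O23', 'item': display,
                                 'reason': 'service has no publisher string, check the file signature'})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:4} {f['item']}: {f['reason']}")
```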
     
  5. Rootman

    Rootman Thread Starter

    Joined:
    May 1, 2009
    Messages:
    12
    That's what it showed, I haven't fixed anything yet :)

    Thank you again for the support lol, I hope you can find something in there, I don't care how severe it is I just want it solved! lol.
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,774
    First Name:
    Karen
    Did you try to do a system restore to before this happened?
     
  7. Rootman

    Rootman Thread Starter

    Joined:
    May 1, 2009
    Messages:
    12
    There is nothing to restore back to :( I would have tried that.

    I am happy to re-format my PC, but I'd need advice on what to do with my graphics card. How do I re-install my card after it's done? A technician installed it for me and I don't have the install disk.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,774
    First Name:
    Karen
    Would you like to do a clean up?

    If you want to reformat then I'll refer you to the Vista forum for assistance.
     
  9. Rootman

    Rootman Thread Starter

    Joined:
    May 1, 2009
    Messages:
    12
    I'm happy to do anything lol, thanks.
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,774
    First Name:
    Karen
    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Perform Quick Scan", then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the entire report in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     
  11. Rootman

    Rootman Thread Starter

    Joined:
    May 1, 2009
    Messages:
    12
    Alright, I already had Malwarebytes like I said in my first post. I ran a "full scan" and it found nothing, but I'll follow your instructions and send in the log.

    By the way, my PC has also started freezing up every so often now too. I've updated my drivers on my video card but to no avail. I also tried to make the back-up DVDs but after it was complete, I checked the DVDs and they said they were empty? And I can't re-burn the recovery disks because the tech guy's DVD just says "Disks already made".

    I can't win. If you guys can't help me then I will just have to go to PC World and see what they can do.


    Thanks
     
  12. Rootman

    Rootman Thread Starter

    Joined:
    May 1, 2009
    Messages:
    12
    Malwarebytes' Anti-Malware 1.41
    Database version: 3072
    Windows 6.0.6002 Service Pack 2

    07/04/2010 22:29:24
    mbam-log-2010-04-07 (22-29-24).txt

    Scan type: Quick Scan
    Objects scanned: 93131
    Time elapsed: 10 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,774
    First Name:
    Karen
    We've only just started but it is a little more difficult with 64-bit machines.

    Download OTS.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTS on your desktop.
    1. Close any open browsers.
    2. If your Real protection or Antivirus interferes with OTS, allow it to run.
    3. Open the OTS folder and double-click on OTS.exe to start the program.
    4. In Additional Scans section put a check in Disabled MS Config Items and EventViewer logs
    5. Now click the Run Scan button on the toolbar.
    6. Let it run unhindered until it finishes.
    7. When the scan is complete Notepad will open with the report file loaded in it.
    8. Save that notepad file.
    Use the Reply button, scroll down to the attachments section and attach the notepad file here.
     
  14. Rootman

    Rootman Thread Starter

    Joined:
    May 1, 2009
    Messages:
    12
    Hey Cookie, my PC started to freeze up before I could even begin to download that file. I re-formatted it last night and updated my video drivers and all has been swell. I have a funny feeling someone has used my PC and run a registry scan and deleted some essential registry components, which caused havoc.

    Well, there seems to be no other explanation as it stands, but anyway feel free to lock this thread now. But I am assuming it was a registry issue as it had all the correct symptoms.

    Thank you anyway for your continuous support :)

    Ryan.
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,774
    First Name:
    Karen
    OK. Thanks for letting me know. :)
     

Short URL to this thread: https://techguy.org/914334
