Infected Or Not? Computer Having Problems

philber · March 29, 2008

I seem to have a trojan or malware on my computer and I have not been able to fix it. I run AVG free on my computer, download updates frequently and scan fairly routinely. In trying to solve this, I have run Panda, trendmicro, bitdefender, Kaspersky and a couple of other antivirus programs to no avail. I also regularly use ad aware and spybot, and since they did not fix the problem, ran through at least a dozen other such programs, all to no avail. I ran all of these in normal mode, and also as many of them as would operate while in Safe Mode, and still no results. I use zone alarm's free firewall, and according to shieldsup, my ports are all in stealth mode. At start up, all I have checked is zonealarm, avg antivirus,startup monitor, NvCpl and TeaTimer Spybot. I've tried numerous times to remove NvCpl as a startup item, but it ALWAYS re-inserts itself at startup, so not sure if that is related to the problem or not. It stays checked even if I uncheck it and reboot, it always resets itself to automatically load itself.

What the real problem is, is that pages do not fully load to completion, particularly on Seamonkey. I will open a page and the little egg timer symbol will permanently stay in the "incomplete" mode, and I mean I can let it go for over an hour, and it will still show the page as incompletely loaded. The green status bar indicator seen on the bottom, lower right of the screen will show mostly complete, but there is still space for several more green bars, indicating the page has not fully loaded. On the lower, bottom left I will get a message like "transferring data from.." and then the name of a website. This typically seems to be related to advertisements, like spe.atdmt.com or m1.2mdn.net and others. Or sometimes it will say "waiting for..." and the name of a website.

The only way to get the timer, status bar and "waiting for" message to end is to manually go to the Stop loading icon and click it. Then its fine and cpu usage is normal. But otherwise it hangs my computer up and makes pages slow to load once one page is not completely loaded. At times, my computer CPU usage is 100% (according to the Process Manager) and basically locks up, not being able to download information or open a new browser page. The process manager will show Seamonkey at 98/99/100% system resources. Occasionally it will show that amount for Firefox or IE when it is "locked up". And I've even seen the System Idle Process listed at 98/99/100% usage, but the overall CPU usage is listed as anywhere from 2 to 100%, so I don't know what it means when the system idle process is listed a t 100% but the CPU usage is not correlated to that high number.

Figuring all this was related to advertising sites not loading correctly, I installed adblock plus on both Mozilla, and later on Firefox. Neither situation improved. In fact, Firefox seemed worse, so I uninstalled it on both browsers. Can't say as I know how to tweak the settings on adblock, so maybe I missed something there. Next I uninstalled Seamonkey and reinstalled. No help. Then I uninstalled both Seamonkey and Firefox. No help there either.

So, am I infected with something per the below Hijackthis log taken today? If I am not infected, what would be the reason for the pages not loading fully? Any suggestions to solve that problem are appreciated, whether it is something hijackthis shows, or another idea if I appear to be clean of a virus.

Thanks for the help!!

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:29:30 PM, on 3/28/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\StartupMonitor.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hotmail.com/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascstubie.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135824330522

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37240.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab

O16 - DPF: {F1946764-3B40-4BE3-A87D-F371B112308F} (WPActiveX Control) - http://207.97.210.114/wp/wpax.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{4B97FFEB-7D41-450F-9BB5-6A9D7D03ADA7}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\..\{8CA005BA-32C8-44FC-8257-2E7060EAD5C4}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CS1\Services\Tcpip\..\{4B97FFEB-7D41-450F-9BB5-6A9D7D03ADA7}: NameServer = 208.67.220.220,208.67.222.222

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--

End of file - 6961 bytes

jwbirdsong · March 30, 2008

Deckard's System Scanner

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
Please attach extra.txt to your post.

To attach a file to a new post, simply

Go to the Atachments section on the post composition page.(just below the text entry window), and
copy and paste the following into the "Select a file" box:
C:\Deckard\System Scanner\extra.txt
Click Upload.

What DSS will do:

create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
Using Internet Explorer please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
Click "I accept"
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
  - Scan using the following Anti-Virus database:
    - Extended (If available otherwise Standard)
    [*]Scan Options:
    - Scan Archives
    - Scan Mail Bases
  [*]Click OK
  [*]Now under select a target to scan select My Computer
  [*]The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  [*]Now click on the Save report button.
  [*]Call it Kaspersky.txt
  [*]Expand the arrow beside "file types" and save as .txt file.
  [*]Save the file to your desktop.
  [*]Copy and paste that information in your next post.
*Note
If you have Internet Explorer 7 installed:
If you have trouble getting past the initial download you may need to use the "zoom" tool at bottom right of the scanner window and increase it to 125% to see and press the "accept" button.
Page will reload and you should be able to carry on scan.
If the KAV log has your email all over it -- please attach it rather than copy/paste.

Edited March 30, 2008 by jwbirdsong

philber · March 30, 2008

Deckard's System Scanner v20071014.68

Run by Phil on 2008-03-30 15:55:28

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --

29: 2008-03-30 22:55:33 UTC - RP762 - Deckard's System Scanner Restore Point

28: 2008-03-30 02:21:57 UTC - RP761 - System Checkpoint

27: 2008-03-28 19:03:52 UTC - RP760 - System Checkpoint

26: 2008-03-27 01:50:07 UTC - RP759 - System Checkpoint

25: 2008-03-25 23:08:34 UTC - RP758 - System Checkpoint

-- First Restore Point --

1: 2008-02-19 20:35:19 UTC - RP734 - System Checkpoint

Backed up registry hives.

Performed disk cleanup.

-- HijackThis (run as Phil.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:00:17 PM, on 3/30/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\cisvc.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\StartupMonitor.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\Phil\Desktop\dss.exe

C:\PROGRA~1\TRENDM~1\HIJACK~1\Phil.exe