Ultra-slow laptop



#1 Tom Filipi (Member, 2 posts)

Posted 06 June 2007 - 05:59 PM

Hi,
I have an HP nx9600 laptop running Windows XP Pro that has been infected with something that slows it down incredibly! If I boot normally, with all startup services and start programs, there is a delay of over 11 minutes from the time I log on until the system will respond to either keyboard or mouse. The original infection may have occurred when I first got the system, as I had to uninstall the Norton AV that was on it, to replace it with my (preferred) PCcillin. When I had completed the installation of PCcillin, it reported several keystroke loggers and password crackers as being on the system. I removed these immediately, but the system's performance has continued to degrade. The main symptom is continuous hard drive activity. When the drive light finally goes out, after 11 minutes, I can use the system, but it periodically goes back into a spasm of HD activity, when everything freezes again. When I open Task Manager, I notice multiple instances of svchost are running. Also, when I start Process Monitor, I see repeated instances of lsass associated with buffer overruns which make me suspicious (I have pasted a sample below, following the HijackThis log).

In preparation for this post, I ran an AdAware scan, which reported (and removed) 24 tracking cookies. A subsequent SpyBot scan reported no problems, as do my routine PCcillin scans. I don't have a report from the AVG Anti-Spyware 7.5 as it has repeatedly failed to install (when I try to start it, I get a message "Connection to service failed - Please reinstall AVG Anti-Spyware 7.5"). My HijackThis log is pasted in below.
Hope someone can help.
Tom Filipi

Logfile of HijackThis v1.99.1
Scan saved at 3:07:38 PM, on 6/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\UnHackMe\hackmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OL\TMAS_OL.exe
C:\Documents and Settings\Thomas Filipi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ZILLAbar BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\ZB2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\ZB2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\PROGRA~1\UnHackMe\hackmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.micr...veX/MSDcode.cab
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h50203.www5.h...DataManager.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1166238280375
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\windows\SYSTEM32\WgaLogon.dll
O23 - Service: AKOLEA - Sysinternals - www.sysinternals.com - C:\windows\TEMP\AKOLEA.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: EV - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\EV.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: HTCGSF - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\HTCGSF.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: JZTL - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\JZTL.exe
O23 - Service: KXIURIL - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\KXIURIL.exe
O23 - Service: MBWDGKVGFHJM - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\MBWDGKVGFHJM.exe
O23 - Service: NUDYG - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\NUDYG.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: PFFIAG - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\PFFIAG.exe
O23 - Service: PHWDEOLWS - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\PHWDEOLWS.exe
O23 - Service: QBNSFK - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\QBNSFK.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: RYEXEO - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\RYEXEO.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: U - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\U.exe
O23 - Service: VFWNEFJM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VFWNEFJM.exe
O23 - Service: XEAEOUNMEIB - Sysinternals - www.sysinternals.com - C:\windows\TEMP\XEAEOUNMEIB.exe

Typical process monitor listing for lsass:

207 6:52:14.6276110 PM lsass.exe 1368 RegOpenKey HKLM\SECURITY\Policy SUCCESS Desired Access: Read/Write
208 6:52:14.6276390 PM lsass.exe 1368 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Desired Access: Read
209 6:52:14.6276629 PM lsass.exe 1368 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW Length: 12
210 6:52:14.6276854 PM lsass.exe 1368 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
211 6:52:14.6277006 PM lsass.exe 1368 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Desired Access: Read
212 6:52:14.6277214 PM lsass.exe 1368 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS Type: REG_NONE, Length: 180, Data:
213 6:52:14.6277389 PM lsass.exe 1368 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
214 6:52:14.6280875 PM lsass.exe 1368 RegCloseKey HKLM\SECURITY\Policy SUCCESS
215 6:52:14.6288526 PM lsass.exe 1368 RegOpenKey HKLM\SECURITY\Policy SUCCESS Desired Access: Read/Write
216 6:52:14.6288793 PM lsass.exe 1368 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Desired Access: Read
217 6:52:14.6289707 PM lsass.exe 1368 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) BUFFER OVERFLOW Length: 12
218 6:52:14.6289916 PM lsass.exe 1368 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
219 6:52:14.6290060 PM lsass.exe 1368 RegOpenKey HKLM\SECURITY\Policy\SecDesc SUCCESS Desired Access: Read
220 6:52:14.6290272 PM lsass.exe 1368 RegQueryValue HKLM\SECURITY\Policy\SecDesc\(Default) SUCCESS Type: REG_NONE, Length: 180, Data:
221 6:52:14.6290437 PM lsass.exe 1368 RegCloseKey HKLM\SECURITY\Policy\SecDesc SUCCESS
222 6:52:14.6293777 PM lsass.exe 1368 RegCloseKey HKLM\SECURITY\Policy SUCCESS
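The O23 section of the log above is where the pattern stands out: a run of services with short all-capital names, all claiming "Sysinternals" as publisher, all started from a Temp directory. The following script is an added example (not the poster's code and not a SpywareInfo tool) that parses HijackThis O23 lines and flags exactly those two traits, service binaries under a `\Temp\` directory and bare runs of capital letters as service names; the heuristics, the `parse_o23`/`triage_o23`/`suspicious_names` names and the `ServiceFinding` class are this example's own assumptions, and the sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass, field

# HijackThis O23 line layout:
#   O23 - Service: <display name> [(short name)] - <publisher> - <drive>:\<path>
# The publisher field may itself contain " - " (e.g. "Sysinternals - www.sysinternals.com"),
# so the path is anchored on a drive letter rather than on the last separator.
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<publisher>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)
SHORT_NAME_RE = re.compile(r"^(?P<display>.+) \((?P<short>[^()]+)\)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)   # ...\Temp\..., ...\TEMP\..., LOCALS~1\Temp\...
RANDOM_NAME_RE = re.compile(r"^[A-Z]{1,12}$")           # bare run of capitals, no real word


@dataclass
class ServiceFinding:
    short_name: str
    publisher: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o23(line: str):
    """Parse one O23 line into a ServiceFinding, or return None for any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    name = m.group("name")
    sm = SHORT_NAME_RE.match(name)
    short = sm.group("short") if sm else name
    return ServiceFinding(short_name=short, publisher=m.group("publisher"), path=m.group("path"))


def triage_o23(lines):
    """Return a ServiceFinding per O23 line, with a reason attached for each heuristic that fires."""
    findings = []
    for line in lines:
        f = parse_o23(line)
        if f is None:
            continue
        if TEMP_DIR_RE.search(f.path):
            f.reasons.append("service binary lives in a Temp directory")
        if RANDOM_NAME_RE.match(f.short_name):
            f.reasons.append("service name is a bare run of capital letters")
        findings.append(f)
    return findings


def suspicious_names(lines):
    """Short names of services that tripped at least one heuristic, sorted."""
    return sorted(f.short_name for f in triage_o23(lines) if f.suspicious)


# Lines copied from the HijackThis log above (two legitimate services, four suspect ones).
SAMPLE_LINES = [
    r"O23 - Service: AKOLEA - Sysinternals - www.sysinternals.com - C:\windows\TEMP\AKOLEA.exe",
    r"O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe",
    r"O23 - Service: EV - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\EV.exe",
    r"O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe",
    r"O23 - Service: U - Sysinternals - www.sysinternals.com - C:\Documents and Settings\Thomas Filipi\Local Settings\Temp\U.exe",
    r"O23 - Service: VFWNEFJM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VFWNEFJM.exe",
]

if __name__ == "__main__":
    for f in triage_o23(SAMPLE_LINES):
        flag = "SUSPECT" if f.suspicious else "ok     "
        print(f"{flag} {f.short_name:<10} {f.path}")
        for r in f.reasons:
            print(f"           - {r}")
```

Run against the full log, the script reports every "Sysinternals" service in the O23 section and nothing from the Trend Micro, Roxio, ATI or HP entries. A second caveat for anyone reading the Process Monitor excerpt: the `BUFFER OVERFLOW` result on `RegQueryValue` is the normal two-step registry read (the first query offers a 12-byte buffer and is told the value is larger; the retry on the next line succeeds with Length 180), so those entries are not themselves evidence of an exploit, and the Temp-directory services are the finding worth following up.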

#2 SWI Support Robot (Helper robot, 23,523 posts)

Posted 09 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.
