Computer REALLY slow (virtual memory low?)

Discussion in 'Malware Help (A Specialist Will Reply)' started by PitKinNQ, Oct 6, 2005.

  1. PitKinNQ

    PitKinNQ Private E-2

    I have done the READ ME and followed all instructions, but my computer is still running slow. I got a trojan from AIM that really messed my computer up, so I removed all known viruses by reading the READ ME. I am not at my home computer right now, so I can't post my hijack file. Also, I get a thing that comes up that says virtual memory is low when I run games (e.g. World of Warcraft) or other programs. And when I try to minimize a program, it stays on the screen (like a still picture), and when I drag something (e.g. a folder) over it, it goes away, as do my icons.
    Please help me; I don't want to reboot my computer.
    (Will post hijack file later.)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. PitKinNQ

    PitKinNQ Private E-2

    I'm sorry, but I cannot attach my hijack file.
    It says "page cannot be displayed" when I try uploading.
    Is it okay if I just copy and paste it?
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  5. PitKinNQ

    PitKinNQ Private E-2

    Logfile of HijackThis v1.99.1
    Scan saved at 오후 4:24:10, on 10/06/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system32\z5PLZ3qT.exe
    C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
    C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\windir32.exe
    C:\WINDOWS\etb\pokapoka73.exe
    C:\WINDOWS\system32\hmvlfks.exe
    C:\WINDOWS\system32\windir32.exe
    C:\Program Files\Common Files\Windows\services32.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Common Files\services.exe
    C:\Program Files\KWORD\kword.exe
    C:\Program Files\KWORD\nmr.exe
    C:\WINDOWS\system32\msiexec.exe
    D:\XtraWarp.exe
    C:\HJT\HijackThis.exe

    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\ko\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\ko\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [z5PLZ3qT] C:\windows\system32\z5PLZ3qT.exe
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
    O4 - HKLM\..\Run: [AutoLoader0FpM1aPjLWaN] "C:\WINDOWS\system32\wstim.exe"
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [0s6i3mS] wstim.exe
    O4 - HKLM\..\Run: [kword] C:\Program Files\KWORD\kwordup.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKLM\..\Run: [ProSiteFinder] "C:\Program Files\ProSiteFinder\ProSiteFinder.exe"
    O4 - HKLM\..\Run: [System service70] C:\WINDOWS\\\etb\\pokapoka70.exe
    O4 - HKLM\..\Run: [System service72] C:\WINDOWS\\\etb\\pokapoka72.exe
    O4 - HKLM\..\Run: [System service73] C:\WINDOWS\etb\pokapoka73.exe
    O4 - HKLM\..\Run: [yrozbx] C:\WINDOWS\system32\hmvlfks.exe r
    O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_1
    O4 - HKCU\..\Run: [Steam] D:\Program Files\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [AIM] D:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
    O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
    O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000080.exe
    O4 - HKCU\..\Run: [XtraWarp] D:\XtraWarp.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Google 검색(&G) - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: 비슷한 페이지 - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: 이전 링크들 - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: 캐시된 페이지 스냅샷 - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: 한국어로 번역(&T) - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {3EB4F9EA-51A6-48DA-846A-0D69DCBA39EF} (DownloadManager Control) - http://download.akamaitools.com.edgesuite.net/dlmanager/live/code/IE_1070/DownloadManager.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110676065305
    O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://support.gateway.com/eSupport/static/weblaunch/weblaunch.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
    O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab
    O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://nprotect1.gravity.co.kr/nprotect/nPKeyCrypt/npkcx.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: LavasoftStartupCleaner - C:\WINDOWS\vx2cleaner.dlx (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is there a reason you did not run BitDefender online scan?
    Did you install and run Spybot?

    Do you know what this is: D:\XtraWarp.exe

    You have several problems. Let's do the below:

    Download EliteToolbar Remover, but do not run it yet. Just extract it to its own folder.

    Then follow the steps in this link: Running Ewido Security Suite. However, do not reboot into normal mode at the end of the steps for using Ewido (you will see that in the link). First complete the below scan with EliteToolbar Remover.

    Run the ETRemover_v210.exe file by double clicking on it.

    Now reboot into normal mode and attach your Ewido log, a new HJT log and tell me how these steps went. If you still cannot attach logs, post them inline.
     
  7. PitKinNQ

    PitKinNQ Private E-2

    I could not do the online scan because when I tried to, it said there was an error. I did download and run Spybot, and the XtraWarp thing is something I found under the "game tweaks" download section.
    For some reason I can't go into Safe Mode, but I can go into Safe Mode with Networking, so I did and followed the steps. I ran Ewido, but when I tried running ET Remover it automatically turns off the program when it starts scanning programs that autorun.
     
  8. PitKinNQ

    PitKinNQ Private E-2



    Edit by chaslang: Ewido log attached
     


    Last edited by a moderator: Oct 7, 2005
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running EliteToolbar Remover again in safe mode but this time make sure your cable that connects you to the internet is physically unplugged.

    Post a new HJT log now too!
     
  10. PitKinNQ

    PitKinNQ Private E-2

    Well, it seems my computer got a lot faster.
    Still a few problems here and there.
    Here is my hijack file.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did EliteToolbar remover run in safe mode with your cable disconnected?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also do you know what the below are? Ewido believes they are malware!


    O3 - Toolbar: ÄÉÀÌ¿öµå(&K) - {15746DE4-447F-4C9A-B54D-0DE78A65379E} - C:\PROGRA~1\KWORD\kwordbnd.dll
    C:\Program Files\KWORD\kword.exe
    C:\Program Files\KWORD\nmr.exe
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I cannot proceed with a fix until you answer my previous questions.
     
  14. PitKinNQ

    PitKinNQ Private E-2

    Well, it seems ET Remover worked, because when it got exited in Safe Mode with my modem off I did it again, and a lot of the malware was deleted.
    I do not know what KWORD or any of that is.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Look in Add/Remove programs and uninstall the below if found:
    180Solutions
    ProSiteFinder


    Please run Notepad and copy the below quoted text into a new file:

    Save the file to your Desktop as remove.bat and make sure the "Save as type" field says "All files". If you do not choose "All files", it will wind up being named remove.bat.txt

    Now reboot your computer into Safe Mode.

    Once in Safe Mode, double-click on remove.bat (which is on your Desktop). A window should open and close very quickly, this is normal behavior. If you receive any kind of error messages though, make sure you tell me later when you come back.

    Now continue with the below steps while you are still in safe mode. Note some processes may not be found because we are in safe mode, just continue on.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\KWORD\kword.exe
    C:\Program Files\KWORD\nmr.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: Internet Explorer Web Content Catcher - {FFF4E223-7019-4ce7-BE03-D7D3C8CCE884} - C:\Program Files\DNS\Catcher.dll
    O3 - Toolbar: ÄÉÀÌ¿öµå(&K) - {15746DE4-447F-4C9A-B54D-0DE78A65379E} - C:\PROGRA~1\KWORD\kwordbnd.dll
    O4 - HKLM\..\Run: [AutoLoader0FpM1aPjLWaN] "C:\WINDOWS\system32\wstim.exe"
    O4 - HKLM\..\Run: [0s6i3mS] wstim.exe
    O4 - HKLM\..\Run: [kword] C:\Program Files\KWORD\kwordup.exe
    O4 - HKLM\..\Run: [ProSiteFinder] "C:\Program Files\ProSiteFinder\ProSiteFinder.exe"
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O20 - Winlogon Notify: LavasoftStartupCleaner - C:\WINDOWS\vx2cleaner.dlx (file missing)

    After clicking Fix, exit HJT.
    Now use Windows Explorer to delete (if found):

    C:\Program Files\ProSiteFinder <--- the whole folder
    C:\Program Files\DNS <--- the whole folder
    C:\Program Files\KWORD <--- the whole folder
    C:\WINDOWS\Nail.exe
    C:\WINDOWS\system32\wstim.exe
    C:\WINDOWS\vx2cleaner.dlx

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Then, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
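The log in post 5 and the fix list in post 15 show the patterns a helper looks for by eye: a `Shell=` value with a second program appended after Explorer.exe, Run entries that name a bare executable with no path, doubled backslashes in a path, the same value name repeated under several keys (including the Win9x-era RunServices key), a Winlogon Notify entry whose DLL is missing, and a service with no publisher. The Python script below is an added example and is not part of this thread or of HijackThis; it parses those log line formats and flags the same patterns automatically, as a triage aid. The heuristic labels and the `analyze`/`summarize` functions are my own choices; the sample lines are copied from the log posted above, with one ordinary Java updater entry included as a negative case.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    lineno: int   # 1-based line within the log text handed to analyze()
    code: str     # short heuristic label (my own naming)
    detail: str


# Constructed sample: entries copied from the HijackThis log posted in this
# thread, plus one ordinary Java updater entry as a negative case.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [AutoLoader0FpM1aPjLWaN] "C:\WINDOWS\system32\wstim.exe"
O4 - HKLM\..\Run: [0s6i3mS] wstim.exe
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\\\etb\\pokapoka70.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O20 - Winlogon Notify: LavasoftStartupCleaner - C:\WINDOWS\vx2cleaner.dlx (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

F2_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def _executable(cmd: str) -> str:
    """Program part of a Run value: the quoted token if quoted, else the whole value."""
    cmd = cmd.strip()
    return cmd.split('"')[1] if cmd.startswith('"') else cmd


def analyze(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    keys_by_name = defaultdict(set)   # value name   -> registry keys it appears under
    names_by_exe = defaultdict(set)   # exe basename -> value names that launch it
    first_line_name: dict[str, int] = {}
    first_line_exe: dict[str, int] = {}

    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        line = line.strip()
        m = F2_SHELL_RE.match(line)
        if m:
            # Anything after Explorer.exe here is started by winlogon at every logon.
            if m.group("shell").strip().lower() != "explorer.exe":
                findings.append(Finding(lineno, "shell-hijack",
                                        f"Shell= is '{m.group('shell')}', expected exactly Explorer.exe"))
            continue
        m = O4_RE.match(line)
        if m:
            key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
            exe = _executable(cmd)
            base = exe.rsplit("\\", 1)[-1].lower()
            keys_by_name[name].add(key)
            names_by_exe[base].add(name)
            first_line_name.setdefault(name, lineno)
            first_line_exe.setdefault(base, lineno)
            if "\\" not in exe:
                # Installers write full paths; a bare name is resolved via the search path.
                findings.append(Finding(lineno, "bare-exe", f"[{name}] runs '{exe}' without a path"))
            elif "\\\\" in exe:
                findings.append(Finding(lineno, "malformed-path", f"[{name}] has doubled backslashes: {exe}"))
            if key.endswith("RunServices"):
                findings.append(Finding(lineno, "runservices", f"[{name}] uses the Win9x-era RunServices key"))
            continue
        if line.startswith("O20 - ") and line.endswith("(file missing)"):
            findings.append(Finding(lineno, "dangling-notify", "Winlogon Notify entry points at a missing DLL"))
        elif line.startswith("O23 - ") and "Unknown owner" in line:
            findings.append(Finding(lineno, "unknown-owner", "service has no publisher information"))

    for name, keys in keys_by_name.items():
        if len(keys) > 1:
            findings.append(Finding(first_line_name[name], "multi-key",
                                    f"[{name}] is registered under {len(keys)} keys: {sorted(keys)}"))
    for base, names in names_by_exe.items():
        if len(names) > 1:
            findings.append(Finding(first_line_exe[base], "same-exe-multiple-names",
                                    f"{base} is launched by {len(names)} value names: {sorted(names)}"))
    return sorted(findings, key=lambda f: f.lineno)


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per heuristic label."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.lineno:>2}  {f.code:<24} {f.detail}")
```

Run against the sample, the script flags the Nail.exe shell hijack, the four path-less Run entries (wstim.exe and the three windir32.exe values), the doubled-backslash pokapoka path, the RunServices key, the missing vx2cleaner.dlx, the unknown-owner svcproc.exe service, the windir32.exe value registered under three keys, and wstim.exe being launched under two different value names, while the jusched.exe entry produces nothing. A hit is a reason to look closer, not proof of malware; the final call still rests with someone who knows the legitimate software on the machine, as it does in this thread.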
     
