TechSpot

Virus or some other bad mojo?

By flipper
Oct 21, 2009
  1. Hey all:

    The general problem is that my laptop, for the last two months or so, has been freezing a whole bunch, ranging from once a minute to once every five minutes. It just hangs there for 30 seconds or a minute, then frees itself up, or else freezes again. This happens with my browser, Firefox, but in other programs too.

    I have tried going into msconfig and disabling all startup programs and non-Microsoft processes and the thing still freezes. The only time it really doesn't freeze is if I do a safe boot; and then it freezes once in the beginning but then continues without freezing again, generally.

    Oh, in Firefox, I've tried disabling all add-ons and whatnot and that doesn't change a thing.

    So, maybe it's a bug? I've gone through the 8 steps and everything looks pretty clean to me; but maybe you'll see differently. Attached are the three requested files.

    Thanks much for your help!

    flipper
     


  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    You got rid of tons of nasty cookies... You are missing many Microsoft Updates, including XP Service Pack 3 and IE8. You should apply any critical and hardware updates found when you run Windows Update manually and choose Custom. Update to IE8 for security reasons even if you don't use it. Keep running Windows Update until no more updates are found. Doing all this may not help with freezing and your hijackthis log is not too bad. You may have a driver or other hardware reason for the freezing. Have you run a check disk on reboot, to check your hard drive for problems?
     
  3. flipper

    flipper TS Rookie Topic Starter

    Hey, thanks for the reply! Actually, I'm running Vista not XP, so I don't need XP SP3, do I? But the point is well taken: update Windows!

    Have not run check disk on reboot; will try that today, if I can figure out how to do it.

    If the problem is driver related, do you have any suggestions for tracking it down?

    Any other thoughts?

    Thanks again!
     
  4. WinXPert

    WinXPert TS Guru Posts: 445

    You have your Vista CD. Boot from it, go to the command prompt and type

    CHKDSK C: /p

    If you have more drives, check them all.
     
  5. flipper

    flipper TS Rookie Topic Starter

    Actually, no, I don't have a Vista CD, so I went into the safe-mode recovery console and ran chkdsk from there. The /p didn't take. But the report came back with what looks like a clean bill of health, i.e., it said '0 KB in bad sectors.' That's the salient fact, right?

    Now what?
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    flipper, I will be glad to help check for malware on the system. But I must ask that you follow my instructions only. We have a process that we go through because it works. Random suggestions can sometimes cause additional problems. The members who have replied do not have malware training and they may, or may not, luck out in finding something helpful.

    Please hold off on the previous directions- I am checking your logs now and will be back shortly.
     
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Just in case you have already read my reply, I'm making a new one because an Edit does not send feedback that there has been a reply.

    Your logs are all free from malware. But I'm concerned about the antivirus program. The HijackThis log doesn't look like it's displaying correctly: I see a Service for Norton Internet Security but no other processes running, which is unusual. Is the subscription up to date and have you scanned recently?

    1) How much RAM do you have? Vista requires at least 2GB. It sounds like you may be short. And if you don't do regular maintenance to get rid of old files, you're going to freeze. The system will be forced to restart, which frees memory for a while, but the cycle starts all over again.

    2) Let's do some cleaning up:
    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    3) Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    4) Please rescan with HijackThis when done and paste a new log into your next reply

    Attach the report from Combofix.

    To get the Tracking Cookies under control:

    For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

    I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
    AdBlock Plus
    Easy List

    The presence of so many Tracking Cookies can be an indication that you are not doing maintenance on the system such as disc cleanup and defrag.
     
  8. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    My bad! Tired eyes that night I guess...

    Carry on Bobbye, good to see that you are helping out :)
     
  9. flipper

    flipper TS Rookie Topic Starter

    Okay, Bobbye, will work through the steps and report back. Thanks for your help!

    (BTW, I have 3GB RAM ...)

    Okay, here's my report after doing all the above ...

    1/ In terms of the freezing, it's still happening.

    2/ I did delete 9738 temp files, freeing up 11.794 GB of space!!!

    3/ The ComboFix file is attached.

    4/ The HijackThis file is pasted.

    Where do I go and what do I do next?

    Thanks!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:11:33 AM, on 10/23/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\RocketDock\RocketDock.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Windows\System32\mobsync.exe
    C:\Program Files\zabkat\xplorer2_lite\xplorer2_lite.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netflix.com/Queue?inqt=wn&lnkctr=queueTab-ELECTRONIC
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\Snagit 9\SnagitBHO.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: Snagit - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\Snagit 9\SnagitIEAddin.dll
    O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - (no file) (HKCU)
    O9 - Extra 'Tools' menuitem: Add to EverNote - {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - (no file) (HKCU)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)

    --
    End of file - 5497 bytes
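    As an added example (not code from this thread, from HijackThis, or from any tool named here), a small Python parser for the HJT log format above that applies the checks the helpers raise: the O23 service whose binary is reported missing, the O20 AppInit_DLLs entry, and one DLL registered under more than one add-on name. The sample lines are abridged from the log posted above.

```python
import re
from collections import defaultdict

# Abridged lines taken from the HijackThis log posted in this thread.
HJT_LOG = r"""
Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
"""

# Entries look like "O23 - Service: ..."; the prefix is the HJT section.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
DLL_SECTIONS = {"O2", "O3"}  # BHO/toolbar entries: "name - {CLSID} - dll path"

def parse_hjt(text):
    """Split a HijackThis log into running processes and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group("sec"), m.group("body")))
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}

def review(parsed):
    """Defender-side checks mirroring the points raised in the thread."""
    findings = []
    names_by_dll = defaultdict(set)
    for sec, body in parsed["entries"]:
        if sec == "O23" and body.endswith("(file missing)"):  # AV service with no binary
            findings.append("service binary missing: " + body.split(" - ")[0])
        if sec == "O20" and body.startswith("AppInit_DLLs:"):  # loads into every user32 process
            findings.append("AppInit_DLLs entry to verify: " + body.split(": ", 1)[1])
        if sec in DLL_SECTIONS:
            parts = body.split(" - ")
            if len(parts) == 3:
                names_by_dll[parts[2].lower()].add(parts[0].split(": ", 1)[1])
    for dll, names in sorted(names_by_dll.items()):
        if len(names) > 1:  # same DLL behind differently named add-ons
            findings.append("one DLL under several names %s: %s" % (sorted(names), dll))
    return findings
```

    Run `review(parse_hjt(HJT_LOG))` to list the three findings; swap in a full log to apply the same checks to it.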
     
  10. kritius

    kritius TS Guru Posts: 2,084

    Attach the ComboFix log perhaps?
     
  11. flipper

    flipper TS Rookie Topic Starter

    Hmmm, don't know why it didn't take. I'll try again ...
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    kritius, if you pass by here again, please take a look at the end of the HJT log. It doesn't seem to have the correct entries past the O9.

    flipper, have you made any changes to the Services? Short route is Start> Run> type in services.msc.
    You show only one Service running. Check yours against Black Viper's site:
    http://www.blackviper.com/WinVista/servicecfg.htm
     
  13. flipper

    flipper TS Rookie Topic Starter

    Well, what I have done is disable all non-Microsoft services to try to get at the problem. I did that a while ago and haven't gone back and restored those non-MS services. But those are the only ones I disabled. The 'load system services' button is still checked and grayed out. Also in msconfig, I disabled all but three of the start-up items.

    Should I restore everything and run the tests again?
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please refer to the site I referenced to reset the Services. A TIP: Services are best handled in Safe Mode. That is because you must always check the Dependency tab when changing Services. Other Services may 'depend' on this Service to run, or this Service may 'depend' on other Services to run.
     
  15. flipper

    flipper TS Rookie Topic Starter

    Okay, I'll tackle that.

    Meanwhile, I went to the cookies area in Firefox/Options, where you can set history settings, etc. Well, my FF *only* has the history setting feature and *nothing* about cookies. I looked at the other tabs in Options and none of them had anything about cookies either.

    What's up with that?
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I think you'll find it, flipper, if you check the right place. I am going on 5 years with Firefox and it hasn't moved:

    There should be three sections in the Privacy section:
    History
    Cookies
    Private Data.

    For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others.

    If you still can't find it, please tell me which version of Firefox you're using.
     
  17. flipper

    flipper TS Rookie Topic Starter

    Maybe I've turned into a complete addlepate and can no longer follow simple directions, and that very well may end up being the case. But for the life of me I don't see it.

    I've attached a JPG of what I do see. Am I simply in the wrong place?

    I am using FF 5.2.3

    Thanks again ... for your patience.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There is no FF 5.2.3. Do you mean v3.5.2?

    See this please:
    [image: screenshot of the Firefox Privacy options, not reproduced]
    The Private Browsing is optional. I'm leaving this image so you know what I'm referring to.

    Edit: the image you left appears to be missing an entire section. Suggest you reinstall FF over the current install.
     
  19. flipper

    flipper TS Rookie Topic Starter

    Yes, 3.5.2. And I do indeed appear to be missing a whole section.

    I'll reinstall FF over my current version and report back.

    Thanks!

    Edit: Oh, I see what the problem is; you've got to be showing "use custom settings for history" for all the rest of the stuff; the 'remember history' setting doesn't show the cookies settings et al.

    One problem solved. Many more to go ...
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well, I learned too! Kind of wish they wouldn't go messing with these things!
     