Laptop slow, full of trojans

Status
Not open for further replies.

fuzmnky

So my friend's new laptop is moving at a crawl. I'm trying to help him but I can't seem to clean it all up.

It's running Vista Premium and when booted into normal mode, it runs real slow and the task manager shows that 800mb of the 1gb of ram is being used (from startup!). But the task manager also shows no programs sucking up that much ram, there seems to be something hidden using up half a gig somewhere and I can't get rid of it!

After numerous scans I've found many instances of Trojan.Vundo and Trojan.Zlob but the RAM is still being used up!

I've run CCleaner, VundoFix (didn't find anything), ATF Cleaner, Malwarebytes' Anti-Malware (found over 20 infected areas from the trojans), and am running Spybot now and have downloaded SuperAntiSpyware and will run that afterwards as well.

I just noticed that the Java is out of date and will update that as soon as S&D is done and I boot back into normal mode.

Last time I booted into normal mode after all these scans, it still had the ram used up even though it looked like the vundo trojan files hadn't started back up. What else can be back there?

I'll upload the HijackThis log.

Thanks!
 

Attachments

  • hijackthis.log
Try This website

http://hjt.networktechs.com/parse.php

If you will take the log you provided and paste it at this website (go through the 'parse' process following the directions) it will show you some of what is currently running on your computer.
It will also provide information on other processes found on your system. If you will take a look at this website, this is where you can download a 'startup control panel' which also is helpful in diagnosing start-up issues with your system. http://www.mlin.net/StartupCPL.shtml
Regards.
 
Hey Bill!

I've been using hjt for a while now and I didn't know about that site, pretty cool.

I'll boot up the laptop and parse the log and post it soon.

I use codestuff starter to view processes and control startup files, is startupcpl better or the same?

thanks!
 
I would recommend for you to upgrade Vista to SP1, then run HijackThis under normal mode. Make sure to right click and select run as admin, then attach the log here.
 
I'll give it a shot but I've tried to update to sp1 twice already and it's hung up at the end of the install both times. Also, whenever I tried to run spybot, it stops with an error message, "not enough storage is available to process this command".

So I'll boot it up, post the parse and then try to update SP1 again. Third time's a charm, right?
right?
anyone?
:)
So here's my hijackthis parse:
http://hjt.networktechs.com/parse.php?log=543390
It recommended getting rid of something called "Gopher Prefix:", which is fine, was on my radar anyway. But then it also red-flagged what looks to be the Windows Sidebar. Am I seeing that right? Doesn't really matter, I've already disabled it since my friend doesn't use it anyway, but it just seems odd. Your thoughts?

thanks!
 
I was trying to download sp1 and I kept getting warnings from comodo firewall (that I just installed) saying that a file "spclite.exe" was trying to access files and stuff. I uploaded a few screenshots if that helps. Problem is that since I started blocking it, sp1 hasn't downloaded, are they related?

If that file is needed to download sp1, why doesn't comodo recognize it?

thanks guys.
 
ah, comodo didn't recognize it probably because it installs in a random folder on the C: each time. Got it. Thanks momok!

anyone's thoughts on the hjt?

I'll get rid of the gopher thing but I'm not sure about the sidebar ones.

Okay, I got rid of the 3 red flagged files on hjt that the website recommended and I haven't noticed a difference.

I ran a Panda online scan and it didn't find anything other than a tracking cookie.

SP1 did install (thanks mamok) and I'm now downloading the newest updates.

Thing is that it's still using up most of its memory. The laptop has 1gb and it always hovers around 800mb no matter what programs I have running. And from the task manager, I usually don't have more than a few hundred being used (plus whatever the system is using) which should put the usage probably not above 500mb or so. So there appears to be something still trying to make this machine sluggish. Does that make sense?

When I first booted up the laptop I received 3 fake pop-ups warning me that the system was slow and that I should download their free antivirus software. I should have written down what they were called (something like rapid antivirus, etc.) but I haven't seen them since. Could that have anything to do with it?

I'm running out of ideas...
 
Your system is obviously infected. Yet you have not followed the 8 step malware removal sticky instructions and posted the 3 required logs. I'm afraid you won't go far and get much help without doing that.
 
Thoughts on the HJT -

Pick one security solution: Spybot Security center & McAfee appear to overlap on at least the AV protection and perhaps more. Actually, I have never called SpybotSD a security center - is this a fancy label or an upgrade package? You added firewall afterward.

Sony / VAIO O23 services are mind boggling! That must be bloating things a bit.
 
Oh, sorry momok, I completely forgot to post those after doing the scans. The only one (Malwarebytes I think) that found anything supposedly cleaned out the trojans. I'll see if I can dig up the logs and post them.

I went through the 8 step and downloaded and ran the programs asked, I just only remembered that it asked for hjt log, I didn't mean any disrespect by not posting the others. I guess I just thought that I should do the scans, not that anyone wanted to see the actual results. Again, I am familiar with posting hjt logs and had not heard of people wanting others and though I read it, it just didn't click.

To rf6647: I know, I don't much care for McAfee but it was on my friend's computer so I didn't feel that I could uninstall it when I installed the other programs. I guess I probably should have disabled it, I'll look into that.

And yes, Sony loads that thing with plenty of crap if you ask me! I know he doesn't use most of their programs so I'll talk to him and disable what I can.

So I'll try to dig up those logs this afternoon and get back to you guys. Thanks for being willing and patient with me!
 
fuzmnky, if you're coming here for help with the malware problem, then this is where you post your logs, not on another site. You should also follow the sequence of cleaning and run the programs given.

Please begin with Step 1 here, complete the running of the programs, then attach all of the logs. NOTE: HijackThis is to be run after Malwarebytes and SuperAntiSpyware.
 
hi bobbye,

I'm sorry, I think I need to clarify for a second.

I did not post logs on another site. I've not gone to any other sites for help with this laptop. This was and is my first stop whenever I have computer issues. Usually I find my answers in other posts without needing to post for any help myself.

I saw the sticky when I first started searching for help here and I downloaded all the suggested programs and ran them. I was not familiar with needing to post virus scan logs; in my mind, if the virus scanning program found any files needing to be deleted, it would flag them for me and tell me what to do. I was not aware that other people would be interested in the minute details. One did find those two trojans from my original post, I simply thought that was all the info needed from those scans. I apologize for not reading thoroughly enough to realize that I needed to post those logs as well. Again, I am sorry I didn't know that by not doing so I was wasting everyone's time.

If you'd like a little back story, my buddy handed this to me the day I was leaving on a weekend vacation with my wife and she was not happy about it and I tried to minimize the time I spent on it. In retrospect I should've just told him next week but by the time I realized that it was going to take a lot of time, I had already posted here and was already getting advice and thought it rude to ignore it until I got home. So I was a little rushed at first and I again apologize.

I was familiar with posting HijackThis logs, which is why I did so. Since HJT doesn't tell me what's bad I know that I would need help deciding what needed to go.

I'll go back to the sticky and run through it again. I'll post all my results and not bother with the old logs since they probably don't matter anymore.

If any of you are still willing to help me, I appreciate it!
 
thanks momok!

it took 3 hours but I finished the Malwarebytes scan. It came out clean, here's the log.

I'll update SuperAntiSpyware and run that but I'm going to bed and will post that log first thing in the morning.

I've already updated Java and I will do another hjt log after the sas scan is done.

thanks!
 

I was referring to this. The site WAS recommended to you, but it shouldn't have been, so the emphasis was as much for the person who recommended it. We can't tell what has been found and removed unless we see the logs, which is why we want logs from Malwarebytes, SuperAntiSpyware and HijackThis. Unfortunately, some people run Malwarebytes and don't check to remove.

Your MBAM log is clean. IF you have Tracking Cookies on board, they will show up in SuperAntiSpyware. That's also a good way for us to get some idea of sites that may be dropping the Cookies and we can give you help to limit what Cookies the system will accept.

We like HijackThis run AFTER the other programs, because it shows any 'left over' entries that need to be removed. It's an orderly process that has been found to work in the best interest of the user with the problem.
 
Hey guys,

thanks for explaining that to me bobbye I had no idea that was not kosher!

I've run these scans so much, SAS only found one tracking cookie during this last pass. I ran a Panda scan the other day that cleaned 10 or so out.

Here's the SAS log and then the HJT one I ran afterwards.

ram is still running at over 800mb. Just weird.
 
Well, it's easy to see why so much RAM is being used! The system is running 4 antivirus programs: Avira, McAfee, Panda, Housecall and 2 firewalls: Comodo, McAfee.

Decide which you want and remove the others!
Avira/Antivir:
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
McAfee:
c:\PROGRA~1\mcafee\msc\mcuimgr.exe (3 instances of the McAfee update program, like mcupdi.exe, mcupdmgr.exe): this process alone is a known resource hog!
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
Panda:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

Housecall:
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://prerelease.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

Firewalls:
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

You might also want to check the multiple VAIO Services running- make sure you're using them all or disable the Startup Type.

I didn't see any malware in the log.
Check your Cookie settings. Privacy> Advanced> CHECK 'override Cookie setting'> CHECK 'accept first party Cookies'> CHECK 'block third party Cookies'> Check 'allow per session Cookies'> OK> Apply> OK.

That should bring the security level up.
 
Hey Bobbye! Alright, I'll give that a shot.

I may be mistaken, but I think the ram issue was there before I started downloading these programs. And I even disabled McAfee's virus and firewall protection. Also Panda and TrendMicro are not stand alone programs on the laptop, but from their free online scans. After an online scan, do they run in the background? If so, that sucks.

I'll keep McAfee since I think they have it paid for already. And since that comes with a firewall, I'll get rid of Comodo too. I haven't checked into the Vaio programs yet, though my friend said that it became slow, so I'm wondering how bad they were to begin with. But I don't think he used any of them except the one that controls the wireless.

Anyway, I'll try anything and I hope the problem is simply bloatware!

I'll let you know the results, thanks!
 
Re Housecall and Panda:
After an online scan, do they run in the background? If so, that sucks.
Yes, they do and it does, so you have to uninstall them and delete the files.
I haven't checked into the Vaio programs yet, though my friend said that it became slow, so I'm wondering how bad they were to begin with.
Every computer manufacturer puts junk on a system. I think they want the user to feel that it is necessary and needed. Most of the time it isn't, but few users review the process and consider stopping and/or removing them.

It took me a year to get rid of the Dell trash and then only, finally, using the Windows Installer Cleanup Utility. So I encourage you to check those Services> Disable the Startup type for any that aren't being used and change Startup type to Manual for those that "may" be used sometimes, but aren't needed or used always. NOTE: when changing Services, always check the Dependencies tab. It is usually easiest to change Services while in Safe Mode using Start> Run, type in services.msc> access the Services here.

Remember: you want to end up with one antivirus program, one firewall and at least two spyware/adware programs.
 
Wow.. 4 AV + 2 firewalls.. that's a first. I wonder how you got infected in the first place.
On a side note, your logs are looking clean, so let us know if you face any symptoms after you are done with the 'defence maintenance' on your system.
 
I wonder how you got infected in the first place.
Probably because all the security programs were creating conflicts which, instead of leaving the system with 'more' protection, left it with none! Ya think?
 
Alright, so I decided to stick with McAfee since it was my friend's program to begin with. (Though obviously it didn't help him keep the trojans off!)

I uninstalled Avira, Panda, TrendMicro, and Comodo with ccleaner. I checked the HJT afterwards and I think ccleaner took care of all those files, though I might have missed one.

Pretty much all the Vaio services are not on the startup anymore (supposedly).

And I fixed the cookie setting.

For clarification, he only had McAfee installed on here when he asked for my help. I installed comodo, avira, etc. off of the 8-step. I knew he had McAfee but since it was already infected, I didn't think that it was worth beans at the moment so I went with Avira and Comodo since I've been using both personally. I had disabled both McAfee's Virus Detection and Firewall even though they remained installed on the machine.

Ram is better, maybe even back to normal (which is hard to say since I don't know what normal is on this laptop). Currently the ram usage is sitting at 650mb with one ie window open, HJT and the task manager. I think I'm going to knock down the Vista visuals to basic and install Firefox as well.

So is it done? My ram issue ended up being all these programs I installed to clean it up? Because that would be an easier fix than I had anticipated!

I'll upload the latest HJT log.

Let me know, and again, thanks for all the help!
 
Pretty much all the Vaio services are not on the startup anymore (supposedly).
They appear to still be there. I'm not sure if you want to actually remove them though.
I noticed that you run on only 1GB RAM for Vista. Would definitely recommend you get at least 1GB more.
 
Well that sure looks better! I have three suggestions:
1. There are a lot of Adobe processes loading at startup. Why? If a PDF document is clicked on, it will automatically open in Adobe. If you need to use other functions of the program, just open it; don't use time, space and speed carrying all those processes around. I'm not going to 'itemize' them for you; they are easily noted in the several O4 entries.

2. The Windows Welcome Center: You might want to remove this. It automatically loads at startup and from what I'm reading, serves no particular purpose, but uses resources:
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')

You'll find two methods here:
http://www.techmixer.com/disable-windows-vista-welcome-center-when-startup/

3. As for the Sony/Vaio processes/Services, they are still automatically loading. All the O23 Services should be reset to Manual Startup type for any Services that are not immediately needed. Caution: best to do this in Safe Mode, after you have HijackThis remove the processes, and always check the Dependencies tab:
Start> Run> services.msc.

We can proceed with removing the cleanup tools and old restore points:
* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

I've had a few people tell me that the 'clean System Restore' option hasn't come up this way. IF it does not, use the Control Panel> System> System Restore tab to CHECK 'turn off System Restore'> Apply> OK> Reboot. Then go back in and UNCHECK 'turn off System Restore'> Apply> OK.

Since the laptop is still running high on using resources, I advise you to seriously consider both Disabling and reset to Manual the extraordinary number of Vaio Services.
 