Malware or Virus?


henry crun
14th Nov 2004, 08:32
Athlon 1.6/ 512 mb ram/ XP Home/ 40 GB HD with 20 Gb free.

Have run Spybot and deleted all red entries.
Have run Adaware and deleted all entries.

Over the last few days whenever I try to scan with Norton AV (2003 updated) the CPU usage slowly increases as the scan progresses until it reaches 100%, at which point the PC locks up.

This lockup at 100% cpu usage does not always occur at the same point.
It is usually somewhere between 1/2 and 3/4 of a full scan.

On one occasion it occurred when running Adaware before the scan was complete.
It will also occur running some other programs, particularly if I have two or three windows open at once.

The only way I can get out of the situation is to Reset, and when it boots up again CPU usage will still be over 95% with nothing running, so I turn off in the normal way and wait for an hour or two.

Have run Hijackthis but when I try to submit the log I get this message


-------------------------------------
You have included too many images in your signature or in your previous post. Please go back and correct the problem and then continue again.

Images include use of smilies, the vB code [img] tag and HTML <img> tags. The use of these is all subject to them being enabled by the administrator.
-----------------------------------------

419
14th Nov 2004, 08:57
H.C.
Have another go at posting your Hijackthis log. There is a box in the "options" section (just below where you type your message) labeled "Disable smilies in this post". Make sure you tick the box, and it should work fine.

419

henry crun
14th Nov 2004, 19:31
Thanks 419. Here it is

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 Series" /O6 "USB001" /M "Stylus C41"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/pcpitstop.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15255737-0014-4FE2-A56D-478C4CF578A1}: NameServer = 210.55.12.1 210.55.12.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{15255737-0014-4FE2-A56D-478C4CF578A1}: NameServer = 210.55.12.1 210.55.12.2
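
The log above is in the HijackThis "O"-section format. As an added example (not part of the thread and not HijackThis's own code), here is a small parser for those lines together with three triage checks of the kind a reviewer applies before calling a log clean: O4 autostarts that name a bare file rather than a full path (which copy runs then depends on the search order), O17 resolvers that are not on an allow-list, and the hosts behind O16 ActiveX downloads. The sample lines are constructed in the same format as the log; the allow-list of DNS servers and the heuristics are assumptions, not findings about this machine.

```python
"""Parser and triage checks for HijackThis 'O'-section log lines.

Added example, not from the original thread. SAMPLE_LOG is constructed
in the log's format; the DNS allow-list and the heuristics are assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample lines in the HijackThis 'O' format.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15255737-0014-4FE2-A56D-478C4CF578A1}: NameServer = 210.55.12.1 210.55.12.2
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LINE_RE = re.compile(r"^O(?P<section>\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")


@dataclass
class Entry:
    section: int
    raw: str
    name: str = ""
    command: str = ""
    clsid: str = ""
    url: str = ""
    nameservers: list = field(default_factory=list)


def parse_log(text):
    """Parse every 'Onn - ...' line; the running-process list is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = Entry(section=int(m.group("section")), raw=line.strip())
        body = m.group("body")
        c = CLSID_RE.search(body)
        if c:
            e.clsid = c.group(0).upper()
        if e.section == 4:
            m4 = O4_RE.match(body)
            if m4:
                e.name, e.command = m4.group("name"), m4.group("command")
        elif e.section == 16:
            m16 = O16_RE.match(body)
            if m16:
                e.name, e.url = m16.group("desc"), m16.group("url")
        elif e.section == 17:
            m17 = O17_RE.search(body)
            if m17:
                e.nameservers = m17.group("servers").split()
        entries.append(e)
    return entries


def executable_of(command):
    """Program part of an O4 command: strip surrounding quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def autostarts_without_full_path(entries):
    """O4 names whose command is a bare file name (no directory); the file
    that actually runs is found by search order, so confirm its location."""
    return [e.name for e in entries
            if e.section == 4 and "\\" not in executable_of(e.command)]


def unexpected_nameservers(entries, allowed):
    """O17 resolvers not in the allow-list (assumed to be the ISP's servers)."""
    return sorted({ip for e in entries if e.section == 17
                   for ip in e.nameservers if ip not in allowed})


def remote_code_hosts(entries):
    """Hosts that served O16 (Downloaded Program Files) ActiveX controls."""
    return sorted({urlparse(e.url).hostname for e in entries
                   if e.section == 16 and e.url})


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    print("bare-name autostarts:", autostarts_without_full_path(found))
    print("unexpected resolvers:", unexpected_nameservers(found, {"210.55.12.1", "210.55.12.2"}))
    print("ActiveX download hosts:", remote_code_hosts(found))
```

On the sample, the only flag is the `[SoundMan] SOUNDMAN.EXE` entry, and only because it is a bare name: the check asks the reviewer to confirm which file resolves, not to declare it malicious. The O17 check is silent as long as the servers match what the ISP hands out, which is the question to settle for the 210.55.12.x pair in the log.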

419
14th Nov 2004, 20:28
Glad it worked. I'm afraid that that was it as far as my knowledge goes. You will need expert help to "decode" your log.
There are a few Pruners who will be able to do that for you.

419

E-Liam
15th Nov 2004, 05:51
Hi Henry,

that's a clean log, so I'd suggest that you go here (http://housecall.trendmicro.com/housecall/start_corp.asp) and run the online virus scan, choosing the Autoclean option just before clicking the Scan button. See if that picks up whatever is causing Norton to stop working.

Cheers

Liam

Bigwings
15th Nov 2004, 08:41
HC, you could also follow this link:

http://www.grisoft.com/us/us_index.php

You can download a free copy of AVG (Anti Virus Guard). I started using this around 2 years ago and it's marvelous. Like you I was using Norton, and it was up to date. This software picked up problems that Norton had missed, give it a try.

Bigwings :D

Naples Air Center, Inc.
15th Nov 2004, 11:46
Bigwings,

You cannot run two Antivirus programs on the same computer. If you have NAV and AVG installed at the same time, you will have a lot of problems with the comp.

Take Care,

Richard

henry crun
15th Nov 2004, 18:21
E-Liam thank you for the help.

I did as you suggested and tried to run the Trend scan, but it locked up as the CPU usage reached 100% after less than a minute.

Tried again some time later and this time the PC shut itself down when the scan was only about 10% complete.
Pressed the PowerOn button and nothing there at all. Switched the power off at the wall and came back about 30 minutes later, this time it booted up normally.

There is obviously something seriously wrong with it that is beyond the limited help I can give it. I shall probably take it down to my friendly computer technician soon.

Bigwings, thanks for the suggestion, I have had no complaints about NAV up to now so I will stick with it until it proves defective.
I am sure this problem is not NAV specific because it happens with other programs.