
Author Topic: Drastic system slowdown  (Read 4078 times)

Offline Jaminxz

  • Regular Member
  • **
  • Posts: 124
Drastic system slowdown
« on: May 09, 2004, 23:14 »
Yo guys, I need your help again please!! :P

About 90%+ of the time I use my PC to surf the net and play Windows Media 9 at the same time. Up until a week or so ago I could do that with about 30% CPU usage (I think; I'm not too sure on the exact figures, but it was pretty low).

All of a sudden my system started to go slow and sluggish whilst doing this, and my CPU usage is always 100% whatever I'm doing. Originally I thought it was adware
(hence the thread http://pc-pals.com/index.php?board=27;action=display;threadid=11893).

However, I followed the advice given (cheers guys) and this hasn't solved anything. I'm pretty worried now about it being a trojan or something?

Anyway, does anybody have any solutions? I would greatly appreciate your help.

I know my CPU usage shouldn't be anywhere near 100%. All I'm running most of the time is firewall, download manager, BT internet manager, Windows Media Player, sound manager and the Windows exe's. Like I said, I was doing this last week with really low CPU usage.


Online Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Drastic system slowdown
« Reply #1 on: May 10, 2004, 07:47 »
If your CPU is 100% usage, does it not show what is using all the resources in the Task Manager processes list?

Suggest you run Hijack This and post the results on here.

I just looked at the other thread you pointed to, and Sandra suggested you ran the spyware scanners in Safe Mode, with System Restore switched off.  Have you done that?  Try both Ad Aware and Spybot, as they both spot different things.  Once you have your system clean, I suggest you install Spyware Blaster, which will help prevent spyware getting into your system in future.

Ad Aware
Spybot S&D
Spyware Blaster

Many thanks to all our members, who have made PC Pals such an outstanding success!   :thumb:

Offline Jaminxz

  • Regular Member
  • **
  • Posts: 124
Re:Drastic system slowdown
« Reply #2 on: May 10, 2004, 18:18 »
Right, I did everything suggested in that thread. I ran Spybot and Ad Aware in safe mode with no success.

It does list all processes in Task Manager but I don't understand them all.

I downloaded Hijack This and here are the results -

Logfile of HijackThis v1.97.7
Scan saved at 18:14:57, on 10/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Omniquad\Omniquad Personal Firewall\OPFSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wnetmgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\avserve2.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\BTopenworld\DialBTISurfTime.exe
C:\WINDOWS\avserve2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\avserve2.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\avserve2.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ftp.exe
C:\Documents and Settings\Ben Williams\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\skynetave.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btinternet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btinternet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTinternet
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.btinternet.com/
O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IW ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [SupaStatus] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int113779.exe -auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft System Checkup] wnetmgr.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [skynetave.exe] C:\WINDOWS\skynetave.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetmgr.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [OPF] C:\Program Files\Omniquad\Omniquad Personal Firewall\OPF.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btinternet.com/
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9A3FB3C-876A-4430-8554-512CA7EC539F}: NameServer = 213.1.119.100 213.1.119.99


Thanks to all who are trying to help, I am most grateful as this is a really annoying problem.

Thanks people

Online Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Drastic system slowdown
« Reply #3 on: May 10, 2004, 19:44 »
Well for a start, it looks like you've got the Sasser worm (skynetave.exe), which you will need to remove with this removal tool.  Did you update Ad Aware / Spybot, etc before running them, as they should have picked this up, as should your anti-virus software.  

Try that and see if that helps. In the meantime, we'll check out the rest of your Hijack This log, which usually requires someone more technical than me.

Edit: You should also visit Windows Update to get the latest Critical Updates.  More info on Sasser, including the required security patch from the link below.

http://www.microsoft.com/security/incident/sasser.asp

Offline Dack

  • Established Member
  • ****
  • Posts: 831
Re:Drastic system slowdown
« Reply #4 on: May 10, 2004, 19:57 »
You did tell both packages to do the updates first, did you? You definitely have a bit of a hijack going on and both packages should have spotted them.

Failing that you need to boot in safe mode, run HJT again and fix the following items


O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [websx] C:\Program Files\websx\int113779.exe -auto VERY NASTY takes 99% processor power etc
O4 - HKLM\..\Run: [Microsoft System Checkup] wnetmgr.exe TROJAN! Keylogger
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe IRC TROJAN!
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe SASSER WORM
O4 - HKLM\..\Run: [skynetave.exe] C:\WINDOWS\skynetave.exe SASSER WORM
O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetmgr.exe Trojan Keylogger
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Then install a decent antivirus, I use avast (www.avast.com) but there are lots of others AND the microsoft patches for XP.

If you use any online services I would also change their passwords too.
They promised the earth! Then delivered mud.
Technically it did meet the spec.

Offline Jaminxz

  • Regular Member
  • **
  • Posts: 124
Re:Drastic system slowdown
« Reply #5 on: May 10, 2004, 21:21 »
Right, thanks guys, I don't know what I'd do without you!! I'll get right on the case of blasting the bugger!

I downloaded Ad Aware especially for the task, but I didn't update Spybot S&D. I don't have an anti-virus, but I'll get one instantly.

I do have Omniquad Personal Firewall, thought that might have stopped it??

Also I had a problem with the Hijack This tool, it opened for about five seconds and closed.

Is that the worm doing that??

Offline Jaminxz

  • Regular Member
  • **
  • Posts: 124
Re:Drastic system slowdown
« Reply #6 on: May 10, 2004, 22:00 »
Oh for god's sake, this is an intelligent worm!!!

Every time I try to run Norton, that Hijack thing or the Windows update for it, it closes the program!!!!

What do I do now???

Offline Sandra

  • Ultimate Member
  • *******
  • Posts: 12155
Re:Drastic system slowdown
« Reply #7 on: May 10, 2004, 22:40 »
Try this and hopefully it should enable you to get online and get the removal tool  :)

If you are using Microsoft® Windows® XP or Windows XP Service Pack 1 (SP1) and your computer has been infected by the Sasser worm, you can take these steps to update your software, remove the worm, and help protect against future infections.

Step 1: Disconnect from the Internet
To avoid further problems, disconnect from the Internet:

Broadband connection users: Locate the cable that runs from your external DSL or cable modem and unplug that cable either from the modem or from the telephone jack.
Dial-up connection users: Locate the cable that runs from the modem inside your computer to your telephone jack and unplug that cable either from the telephone jack or from your computer.

Step 2: Stop the Shutdown Cycle
This worm may cause LSASS.EXE to stop responding, which forces the operating system to shut down after 60 seconds. If your computer starts to shut down, follow these steps to abort any system shutdown that may be in progress.

On the taskbar at the bottom of your screen, click Start, and then click Run.
Type: cmd and then click OK.
At the command prompt, type: shutdown.exe -a and then press ENTER.

Step 3: Mitigate the Vulnerability
You can temporarily remove the vulnerability that allows the worm to infect your computer by creating a log file.

Create the log file

On the taskbar at the bottom of your screen, click Start, and then click Run.
Type: cmd and then click OK.
At the command prompt, type: echo dcpromo >%systemroot%\debug\dcpromo.log and then press ENTER.

Make the log file read-only

At the command prompt, type: attrib +R %systemroot%\debug\dcpromo.log and then press ENTER.

Step 4: Improve System Performance
If your computer is acting sluggish or if the Internet connection is slow, the worm may be flooding your local network connection. This may make it impossible for you to download and install the required software update. To improve system performance:

Press CTRL+ALT+DELETE, and then click Task Manager.
For each of the following tasks that may be listed, click the task to select it, and then click the End Task button to end it.
Any task ending with _up.exe (for example, 12345_up.exe).
Any task starting with avserve (for example, avserve.exe).
Any task starting with avserve2 (for example, avserve2.exe).
Any task starting with skynetave (for example, skynetave.exe).
hkey.exe
msiwin84.exe
wmiprvsw.exe

Note  Do not end the wmiprvse.exe task; it is a legitimate system task.
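
Added example (not part of the post above or of the instructions it quotes): the Step 4 task-name list applied to a HijackThis log of the kind posted earlier in this thread, checking both the running processes and the O4 Run entries that would restart them. The function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter
from itertools import takewhile
from ntpath import basename  # Windows path rules on any OS

# Task names from the Step 4 list above; wmiprvse.exe is deliberately absent.
EXACT = {"hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}
PREFIXES = ("avserve", "skynetave")   # "avserve" also covers avserve2
SUFFIX = "_up.exe"
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+)$")

# Constructed sample in the HijackThis layout posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\avserve2.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\skynetave.exe
C:\WINDOWS\System32\12345_up.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avserve2.exe] C:\WINDOWS\avserve2.exe
O4 - HKLM\..\Run: [skynetave.exe] C:\WINDOWS\skynetave.exe
"""

def is_listed(path):
    """True if the file name matches the Step 4 list (case-insensitive)."""
    name = basename(path).lower()
    return name in EXACT or name.startswith(PREFIXES) or name.endswith(SUFFIX)

def running_processes(log):
    """Paths under 'Running processes:' up to the first blank line."""
    lines = [l.strip() for l in log.splitlines()]
    rest = lines[lines.index("Running processes:") + 1:]
    return list(takewhile(bool, rest))

def exe_of(cmd):
    """Executable part of an autorun command: text up to the first '.exe'."""
    m = re.search(r'[^"]*?\.exe', cmd, re.I)
    return m.group(0) if m else cmd

def triage(log):
    """Return (Counter of listed running tasks, listed O4 Run entries)."""
    running = Counter(basename(p).lower() for p in running_processes(log) if is_listed(p))
    autoruns = [m.group(1, 2) for m in map(O4_RE.match, log.splitlines())
                if m and is_listed(exe_of(m.group(3)))]
    return running, autoruns

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Only names on the Step 4 list are matched, so other entries flagged earlier in the thread (wnetmgr.exe, syslog32.exe) still need a manual read of the log.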

Online Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Drastic system slowdown
« Reply #8 on: May 10, 2004, 22:54 »
Alternatively, download the removal tool and Windows patch, on an uninfected machine, and put them on a CD or a floppy disc (if they fit), then start your PC in safe mode and run the removal tools and patch.  Then, while still in safe mode, run HJT, and fix anything still there from Dack's list above.

I don't want to preach, but let this be a lesson that everyone should have decent, up to date anti-virus protection installed, as it would have stopped this in its tracks, Jam.  A firewall alone is not enough, as you have discovered.   ;)

Adept

  • Guest
Re:Drastic system slowdown
« Reply #9 on: May 11, 2004, 07:08 »

I don't want to preach, but let this be a lesson that everyone should have decent, up to date anti-virus protection installed, as it would have stopped this in its tracks, Jam.  A firewall alone is not enough, as you have discovered.   ;)


And there endeth today's lesson ... :P ;D ;D

Online Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Drastic system slowdown
« Reply #10 on: May 11, 2004, 07:48 »
:shuddup:  :chubby:

Offline Michelle

  • Forum Fanatic
  • ******
  • Posts: 5242
    • Techieminx
Re:Drastic system slowdown
« Reply #11 on: May 11, 2004, 12:40 »


I don't want to preach, but let this be a lesson that everyone should have decent, up to date anti-virus protection installed, as it would have stopped this in its tracks, Jam.  A firewall alone is not enough, as you have discovered.   ;)


And there endeth today's lesson ... :P ;D ;D



Don't you just love it when he gets forceful  ;D  :-*
Out of all the things I've lost .......I miss my mind the most!!

Offline ketamininja

  • Full Member
  • ***
  • Posts: 270
Re:Drastic system slowdown
« Reply #12 on: May 11, 2004, 20:04 »
WOW, now that's a lot of hijacks there lol.

SLOW PCS AT THE MOMENT ARE CURRENTLY BEING CAUSED BY SASSER SKYNETAVE.EXE - anyone with a slow PC should look at this problem first (in general).

Offline Jaminxz

  • Regular Member
  • **
  • Posts: 124
Re:Drastic system slowdown
« Reply #13 on: May 11, 2004, 22:13 »
Right guys, thanks for your help, all is now OK.

The problems I had were

1) when I ran Norton one of the viruses stopped the application
2) when I ran the windows.exe fix one of the viruses stopped the application
3) every time I tried to shut my PC down it would crash, and after it crashed I couldn't go into safe mode without scandisk
4) every time I tried to run Hijack This the virus closed it

I was quite lucky in stopping it: the shutdown countdown that the virus does started to count down, and shut down my PC. I was then able to go to safe mode, deal with all the problems in Hijack This, then after doing this I could install the Windows patch, hoorah!!


Anyway, I now have Norton 2002 installed, as well as my Omniquad firewall, so I should be pretty safe.
Thanks to all that helped, and everyone who's reading this, I urge you to get an anti-virus and firewall and download the patch for this virus!!!

Just for the record, does anyone have any ideas where this could have come from??

I only downloaded a few things recently, MP3s and vids, and they all worked. Am I right in assuming it would be a dummy file that would contain the virus?? Also I would have to execute the program, wouldn't I? And I don't remember doing that.


anyway,thanks again

Ben

Online Simon

  • Administrator
  • *****
  • Posts: 77923
  • First to score 7/7 in Quiz of The Week's News 2017
Re:Drastic system slowdown
« Reply #14 on: May 11, 2004, 23:38 »
The Sasser virus could have come from anywhere, Ben, you don't need to launch a file or open an e-mail attachment to get it, but you might be pleased to know they have caught the bugger who made it!

Downloading MP3s is fairly safe, as far as I am aware, apart from the obvious legal aspects, but even these can be viruses or trojans in disguise.  Just make sure you virus scan everything you download before you run it (right click > Scan with Norton anti-virus), and that you keep Norton updated regularly, even daily.

You would also be wise to install Spyware Blaster, which will help to keep you free of future spyware / adware, but again, this must be regularly updated, unless you pay for the Auto Update feature, which is just over £6 for the year.

Glad you got it sorted anyway - thanks for letting us know.  

 :)

