Author Topic: System resources consumed but no virus or malware?  (Read 1440 times)

zer0nix

  • Guest
System resources consumed but no virus or malware?
« on: October 03, 2004, 03:36:17 PM »
howdy y'all... for some inexplicable reason my system has been acting slow as of late - REAL slow, like right clicking anything causes the system to hang for 15 seconds and opening anything can cause hangups that last as long as a minute... i've run the latest versions of spybot, adaware, spysweeper and nod32 but can't find any malware beyond the occasional cookie... spysweeper's startup shield does detect "svhost" and "schedulingagent," both programs which i can't seem to remove; however both entries preceded this sudden bout of extreme system slowness... i really can't explain it and it seems neither can my antivirus/malware programs...


 i am running windows 98 on a 450mhz pentium 3 with 384mb ram... here's what i get when i run hijack this 1.98:


Logfile of HijackThis v1.98.2
Scan saved at 1:24:07 PM, on 10/3/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\DISKEEPER\DKSERVICE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ESET\NOD32KRN.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\ESET\NOD32KUI.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\OPERA7.23\OPERA.EXE
D:\TEMP\AKIRA(ALL COLOR-INCLUDE ARTBOOK)\NEW FOLDER (2)\NEW FOLDER (4)\HIJACK THIS 1.98\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\User1\prefs.js)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: (no name) - {AC73AB16-BFB2-11CA-FBAE-CA9E1863C3EF} - (no file)
O2 - BHO: (no name) - {CBB0A6A0-8430-11D4-814D-0050047090B1} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {2B8D0655-E928-6AD0-AA66-54783D97577A} - C:\WINDOWS\SYSTEM\LNNKVH.DLL (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRAM FILES\FLASHGET\FGIEBAR.DLL
O3 - Toolbar: Nocs Bar - {8E1E80F3-A3F0-41d4-BAA7-470442CFC906} - C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NOCS.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O4 - HKLM\..\Run: [CloneCDTray] "D:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [3dfx Tools] rundll32.exe 3dfxCmn.dll,CMNUpdateOnBoot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [DkService] C:\Program Files\Diskeeper\DkService.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: Encoder Agent.lnk.disabled
O4 - Startup: ScanPanel.lnk.disabled
O4 - Startup: Kodak EasyShare software.lnk.disabled
O4 - Startup: Office Startup.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - D:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - D:\PROGRAM FILES\FLASHGET\jc_all.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\AIM\AIM.EXE
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRAM FILES\FLASHGET\FLASHGET.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Nocs Bar - {9F772CA3-F464-4654-9073-C18749E197E4} - C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NOCS.DLL
O9 - Extra 'Tools' menuitem: Nocs Bar - {9F772CA3-F464-4654-9073-C18749E197E4} - C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\NOCS.DLL
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .cgi: C:\PROGRA~1\INTERN~1\PLUGINS\NPZip-IT.dll
O12 - Plugin for .viv: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npviv32.dll
O12 - Plugin for .asx: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O12 - Plugin for .rar: C:\PROGRA~1\INTERN~1\PLUGINS\NPZip-IT.dll
O12 - Plugin for .pk3: C:\PROGRA~1\INTERN~1\PLUGINS\NPZip-IT.dll
O16 - DPF: {8D37126F-C08C-11D4-A248-005056BF3741} - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {7D699C5B-FA08-11D0-BC8E-0020AFFA71B6} (Atomic3D Control) - http://www.atomic3d.com/download/bin/a3dx1456.cab
O16 - DPF: {9E7138EE-4E7B-11D5-94EF-006008A4ED7F} - http://www.sex-jp.net/if02/oth/DialX16.CAB
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {130AC32C-DE0D-43EF-AD82-2599E9F95153} (XEng001.XEng001Ctl) - http://www.uranus.dti.ne.jp/~picpic/001/XEng001.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {9771C160-AD19-11D5-91BE-0048546CB511} - http://216.176.203.29/data/program3/download.exe
O16 - DPF: {CF7DAC31-D63B-11D2-837B-00A0C95AB0A4} (EVA Active Control) - http://www.sharp.co.jp/sc/excite/evademo/acxeva.cab
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55272} (xload Class) - http://217.160.140.67/download/xloader8.cab
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55275} (xload Class) - http://217.160.140.67/download/xloader9.cab
O16 - DPF: {5DB05CB8-7751-469D-A1DD-45C8C201C013} (Blender 3D Plug-in Active X Control) - http://download.blender.org/release/plugin...der3DPlugin.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {9B376BB3-73E3-11D2-8CD6-00A0C9A0F04D} (FontLapper Class) - http://www.incrementp.co.jp/pc/dynatypo/ac...vex/webfont.ocx
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {0D4B9606-1FEF-43B0-B76E-43150B060AEB} (JPEG2000 Decoder ActiveX) - file://C:\Program Files\Algo Vision LuraTech\Algo Vision LuraTech ActiveX Controls Setup\jp2x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {20359788-0CE3-4AEC-BA27-2B36B4E2E301} - https://www.opinionsquare.com/globalconfig/...ngc_activex.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://mirror.worldwinner.com/games/v55/cu...cubis/cubis.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPD...DC_1_0_0_44.cab
O19 - User stylesheet:  (file missing)
someone, please help? :( rebooting does not solve the problem and the slowness is something extreme... i thank y'all for your time...

Guest

  • Guest
System resources consumed but no virus or malware?
« Reply #1 on: October 03, 2004, 03:52:49 PM »
perhaps i should mention that a virus once destroyed my norton antivirus 2004... i was unable to uninstall or reinstall the program, hence i purchased nod32...
i should mention also that looking over nod32's virus log i noted these entries:


Time   Module   Object   Name   Virus   Action   User   Info
10/3/04 8:24:23 AM   AMON   file   C:\WINDOWS\TEMP\AAWTMP\C140567\2E4D7\sbRecovery.reg   Reg/StartPage trojan   error while deleting - error quarantining the object  -  - error while deleting      
10/3/04 7:27:35 AM   AMON   file   C:\WINDOWS\TEMP\AAWTMP\C679756\2ECA5F\sbRecovery.reg   Reg/StartPage trojan   error while deleting - error while renaming - error quarantining the object  -  - error while deleting      
Time   Module   Object   Name   Virus   Action   User   Info
9/19/04 8:19:27 AM   AMON   file   C:\WINDOWS\Temporary Internet Files\Content.IE5\K1QJGH23\http[1].hta   VBS/StartPage.J trojan   error while deleting - error while deleting - error while renaming - error quarantining the object  -  - error while deleting      
PS: is there a way for me to block everything from one address (http:\\, not ip) from ever uploading content to or otherwise accessing my pc? i see a whole lot of these:

Time   Module   Object   Name   Virus   Action   User   Info
10/3/04 4:29:09 AM   IMON   file   http://www.businesschannelnews.com/page/http.asp   VBS/StartPage.J trojan   connection terminated      

-and would just like to block that page from my pc so it can never be accessed...

many thanks again!

guestolo

  • Guest
System resources consumed but no virus or malware?
« Reply #2 on: October 03, 2004, 05:48:08 PM »
Your log isn't that bad, but let's remove some entries and get some more protection on your system

I'll assume that you installed the NOC's toolbar on purpose, so we'll leave that entry alone

Download this small utility to your desktop, this will help you delete the contents of the Temp folders
Internet Sweeper
Double click to Install, we'll run this later

Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed, including this one

O2 - BHO: (no name) - {AC73AB16-BFB2-11CA-FBAE-CA9E1863C3EF} - (no file)
O2 - BHO: (no name) - {CBB0A6A0-8430-11D4-814D-0050047090B1} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {2B8D0655-E928-6AD0-AA66-54783D97577A} - C:\WINDOWS\SYSTEM\LNNKVH.DLL (file missing)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

The above 2 may have been set by Spybot or Spysweeper, you can fix them

O16 - DPF: {9E7138EE-4E7B-11D5-94EF-006008A4ED7F} - http://www.sex-jp.net/if02/oth/DialX16.CAB
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {130AC32C-DE0D-43EF-AD82-2599E9F95153} (XEng001.XEng001Ctl) - http://www.uranus.dti.ne.jp/~picpic/001/XEng001.CAB
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://nprotect1.gravity.co.kr/nprotect/npx.cab
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55272} (xload Class) - http://217.160.140.67/download/xloader8.cab
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55275} (xload Class) - http://217.160.140.67/download/xloader9.cab


Open Internet Sweeper and check only these options for now
Under Microsoft Windows 98
Check>>>>Recent Documents==Recycle Bin===Temp Directory

Under Internet Explorer 6
Check>>>>Cache==Cookies===History===Addresses

Under Internet Sweeper 1.8.4
Check>>>Delete Files that are in use when Windows Restarts

After you have just the above checked Click on the SWEEP button>>>Continue
Let it do its job
RESTART your computer to Finish cleaning

After Restart
You should download these 2 utilities; they don't run in the background
They just silently help to protect your privacy---Take a look
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==IE Spyad Tutorial
Download link==IE-Spyad download link
Scroll down and click on IE-SPYAD.EXE Free!

Post back with a Fresh hijackthis log afterwards and let me know how things are going
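To make the kind of log review guestolo does above repeatable, here is an added Python example (it is not part of the thread and not HijackThis's own code) that parses HijackThis log lines and flags the same categories of entries he picked out: O2 BHOs whose DLL is gone, O6 Internet Explorer policy restrictions, and O16 ActiveX downloads fetched from a raw IP host or carrying a dialer-style name. The sample lines are copied from the log posted earlier in the thread; the heuristics are my own and cover only part of what a human reviewer would check.

```python
import re

# Leading section tag of a HijackThis line: "O2 - ...", "O16 - ...", "R0 - ..." etc.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# URL whose host is a bare IPv4 literal (no DNS name at all).
IP_HOST_RE = re.compile(r"^https?://(\d{1,3}\.){3}\d{1,3}(/|$)")

# Lines taken from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {AC73AB16-BFB2-11CA-FBAE-CA9E1863C3EF} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_5_0.DLL
O2 - BHO: (no name) - {2B8D0655-E928-6AD0-AA66-54783D97577A} - C:\WINDOWS\SYSTEM\LNNKVH.DLL (file missing)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {D22AC3EF-B7D8-11D5-A281-005056BF0101} - http://dist02.chargitdial.com/chargitplug.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {8C6C6922-6258-44AC-9912-53964AC55272} (xload Class) - http://217.160.140.67/download/xloader8.cab
"""


def triage_line(line):
    """Return (section, reason) if the line matches one of the review
    heuristics used in this thread, otherwise None (review heuristics are
    my own, not a HijackThis feature)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "O2" and ("(no file)" in body or "(file missing)" in body):
        # A BHO CLSID still registered but its DLL is gone: orphaned, safe to fix.
        return (sec, "orphaned BHO entry, DLL no longer on disk")
    if sec == "O6" and "Policies\\Microsoft\\Internet Explorer" in body:
        # Often set by anti-spyware tools themselves; confirm before fixing.
        return (sec, "IE policy restriction present, confirm which tool set it")
    if sec == "O16":
        url = body.split(" - ")[-1].strip()  # the download URL is the last field
        if IP_HOST_RE.match(url):
            return (sec, "ActiveX control downloaded from a raw IP host: " + url)
        if "dial" in url.lower():
            return (sec, "ActiveX control with a dialer-style name: " + url)
    return None


def triage_log(text):
    """Return [(line, section, reason), ...] for every flagged line."""
    hits = []
    for ln in text.splitlines():
        hit = triage_line(ln)
        if hit:
            hits.append((ln, hit[0], hit[1]))
    return hits
```

Run `triage_log(SAMPLE_LOG)` to see the five flagged entries; everything it does not flag still deserves a manual look, as guestolo's list (XEng001, npx.cab) shows.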

guestolo

  • Guest
System resources consumed but no virus or malware?
« Reply #3 on: October 03, 2004, 05:52:16 PM »
Forgot to add, you will want to completely remove Norton Antivirus 2004

You can try their utility from their website and follow the instructions outlined
Norton 2004 Uninstallation