virus & spyware.

Message

ThinkPad R · #1 Post by **ThinkPad R** » Sat Mar 11, 2006 11:00 am

Hello. This is the issue.
My computer is affected by either spyware or virus.

This is what the spyware does. Any movement that I make with the mouse or program activates the spyware.

This way, one has hard time knowing if it's the spyware that's slowing down the computer or the computer itself is that slow.

I can clearly see that it is a spyware b/c my computer's paging file usage is 544MB, which is about double the amount that mine used to do.

Seriously, even when I don't do anything the CPU is about 5~7% filled.

I kept on clicking at the start button and the CPU went up to 40%.

And whatever is causing all this is running as hidden -I can't find it on my taskmanager.

Spyware doctor, ad-aware se, norton antivirus 2004, microsoft antispyware, and spybot search and destroy can't find them.

Any help? Manually? Thanks.

davidspalding · #2 Post by **davidspalding** » Sat Mar 11, 2006 3:07 pm

Youve run all that software, they all tell you you're clean, and still you think you're infected. Okaaaaay....

Tell you what, run TASKMGR and click the Processes tab, click the CPU column to sort on that, and watch and see what comes up as running and using a little nibble. Report back.

ThinkPad R · #3 Post by **ThinkPad R** » Sat Mar 11, 2006 10:26 pm

Thanks for recognizing the comical side of this situation.

Here is the list of applications running currently.

2 internet explorers
1 microsoft word
1 iTunes

Here is the list of the processors.

1. alg.exe LOCAL SERVICE 00 68K
2. iexplore.exe User 01 39,240K
3. taskmgr.exe User 01 8,864K
4. iPodService.exe SYSTEM 00 428K
5. iTunes.exe User 02 17,624K
6. cidaemon.exe SYSTEM 00 200K
7. iexplore.exe User 00 31,716K
8. WINWORD.exe User 00 11,260K
9. wdfmgr.exe LOCAL SERVICE 00 60K
10.CCAPP.EXE User 00 3,060K
11.ibmsmbus.exe SYSTEM 00 40K
12.TpKmpSvc.exe SYSTEM 00 36K
13.FreeRAM XP Pro User 00 3,584K
14.QCONSVC.EXE SYSTEM 00 60K
15.rundll32.exe User 00 648K
16.AGRSMMSG.exe User 00 456K
17.RegSrvc.exe SYSTEM 00 68K
18.PLSRemote.exe SYSTEM 00 40K
19.uvmserv.exe SYSTEM 00 64K
20. tcpsvcs.exe SYSTEM 00 40K
21.symlcsvc.exe SYSTEM 00 60K
22.fxssvc.exe SYSTEM 00 200K
23.SymWSC.exe SYSTEM 00 3,328K
24.snmp.exe SYSTEM 00 512K
25.imapi.exe SYSTEM 00 64K
26.svchost.exe SYSTEM 00 148K
27.msdtc.exe NETWORK SERVICE 00 424K
28.SAVSCAN.EXE SYSTEM 00 72K
29.jusched.exe User 00 44K
30.QCWLICON.EXE User 00 1,232K
31.iTunesHelper.exe User 00 124K
32.MDM.EXE SYSTEM 00 400K
33.tfswctrl.exe User 00 200K
34.navapsvc.exe SYSTEM 00 2,312K
35.dllhost.exe SYSTEM 00 1,008K
36.EzEjMnAp.Exe User 00 288K
37.clipsrv.exe SYSTEM 00 60K
38.dmadmin.exe SYSTEM 00 52K
39.GoogleWebAccClient.exe User 00 1,692K
40.QCTRAY.EXE User 00 2,128K
41.wmiapsrv.exe SYSTEM 00 76K
42.cisvc.exe SYSTEM 00 140K
43.TeaTimer.exe User 02 3,996K
44.SynTPEnh.exe User 00 1,684K
45.GoogleWebAccWarden.exe User 01 1,860K
46.mqsvc.exe SYSTEM 00 704K
47.ctfmon.exe User 00 408K
48.spoolsv.exe SYSTEM 00 480K
49.svchost.exe LOCAL HOST 00 996K
50.AluSchedulerSvc.exe SYSTEM 00 64K
51.svchost.exe SYSTEM 00 56K
52.aspnet_state.exe NETWORK SERVICE 00 200K
53.TPONSCR.exe User 02 340K
54.explorer.exe User 02 7,220K
55.svchost.exe NETWORK SERVICE 00 452K
56.S24EvMon.exe SYSTEM 00 388K
57.svchost.exe SYSTEM 00 5,720K
58.mqtgsvc.exe SYSTEM 00 272K
59.svchost.exe NETWORK 00 1,288K
60.TpScrex.exe User 00 164K
61.netdde.exe SYSTEM 00 708K
62.svchost.exe SYSTEM 00 308K
63.ibmpmsvc.exe SYSTEM 00 56K
64.ati2evxx.exe SYSTEM 00 416K
65.lsass.exe SYSTEM 00 1,508K
66.services.exe SYSTEM 00 988K
67.CCEVTMGR.EXE SYSTEM 00 1,744K
68.winlogon.exe SYSTEM 00 1,332K
69.csrss.exe SYSTEM 00 1,124K
70.dllhost.exe SYSTEM 00 216K
71.smss.exe SYSTEM 00 40K
72.SNDSrvc.exe SYSTEM 00 988K
73.TP98TRAY.EXE User 00 252K
74.CCSETMGR.EXE SYSTEM 00 124K
75.TPHKMGR.exe User 00 376K
76.tlntsvr.exe SYSTEM 00 76K
77.SynTPLpr.exe User 00 320K
78.snmptrap.exe LOCAL SERVICE 00 200K
79.certtool.exe User 00 436K
80.CCPROXY.EXE SYSTEM 00 2,680K
81.scardsvr.exe LOCAL SERVICE 00 36K
82.TCSSER~1.EXE vUSR_TcsServer 00 52K
83.inetinfo.exe SYSTEM 00 1,672K
84.WkDetect.exe User 00 288K
85.System SYSTEM 01 36K
86.System Idle Process SYSTEM 89 16K

86 processors! That's pretty many.

Also, remember that some processors are hidden & can't be seen on task manager.

Thanks for the help.

#4 Post by **Kyocera** » Sat Mar 11, 2006 10:28 pm

Could you post some specs on your machine too, that may help.

ThinkPad R · #5 Post by **ThinkPad R** » Sat Mar 11, 2006 11:18 pm

1.4GHz Pentium M 256MB 40 GB 4200RPM (7.82GB free) 32MB video

Windows XP Pro Service Pack 2

#6 Post by **Kyocera** » Sat Mar 11, 2006 11:22 pm

Well, you might try adding some more ram, but in the mean time try booting up in safe mode and see if you still have the slowdown.

You could also run your spyware and av programs in safe mode. Looks like you have a lot going on with that hard drive.

ThinkPad R · #7 Post by **ThinkPad R** » Sat Mar 11, 2006 11:42 pm

Thanks. Isn't Kyocera a company?

Most of the hard drive is not program but files (i.e. document, video clips).

FreeRam XP Pro says that my computer has 38 MB of RAM free.

I think it's the slow processor. CPU is the problem, I think.

Also, page file. Or is lack of RAM related to higher page file rate?

That would mean that my computer lacks RAM.

#8 Post by **Kyocera** » Sun Mar 12, 2006 12:00 am

Yes Kyocera is the company I work for. You can see the current memory usage with the Windows Task Manager in particular I would suggest you to check the "Memory Usage" and "Virtual Memory Size" and "Peak Memory Usage"columns under the Process tab (you may have to select these from the view pop up). Another option is to use more advanced Process Explorer program from Sysinternals.

You could try a diagnostic start up in System Configuaration Utility. Start >run>msconfig>general>select diagnostic startup and reboot.

Do you happen to have a lot of those desktop widgets running by any chance???

tonepaq · #9 Post by **tonepaq** » Sun Mar 12, 2006 12:29 am

86 processes

I cant get over that. I have several pc's and even on my best one {amd athalon 64 3700+ clawhammer,1gig pc3200 320gb hdd} I wont let processes exceed 30 for fear of resource hogging. 86!!!

Anyway try this run the free trial version of tune up utilities and do as it says, I personally dont think your problem involves spyware.
TuneupUtilities

If you still think its spy/adware after that, run this program(also a free trial)
Ewido

86!!!

#10 Post by **Kyocera** » Sun Mar 12, 2006 1:25 am

You can shut down a lot of these processes using the XP Task Manager.

Seriously, even when I don't do anything the CPU is about 5~7% filled.

I kept on clicking at the start button and the CPU went up to 40%.

5 to 7% is minimal, and if I click on my start menu button my cpu varies around 15% or less, but opening programs it will jump up to 30%. Select some programs to stop, and start shutting down the processes.

#11 Post by **bill bolton** » Sun Mar 12, 2006 5:15 am

tonepaq wrote:86 processes I cant get over that.

The number of processes in itself is not very significant. I'm running 88 as I type this message. With those 88 process the at rest CPU utilisation is ~ 1% (according to Rainmeter).

Cheers,

Bill

#12 Post by **carbon_unit** » Sun Mar 12, 2006 2:22 pm

Yeah Bill, but I bet you are running more than 256MB ram.

With that many processes running I would suggest more ram, at least another 256. I would be suspicious of #13 PLSRemote.exe, it does not sound good.

tonepaq · #13 Post by **tonepaq** » Sun Mar 12, 2006 2:58 pm

Good point, I didnt even bother to go over what all was running, just the amount of things that are running.

PLSRemote.exe=

RISKWARE! or potentially unwanted application. This application may have been installed by your system administrator for providing support for your machine. However this application has been used by several trojan authors and included in other trojans for malicious purposes.

ThinkPad R · #14 Post by **ThinkPad R** » Sun Mar 12, 2006 3:10 pm

Seriously? PLSRemote is a malware? I thought it was part of the system.

By the way, thanks for the ewido anti-malware & Tune up program.

Tune up program caught tons of registry unnecessities & few problems.

I'm scanning with ewido right now & I'm sure that it's going to catch some too.

So this isn't about processor, but about RAM. Right?

Wouldn't another 256MB RAM decrease my laptop's battery life?

Max battery life used to be 6hrs & usual use would last more than 4.5 hours, but now

max lasts 4.5 & usual use lasts slighlty more than 3.

I'm searching for PLSRemote but I can't. It's gone now. Perhaps Tune-up program got rid of it.

#15 Post by **Kyocera** » Sun Mar 12, 2006 6:43 pm

I think it would help your battery life, simply by decreasing the amount of virtual memory needed to run your programs, vm is using the hard drive as opposed to ram. And you would think anything that would alleviate some hard disk movement would help battery life. You definately should add another 256.

Did you ever try a dignostic start up or safe mode? I am just curious what the result would be of a nominal startup i.e. not loading all your processes.

ThinkPad R · #16 Post by **ThinkPad R** » Sun Mar 12, 2006 6:55 pm

I did & the computer was lightning fast.

I scanned & Spyware Doctor & Ad-Aware SE found some problems.

I was running Spyware Doctor & normally my CPU would be @ 100 but it was only @ 15%.

Only 10 or so processors were running. The page file rate was about 144.

I'll go for additional RAM. I put a question on the general hardware section about the subject.

#17 Post by **bill bolton** » Fri Mar 17, 2006 3:57 pm

carbon_unit wrote:Yeah Bill, but I bet you are running more than 256MB ram.

Huh? At present I'm running the same amount of RAM as tonepaq, whose comment I was specifically responding to!

Cheers,

Bill

tonepaq · #18 Post by **tonepaq** » Fri Mar 17, 2006 4:43 pm

carbon_unit was pointing out that

ThinkPad R--running 86 processes with 256mb ram
bill bolton----running 88 processes with 1024mb ram

DIGITALgimpus · #19 Post by **DIGITALgimpus** » Fri Mar 17, 2006 5:43 pm

bill bolton wrote:
tonepaq wrote:86 processes I cant get over that.
The number of processes in itself is not very significant. I'm running 88 as I type this message. With those 88 process the at rest CPU utilisation is ~ 1% (according to Rainmeter).

Cheers,

Bill

Indeed. Most people are amazed at my 80+ processes. But it doesn't matter if you have 1 or 10000.... it really doesn't.

It only matters in terms of multitasking on low end computers (RAM wise especially).

XP will put less frequently accessed data in the paging file, which is lower performance, but allows it to hold much more data than the RAM alone allows. If you run 1 or 2 programs on a typical basis, they will be in RAM, while the rest are technically in the paging file.

I personally keep a lot of programs running, right now I'm very minimal, I have only 6 windowed apps running, and lots of services (I do software and web development, so you can imagine).

With 1.5GB RAM, that's nothing. And my Idle CPU on boot, with nothing extra opened up is about ~1%. Right now with Firefox with several tabs, and a few other programs (IRC, and GAIM running) it's ranging from 2%-18% and averaging I'd say around 6%.

That's nothing.

#20 Post by **bill bolton** » Fri Mar 17, 2006 10:11 pm

tonepaq wrote:carbon_unit was pointing out that

ThinkPad R--running 86 processes with 256mb ram
bill bolton----running 88 processes with 1024mb ram

Since that wasn't what I was posting about, the relevance of the comment is still a "huh"?

Cheers,

Bill

yossarian · #21 Post by **yossarian** » Fri Mar 17, 2006 11:25 pm

I have 65 processes running and it's around 1% most of the time with 386MB of ram committed By the looks of the list you posted, I wouldn't be too worried about it aye. The only programs reporting use there are:

85.System SYSTEM 01 36K
53.TPONSCR.exe User 02 340K
54.explorer.exe User 02 7,220K
43.TeaTimer.exe User 02 3,996K
5. iTunes.exe User 02 17,624K
2. iexplore.exe User 01 39,240K
3. taskmgr.exe User 01 8,864K
45.GoogleWebAccWarden.exe User 01 1,860K

They all seem like normal programs. If you had installed R&R 2.0 you would've been faced with 'logmon.exe' which itself can use between 2% and 50% and is also not harmful. Although debatably itunes, explorer/ie and googlewebaccwarden may be bad for you

But [censored]... 256MB of ram. I wouldn't be surprised if XP's OS fingerprint was bigger than that just by itself nevermind other programs loading.

ThinkPad R · #22 Post by **ThinkPad R** » Sat Mar 18, 2006 12:19 am

I have another problem.

Everytime I right-click on a file inside a folder, explorer.exe goes up to 95%.

And right-click wont work. I cant do anything from then -the computer doesnt freeze, though.

Its just that I cant rename a folder, I cant drag it, I cant click on it in the first place...

So I thought that it was the problem with the explorer.exe.

I copied an explorer.exe onto a floppy disk --> my computer.

It still wouldnt help.

So I now know that some kind of malware is causing problems every time I right-click.

I have all the service packs installed. What should I do?

Also once the explorer.exe caused so much problem that I was forced to shut down the computer.

Remember about the CMOS problem detected by PC Doctor?

Although the pattern test didnt pass, the computer managed to boot on.

What would this mean? Thank you.

#23 Post by **Kyocera** » Sat Mar 18, 2006 8:30 am

OK this is just my opinion, because I battled with some spyware/malware two days this week on one of our secretaries desktops, about 10:30 the second night I reinstalled the OS.

Norton AV(which I hate and only used because it was already on the machine) found it but could not remove it correctly.

MS spyware beta helped but didn't get it

Adaware - same as MS spyware.

Tried several other things as well.

This stuff was pretty bad. One thing you might try first is running system file checker and see if you have a corrupted OS file. Start Run sfc /scannow and let it run. You could do the Kaspersky on line scan too.
If you get frustrated you can always save your files and start new with a restore to factory. Good luck, hope you can triumph over the evil that has landed in your midst.

ThinkPad R · #24 Post by **ThinkPad R** » Sat Mar 18, 2006 1:11 pm

C:\IBMTOOLS\APPS\RRPC\DATA2.CAB->(ishld#0003)->(ZipSfx)->VNCHOOKS.DLL

This is what Windows Defender (Beta 2), a better version of Microsoft AntiSpyware, found.

It said it was a RealVNC. Many other programs, such as Spyware Doctor, also found RealVNC.

Do everybody else find RealVNC in IBMTools in ThinkPads purchased aroudn 2004?

VNCHOOKS.DLL. Hooks? Sounds like spyware to me.

I'm not sure whether I should get rid of it.

#25 Post by **Kyocera** » Sat Mar 18, 2006 1:32 pm

I remember when i used to use Norton way back when it would always find one of my ibm files as suspect and want to let me know what it had found and if I wanted to delete it, of course i just bypassed it. You may want to search the internet with those files and see what you can dig up.

tonepaq · #26 Post by **tonepaq** » Sat Mar 18, 2006 3:33 pm

Quotes from the Spyware Information Center=

VNC stands for Virtual Network Computing. It is, in essence, a remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures. "

VNC is a non-malicious Remote Access Tool, that can be uninstalled using Add/Remove Programs. It is a useful application with many valid purposes, however trojans exist which utilize VNC's code base. Such malware may covertly install VNC and automatically configure the VNC server password, that can be used by an attacker as a backdoor into the system.

ThinkPad R · #27 Post by **ThinkPad R** » Sat Mar 18, 2006 6:31 pm

I don't think any of IBM's programs would have anything to do with remote-acess.

Non of their services, programs, etc. have anything to do with remote acess, seriously.

So... should I get rid of it?

Wait before that... do everybody else have VNC hook file in their IBMTOOLS file?

Thanks.

http://safety.live.com is Windows Live Safety Center Beta & it is scanning through my system right now.

I'm serious about this -it has caught 3 problems (consisting of 5 files).

Norton hasn't caught them. I'm amazed by this -I think Norton AV is worse than this. Serious.

Also Windows Defender Beta 2 is amazing too.

I'm disappointed at the fact that when these cease to be beta, we would have to pay for them.

christopher_wolf · #28 Post by **christopher_wolf** » Sat Mar 18, 2006 7:55 pm

I checked out my system and I don't see any VNC hooks that shouldn't be there; everything seems to be normal.

I also tried out the OneCare Live Beta; didn't like it because it seemed bloated and didn't add anything of value. It didn't catch anything that AVG didn't and it hooked itself into the entire system and re-activated the Windows Firewall.

But it couldn't possibly get as bloated as the Norton AV that comes with the Factory Preload.

ThinkPad R · #29 Post by **ThinkPad R** » Sat Mar 18, 2006 9:57 pm

christopher_wolf wrote:I checked out my system and I don't see any VNC hooks that shouldn't be there; everything seems to be normal.

Do you mean that VNCHOOK shouldn't be there at all? No where in a ThinkPad?

Mine is R40. What is yours?

christopher_wolf · #30 Post by **christopher_wolf** » Sun Mar 19, 2006 3:37 am

I checked it out via AVG and some other AVs as well as that OneCare live thing (although I don't like it much at all) I get a clean bill of health.

Although I must note that if you have a VNC hook anywhere on your system, it will flag it. Regardless if it is legitimate or not. I noticed this the first time I ran the OneCare Live beta awhile back. It would always pick up VNC. Everything else came back clean so I didn't worry as I have layered firewalls, and AVG running 24/7; so there should be no problems.

Now I *would* be concerned if it picked up a VNC hook when I didn't have VNC on my system; that would have indeed concerned my and I would have probably removed it in such a situation. So the Beta is a bit aggressive in some sense, it all depends on what programs you have installed.

virus & spyware.

virus & spyware.

Who is online