Can't do anything after start-up

KnickNut3

Platinum Member
Oct 1, 2001
2,382
0
0
Hey, since I reformatted and added a hard drive I've been having problems. When I boot up, at least half the time, the PC won't open anything (besides the stuff it has to open at startup). It'll open Kerio, PeerGuardian, Weather Watcher, AntiVir, AIM, whatever. Then, when I try to open a folder, it either (a) won't open at all, or (b) opens the folder but takes forever to display the contents. Often CTRL+ALT+DEL won't work. When I do get it to work it doesn't show anything using a lot of CPU or memory, and nothing besides what I know is open. It often won't reboot without hard resetting it and hoping the problem doesn't come back next time, and I've tried deactivating all but the most essential applications to the same effect. I run virus scanning regularly, as well as spyware and trojan scanning.

Today, I opened Kerio while troubleshooting, and I see over 1MB/s of incoming traffic! It's at 1200 KB/s as we speak, almost constant with maybe short lulls every 20 seconds. Even if I hit "Stop All Traffic" it doesn't stop. I went to the overview tab but see just 2.4kb/s traffic from "System" and nothing else.

Do I have some kind of virus or trojan? 0kb/s outgoing, 1200KB/s incoming, and nothing runs right...
 

KnickNut3
Looks OK to me. I pasted it at http://hijackthis.de/ and the only unknowns were PostgreSQL and one poker installer that I removed.


Logfile of HijackThis v1.99.1
Scan saved at 1:22:49 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Weather Watcher\ww.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Wallpaper Master\Wallpaper.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\Poker\PostgreSQL\bin\pg_ctl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\Pharos\Bin\CTskMstr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
D:\Poker\PostgreSQL\bin\postmaster.exe
D:\Poker\PostgreSQL\bin\postgres.exe
D:\Poker\PostgreSQL\bin\postgres.exe
D:\Poker\PostgreSQL\bin\postgres.exe
D:\Poker\PostgreSQL\bin\postgres.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\ObjectDock\ObjectDock.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WallpaperChanger] C:\Program Files\Wallpaper Master\Wallpaper.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Poker\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\Poker\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {360E40AA-EE8B-4101-BA67-0CAD3F7A48DD} (Nyoko Downloader Class) - http://www.gamingclubpoker.com/download_helper/Nyoko.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - D:\Poker\PostgreSQL\bin\pg_ctl.exe
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\Pharos\Bin\CTskMstr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\Sandra\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\Sandra\RpcSandraSrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
 

KnickNut3
Weird... I tried tracking bandwidth with SIW as well, and it doesn't display the huge jumps that Kerio does. It does, however, show the large CPU usage increases when Kerio shows big traffic.

On the off chance that Kerio is going nuts, I'll try installing another firewall then closing Kerio... but would appreciate the help in the meanwhile.
 

BadThad

Lifer
Feb 22, 2000
12,100
49
91
Try Process Explorer, a screenshot of all the running processes would help. What is that weatherwatcher program? Personally, I'd chitcan that and just add a links button to weather.com or something. Definitely can all that Partypoker malware, garbage.

Why is there a SQL server running? Is this required for RoboForm?

O23 - Service: PostgreSQL Database Server 8.0 (pgsql-8.0) - PostgreSQL Global Development Group - D:\Poker\PostgreSQL\bin\pg_ctl.exe

You have macrovision content protection running on your PC! Disable it!

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

Also, you don't need the Sandra services running unless you benchmark everyday:

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\Sandra\RpcDataSrv.exe
 

KnickNut3
Um, Party Poker is my job ;) PostgreSQL is required to log poker statistics. (We use SQL databases.) Weather Watcher is the most bloat-free weather tray service, although I already disabled it for the time being.

Process Explorer won't open when I'm having these problems. When I do get it to open it doesn't show anything huge.

I tried running the whole malware suite and nothing much came up. I installed Sygate and it stopped the astronomical numbers, but my machine still seems to be grinding as Sygate is working extremely hard to stop all this traffic apparently. If I go into the traffic log I see a ton of blocked stuff--- ICMP from 192.168.1.1 (isn't that my reference to myself? to my non-existent router/gateway?) and UDP from 152.3.xx.xxx. The numbers vary but those first 4 digits are the same as my IP.

Note: If I disable the connection in "Network Connections" the grinding stops and I'm fine until I reactivate it.

ntoskrnl.exe and ndisuio.sys are the only things it asks me about, and they seem to be OK.

HELP! Thanks...
 

KnickNut3
No router--I'm on a university campus.

I've been using Kerio and Sygate as described.

OK, so some internet research on ndisuio.sys said that it does cause internal traffic that is unnecessary, and it instructed me on how to disable it. I did that, and things seemed OK but soon got worse. When going into Kerio, I saw that of my 1000KB/s traffic, 995 of it was allocated to "System," and all of that was coming "in" from 1 IP address, which has the same first two sets of numbers as my IP, but a different last two. I have no idea what's going on... If I try Sygate, it blocks all the bad stuff, but that takes so much work my computer is even more crippled.

I rebooted and still have it again, very choppy traffic going from 0 to 900KB/s and back every 8 seconds or so (with the breaks about 2-5 seconds).

UPDATE - 1100KB/s traffic in Kerio now corresponds to "DPCs" - Deferred Procedure Calls - in Process Explorer. Uses up to 50% of CPU.
 

KnickNut3
Still got it... :( This is driving me nuts... why would I be downloading nothing at 1200KB/s for 30 seconds on, 5 seconds off?
 

KnickNut3
Hmm, I actually am at Duke... didn't see that thread.

Guess it's a Duke problem... our OIT is a bit incompetent at times.

Well, according to PeerGuardian, I was getting tons of hits from 137 and 138, all within Duke's range. Looks like many ISPs block UDP 137, 138, and 139 because they're frequently abused.
So I blocked them via Kerio's packet filter, and they stopped showing up on PeerGuardian. I only get about 1/10 the packets now (so about 3 or 4 per second) from random 4 and 5 digit ports, but the speed is still up around 1MB/s.

Any ideas? This has been going on for weeks... :(
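As an added illustration (not code from this thread or from any of the tools named in it), here is a small Python script that does the bookkeeping a user in this situation would want before calling IT: it takes firewall-style log lines, measures how much of the inbound volume is NetBIOS (UDP 137-139) from the campus network, and shows what would still arrive once those ports are dropped. The log line format, all IP addresses and the 152.3.0.0/16 range are constructed assumptions.

```python
"""Aggregate inbound packets from a constructed firewall log to characterise a NetBIOS flood."""
import ipaddress
from collections import Counter

NETBIOS_PORTS = {137, 138, 139}   # UDP NetBIOS name / datagram / session ports

# Constructed sample log (not from the thread): "PROTO src:sport -> dst:dport bytes"
SAMPLE_LOG = """\
UDP 152.3.10.20:137 -> 152.3.55.7:137 229
UDP 152.3.10.21:138 -> 152.3.55.7:138 243
UDP 152.3.12.9:137 -> 152.3.55.7:137 229
ICMP 192.168.1.1:0 -> 152.3.55.7:0 84
UDP 152.3.14.3:4521 -> 152.3.55.7:45512 1400
UDP 152.3.14.3:4521 -> 152.3.55.7:45512 1400
TCP 64.233.160.1:443 -> 152.3.55.7:3200 1500
"""

def parse_line(line):
    """Split one log line into (proto, src_ip, src_port, dst_ip, dst_port, size)."""
    proto, src, _, dst, size = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return proto, sip, int(sport), dip, int(dport), int(size)

def is_netbios(proto, sport, dport):
    return proto == "UDP" and (sport in NETBIOS_PORTS or dport in NETBIOS_PORTS)

def summarize(log_text, local_ip, local_net="152.3.0.0/16"):
    """Count inbound packets/bytes to local_ip, how many are NetBIOS and from the local /16."""
    net = ipaddress.ip_network(local_net)
    stats = {"total_bytes": 0, "netbios_pkts": 0, "netbios_bytes": 0,
             "same_net_pkts": 0, "bytes_by_src": Counter()}
    for line in log_text.splitlines():
        proto, sip, sport, dip, dport, size = parse_line(line)
        if dip != local_ip:          # only inbound traffic to this host
            continue
        stats["total_bytes"] += size
        stats["bytes_by_src"][sip] += size
        if ipaddress.ip_address(sip) in net:
            stats["same_net_pkts"] += 1
        if is_netbios(proto, sport, dport):
            stats["netbios_pkts"] += 1
            stats["netbios_bytes"] += size
    return stats

def remaining_after_netbios_block(log_text, local_ip):
    """Bytes per source that would still arrive if inbound UDP 137-139 were dropped."""
    left = Counter()
    for line in log_text.splitlines():
        proto, sip, sport, dip, dport, size = parse_line(line)
        if dip == local_ip and not is_netbios(proto, sport, dport):
            left[sip] += size
    return left
```

Run on the sample, the NetBIOS packets are the majority by count but a minority by bytes, and the top remaining source is a single campus host on a high port, which is the kind of evidence that separates "noisy LAN chatter" from "one peer is saturating me".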
 

Mo0o

Lifer
Jul 31, 2001
24,227
3
76
Ok, I've alleviated this situation by plugging a router between my computer and the wall.
You can probably get a cheapy router for 10 bucks.
 

KnickNut3
Yeah, listen to Spidey... I'm sending them an e-mail, you should too. Call them tomorrow if you can.
 

KnickNut3
So, what do you suggest I say to IT tomorrow? I'm getting a pretty consistent 1MB/s stream of packets through ports 137, 138, and random 4- and 5-digit numbers from Duke web addresses? Any hypotheses/ways to word it so they won't stupidly say "it's your machine, not our network"?

Thanks.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: KnickNut3
Any hypotheses/ways to word it so they won't stupidly say "it's your machine, not our network"?
I wouldn't worry about it much. I'm sure they've seen this before.