
I have some sort of Malware, requesting assistance

Woolong

Ok, now I've got a problem.

When my computer starts, it lags. a lot. And my CPU usage is 100%, generally. Then I get a win32 services error being closed by DEP (though I downloaded a fix for that and hopefully it's finished), and after a few minutes my computer stops acting slow. If I try to use Microsoft update, IE lags like no other and doesn't really even load.

I'm thinking I have a worm, which would make a bit of sense because I had that win32 services error on my last hard drive (which is currently a slave). And yes, I already ran a virus scan (McAfee).

A dll autostarts when my computer boots called nvcpl.dll, and I've been told it's a worm. However, I've also been told it's something used by nvidia's drivers, and yes, I have an nVidia graphics card.

Help is very, very much appreciated.

edit: Yes, I know I posted this below, but I figured I'd make it more convenient to those helping.

Thanks again.
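
One way to look into the question raised in the post above, whether an autostarting nvcpl.dll is the NVIDIA driver component or an impostor, is to list the autostart entries that reference it and inspect the file each one points at. This is an added example, not something posted in the thread; it assumes Windows PowerShell 5.1 or later and checks only the registry Run keys.

```powershell
# Added example (not from the thread). Assumes Windows PowerShell 5.1 or later.
$dllName  = 'nvcpl.dll'
$system32 = Join-Path $env:SystemRoot 'System32'
$runKeys  = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Property names the registry provider adds to every key; they are not autostart entries.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# Matches a drive-letter path ending in the DLL name, e.g. C:\WINDOWS\system32\NvCpl.dll
$pathPattern = '([a-z]:\\[^",]*?' + [regex]::Escape($dllName) + ')'

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -in $providerProps) { continue }
        $command = [string]$prop.Value
        if ($command -notlike "*$dllName*") { continue }

        # If the command names the DLL without a path, assume the System32 copy is loaded.
        $path = if ($command -match $pathPattern) { $Matches[1] }
                else { Join-Path $system32 $dllName }
        $exists = Test-Path -LiteralPath $path -PathType Leaf

        [pscustomobject]@{
            Key        = $key
            Entry      = $prop.Name
            Command    = $command
            Path       = $path
            Exists     = $exists
            InSystem32 = ((Split-Path -Path $path -Parent) -ieq $system32)
            Company    = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo.CompanyName }
            Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status }
            SHA256     = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
        }
    }
}
$report | Format-List
```

An entry whose file sits outside System32, is missing, or carries a company name or signature status that does not fit an NVIDIA driver file deserves a closer look; the file name alone proves nothing either way.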
 
If you don't need ctfmon.exe running, it can be turned off in XP in control panel/ regional and language settings/ languages /details/ advanced / turn off advanced text services

-Bob
 
Ok, now I've got a problem.

When my computer starts, it lags. a lot. And my CPU usage is 100%, generally. Then I get a win32 services error being closed by DEP (though I downloaded a fix for that and hopefully it's finished), and after a few minutes my computer stops acting slow. If I try to use Microsoft update, IE lags like no other and doesn't really even load.

I'm thinking I have a worm, which would make a bit of sense because I had that win32 services error on my last hard drive (which is currently a slave). And yes, I already ran a virus scan (McAfee).

A dll autostarts when my computer boots called nvcpl.dll, and I've been told it's a worm. However, I've also been told it's something used by nvidia's drivers, and yes, I have an nVidia graphics card.

Help is very, very much appreciated.
 
Ok, download HijackThis from here. Unzip the Zip file into a permanent folder.

Now rename the hijackthis.exe file to something else, like goawayevilworms.exe, and run it. Post the text from the logfile into the thread.

Also, I would uninstall McAfee, install a 30-day trialware of Kaspersky from here, and use that. Update it, reboot into Safe Mode, and run a full scan in Safe Mode. You'll need to start it manually by going to Start > All Programs > Kaspersky Anti-Virus 6.
 
And yeah, I know that Kaspersky is there. I had a portable version of it that didn't work. And I already uninstalled McAfee.
 
Weird, it has two copies of the Windows autoupdate dealiebob running 😕 The full version of Kaspersky has rootkit detection on top of everything else, so it'll be interesting to hear if it finds anything else. But maybe it's just some faulty software making trouble, too.
 
Yeah, that did, and Kaspersky is installing now.

Some things I've noticed:
-DEP is STILL blocking Generic Host Process for Win32 services
-Upon Windows loading, svchost is hogging memory usage for up to a minute, making it nearly impossible to do anything
-Windows fix for the DEP problem didn't work
 
Okay, Kaspersky only found 2 things in my F: drive. Yet I have this feeling that my problem is still here, even though after startup any lag or problems are completely gone.

I'm considering reformatting... Again. Though I'd need to completely redo my F:/ drive, deleting any and all files that aren't of my own making, which will take a long time and be a pain in the ass...

I swear, if I ever find someone who codes these kinds of things, I will beat him to death. Put a crowbar through his skull and feed his brains to hamsters.
 
Originally posted by: Woolong
Okay, Kaspersky only found 2 things in my F: drive. Yet I have this feeling that my problem is still here, even though after startup any lag or problems are completely gone.

I'm considering reformatting... Again. Though I'd need to completely redo my F:/ drive, deleting any and all files that aren't of my own making, which will take a long time and be a pain in the ass...

I swear, if I ever find someone who codes these kinds of things, I will beat him to death. Put a crowbar through his skull and feed his brains to hamsters.
Poor hamsters 🙁

What things did Kaspersky find, exactly? If you open Kaspersky and click "All threats have been neutralized," it'll list them and you can right-click > Copy their names.

 
deleted: malware not-virus:Hoax.SWF.Alerter.a File: F:\Documents and Settings\Valued Customer\Local Settings\Temp\Temporary Internet Files\Content.IE5\ONRZYKLD\ad-sp2-fastclick[1].swf
deleted: Trojan program Trojan-Downloader.JS.Agent.ab File: F:\Documents and Settings\Valued Customer\Local Settings\Temp\Temporary Internet Files\Content.IE5\5O7HRJ2G\adv773[1].htm

Both don't appear to me to be problems. They're gone anyway.

And yes, both are on a secondary hard drive. They both run Windows, and I'm having the same problems as I did before, but now with more lag.
 
All things considered, if it were me, I would back up my data files, burn that whole Windows installation to the ground, unplug all unnecessary hard drives and USB drives, and then

1) unplug all network cables & wireless networking so worms can't attack

2) start Windows Setup from a (Microsoft-made) CD, decline the offer of a Repair, and delete all the disk partitions, then hit the F3 key twice to exit from Windows Setup

3) start Windows Setup a second time and follow through, keeping the system off the network so it's safe from worms

4) using a guaranteed-clean computer, download the whole SP2 installer as well as your mobo & video drivers. Put them on a CD, install SP2 first & reboot, then mobo drivers, then video drivers. If the Windows CD has SP2 already, then you're good.

5) after SP2 is installed, enable DEP all the way, connect to the network, and go online to get Windows activated & updated.

6) refuse to install anything that the old Windows installation touched, EVAR. Get your antivirus installed & updated before hitching up the other HDD, then do a full scan of all your stuff.
 
Urge to kill rising...

1) unplug all network cables & wireless networking so worms can't attack

As in, put all of my files on my other drive and delete everything else off of said drive, including the WINDOWS folder?

2) start Windows Setup from a (Microsoft-made) CD, decline the offer of a Repair, and delete all the disk partitions, then hit the F3 key twice to exit from Windows Setup

Elaborate.

3) start Windows Setup a second time and follow through, keeping the system off the network so it's safe from worms

So basically a normal Windows install like when I first had this new HDD, only with no internet/network connection?

4) using a guaranteed-clean computer, download the whole SP2 installer as well as your mobo & video drivers. Put them on a CD, install SP2 first & reboot, then mobo drivers, then video drivers. If the Windows CD has SP2 already, then you're good.

I doubt I'll be able to do this on a computer other than my own. As for the drivers, I have those on discs. And what about the XP updates that came before SP2?

5) after SP2 is installed, enable DEP all the way, connect to the network, and go online to get Windows activated & updated.

So DEP on all the way, keeping any program but those that are Windows based from running? Ok, though I kinda think this'll backfire on me somehow.

6) refuse to install anything that the old Windows installation touched, EVAR. Get your antivirus installed & updated before hitching up the other HDD, then do a full scan of all your stuff.

Finally, I'm getting fresh installs of all of my programs on here, right? Also, other than this Kaspersky free trial, I have no virus protection. And since I can't (and won't) pay for it, unless I find a 'liberated' version of the program, I won't have any virus protection. Unless, of course, Microsoft releases a free version for Windows.



One more thing: I don't have basically any time on my hands to do this, so if it happens it'll take me about a week before I can do it.
 
As in, put all of my files on my other drive and delete everything else off of said drive, including the WINDOWS folder?
Exactly, yep, stash your stuff on your spare drive and then unplug it. Stuff that you truly can't live without, make a second backup on DVD or CD and test it.

So basically a normal Windows install like when I first had this new HDD, only with no internet/network connection?
Yeah. If you have a router, and know for sure that no other computers are sharing the router (wired or wirelessly) then you don't have to unplug. But if you plug directly into a cable modem or a college network without a router, and your Windows is pre-SP2, then you got to stay unconnected to avoid immediate worm pwnage.

Elaborate.
When you run Windows Setup, it'll go "HEY! I see a Windows installation in C:\Windows, should I repair it? :Q" and you don't want that, so keep on going until it lists the partitions on the hard drive. Ask yourself three times if you rescued EVARYTHING you want to keep, then delete all the partitions, exit Windows Setup by hitting F3 twice, and start it again. This ensures "no survivors" and keeps your bootup from having a stupid screen listing two installations of Windows to choose from.

I doubt I'll be able to do this on a computer other than my own. As for the drivers, I have those on discs. And what about the XP updates that came before SP2?
The updates that came before SP2 are all included in it, so you're good there. The reason for using a different computer is so that it doesn't infect the SP2 installation file and carry the infection right back in the door again on the new Windows installation. If you have no router, and need an alternate means of getting it online and patched, then enable the Internet Connection Firewall as shown in this guide, connect to the network, and then go straight to Microsoft's site and get that SP2 file and install it first thing.

So DEP on all the way, keeping any program but those that are Windows based from running? Ok, though I kinda think this'll backfire on me somehow.
Actually what it does, is it monitors all software for DEP violations and shuts them down if they break the rules. It doesn't forbid them from running.

Finally, I'm getting fresh installs of all of my programs on here, right? Also, other than this Kaspersky free trial, I have no virus protection. And since I can't (and won't) pay for it, unless I find a 'liberated' version of the program, I won't have any virus protection. Unless, of course, Microsoft releases a free version for Windows.
You're in luck 🙂 There is a free version of Kaspersky for non-commercial usage: John's thread with info & stuff. It's almost as good as the $50 version, just lacks some of the fancy features like Proactive Defense. Note that you should skip the optional toolbar during installation.

edit: fixed a busted link 😱
 
Exactly, yep, stash your stuff on your spare drive and then unplug it. Stuff that you truly can't live without, make a second backup on DVD or CD and test it.

Wait, what? Maybe it's because I've got a multitude of things flowing through my head, but I didn't get that. Am I formatting both drives, or just one? Because I don't have enough CDs for my things and I lack a DVD burner.

Yeah. If you have a router, and know for sure that no other computers are sharing the router (wired or wirelessly) then you don't have to unplug. But if you plug directly into a cable modem or a college network without a router, and your Windows is pre-SP2, then you got to stay unconnected to avoid immediate worm pwnage.

So, where do I download SP2 to a disc from? I have a computer I can use, I think, but I don't know how to just download SP2. Also, I'm connected to a home network, and pulling the Ethernet cable is a possibility.

When you run Windows Setup, it'll go "HEY! I see a Windows installation in C:\Windows, should I repair it? :Q" and you don't want that, so keep on going until it lists the partitions on the hard drive. Ask yourself three times if you rescued EVARYTHING you want to keep, then delete all the partitions, exit Windows Setup by hitting F3 twice, and start it again. This ensures "no survivors" and keeps your bootup from having a stupid screen listing two installations of Windows to choose from.

Oh, I'll be asking myself more than 3 times... I'm still iffy on doing this, even though this problem, whatever it is, is a pain in the ass.

The updates that came before SP2 are all included in it, so you're good there. The reason for using a different computer is so that it doesn't infect the SP2 installation file and carry the infection right back in the door again on the new Windows installation. If you have no router, and need an alternate means of getting it online and patched, then enable the Internet Connection Firewall as shown in this guide, connect to the network, and then go straight to Microsoft's site and get that SP2 file and install it first thing.

Well, if I can get a download for SP2, this shouldn't be a problem, I guess...

Actually what it does, is it monitors all software for DEP violations and shuts them down if they break the rules. It doesn't forbid them from running.

Ok, well, that makes more sense.

You're in luck 🙂 There is a free version of Kaspersky for non-commercial usage: John's thread with info & stuff. It's almost as good as the $50 version, just lacks some of the fancy features like Proactive Defense. Note that you should skip the optional toolbar during installation.

Okay. Though I despise AOL, I suppose this is alright...



Edit: I should probably state that this rig I have is almost 4 years old and this problem, at least the Windows DEP problem, originated on my old hard drive and kinda jumped over, I suppose, to my new HDD a week or so after the install. Is there a chance it's running from my old HDD?
 
Wait, what? Maybe it's because I've got a multitude of things flowing through my head, but I didn't get that. Am I formatting both drives, or just one? Because I don't have enough CDs for my things and I lack a DVD burner.
1) copy all your important stuff to the hard drive that you're not reinstalling Windows onto.

2) turn the computer OFF. Unplug the hard drive that you're not reinstalling Windows onto and leave it unplugged so your important stuff is safe.

3) if anything would make you 🙁🙁🙁 if it got lost somehow, then back up another copy of it onto a CD and test the backup to make sure it's readable

4) once your new Windows is installed and secure, then turn the computer OFF and hook up the other hard drive, turn the computer ON, boot up Windows, and scan the other hard drive for viruses right away.


So, where do I download SP2 to a disc from? I have a computer I can use, I think, but I don't know how to just download SP2. Also, I'm connected to a home network, and pulling the Ethernet cable is a possibility.
You can download the whole SP2 from this link.
 
Okay, I'll keep this topic in mind if I ever do get around to fixing this pain in the ass. I may try running Kaspersky in safe mode... Again.
 
Sure thing 🙂 One of the reasons I harp on security pretty hard, is that an infected computer can give the bad guys information you don't want them to have. They can log your keystrokes and grab your credit-card number, eBay/PayPal/bank login credentials. They can steal the CD keys for games you've got installed. They can use your machine to send Spam, host a phishing website, all sorts of stuff. Personally I'd rather reinstall and not have to wonder if my computer is pwned by someone else.

Think it's far-fetched? There's some botnets out there with over a million home computers in them.
 
And it's a shame I can't kill these worthless people. It's just a good thing I have nothing worth anything on this computer.

Edit: I do go through a router, though, does this help at all?
 
Routers are a good outer firewall layer to keep the computer from getting molested by worms or hackers on the Internet.
 
It's just odd to me that it's happening... It came from my old hard drive, at least I think, but my old hard drive didn't have the lag on startup.

Also, pictures will randomly not show up as thumbnails when I have them set to do so. What makes them thumbnails, anyway?
 