 Infection Windows 2000 |
Welcome Guest ( Log In | Click here to Register a free account now! )
Register a free account to unlock additional features at BleepingComputer.com
Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal > Misplaced HJT Logs  |
 Jan 21 2008, 09:23 AM
Post
#1
|
|
|
New Member  Group: Members Posts: 1 Joined: 21-January 08 Member No.: 184,991  |
I've got this infected machine which has Windows 2000 Operating system. It is running painfully slow. 1) Task manager is disabled 2) It needs registry cleanup also. 3) when I tried to manually delete infected files line Wml.exe, lqai.exe from folders ( Infected files has copies on both the folders) In repaeearrs back. a) C:\winnt .  C:\winnt\system324) system is painfully slow Any repsponse will be highly appreciated. Please find attached herewith Hijackthis report: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 8:58:56 AM, on 1/21/2008 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000) Boot mode: Safe mode Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\lpcywinp.exe C:\WINNT\Explorer.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll F3 - REG:win.ini: load=C:\WINNT\system32\oppqq.exe F2 - REG:system.ini: UserInit=C:\WINNT\system32\lpcywinp.exe,C:\WINNT\system32\userinit.exe O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbHostIE.dll O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd O4 - HKLM\..\Run: [hp 1000 firmware] C:\Program Files\hp LaserJet 1000\fwdl.exe O4 - HKLM\..\Run: [Winsock2 drivers] WINLOADER.EXE O4 - HKLM\..\Run: [Yahoo Instant Messenger] WYMSGR32.EXE O4 - HKLM\..\Run: [Windows Config] ISEAKA.EXE O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART O4 - HKLM\..\Run: [Graphics Loader v3.0] GRAICS.EXE O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103215750\EE\AOLHostManager.exe O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe O4 - HKLM\..\Run: [VerizonServicepoint.exe] C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.8.4.0\SbOEAddOn.exe O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\Bin\484~1.0\SBInst.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\j2re1.4.2_15\bin\jusched.exe" O4 - HKLM\..\Run: [ntdll.dll] "C:\PROGRA~1\PURENE~1\PORTMA~1\PO6634~1.EXE" -Run O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKCU\..\Run: [HyperSend-1-www.hypersend.com] "C:\Program Files\HyperSend\HyperSend.exe" /host=www.hypersend.com /cid=1 O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [A00F22D492.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F22D492.exe O4 - HKCU\..\Run: [Oeas] "C:\PROGRA~1\YMANTE~1\mmc.exe" -vt yazb O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe O4 - HKCU\..\Run: [Fjnficx] "C:\Program Files\Common Files\W?nSxS\w?auboot.exe" O4 - HKCU\..\Run: [ntdll.dll] ctfmon.exe O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [Winsock2 driver] TASKMGER.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [Winsock2 drivers] orxpcrupo.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [Graphics Loader v3.0] GRAICS.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [Yahoo Instant Messenger] WYMSGR32.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [Windows Config] ISEAKA.EXE (User 'Default user') O4 - Startup: HotSync Manager.lnk = palmOne\HOTSYNC.EXE O4 - Startup: Mendi Medical Menu.lnk = C:\mms\MedicalMenu.exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: PowerReg Scheduler .exe O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Administrator\Local Settings\Temp\T0CHD001 .exe O4 - Global Startup: DataViz Inc Messenger.lnk = Common Files\DataViz\DvzIncMsgr.exe O4 - Global Startup: Iomega QuikSync 3.lnk = Iomega QuikSync 3\quiksync3.exe O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...DSL/tgctlcm.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab O16 - DPF: {89242969-422B-46BF-B0D5-6A7B7DC4D0E0} (NAS Finder Helper) - http://192.168.101.230/nafcom.cab O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility.com/ins...ckerutility.cab O16 - DPF: {D3B68056-8629-4E1F-A92E-B1D2CFF03B3A} (IEPrinter Class) - https://www.hipusa.com/webproxy/23331579/pr...l/RMUtilsIE.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejewele...ploader_v10.cab O16 - DPF: {F9DED47C-5B9F-4119-BAAF-E772E1BB551E} (HyperSend Agent) - https://www.hypersend.com/img/0/setup/hsc_win.exe O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe O23 - Service: IomegaAccess - Iomega Corporation - C:\WINNT\System32\IomegaAccess.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE O23 - Service: Pervasive.SQL 2000 (relational) - Pervasive Software Inc. - C:\PVSW\BIN\W3SQLMGR.EXE O23 - Service: Pervasive.SQL 2000 (transactional) - Unknown owner - C:\PVSW\BIN\NTBTRV.EXE O23 - Service: Retrospect Launcher (RetroLauncher) - EMC Dantz - C:\Program Files\Dantz\Retrospect 7.0\retrorun.exe O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE O23 - Service: Sophos Agent - Sophos Plc - C:\Program Files\Sophos\Enterprise Console\Remote Management System\ManagementAgentNT.exe O23 - Service: Sophos Certification Manager - Sophos Plc - C:\Program Files\Sophos\Enterprise Console\CertificationManagerServiceNT.exe O23 - Service: Sophos Management Service - Sophos Plc - C:\Program Files\Sophos\Enterprise Console\MgntSvc.exe O23 - Service: Sophos Message Router - Sophos Plc - C:\Program Files\Sophos\Enterprise Console\Remote Management System\RouterNT.exe O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe -- End of file - 12646 bytes
Attached File(s)
|
 |
 
|
|
Jan 21 2008, 09:38 AM
Post
#2
|
|
 Bleepin' Conundrum Group: Global Moderator Posts: 10,633 Joined: 26-April 04 From: 65 miles due East of the "Logic Free Zone", in Md, USA Member No.: 235 |
I have moved your Topic that includes a HijackThis log here to the Misplaced HJT Logs forum. You posted your log in a forum not intended for HijackThis logs analysis and probably missed the directions we provide to those who require assistance. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware anlaysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well meaning or not.
Prior to posting a HJT log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system. Please complete all the steps in the Guide. If you have performed some of them already, then just continue with the next. If you can't perform a step, then skip it and continue with the next. The last step will include downloading and using the most current version of HijackThis if the first line of your log does not appear as follows: Logfile of Trend Micro HijackThis v2.0.2 Please note that it is important that HijackThis be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly. When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Guide to post a new log. Please DO NOT post any more logs to this topic, or post a log again in the wrong forum. The Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for. When your new HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done. Thanks for your cooperation and good luck. The BC Staff |
|
|
|
|
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:
| Lo-Fi Version | Time is now: 9th January 2009 - 04:59 AM |
© 2003-2008 All Rights Reserved Bleeping Computer LLC.