Computer Running Slow


3 replies to this topic

#1 themainman

themainman

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 28 May 2005 - 07:51 PM

My computer is taking a long time to startup...longer than it used to. Also, I get the Dr Watson Postmortem Debugger error a lot. Please look at my HJT log as well as my activescan results (the active scan results are kind of troubling...I wasn't expecting so much).

Logfile of HijackThis v1.99.1
Scan saved at 7:46:27 PM, on 5/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\netuh32.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\DOCUME~1\RANDYG~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fqyre.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fqyre.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\fqyre.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fqyre.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\fqyre.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fqyre.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\fqyre.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3696D411-AAFF-8B1B-AF26-A188A09E37FD} - C:\WINNT\system32\javacw.dll
O2 - BHO: Class - {DA79624D-1225-FD49-232D-78BE2061C43F} - C:\WINNT\sysns.dll
O2 - BHO: Class - {FEC8F3C3-A995-69E4-772B-B4D822AC38E8} - C:\WINNT\system32\syslz.dll
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netuh32.exe] C:\WINNT\system32\netuh32.exe
O4 - HKLM\..\Run: [ietk.exe] C:\WINNT\ietk.exe
O4 - HKLM\..\RunOnce: [mfcak32.exe] C:\WINNT\mfcak32.exe
O4 - HKLM\..\RunOnce: [syssh32.exe] C:\WINNT\syssh32.exe
O4 - HKLM\..\RunOnce: [mfcld.exe] C:\WINNT\system32\mfcld.exe
O4 - HKLM\..\RunOnce: [iele32.exe] C:\WINNT\iele32.exe
O4 - HKLM\..\RunOnce: [crqj.exe] C:\WINNT\system32\crqj.exe
O4 - HKLM\..\RunOnce: [sysns.exe] C:\WINNT\sysns.exe
O4 - HKLM\..\RunOnce: [sysfc32.exe] C:\WINNT\sysfc32.exe
O4 - HKLM\..\RunOnce: [iedl32.exe] C:\WINNT\iedl32.exe
O4 - HKLM\..\RunOnce: [ipnv.exe] C:\WINNT\ipnv.exe
O4 - HKLM\..\RunOnce: [atlgz.exe] C:\WINNT\system32\atlgz.exe
O4 - HKLM\..\RunOnce: [msds32.exe] C:\WINNT\msds32.exe
O4 - HKLM\..\RunOnce: [apily.exe] C:\WINNT\system32\apily.exe
O4 - HKLM\..\RunOnce: [apptx32.exe] C:\WINNT\apptx32.exe
O4 - HKLM\..\RunOnce: [msyr.exe] C:\WINNT\msyr.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\mfcak32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Active Scan Results:
Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINNT\system32\netuh32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINNT\ietk.exe
Spyware:Spyware/Searchcentrix No disinfected Windows Registry
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Randy Green\Favorites\Only sex website.url
Adware:Adware/WildTangent No disinfected C:\WINNT\wt
Adware:Adware/ExactSearch No disinfected Windows Registry
Adware:Adware/SuperSpider No disinfected C:\WINNT\msxmidi.exe
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Ab scissor.url
Adware:Adware/CWS.HomeSearchAsisstantNo disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINNT\sys????.exe
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Randy Green\Application Data\msjm\msiesh.dll
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Randy Green\Application Data\msjm\msiesh.dll.new
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Randy Green\Application Data\msjm\msjm.dll
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Randy Green\Application Data\msjm\msjm.dll.new
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Randy Green\Favorites\Only sex website.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Randy Green\Favorites\Search the web.url
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Randy Green\Favorites\Seven days of free porn.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Randy Green\Favorites\Sites about\What is hydrocodone.url
Virus:VBS/Inor.AF Renamed C:\ntdetect_hta.vir
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addac32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addad.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\adday.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addaz.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addby.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addch32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addcs32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\adddl32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addeh32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addfr.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addhb.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addmd32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addne32.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\addnn32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addnp.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addnu.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\addog.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addos32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addpd32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addrt32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addsd.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addsr.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addsz32.exe
Adware:Adware/SearchAid No disinfected C:\WINNT\addtz32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addve32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addvo32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addwm.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addyp32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addys32.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\addzk.dll
Adware:Adware/Startpage.AS No disinfected C:\WINNT\addzk.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addzq.exe
Adware:Adware/SearchAid No disinfected C:\WINNT\addzt32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\addzy32.exe
Adware:Adware/Startpage.VQ No disinfected C:\WINNT\aduol.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apiba32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apibg.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apibh32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apibm32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apicg32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apiec.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apief32.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\apifm.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apija32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apika.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apikw.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apilc32.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\apilo.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apilo.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apimd.exe
Adware:Adware/Startpage.AS No disinfected C:\WINNT\apims32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apina.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apiok.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\apipn32.dll
Adware:Adware/SearchExe No disinfected C:\WINNT\apipr.dll
Adware:Adware/Startpage.AS No disinfected C:\WINNT\apipr.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apire.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\apirp32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apisc32.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\apisq32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apisq32.exe
Adware:Adware/Startpage.AS No disinfected C:\WINNT\apitb32.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\apivt32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apivz32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apiwk32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apiwu.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apixf32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apiyc.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apiye.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apizi.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\apizk32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apizk32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appau.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appbg.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appca32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apper.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appfe32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appfp.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appgh32.exe
Adware:Adware/SearchAid No disinfected C:\WINNT\appgq32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appje32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appjk32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appld.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\applp.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appmw32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appnn.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apppj32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apppl32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appqq32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apprk.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apprp32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apprs32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appsu32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appsz.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apptj32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\apptr.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appwa32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appwo32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appxt.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appxw.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appyn.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\appyz.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\appzg32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atlao32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atlcl32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atlcx32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atldc32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atlfc32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atljm.exe
Adware:Adware/SearchAid No disinfected C:\WINNT\atlkb32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atlki32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atlkj.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atlkn.exe
Adware:Adware/SearchExe No disinfected C:\WINNT\atllf32.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atlls32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINNT\atlmg.exe



#2 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:02 AM

Posted 29 May 2005 - 02:29 PM

Hello themainman and Welcome! :thumbsup:
Sorry you're having malware trouble.

First, we need to move HijackThis from:
C:\DOCUME~1\RANDYG~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

Please do the following:
Move hijackthis to the root of your C:\ drive. Double-click on My Computer; double-click on your hard drive (usually the C:\ drive), right-click on a blank area, choose New, choose Folder, name the folder hijackthis. Now, place Hijackthis.exe in this folder.

************************************************************
PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
PLEASE FOLLOW ALL THE STEPS SLOWLY AND CAREFULLY.

STEP 1:
Please make sure that you can view all hidden files.
Instructions can be found here.

STEP 2:
Please download CWShredder™ Version 2.1 here.
Save it to its own folder named CWShredder and place it at the root of your C:\ drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download AboutBuster by RubbeR DuckY here
Save it to its own folder named AboutBuster and place it at the root of your C:\ drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE here
NOTE: If you are still using the older Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.
Please configure the program by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Download the eScan Antivirus Toolkit here.
Save it to the desktop. This program is 9.9MB in size.
Don't run it yet, we will use it later.

STEP 6:
Download and install the Ewido Security Suite 3.0.
1.) Download and install the Ewido Security Suite 3.0 here
2.) Double-click on the new Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.

STEP 7:
Go to Start, Run and type in services.msc and click OK.
1.) Scroll down and find the service called Remote Procedure Call (RPC) Helper
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.

STEP 8:
Copy the contents of the Quote Box below to Notepad. Name the file as cwsfix.reg. Change the Save as Type to All Files, Save this file on the desktop.
Please DO NOT include the word QUOTE when saving the file.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F#`I]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

STEP 9:
Please reboot into Safe Mode. For instructions click here
Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).

STEP 10:
From Safe Mode, double-click on CWShredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

STEP 11:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe. When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for rogue files and automatically run a second time.

STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip, by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\ drive. (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear, click OK. After clicking OK, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box, this will create another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.

STEP 13:
From Safe Mode, run the Ewido Security Suite 3.0.
1.) Double-click on the Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click on the + Everything button.
4.) Click on the Start button.
5.) Have the program delete everything it finds.

STEP 14:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier.
Make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds.
Be sure to run the program again a second time.

STEP 15:
Now double-click on the cwsfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

STEP 16:
From Safe Mode, please delete the following files and/or folders:
Go to Start, Search, For Files or Folders, and type in each file or folder name.
Scroll down and find "More Advanced Options". Make sure "Search System Folders" and "Search hidden files and folders" and "Search system subfolders" are all checked.

(These files might already be deleted.)
C:\WINNT\ietk.exe <----Delete this file.
C:\WINNT\sysns.dll <----Delete this file.
C:\WINNT\system32\syslz.dll <----Delete this file.
C:\WINNT\mfcak32.exe <----Delete this file.
C:\WINNT\system32\javacw.dll <----Delete this file.
C:\WINNT\system32\netuh32.exe <----Delete this file.

STEP 17:
Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

Edited by SirJon, 29 May 2005 - 02:36 PM.
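The reply above works through the first log by hand: it singles out the res:// search-page hijack, the nameless BHOs in the Windows directory, the RunOnce entries, the Trusted Zone additions and the service with the garbage short name, then drafts cwsfix.reg to delete those registry keys. The script below is an added example (not from the thread and not part of HijackThis) that applies the same checks to a HijackThis v1.99.1 log and drafts the same kind of cleanup file. WINDIR and the flagging heuristics are assumptions; the input is an excerpt of the log posted in the first message.

```python
"""Triage of a HijackThis v1.99.1 log and a draft cwsfix-style .reg file.

Added example, not code from the thread or from HijackThis. The heuristics
are assumptions that mirror the entries picked out of the first log above.
"""
import re
from dataclasses import dataclass

# Assumption: the Windows directory of the posted machine, as seen in its paths.
WINDIR = r"C:\WINNT"

# Constructed input: an excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\fqyre.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {3696D411-AAFF-8B1B-AF26-A188A09E37FD} - C:\WINNT\system32\javacw.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [mfcak32.exe] C:\WINNT\mfcak32.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINNT\mfcak32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
"""

LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")
BHO_RE = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^Service: (.*?) - (.*?) - (.*)$")
SHORTNAME_RE = re.compile(r"\(\s*([^()]*?)\s*\)$")  # "(short)" at the end of the display name
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
LEGACY_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_"
ZONEMAP_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"


@dataclass
class Finding:
    section: str
    reason: str
    detail: str


def in_windir(path: str) -> bool:
    return path.strip('"').lower().startswith(WINDIR.lower() + "\\")


def in_windir_root(path: str) -> bool:
    """True when the binary sits directly in the Windows directory, not in a subfolder."""
    p = path.strip('"')
    return in_windir(p) and "\\" not in p[len(WINDIR) + 1:]


def triage(log_text: str) -> list:
    """Return the log entries a helper would ask about, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        if section in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            if value.lower().startswith("res://"):  # IE page served from a local DLL resource
                findings.append(Finding(section, "IE page redirected into a local DLL resource", key))
        elif section == "O2" and (b := BHO_RE.match(body)) and in_windir(b.group(3)):
            findings.append(Finding(section, "BHO loaded from the Windows directory", b.group(3)))
        elif section == "O4" and (r := RUN_RE.match(body)):
            hive, key, name, cmd = r.groups()
            if hive == "HKLM" and key == "RunOnce" and in_windir(cmd):
                findings.append(Finding(section, "HKLM RunOnce launching from the Windows directory", cmd))
        elif section == "O15":  # every Trusted Zone addition deserves a look
            findings.append(Finding(section, "Trusted Zone addition, review the domain or IP", body))
        elif section == "O23" and (s := SERVICE_RE.match(body)):
            display, owner, path = s.groups()
            sn = SHORTNAME_RE.search(display)
            short = sn.group(1) if sn else display
            odd_name = re.search(r"[^\w .-]", short) is not None  # e.g. 11F#`I
            if owner == "Unknown owner" and (odd_name or in_windir_root(path)):
                findings.append(Finding(section, "unknown-owner service with odd name or binary in Windows root", short))
    return findings


def build_cleanup_reg(findings: list) -> str:
    """Draft a .reg in the style of cwsfix.reg: delete the keys of flagged services and
    reset the IE ZoneMap Domains/Ranges when O15 entries were found. Review before merging."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f.section == "O23":
            lines += ["[-" + LEGACY_KEY + f.detail.upper() + "]", "",
                      "[-" + SERVICES_KEY + "\\" + f.detail + "]", ""]
    if any(f.section == "O15" for f in findings):
        for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
            for sub in ("Domains", "Ranges"):
                key = hive + ZONEMAP_KEY + "\\" + sub
                lines += ["[-" + key + "]", "", "[" + key + "]", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section}: {f.reason} -> {f.detail}")
    print(build_cleanup_reg(found))
```

The "Unknown owner" test alone is weak (the ATI service in the same log also has no owner string), which is why the script only flags such a service when its short name is garbage or its binary sits in the Windows root.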


#3 themainman

themainman
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:02 AM

Posted 11 June 2005 - 02:49 PM

I appreciate the help. Sorry it took so long for me to get back to this. I began following the instructions and I was unable to get through them all at once. Then I went out of town. I just got a chance to run everything. Here is the resulting HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 2:49:00 PM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\2Wire Wireless\Client Manager\CMTWO.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: 2Wire Wireless Client Manager.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

#4 SirJon

  • Malware Prevention
  • Malware Response Team
  • 230 posts
  • OFFLINE
  • Gender:Male
  • Local time:12:02 AM

Posted 12 June 2005 - 11:34 AM

Nice Work! :thumbsup:
Just a few items left.

Now please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R3 - Default URLSearchHook is missing


The freeware version of WeatherBug is controversial due to its usage of adware. If you are using the freeware version of the software, I would uninstall it and install a cleaner program.
Weather Pulse is a free, excellent alternative; it comes with no adware, spyware or bundled installations of software. It can be downloaded here.

You should be good to go now.
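An added example, not code from this thread or from HijackThis: a small Python parser for the "Rn - " / "On - " line format of the log posted above, with a triage pass that flags the R0/R1/R3 items SirJon lists for fixing, plus any entry that references a missing file. The sample lines are taken from the log in this thread; the parsing rules and flag heuristics are my own assumptions, not HijackThis's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")  # "R0 - ", "O23 - "

@dataclass
class HjtEntry:
    code: str            # "R1", "O4", "O23", ...
    key: Optional[str]   # registry value name for R-lines, else None
    value: str           # text after "=" for R-lines, whole body otherwise

def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Parse the Rn/Fn/Nn/On lines of an HJT log; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue  # header lines, "Running processes:" list, blanks
        code, body = m.group("code"), m.group("body")
        if code.startswith("R") and "=" in body:
            key, value = (s.strip() for s in body.split("=", 1))
            entries.append(HjtEntry(code, key, value))
        else:
            entries.append(HjtEntry(code, None, body))
    return entries

def flag_entries(entries: List[HjtEntry]) -> List[Tuple[str, str]]:
    findings = []  # (code, reason) pairs for entries worth a second look (assumed heuristics)
    for e in entries:
        if e.code in ("R0", "R1") and e.value in ("", "about:blank"):
            findings.append((e.code, "blank IE page setting: " + (e.key or "")))
        elif e.code == "R3" and "URLSearchHook is missing" in e.value:
            findings.append((e.code, "default URLSearchHook missing"))
        elif e.code == "R1" and "SearchURL" in (e.key or ""):
            findings.append((e.code, "search URL overridden: " + e.value))
        elif "(file missing)" in e.value:
            findings.append((e.code, "entry points at a missing file"))
    return findings

# Constructed sample: a handful of lines in the format the log above uses.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
"""
```

Running `flag_entries(parse_hjt_log(SAMPLE_LOG))` returns the four R-line findings SirJon asked to have fixed and the WeatherBug entry whose file is gone, while the ordinary QuickTime O4 entry is left alone.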
