Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Log: Please help diagnose


  • Please log in to reply
2 replies to this topic

#1 psand

psand

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 16 November 2004 - 06:45 AM

This is the log from my wife's computer which is also running very slowly.

Logfile of HijackThis v1.98.2
Scan saved at 20:21:30, on 15/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv50.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\LTSMMSG.exe
C:\WINNT\system32\tp4serv.exe
C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Motive\AsstCommon\motmon.exe
C:\WINNT\SYSTEM32\sdafwqp.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MCA133.tmp\mcappins.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
C:\WINNT\system32\internat.exe
C:\WINNT\system32\ultraedit.exe
C:\WINNT\system32\SysHelp.exe
C:\Program Files\Fujitsu\Application Panel\AUVCore.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINNT\system32\ntsysman.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\f77d1zar.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [BATTERYAID] C:\Program Files\Fujitsu\BATTERYAID\BATTERYAID.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\AsstCommon\motmon.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [MSDNMess] C:\WINNT\SYSTEM32\sdafwqp.exe
O4 - HKLM\..\Run: [Ultra Edit v5.1] ultraedit.exe
O4 - HKLM\..\Run: [mcappins.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MCA133.tmp\mcappins.exe" vsocfg.ini
O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\RunServices: [Ultra Edit v5.1] ultraedit.exe
O4 - HKLM\..\RunServices: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Ultra Edit v5.1] ultraedit.exe
O4 - HKCU\..\Run: [SysHelp] SysHelp.exe
O4 - Global Startup: LifeBook Application Panel.lnk = C:\Program Files\Fujitsu\Application Panel\AUVCore.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Fujitsu Service Assistant.lnk = C:\Program Files\Fujitsu Service Assistant\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: 3Com Launcher.lnk = C:\Program Files\3Com\Launcher.exe
O4 - Global Startup: ntsysman.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Dialpad Webphone - https://www.dialpad.com/md/update/cham.cab
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://bin.mcafee.com/molbin/Shared/ComCtl...22/ComCtl32.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://stat.trafficadvance.net/dialer/305159.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB53D9F-7530-4573-9A41-804679A9B21F}: NameServer = 165.98.148.2,165.98.145.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{441D4966-518B-426F-9E98-A2635166B426}: NameServer = 212.67.96.129 212.67.96.130
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F4E18F6-6E50-4A36-8767-282F6C68B525}: NameServer = 165.98.148.2,165.98.145.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{BC1FE013-7A4A-4CD0-AC48-5C694BEBF8A4}: NameServer = 165.98.148.2,165.98.145.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FB53D9F-7530-4573-9A41-804679A9B21F}: NameServer = 165.98.148.2,165.98.145.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{1FB53D9F-7530-4573-9A41-804679A9B21F}: NameServer = 165.98.148.2,165.98.145.2

Your help is very much appreciated,
Thank you

BC AdBot (Login to Remove)

 


#2 Daisuke

Daisuke

    Cleaner on Duty


  • Members
  • 5,575 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania
  • Local time:07:03 AM

Posted 16 November 2004 - 02:57 PM

Hi

It is a good ideea to print or copy these instructions because you are not able to access the Internet in SafeMode.

Make sure you are set to show hidden files and folders:
A. On the Tools menu in Windows Explorer, click Folder Options.
B. Click the View tab.
C. Under Hidden files and folders, click Show hidden files and folders.
D. Uncheck Hide extensions for known filetypes and Hide protected operating system files.
How to see hidden files in Windows

REBOOT into SafeMode by tapping F8 key repeatedly at bootup: Starting your computer in Safe mode

Run HijackThis!, press Scan, and put a check mark next to all these:

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [MSDNMess] C:\WINNT\SYSTEM32\sdafwqp.exe
O4 - HKLM\..\Run: [Ultra Edit v5.1] ultraedit.exe
O4 - HKLM\..\Run: [mcappins.exe] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MCA133.tmp\mcappins.exe" vsocfg.ini
O4 - HKLM\..\Run: [SysHelp] SysHelp.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] ntsysman.exe
O4 - HKLM\..\RunServices: [Ultra Edit v5.1] ultraedit.exe
O4 - HKLM\..\RunServices: [SysHelp] SysHelp.exe
O4 - HKCU\..\Run: [Ultra Edit v5.1] ultraedit.exe
O4 - HKCU\..\Run: [SysHelp] SysHelp.exe
O4 - Global Startup: ntsysman.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

O16 - DPF: {FFFF0003-0001-101A-A3C9-08002B2F49FB} - http://stat.trafficadvance.net/dialer/305159.exe


Close all other windows and browsers, and press the Fix Checked button.

Search for these files and delete them if found:
C:\WINNT\system32\ultraedit.exe <-- this file
C:\WINNT\system32\SysHelp.exe <-- this file
C:\WINNT\system32\ntsysman.exe <-- this file
syslog32.exe <-- this file
C:\WINNT\SYSTEM32\sdafwqp.exe <-- this file

Clean out temporary and Temporary Internet Files. Go to Start -> Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

Empty the Recycle Bin.

REBOOT normally.

Please check Internet Explorer settings:
Open Internet Explorer - > Tools -> Internet Options ... -> click the Security tab -> click Internet icon -> press the Custom Level ,,, button.
Under ActiveX controls and plug-ins tick:
- Download signed ActiveX controls - Prompt
- Download unsigned ActiveX controls Disable
- Initialize and script ActiveX controls not marked as safe Disable
- Run ActiveX controls and plug-ins Enabled
- Script ActiveX controls marked safe for scripting Prompt

Run an online antivirus scan at:
http://housecall.antivirus.com/
Please make sure that AutoClean is checked.

Perform a full scan here: BitDefender Free Online Virus Scan
Follow the instructions on the screen.
Tick all the boxes on the left and let him remove anything it findes.

! This is very important !: Update your Windows. Doing this will make your computer more secure. Please visit Windows Update (follow this link: http://www.windowsupdate.com) to update Windows. Follow the instructions on the screen. You may have to visit more then once Windows Update to install all updates.
Not updating Windows will leave your computer vulnerable to malware and attacks.

After the installation of the last update make sure you REBOOT the computer, run HijackThis again and post a new log please.

Edited by cryo, 16 November 2004 - 02:58 PM.

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#3 psand

psand
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:08:03 AM

Posted 17 November 2004 - 08:08 PM

Thank you very much for you help.
I'm still working on this.
Will be in touch again soon.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users