
IE (and comp?) lagged out



#1 lbalceda


Posted 06 July 2004 - 12:48 PM

Not too sure exactly what is causing this... I leave this computer on all the time; it is a brand new server running Windows 2003 Server Standard Edition. I ran both Spybot S&D and Ad-Aware -- I keep hitting fix but the problems keep coming back after every restart or even over several hours of letting the machine sit there idling.

Also, Internet Explorer is very lagged out. It used to be instantaneous but now takes a good 30 seconds to open sometimes -- it will open but be all white and semi-'frozen' until it gets around to starting the homepage [which is set to msn.com]... Moving an IE window around the screen is also very lagged out.

Thanks for anything,
-Luis


Logfile of HijackThis v1.98.0
Scan saved at 1:24:31 PM, on 7/6/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
d:\CFusion\Bin\cfserver.exe
d:\CFusion\Bin\cfexec.exe
d:\CFusion\Bin\cfrdsservice.exe
d:\CFusion\JRun\bin\JRun.exe
d:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
d:\CFusion\jre\bin\ntConsoleJava.exe
d:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
d:\CFusion\Bin\Service_AuthSrvr.exe
d:\CFusion\Bin\Service_AzSrvr.exe
d:\CFusion\Bin\smservauth.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
d:\CFusion\Bin\smservaz.exe
d:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\SCANJET\PrecisionScanPro\HPLamp.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
C:\Documents and Settings\luis\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft...=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://icc2003server...efault Web Site
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [HP Lamp] D:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ICC
O17 - HKLM\Software\..\Telephony: DomainName = ICC
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ICC
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ICC
O18 - Protocol: dynascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\system32\mshtml.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

#2 RubbeR DuckY


Posted 06 July 2004 - 12:57 PM

Hi, first can you search your computer for hardAdmin.htm and zip it up? Then send it to...

Here

Finally delete that file.

Then download About:Buster and unzip it to your desktop. Start it, hit OK, Start, and OK again to start the scan. It will generate a log. Post that log along with a new HijackThis log here.


Ducky
Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation


#3 lbalceda


Posted 06 July 2004 - 03:44 PM

Not too sure, but the log from About:Buster seems a little short:

About:Buster Version 1.25
Attempted Clean Of Temp folder.
Pages Reset... Done!


And a new HijackThis log:



Logfile of HijackThis v1.98.0
Scan saved at 4:44:36 PM, on 7/6/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
d:\CFusion\Bin\cfserver.exe
d:\CFusion\Bin\cfexec.exe
d:\CFusion\Bin\cfrdsservice.exe
d:\CFusion\JRun\bin\JRun.exe
d:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
d:\CFusion\jre\bin\ntConsoleJava.exe
d:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
d:\CFusion\Bin\Service_AuthSrvr.exe
d:\CFusion\Bin\Service_AzSrvr.exe
d:\CFusion\Bin\smservauth.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
d:\CFusion\Bin\smservaz.exe
d:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\SCANJET\PrecisionScanPro\HPLamp.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\luis\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://icc2003server...efault Web Site
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [HP Lamp] D:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ICC
O17 - HKLM\Software\..\Telephony: DomainName = ICC
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ICC
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ICC
O18 - Protocol: dynascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\system32\mshtml.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Edited by lbalceda, 06 July 2004 - 03:45 PM.


#4 RubbeR DuckY


Posted 06 July 2004 - 03:50 PM

Hi, OK, you don't have that version of About:Blank.

Open HijackThis and tick the boxes next to these items...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://icc2003server...efault Web Site


I'm not sure about this item... I think it's bad (don't tick it just yet).

O18 - Protocol: dynascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\system32\mshtml.dll

Then close all windows and hit "Fix checked". Restart your computer.

Search your computer for

hardAdmin.htm
fpadmdll.dll

Send these files to the address above. Then delete them. Post a new HijackThis log.

#5 RubbeR DuckY


Posted 06 July 2004 - 03:53 PM

OK, I got the first file :).

#6 RubbeR DuckY


Posted 06 July 2004 - 03:58 PM

I just updated About:Buster again. It's going to delete that file.

Updated Version

#7 lbalceda


Posted 06 July 2004 - 06:20 PM

Uhm, as soon as it deletes fpadmn.dll, Windows starts complaining and tells me to insert the Windows 2003 CD so it can re-install changed system files....

Should I delete shdoclc.dll...? Cuz apparently hardAdmin is inside that...?

Here's a new HijackThis log just in case, I guess:

Logfile of HijackThis v1.98.0
Scan saved at 7:20:26 PM, on 7/6/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
D:\Program Files\Symantec\pcAnywhere\awhost32.exe
d:\CFusion\Bin\cfserver.exe
d:\CFusion\Bin\cfexec.exe
d:\CFusion\Bin\cfrdsservice.exe
d:\CFusion\JRun\bin\JRun.exe
d:\CFusion\jrun\bin\jrun.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
d:\CFusion\jre\bin\ntConsoleJava.exe
d:\CFusion\jre\bin\ntConsoleJava.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Seagate Software\WCS\pageserver.exe
d:\CFusion\Bin\Service_AuthSrvr.exe
d:\CFusion\Bin\Service_AzSrvr.exe
d:\CFusion\Bin\smservauth.exe
C:\Program Files\Seagate Software\WCS\WebCompServer.exe
d:\CFusion\Bin\smservaz.exe
d:\CFusion\cfam\bin\CANamingAdapter.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\SCANJET\PrecisionScanPro\HPLamp.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Winamp\winampa.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
D:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\luis\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [HP Lamp] D:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = D:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ICC
O17 - HKLM\Software\..\Telephony: DomainName = ICC
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ICC
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ICC
O18 - Protocol: dynascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - %SystemRoot%\system32\mshtml.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll



