Kat

Help clean a friend

10 posts in this topic

Ok, pomp. Here's the log you asked for:

 

Logfile of HijackThis v1.97.7
Scan saved at 7:03:50 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Documents and Settings\Aaron's Sales\My Documents\SPYWARE PROGRAMS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 5100 series) - 1.lnk.disabled
O4 - Global Startup: Logitech Desktop Messenger.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon.../cx_tgctlcm.jsp
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c1...all/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Express Viewer Control) - http://www.autodesk.com/global/expressview...ViewerSetup.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

SLOW boot times, and very poor running times.

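To work through a log in this format systematically rather than by eye, here is a small parser (an added example, not code from this thread or from HijackThis itself) that splits a HijackThis v1.97 log into the running-process list and the typed R/O entries, then pulls out the IE proxy setting, the Global Startup items with their disabled state, and the origin of each O16 DPF control so file:// and web-fetched controls can be told apart; the sample log is a constructed excerpt assembled from lines quoted above.

```python
import re

# Constructed excerpt in the HijackThis v1.97 log format quoted in this thread:
# a few lines from each section, not the full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\cisvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.r31.insightbb.com:8000
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
"""
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")           # "R1 - ...", "O16 - ..."
DPF_RE = re.compile(r"^DPF: \{([0-9A-Fa-f-]+)\}(?: \(([^)]*)\))? - (.+)$")
def parse_hjt_log(text):
    """Return (running processes, [(type, body), ...]) from a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            procs.append(line)
        elif in_procs:                      # blank line ends the process list
            in_procs = False
        elif ENTRY_RE.match(line):
            entries.append(ENTRY_RE.match(line).groups())
    return procs, entries

def summarize(text):
    """Pull out what a reviewer checks first: proxy, startup items, DPF origins."""
    procs, entries = parse_hjt_log(text)
    out = {"processes": procs, "proxy": None, "startup": [], "dpf": [], "counts": {}}
    for kind, body in entries:
        out["counts"][kind] = out["counts"].get(kind, 0) + 1
        if kind.startswith("R") and " = " in body:
            key, value = body.split(" = ", 1)
            if key.endswith(",ProxyServer"):        # IE proxy, as in the log above
                out["proxy"] = value
        elif kind == "O4" and body.startswith("Global Startup: "):
            item = body[len("Global Startup: "):]
            out["startup"].append((item, item.endswith(".disabled")))
        elif kind == "O16" and DPF_RE.match(body):
            clsid, name, src = DPF_RE.match(body).groups()
            # "scheme" is http for web-fetched controls and file for local ones
            out["dpf"].append({"clsid": clsid, "name": name or "", "url": src,
                               "scheme": src.split("://", 1)[0].lower()})
    return out
```

Feed it the full log from the post above and the `counts` dict gives the number of entries of each type while `dpf` lists every downloaded program file with its CLSID and source.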

forgot:

 

SS&D has been done, AAW has been done... both removed a TON of junk. CWShredder done and removed two strains. Trojan Hunter done, and came out clean. Three separate virus scans done, and those instances are cleaned as well.

 

So..now what? LOL


Following advice given in chat, I downloaded and ran RamCleaner. This is some of what it says now:

 

72MB free

 

Physical memory: 60% avail.

 

37% page file usage

 

Does that help any?


I don't know if this tells us anything...but when I opened ONE IE browser just now....NOTHING else running, just the RAMCleaner on taskbar....the RAMCleaner changed to "Critical usage..clean now" and it spiked to only having 31% available!

 

I hit the "Clean now" and it went back up to about 60% avail.


Did another virus scan. All 77,232 files are cleaned. I know something is running causing the memory to get eaten up every couple of minutes (literally). But what?

SLOW boot times, and very poor running times.

Greetings Kat -

 

Here's a nasty that should go.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

 

Red Sheriff applet. Infamous for bringing a CPU to its knees.


Thanks for the input. I had forgotten to post another HJT log after I had already removed that last night.

 

I *THOUGHT* this morning that I had found the culprits, but no such luck. She has Norton on here, and I ran PandaScan last night as well as Trendmicro. All three found NOTHING.

 

I downloaded AVG last night, and it ran while I was sleeping. I get up this morning, and it had detected and removed ELEVEN viruses/Trojans.

 

Downloader.Lalus.A

Dialer.7.AI

Downloader.Keenval.N

Downloader.Rameh.C

Backdoor.Ruledor.C

PSW.Bispy.A

Downloader.Keenval.C

Downloader.Keenval.J

PSW.Bispy.B

Dropper.Small.4.P

Dropper.Liba.A

 

** All were Trojan Horses. 8 of them were successfully cleaned by AVG; three had to be manually moved to the Virus Vault when I got up this morning.

 

Boot Time is a bit faster this morning. CRAP. When I tried to click on something just now to open and check, AVG sent up warnings. The Dropper.Liba.A and the Dropper.Small.4.P are both back in the folders they started in. Both of them in the C:\System Volume Information\_restore (Big CLSID # here).dll folder.

 

Help me get rid of them!


I also noticed that you have C:\WINDOWS\System32\cisvc.exe as a running process. While a valid file, it can be a hungry resource hog. Might explain your performance problems. I have also seen a number of reports that it can be hijacked. Could explain your infection as well.

 

I would disable it in startup, rerun your scans and see what shakes out.

 

Best of luck!

IC -


I will have her try that. I did a little research, and found a thread on Wilders' dealing with the exact same Trojans that kept reappearing. They were NOT in the C:\Sys Volume....they were actually in the System Restore. So, I turned off Sys. Restore, re-ran AVG and captured the viruses again, and then turned Sys Restore back on.

I had to leave at that point for work, so she's supposed to let me know here soon how things are running now.


Seems to be running better, however the RAMCleaner still keeps popping up/down to only having 20-30% avail.

 

Per instructions on chat, she ran the port scanner from gnc. This is what it found:

 

Nina : but for common ports, solicited TCP packets and ping reply failed. Unsolicited packets passed

Nina : open ports are 1025 host and 5000 UPnP

 

Advised her to turn ON Zone Alarm *which wasn't on at the time of the scan*, and also was told to have her go to http://grc.com/unpnp/unpnp.htm to close that 5000 port.

 

Will have her post me a new HJT log in a few minutes. She will post as "me", as I left myself logged in here on her computer. LOL
