Unusably slow PC - how many bugs are in here??


3 replies to this topic

#1 anastasiav (Member; New Member; 2 posts)

Posted 09 June 2004 - 10:24 PM

Thanks in advance for helping me troubleshoot a PC that is running so very slowly as to be almost totally unusable. I have run Adaware & Spybot but they may not be the most up to date (although both have been updated within the past week or so) because the download crashes the PC, so I had to run the log from Safe Mode.

Thanks --

Logfile of HijackThis v1.97.7
Scan saved at 11:02:41 PM, on 6/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\Explorer.EXE
D:\Documents and Settings\ivan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Techsmith
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.132/index.php
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hpfsched] D:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [WinTime] D:\WINNT\system32\wintime.exe
O4 - HKLM\..\Run: [ist service uninstall] D:\WINNT\mstasks2.exe /u
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1302B0D3-3550-4A00-9A46-45EBE56EA4B7}: NameServer = 140.239.140.239
O17 - HKLM\System\CCS\Services\Tcpip\..\{8845C4FD-01B0-4894-8CE8-0E4FA3296756}: NameServer = 207.5.128.9,207.5.128.10
O17 - HKLM\System\CS1\Services\Tcpip\..\{1302B0D3-3550-4A00-9A46-45EBE56EA4B7}: NameServer = 140.239.140.239
O17 - HKLM\System\CS2\Services\Tcpip\..\{1302B0D3-3550-4A00-9A46-45EBE56EA4B7}: NameServer = 140.239.140.239

#2 discogail, "All you need is a gorilla and a dream" (Emeritus; 86 posts)

Posted 10 June 2004 - 01:41 AM

Download the FixBlast.exe file from:

http://securityrespo...er/FixBlast.exe

Save the file to a convenient location, such as your downloads folder or your Desktop

Close all other running programs

Double-click the FixBlast.exe file
Click Start to begin the process, and then allow the tool to run.

Restart the computer.
Run the removal tool again to ensure that the system is clean.

Then download CWShredder
http://www.spywarein.../cwshredder.zip
Unzip it, run it, press "Fix", follow its prompts and instructions, press "Next", and allow it to fix all it finds.
Reboot.

Then go to Trend Micro Housecall
http://housecall.trendmicro.com/
and do a free, full scan and let it remove what's found.

Rescan with HijackThis and post your log in your next reply.

#3 anastasiav (Member; New Member; 2 posts)

Posted 11 June 2004 - 07:06 AM

Good Morning! -- Sorry for the long delay ...


I ran FixBlast a total of three times - once in Safe Mode, and twice after a regular boot, with no results any time.

CWShredder found a couple of infected IE registry files, and fixed them, but not much else.

I was not able to run Housecall. I couldn't get it to run correctly in Mozilla, and when I reluctantly switched to IE the combination of a sustained open internet connection and IE released such a floodgate of popups and stuff attempting to come in or run (including something that begged me repeatedly to enable ActiveX) that the CPU rapidly pegged out at 100% and the PC became unusable. However, after a rather laborious work-around I was able to install an up-to-date copy of Norton on the machine, which I ran and which found and dealt with two infected files.

(I'd also like to add, for the record, that this (if it wasn't already obvious) is not my machine ... I've dealt with mal/spy ware infections for other folks before, but I've never, ever seen anything this bad - although I bet you have!)

Anyhow, here's the log:

Logfile of HijackThis v1.97.7
Scan saved at 7:55:38 AM, on 6/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINNT\system32\kmw_run.exe
D:\WINNT\system32\wintime.exe
D:\WINNT\mstasks2.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Documents and Settings\ivan\Desktop\HijackThis.exe
D:\WINNT\system32\KMW_SHOW.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Techsmith
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [hpfsched] D:\WINNT\hpfsched.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [WinTime] D:\WINNT\system32\wintime.exe
O4 - HKLM\..\Run: [ist service uninstall] D:\WINNT\mstasks2.exe /u
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8845C4FD-01B0-4894-8CE8-0E4FA3296756}: NameServer = 207.5.128.9,207.5.128.10

Thanks again for your help!

#4 discogail, "All you need is a gorilla and a dream" (Emeritus; 86 posts)

Posted 11 June 2004 - 11:21 AM

Now create a new folder, move HijackThis off the desktop and into it, then, with all other browser windows closed and only HijackThis running, check off:

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WinTime] D:\WINNT\system32\wintime.exe (Troj/Small-AK)
O4 - HKLM\..\Run: [ist service uninstall] D:\WINNT\mstasks2.exe /u (Troj/Dloader-W)

Click "Fix Checked", then reboot to Safe mode:
How to start the computer in Safe mode

Show hidden files and folders:
Show hidden files & folders

Go to:
D:\WINNT and delete mstasks2.exe
D:\WINNT\system32 and delete wintime.exe

Also, that's an ancient version of Internet Explorer; updating
http://www.microsoft...ie/default.mspx
would be a good idea, and more secure.
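As an added example (written for this page; not part of the thread, of HijackThis, or of any tool the helper recommends), the script below turns the kind of reasoning used in the replies above into a first-pass triage of a HijackThis log: IE start/default/local pages that point at a raw IP literal, O2/O3 entries marked "(no file)", O4 autostart entries that name a bare executable with no directory (resolved via the search path, as the msblast.exe entry in the first log was), O4 images sitting directly in the Windows directory rather than a subfolder, and O17 name servers listed for manual verification. The heuristics are my own and are review hints, not verdicts; the sample input is a constructed subset of the log lines posted earlier in this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the HijackThis 1.97.7 log lines posted
# earlier in this thread (paths, GUIDs and addresses as they appear there).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.132/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by The Techsmith
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTime] D:\WINNT\system32\wintime.exe
O4 - HKLM\..\Run: [ist service uninstall] D:\WINNT\mstasks2.exe /u
O17 - HKLM\System\CCS\Services\Tcpip\..\{8845C4FD-01B0-4894-8CE8-0E4FA3296756}: NameServer = 207.5.128.9,207.5.128.10
"""

# URL whose host is a dotted-quad IP literal rather than a domain name.
IP_URL = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")
# "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_LINE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # short heuristic label (these labels are my own)
    line: str      # the log line that triggered it, verbatim


def split_command(cmd: str) -> tuple[str, str]:
    """Split an O4 command line into (image_path, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(log_text: str) -> list[Finding]:
    """Apply a few hand-written review heuristics to HijackThis log lines."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]

        # R0/R1: IE start/default/local pages pointing at a raw IP literal are
        # a classic hijack signature (no domain, nothing to reason about).
        if section in ("R0", "R1") and " = " in line:
            value = line.split(" = ", 1)[1].strip()
            if IP_URL.match(value):
                findings.append(Finding(section, "ie-page-is-ip-literal", line))

        # O2/O3: entries whose file is gone are orphans left behind by a
        # removal; fixing them is harmless and tidies the log.
        elif section in ("O2", "O3") and line.endswith("(no file)"):
            findings.append(Finding(section, "orphaned-entry-no-file", line))

        # O4: autostart entries. A bare file name is resolved via the search
        # path (how "msblast.exe" was launched in the first log); an image
        # sitting directly in the Windows directory, not a subfolder, is also
        # worth a second look. Both are review hints, not verdicts.
        elif section == "O4":
            m = O4_LINE.match(line)
            if m:
                image, _args = split_command(m.group("cmd"))
                if "\\" not in image:
                    findings.append(Finding(section, "bare-filename-search-path", line))
                else:
                    parent = image.rsplit("\\", 1)[0].lower()
                    if re.fullmatch(r"[a-z]:\\win(nt|dows)", parent):
                        findings.append(Finding(section, "image-in-windows-root", line))

        # O17: DNS servers. Not bad by themselves, but listed so the owner can
        # confirm they belong to the ISP rather than to a hijacker.
        elif section == "O17":
            if O17_LINE.match(line):
                findings.append(Finding(section, "verify-nameserver", line))
    return findings


def reasons_for(findings: list[Finding], needle: str) -> set[str]:
    """Which heuristics fired on lines containing `needle`."""
    return {f.reason for f in findings if needle in f.line}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason:<28}{f.line}")
```

Two caveats show why this is only a first pass. mobsync.exe (the Windows Synchronization Manager) is flagged alongside msblast.exe because both are bare file names; the heuristic cannot tell them apart, a human has to. Conversely wintime.exe, which the helper above identified by name as Troj/Small-AK, trips nothing here: it is a fully qualified path under system32 with no arguments, so name-based identification of the kind done in this thread remains necessary.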



