Slow computer



#1 pcoach4u (Member, 15 posts)

Posted 10 June 2004 - 12:25 AM

I am working with a client's computer that has malware on it. Very slow etc. I already have a HijackThis log file, and have access to the needed tools.

Guidance welcome...


*pcoach4u*

Helping people make friends with their computers since 1996

#2 [Red] (Developer, 20 posts)

Posted 10 June 2004 - 12:34 AM

Hi pcoach4u,

Could you please post a HijackThis log by copying it into a new post below and explain what seems to be the problem?

#3 pcoach4u (Member, 15 posts)

Posted 10 June 2004 - 12:46 AM

Here is the log file. She mainly said it has been getting progressively slower. I am on it right now in my office.

Logfile of HijackThis v1.97.7
Scan saved at 10:08:16 PM, on 6/9/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\netclnt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [B6619DEA] C:\WINDOWS\System32\ewbgajmdgwu.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\System32\fodbvh.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [DD0033E1] C:\WINDOWS\System32\ewbgajmdgwu.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C40 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S5F.tmp"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {69FD62B1-0216-4C31-8D55-840ED86B7C8F} - http://installs.hotb...rams/hotbar.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...icode/iuctl.CAB?37847.6488425926
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B40FFCFB-FF47-427F-9933-71E13D65E59C}: NameServer = 192.168.0.1

*pcoach4u*

Helping people make friends with their computers since 1996
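As an added example (not from this thread or from the HijackThis tool), a small Python analyser that parses the O4 autorun lines of a HijackThis log and flags the patterns visible in the log above: a bare filename with no path, a random hex-style value name, a value name claiming to be Windows/Microsoft Update, use of the RunServices key, and one binary registered under several keys or hives. The heuristics are my assumptions; the sample lines are copied from the posted log, with wrapped lines joined.

```python
import re
from collections import Counter
# HijackThis O4 registry autorun line, e.g. "O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunServices|RunOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*)$"
)
HEX_NAME = re.compile(r"^[0-9A-F]{8}$")  # value names like [B6619DEA]
UPDATE_ALIASES = {"microsoft update", "windows update"}  # assumption: XP's updater uses no such Run value
CHECKS = [  # heuristics (my assumptions), applied to a parsed entry e and its executable path p
    (lambda e, p: "\\" not in p, "bare filename, no path (resolved via search path)"),
    (lambda e, p: bool(HEX_NAME.match(e["name"])), "random hex-style value name"),
    (lambda e, p: e["name"].lower() in UPDATE_ALIASES, "impersonates Windows/Microsoft Update"),
    (lambda e, p: e["key"] == "RunServices", "RunServices key, rarely used by legitimate software"),
]
# Sample input: O4 lines taken from the log posted above (wrapped lines joined).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [B6619DEA] C:\WINDOWS\System32\ewbgajmdgwu.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [DD0033E1] C:\WINDOWS\System32\ewbgajmdgwu.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
"""

def parse_o4(line):
    """Return {hive, key, name, command} for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def exe_path(command):
    """Drop surrounding quotes and arguments, keeping only the executable path."""
    cmd = command.strip().lstrip('"')
    i = cmd.lower().find(".exe")
    return cmd[: i + 4] if i >= 0 else cmd.split(" ")[0]

def analyse(log_text):
    """Return flagged entries as {name, key, path, reasons}, in log order."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    seen = Counter(exe_path(e["command"]).lower() for e in entries)
    findings = []
    for e in entries:
        path = exe_path(e["command"])
        reasons = [text for pred, text in CHECKS if pred(e, path)]
        if seen[path.lower()] > 1:  # same binary registered under several keys/hives
            reasons.append(f"same binary registered {seen[path.lower()]} times")
        if reasons:
            findings.append({"name": e["name"], "key": e["key"], "path": path, "reasons": reasons})
    return findings
```

Run on the sample, the Norton and Adaptec entries pass clean while the five entries for wuamgrd.exe and ewbgajmdgwu.exe are each flagged for two to four reasons.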

#4 pcoach4u (Member, 15 posts)

Posted 10 June 2004 - 12:52 AM

Red,

I see the date of the infection is 5-24-04 and have deleted 6 files so far, not made any changes yet in the HJT log so it is clean for you to work with. Have identified 6 entries so far to remove.

*pcoach4u*

Helping people make friends with their computers since 1996

#5 pcoach4u (Member, 15 posts)

Posted 10 June 2004 - 03:54 PM

I also found the Welchia worm on there last night. At one point a re-director came up in the address bar of: http://www.rxbot.......
I forget the rest. Slammed me with TI Files.

*pcoach4u*

Helping people make friends with their computers since 1996

#6 pcoach4u (Member, 15 posts)

Posted 15 June 2004 - 05:06 PM

I finished this computer. It had 3 worms on it: WelchiaB, NachiaB and SDBOT. Removed them all, put on AVG, Z/A and SpywareBlaster.
Customer was a happy camper.


*pcoach4u*

Helping people make friends with their computers since 1996
