Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

System seems fragile

Started by incognito167 , Nov 08 2004 03:56 AM

  • Please log in to reply

#1
incognito167
Posted 08 November 2004 - 03:56 AM

incognito167

    Member

  • Member
  • PipPip
  • 21 posts
First off, thanks for your helpful reply to my earlier post.

On Friday my broadband connection was turned on and I followed the insturctions you gave me to get various freeware.

I got the following - Grisoft AVG, Ad-aware, Spybot S&D and Spywareblaster.
Are the all running in the background automatically or do I have to do anything special.

Anyway after a bit, i got an error for lsass.exe and the computer kept shutting down. Called my techie mate and he told me to download a patch from microsoft.com. This problem was sorted.

I ran the AVG, which detected 24 viruses, which mostly seemed to be the I-worm SasserD virus - my system is clean now.

Everything is pretty much OK now, but the computer seems fragile and a bit slow. What i mean is that it takes a little longer than usual to perform its function (searching help and support, connecting to the broadband, shutting down, moving between open web pages) and also IE seems to "crash" every now and then requiring a ctrl+alt+delete (which sometimes craches itself).

I've got firefox too, and that's OK but seems a llittle slow itself.

I've got a p2p app also.

Generally everything is OK, but i am never sure if all is well or if another system freeze is around the corner.

Hopefully I have given you enough info. But if you need more let me know.

Mart.
ps - XP SP2 seems to have stopped downloading at 33% and won't continue! Any thoughts?
  • 0

Advertisements

#2
coachwife6
Posted 08 November 2004 - 04:56 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Let us take a closer look at what is running on your PC. We'll need you to use a free diagnostic tool (HiJackThis) and post a log back here with the results.

Click the HijackThis Guide in my signature, download it and follow the instructions in the guide.

Most of what it lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.
  • 0

#3
incognito167
Posted 08 November 2004 - 11:41 AM

incognito167

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thanks. I have done a Hijack this scan and the results are below.

Logfile of HijackThis v1.98.2
Scan saved at 17:35:33, on 08/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\INTERN~2\AVG\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\IEXPLORE.EXE
C:\WINDOWS\System32\windows.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Internet Software(2)(2)\Dragdiag.exe
C:\WINDOWS\System32\manager32.exe
C:\WINDOWS\System32\vpc32.exe
C:\PROGRA~1\INTERN~2\AVG\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\PSD\Application Data\My-disgo\MyKey disgo.exe
C:\Program Files\Internet Software(2)(2)\DrSpeedTouch\drst.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\PSD\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.coolwwwse.../z/a/x1.cgi?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.coolwwwse.../z/c/x1.cgi?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dixons.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.coolwwwse.../z/b/x1.cgi?101 (obfuscated)
O1 - Hosts: 1123694712 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Internet Software(2)(2)\Spybot\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Internet Software(2)(2)\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft IE] IEXPLORE.EXE
O4 - HKLM\..\Run: [MS Manager32 Startup] manager32.exe
O4 - HKLM\..\Run: [skynetave.exe] C:\WINDOWS\skynetave.exe
O4 - HKLM\..\Run: [NDIS Adapter] windows.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\INTERN~2\AVG\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft IE] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [MS Manager32 Startup] manager32.exe
O4 - HKLM\..\RunServices: [NDIS Adapter] windows.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunOnce: [Microsoft IE] IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [NDIS Adapter] windows.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\PSD\Application Data\My-disgo\MyKey disgo.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\Internet Software(2)(2)\DrSpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Microsoft IE] IEXPLORE.EXE
O4 - HKCU\..\Run: [MS Manager32 Startup] manager32.exe
O4 - HKCU\..\Run: [NDIS Adapter] windows.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\RunOnce: [NDIS Adapter] windows.exe
O4 - HKCU\..\RunOnce: [Microsoft IE] IEXPLORE.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
O15 - Trusted Zone: *.msn.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099762247062
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A745952B-F840-456E-BF20-022EBA25A8D2}: NameServer = 158.152.1.58 158.152.1.43


Sometimes Windows Explorer freezes too.
I look forward to your reply and thank you again.
Mart.
  • 0

#4
coachwife6
Posted 08 November 2004 - 11:54 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please run: http://cwshredder.net/
provided by Spywareinfo.com


Download Ad-aware from: http://www.geekstogo...n=download&id=5

Install the program and launch it.

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

-> Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
  • Automatically save log-file
  • Automatically quarantine objects prior to removal
  • Safe Mode (always request confirmation)
2. Click on the Scanning button on the left and select :
  • Scan Within Archives
  • Scan Active Processes
  • Scan Registry
  • Deep Scan Registry
  • Scan my IE favorites for banned URL’s
  • Scan my Hosts file
  • Under Click here to select drives + folders, choose:
  • All of your hard drives
-> Click on the Advanced button on the left and select:
  • Include additional process information
  • Include additional file information
  • Include environment information
  • Include additional object details
-> Click the Tweak button and select:
  • Under the Scanning Engine:
    • Unload recognized processes during scanning
    • Include basic Ad-aware settings in logfile
    • Include additional Ad-aware settings in logfile
  • Under the Cleaning Engine:
    • Let Windows remove files in use at next reboot
-> Click on Proceed to save the settings.

-> Click Start and on the next screen choose Activate in-depth Scan at the bottom of the page and then choose:
  • Use Custom Scanning Options
-> Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

-> Save the log file when it asks and then click Finish

-> When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).


Start Spybot S&D using the "Spybot-S&D (easy mode)" link from your Start menu . Click the Search for updates button, if any are found then click the Download Updates button. After all updates are downloaded, click the Check for problems button. When the scan is complete, place a check next to anything marked in red, then click the Fix selected problems button. You may need to run Spybot S&D multiple times to remove all infections.

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.


When finished, Reboot your computer. Finally, reply to this post with a new HiJackThis log so we can look for any nasties that may have been missed. <_<
  • 0

#5
incognito167
Posted 09 November 2004 - 01:56 PM

incognito167

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thanks again for your help. This computer business is really getting to me now. Everytime one thing gets take ncare of, something else pops up.

I ran ad-aware and spybot. While i was doing this, AVG pops up to tell me i'm infected. AGAIN? Honestly, these little viruses are EVIL!

Anyway, this is my hijack this log.

Logfile of HijackThis v1.98.2
Scan saved at 19:48:42, on 09/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\INTERN~2\AVG\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\windows.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Internet Software(2)(2)\Dragdiag.exe
C:\WINDOWS\System32\manager32.exe
C:\PROGRA~1\INTERN~2\AVG\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\PSD\Application Data\My-disgo\MyKey disgo.exe
C:\Program Files\Internet Software(2)(2)\DrSpeedTouch\drst.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Software(2)(2)\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dixons.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\INTERN~2\Spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Internet Software(2)(2)\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft IE] IEXPLORE.EXE
O4 - HKLM\..\Run: [MS Manager32 Startup] manager32.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\INTERN~2\AVG\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NDIS Adapter] windows.exe
O4 - HKLM\..\RunServices: [Microsoft IE] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [MS Manager32 Startup] manager32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [NDIS Adapter] windows.exe
O4 - HKLM\..\RunOnce: [NDIS Adapter] windows.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\PSD\Application Data\My-disgo\MyKey disgo.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\Internet Software(2)(2)\DrSpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Microsoft IE] IEXPLORE.EXE
O4 - HKCU\..\Run: [MS Manager32 Startup] manager32.exe
O4 - HKCU\..\Run: [NDIS Adapter] windows.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\RunOnce: [NDIS Adapter] windows.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099762247062
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab


XP SP 2 only downloaded to 33% and then seemed to freeze. Any ideas?

Tomorrow i'm going out to buy McAfee Virus scan and firewall - hopefully it will give me more cover. I'm sick of constantly having to sort my computer out. I can't do any proper work! It's like 2 steps forward and 3 back.

You've got to help me. Once i've got the virus and spyware under control, i'm thinking of reloading XP - how do i go about this? Will I lose any of my files?

Also, do Ad-aware, Spybot, spyware blaster all run in the background or do i have to scan everytime manually.

Thank you again. Hopefully you can appreciate my desperation for a stabile and safe computer.

Mart.
  • 0

#6
coachwife6
Posted 09 November 2004 - 02:11 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Don't download SP2 until we get this cleaned up.

You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.


O4 - HKLM\..\Run: [Microsoft IE] IEXPLORE.EXE
O4 - HKLM\..\Run: [MS Manager32 Startup] manager32.exe
O4 - HKLM\..\Run: [Microsoft Update] vpc32.exe

O4 - HKLM\..\Run: [NDIS Adapter] windows.exe
O4 - HKLM\..\RunServices: [Microsoft IE] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [MS Manager32 Startup] manager32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] vpc32.exe
O4 - HKLM\..\RunServices: [NDIS Adapter] windows.exe
O4 - HKLM\..\RunOnce: [NDIS Adapter] windows.exe

O4 - HKCU\..\Run: [My-disgo] C:\Documents and Settings\PSD\Application Data\My-disgo\MyKey disgo.exe

O4 - HKCU\..\Run: [Microsoft IE] IEXPLORE.EXE
O4 - HKCU\..\Run: [MS Manager32 Startup] manager32.exe
O4 - HKCU\..\Run: [NDIS Adapter] windows.exe
O4 - HKCU\..\Run: [Microsoft Update] vpc32.exe
O4 - HKCU\..\RunOnce: [NDIS Adapter] windows.exe

O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg...ntrol_v1-32.cab

Run adaware again and delete your temp. files. Reboot and post a fresh log.
  • 0

#7
incognito167
Posted 10 November 2004 - 10:31 AM

incognito167

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Right.

I did all you told me to. But when i run ad-aware, the grisoft AVG detects I.SasserD. When i run a full virus scan it finds nothing! This happened yesterday too.

I've bought McAfee Internet Security suite (Virus scan, firewall, spamkiller and a load of other stuff) and want to load it asap. I've been told to unload grisoft AVg because McAfee won't work with other virus scanners. Do i have to unload ad-aware, spybot and spyblaster if i load the McAfee stuff.

Logfile of HijackThis v1.98.2
Scan saved at 16:23:13, on 10/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\INTERN~2\AVG\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SOINTGR.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\Internet Software(2)(2)\Dragdiag.exe
C:\PROGRA~1\INTERN~2\AVG\avgcc32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Software(2)(2)\DrSpeedTouch\drst.exe
C:\Program Files\Internet Software(2)(2)\Hijack\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dixons.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\INTERN~2\Spybot\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Internet Software(2)(2)\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\INTERN~2\AVG\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [STManager] "C:\Program Files\Internet Software(2)(2)\DrSpeedTouch\drst.exe" -b
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.dixons.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099762247062

Above is my last log.

Thank you again for your help,. You don't know how much this means to me. |I'm at my wits end with this computer stuff. Ijust want to get on with my work and download music!

Mart.
  • 0

#8
coachwife6
Posted 10 November 2004 - 10:37 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I don't want to tell you what to do, but if you haven't opened the McAfee, you could get enough free resources over the internet to protect your computer. But if the ease of having an all-in-one package appeals to you, go for it.

Yes, you will have to uninstall AVG before installing McAfee. You don't want two anti-virus systems running at the same time.

Keep adaware and spyblaster. They are necessary even with the best anti-virus program.
  • 0

#9
incognito167
Posted 10 November 2004 - 10:44 AM

incognito167

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
No, I haven't opened it yet.

Do ad-aware and spyblaster run in the background. If so, why do they keep finding stuff on my computer. Surely they should neutralise the threat when they've deteced one. Do i need to configure it?

THanks for your advice, it is very much appreciated.

I think i'll give the McAfee a try - got nothing to lose (apart from the £50 i just spent on it!)

Mart.
  • 0

#10
coachwife6
Posted 10 November 2004 - 10:47 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I don't even know what 50 (L-thing) is, nor do I know how to type the (L-thing).

Spyblaster doesn't find anything...it blocks stuff. Spybot finds stuff, but I have gone to strictly using Adaware.

Are you deleting what Adaware picks up? Next time you run an adaware scan, let me know what it picks up.

ARe you cleaning out your temp files?
  • 0

#11
incognito167
Posted 10 November 2004 - 10:52 AM

incognito167

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
£50 means 50 English pounds sterling - about US$75.

Yes I delete the adaware files and i do clean out my temp files (just out of interest, why should this be done?)

Apart from ad-aware, spybot and spyblaster, which freeware apps and websites do you recommend.

Thanks. <_<
Mart
  • 0

#12
coachwife6
Posted 10 November 2004 - 10:57 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You don't want your temp. files there because if they have junk in them they can just linger and cause problems and slow down your system. It's like changing the oil in your car.

I am on my computer 18 hours a day and I have very few problems, and all I do is:

keep windows updated
Run antivirus and keep it updated
Run Spyblaster
Run Adaware
And use Mozilla Firefox.

here are some reocmmendations from admin. - my hero. <_<

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use) Click Here.

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

These next two steps are optional, but will provide the greatest protection.
1. Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness. We usually recommend FireFox Posted Image.
2. Install Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .
  • 0

#13
incognito167
Posted 10 November 2004 - 11:01 AM

incognito167

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thanks for your advice.

I'll try the McAfee stuff for a whie and I'll let you kow how things go.

If all goes well, i might reload XP next week!

Thanks for all of our help.
Mart <_<
  • 0

#14
CSDYER
Posted 15 November 2004 - 05:24 PM

CSDYER

    New Member

  • Member
  • Pip
  • 2 posts
Coacheswife,

I would also appreciate your advice. My Hijack scan is below.

Thanks,

Chris


Logfile of HijackThis v1.98.2
Scan saved at 5:15:18 PM, on 11/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\basfipm.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRpc.exe
C:\Program Files\CA\eTrust\InoculateIT\InoRT.exe
C:\Program Files\CA\eTrust\InoculateIT\InoTask.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\bcmwltry.exe
C:\WINNT\system32\TGBRFV_.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
C:\temp\salm.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Nikon\NkView6\NkvMon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\tsdal173\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://a-search.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://MyStandard
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = laxhuf1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 159.112.*;206.44.*;170.205.*;198.80.*;192.168.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
F2 - REG:system.ini: UserInit=Userinit.exe,TGBRFV_
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {857D32D0-A7B0-4E0A-A377-CFEFB442D675} - C:\WINNT\system32\nkfmjfa.dll
O3 - Toolbar: (no name) - {608C195C-6C23-4687-8211-471E1840136A} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust\InoculateIT\realmon.exe
O4 - HKLM\..\Run: [Desktop Manager] C:\Program Files\Trane Company\Desktop Manager\DESKMAN.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AeXAgentLogon] "C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe" /logon
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O12 - Plugin for .MOV: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://MyStandard
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[bleep]ed.biz
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {074B55C0-6323-4672-138A-626B391C7D15} - http://82.179.166.72/1/rdgUS208.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...d7510b28ebf1261
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {9F77A997-F0F3-11d1-9195-00C04FC990DC} (JavaBeansBridge Object) -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://intercall.we...bex/ieatgpc.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE2F47AE-3BD8-4CB5-AA19-F6166A0FF890}: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = americanstandard.com,hq.cg.na.trane.com,na.trane.com,trane.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = field.cg.na.trane.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = americanstandard.com,hq.cg.na.trane.com,na.trane.com,trane.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = americanstandard.com,hq.cg.na.trane.com,na.trane.com,trane.com
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\httpfilter.dll
O18 - Filter: text/plain - {EC518B8E-85A1-45F3-99FF-426CA059A906} - C:\WINNT\system32\nkfmjfa.dll
  • 0

#15
coachwife6
Posted 15 November 2004 - 08:22 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
CSDYER - Welcome to GTG. :D

Please start a new thread in the Hijack This forum and post a log and we'll get after it. It's less confusing that way. <_<
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP