Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

very slow pc

Started by shinpad , Aug 03 2005 08:23 AM

  • Please log in to reply

#1
shinpad
Posted 03 August 2005 - 08:23 AM

shinpad

    New Member

  • Member
  • Pip
  • 4 posts
my friends pc has ground to a halt and he cannot connect to the internet. adaware has removed a couple of trojans, but the problem persists.
the only thing he has been able to do is give me a hijackthis log. any help would be appreciated.

thanks


Logfile of HijackThis v1.99.1
Scan saved at 14:19:23, on 03/08/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\ltmsg.exe
C:\WINNT\winppr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\P2P Networking\P2P Networking.exe
C:\WINNT\System32\obmimkwj.exe
C:\WINNT\System32\richup.exe
C:\WINNT\timer.exe
C:\WINNT\timer.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINNT\System32\internat.exe
D:\hijackthis.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\System32\arqex.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nsn1B9.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\System32\richedtr.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\System32\arqex.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [TrayX] C:\WINNT\winppr32.exe /sinc
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [HDAudio Driver] C:\WINNT\System32\ycqjplo.exe
O4 - HKLM\..\Run: [HDAudio Driver 1.0] C:\WINNT\System32\pgypadu.exe
O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINNT\System32\obmimkwj.exe
O4 - HKLM\..\Run: [richup] C:\WINNT\System32\richup.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINNT\iccontrol.exe
O4 - HKLM\..\Run: [Timer] C:\WINNT\timer.exe /i
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [TrayX] C:\WINNT\winppr32.exe /sinc
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68B9BAF0-B1B3-48CB-B93D-25B05ED10EAD}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{68B9BAF0-B1B3-48CB-B93D-25B05ED10EAD}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{68B9BAF0-B1B3-48CB-B93D-25B05ED10EAD}: NameServer = 69.50.176.196,195.225.176.110
O19 - User stylesheet: (file missing) (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINNT\System32\vbsys2.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
  • 0

Advertisements

#2
Metallica
Posted 03 August 2005 - 08:31 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you transfer a file to her computer?

Download and run CWShredder from:
http://www.intermute...r_download.html
Use the Fix button.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F1 - win.ini: run=C:\WINNT\..\PROGRA~1\COMMON~1\MICROS~1\MSInfo\info32.exe

O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\System32\arqex.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINNT\System32\nsn1B9.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINNT\System32\richedtr.dll

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINNT\System32\arqex.dll

O4 - HKLM\..\Run: [TrayX] C:\WINNT\winppr32.exe /sinc
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe

O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [HDAudio Driver] C:\WINNT\System32\ycqjplo.exe
O4 - HKLM\..\Run: [HDAudio Driver 1.0] C:\WINNT\System32\pgypadu.exe
O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINNT\System32\obmimkwj.exe
O4 - HKLM\..\Run: [richup] C:\WINNT\System32\richup.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINNT\iccontrol.exe
O4 - HKLM\..\Run: [Timer] C:\WINNT\timer.exe /i

O4 - HKCU\..\Run: [TrayX] C:\WINNT\winppr32.exe /sinc

O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-622221193458} - file://c:\ex.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{68B9BAF0-B1B3-48CB-B93D-25B05ED10EAD}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS1\Services\Tcpip\..\{68B9BAF0-B1B3-48CB-B93D-25B05ED10EAD}: NameServer = 69.50.176.196,195.225.176.110
O17 - HKLM\System\CS2\Services\Tcpip\..\{68B9BAF0-B1B3-48CB-B93D-25B05ED10EAD}: NameServer = 69.50.176.196,195.225.176.110
O19 - User stylesheet: (file missing) (HKLM)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINNT\System32\vbsys2.dll

Then reboot and post a new log. There will be more to do.

How long ago was Norton last updated?
It's a malware fest in there. Actually your friiend would be spreading the Sobig.F virus if he managed to get online.

Regards,
  • 0

#3
shinpad
Posted 03 August 2005 - 09:14 AM

shinpad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
thanks very much for your help. i can't transfer files but i've got him to remove the stuff from hijackthis - he's rebooting now and i'll post the new scan results in a minute.

thanks
  • 0

#4
Metallica
Posted 03 August 2005 - 09:19 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK I'll check back later today. :tazz:
  • 0

#5
shinpad
Posted 03 August 2005 - 09:24 AM

shinpad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
here you go mate:

Logfile of HijackThis v1.99.1
Scan saved at 16:34:35, on 03/08/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\System32\ltmsg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iRiver\HSeries\iHPDetect.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\hijackthis.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iHP-100] C:\Program Files\iRiver\HSeries\iHPDetect.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....009/CTSUEng.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\Navnt\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\Navnt\navapsvc.exe
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\Navnt\npssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
  • 0

#6
Metallica
Posted 03 August 2005 - 11:50 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Good job. The log is clean. :tazz:

Now we need to get that computer back online.

Can you tell us how it is connected and what happens when you try to contact the internet?
Also let us know if certain aspects (like email) do work and others don't.

Anything that you think might be important.

Regards,
  • 0

#7
shinpad
Posted 03 August 2005 - 12:07 PM

shinpad

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
my mate has gone home now so i'll let you know more about it tomorrow.
thanks a lot for your help

:tazz:
  • 0

#8
Metallica
Posted 03 August 2005 - 12:18 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
OK. :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP