a slow pc very slow


#1
toutou21

Hi,
I don't think that malware is causing these problems on my PC. It runs very, very slowly, and a message is shown telling that the minimal memory is not a lot??? Nothing shows in the HijackThis log file in XP, it's empty!!!
But when I run the previous version of Windows (ME), the HijackThis log shows this:
Logfile of HijackThis v1.99.1
Scan saved at 19:24:59, on 20/08/2000
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\HCOUNT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\U.S. ROBOTICS\CONTROLCENTER\REMINDER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\WUAUCLT.EXE
D:\HTJ\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wazzupnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 66.55.134.199 msn.com
O1 - Hosts: 66.55.134.199 www.msn.com
O1 - Hosts: 66.55.134.199 search.msn.com
O1 - Hosts: 66.55.134.199 auto.search.msn.com
O1 - Hosts: 66.55.134.199 sitefinder.verisign.com
O1 - Hosts: 66.55.134.199 sitefinder-idn.verisign.com
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\MSLAGENT\4B_1,0,1,0_MSLAGENT.DLL (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SelfHostUtil] C:\WINDOWS\selfhost.exe /L
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\RunServices: [HiberMonitor] HCount.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\MSLAGENT.EXE
O4 - Startup: Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downlo...IA/dtc32_FR.cab
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downlo...B_1034_pack.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.mtreexxx..../fc/UniDist.CAB
O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://go.securelive.../WebInstall.dll
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://198.143.27.5/Other.cab
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://198.143.27.14...chat/Loader.cab
O16 - DPF: {CF5F84EB-D3FC-4F98-BE3B-F5B56B962CED} - http://akamai.downlo...COMLIB_1035.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_FR.cab

Please help me to resolve this problem !!!!

#2
MrCharlie

Welcome to the forum.

Do you recognize these files:

C:\WINDOWS\HCOUNT.EXE
EGCOMLIB_1035.dll

Close ALL programs down, leaving ONLY HijackThis running.
Place a check against the following items:

O1 - Hosts: 66.55.134.199 msn.com
O1 - Hosts: 66.55.134.199 www.msn.com
O1 - Hosts: 66.55.134.199 search.msn.com
O1 - Hosts: 66.55.134.199 auto.search.msn.com
O1 - Hosts: 66.55.134.199 sitefinder.verisign.com
O1 - Hosts: 66.55.134.199 sitefinder-idn.verisign.com
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\MSLAGENT\4B_1,0,1,0_MSLAGENT.DLL (file missing)
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\MSLAGENT.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downlo...IA/dtc32_FR.cab
O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downlo...B_1034_pack.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} (MoneyTree Dialer) - http://xbs.mtreexxx..../fc/UniDist.CAB
O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://go.securelive.../WebInstall.dll
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://198.143.27.5/Other.cab
O16 - DPF: {CC110316-5BE7-4AAA-AEDD-1A5B147BE34C} (MyWebOperator Class) - http://198.143.27.14...chat/Loader.cab
O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} - http://akamai.downlo.../netia32_FR.cab

Click on Fix Checked and exit HijackThis.

Delete this file if found:


C:\WINDOWS\mslagent\MSLAGENT.EXE
C:\WINDOWS\mslagent <---- folder too

Reboot and post a fresh HijackThis log and we'll take another look. MrC

#3
toutou21

OK, I did what you told me;
but when I run XP (on my D: disk) it still runs slowly, very very slowly (message about a minimal virtual memory). I can't work anymore with my XP!!! And this is the HJThis log:

Logfile of HijackThis v1.99.1
Scan saved at 09:33:08, on 21/08/2000
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\dmadmin.exe
D:\WINDOWS\system32\userinit.exe
D:\WINDOWS\Explorer.EXE
D:\HTJ\hijackthis\HijackThis.exe

O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - D:\WINDOWS\System32\netddeclnt.exe (file missing)

And when I choose my (C disk) it runs normally, but I can't work with all my programs. This is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 09:22:46, on 21/08/2000
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\HCOUNT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SISTRAY.EXE
C:\WINDOWS\SYSTEM\KHOOKER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
D:\PROGRAM FILES\QUICKTIME\QTTASK.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\U.S. ROBOTICS\CONTROLCENTER\REMINDER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WINPHONE\WINPHONE.EXE
D:\HTJ\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wazzupnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1036,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SelfHostUtil] C:\WINDOWS\selfhost.exe /L
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM\SISTRAY.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\SYSTEM\khooker.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [HiberMonitor] HCount.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - Startup: Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
O8 - Extra context menu item: Télécharger en utilisant FlashGet - D:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Tout télécharger en utilisant FlashGet - D:\PROGRAM FILES\FLASHGET\jc_all.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O16 - DPF: {CF5F84EB-D3FC-4F98-BE3B-F5B56B962CED} - http://akamai.downlo...COMLIB_1035.cab

Please help me to resolve this, I need XP to work!!! Thanks in advance...

#4
MrCharlie

This is for the "ME"

Close ALL programs down, leaving ONLY HijackThis running.
Place a check against the following items:

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)

Click on Fix Checked and exit HijackThis.

I need the complete HJT log from XP - you only posted a third of it.

MrC

#5
toutou21

Hi, thanks for the reply, but the HJT log of XP is complete, there is only one line!!! Is it abnormal!!!!

XP is still very slow and when I can work, many error messages appear like " you have not lot memory to run this program" or " an error 0cx0000142"......please I need help.

#6
MrCharlie

Yes that's not a normal HJT log.
From just what I see you have the W32/Codbot-M worm
You can try this:
1 - Close all open Explorer windows and browsers
2 - Run HijackThis

In HijackThis, click on the "Open the Misc Tool Section".
Then click "Open Process Manager".
Locate one at a time, the process(es) listed below, click it, (If present.)
Click the "Kill Process" button.
The process(es) is/are:

netddeclnt.exe
Netlib.exe

CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - D:\WINDOWS\System32\netddeclnt.exe (file missing)

Click on Fix Checked and exit HijackThis.

Delete these files if found:

C:\WINDOWS\System32\netddeclnt.exe
C:\WINDOWS\System32\Netlib.exe

Have you run any programs like Spybot, AdAware, or Ewido?
Have you run an anti virus scan??
I don't see any protection on the system - no anti virus program, no firewall, it looks like you are way behind on your Windows updates also.
This leaves you wide open for problems.

Let me know, see if you can get a complete HJT log, MrC

#7
toutou21

Hi,
I did what you told me, but the HJT log was the same, and I didn't find the processes " netlib and netddecln". This is the log file:
NB: I have Ad-Aware, Firefox, and SpywareBlaster on my PC!!!
Logfile of HijackThis v1.99.1
Scan saved at 12:54:59, on 22/08/2000
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\imapi.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\WINDOWS\Explorer.EXE
D:\HTJ\hijackthis\HijackThis.exe

O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - D:\WINDOWS\System32\netddeclnt.exe (file missing)

Waiting for your reply, thanks in advance.

#8
MrCharlie

I've never seen that happen with a HJT log.

The link below is an older version of HJT.
Please download and unzip it to a folder and try it - see if it gives a complete log.

http://www.bleepingc...ackThis1982.zip

Thanks, MrC

#9
toutou21

Hi, I tried with the old version of HJThis and this is the log file:


Scan saved at 10:14:52, on 23/08/2000
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\imapi.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\t.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Benteboula Toufik\Local Settings\Temp\Répertoire temporaire 2 pour HijackThis1982.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1030
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;cgi*.ebay.com;disney.go.com;msa_e1.ebay.com;rhapsody_app*.listen.com;<local>
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{A760F5A3-BB80-4D42-862C-AB65B3D2B149}: NameServer = 10.10.1.202 192.168.20.5

#10
MrCharlie

This is a real weird one.

That's an incomplete log also, but I did notice this file:

D:\WINDOWS\System32\t.exe

See if you can find this file and right click on it, choose properties and see what it belongs to and do you recognize the file.

In the meantime let me seek some advice on how to proceed.

Thanks, MrC

#11
MrCharlie

It's hard to say what the problem is. It may be an operating system problem.

I did a search on Google using virtual memory problem XP and came up with these which may be of help:

http://aumha.org/win5/a/xpvm.php

http://www.hi.au.dk/...oscope/xppatch/

http://www.proz.com/topic/35410

http://www.theelderg...or_messages.htm

See if any of those help, you can also search for more links on Google using virtual memory problem XP
You'll get plenty of hits.

I'll see what else I can find out, MrC

#12
toutou21

Hi,
I found the file "t.exe", it's an application created recently (20/08/05). I tried to delete it but I can't, what can I do!!!!!

#13
MrCharlie

Let's see if you can generate a start up list:

Run HJT, click Misc Tools, click on Generate Startup Log

Post the log if you can.

Did you look at those links I gave you about virtual memory??

Thanks, MrC

#14
MrCharlie

I got a couple of suggestions from other members, let's try this:

Download and run CCleaner - it will clean out all the temp files on the system:
http://www.filehippo...d_ccleaner.html
Download, install and run it.
Use the default settings, just uncheck cookies.

=================================================================

HowToShowHiddenFiles - <---enable this


Download and unzip the KillBox to a folder.

Now open up the KillBox and copy and paste this in and hit delete, if the file exists, it will appear in blue under the window.

D:\WINDOWS\System32\t.exe

If it won't delete - use the Delete on reboot option:
Open up the KillBox.
Select the Delete on Reboot option.
In the field labeled Full Path of File to Delete copy and paste each one of these in one at a time.

D:\WINDOWS\System32\t.exe

Hit the delete button
OK
Do the next file if needed
After that LAST file path has been entered and you press OK
Reboot the computer
If you receive an error message and your computer doesn't restart, please restart it manually.

Please check to see if there's also a t.dll anywhere on the system.
If so - we want to delete it - use the KillBox if necessary.

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

Let me know, MrC

#15
toutou21

Hi,
OK, I deleted the t.exe file as you showed; this is the startup list:

StartupList report, 25/08/2000, 16:33:14
StartupList version: 1.52.2
Started from : D:\HTJ\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\netdde.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\System32\imapi.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\vssvc.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\dmadmin.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
D:\WINDOWS\system32\cidaemon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\HTJ\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[D:\Documents and Settings\All Users\Menu Démarrer\Programmes\Démarrage]
BlueSoleil.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Shell & screensaver key from D:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=D:\WINDOWS\MAERSK~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {A5366673-E8CA-11D3-9CD9-0090271D075B}

--------------------------------------------------

Enumerating Task Scheduler jobs:

XoftSpy.job

--------------------------------------------------

Enumerating Download Program Files:

[{41564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...01F/wmvadvd.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: D:\WINDOWS\system32\SHELL32.dll
CDBurn: D:\WINDOWS\system32\SHELL32.dll
WebCheck: *Registry key not found*
SysTray: D:\WINDOWS\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Spool Service = t.exe

--------------------------------------------------

End of report, 3 556 bytes
Report generated in 0,521 seconds

And this is the new hjtlog file :

Logfile of HijackThis v1.99.1
Scan saved at 16:39:50, on 25/08/2000
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\netdde.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\System32\imapi.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\vssvc.exe
D:\WINDOWS\System32\wbem\wmiapsrv.exe
D:\WINDOWS\System32\dmadmin.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
D:\WINDOWS\system32\cidaemon.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\HTJ\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1030
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;cgi*.ebay.com;disney.go.com;msa_e1.ebay.com;rhapsody_app*.listen.com;<local>
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - Global Startup: BlueSoleil.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{A760F5A3-BB80-4D42-862C-AB65B3D2B149}: NameServer = 10.10.1.202 192.168.20.5
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - D:\WINDOWS\System32\netddeclnt.exe (file missing)

I think it's a complete log; see if there is another problem. Now the PC seems to be clean and starts up quickly!!! Waiting for your response!!!! Thanks a lot!!!
  • 0
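
The by-eye triage of the HijackThis logs in this thread (hosts entries pointing several names at one address, entries whose file is missing, an ActiveX download served from a bare IP address) can be scripted. This is an added example, not part of any post and not a HijackThis feature; the function names, rule labels and the loopback exclusion are assumptions of the example, and the sample input is a few lines copied from the logs above. Hits are leads for a human to review, not verdicts.

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wazzupnet.com
O1 - Hosts: 66.55.134.199 msn.com
O1 - Hosts: 66.55.134.199 search.msn.com
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\MSLAGENT\4B_1,0,1,0_MSLAGENT.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://198.143.27.5/Other.cab
O16 - DPF: {CF5F84EB-D3FC-4F98-BE3B-F5B56B962CED} - http://akamai.downlo...COMLIB_1035.cab
O23 - Service: Network DDE Client (NetDDEclnt) - Unknown owner - D:\WINDOWS\System32\netddeclnt.exe (file missing)
"""

# An entry line is "<section code> - <body>", e.g. "O1 - Hosts: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<name>\S+)$")
# URL whose host part is a complete dotted-quad address.
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")
# Assumption: loopback/null hosts entries are usually blocklists, so skip them.
LOOPBACK = {"127.0.0.1", "0.0.0.0"}


def parse_entries(log_text):
    """Return (code, body) for every entry line; headers and process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match["code"], match["body"]))
    return entries


def triage(log_text):
    """Return (rule, code, detail) leads for a human reviewer."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for code, body in parse_entries(log_text):
        if code == "O1":
            match = HOSTS_RE.match(body)
            if match and match["ip"] not in LOOPBACK:
                hosts_by_ip[match["ip"]].append(match["name"])
        # HijackThis marks entries whose target no longer exists on disk.
        if body.endswith("(file missing)") or body.endswith("(no file)"):
            findings.append(("orphaned-entry", code, body))
        if code == "O16" and IP_URL_RE.search(body):
            findings.append(("download-from-ip", code, body))
    # One finding per address, listing every name redirected to it.
    for ip, names in hosts_by_ip.items():
        findings.append(("hosts-redirect", "O1", f"{ip} <- {', '.join(names)}"))
    return findings


if __name__ == "__main__":
    for rule, code, detail in triage(SAMPLE_LOG):
        print(f"[{rule}] {code}: {detail}")
```
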





