DSL connection slowed down: check log please


#1
cronopio (Member, 13 posts)

Hey all,

I posted a topic here previously; I now have to confess it was about my brother's computer. :tazz:

I'm now trying to figure what's slowing down my computer's DSL connection.
Things have slowed down since I started using a wireless router (and leaving it on 24/7). I suspected spyware, but after running Windows update, Ad-aware turned up zilch. Could you examine my HJT log and confirm that there is no spyware slowing me down?

Thanks muchly,

cronopio

HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 9:45:35 PM, on 12/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\mgabg.exe
D:\Program Files\Tiny Personal Firewall\persfw.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\PDesk.exe
D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINNT\system32\RUNDLL32.exe
D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
D:\WINNT\system32\internat.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Wireless LAN Utility\Am772cfg.exe
D:\Documents and Settings\Mathijs Panhuijsen\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (D:\Program Files\Netscape\Users\mathijs\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11359F4A-B191-42d7-905A-594F8CF0387B} - D:\WINNT\Downloaded Program Files\lexbar.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\winnt\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - D:\WINNT\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MGA_CD_Install] F:\mgasetup.exe /No_Welcome /Lang:English
O4 - HKLM\..\Run: [mgavrtclexe] D:\WINNT\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [mssyslanhelper] D:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [Easy PDF Creator] D:\Program Files\Easy PDF Creator\EasyPDFCreator.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "D:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] D:\WINNT\MCBin\AV\Rt\mgavrte.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LTM2] D:\WINNT\winsys\svchost.exe
O4 - HKCU\..\Run: [Rarr] D:\Documents and Settings\Mathijs Panhuijsen\Application Data\rltp.exe
O4 - Startup: AM772CFG.lnk = D:\Program Files\Wireless LAN Utility\Am772cfg.exe
O4 - Startup: Snelkoppeling naar Ranzendsnel.lnk = ?
O8 - Extra context menu item: &Google Search - res://d:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://d:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .xls: D:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\NPDOC.DLL
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - http://404.x-share.com/vvv/Pribi.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8237.5620833333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
  • 0
#2
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)

Click Here to download the latest version of Hijack This (1.99.0). It's better able to catch the latest threats.

-=jonnyrotten=- :tazz:
  • 0

#3
cronopio (Topic Starter, Member, 13 posts)

Oops, my bad.
Here's the updated log. Please note that I did some analysis of my own and kicked out some items mentioned in the first log.

Thanks for your help,

cro

New log:

Logfile of HijackThis v1.99.0
Scan saved at 5:29:30 PM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\mgabg.exe
D:\Program Files\Tiny Personal Firewall\persfw.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\PDesk.exe
D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINNT\system32\RUNDLL32.exe
D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
D:\Program Files\Common Files\Real\Update_OB\rndal.exe
D:\WINNT\system32\internat.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Wireless LAN Utility\Am772cfg.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Mathijs Panhuijsen\Bureaublad\HijackThis-1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (D:\Program Files\Netscape\Users\mathijs\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - D:\WINNT\Downloaded Program Files\lexbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\winnt\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - D:\WINNT\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MGA_CD_Install] F:\mgasetup.exe /No_Welcome /Lang:English
O4 - HKLM\..\Run: [mgavrtclexe] D:\WINNT\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Easy PDF Creator] D:\Program Files\Easy PDF Creator\EasyPDFCreator.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "D:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] D:\WINNT\MCBin\AV\Rt\mgavrte.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LTM2] D:\WINNT\winsys\svchost.exe
O4 - HKCU\..\Run: [Rarr] D:\Documents and Settings\Mathijs Panhuijsen\Application Data\rltp.exe
O4 - Startup: AM772CFG.lnk = D:\Program Files\Wireless LAN Utility\Am772cfg.exe
O4 - Startup: Snelkoppeling naar Ranzendsnel.lnk = ?
O8 - Extra context menu item: &Google Search - res://d:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://d:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINNT\system32\msjava.dll
O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - D:\Documents and Settings\Mathijs Panhuijsen\Local Settings\Temporary Internet Files\Content.IE5\ILDH0F60\access[2].exe (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - D:\Documents and Settings\Mathijs Panhuijsen\Local Settings\Temporary Internet Files\Content.IE5\09CHYJ4X\access[1].exe (file missing)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - D:\WINNT\System32\crtv2_32.dll (file missing)
O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - D:\Documents and Settings\Mathijs Panhuijsen\Local Settings\Temporary Internet Files\Content.IE5\ILDH0F60\access[2].exe (file missing) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - D:\Documents and Settings\Mathijs Panhuijsen\Local Settings\Temporary Internet Files\Content.IE5\09CHYJ4X\access[1].exe (file missing) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - D:\WINNT\System32\crtv2_32.dll (file missing) (HKCU)
O12 - Plugin for .xls: D:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\NPDOC.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O23 - Service: McAfee.com AV Engine - Unknown - D:\WINNT\mcbin\av\rt\asengine.exe (file missing)
O23 - Service: Logical Disk Manager Administrative-service - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINNT\System32\mgabg.exe
O23 - Service: Tiny Personal Firewall - Tiny Software - D:\Program Files\Tiny Personal Firewall\persfw.exe

  • 0

#4
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)

Go to Add/Remove Programs in Control Panel and uninstall Wild Tangent.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "D:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKCU\..\Run: [LTM2] D:\WINNT\winsys\svchost.exe
O4 - HKCU\..\Run: [Rarr] D:\Documents and Settings\Mathijs Panhuijsen\Application Data\rltp.exe
O4 - Startup: Snelkoppeling naar Ranzendsnel.lnk = ?
O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - D:\Documents and Settings\Mathijs Panhuijsen\Local Settings\Temporary Internet Files\Content.IE5\ILDH0F60\access[2].exe (file missing)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - D:\Documents and Settings\Mathijs Panhuijsen\Local Settings\Temporary Internet Files\Content.IE5\09CHYJ4X\access[1].exe (file missing)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - D:\WINNT\System32\crtv2_32.dll (file missing)
O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - D:\Documents and Settings\Mathijs Panhuijsen\Local Settings\Temporary Internet Files\Content.IE5\ILDH0F60\access[2].exe (file missing) (HKCU)
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - D:\Documents and Settings\Mathijs Panhuijsen\Local Settings\Temporary Internet Files\Content.IE5\09CHYJ4X\access[1].exe (file missing) (HKCU)
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - D:\WINNT\System32\crtv2_32.dll (file missing) (HKCU)

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

D:\Program Files\WildTangent

Reboot normally and post new log.

-=jonnyrotten=- :tazz:
  • 0
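
One way to triage autorun entries like those in the logs above, as an added example that is not part of the thread or any poster's tooling. It runs over lines taken from the v1.99.0 log (profile name replaced with a placeholder); the flag names and the `SYSTEM32_NAMES` list are assumptions of this example, and a flag means "verify this file", not a verdict.

```python
import ntpath
import re

# Lines from the HijackThis v1.99.0 log in this thread; the Windows profile
# name is replaced with the placeholder <user>.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [LTM2] D:\WINNT\winsys\svchost.exe
O4 - HKCU\..\Run: [Rarr] D:\Documents and Settings\<user>\Application Data\rltp.exe
O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - D:\WINNT\System32\crtv2_32.dll (file missing)
O9 - Extra button: (no name) - {83D5556F-4224-4fc7-A578-4D09AAD5DED4} - D:\Documents and Settings\<user>\Local Settings\Temporary Internet Files\Content.IE5\ILDH0F60\access[2].exe (file missing)
"""

# Assumption of this example: binaries that the thread's "Running processes"
# lists show under ...\system32 on this Windows 2000 machine.
SYSTEM32_NAMES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                  "svchost.exe", "spoolsv.exe", "internat.exe"}
# Profile directories any user-level process can write to.
USER_WRITABLE = ("\\application data\\", "\\temporary internet files\\")

RUN_ENTRY = re.compile(r"^O4 - \S+ \[.*?\] (.*)$")
OTHER_ENTRY = re.compile(r"^O(2|3|9|23) - ")
# A drive-rooted path (spaces allowed) or a bare file name, up to its extension.
TARGET = re.compile(r'"?((?:[A-Za-z]:\\.+?|[^\s"\\]+?)\.(?:exe|dll|ocx))\b', re.I)


def command_of(line):
    """Return the part of a log line that holds the file to be loaded."""
    m = RUN_ENTRY.match(line)
    if m:
        return m.group(1)              # text after "[value name] "
    if OTHER_ENTRY.match(line):
        return line.rsplit(" - ", 1)[1]  # path is the last " - " field
    return None


def flags_for(line):
    """Return (target_path, [flags]) or None if the line has no file target."""
    line = line.strip()
    cmd = command_of(line)
    m = TARGET.search(cmd) if cmd else None
    if not m:
        return None
    path = m.group(1)
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    flags = []
    if not folder:
        # Bare name: which file runs depends on the search path, so resolve
        # and check the actual file before deciding anything.
        flags.append("no-path")
    elif name in SYSTEM32_NAMES and not folder.endswith("\\system32"):
        flags.append("system-name-outside-system32")
    if any(d in path.lower() for d in USER_WRITABLE):
        flags.append("user-writable-dir")
    if "(file missing)" in line:
        flags.append("file-missing")
    return path, flags


def triage(log_text):
    """Map each flagged target path to its list of flags."""
    result = {}
    for line in log_text.splitlines():
        parsed = flags_for(line)
        if parsed and parsed[1]:
            result[parsed[0]] = parsed[1]
    return result


if __name__ == "__main__":
    for target, flags in triage(SAMPLE_LOG).items():
        print(f"{', '.join(flags):32} {target}")
```
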

#5
cronopio (Topic Starter, Member, 13 posts)

Hello, I did as you instructed and ran HJT immediately afterward, getting the result shown below.
Got a bit of a shock though because my LAN connection didn't work anymore. The "Snelkoppeling naar Ranzendsnel.lnk" that you told me to remove is a shortcut to that. Starting the LAN connection manually and rebooting did the trick, however.

I'll now test (in Firefox!) if my connection speed improved.

Thanks for your help,

cronopio

Logfile of HijackThis v1.99.0
Scan saved at 12:58:37 PM, on 12/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\System32\mgabg.exe
D:\Program Files\Tiny Personal Firewall\persfw.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\inetsrv\inetinfo.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\PDesk.exe
D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
D:\WINNT\system32\internat.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Wireless LAN Utility\Am772cfg.exe
D:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (D:\Program Files\Netscape\Users\mathijs\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - D:\WINNT\Downloaded Program Files\lexbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\winnt\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - D:\WINNT\Downloaded Program Files\lexbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] D:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MGA_CD_Install] F:\mgasetup.exe /No_Welcome /Lang:English
O4 - HKLM\..\Run: [mgavrtclexe] D:\WINNT\MCBin\AV\Rt\mgavrtcl.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] D:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Easy PDF Creator] D:\Program Files\Easy PDF Creator\EasyPDFCreator.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] D:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\RunServices: [mgavrtclexe] D:\WINNT\MCBin\AV\Rt\mgavrte.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: AM772CFG.lnk = D:\Program Files\Wireless LAN Utility\Am772cfg.exe
O8 - Extra context menu item: &Google Search - res://d:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O8 - Extra context menu item: Similar Pages - res://d:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\WINNT\system32\msjava.dll
O12 - Plugin for .xls: D:\PROGRA~1\Netscape\COMMUN~1\Program\PLUGINS\NPDOC.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop...cpConnCheck.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://antu.popcap.c...aploader_v5.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.re...lbar/lexico.cab
O23 - Service: McAfee.com AV Engine - Unknown - D:\WINNT\mcbin\av\rt\asengine.exe (file missing)
O23 - Service: Logical Disk Manager Administrative-service - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - D:\WINNT\System32\mgabg.exe
O23 - Service: Tiny Personal Firewall - Tiny Software - D:\Program Files\Tiny Personal Firewall\persfw.exe
  • 0

#6
admin (Founder Geek, Administrator, 24,504 posts)

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O4 - HKCU\..\Run: [internat.exe] internat.exe <- Virus

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
D:\WINNT\system32\internat.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :tazz:
  • 0

#7
cronopio (Topic Starter, Member, 13 posts)

No offense, but are you SURE this is a virus?
At http://www.liutiliti...brary/internat/ I found the following description for this process:

Process File: internat or internat.exe
Process Name: Microsoft Input Locales

Description:
internat.exe is installed with Windows and is a process that provides Microsoft's multi-lingual features in Microsoft Windows. This program is important for the stable and secure running of your computer and should not be terminated. internat.exe is also a process which is registered as the Win32.Lydra.a information stealing Trojan. This Trojan allows attackers to access your computer, personal data and information. It is a registered security risk and should be removed immediately. Please see additional details regarding this process

There is a system tray icon that allows me to switch from a US keyboard config to a Dutch one, which corresponds perfectly to the "legit" description above. Also, a recent virus check using http://securityresponse.symantec.com did not turn up this file as a virus.

Don't take this the wrong way, but I'm not so sure I should terminate and delete this. Can you tell me how I can verify that this is indeed the real deal (a virus), and not a genuine Windows file?

Thanks,

cronopio.
  • 0

#8
cronopio (Topic Starter, Member, 13 posts)

Update: a Kaspersky Lab virus checker (www.kaspersky.com/scanforvirus) agrees that this file is clean.
  • 0

#9
admin (Founder Geek, Administrator, 24,504 posts)

I was going to have you submit to Kaspersky, good thinking! :tazz:

I should have had you check it first. ;)
  • 0

#10
cronopio (Topic Starter, Member, 13 posts)

No prob, I'm glad to have discovered this Kaspersky page.
However, does this mean that the rest of the HJT log is ok?
I can identify the popupcaploader entry -- it came with an online game (which may still imply malware). For the rest, I don't see anything strange myself.
Also, if you suggest deleting further files, is it ok if I use a "Delete file(s) on the next boot" feature? This is a little tool I downloaded from http://www.gibinsoft.net/gipoutils/
and so far, it's been doing its job well without me having to SafeMode back and forth.

Thanks for your assistance,

cronopio
  • 0