Programs including IE very SLOW to open. [RESOLVED]


  • This topic is locked

#1
Donmulligan

    Member

  • Member
  • 30 posts
Hi

I've tried everything listed in the first page. Adaware, CW Shredder, Ewido scan, Trojan Hunter, and more.

All programs and windows are slow to open (e.g. My Docs, My Computer, Internet Explorer).

When using Internet Explorer, some pages simply do not appear (Hotmail). Also, some links on websites do not work (trying to book flights on ba.com - the "CONTINUE" button doesn't work. This problem appears with most websites that I use).

I have carried out an HJT scan, but don't know what to do with it. I have posted the log below - I'd appreciate any help. My life is on hold right now until this is sorted!

Logfile of HijackThis v1.99.1
Scan saved at 19:27:42, on 09/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eDonkey2000\eDonkey2000.exe
C:\Program Files\SAMSUNG\RF KeyboardMouse\mmkbd.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Ady\LOCALS~1\Temp\Rar$EX00.625\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: d.dll - {CF418C5F-A365-4962-B945-FD528D22D96D} - C:\DOCUME~1\Ady\APPLIC~1\Diag\diag.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIM.EXE
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124731025703
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04C5ECFA-3F56-4DAE-AC4A-EBB332694925}: NameServer = 80.225.250.178 80.225.250.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{04C5ECFA-3F56-4DAE-AC4A-EBB332694925}: NameServer = 195.50.80.131 195.50.80.132
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Thanks in anticipation. Don.
  • 0


#2
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

Before we can get started on fixing your problem you must change the location of Hijackthis. It should not run directly from your desktop or a temp directory. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.

Once you have Hijackthis running from a permanent folder, please reboot and post a new hijackthis log.
  • 0

#3
TonyKlein

    Malware Expert

  • Expert
  • 642 posts
  • MVP
My apologies for butting in here, but could I first ask you to please send the contents of the C:\Documents and Settings\Ady\Application Data\Diag folder (or of course that entire "Diag" folder) to submit_stuffATxs4all.nl for analysis? (replace 'AT' by @)

We strongly suspect it doesn't belong on your computer, and we would like to have a closer look at these files!

Much appreciated :tazz:

NOTE: To avoid the risk of the folder not being found due to it having the 'Hidden' attribute, first make sure that in Folder Options > View hidden and operating system files are set to show.

After that I'll be happy to leave you in Sam's most capable hands. :)
  • 0

#4
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Hi Donmulligan! :tazz:

Please let me know once you have submitted that file for expert analysis and we'll get you fixed up right away.
  • 0

#5
Donmulligan

    Member

  • Topic Starter
  • Member
  • 30 posts
Hi Buckeye and Tony

My apologies for the delay. I will get home tonight and post the required data to you immediately.

In the meantime, thank you so much for your help.

Don.
  • 0

#6
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Great!

Just make sure you remember to move Hijackthis into a permanent folder and then post a new log. Then we'll get you back up and running.
  • 0

#7
Donmulligan

    Member

  • Topic Starter
  • Member
  • 30 posts
Tony

I've emailed you the only file that was in that diag folder.

Thanks.
Don.

Buckeye

OK - Hijackthis is now in c:\hijackthis, and I've got a new log for you. Here goes:



Logfile of HijackThis v1.99.1
Scan saved at 17:06:43, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eDonkey2000\eDonkey2000.exe
C:\Program Files\SAMSUNG\RF KeyboardMouse\mmkbd.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: d.dll - {CF418C5F-A365-4962-B945-FD528D22D96D} - C:\DOCUME~1\Ady\APPLIC~1\Diag\diag.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIM.EXE
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124731025703
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04C5ECFA-3F56-4DAE-AC4A-EBB332694925}: NameServer = 80.225.250.178 80.225.250.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{04C5ECFA-3F56-4DAE-AC4A-EBB332694925}: NameServer = 195.50.80.131 195.50.80.132
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Thanks
Don.
  • 0

#8
TonyKlein

    Malware Expert

  • Expert
  • 642 posts
  • MVP

Tony

I've emailed you the only file that was in that diag folder.


Thanks! :tazz:

As suspected, it's a parasite: I found the url whatyoursearchingfor.com inside.

Cheers,
  • 0

#9
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Now let's get you fixed up!


Please follow these steps:
  • Please make sure that you can View Hidden Files
    • Click Start -> My Computer
    • Select Tools -> Folder options
    • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
    • Also make sure that 'Display the contents of system folders' is checked.
    • For more info on how to show hidden files click here.


  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    O2 - BHO: d.dll - {CF418C5F-A365-4962-B945-FD528D22D96D} - C:\DOCUME~1\Ady\APPLIC~1\Diag\diag.dll
    O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIM.EXE




  • Please reboot your computer in SafeMode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
    • If you have trouble getting into Safe mode go here for more info.



  • Once in Safe mode, delete these files or directories (Do not be concerned if they do not exist):


    C:\DOCUME~1\Ady\APPLIC~1\Diag\diag.dll
    C:\WINDOWS\wintrim\WINTRIM.EXE
Reboot your computer to go back to normal mode.


Please run Panda Online Virus Scan
  • You must allow the active-x control to run when asked.
  • There may be files that this scan will not remove.
  • Please include that information in your next post.
Reboot and post a new hijackthis log and the info from your virus scan.
  • 0

#10
Donmulligan

    Member

  • Topic Starter
  • Member
  • 30 posts
Buckeye

Things are looking up.

I got rid of the two HJT items. Then in Safe Mode, I deleted the files listed - the second one had already gone.

Programs, including IE, start immediately. However, I am still not able to view some web pages, such as hotmail, and some web pages do not allow me to follow certain links. This was the case with the Panda Scan - the 'Scan Now' button offered no response when clicked upon.

Anyway, I've just done another HJT log, so here you go:


Logfile of HijackThis v1.99.1
Scan saved at 19:38:27, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eDonkey2000\eDonkey2000.exe
C:\Program Files\SAMSUNG\RF KeyboardMouse\mmkbd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.supanet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = supanet Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\eDonkey2000.exe" -t
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: RF Keyboard&Mouse Program.lnk = ?
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124731025703
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{04C5ECFA-3F56-4DAE-AC4A-EBB332694925}: NameServer = 80.225.250.178 80.225.250.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{04C5ECFA-3F56-4DAE-AC4A-EBB332694925}: NameServer = 195.50.80.131 195.50.80.132
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Thanks.
Don.
  • 0


#11
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
We'll see about IE for you soon, but first let's make sure you are clean.

Please download Bit Defender 8 Free Edition
  • Install the program and then follow the prompts to download all available updates.
  • Perform a full scan on your Local drive.
  • When the scan is complete save the log and post it back here in your next reply.

  • 0

#12
Donmulligan

    Member

  • Topic Starter
  • Member
  • 30 posts
Just started the scan Buckeye. Estimated time is one hour - I'm dog-tired so I'm off to bed. I'll post the log in 8 hours - dawn over sunny London!
  • 0

#13
Donmulligan

    Member

  • Topic Starter
  • Member
  • 30 posts
Couldn't sleep. Here's the Bit Defender log:


//-----------------------------------------------------------------
//
// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 12/10/2005 21:56:24
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 5397
Files : 394116
Archives : 8977
Packed files : 24388
Identified viruses : 6
Infected files : 12
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 10
Copied files : 0
Moved files : 4
Renamed files : 0
I/O errors : 26
Scan time : 00:51:59
Scan speed (files/sec) : 126

Virus definitions : 221188
Scan plugins : 13
Archive plugins : 39
Unpack plugins : 4
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\WINDOWS\zip1.tmp=>(BASE64) Infected Win32.Netsky.P@mm
C:\WINDOWS\zip1.tmp=>(BASE64) Deleted
C:\WINDOWS\zip2.tmp=>(BASE64) Infected Win32.Netsky.P@mm
C:\WINDOWS\zip2.tmp=>(BASE64) Deleted
C:\WINDOWS\zip3.tmp=>(BASE64) Infected Win32.Netsky.P@mm
C:\WINDOWS\zip3.tmp=>(BASE64) Deleted
C:\Program Files\Norton AntiVirus\Quarantine\458D290C.exe=>(Quarantine-2) Infected Trojan.Downloader.Small.EN
C:\Program Files\Norton AntiVirus\Quarantine\458D290C.exe=>(Quarantine-2) Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\458D290C.exe Moved
C:\Program Files\Norton AntiVirus\Quarantine\30014C39.exe=>(Quarantine-2) Infected Trojan.Downloader.IstBar.DA
C:\Program Files\Norton AntiVirus\Quarantine\30014C39.exe=>(Quarantine-2) Deleted
C:\Program Files\Norton AntiVirus\Quarantine\45905308.exe=>(Quarantine-2) Infected Trojan.Dropper.Delf.Z
C:\Program Files\Norton AntiVirus\Quarantine\45905308.exe=>(Quarantine-2) Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\45905308.exe=>(Quarantine-2)=>(Embedded EXE o) Infected Trojan.Clicker.Delf.R
C:\Program Files\Norton AntiVirus\Quarantine\45905308.exe=>(Quarantine-2)=>(Embedded EXE o) Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\45905308.exe=>(Quarantine-2)=>(Embedded EXE o) Move failed
C:\Program Files\Norton AntiVirus\Quarantine\45905308.exe Moved
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125668.exe=>(Quarantine-2) Infected Trojan.Downloader.Small.EN
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125668.exe=>(Quarantine-2) Disinfection failed
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125668.exe Moved
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125669.exe=>(Quarantine-2) Infected Trojan.Downloader.IstBar.DA
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125669.exe=>(Quarantine-2) Deleted
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125670.exe=>(Quarantine-2) Infected Trojan.Dropper.Delf.Z
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125670.exe=>(Quarantine-2) Disinfection failed
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125670.exe=>(Quarantine-2)=>(Embedded EXE o) Infected Trojan.Clicker.Delf.R
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125670.exe=>(Quarantine-2)=>(Embedded EXE o) Disinfection failed
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125670.exe=>(Quarantine-2)=>(Embedded EXE o) Move failed
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP495\A0125670.exe Moved
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP470\A0118552.exe=>(NSIS o)=>lzma_nsis0058 Infected Dropped:Adware.DEA.A
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP470\A0118552.exe=>(NSIS o)=>lzma_nsis0058 Disinfection failed
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP470\A0118552.exe=>(NSIS o)=>lzma_nsis0058 Move failed
  • 0

#14
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Good! Bit Defender took care of a few nasties.

I have one more concern from your Hijackthis log. Do you know this IP address?

195.50.80.131

It is registered to Boltblue International Ltd.
Is that familiar to you?


Is there any change in how IE is working?
  • 0
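An added example, not part of this thread and not HijackThis's or Geeks to Go's own tooling: a small Python script that applies, over log lines, the two checks the experts made by hand above. It picks out the kind of O2/O4 entries Sam flagged in post #9 (a BHO loading from the user's Application Data folder, an autorun living in a custom subfolder of C:\WINDOWS) and does the O17 nameserver comparison from post #14. The sample log lines are copied from the entries discussed in this thread; the allowlist of expected DNS servers and the two path heuristics are assumptions, and a hit means "look at this entry", not "this is malware" (the 195.50.80.x servers turned out to be the user's old ISP).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample in HijackThis v1.99 log format, taken from the entries
# discussed in this thread (not the complete log that was posted).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: d.dll - {CF418C5F-A365-4962-B945-FD528D22D96D} - C:\DOCUME~1\Ady\APPLIC~1\Diag\diag.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIM.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{04C5ECFA-3F56-4DAE-AC4A-EBB332694925}: NameServer = 80.225.250.178 80.225.250.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{04C5ECFA-3F56-4DAE-AC4A-EBB332694925}: NameServer = 195.50.80.131 195.50.80.132
"""

# Assumed allowlist: the DNS servers the user's current ISP hands out (the
# 80.225.250.x pair from the log). Anything else is reported for an
# ownership check, as the expert did with 195.50.80.131 in the thread.
EXPECTED_DNS = {"80.225.250.178", "80.225.250.186"}

# Heuristic 1: a BHO or autorun binary living in a user-profile data or temp
# folder (8.3 short names as HijackThis prints them, or the long forms).
PROFILE_DIR = re.compile(
    r"(?:DOCUME~1|Documents and Settings)\\[^\\]+\\"
    r"(?:APPLIC~1|Application Data|LOCALS~1|Local Settings)",
    re.IGNORECASE,
)
# Heuristic 2: a custom subfolder directly under the Windows directory
# (C:\WINDOWS\wintrim\...) rather than system32 or System. Legitimate
# software rarely installs there, so it is worth a look, not a verdict.
WINDIR_CUSTOM = re.compile(
    r"^[A-Z]:\\WINDOWS\\(?!system32\\|system\\)[^\\]+\\", re.IGNORECASE
)
# The file path at the end of an O2/O4 line, with or without quotes.
PATH_RE = re.compile(r'"?([A-Z]:\\[^"]+?\.(?:dll|exe))"?', re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(.+)$", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O2", "O4", "O17"
    item: str     # the path or IP address that triggered the finding
    reason: str


def triage(log_text: str, expected_dns: set[str]) -> list[Finding]:
    """Return the O2/O4/O17 entries that deserve a manual look."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section in ("O2", "O4"):
            m = PATH_RE.search(line)
            if not m:
                continue
            path = m.group(1)
            if PROFILE_DIR.search(path):
                findings.append(Finding(section, path,
                                        "loads from a user-profile data/temp folder"))
            elif WINDIR_CUSTOM.search(path):
                findings.append(Finding(section, path,
                                        "loads from a custom subfolder of the Windows directory"))
        elif section == "O17":
            m = NAMESERVER_RE.search(line)
            if not m:
                continue
            for token in re.split(r"[\s,]+", m.group(1).strip()):
                try:
                    ip = str(ip_address(token))
                except ValueError:
                    continue  # not an address; ignore the token
                if ip not in expected_dns:
                    findings.append(Finding(section, ip,
                                            "DNS server outside the expected set; check who it is registered to"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_DNS):
        print(f"{f.section:<4} {f.item}\n     -> {f.reason}")
```

Run against the sample it reports four entries: the diag.dll BHO, the WINTRIM.EXE autorun, and the two 195.50.80.x nameservers. Once the user confirms those servers belong to a provider they actually use, adding them to EXPECTED_DNS makes the O17 findings disappear, which is exactly the "is that familiar to you?" step in post #14 expressed as configuration.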

#15
Donmulligan

    Member

  • Topic Starter
  • Member
  • 30 posts
Hi Buckeye

Yes, Boltblue is my previous ISP and I still have an E-mail account with them.

As I mentioned earlier, IE is opening immediately but there are still some problems. I cannot open certain sites - they appear to load, the blue tab at the top names the page, at the bottom left it says "Done", but the screen is blank. An example of this is www.hotmail.com.

Also, within some sites, certain links are useless, especially Javascript 'buttons'.

What next?
  • 0





