Welcome to Tech Support Forum, home to more than 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming.

HijackThis Log Help
#1 (permalink)
Member
Slow computer
I recently switched internets from MSN dial-up to Comcast Broadband. After I installed it, it worked fine for a while. Then, the longer I stayed on the computer, it'd go slow. Not the internet, but loading my stuff, like bringing up my documents, or music. The only way I can get it to run faster is if I restart my computer but then it does it again. I use Ad-Aware, Spybot Search and Destroy, AVG free, and ZoneAlarm. Any ideas on why this might be happening?
Last edited by Dazed Hybrid : 01-28-2005 at 05:32 PM.

#2 (permalink)
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Please download HijackThis - this program will help us determine if there is any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. The result.txt file will open up in Notepad. Copy the whole result.txt log and post it in the forum.

We do not need the original hijackthis.log (unless we ask for it). Do not fix anything in HijackThis since they may be harmless.
__________________
GO BIG BLUE!!

#3 (permalink)
Member
I forgot to mention, every so often, the messengers crash. [AIM and Msn Messenger]
===========================================================================================================================
Log was analyzed using HijackThis Analyzer - Updated on 12/17/04
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 10:53:53 PM, on 1/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Documents and Settings\Owner\My Documents\Winamp\winampa.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Obscured Despair\My Documents\RandomPrograms\AIM\aim.exe
C:\PROGRA~1\MOZILL~1\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>;dav.calendar.msn.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [NAV CfgWiz] c:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [WinampAgent] C:\Documents and Settings\Owner\My Documents\Winamp\winampa.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Obscured Despair\My Documents\RandomPrograms\AIM\aim.exe -cnetwait.odl
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\REGION\customizeIe.wsf
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: MsnFixer.lnk = ?
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Obscured Despair\My Documents\RandomPrograms\AIM\aim.exe
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta
O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.co...haringctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microso.../TLIEFlash.CAB
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pro...tor/WebSWK.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

End of HijackThis Analyzer Log.
===========================================================================================================================

Last edited by Dazed Hybrid : 01-28-2005 at 07:54 PM.

#4 (permalink)
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Hmmmm.....nothing jumping out there.
The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link doesn't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, they will be listed in the bottom window. Please copy and paste that here also if it applies.

#6 (permalink)
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Still nothing jumping out.
If you are rid of MSN, do you still use this feature? dav.calendar.msn.com

If not, then..... Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>;dav.calendar.msn.com

Reboot and report back. I would still run those tools.

#7 (permalink)
Member
Don't know if I did this right but here are the alarms TDS-3 gave me:
Scan Control Dumped @ 03:36:22 29-01-05

Suspicious Filename: Dual extensions File: c:\documents and settings\obscured despair\my documents\my downloads\trillian-v0.74f.exe
Suspicious Filename: Dual extensions File: c:\documents and settings\obscured despair\my documents\song\bsplayer100.812.exe
Suspicious Filename: Dual extensions File: c:\documents and settings\owner\my documents\my downloads\trillian-v0.74d.exe
Suspicious Filename: Dual extensions File: c:\hp\bin\python-2.2.1.exe
Positive identification (DLL): Adware.MiniBug (dll) File: c:\program files\aws\weatherbug\minibugtransporter.dll
Suspicious Filename: Dual extensions File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe
Positive identification (DLL): Adware.WinPage BHO (dll) File: c:\program files\homepage\winpage.dll
Positive identification: RAT.Frsk File: c:\recycler\s-1-5-21-1300003180-3168066103-3802400216-500\dc2.exe
Suspicious Filename: Dual extensions File: c:\windows\bwunin-6.1.0.153.exe
Positive identification (embedded in file): DDoS.RAT.SpyBot 1.2as File: c:\windows\backup\tb040129.dat
Positive identification (embedded in file): DDoS.RAT.SpyBot 1.2as File: c:\windows\backup\tb040129.dat

#8 (permalink)
Knower of all that is MS
Join Date: Aug 2004
Posts: 10,755
OS: (multiple machines) 95, 98, 2K & XP Home & Pro
Download KillBox (http://www.greyknight17.com/spy/KillBox.exe). Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Replace on Reboot' and check the box underneath that. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into the top line (hitting the X button for each file - choose NO when it asks if you want to reboot until you get to the last file to delete):

c:\program files\homepage\winpage.dll
c:\recycler\s-1-5-21-1300003180-3168066103-3802400216-500\dc2.exe
c:\windows\backup\tb040129.dat

====

Any problems now?

#9 (permalink)
Member
Well, so far it hasn't gone slow, but I haven't used it much. Though the drop down menus go kinda slow, like in WordPad, Paint, MSN, AIM, etc., but that's not really annoying, and AIM keeps disconnecting me every 7 minutes. I've tried uninstalling and reinstalling, but no luck.

#10 (permalink)
Analyst, Security Team
Do I see two antivirus programs running there? That's usually the cause of the slowdown. We recommend using AVG over Norton since it's free and more effective at catching the viruses/trojans.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
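
The by-eye check in the reply above (two antivirus products both loading at startup), as an added example that is not part of the original thread: it parses HijackThis entry lines and reports antivirus products that have autostart (O4) or service (O23) components at the same time. The sample is an excerpt of the log posted earlier in the thread; the product markers and function names are assumptions made for this example.

```python
import re

# Excerpt of the HijackThis Analyzer log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption: hand-picked markers covering only the products seen in this log.
PRODUCTS = [
    ("Norton AntiVirus", "antivirus", ("norton antivirus", "\\norton~1\\")),
    ("AVG", "antivirus", ("\\grisoft\\",)),
    ("ZoneAlarm", "firewall", ("zone labs", "zonelabs")),
]

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# O4 = autostart entries, O23 = services: components that load at boot and stay resident.
RESIDENT_CODES = {"O4", "O23"}


def parse_entries(log_text):
    """Yield (section_code, body) for each HijackThis entry line."""
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2)


def resident_products(log_text):
    """Map product name -> sorted section codes of its boot-time components."""
    found = {}
    for code, body in parse_entries(log_text):
        if code not in RESIDENT_CODES:
            continue  # e.g. O2 browser helper objects load only inside the browser
        lowered = body.lower()
        for name, _kind, markers in PRODUCTS:
            if any(marker in lowered for marker in markers):
                found.setdefault(name, set()).add(code)
    return {name: sorted(codes) for name, codes in found.items()}


def conflicting_antivirus(log_text):
    """Return the antivirus products resident at the same time, if more than one."""
    resident = resident_products(log_text)
    av = sorted(n for n, kind, _m in PRODUCTS if kind == "antivirus" and n in resident)
    return av if len(av) > 1 else []
```
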

#11 (permalink)
Member
Norton doesn't work. That's why I got AVG. Every time I log on it says a .dll is corrupted, that and we never bought it. Just used to show something to purchase it, but then it got replaced by the corrupted file message. I can use it to scan stuff, like when I receive a file, Norton scans it, but that's about it. It's probably useless since it never really got updated. I'll go delete it anyways. And on ZoneAlarm, how can I change the anti-virus protection from Norton to AVG? Will it do it on its own?
Last edited by Dazed Hybrid : 01-29-2005 at 04:37 PM.

#12 (permalink)
Analyst, Security Team
OK, uninstall Norton in Safe Mode if it gives you trouble in normal mode.
ZoneAlarm should be able to detect AVG. I know some older versions don't detect it. It's not a really big deal though as long as you have AVG installed and updated frequently. See if the slowdown problem is fixed after that's done.

#13 (permalink)
Member
Well, the slowdown problem seems to be fixed but AIM is still signing me out. Any ideas why it's happening? I thought maybe it was a corrupted file, so I uninstalled and downloaded it again from the site and reinstalled, but it still signs me out. It says "Connection lost. Check your Internet connection."

#16 (permalink)
Analyst, Security Team
Do you still have internet connection when you get kicked off? Make sure also that your firewall program is not blocking its access. If you have a router, make sure to set the security settings to allow IM.

#17 (permalink)
Member
Yep. It's only that program that gets disconnected. The firewall is set to allow it to work and I don't have a router. It started doing it recently. Like 2-3 days ago. I thought maybe it was a trojan so I scanned the computer with AVG and HouseCall, and nothing. Then I ran Ad-Aware and Spybot, but it only finds cookies.