Memory leak in Sp2?? (svchost?)

Romanov77 · 02-25-2005, 11:05 AM

Hi everybody.

A friend of mine highly recomanded me this forum, saying that you could help me.

Ive a p4 1800mhz and 512 mb of RAM.

Recently, I brough it to my uncle, to add:

A new HD (now Ive 2 of them=
A Dvd reader
A Dvd Burner.

However, my uncle installed something i didnt wanted, the SERVICE PACK 2.

Everything works fine, but:

Its like my pc is under memory leak.
Games are slower, as well as the other applications... I feel that the whole system is slowed down...

I made a scan with hijack this, and here's my log:
-------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 18.51.54, on 25/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Programmi\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
C:\WINDOWS\system32\dslagent.exe
C:\Programmi\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Programmi\Dc++\zDC++0.401[d5]beta\zDCPlusPlus.exe
C:\Programmi\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Alessandro\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Programmi\System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [SCANINICIO] "C:\Programmi\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Microsoft Update Machine] memstat.exe
O4 - HKLM\..\Run: [SDIN Adapter] sdin.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programmi\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] memstat.exe
O4 - HKLM\..\RunServices: [SDIN Adapter] sdin.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SDIN Adapter] sdin.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: www.master69.biz
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605689.exe
O16 - DPF: {FF536F77-656B-4863-96F7-B7C8DBF342E3} (WebPhone Control) - http://www.abbeyphone.com/activex/We....5.2_light.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66CE1236-582E-4BB3-949C-6CADA9643808}: NameServer = 85.37.17.11 151.99.125.1
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe
------------------------------------------------------------------

Pressing Ctrl-Alt delete I also noticed that a process called svchost appears 7 times and suck A LOT of memory!!

What should I do?

Im no expert and I fear to delete any of the suspicious things I saw on Hijack this.

What should I do?
Thanks in advance!

elf · 02-25-2005, 01:46 PM

Well, I'm no master at hijackthis, but I didn't see anything bad. I'll see if i can lure greyknight or horse over here to take a gander.

just FYI svchost s a legitimate file. It will show up multiple times, in fact I have it running 6 times. There is a virus that is made to mimic svchost, but they switch the v and c so it is called scvhost (just tries to trick you into thinking its legit).

If you go to your process manager (ctrl + alt + esc) it will give you a nifty graph of how much memory you have left (under "Performance" tab where it says "PF Usage")

Romanov77 · 02-25-2005, 01:58 PM

Quote:

Originally Posted by elf

Well, I'm no master at hijackthis, but I didn't see anything bad. I'll see if i can lure greyknight or horse over here to take a gander.

just FYI svchost s a legitimate file. It will show up multiple times, in fact I have it running 6 times. There is a virus that is made to mimic svchost, but they switch the v and c so it is called scvhost (just tries to trick you into thinking its legit).

If you go to your process manager (ctrl + alt + esc) it will give you a nifty graph of how much memory you have left (under "Performance" tab where it says "PF Usage")

The CPU usage is HUGE.

When the pc is idle it is around 3-10%.... when I do anything it grows!

Example: I opened Internet explorer and it reached 78%!!

All my games runs like crap...

Everything worked fine before the Service Pack2...should I unistall it??

elf · 02-25-2005, 02:07 PM

That would be worth a shot, you could also go to your start menu > all programs > Accessories > system tools > system restore.

And see about restoring your pc to before sp2 was installed.

Also, go to the processes tab and see what processes are taking up all the resources.

Romanov77 · 02-25-2005, 02:58 PM

Quote:

Originally Posted by elf

That would be worth a shot, you could also go to your start menu > all programs > Accessories > system tools > system restore.

And see about restoring your pc to before sp2 was installed.

Also, go to the processes tab and see what processes are taking up all the resources.

What do you think is better?

Unistalling the sp2 or restoring the old configuration??

About the processes, there are many of them...should I look for something suspicious in particular??

Btw, Thanks for the help!

me75006 · 02-25-2005, 02:59 PM

see if the XP firewall is slowing your games down, you can access the settings for it in the control panel.

elf · 02-25-2005, 03:15 PM

I would trying to restore first, if it doesn't get rid of SP2 try uninstalling it. Sometimes system restore doesn't work, but if it does it would probably be your best bet.

edit: I take that back you do have a couple nasties in your log. Wait for one of hte security people to head over here (jgovernco, greyknight17, horse, or one of the others)

CTSNKY · 02-25-2005, 04:57 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Microsoft Update Machine] memstat.exe
O4 - HKLM\..\Run: [SDIN Adapter] sdin.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] memstat.exe
O4 - HKLM\..\RunServices: [SDIN Adapter] sdin.exe
O4 - HKCU\..\Run: [SDIN Adapter] sdin.exe
O15 - Trusted Zone: www.master69.biz
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605689.exe

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

memstat.exe
sdin.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Romanov77 · 02-26-2005, 05:27 AM

Wow CTSNKY, thats a lot of stuff!

I'll do it this afternoon!

I'll post the KRC HijackThis Analyzer result as soon as I can!

And thanks again!!

Romanov77 · 02-26-2005, 08:21 AM

Ok.

My updated panda found: W32/SDBOT.FTP virus in Windows\System32\y and disinfected it.

I followed all the instructions.

Deleted all the bad entries you said.

I tried to find the files Sdin.exe and the other, but they do not exist anymore (at least I hope)

Rebooted, and here's the Analyser log:

Note: The pc now seem to work perfectly!!!!

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 16.17.41, on 26/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Programmi\Sygate\SPF\smc.exe
C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
C:\Programmi\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE
C:\Programmi\IPM\Adsl\DataWay\dslstat.exe
C:\Programmi\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE
C:\Programmi\File comuni\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Messenger\msmsgs.exe
C:\Programmi\Panda Software\Panda Antivirus Platinum\pavProxy.exe
C:\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll
O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Programmi\System Optimizer\IEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [CTStartup] C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon
O4 - HKLM\..\Run: [SCANINICIO] "C:\Programmi\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Antivirus Platinum\pavsrv51.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

CTSNKY · 02-26-2005, 09:36 AM

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

Romanov77 · 02-26-2005, 10:31 AM

Quote:

Originally Posted by CTSNKY

Your log is clean. If you disabled System Restore, make sure to enable it now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided.

Are there any problems now? If not, you should be set to go.

Done!

Everything seems to work fine now, even the mouse move more smoothly!

Thank you for the support, a lot of people recomended me this site and they were right, you guys ROCK!!!

This forum will always have his place in my IE Favorites!!!

Thanks again!!

02-25-2005, 11:05 AM	#1 (permalink)
Romanov77 Registered User Join Date: Feb 2005 Posts: 152 OS: Windows XP Sp2	Memory leak in Sp2?? (svchost?) Hi everybody. A friend of mine highly recomanded me this forum, saying that you could help me. Ive a p4 1800mhz and 512 mb of RAM. Recently, I brough it to my uncle, to add: A new HD (now Ive 2 of them= A Dvd reader A Dvd Burner. However, my uncle installed something i didnt wanted, the SERVICE PACK 2. Everything works fine, but: Its like my pc is under memory leak. Games are slower, as well as the other applications... I feel that the whole system is slowed down... I made a scan with hijack this, and here's my log: ------------------------------------------------------- Logfile of HijackThis v1.99.1 Scan saved at 18.51.54, on 25/02/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Programmi\Sygate\SPF\smc.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\Programmi\Panda Software\Panda Antivirus Platinum\pavsrv51.exe C:\WINDOWS\System32\svchost.exe C:\Programmi\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE C:\WINDOWS\System32\MsPMSPSv.exe C:\Programmi\IPM\Adsl\DataWay\dslstat.exe C:\WINDOWS\system32\dslagent.exe C:\Programmi\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE C:\Programmi\File comuni\Real\Update_OB\realsched.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE C:\WINDOWS\system32\ctfmon.exe C:\Programmi\Panda Software\Panda Antivirus Platinum\pavProxy.exe C:\Programmi\Dc++\zDC++0.401[d5]beta\zDCPlusPlus.exe C:\Programmi\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Alessandro\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Programmi\System Optimizer\IEHelper.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe O4 - HKLM\..\Run: [CTStartup] C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB O4 - HKLM\..\Run: [SCANINICIO] "C:\Programmi\Panda Software\Panda Antivirus Platinum\Inicio.exe" O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [Microsoft Update Machine] memstat.exe O4 - HKLM\..\Run: [SDIN Adapter] sdin.exe O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62" O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Programmi\CloneCD\ElbyCheck.exe" /L ElbyCDFL O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\RunServices: [Microsoft Update Machine] memstat.exe O4 - HKLM\..\RunServices: [SDIN Adapter] sdin.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SDIN Adapter] sdin.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O15 - Trusted Zone: www.master69.biz O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605689.exe O16 - DPF: {FF536F77-656B-4863-96F7-B7C8DBF342E3} (WebPhone Control) - http://www.abbeyphone.com/activex/We....5.2_light.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{66CE1236-582E-4BB3-949C-6CADA9643808}: NameServer = 85.37.17.11 151.99.125.1 O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Antivirus Platinum\pavsrv51.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe ------------------------------------------------------------------ Pressing Ctrl-Alt delete I also noticed that a process called svchost appears 7 times and suck A LOT of memory!! What should I do? Im no expert and I fear to delete any of the suspicious things I saw on Hijack this. What should I do? Thanks in advance!

02-25-2005, 01:46 PM	#2 (permalink)
elf Manager, Microsoft Support Join Date: Jul 2002 Location: Knoxville, TN or Austin, TX depending Posts: 7,016 OS: WinXP Pro SP3 and Windows 7 My System	Well, I'm no master at hijackthis, but I didn't see anything bad. I'll see if i can lure greyknight or horse over here to take a gander. just FYI svchost s a legitimate file. It will show up multiple times, in fact I have it running 6 times. There is a virus that is made to mimic svchost, but they switch the v and c so it is called scvhost (just tries to trick you into thinking its legit). If you go to your process manager (ctrl + alt + esc) it will give you a nifty graph of how much memory you have left (under "Performance" tab where it says "PF Usage") __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! I do not subscribe to threads, so if I stop replying, PM me with a link to your thread so I can find it again. Last edited by elf; 02-25-2005 at 01:47 PM.

02-25-2005, 02:07 PM	#4 (permalink)
elf Manager, Microsoft Support Join Date: Jul 2002 Location: Knoxville, TN or Austin, TX depending Posts: 7,016 OS: WinXP Pro SP3 and Windows 7 My System	That would be worth a shot, you could also go to your start menu > all programs > Accessories > system tools > system restore. And see about restoring your pc to before sp2 was installed. Also, go to the processes tab and see what processes are taking up all the resources. __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! I do not subscribe to threads, so if I stop replying, PM me with a link to your thread so I can find it again.

02-25-2005, 03:15 PM	#7 (permalink)
elf Manager, Microsoft Support Join Date: Jul 2002 Location: Knoxville, TN or Austin, TX depending Posts: 7,016 OS: WinXP Pro SP3 and Windows 7 My System	I would trying to restore first, if it doesn't get rid of SP2 try uninstalling it. Sometimes system restore doesn't work, but if it does it would probably be your best bet. edit: I take that back you do have a couple nasties in your log. Wait for one of hte security people to head over here (jgovernco, greyknight17, horse, or one of the others) __________________ If TSF has helped you, Tell us about it! or Donate to help keep the site up! I do not subscribe to threads, so if I stop replying, PM me with a link to your thread so I can find it again. Last edited by elf; 02-25-2005 at 03:19 PM.

02-25-2005, 04:57 PM	#8 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O4 - HKLM\..\Run: [Microsoft Update Machine] memstat.exe O4 - HKLM\..\Run: [SDIN Adapter] sdin.exe O4 - HKLM\..\RunServices: [Microsoft Update Machine] memstat.exe O4 - HKLM\..\RunServices: [SDIN Adapter] sdin.exe O4 - HKCU\..\Run: [SDIN Adapter] sdin.exe O15 - Trusted Zone: www.master69.biz O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/605689.exe Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: memstat.exe sdin.exe Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. __________________ GO BIG BLUE!! Last edited by CTSNKY; 02-25-2005 at 04:45 PM.

02-25-2005, 02:59 PM	#6 (permalink)
me75006 Member Join Date: Oct 2004 Posts: 25 OS: xp	see if the XP firewall is slowing your games down, you can access the settings for it in the control panel.

02-26-2005, 05:27 AM	#9 (permalink)
Romanov77 Registered User Join Date: Feb 2005 Posts: 152 OS: Windows XP Sp2	Wow CTSNKY, thats a lot of stuff! I'll do it this afternoon! I'll post the KRC HijackThis Analyzer result as soon as I can! And thanks again!!

02-26-2005, 08:21 AM	#10 (permalink)
Romanov77 Registered User Join Date: Feb 2005 Posts: 152 OS: Windows XP Sp2	Ok. My updated panda found: W32/SDBOT.FTP virus in Windows\System32\y and disinfected it. I followed all the instructions. Deleted all the bad entries you said. I tried to find the files Sdin.exe and the other, but they do not exist anymore (at least I hope) Rebooted, and here's the Analyser log: Note: The pc now seem to work perfectly!!!! ==================================================================== Log was analyzed using KRC HijackThis Analyzer - Updated on 2/10/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 16.17.41, on 26/02/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Programmi\Sygate\SPF\smc.exe C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe C:\Programmi\Panda Software\Panda Antivirus Platinum\pavsrv51.exe C:\Programmi\Panda Software\Panda Antivirus Platinum\AVENGINE.EXE C:\Programmi\IPM\Adsl\DataWay\dslstat.exe C:\Programmi\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE C:\Programmi\File comuni\Real\Update_OB\realsched.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE C:\Programmi\QuickTime\qttask.exe C:\Programmi\Messenger\msmsgs.exe C:\Programmi\Panda Software\Panda Antivirus Platinum\pavProxy.exe C:\Hijack this\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googletoolbar1.dll O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Programmi\System Optimizer\IEHelper.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.dll O4 - HKLM\..\Run: [Jet Detection] C:\Programmi\Creative\SBLive\PROGRAM\ADGJDet.exe O4 - HKLM\..\Run: [CTStartup] C:\Programmi\Creative\Splash Screen\CTEaxSpl.EXE /run O4 - HKLM\..\Run: [DSLSTATEXE] C:\Programmi\IPM\Adsl\DataWay\dslstat.exe icon O4 - HKLM\..\Run: [SCANINICIO] "C:\Programmi\Panda Software\Panda Antivirus Platinum\Inicio.exe" O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62" O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [MSMSGS] "C:\Programmi\Messenger\msmsgs.exe" /background O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1.dll/cmcache.html O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Programmi\File comuni\EPSON\EBAPI\SAgent2.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Antivirus Platinum\pavsrv51.exe O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Programmi\Sygate\SPF\smc.exe End of KRC HijackThis Analyzer Log. ==================================================================== Last edited by Romanov77; 02-26-2005 at 08:26 AM.

02-26-2005, 09:36 AM	#11 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Your log is clean. If you disabled System Restore, make sure to enable it now. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial (http://www.greyknight17.com/spyware.htm#prevent) and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ GO BIG BLUE!!