
Status
Not open for further replies.
1 - 4 of 4 Posts

Registered · 26 Posts
Discussion Starter #1
I was called yesterday by a friend of the family to help with their slow system running Win XP Home Edition with SP2. It's a P4/2 GHz processor with 512 MB of ram. When I got there booting up took 20 minutes, booting down took 5 and there were pop ups appearing every minute. I loaded and ran Spybot, Norton and Zone Alarm for them and the system runs 100 times better, but still takes around 5 minutes to boot to the desktop when it used to take 30 seconds. Can you analyze this log for me and tell me what I need to do? Let me know if there's anything else I need to include for you. Thanks in advance:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\GWMDMMSG.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\wjview.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Rebate_Nation\RebateNation0.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\SIERRA\CardStudio\PLNRnote.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\Program Files\Rebate_Nation\RebateNation1.exe
C:\Program Files\websearch\websearch.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\HPHipm11.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\ServicePackFiles\reg.exe
C:\Documents and Settings\Larry\Local Settings\Temporary Internet Files\Content.IE5\G5AN81U7\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://online.wsj.com/home/us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O1 - Hosts: com
O1 - Hosts: com
O1 - Hosts: .com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\Larry\LOCALS~1\Temp\pxerba.dat
O2 - BHO: CATLEvents Object - {44E5B409-35A2-4E8D-BF94-344222323A53} - C:\DOCUME~1\Larry\LOCALS~1\Temp\savrd.dat
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\Larry\LOCALS~1\Temp\bksmw.dat
O2 - BHO: CATLEvents Object - {72AC6865-B1D3-4C32-A27B-4B3BF04DE655} - C:\DOCUME~1\Larry\LOCALS~1\Temp\pxerba.dat
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CATLEvents Object - {C69FA570-7FDE-4C49-A7BC-CB1CF24BE66B} - C:\DOCUME~1\Larry\LOCALS~1\Temp\ger.dat
O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\Larry\LOCALS~1\Temp\pxerba.dat
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\sysupd.exe
O4 - HKLM\..\Run: [RebateNation0] "C:\Program Files\Rebate_Nation\RebateNation0.exe"
O4 - HKLM\..\Run: [abrexp] C:\WINDOWS\Fonts\abrexp.exe
O4 - HKLM\..\Run: [*abrexp] C:\WINDOWS\Fonts\abrexp.exe
O4 - HKLM\..\Run: [*keysrv] C:\WINDOWS\msagent\chars\keysrv.exe
O4 - HKLM\..\Run: [*cabdrv] C:\WINDOWS\cabdrv.exe
O4 - HKLM\..\Run: [*fontkb] C:\WINDOWS\inf\fontkb.exe
O4 - HKLM\..\Run: [*runkb] C:\WINDOWS\inf\runkb.exe
O4 - HKLM\..\Run: [*wmskb] C:\WINDOWS\Drivers\Ich4\wmskb.exe
O4 - HKLM\..\Run: [*runcmd] C:\WINDOWS\Fonts\runcmd.exe
O4 - HKLM\..\Run: [*tcphard] C:\WINDOWS\system32\2052\tcphard.exe
O4 - HKLM\..\Run: [*sdns] C:\WINDOWS\Config\sdns.exe
O4 - HKLM\..\Run: [*imgeula] C:\WINDOWS\security\logs\imgeula.exe
O4 - HKLM\..\Run: [*antireg] C:\WINDOWS\Fonts\antireg.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [*svcacc] C:\WINDOWS\svcacc.exe
O4 - HKLM\..\Run: [*faxs] C:\WINDOWS\Help\starter\faxs.exe
O4 - HKLM\..\Run: [*comvga] C:\WINDOWS\AppPatch\comvga.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [*runkey] C:\WINDOWS\Registration\runkey.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [*inetreg] C:\WINDOWS\security\inetreg.exe
O4 - HKLM\..\Run: [pkv] C:\WINDOWS\pkv.exe
O4 - HKLM\..\Run: [*reg] C:\WINDOWS\ServicePackFiles\reg.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunOnce: [*reg] C:\WINDOWS\ServicePackFiles\reg.exe rerun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Larry\HXIUL.EXE
O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\Larry\LOCALS~1\Temp\bkinst.exe ren time:1100786159
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\SIERRA\CardStudio\PLNRnote.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Rebate Nation - file://C:\Program Files\Rebate_Nation\Sy5300\Tp5300\scri5300a.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AA59BA6E-B44F-4514-AB3C-0C1DD2306FC3} (MSN Money Charting) - http://fdl.msn.com/public/investor/v12/invinstl.exe
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D32C3BAD-5213-49BD-A7D5-E6DE6C0D8249} (RavOnline Control) - http://www.ravantivirus.com/scan/ravonline.cab
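A defender-side first pass over log lines in this format, added here as an example (it is not part of this thread and not HijackThis code): it parses the R/O entries, pulls the target path out of each O2 and O4 line, and flags the patterns a log reader looks at first: hosts-file overrides, BHOs that point at a .dat file in a Temp folder, Run values whose name begins with '*', and executables launched from Windows subfolders such as Fonts or inf that normally hold no programs. The sample lines, the username in them and the list of "suspect" Windows subfolders are constructed for the example; the heuristics are a starting point for review, not a verdict on any entry.

```python
"""Triage helper for HijackThis-style log lines (added example, not the forum's or HijackThis's code)."""
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [name] command" / "O2 - BHO: name - {CLSID} - path" / "O1 - Hosts: entry"
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# First token that looks like a program/module path, quoted or not, arguments dropped.
TARGET_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|dat|scr|bat))"?', re.IGNORECASE)

# Constructed heuristic list (assumption): Windows subfolders that hold fonts, INF files,
# help content, shims and so on, and normally no autostart executables at all.
SUSPECT_WINDIRS = ("fonts", "inf", "help", "apppatch", "msagent",
                   "security", "config", "registration", "servicepackfiles")


@dataclass
class Finding:
    code: str
    target: str
    reasons: list = field(default_factory=list)


def extract_target(cmd):
    """Return the program path from a Run command line, or the raw command if none is found."""
    m = TARGET_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def is_temp_path(path):
    p = path.lower()
    return "\\temp\\" in p or "\\temporary internet files\\" in p


def in_suspect_windir(path):
    # Expect something like ['c:', 'windows', '<subfolder>', ..., 'name.exe'].
    parts = path.lower().replace("/", "\\").split("\\")
    return len(parts) >= 4 and parts[1] == "windows" and parts[2] in SUSPECT_WINDIRS


def triage_line(line):
    """Parse one log line; return a Finding (reasons may be empty) or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    f = Finding(code, body)
    if code == "O1":
        f.reasons.append("hosts-file override; confirm every mapping is intended")
    elif code == "O2":
        b = O2_RE.match(body)
        if b:
            f.target = b.group("path")
            if not f.target.lower().endswith(".dll"):
                f.reasons.append("BHO target is not a DLL")
            if is_temp_path(f.target):
                f.reasons.append("BHO loaded from a temp directory")
    elif code == "O4":
        b = O4_RE.match(body)
        if b:
            f.target = extract_target(b.group("cmd"))
            if b.group("name").startswith("*"):
                f.reasons.append("Run value name prefixed with '*'")
            if is_temp_path(f.target):
                f.reasons.append("autorun executable in a temp directory")
            if in_suspect_windir(f.target):
                f.reasons.append("autorun executable in a Windows folder that holds no programs")
    return f


def triage(log_text):
    """Return only the entries that raised at least one reason, in log order."""
    out = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f and f.reasons:
            out.append(f)
    return out


# Constructed sample in the style of the log above (username replaced by "User").
SAMPLE_LOG = r"""O1 - Hosts: com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418A-8A8E-65AEB4029E64} - C:\DOCUME~1\User\LOCALS~1\Temp\pxerba.dat
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [*abrexp] C:\WINDOWS\Fonts\abrexp.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKCU\..\RunOnce: [*WinLogon] C:\DOCUME~1\User\LOCALS~1\Temp\bkinst.exe ren time:1100786159
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.code}  {finding.target}")
        for reason in finding.reasons:
            print(f"      - {reason}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; entries with no reasons are simply not listed, so the output is the short list to look at by hand, not a cleaned log. Paths the regexes cannot parse are kept as the raw entry text in `target` so nothing is silently dropped.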
 

TSF Team Emeritus, Security Team · 10,821 Posts
Geez Louise, that's pretty well infected there.....let's do a couple more tools before attacking the log head-on and hope some of it can be erased for us. Please post the ENTIRE log next time, including the headers.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Temp folder. This is required because HijackThis will create backups and we don't want them to be deleted.

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Make sure to select the Autoclean option. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Go to this site to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download Index.dat Suite to clean out all the temp folders. Run Index.dat Suite now and go to Tools->Settings. Then make sure to check the following: Cookies, History, Recent Documents, Swap File (if you have Windows 95/98), Temporary Internet Files and Temp Files. Click Save at the bottom. Then click on the Find button. Let it search. Then click on the second button on the top. This will generate a batch file. Click Next->Next->Next and it will tell you that after the next reboot/restart the file should run by itself and clean out the temp folders. To make sure it's cleaned out, go into My Computer->C: Drive and double click on the run.bat file. After that you may delete that file if you want.
 

Registered · 26 Posts
Discussion Starter #3
Thanks for your help CTSNKY. I really appreciate it.

I've sent an e-mail to my friends asking them to run the virus scan and to download Ad-aware SE. I'm going to wait until I get over there to perform the rest of the functions so it might not be until tomorrow or maybe Sunday, but I will be sure to let you know what transpires!!
 