Is anyone monitoring the Spybot slow scanspeed forum?



grokboyer
2006-01-10, 07:43
Am I supposed to post over here? It implied that we should keep our slow scan conversation over here:
http://forums.spybot.info/showthread.php?t=1469
but I'm not seeing any experts replying to us.
Should I repost here?

LonnyRJones
2006-01-10, 15:32
Hi grokboyer

Make a fresh Hijackthis log and post it here please

grokboyer
2006-01-11, 00:27
Logfile of HijackThis v1.99.1
Scan saved at 5:24:14 PM, on 1/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\_Utils\SYS\SpyWare\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\_Apps\Text\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - Global Startup: WinBar2.lnk = C:\Program Files\_Utils\SYS\WinBar1.95\WinBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Properties - http://www.advancedpropertiesie.com/advprops/advprop.php?rd=1054093218517
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\_Apps\Text\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {31E06FD8-C2C4-49A3-A8E2-85F1218D890C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31E06FD8-C2C4-49A3-A8E2-85F1218D890C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9C3A02E8-0A7B-4C33-8261-E5B021E6FDB0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9C3A02E8-0A7B-4C33-8261-E5B021E6FDB0} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000112-0000-0010-8000-00AA00389B71} -
O16 - DPF: {11311111-1111-1111-1111-111111111157} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129384937623
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_01) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://grokboyer.no-ip.org/tsweb/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{064D63BA-05FF-496E-9FFD-84D041AA3B07}: NameServer = 85.255.115.86,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{18FA6431-ACA0-4AA2-8FBE-AE4C2837A08E}: NameServer = 85.255.115.86,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3939B05-6DAE-49F3-8A8B-4754B635E0E4}: NameServer = 85.255.115.86,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{064D63BA-05FF-496E-9FFD-84D041AA3B07}: NameServer = 85.255.115.86,85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\..\{064D63BA-05FF-496E-9FFD-84D041AA3B07}: NameServer = 85.255.115.86,85.255.112.84
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

LonnyRJones
2006-01-11, 04:42
Hi

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items(if there):

O9 - Extra button: Microsoft AntiSpyware helper - {31E06FD8-C2C4-49A3-A8E2-85F1218D890C} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {31E06FD8-C2C4-49A3-A8E2-85F1218D890C} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9C3A02E8-0A7B-4C33-8261-E5B021E6FDB0} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9C3A02E8-0A7B-4C33-8261-E5B021E6FDB0} - (no file) (HKCU)
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {00000112-0000-0010-8000-00AA00389B71} -
O16 - DPF: {11311111-1111-1111-1111-111111111157} -
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{064D63BA-05FF-496E-9FFD-84D041AA3B07}: NameServer = 85.255.115.86,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{18FA6431-ACA0-4AA2-8FBE-AE4C2837A08E}: NameServer = 85.255.115.86,85.255.112.84
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3939B05-6DAE-49F3-8A8B-4754B635E0E4}: NameServer = 85.255.115.86,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{064D63BA-05FF-496E-9FFD-84D041AA3B07}: NameServer = 85.255.115.86,85.255.112.84
O17 - HKLM\System\CS2\Services\Tcpip\..\{064D63BA-05FF-496E-9FFD-84D041AA3B07}: NameServer = 85.255.115.86,85.255.112.84

If you see an entry as well in your O4 lines in hijackthis, starting with dm... for example:
O4 - HKLM\..\Run: [dm***.exe] C:\WINDOWS\system32\dm***.exe (the *** stand for random letters)
or starting with hg***.exe for example:
O4 - HKLM\..\Run: [hg***.exe] C:\Windows\System32\hg***.exe
or starting with cs***.exe for example:
O4 - HKLM\..\Run: [cscyd.exe] cscyd.exe
Check it as well. If you're not sure, leave it and only check the ones I asked you to check.
===========================================================
Click Fix Checked. Close HijackThis, and click OK to proceed.


Finally, please post the contents of report.txt (it should open), along with a new HijackThis log.
I see msconfig has been used; re-enable anything you have disabled since the problems started, then get that HijackThis log. Also, where is your antivirus program?
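
The triage the helper describes above (rogue O17 NameServer values, random-named dm***/hg***/cs*** Run entries, unnamed O16 controls with no download URL, O9 items pointing at "(no file)") can be turned into a script a reviewer runs over a pasted log before and after a fix. What follows is an added example, not code from the forum post, from HijackThis or from Fixwareout. It assumes the owner's legitimate resolvers sit on private ranges (TRUSTED_DNS, to be replaced with the real ISP resolvers), uses a small allowlist of real Windows binaries whose names happen to start with the dropper prefixes, and the sample logs are constructed from the thread's own entries plus one O4 line of the dm***.exe form the helper described (no such O4 line appears in the actual logs).

```python
"""Triage HijackThis (v1.99) log lines for the indicators discussed in the thread.

Added example; not code from the forum post, from HijackThis or from Fixwareout.
Checks encoded (all flagged lines are for human review, not automatic removal):
  * O17 NameServer values outside the resolvers the owner expects
  * O4 Run entries whose image name looks like the dm***/hg***/cs*** droppers
  * O16 DPF entries with neither a control name nor a download URL
  * O9 toolbar buttons / menu items whose target is "(no file)"
"""
import ipaddress
import re

# ASSUMPTION: legitimate resolvers live on private ranges (home router or
# corporate DNS). Replace with the ISP's real resolver addresses.
TRUSTED_DNS = [ipaddress.ip_network(n)
               for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Real Windows binaries whose names happen to start with the dropper prefixes.
KNOWN_GOOD_EXE = {"csrss.exe", "cscript.exe", "dmadmin.exe"}

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?P<rest>.*)$")
RANDOM_EXE_RE = re.compile(r"^(dm|hg|cs)[a-z]{3,}\.exe$", re.IGNORECASE)


def _is_trusted(server):
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # a malformed value deserves a look as well
    return any(addr in net for net in TRUSTED_DNS)


def _image_name(cmd):
    """Last path component of the executable in an O4 command line."""
    cmd = cmd.strip().strip('"')
    return cmd.split("\\")[-1].split()[0].lower()


def triage(log_text):
    """Return (section, reason, raw_line) for every line that needs review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            rogue = [s for s in servers if not _is_trusted(s)]
            if rogue:
                findings.append(("O17", "NameServer outside trusted set: " + ",".join(rogue), line))
            continue
        m = O4_RE.match(line)
        if m:
            exe = _image_name(m.group("cmd"))
            if RANDOM_EXE_RE.match(exe) and exe not in KNOWN_GOOD_EXE:
                findings.append(("O4", "random-looking Run entry: " + exe, line))
            continue
        m = O16_RE.match(line)
        if m:
            if m.group("rest").strip() == "-":  # no control name, no source URL
                findings.append(("O16", "unidentified DPF control {%s}" % m.group("clsid"), line))
            continue
        if line.startswith("O9 - ") and "(no file)" in line:
            findings.append(("O9", "button/menu item with missing target", line))
    return findings


def still_present(before_log, after_log):
    """Findings from the first log whose exact line survives in the second."""
    after_lines = {l.strip() for l in after_log.splitlines()}
    return [f for f in triage(before_log) if f[2] in after_lines]


# Constructed sample: a subset of the thread's first log plus one O4 line of
# the dm***.exe form the helper described; SAMPLE_AFTER is the cleaned state.
SAMPLE_BEFORE = r"""O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [dmezt.exe] C:\WINDOWS\system32\dmezt.exe
O9 - Extra button: Microsoft AntiSpyware helper - {31E06FD8-C2C4-49A3-A8E2-85F1218D890C} - (no file) (HKCU)
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{064D63BA-05FF-496E-9FFD-84D041AA3B07}: NameServer = 85.255.115.86,85.255.112.84
O17 - HKLM\System\CS1\Services\Tcpip\..\{064D63BA-05FF-496E-9FFD-84D041AA3B07}: NameServer = 85.255.115.86,85.255.112.84
"""
SAMPLE_AFTER = r"""O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
"""

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_BEFORE):
        print(section, "|", reason, "|", line)
    print("left after fix:", still_present(SAMPLE_BEFORE, SAMPLE_AFTER))
```

Running it on the constructed "before" log flags the dmezt.exe Run entry, the "(no file)" O9 item, the unnamed O16 control and both O17 lines, and leaves the IntelliPoint and Windows Genuine Advantage entries alone; comparing against the "after" log reports nothing left, which is the check to do on the second HijackThis log before declaring the fix complete.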

grokboyer
2006-01-11, 11:53
I've turned off my AV and everything else, to eliminate the possibility that they were interfering with Spybot and being the problem and so that they were out of our way during this debugging.
I will be turning all that back on once I believe we've solved this. I'm going to test Spybot now, then, if all is well with Spybot, restore all the normal stuff and then run another HJT to post here. I have Norton AV Corp Ed.
=======================================================
Fixwareout ver 1.003
Last edited 12/5/2005
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\tzemd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\CSOHR.EXE
C:\WINDOWS\SYSTEM32\DMEZT.EXE

»»»»» Misc files

»»»»» Checking for older variants covered by the Rem3 tool

==================================================
Logfile of HijackThis v1.99.1
Scan saved at 4:40:48 AM, on 1/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\_Utils\SYS\WinBar1.95\WinBar.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\_Utils\SYS\SpyWare\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\_Apps\Text\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - Global Startup: WinBar2.lnk = C:\Program Files\_Utils\SYS\WinBar1.95\WinBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Advanced Properties - http://www.advancedpropertiesie.com/advprops/advprop.php?rd=1054093218517
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\_Apps\Text\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129384937623
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite/fvliteY.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.4.1_01) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://grokboyer.no-ip.org/tsweb/msrdp.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} -
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} -
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll

LonnyRJones
2006-01-11, 14:15
Hi

Manually delete these two files
C:\WINDOWS\SYSTEM32\CSOHR.EXE
C:\WINDOWS\SYSTEM32\DMEZT.EXE

Your Sun Java appears outdated; update Sun's Java manually.
Sun Java V1.5.0_06 is available: http://java.com/en/index.jsp
Afterwards, turn off its auto-updater (it's buggy): in Control Panel > Java >
Update tab, uncheck the option to update automatically.
After you install the newer version, it's important to uninstall the old versions via Add/Remove Programs.

Check for problems with SSD and let us know how long it takes
Post a new HJT log with all your normal startups

tashi
2006-01-15, 00:48
grokboyer, how is it going? Could we see the fresh hjt log please.

tashi
2006-01-22, 08:16
Due to lack of a response this topic will be archived.