
pc has become very slow



gianky
2006-03-18, 00:12
Hello!
It is my first post here. Hopefully someone can help me. My pc has suddenly become very slow. I have run HijackThis and saved the log file. Can I post it here?
Thanks for helping!

pskelley
2006-03-18, 00:20
Hello and welcome to the forum. You should review all of the important "Pinned" information at the top of the page. Make sure you follow these instructions: http://forums.spybot.info/showthread.php?t=288

Thanks...pskelley
Safer Networking Forums

gianky
2006-03-18, 00:31
Thank you for helping me.
Earlier this evening I ran the McAfee antivirus program, then Spybot, and removed some malware, but it is still very slow compared to before.
Here is the HJT logfile.

Logfile of HijackThis v1.99.1
Scan saved at 00:29:51, on 18-03-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\rundll32.exe
C:\mousepad3.exe
C:\Program Files\Eraser\eraser.exe
C:\PROGRA~1\COMMON~1\frrw\frrwm.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\frrw\frrwa.exe
C:\Documents and Settings\gd.GD-OAK9IFJ8JT4G\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [bxmon] rundll32.exe C:\WINNT\system32\bxmon.dll,start
O4 - HKLM\..\Run: [ifdrv] rundll32.exe C:\WINNT\system32\ifdrv.dll,start
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [newname] C:\\newname3.exe
O4 - HKLM\..\RunServices: [System Service] S4B3R.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - HKCU\..\Run: [frrw] C:\PROGRA~1\COMMON~1\frrw\frrwm.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: StillImage - C:\WINNT\system32\o8ns0i57e8.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

pskelley
2006-03-18, 01:37
You are welcome, before I look at the log, I need to advise you that:
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000) <<< your version of Internet Explorer is outdated, and I see no critical updates for the version you are running. My suggestion would be to click on Internet Explorer > Tools > Windows Update and allow Windows to update your Operating System if any critical updates are missing, and to follow Microsoft's suggestion for your browser. I have seen people gamble with an old version of IE, but never without critical updates.

I need some help, there are two programs running I am not finding much information about:
O4 - HKLM\..\Run: rundll32.exe C:\WINNT\system32\bxmon.dll,start
O4 - HKLM\..\Run: [ifdrv] rundll32.exe C:\WINNT\system32\ifdrv.dll,start
If you know what they are, let me know. If not, use these free online scans to find out if they are malware or valid. I will highlight the file to be searched in red. You will probably need to enable hidden files and folders to find them: http://www.xtra.co.nz/help/0,,4155-1916458,00.html
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

You have a nice collection of malware, and this one, a variant of Adware.Look2Me, we need to remove first.

Thanks to Atribune and any others who helped with this fix

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen, check that Task Scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule and press Enter.

Post the C:\Look2Me-Destroyer.txt and a new HiJackThis log, along with any comments you think will help, and the information from the trojan scans.

We will have more to do,

Thanks...pskelley
Safer Networking Forums

gianky
2006-03-18, 10:41
Hello and thanks again for your help: I appreciate it very much.
Well, let's start from IE: I have upgraded to version 6.0 and searched for available updates following your advice. I don't know if I have done correctly.
The 2 files you mentioned (bxmon.dll and ifdrv.dll): I don't know what they are. About the first one I can tell you that at startup, on the desktop, I get an error message saying "Error loading c:\winnt\system32\bxmon.dll, the specified module could not be found". The second file I cannot find.
I installed and ran Look2Me-Destroyer: it found a good number of .dll files that had been removed. I followed the procedure you described and it went fine, but when I turned the computer back on, the Look2Me report was gone!! I ran it again and no files were found, but now the report is there!!
I hope I am not making a mess!!

Anyway, here is the L2M report:

Look2Me-Destroyer V1.0.11

Scanning for infected files.....
Scan started at 18-03-2006 10:21:25


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


And here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:44, on 18-03-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\mousepad3.exe
C:\PROGRA~1\COMMON~1\frrw\frrwm.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\PROGRA~1\COMMON~1\frrw\frrwa.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\frrw\frrwl.exe
C:\Documents and Settings\gd.GD-OAK9IFJ8JT4G\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [bxmon] rundll32.exe C:\WINNT\system32\bxmon.dll,start
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [newname] C:\\newname3.exe
O4 - HKLM\..\RunServices: [System Service] S4B3R.exe
O4 - HKCU\..\Run: [frrw] C:\PROGRA~1\COMMON~1\frrw\frrwm.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142670533964
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

pskelley
2006-03-18, 13:42
You are certainly welcome, and do not worry about a thing, you are doing fine. This is a complex procedure and you have removed the first nasty. The two items I asked about: if you don't know them, they are probably bad. I will remove them, and if you find out you needed them for some reason, you can install them again. Let's proceed like this:

I need a little more help; this time it is important that you use the scans above. You must first show hidden files and folders like this:
Double-click My Computer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "Hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Here is the item: C:\PROGRA~1\COMMON~1\frrw\frrwm.exe and it is this: C:\Program Files\Common Files 1\frrw\frrwm.exe Open the online scanner I posted above, then click the browse button. Navigate until you have that pathway in the box to upload, then upload it. Soon you will be told if it is bad. Let me know also. I am fearful it has to do with the McAfee Desktop Firewall for Windows 2000\FireTray.exe
I am going to remove the items, but if you find that one is good, then pass over them. This is turning out to be a little complex; I have not seen some of these items before. What country are you in? Proceed like this.


1) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/) it is a trial version of the program.
Install ewido security suite
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O4 - HKLM\..\Run: [bxmon] rundll32.exe C:\WINNT\system32\bxmon.dll,start
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [newname] C:\\newname3.exe
O4 - HKLM\..\RunServices: [System Service] S4B3R.exe
O4 - HKCU\..\Run: [frrw] C:\PROGRA~1\COMMON~1\frrw\frrwm.exe
(the next two are Alexa toolbar related and resource wasters. If you do not use Alexa, then remove them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Enable hidden files & folders; reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

S4B3R.exe >>> file (this is a trojan worm, you will need to search for it to delete it. It must be deleted!!)

C:\WINNT\system32\bxmon.dll >>> file

C:\mousepad3.exe >>> file

C:\\newname3.exe >>> file

C:\PROGRAM FILES~1\COMMON FILES~1\frrw\frrwm.exe
C:\PROGRAM FILES~1\COMMON FILES~1\frrw\frrwa.exe
C:\PROGRAM FILES~1\COMMON FILES~1\frrw\frrwl.exe
<<< these three are the ones in question
Google Search finds nothing. If your online scan says any of them are not bad, skip them all. If they are bad, you only need to delete the folder: frrw to remove them all.

If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.

Restart the computer and post the ewido scan results, information from the online scan, a new HJT log and any comments you think will help.

Thanks...Phil
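The triage Phil is doing by eye on the O4 and O20 lines (an executable sitting in the root of C:\, a doubled backslash in the value, a bare filename with no path, the RunServices key, a DLL hosted by rundll32.exe, an 8.3 short path, a random-looking DLL name) can be written down as rules. The script below is an added example for this thread; it is not HijackThis code and not from the original posts. It parses HijackThis 1.99-style O4/O20 lines, works out which file each entry actually loads, and lists the reasons an entry deserves the hash-and-upload check. The sample lines are excerpted from the first log posted above (the O20 line is the one that vanished after Look2Me-Destroyer ran); the rules, the thresholds and the names `triage`, `target_path` and `looks_random` are this example's own choices. Hits are leads, not verdicts: the legitimate mobsync.exe entry trips the bare-filename rule, which is exactly why the thread has the files checked with the online scanners before anything is deleted.

```python
"""Triage the O4 / O20 autostart lines of a HijackThis 1.99 log.

Added example for this thread: not HijackThis code and not from the original
posts.  Every rule is a heuristic that produces a lead to hash and upload to
an online scanner, not a verdict.
"""
import re

# Constructed sample: lines excerpted from the first log posted in the thread
# (the O20 line is the one that vanished after Look2Me-Destroyer ran), plus the
# legitimate mobsync.exe entry to show a false lead.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [bxmon] rundll32.exe C:\WINNT\system32\bxmon.dll,start
O4 - HKLM\..\Run: [ifdrv] rundll32.exe C:\WINNT\system32\ifdrv.dll,start
O4 - HKLM\..\Run: [mousepad] C:\\mousepad3.exe
O4 - HKLM\..\Run: [newname] C:\\newname3.exe
O4 - HKLM\..\RunServices: [System Service] S4B3R.exe
O4 - HKCU\..\Run: [frrw] C:\PROGRA~1\COMMON~1\frrw\frrwm.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O20 - Winlogon Notify: StillImage - C:\WINNT\system32\o8ns0i57e8.dll
"""

# HijackThis line shapes this script understands (assumed from the log above).
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<cmd>.*)$")
# First token ending in an executable extension, stopping at space, comma or end.
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|,|$)", re.IGNORECASE)


def target_path(cmd: str) -> str:
    """Return the file an autostart command actually loads (quotes stripped,
    rundll32 host peeled off, arguments dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    if cmd.lower().startswith("rundll32.exe"):
        cmd = cmd[len("rundll32.exe"):].strip()  # what follows is <dll>,<export> [args]
    m = EXT_RE.match(cmd)
    if m:
        return m.group(1)
    parts = cmd.split()
    return parts[0] if parts else ""


def looks_random(path: str) -> bool:
    """Crude entropy stand-in: a file stem of 8+ chars with 30% or more digits."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    digits = sum(ch.isdigit() for ch in stem)
    return len(stem) >= 8 and digits / len(stem) >= 0.3


def reasons_for(kind: str, key: str, cmd: str):
    """Apply the heuristics to one entry; returns (target path, [reasons])."""
    path = target_path(cmd)
    norm = path.replace("\\\\", "\\")  # collapse the C:\\ seen in the log
    hits = []
    if key == "RunServices":
        hits.append("RunServices: Windows 9x-era key, rarely used by legitimate software on NT")
    if not re.match(r"^[A-Za-z]:\\", norm):
        hits.append("bare file name, resolved through the PATH search at logon")
    if "\\\\" in path:
        hits.append("doubled backslash in the registry value")
    if re.match(r"^[A-Za-z]:\\[^\\]+$", norm):
        hits.append("executable dropped in the drive root")
    if cmd.strip().lower().startswith("rundll32.exe"):
        hits.append("DLL hosted by rundll32.exe, confirm the DLL is a known component")
    if kind == "O4" and re.search(r"~\d\\", norm):
        hits.append("8.3 short path (PROGRA~1 style) written to a Run value")
    if looks_random(norm):
        where = " in a Winlogon Notify slot" if kind == "O20" else ""
        hits.append("random-looking file name" + where)
    return path, hits


def triage(log_text: str) -> dict:
    """Map entry name -> (target path, [reasons]) for every line that tripped a rule."""
    findings = {}
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in (("O4", RUN_RE), ("O4", STARTUP_RE), ("O20", NOTIFY_RE)):
            m = rx.match(line)
            if m:
                key = m.groupdict().get("key", "Notify")
                path, hits = reasons_for(kind, key, m.group("cmd"))
                if hits:
                    findings[m.group("name")] = (path, hits)
                break
    return findings


if __name__ == "__main__":
    for name, (path, hits) in triage(SAMPLE_LOG).items():
        print(f"[{name}] {path}")
        for hit in hits:
            print("    -", hit)
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the paths it returns are the ones to locate (with hidden files shown) and upload to the scanners linked above before fixing the lines in HJT.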

gianky
2006-03-18, 16:31
Hello Phil! By the way, my name is Giancarlo: nice to meet you! And to your question about where I live I can tell you that I am from Denmark.

I followed step by step your instructions and here is what happened:

1) I scanned the file frrwm.exe and it was infected by Trojan Downloader win32.TSUpdate.n

2) I installed Ewido, updated it and made a scan. It found 60 infected items which I said to "remove" one by one as they seemed to be all adware, trojans, backdoors and so on. When the scan finished the program removed all the infected files and when I clicked on "Save report" the computer went stuck and the only thing I could do was to reset it: so no report has been saved. What should I do? Make a new scan and try to save the report again?

3) I opened Hjt and made a system scan only: I checked the boxes you told me but I have also to tell you that some of them were not there anymore, such as "O4 - HKLM\..\Run: [newname] C:\\newname3.exe" and "O4 - HKLM\..\RunServices: [System Service] S4B3R.exe". I do not use the Alexa toolbar so I checked the two boxes related to that.
I clicked on "Fix checked" and then enabled "hidden files and folders....".

4) Now comes the part I do not understand.
You write that I should locate and delete some items: how do I find them? In which folder? I tried to take a look but I cannot find them: even the folder named "frrwm" no longer contains the files you mention, but I can see those files in the list of infected files Ewido put in quarantine. The folder now contains only 4 files with extension ".lck".
Has this nasty trojan worm S4B3R been removed by Ewido?
Can you explain to me again what I should look for and how? I am not an expert with computers.

Anyway, here is the latest hjt logfile.

Logfile of HijackThis v1.99.1
Scan saved at 16:31:08, on 18-03-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cmd.exe
C:\Documents and Settings\gd.GD-OAK9IFJ8JT4G\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142670533964
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

pskelley
2006-03-18, 18:03
Hello Giancarlo, It is a pleasure to meet you also, I am bumming around on the West Coast of Florida as you see. Came to Florida in 1970 to take a look. I have many friends in the Netherlands, Finland, Sweden, the UK and many other countries, but you may be the first I can call by name in Denmark :) that I can think of. Let's look over your replies by number.

1) I believed that was a trojan, but not having access to your computer and the fact it was close to the Desktop Firewall it made me nervous. Best to check first, and thanks.

2) Would have been nice to see the scan results, sometimes a real bad item will not be removed and the log shows us so we can use a tool to do what ewido could not. Since you removed everything it found, it is probably not a problem. If you wish, just run another scan, which should be about clean, and post the results if it is not.

3) Perfect, I will say here that often by the time you get to removing the files and folders manually the stuff is gone, I like to do several checks to make sure nothing bad is left on the computer.

4) To attempt to explain, when I say RIGHT-click on Start then click on Explore, it is the same as saying open My Computer, open C:\, open C:\Program Files, etc.
While ewido and even HJT may have removed some of the junk, this check is to make sure, to remove any file or folder that was missed. If I say delete a file, I highlight it, and that means there is only a bad file to contend with, like: C:\WINNT\system32\bxmon.dll >>> file. If I say to delete a folder, that means any contents of the folder are also bad, so there is no reason to look inside, just right-click and delete. The issue at play here is the fact that HJT is a process manager. When you check and fix a line with HJT it also stops the process from running until you reboot, so you can delete the file or folder without having Windows tell you it is running and you can't delete it. I hope this makes it easier to understand. Now I will look at the log to see how you did.

Logfile of HijackThis v1.99.1 Scan saved at 16:31:08, on 18-03-2006 This log is clean of malware and you are good to go. Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Since you did not say, I wish to make sure you ran CCleaner because it will clean out a lot of junk that can slow you down. Especially run Issues and be sure to backup before cleaning the junk from the registry with it when you get the prompt to do so.

Because you are the first I can call by name in Denmark, here is a small tool created by Atribune (who also created the Look2Me-Destroyer.exe ) of here: http://www.atribune.org/ As far as I can see this will work on Windows2000, here is the information: http://www.atribune.org/forums/index.php?showtopic=1332

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Here are some others ideas that may help you run better:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

I wish you safe surfing...Phil:)

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

gianky
2006-03-18, 23:53
Hello Phil!

I did run CCleaner and it removed some more rubbish.
Then I made a new scan with Ewido and here is the result (this time saving it worked):

-------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 23:39:45, 18-03-2006
+ Report-Checksum: 9BCB538B

+ Scan result:

C:\Documents and Settings\gd.GD-OAK9IFJ8JT4G\Cookies\gd@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\gd.GD-OAK9IFJ8JT4G\Cookies\gd@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : Cleaned with backup
C:\quarantine\winsys.exe.Vir/winsys\download.exe -> Trojan.LowZones.cq : Error during cleaning
C:\quarantine\winsys.exe.Vir/winsys\index1.exe -> Trojan.LowZones.cf : Error during cleaning


::Report End

Why does it say "Error during cleaning" referring to those 2 Trojans? I noticed that during the Ewido scan my McAfee antivirus caught these Trojans and sent them into the "Quarantine" folder: is this the reason why it says "Error during cleaning"?


And here is again a new hjt logfile (hopefully still clean):

Logfile of HijackThis v1.99.1
Scan saved at 23:52:11, on 18-03-2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\gd.GD-OAK9IFJ8JT4G\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.dk/
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows 2000\FireTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142670533964
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\PROGRA~1\NETWOR~1\MCAFEE~1\FireSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe


Again, thank you very much for your help: it is good to know that here I can always find someone that is kind to help, and I am sure that sooner or later I will be here again.......it is a jungle out there!! :rolleyes:
Best regards,
Giancarlo.

pskelley
2006-03-19, 00:10
Hello Giancarlo, Your HJT log is clean, the items you are seeing are something that was quarantined by one of the tools we ran, or you ran earlier. C:\Quarantine << you can carefully right-click on the folder and look at the properties to see what program made the quarantine, then delete the folder if it was one of the tools we used, but at least delete all of the contents...that is important. You should have no problem doing this, as the trojans can not run from that quarantine folder.
Oops...just noticed McAfee put them there, delete the whole folder. McAfee will make a new one if it ever needs to quarantine something it can not delete again.
Thanks...Phil

tashi
2006-03-23, 19:55
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread.
Glad we could help.