Help!!!



charles19
2006-07-21, 22:04
I run Microsoft AntiSpyWare and Ad-Aware SE as well as an older Symantec antivirus.

System is dog slow, CPU usage in Task Manager pegs out permanently, CoolWebSearch keeps getting removed and coming back. Dell Latitude running 2k. Before I throw it in the Bay, thought I would try you guys... Help!!!

Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 11:25:41 AM, on 7/21/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\ywndceg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Multimedia Keyboard\mmusbkb2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\msncomm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
C:\Program Files\Ms Office\Office\OSA.EXE
C:\WINNT\system32\qwinlsez.exe
C:\WINNT\system32\services.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINNT\inet20019\winlogon.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [fikoffr] C:\WINNT\fikoffr.exe
O4 - HKLM\..\Run: [353A3838393B433C] 2C312F2F30323A.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Timer] C:\WINNT\msncomm.exe /i
O4 - HKLM\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINNT\smss.exe
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINNT\winlogon.exe
O4 - HKLM\..\Run: [38f0c2ed.exe] C:\WINNT\system32\38f0c2ed.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet20019\winlogon.exe
O4 - HKLM\..\Run: [IE Redir] C:\WINNT\ieredir.exe
O4 - HKLM\..\Run: [wvetglh] C:\WINNT\wvetglh.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINNT\system32\qwinlsez.exe FI002
O4 - HKCU\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINNT\system32\0mcamcap.exe
O4 - HKCU\..\Run: [38f0c2ed.exe] C:\Documents and Settings\clane.USER-6FCBB70DC1\Local Settings\Application Data\38f0c2ed.exe
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINNT\inet20019\winlogon.exe
O4 - Startup: Zeno.lnk = C:\WINNT\system32\qwinlsez.exe
O4 - Startup: Z_Start.lnk = C:\WINNT\system32\rkdsregn.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\AirPlus.exe
O4 - Global Startup: D-Link REG Utility.lnk = C:\Program Files\D-Link\AirPlus G Wireless Adapter Utility\Reg.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Ms Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://vo.uboc.com/Citrix/ICAWEB/en/ica32/wficat.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {444B911E-6E55-4A11-B3E9-0D3E21AE0437} - http://www.exfol.com/v/1/i/eins008.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/sp3.02r/spyspottercabinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EF367DC-FC1A-4BC6-9E84-E48026696018}: Domain = uboc-ad.corp.uboc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{3EF367DC-FC1A-4BC6-9E84-E48026696018}: NameServer = 10.150.112.106,10.20.27.242
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EA1AA41-F720-4368-8534-FCDCF55CB74C}: Domain = uboc-ad.corp.uboc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4EA1AA41-F720-4368-8534-FCDCF55CB74C}: NameServer = 10.150.112.106,10.20.27.242
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AEF2120-176A-4603-9EE4-1AC2591BF1B6}: Domain = uboc-ad.corp.uboc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AEF2120-176A-4603-9EE4-1AC2591BF1B6}: NameServer = 10.150.112.106,10.20.27.242
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA1009AB-0025-41FD-A02C-342EF13799C1}: Domain = uboc-ad.corp.uboc.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA1009AB-0025-41FD-A02C-342EF13799C1}: NameServer = 10.150.112.106,10.20.27.242
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = uboc-ad.corp.uboc.com,uboc.com,maf.corp.uboc.com,setlab-ad.corp.uboc.com,corp.uboc.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = uboc-ad.corp.uboc.com,uboc.com,maf.corp.uboc.com,setlab-ad.corp.uboc.com,corp.uboc.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = uboc-ad.corp.uboc.com,uboc.com,maf.corp.uboc.com,setlab-ad.corp.uboc.com,corp.uboc.com
O20 - AppInit_DLLs: dvdplay.dll C:\WINNT\system32\winspool.dll C:\WINNT\system32\dvdplay.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O21 - SSODL: DCOM Server 2237 - {2C1CD3D7-86AC-4068-93BC-A02304BB2237} - C:\WINNT\system32\2237_27.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: Apache Tomcat tomcat (tomcat) - Unknown owner - C:\Program Files\jakarta-tomcat-5.0.28\bin\tomcat5.exe" //RS//tomcat (file missing)
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\ywndceg.exe
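
As an added example (not part of this thread or of HijackThis itself), the script below parses O4 autorun lines in the same format as the log above and flags the patterns a helper would look at first: a core Windows process name such as smss.exe or winlogon.exe loaded from anywhere other than system32, a hex-looking executable name, and a bare filename with no path. The sample lines are constructed to mirror entries in the log, and the rules are heuristics, not a verdict.

```python
import re

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [353A3838393B433C] 2C312F2F30323A.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINNT\smss.exe
O4 - HKLM\..\Run: [xp_system] C:\WINNT\inet20019\winlogon.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [38f0c2ed.exe] C:\Documents and Settings\clane.USER-6FCBB70DC1\Local Settings\Application Data\38f0c2ed.exe
""".strip().splitlines()  # constructed sample lines shaped like the HijackThis log above
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
SYSTEM_BINARIES = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "csrss.exe", "svchost.exe"}  # live only in system32
HEX_NAME = re.compile(r'^[0-9a-f]{6,}\.exe$', re.IGNORECASE)

def split_command(cmd):
    """Separate executable from arguments; HijackThis prints unquoted paths even when they contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, args = cmd[1:].partition('"')
        return exe, args.strip()
    m = re.match(r'(?P<exe>.+?\.exe)(?:\s+(?P<args>.*))?$', cmd, re.IGNORECASE)
    return (m.group("exe"), (m.group("args") or "").strip()) if m else (cmd, "")

def parse_o4(line):
    """Return {hive, name, exe, args} for an O4 Run-key line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m: return None
    exe, args = split_command(m.group("cmd"))
    return {"hive": m.group("hive"), "name": m.group("name"), "exe": exe, "args": args}

def triage(entry):
    """Heuristic reasons an entry deserves a closer look; an empty list means no rule fired."""
    base = entry["exe"].rsplit("\\", 1)[-1].lower()
    parent = entry["exe"][: -len(base)].lower()      # folder part, "" for a bare filename
    reasons = []
    if base in SYSTEM_BINARIES and not parent.endswith("\\system32\\"):
        reasons.append("core system process name outside system32")
    if HEX_NAME.match(base):
        reasons.append("hex-looking executable name")
    if "\\" not in entry["exe"]:
        reasons.append("bare filename, resolved through the search path")
    return reasons

def triage_log(lines):
    """Return [(hive, name, exe, reasons)] for every O4 entry that trips at least one rule."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry and (reasons := triage(entry)):
            findings.append((entry["hive"], entry["name"], entry["exe"], reasons))
    return findings
```

Run over the sample, four of the six entries are flagged and the two vendor entries are not; extend SYSTEM_BINARIES or add rules (for example a check on the F3 win.ini run line) to suit the log being reviewed.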

tashi
2006-07-25, 16:59
Hello and sorry for the wait.
If you are still in need of assistance, please go here and post a link back to this topic to flag a helper.

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)


FYI, see the following procedure regarding running an on-line scan and producing the log,
and also scanning in safe mode with Spybot-S&D
BEFORE you post, and who will advise you: Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

tashi
2006-07-28, 17:31
This topic is closed.

If you need it re-opened, please send me a PM and provide a link to the thread.
Applies only to the original topic starter.