04-Dec-2004, 10:59 PM
#1
My Internet Explorer is extremely slow; I can't even connect to most websites. I've run the Norton AntiVirus scanner and it picked up the Download.Trojan virus and the W32.Korgo.W worm. I quarantined and deleted what needed to be through Norton, but the PC slowed even more. I ran the online virus scan through HouseCall and it picked up several other trojans such as the W32.Spybot worm, the Wootbot virus, and several other listings for the W32.Korgo.W worm. It seems like the harder I try to get rid of these dreadful pests, the more they replicate and slow Internet Explorer down even more. Most infected files and folders are in my system32 folders. There's a csrss.exe file running in Task Manager that is taking up a lot of memory usage also; I don't know if this is supposed to do that or not. Also, my password for my dial-up internet connection is constantly being changed. Here is a copy of my HijackThis logfile. Any help is greatly appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 9:54:49 PM, on 12/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system32\nt\lsass.exe
C:\windows\system32\nt\services.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\System32\spool.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackfolder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Printer Services] spool.exe
O4 - HKLM\..\Run: [Microsoft Update] MSlti32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunServices: [Printer Services] spool.exe
O4 - HKLM\..\RunServices: [Microsoft Update] MSlti32.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Printer Services] spool.exe
O4 - HKCU\..\Run: [Microsoft Update] MSlti32.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/game...s/y/dtt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/game...ts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst4_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A7F82252-EF7F-4E46-8595-84AE76D5FE03} (InstControl Class) - http://neo-toolbar.com/Inst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{512F1C60-7D36-4813-AB8C-EF250DFE371E}: NameServer = 204.68.227.1 204.68.227.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB37B7B0-AC76-4EDE-B22B-AA9DB0288E75}: NameServer = 204.68.227.1,204.68.227.2

__________________
Operating System is Windows XP (Home Edition)
04-Dec-2004, 11:26 PM
#2
First, if you do not have the XP firewall enabled, enable it now: http://www.duxcw.com/faq/win/xp/firewall.htm

It also sounds like you are not up to date on your security patches. I would highly recommend you visit Windows Update and install all critical updates. For now, follow these directions:

1 >> Restart in Safe Mode: http://service1.symantec.com/SUPPORT...01052409420406

2 >> In Safe Mode, run HijackThis and check and "fix" the following entries:

O4 - HKLM\..\Run: [Printer Services] spool.exe
O4 - HKLM\..\Run: [Microsoft Update] MSlti32.exe
O4 - HKLM\..\RunServices: [Printer Services] spool.exe
O4 - HKLM\..\RunServices: [Microsoft Update] MSlti32.exe
O4 - HKCU\..\Run: [Printer Services] spool.exe
O4 - HKCU\..\Run: [Microsoft Update] MSlti32.exe

^^ I suspect most of the above files have already been deleted or quarantined by Symantec, but you should probably search for them as well. Do not confuse spool.exe with spoolsv.exe, a required process.

Delete this file: C:\WINDOWS\System32\spool.exe

Additional cleanup instructions:

Go to the Control Panel > Internet Options applet. Clear the Temporary Internet Cache, History and Offline Content. Go to the Programs tab and select "Reset Web Settings", including your home page if it has been altered. You can reset that later to what you desire.

Go to Start > Run, enter %temp% and then click Edit > Select All. Right-click on the selected files and folders and delete them.

>> Disable System Restore and run your updated Symantec AV while in Safe Mode. Instructions on disabling (then re-enabling) System Restore: http://service1.symantec.com/SUPPORT...7?OpenDocument

Post another Scanlog when ready and let us know what problems, if any, you may still be encountering.

edit: We need to know where this suspicious startup is coming from:

C:\windows\system32\nt\services.exe
C:\windows\system32\nt\lsass.exe

The "nt" folder does not look legit. Download, unzip and run "getservice.bat" and upload the text file it produces as an attachment. http://forums.techguy.org/attachment...chmentid=38367
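The triage done by hand in the post above (a core Windows binary running from the wrong directory, the same bare file name registered under HKLM Run, HKLM RunServices and HKCU Run at once, spool.exe sitting next to the real spoolsv.exe) can be scripted. The Python below is an added example, not code from the thread or from HijackThis. It assumes %SystemRoot% is C:\WINDOWS as in the posted log, runs over a trimmed excerpt of that log embedded as constructed test input, and also pulls out the O17 NameServer values that come up later in the thread so they can be compared against the ISP's published resolvers.

```python
"""Triage a HijackThis log for the patterns worked through in this thread."""
import re
from collections import defaultdict

# Core Windows binaries that malware names itself after, with the only directory
# (relative to %SystemRoot%) each legitimately runs from on Windows XP.
# Assumes %SystemRoot% is C:\WINDOWS, as in the posted log.
CORE_BINARIES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "",
}

SECTION_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


def parse_log(text):
    """Split a log into running-process paths, O4 autostarts and O17 nameservers."""
    processes, autostarts, nameservers = [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if not m:
            if ":\\" in line:  # lines under "Running processes:" are bare paths
                processes.append(line)
            continue
        code, body = m.groups()
        if code == "O4":
            o4 = O4_RE.match(body)
            if o4:
                hive, key, name, command = o4.groups()
                autostarts.append((f"{hive}\\..\\{key}", name, command))
        elif code == "O17":
            servers = body.partition("NameServer = ")[2]
            nameservers.extend(s for s in re.split(r"[ ,]+", servers) if s)
    return processes, autostarts, nameservers


def impersonated_processes(processes, system_root=r"c:\windows"):
    """Paths named like a core binary but not running from its canonical directory."""
    hits = []
    for path in processes:
        directory, name = path.lower().rsplit("\\", 1)
        sub = CORE_BINARIES.get(name)
        if sub is None:
            continue
        canonical = system_root.lower() + (f"\\{sub}" if sub else "")
        if directory != canonical:
            hits.append(path)
    return hits


def suspicious_autostarts(autostarts):
    """O4 entries worth a look: a bare file name registered under several keys,
    and commands that are near-misses of a core binary (spool.exe vs spoolsv.exe)."""
    by_name = defaultdict(list)
    for key, name, command in autostarts:
        by_name[name].append((key, command.lower()))
    multi_key, lookalikes = {}, {}
    for name, entries in by_name.items():
        if len(entries) > 1 and all("\\" not in cmd for _, cmd in entries):
            multi_key[name] = [key for key, _ in entries]
        for _, cmd in entries:
            stem = cmd.split("\\")[-1].split(" ")[0].strip('"').rsplit(".", 1)[0]
            for core in CORE_BINARIES:
                core_stem = core[:-4]
                if stem != core_stem and len(stem) >= 4 and (
                        core_stem.startswith(stem) or stem.startswith(core_stem)):
                    lookalikes[cmd] = core
    return multi_key, lookalikes


def triage(text, system_root=r"c:\windows"):
    processes, autostarts, nameservers = parse_log(text)
    multi_key, lookalikes = suspicious_autostarts(autostarts)
    return {
        "impersonated_processes": impersonated_processes(processes, system_root),
        "multi_key_autostarts": multi_key,
        "lookalike_autostarts": lookalikes,
        "nameservers": sorted(set(nameservers)),  # check these against the ISP
    }


# Trimmed excerpt of the first log posted in this thread (constructed test input).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system32\nt\lsass.exe
C:\windows\system32\nt\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Printer Services] spool.exe
O4 - HKLM\..\Run: [Microsoft Update] MSlti32.exe
O4 - HKLM\..\RunServices: [Printer Services] spool.exe
O4 - HKLM\..\RunServices: [Microsoft Update] MSlti32.exe
O4 - HKCU\..\Run: [Printer Services] spool.exe
O4 - HKCU\..\Run: [Microsoft Update] MSlti32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{512F1C60-7D36-4813-AB8C-EF250DFE371E}: NameServer = 204.68.227.1 204.68.227.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB37B7B0-AC76-4EDE-B22B-AA9DB0288E75}: NameServer = 204.68.227.1,204.68.227.2
"""

if __name__ == "__main__":
    for section, finding in triage(SAMPLE_LOG).items():
        print(f"{section}: {finding}")
```

Entries such as CHotkey (a bare mHotkey.exe under a single key) are deliberately left alone: a bare file name is only flagged when the same name has been planted in more than one autostart location, which is the worm habit the post is pointing at, not a sign of trouble on its own.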
05-Dec-2004, 12:58 AM
#3
I have done all that you have said to do, and upon another virus scan from Norton, 2 infected files were found with the Download.Trojan virus again. They are as follows:

C:\Windows\system32\.pif
C:\Windows\system32\o

I quarantined both files, but Norton was unable to repair these two files. I did find and delete the spool.exe file and fixed all you suggested in HijackThis. I am getting an error message upon reboot of my PC that states "FireDaemon.exe encountered a problem and needed to close." I get this often, every time I boot up my PC. What is this FireDaemon and what does it do? And should I be concerned with the csrss.exe in Task Manager using so much memory? Most of the time it is approximately 50% CPU usage. Again, I do appreciate your time and help with this problem. Here is the new HijackThis logfile.

Logfile of HijackThis v1.98.2
Scan saved at 11:54:13 PM, on 12/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system32\nt\lsass.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system32\nt\services.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\slrundll.exe
C:\WINDOWS\explorer.exe
C:\hijackfolder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/game...s/y/dtt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/game...ts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst4_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A7F82252-EF7F-4E46-8595-84AE76D5FE03} (InstControl Class) - http://neo-toolbar.com/Inst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{512F1C60-7D36-4813-AB8C-EF250DFE371E}: NameServer = 204.68.227.1 204.68.227.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB37B7B0-AC76-4EDE-B22B-AA9DB0288E75}: NameServer = 204.68.227.1,204.68.227.2

Also, I am attaching the getservice.txt file as you requested. Again, thanks for your help.

__________________
Operating System is Windows XP (Home Edition)
05-Dec-2004, 02:21 AM
#4
"firedaemon.exe" is not, in itself, considered malicious. However, it is not a default Windows file, and it is often used to install malicious files. That is what is happening here. You have TWO service entries which need to be disabled and the folder from which they are running deleted.

First, go to Start > Run, and enter services.msc. Scroll to and locate the following two named services:

FireDaemon Service: lsass
FireDaemon Service: services

>> Double-click to access their properties. Note that the names here, "lsass" and "services", mimic two files in c:\windows\system32 which are REQUIRED services, so do not be confused by this.
>> SET EACH of these named services to DISABLED in their startup modes.
>> Now restart in Safe Mode and delete the C:\windows\system32\nt folder, which contains all these malicious files.

For a thorough registry cleaning, you can also run regedit and navigate to the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
>> Under the Services key, look for those two named services. You can right-click and delete them there. Don't delete anything else there. If you are unsure, just ignore this part. With the service disabled, this is primarily housecleaning.
>> Reboot and post a new Scanlog.
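The service check in the post above, as an added Python example (not code from the thread, from HijackThis or from FireDaemon): it flags a service whose key name borrows a core binary's name while its ImagePath is not the real binary in %SystemRoot%\system32, a service binary named like a core binary but running from elsewhere (the system32\nt folder), and a service whose ImagePath is a generic "run anything as a service" wrapper such as firedaemon.exe. The sample records are constructed to match what the thread describes; the FireDaemon services' key names, the wrapper list and %SystemRoot% = C:\WINDOWS are assumptions. On Windows, collect_services() reads the real list from HKLM\SYSTEM\CurrentControlSet\Services; elsewhere the constructed records are used.

```python
"""Audit Windows service entries for the impersonation pattern in this thread."""
import os
import re
import sys

CORE_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv"}
# Generic "run any program as a service" wrappers (assumed list; extend as needed).
SERVICE_WRAPPERS = {"firedaemon.exe", "srvany.exe"}


def binary_of(image_path):
    """Executable part of an ImagePath value, without quoting or arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    return p.split(" ", 1)[0]


def audit_service(key_name, image_path, system_root=r"c:\windows"):
    """Reasons a service looks like it impersonates a core binary (empty if none)."""
    binary = binary_of(image_path).lower()
    directory, filename = binary.rsplit("\\", 1) if "\\" in binary else ("", binary)
    canonical = f"{system_root.lower()}\\system32"
    reasons = []
    # 1. The key name borrows a core name, but ImagePath is not the real binary.
    for token in sorted(set(re.split(r"[^a-z0-9]+", key_name.lower())) & CORE_NAMES):
        if binary != f"{canonical}\\{token}.exe":
            reasons.append(f"service name borrows '{token}' but runs {binary}")
    # 2. The binary is named like a core one but lives elsewhere (e.g. system32\nt).
    if filename[:-4] in CORE_NAMES and directory != canonical:
        reasons.append(f"{filename} outside {canonical}")
    # 3. A wrapper: what it really launches sits in the wrapper's own configuration.
    if filename in SERVICE_WRAPPERS:
        reasons.append(f"{filename} is a generic service wrapper; inspect what it launches")
    return reasons


def audit_services(records, system_root=r"c:\windows"):
    """Map service key -> (display name, reasons) for every service with findings."""
    findings = {}
    for key, display, path in records:
        reasons = audit_service(key, path, system_root)
        if reasons:
            findings[key] = (display, reasons)
    return findings


def collect_services():
    """(key, DisplayName, ImagePath) for every service in the live registry (Windows only)."""
    import winreg
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            key = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, key) as sub:
                try:
                    path = os.path.expandvars(winreg.QueryValueEx(sub, "ImagePath")[0])
                except OSError:
                    continue  # container keys and some drivers carry no ImagePath
                try:
                    display = winreg.QueryValueEx(sub, "DisplayName")[0]
                except OSError:
                    display = key
            records.append((key, display, path))
    return records


# Constructed records matching the thread: three legitimate services and the two
# FireDaemon entries. The FireDaemon services' key names are assumed.
SAMPLE_SERVICES = [
    ("Spooler", "Print Spooler", r"C:\WINDOWS\system32\spoolsv.exe"),
    ("Dhcp", "DHCP Client", r"C:\WINDOWS\system32\svchost.exe -k netsvcs"),
    ("navapsvc", "Norton AntiVirus Auto Protect Service",
     r'"C:\Program Files\Norton AntiVirus\navapsvc.exe"'),
    ("lsass", "FireDaemon Service: lsass", r"C:\windows\system32\nt\firedaemon.exe"),
    ("services", "FireDaemon Service: services", r"C:\windows\system32\nt\firedaemon.exe"),
]

if __name__ == "__main__":
    records = collect_services() if sys.platform == "win32" else SAMPLE_SERVICES
    for key, (display, reasons) in audit_services(records).items():
        print(f"{key} ({display})")
        for reason in reasons:
            print("   -", reason)
```

Display names are deliberately not matched: many legitimate XP services carry "Services" in their display name (Terminal Services, Cryptographic Services) while running from svchost.exe, so matching on them would drown the two real hits in false positives. The key name and the ImagePath are the fields worth trusting.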
05-Dec-2004, 08:49 AM
#5
OK, that stopped the firedaemon.exe startup problems. Again, thanks for your help. Upon reboot, in Task Manager, the performance of the CPU usage is running between 0 - 8%. Is the CPU usage supposed to be this low? Also, under Processes, the System Idle Process is running at 99, which before was only running around 4. I'm not familiar with how the CPU usage is supposed to be on Windows XP. It seems to me like Internet Explorer upon reboot is running somewhat better now. Again, thank you so much for your time and help. Here is the new HijackThis log file. Can you tell me what the last two entries of the logfile are all about? They both start with O17 and have something to do with the NameServer. Both of these look suspicious to me, but you guys are the pros. I just don't remember these two being there a couple of weeks ago. Again, thanks for the help; I just can't thank you guys enough.

Logfile of HijackThis v1.98.2
Scan saved at 7:39:54 AM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\slrundll.exe
C:\hijackfolder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/game...s/y/dtt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/game...ts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst4_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A7F82252-EF7F-4E46-8595-84AE76D5FE03} (InstControl Class) - http://neo-toolbar.com/Inst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{512F1C60-7D36-4813-AB8C-EF250DFE371E}: NameServer = 204.68.227.1 204.68.227.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB37B7B0-AC76-4EDE-B22B-AA9DB0288E75}: NameServer = 204.68.227.1,204.68.227.2

__________________
Operating System is Windows XP (Home Edition)
05-Dec-2004, 10:30 AM
#6
Here's another update to my last post. When connecting to the internet, the first try says "unable to detect dial tone". I have to disconnect the line from the phone jack and reconnect it, and then I can connect to the internet. I have to do this every time I need to connect to the internet. I tried downloading all of Microsoft's security updates but was unable to do that; it said it failed. Also, I have tried downloading an MP3 file from WinMX but am unable to do so. WinMX has been so slow recently, and now won't even try to download anything; it says it's unable to make a TCP/IP connection. I have no idea what this is or how to solve the issue. I'm guessing that's why I can't download Microsoft's security updates. The PC seems to be running somewhat better, but again something is just not quite right about it. The System Idle Process in Task Manager is staying on 99. Is this supposed to be this way? Could WinMX be corrupting my system? Again, I do appreciate any help. Also, I don't know if this matters or not, but I used to be on DSL and reverted back to dial-up; I'm not sure if this has anything to do with my TCP/IP or internet connectivity.

Logfile of HijackThis v1.98.2
Scan saved at 9:29:07 AM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\slrundll.exe
C:\hijackfolder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/game...s/y/dtt1_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt3_x.cab
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/game...ts/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst4_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A7F82252-EF7F-4E46-8595-84AE76D5FE03} (InstControl Class) - http://neo-toolbar.com/Inst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{512F1C60-7D36-4813-AB8C-EF250DFE371E}: NameServer = 204.68.227.1 204.68.227.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{FB37B7B0-AC76-4EDE-B22B-AA9DB0288E75}: NameServer = 204.68.227.1,204.68.227.2

Also, can anyone tell me what the last two listings are in the HijackThis log, the O17 listings? Again, thanks for the help.

__________________
Operating System is Windows XP (Home Edition)
05-Dec-2004, 02:54 PM
#7
First, the CPU usage you are reporting now is exactly as it should be. System Idle Process should generally be very high (this is the "idle" time) and CPU usage is normally under 8% when nothing is being actively run or loaded.

The last two entries in the Scanlog are "NameServer" entries used to resolve domain names into IP addresses. These are typically installed by ISPs, but sometimes can be hijacked by malware. The ones you have are registered to:

OrgName: Mikrotec Internet Services, Inc.
OrgID: MIKR
Address: 1001 Winchester Road
City: Lexington
StateProv: KY
PostalCode: 40505
Country: US

>> I don't know how this relates to your "host", which is: prtc-mp156.mis.net. But Mikrotec is a legitimate service: http://www.dslreports.com/reviews/762

Since you say you have gone back to dial-up, try checking and "fixing" those two O17 entries. Then reboot. This might have something to do with the connectivity issues. However, they could also be modem-related. Did they precede this current "fix" or occur afterwards? Nothing I had you do should affect this.

By the way, check and fix this as well:

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe

Is there an "uninstall" for this in Add/Remove Programs?

Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.