
Help...slow pc!

Discussion in 'Virus & Other Malware Removal' started by cheapshot, Oct 16, 2003.

Thread Status:
Not open for further replies.
  1. cheapshot

    cheapshot Thread Starter

    Joined:
    Aug 29, 2001
    Messages:
    284
    Here is my log guys...You have bailed me out before!

    Logfile of HijackThis v1.95.1
    Scan saved at 10:52:45 PM, on 10/16/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINNT\System32\smss.exe
    F:\WINNT\system32\winlogon.exe
    F:\WINNT\system32\services.exe
    F:\WINNT\system32\lsass.exe
    F:\WINNT\system32\svchost.exe
    F:\WINNT\system32\LEXBCES.EXE
    F:\WINNT\system32\spoolsv.exe
    F:\WINNT\System32\svchost.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\WINNT\system32\regsvc.exe
    F:\WINNT\system32\MSTask.exe
    F:\WINNT\System32\WBEM\WinMgmt.exe
    F:\WINNT\system32\svchost.exe
    F:\WINNT\Explorer.EXE
    F:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    F:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    F:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    F:\PROGRA~1\NORTON~1\navapw32.exe
    F:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    F:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
    F:\WINNT\System32\msbb.exe
    F:\Program Files\Bargain Buddy\bin2\bargains.exe
    F:\PROGRA~1\BROWSE~1\adblck.exe
    F:\PROGRA~1\COMMON~2\ADDRES~1\comwiz.exe
    F:\Program Files\rb32\rb32.exe
    F:\WINNT\FMSZG.exe
    F:\WINNT\System32\SahAgent.exe
    F:\WINNT\system32\msmsgri32.exe
    F:\Program Files\ClearSearch\Loader.exe
    F:\Program Files\Common files\KeenValue\KeenValue.exe
    F:\WINNT\System32\rundll32.exe
    F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\winnt\inf\tskdbg.exe
    F:\Program Files\Common files\KeenValue\KWM.exe
    F:\WINNT\System32\wuauclt.exe
    F:\Documents and Settings\Rodney & Ana Knowles\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findwhatevernow.com/portal/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\WINNT\System32\blank.htm
    R3 - URLSearchHook: eUnivBHO Class - {269B6797-664E-48AA-B283-B012BDF6E525} - F:\PROGRA~1\INCRED~1\BHO\BHO.dll
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: BabeIE - {00000000-0000-0000-0000-000000000000} - F:\PROGRA~1\COMMON~2\ADDRES~1\cnbabe.dll
    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - F:\WINNT\System32\emesx.dll
    O2 - BHO: (no name) - {00000580-C637-11D5-831C-00105AD6ACF0} - F:\WINNT\MSView.DLL
    O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - F:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
    O2 - BHO: (no name) - {00000EF1-34E3-4633-87C6-1AA7A44296DA} - F:\WINNT\System32\F1.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NavErrRedir Class - {269B6797-664E-48AA-B283-B012BDF6E525} - F:\PROGRA~1\INCRED~1\BHO\BHO.dll
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - F:\Program Files\NewDotNet\newdotnet5_48.dll
    O2 - BHO: (no name) - {5F5564AC-DE7A-4DCD-9296-32E71A35DCB7} - F:\PROGRA~1\BROWSE~1\bptlb.dll
    O2 - BHO: (no name) - {6085FB5B-C281-4B9C-8E5D-D2792EA30D2F} - F:\WINNT\System32\NetPal.dll
    O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - F:\Program Files\ClearSearch\IE_ClrSch.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - F:\PROGRA~1\BARGAI~1\bin2\apuc.dll
    O2 - BHO: (no name) - {D34F641F-5210-4EB0-8ED5-9179F47E15B7} - F:\PROGRA~1\BROWSE~1\blckbho.DLL
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - F:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Browser Pal Toolbar - {337D0C1D-4053-4FAB-AF2B-45C2F7B0FAA7} - F:\PROGRA~1\BROWSE~1\bptlb.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] F:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] F:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] F:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [CreateCD50] "F:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "F:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [winnet] F:\PROGRA~1\COMMON~2\ADDRES~1\Winnet.exe
    O4 - HKLM\..\Run: [msbb] F:\WINNT\System32\msbb.exe
    O4 - HKLM\..\Run: [ms32iss] F:\WINNT\web\printers\images\explorer.exe
    O4 - HKLM\..\Run: [Bargains] F:\Program Files\Bargain Buddy\bin2\bargains.exe
    O4 - HKLM\..\Run: [ccreg] F:\WINNT\System32\explorer.exe
    O4 - HKLM\..\Run: [WINSTA~1.EXE] F:\WINNT\System\WINSTA~1.EXE -b
    O4 - HKLM\..\Run: [RunWindowsUpdate] F:\WINNT\uptodate.exe
    O4 - HKLM\..\Run: [Browser Pal] F:\PROGRA~1\BROWSE~1\adblck.exe -s
    O4 - HKLM\..\Run: [rb32 lptt01] "F:\Program Files\rb32\rb32.exe"
    O4 - HKLM\..\Run: [FMSZG] F:\WINNT\FMSZG.exe
    O4 - HKLM\..\Run: [SAHAgent] F:\WINNT\System32\SahAgent.exe
    O4 - HKLM\..\Run: [mssyslanhelper] F:\WINNT\system32\msmsgri32.exe
    O4 - HKLM\..\Run: [taskdebug] c:\winnt\inf\tskdbg.exe
    O4 - HKLM\..\Run: [ClrSchLoader] F:\Program Files\ClearSearch\Loader.exe
    O4 - HKLM\..\Run: [KeenValue] F:\Program Files\Common files\KeenValue\KeenValue.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 F:\PROGRA~1\NEWDOT~1\NEWDOT~3.DLL,NewDotNetStartup
    O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [media_stub] C:\Program Files\ebkrdr\stub.exe
    O4 - HKCU\..\Run: [AutoUpdater] F:\WINNT\System32\aupdate.exe
    O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: KeenValue.lnk = F:\Program Files\Common Files\KeenValue\keenvalue.exe
    O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Add A Page Note - F:\Program Files\CommonName\AddressBar\createnote.htm
    O8 - Extra context menu item: Bookmark This Page - F:\Program Files\CommonName\AddressBar\createbookmark.htm
    O8 - Extra context menu item: Email This Link - F:\Program Files\CommonName\AddressBar\emaillink.htm
    O8 - Extra context menu item: Search using CommonName - F:\Program Files\CommonName\AddressBar\navigate.htm
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: Browser Pal Toolbar (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O11 - Options group: [CommonName] CommonName
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37620.8411342593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    You have a bunch of bad crap there.

    While waiting for more qualified help than I ;) go to add/remove programs and see if you can uninstall NEWDOTNET.
     
  3. cheapshot

    cheapshot Thread Starter

    Joined:
    Aug 29, 2001
    Messages:
    284
    I got newdot removed...I am in the process now of scanning with NAV2002 in safe mode. Seems like I picked up Backdoor.Roxy from Randex.D. I will try and delete all these files and clear the registry. Please respond soon!
     
  4. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Be sure to update the data files for NAV prior to scanning.

    Post a new log after you delete infected files.
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Yes you do have a lot of crap there.

    You have the RapidBlaster parasite.

    First click on the link below and it will download RBKiller.

    Close all browser windows and click on the rbkiller.exe and let it do its thing. It can scan all running programs, detect RapidBlaster, and successfully terminate the process and remove the Run key registry entry. The newest version can also clean up various RapidBlaster remnants.

    http://www.spywareinfo.com/downloads/rbkiller/rbkiller.exe

    Restart your computer.


    Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

    Install the program and launch it.

    I strongly recommend that you read the help file to familiarize yourself with the program.

    Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
    Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning", then under "Cleaning engine" put a check by "Let windows remove files in use at next reboot", then click "Proceed".

    Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
    After getting the latest reference files you are ready to scan.

    Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

    When it is finished let it fix everything it finds.

    Restart your computer.

    Then go here http://spybot.eon.net.au/index.php?...n&page=download and download Spybot.

    Install the program and launch it.

    Before scanning press "Online" and "Search for Updates" .

    Put a check mark at and install all updates.

    Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds.

    Restart your computer.

    Come back here and post another HT log and we'll get rid of what's left.
     
  6. cheapshot

    cheapshot Thread Starter

    Joined:
    Aug 29, 2001
    Messages:
    284
    Thanks dude...you are a totally righteous and ectomanical man! I shall post back with what's left soon!
     
  7. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    How soon I go to chopped liver :D :D
     
  8. cheapshot

    cheapshot Thread Starter

    Joined:
    Aug 29, 2001
    Messages:
    284
    Here is the new log:

    Logfile of HijackThis v1.95.1
    Scan saved at 1:24:49 AM, on 10/17/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    F:\WINNT\System32\smss.exe
    F:\WINNT\system32\winlogon.exe
    F:\WINNT\system32\services.exe
    F:\WINNT\system32\lsass.exe
    F:\WINNT\system32\svchost.exe
    F:\WINNT\system32\LEXBCES.EXE
    F:\WINNT\system32\spoolsv.exe
    F:\WINNT\System32\svchost.exe
    F:\Program Files\Norton AntiVirus\navapsvc.exe
    F:\WINNT\system32\regsvc.exe
    F:\WINNT\system32\MSTask.exe
    F:\WINNT\System32\WBEM\WinMgmt.exe
    F:\WINNT\system32\svchost.exe
    F:\WINNT\Explorer.EXE
    F:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    F:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    F:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    F:\PROGRA~1\NORTON~1\navapw32.exe
    F:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    F:\WINNT\System32\wuauclt.exe
    F:\Documents and Settings\Rodney & Ana Knowles\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\WINNT\System32\blank.htm
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - F:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] F:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] F:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [PrinTray] F:\WINNT\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [CreateCD50] "F:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [MoneyStartUp10.0] "F:\Program Files\Microsoft Money\System\Activation.exe"
    O4 - HKLM\..\Run: [ms32iss] F:\WINNT\web\printers\images\explorer.exe
    O4 - HKLM\..\Run: [ccreg] F:\WINNT\System32\explorer.exe
    O4 - HKLM\..\Run: [taskdebug] c:\winnt\inf\tskdbg.exe
    O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37620.8411342593
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Run Hijack This again and put a check by these. Close all browser windows and "Fix checked"

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com

    O4 - HKLM\..\Run: [ms32iss] F:\WINNT\web\printers\images\explorer.exe

    O4 - HKLM\..\Run: [ccreg] F:\WINNT\System32\explorer.exe

    O4 - HKLM\..\Run: [taskdebug] c:\winnt\inf\tskdbg.exe

    Restart to Safe Mode: press F8 on startup and select Safe Mode from the boot menu.

    In Safe Mode delete:

    The F:\WINNT\System32\explorer.exe
    The F:\WINNT\web\printers\images\explorer.exe
    The c:\winnt\inf\tskdbg.exe file

    Also go here http://housecall.trendmicro.com/ and do an online virus scan for a second opinion.

    The above files I am having you delete are from the backdoor.IRC.flood trojan and your Norton obviously missed them for some reason.
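The triage in this thread comes down to reading the HijackThis items for a few patterns: R0/R1 entries pointing the browser at an unfamiliar host, O1 entries pinning a domain to a foreign IP in the Hosts file (repeated four times here), and O4 Run entries that launch a Windows binary name such as explorer.exe from the wrong directory or start a program out of %WINDIR%\inf. The script below is an added example, not part of the thread and not a HijackThis feature; it parses a constructed subset of the first log posted above and flags those same patterns. The trusted-homepage suffixes, the list of imitated binary names with their expected directories, and the treatment of 127.0.0.1 Hosts entries are assumptions made for the example.

```python
"""Triage a HijackThis-style log for the indicators discussed in the thread.

Added example, not the forum's or HijackThis's own code. It parses R0/R1,
O1 and O4 item lines and flags:
  * R0/R1 start-page / search-bar settings pointing at an untrusted host,
  * O1 Hosts-file entries that pin a domain to an IP (noting repeats),
  * O4 Run entries that launch a Windows binary name from a directory other
    than where the genuine copy lives (explorer.exe under System32 or
    web\printers\images, as in the thread),
  * O4 Run entries started from %WINDIR%\inf, a driver-information folder.
"""
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.findwhatevernow.com/searchband/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findwhatevernow.com/portal/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = F:\WINNT\System32\blank.htm
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] F:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ms32iss] F:\WINNT\web\printers\images\explorer.exe
O4 - HKLM\..\Run: [ccreg] F:\WINNT\System32\explorer.exe
O4 - HKLM\..\Run: [taskdebug] c:\winnt\inf\tskdbg.exe
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\Money Express.exe"
"""


@dataclass(frozen=True)
class Finding:
    line: str    # the log line to tick in "Fix checked"
    reason: str  # why it was flagged


# Assumptions for this example, not HijackThis rules.
TRUSTED_HOMEPAGE_SUFFIXES = ("microsoft.com", "msn.com")
# Windows binary names imitated in the thread's log, mapped to the directory
# (relative to the Windows root, "" meaning the root itself) of the real copy.
EXPECTED_DIR = {"explorer.exe": "", "svchost.exe": "system32",
                "winlogon.exe": "system32", "lsass.exe": "system32"}

ITEM_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_PATH_RE = re.compile(r'\]\s*(?:"([^"]+)"|(\S+))')
WINROOT_RE = re.compile(r"^[a-z]:\\(?:winnt|windows)\\(.*)$", re.IGNORECASE)


def run_target(body: str):
    """Executable path from an O4 body; handles quoted and bare paths."""
    m = RUN_PATH_RE.search(body)
    return (m.group(1) or m.group(2)) if m else None


def check_browser_hijack(body: str):
    """Flag R0/R1 values that send the browser to an untrusted remote host."""
    if "=" not in body:
        return None
    setting, _, value = body.partition("=")
    value = value.strip()
    if not value.lower().startswith(("http://", "https://")):
        return None  # a local file such as blank.htm is not a remote hijack
    host = (urlsplit(value).hostname or "").lower()
    if any(host == s or host.endswith("." + s) for s in TRUSTED_HOMEPAGE_SUFFIXES):
        return None
    return f"{setting.split(',')[-1].strip()} redirected to {host}"


def check_run_entry(body: str):
    """Flag O4 targets that misuse a system binary name or run from \\inf."""
    path = run_target(body)
    if not path:
        return None
    m = WINROOT_RE.match(path)
    if not m:
        return None  # outside the Windows tree: nothing this check can say
    rel_dir, _, name = m.group(1).lower().rpartition("\\")
    if name in EXPECTED_DIR and rel_dir != EXPECTED_DIR[name]:
        return (f"{name} launched from '{rel_dir or '<windows root>'}', "
                f"genuine copy lives in '{EXPECTED_DIR[name] or '<windows root>'}'")
    if rel_dir.split("\\")[0] == "inf":
        return "program started from the driver-information folder %WINDIR%\\inf"
    return None


def triage(log_text: str):
    """Return a Finding for every suspicious item in the log."""
    findings = []
    hosts_seen = Counter()  # O1 bodies -> how often the same line repeats
    for raw in log_text.splitlines():
        m = ITEM_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("R0", "R1"):
            reason = check_browser_hijack(body)
        elif kind == "O1":
            hosts_seen[body] += 1
            continue
        elif kind == "O4":
            reason = check_run_entry(body)
        else:
            reason = None
        if reason:
            findings.append(Finding(f"{kind} - {body}", reason))
    for body, count in hosts_seen.items():
        hm = HOSTS_RE.match(body)
        if not hm:
            continue
        ip, domain = hm.groups()
        if ip in ("127.0.0.1", "0.0.0.0"):
            continue  # blocklist-style entries are a separate review
        reason = f"Hosts file pins {domain} to {ip}"
        if count > 1:
            reason += f" (entry repeated {count} times)"
        findings.append(Finding(f"O1 - {body}", reason))
    return findings


def fix_checked(findings):
    """Distinct log lines a helper would tell the user to tick in 'Fix checked'."""
    return sorted({f.line for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

The checks deliberately stay within what a log shows: a path-based rule cannot prove a file is malicious, which is why the thread still sends the user to a second-opinion scanner after the entries are fixed. The output is the list of lines to tick, matching the shape of the "put a check by these" reply above.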
     
  10. cheapshot

    cheapshot Thread Starter

    Joined:
    Aug 29, 2001
    Messages:
    284
    PC is back to normal again, thanks to your keen insight. The online scan is running now and has already found files with IRCBOT and IRC FLOOD. Hopefully this will be it.
     
  11. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    We can check a final log if you want to make sure all is gone.
     

Short URL to this thread: https://techguy.org/172497