Hi Telguy99
Hi,
I posted my log...here is the link:
http://www.bleepingcomputer.com/forums/topict12976.html#entry80184
Thank you
Jan

Smiles are meant to be shared,
that's why they're so contagious.
:
Hi Telguy99
I am not an analyst with the HiJackThis logs, so it is best for you to post this log at one of the support forums here so that the proper experts can analyze it and make the proper recommendations as to what corrective actions you need to do, if any.
AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.php?f=30
or Bleeping Computer Forum
http://www.bleepingcomputer.com/forums/forum22.html
(Note: You will have to Register before posting on these Forums. Please follow all posting instructions carefully to avoid having your log deleted or ignored.)
If you wish, post a link here to the forum where you post your log and we can continue to follow the progress there.
Hope this helps
Jan

Smiles are meant to be shared,
that's why they're so contagious.
Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
Logfile of HijackThis v1.99.1
Scan saved at 8:08:28 PM, on 3/7/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Userinit.exe
C:\WINNT\Explorer.EXE
C:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zzzHPSETUP] D:\Setup.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [iIWiper] C:\Program Files\iISystem Wiper\SystemWiper.exe m
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-10AA0055595A} - http://dev.truesuite.com/truewallet/TrueWalletInstall.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
Also I ran the other programs in safe mode and here is what I found:
BHO helper found 1 item Adobe helper...said it was OK to keep.
About Buster found nothing
CWShredder found nothing
Adaware found 40 objects all have been deleted.
Let me know if there is anything I should do with the Hijack this stuff.
I await your reply
:
Hi Telguy99
Well I repaired win 2000 and have reloaded all the updates....but my downloads are still very slow. I hooked up another computer to my dsl modem and it is very fast so the problem is not the modem or line it has to be something on this computer...I've defragged, cleaned temp files ran spyware detectors all to no avail...what else is there to do...this is very frustrating.
Then your system still has some kind of scumware on it. A Trojan, malware or hijacker. You said that you ran HiJackThis and it did not find anything. Is this what the experts on the forum where you posted your log told you?
What other removal tools have you run besides the HJT? What spyware removers did you run? Did you run AdAware or CWShredder?
An anti-spyware or adware removal program cannot detect or remove malware, hijackers, parasites or Trojans, and most anti-virus programs can't either. So, you need to run the programs that have the correct definitions to find and remove them.
Download the following programs from another machine if necessary, then copy to the affected machine, install and run them. Run the HJT again in Safe Mode and post the log to the forums to let the experts recheck it for you.
Another thing, some variants of malware can replicate themselves repeatedly if they are not removed properly.
Run this one first:
BHODemon - Free-
http://www.definitivesolutions.com/bhodemon.htm
then run these in Safe Mode, as well as HJT:
CWShredder: Free
http://www.majorgeeks.com/download4086.html
About:Buster - Free
http://www.majorgeeks.com/download4289.html
http://www.atribune.org/downloads/AboutBuster.zip
AdAware SE - Free
http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button
Update before running to be sure it has the latest definitions. It does not come updated.
Also, if you have any 3rd party toolbars such as Google or Yahoo, disable them. If you have Yahoo Companion uninstall it.
Look in the Add/Remove Programs and see if there is anything there that you did not install. If so, uninstall it.
Hope this helps
Jan

:
Hi Bob
Hi Jan,
Thank you for the hijack this suggestion...I did download and run it but unfortunately it didn't find anything. So the problem persists. I've cleaned cache, temp & temp internet files...history too. I've defragged all with no help. I've disabled the firewall and anti-virus...checked my router & DSL modem all with no help...What else could be causing this problem.
When I click download the download box comes right up and the little file folder starts moving like it should but it just sits there sometimes after a few minutes it will start downloading but then pauses again or it downloads at some ridiculously slow speed like 1.2 kbps. Downloads that used to take less than a minute now can take up to an hour.
Any help anyone has would be greatly appreciated.
There are some things that can get changed by something and just don't work as they should. If you have not already done so, try doing a repair of your system and see if it helps: Here are the instructions for properly repairing the W2K if you need them:
How To Repair Windows 2000
Windows 2000 step by step repair instructions:
http://www.windowsreinstall.com/install/win2k/repairw2k/page1.htm
How to perform an "in place upgrade" or system repair.
http://www.techspot.com/vb/showthread.php?threadid=8356
How to perform an in place upgrade or 2000 system repair.
http://www.techspot.com/vb/showthread.php?threadid=8356
Difference between Manual and Fast repair
http://support.microsoft.com/?kbid=238359
You only need to uninstall those Service Packs that were installed *after* installing IE6. You will have to go to the Windows Update and reinstall all the necessary updates after the reinstall.
Hope this helps
Jan

:
Hi Bob
One other thing you might try is HiJackThis. It is possible that there is some type of malware or other 3rd party software on your system that is causing the problem, if it is not that you are limited by the speed available through the site you are connected to for the download.
If there is anything adverse on your system, HJT will be able to define it and the experts on the forum will be able to advise you of any corrective action that might be necessary. The HJT program should be run in Safe Mode for best results:
How to download and install HiJackThis:
http://www.bleepingcomputer.com/forums/topict309.html
Please DO NOT post your log to this newsgroup, but to the HiJackThis Support Forums below:
http://www.hijackthis.de/forum/forumdisplay.php?f=10&guestlanguageid=4
the AumHa HiJackThis Forum
http://forum.aumha.org/viewforum.php?f=30
or Bleeping Computer Forum
http://www.bleepingcomputer.com/forums/forum22.html
to allow the experts there to evaluate your log and advise you of any necessary steps to clean your system.
(Note: You will have to Register before posting on these Forums. Please follow all posting instructions carefully to avoid having your log deleted or ignored.)
Hope this helps
Jan

I have a program that cleans temp files, cache, history etc on a daily basis...I've also run spybot search and destroy, ad-aware & cwshredder but the problem persists...Any other suggestions? Bob
:
Hi Bob
Try clearing your Temporary Internet Files and see if that helps:
Safely Delete the Temporary Internet Files
http://www.mvps.org/winhelp2002/delcache.htm
Hope this helps
Jan

I recently started having the problem when I try to download a file the download box opens and it says it's downloading but it sometimes takes 3 or 4 minutes before it actually starts to download...Also sometimes it will download only part of a file and just stop in the middle...the download box stays open and it says it's downloading but nothing is happening. I am running windows 2000 and have a DSL connection. I am on internet explorer 6.0 sp2. Why is this happening and how can I correct the problem?
Any help would be greatly appreciated.
Thanks Bob
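
Added example (not part of the original thread and not HijackThis code): a small parser for a log in the layout posted in this thread. It rejoins entries that were hard-wrapped in transit, groups them by section code, and inventories the O4 Run-key autoruns and the download hosts of O16 DPF entries for review. The function names and the two `example.com`-style DPF entries are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample in the layout of the posted log, including hard wraps.
# The two O16 entries (CLSIDs, host, paths) are made up for illustration.
SAMPLE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\Explorer.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example
Class) -
http://downloads.example.com/control.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} -
C:\Program Files\Example\local.dll
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")         # "O4 - ...", "R1 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
DPF = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\}).* - (\S.*)$")

def parse_hjt(text):
    """Return {section_code: [entry, ...]} with wrapped lines rejoined."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            current = m.group(1)
            sections[current].append(m.group(2))
        elif current and line:
            sections[current][-1] += " " + line  # wrapped continuation
        else:
            current = None  # header line or blank line: not part of an entry
    return dict(sections)

def autoruns(sections):
    """(hive, value name, command) for each O4 Run-key entry."""
    return [m.groups() for m in map(RUN.match, sections.get("O4", [])) if m]

def dpf_sources(sections):
    """(CLSID, download host or None for a local file) for each O16 entry."""
    out = []
    for m in filter(None, map(DPF.match, sections.get("O16", []))):
        clsid, src = m.groups()
        host = urlparse(src).hostname if src.lower().startswith("http") else None
        out.append((clsid, host))
    return out
```

The output is only an inventory; deciding whether an entry is unwanted still takes the kind of expert review the forums above provide.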