Computer extremely slow - can you please help tell me what's wrong?

Hello, I have run HijackThis and below is my log:

Logfile of HijackThis v1.98.0
Scan saved at 18:20:39, on 02/03/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 SP1 (5.50.4522.1800)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\PROGRAM FILES\PREVIEW ADSERVICE\PREVADSERV.EXE
C:\PROGRAM FILES\PLAXO\2.1.0.80\INSTALLSTUB.EXE
C:\WINDOWS\SMSS.EXE
C:\PROGRAM FILES\PREVIEW ADSERVICE\PREVADKEEP.EXE
C:\UNZIPPED\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/togetherinternet
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Together with 24/7 Internet
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_5_7_0.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar.dll
O4 - HKLM\..\Run: [SystemTray] systray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\SVCHOST.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [Preview AdService] C:\PROGRAM FILES\PREVIEW ADSERVICE\PREVADSERV.EXE
O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM\..\RunServices: [WinVNC4] "C:\PROGRAM FILES\REALVNC\VNC4\WINVNC4.EXE" -noconsole -service
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Service Manager] C:\WINDOWS\smss.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\unzipped\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\WINDOWS\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/togetherinternet
O16 - DPF: {200B9822-FDDD-4635-A8A4-066AC69ECF8A} ({200B9822-FDDD-4635-A8A4-066AC69ECF8A}) - http://gateway.ptssa.net/ws/ws.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by22fd.bay22.hotmail.msn.com/...s/MsnPUpld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {38578BF0-0ABB-11D3-9330-0080C6F796A1} (Create & Print ActiveX Plug-in) - http://di.imgag.com/imgag/cp/install/AxCtp.cab
O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/release/PlaxoInstall.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-18.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Do...ridge-c282.cab
O21 - SSODL: Linkaut - {D483EC80-4A8D-11D9-AEE4-444553540000} - C:\WINDOWS\SYSTEM\engkey.dll

Can anyone please tell me which files to remove, if any? Many thanks, Nicole
Re: Computer extremely slow - can you please help tell me what's wrong?

It looks like you have two antivirus programs, McAfee and AVG, running at the same time, which can really slow down a computer. One of them needs to be removed. Personally I like AVG much better than McAfee. Whichever one you keep, make sure it is up to date.

Darrin Seats
Cornerstone Computing
http://www.cs-computing.biz
Re: Computer extremely slow - can you please help tell me what's wrong?

Thanks Darrin... I really appreciate your help! I have removed McAfee as suggested, and kept AVG. I still feel something 'isn't quite right'. Can you see anything else that looks sinister in the HJT log file? When I type in www.trinitigiftshop.com (an online store I run), the following appears in my URL bar: http://uk.search.yahoo.com/search?fr...ftshop.com&y=y

It's as though something has hijacked my browser. What do I do - help??!
Re: Computer extremely slow - can you please help tell me what's wrong?

Darrin, I found this information on the net with regards to uk.search.yahoo.com (which I feel is hijacking my browser). Can you interpret for me what this person is saying? (I'm wondering how I remove any corrupt files, as I'm not a real techie.) Thanks for any help!
Re: Computer extremely slow - can you please help tell me what's wrong?

Sorry - here's the info on uk.search.yahoo.com:

VBS.QHOSTS
Description Published: 01 October 2003
Description Modified: 11 January 2005

The information below provides details about this virus.

Threat Assessment
Wild: Low
Destructiveness: Medium
Pervasiveness: Very Low
Risk: None

Characteristics
Type: Trojan
Category: Win32
Also known as: BAT.Qhosts, JS.Qhosts, Win32.Qhosts, Win32.Qhosts.F, Win32.Qhosts.H, Win32.Qhosts.J, QHosts-1 (McAfee)

Immediate Protection Info (signature versions)
eTrust Antivirus 6x/v7* (InoculateIT Engine): 23.62.59
eTrust EZ Antivirus 6.1x: 6.0/4942
eTrust InoculateIT 6.0 / eTrust Antivirus 6.0: 23.62.59
Inoculan/InoculateIT 4.x: 44.59
Vet Anti-Virus 10.5x: 10.5x/4942
Vet Anti-Virus 10.6x: 10.61.4942
* Includes updates for InoculateIT and eTrust InoculateIT 6.0.

Description
VBS.Qhosts is a trojan that attempts to redirect Internet domain names, mainly for intercepting queries to search engine web pages such as www.google.com. The trojan is loaded from a web page, which exploits a vulnerability in Microsoft Internet Explorer to run script with unrestricted access to the system. The vulnerability is addressed in the following Microsoft security bulletin and associated cumulative patch: http://www.microsoft.com/technet/sec...n/MS03-040.asp

Once the malicious script is executed, the trojan will drop a file called AOLFIX.EXE into the Windows temporary directory. It then creates a batch file that will proceed to execute AOLFIX.EXE and delete it after the execution. AOLFIX.EXE is a batch file compiled into a Windows binary executable by the "bat2exe" utility. Once run it will check if a file called %windows%\winlog exists. If it does, the trojan does nothing and will exit. If the "winlog" file is not found the trojan tries to modify the following registry keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP\
"EnableDNS"="1"
"NameServer"="69.57.146.14,69.57.147.175"
"HostName"="host"
"Domain"="mydomain.com"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\
"ProxyEnable"=dword:00000000
"MigrateProxy"=dword:00000000

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\
"Use Search Asst"="no"
"Search Page"="http://www.google.com"
"Search Bar"="http://www.google.com/ie"

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL\
""="http://www.google.com/keyword/%%s"
"provider"="gogl"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\
"SearchAssistant"="http://www.google.com/ie"

These settings will make an affected system use the IP addresses 69.57.146.14 and 69.57.147.175 as its DNS servers. They also change the domain name to host.mydomain.com, disable any IE proxy, and set the IE search page to point to www.google.com. These DNS name servers are probably used to redirect name queries to servers run by the trojan's author.

The trojan then checks if %windows%\system32\drivers\etc\services exists. If it finds this file, it will proceed to modify the following registry keys (note that the presence of the "services" file generally indicates that the trojan is dealing with Windows 2000 or Windows XP):

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters
"DataBasePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\interfaces\windows
"r0x"="your s0x"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\interfaces\windows
"r0x"="your s0x"

The DataBasePath value is a unicode string, which redirects Windows to load the local hosts file from the directory %windows%\help, instead of the normal location %windows%\System32\drivers\etc. The trojan will also enumerate and modify every NameServer value found under HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces and HKLM\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces recursively to make sure that the DNS servers are set to 69.57.146.14 and 69.57.147.175 for every network interface present.

Next the trojan will modify the hosts file located in the %windows% directory so that the domain names of some popular search engines will resolve to the IP address 207.44.220.30.
The domain names are as follows:

If the trojan finds that the services file existed in %windows%\system32\drivers\etc, the hosts file will be placed inside the %windows%\help directory instead. The trojan will finally create the file %windows%\winlog as a marker and will exit.
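The write-up above describes three artefacts a responder can check for: a NameServer value pointing at the two rogue DNS addresses, a DataBasePath value that moves hosts-file lookup to %windows%\help, and hosts entries that sink many search-engine names at one IP. The Python below is an added checker for those artefacts, not code from the thread or from the vendor description; the hosts lines are constructed, while the DataBasePath hex string and the IP addresses are the ones quoted in the description.

```python
import ipaddress
from collections import defaultdict

# Indicators quoted in the VBS.Qhosts description above.
ROGUE_DNS = {"69.57.146.14", "69.57.147.175"}
ROGUE_HOSTS_IP = "207.44.220.30"
DEFAULT_DB_PATH = r"%SystemRoot%\System32\drivers\etc"

def decode_hex2(exported):
    """Decode a .reg 'hex(2):' (REG_EXPAND_SZ, UTF-16LE) byte list to text."""
    raw = bytes(int(b, 16) for b in exported.replace("hex(2):", "").split(","))
    return raw.decode("utf-16-le").rstrip("\x00")

def database_path_redirected(exported):
    """(True, path) if DataBasePath no longer points at the default drivers\\etc."""
    path = decode_hex2(exported)
    return path.lower() != DEFAULT_DB_PATH.lower(), path

def rogue_nameservers(value):
    """Return the known-bad DNS servers present in a comma-separated NameServer value."""
    return sorted({s.strip() for s in value.split(",")} & ROGUE_DNS)

def hosts_sinkholes(hosts_text, min_names=3):
    """Group hosts entries by IP; report non-loopback IPs that absorb several
    names, plus the specific rogue IP from the description regardless of count."""
    by_ip = defaultdict(set)
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 2:
            continue
        try:
            if ipaddress.ip_address(fields[0]).is_loopback:
                continue
        except ValueError:                        # not an IP, skip the line
            continue
        by_ip[fields[0]].update(fields[1:])
    return {ip: sorted(n) for ip, n in by_ip.items()
            if ip == ROGUE_HOSTS_IP or len(n) >= min_names}

# Constructed sample inputs (not taken from the poster's machine).
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
207.44.220.30 www.google.com google.com
207.44.220.30 uk.search.yahoo.com
207.44.220.30 search.msn.com
"""
SAMPLE_DB_PATH = ("hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,"
                  "6f,00,6f,00,74,00,25,00,5c,00,68,00,65,00,6c,00,70,00,00,00")

if __name__ == "__main__":
    print(database_path_redirected(SAMPLE_DB_PATH))
    print(rogue_nameservers("69.57.146.14,69.57.147.175"))
    print(hosts_sinkholes(SAMPLE_HOSTS))
```

On a real system the inputs would come from a `reg export` of the keys listed above and from whichever directory DataBasePath currently names, which is the point of checking that value first.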
Re: Computer extremely slow - can you please help tell me what's wrong?

Have you tried running Adaware and Spybot? Make sure they are updated and then run them from safe mode. You can get to safe mode by pressing F8 when the computer starts to boot.
Re: Computer extremely slow - can you please help tell me what's wrong?

In addition to Ad-Aware and Spybot, please do the following:

Go to Windows Update and get the Critical Updates for your system.
Get the latest version of HijackThis (currently 1.99.1).
Close all browser windows, scan with the updated HijackThis, and post the new log.
Re: Computer extremely slow - can you please help tell me what's wrong?

You have a worm and a trojan. Reboot into safe mode following the instructions here and navigate to and delete the following:

C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\smss.exe

Reboot normally after doing the above, rescan with HijackThis, then post that log here please.
©2003 - 2009 DaniWeb® LLC