computer slow with popups

WingaWinga Mr South Africa Icrontian
edited March 2006 in Spyware & Virus Removal
Hi Guys

My pa's computer is running very slowly. I suspect it is infected with spyware which the usual tools are unable to detect.
Herewith my hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 09:30:17 AM, on 27 February 2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\folding\FAH502-Console.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\slserv.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\folding\FahCore_78.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\anti_troj.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
C:\WINDOWS\system32\anti_troj.exe
C:\Documents and Settings\ShaheedaP\Application Data\m\muk.exe
C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
C:\TempBias\DropZone.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\SHAHEE~1\LOCALS~1\Temp\~162.exe
C:\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [firewall_anti] C:\WINDOWS\firewall_anti.exe
O4 - HKLM\..\Run: [auto__hloader__key] C:\WINDOWS\system32\hloader_exe.exe
O4 - HKLM\..\Run: [auto__antiav__key] C:\WINDOWS\system32\antiav_exe.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKCU\..\Run: [auto__hloader__key] C:\WINDOWS\system32\hloader_exe.exe
O4 - HKCU\..\Run: [auto__antiav__key] C:\WINDOWS\system32\antiav_exe.exe
O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
O4 - HKCU\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
O4 - HKCU\..\Run: [sysformat] C:\WINDOWS\system32\sysformat.exe
O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\ShaheedaP\Application Data\m\muk.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - Startup: DropZone.lnk = C:\TempBias\DropZone.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Manengine.lnk = ?
O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HibiscusSA.local
O17 - HKLM\Software\..\Telephony: DomainName = HibiscusSA.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HibiscusSA.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HibiscusSA.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: FAH@C:+folding+FAH502-Console.exe - Stanford University - C:\folding\FAH502-Console.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


Please look into it and let me know what steps I must take.

Comments

  • SpywareShooter 127.0.0.1
    edited February 2006
    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
    O4 - HKLM\..\Run: [firewall_anti] C:\WINDOWS\firewall_anti.exe
    O4 - HKLM\..\Run: [auto__hloader__key] C:\WINDOWS\system32\hloader_exe.exe
    O4 - HKLM\..\Run: [auto__antiav__key] C:\WINDOWS\system32\antiav_exe.exe
    O4 - HKLM\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
    O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
    O4 - HKCU\..\Run: [auto__hloader__key] C:\WINDOWS\system32\hloader_exe.exe
    O4 - HKCU\..\Run: [auto__antiav__key] C:\WINDOWS\system32\antiav_exe.exe
    O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
    O4 - HKCU\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
    O4 - HKCU\..\Run: [sysformat] C:\WINDOWS\system32\sysformat.exe
    O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
    O4 - HKCU\..\Run: [mule_st_key] C:\Documents and Settings\ShaheedaP\Application Data\m\muk.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...rch.jhtml?p=ZS

    [STEP 2] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\WINDOWS\system32\winshost.exe
    C:\WINDOWS\firewall_anti.exe
    C:\WINDOWS\system32\hloader_exe.exe
    C:\WINDOWS\system32\antiav_exe.exe
    C:\WINDOWS\system32\winlog.exe
    C:\WINDOWS\system32\anti_troj.exe
    C:\WINDOWS\system32\wintems.exe
    C:\WINDOWS\system32\sysformat.exe

    [STEP 3] Remove Malicious Folders:
    Locate the following folders using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\PROGRAM FILES\MYWEBSEARCH\

    [STEP 4] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • WingaWinga Mr South Africa Icrontian
    edited February 2006
    Thanks SS

    I have removed the entries as requested. Some of them had to be removed in safe mode :(

    Herewith new log:

    Logfile of HijackThis v1.99.1
    Scan saved at 03:10:24 PM, on 28 February 2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\folding\FAH502-Console.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\folding\FahCore_82.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Logiman\ManEngine.exe
    C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
    C:\TempBias\DropZone.exe
    C:\Logiman\mdNitsuko_DXE.exe
    C:\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
    O4 - HKCU\..\Run: [sysformat] C:\WINDOWS\system32\sysformat.exe
    O4 - Startup: DropZone.lnk = C:\TempBias\DropZone.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Manengine.lnk = ?
    O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HibiscusSA.local
    O17 - HKLM\Software\..\Telephony: DomainName = HibiscusSA.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HibiscusSA.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HibiscusSA.local
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: FAH@C:+folding+FAH502-Console.exe - Stanford University - C:\folding\FAH502-Console.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

    Thanks
  • SpywareShooter 127.0.0.1
    edited February 2006
    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL (file missing)
    O4 - HKCU\..\Run: [sysformat] C:\WINDOWS\system32\sysformat.exe

    [STEP 2] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\WINDOWS\system32\sysformat.exe

    [STEP 3] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • WingaWinga Mr South Africa Icrontian
    edited March 2006
    Herewith my new log file.

    I have noticed that a few of the malicious files I removed previously are back!!

    Logfile of HijackThis v1.99.1
    Scan saved at 08:53:59 AM, on 02 March 2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\folding\FAH502-Console.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\folding\FahCore_82.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\system32\winlog.exe
    C:\WINDOWS\system32\anti_troj.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
    C:\WINDOWS\system32\winlog.exe
    C:\WINDOWS\system32\anti_troj.exe
    C:\Logiman\ManEngine.exe
    C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
    C:\TempBias\DropZone.exe
    C:\Logiman\mdNitsuko_DXE.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    P:\WINBIAS\bias.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKLM\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
    O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
    O4 - HKCU\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
    O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
    O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
    O4 - Startup: DropZone.lnk = C:\TempBias\DropZone.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Manengine.lnk = ?
    O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HibiscusSA.local
    O17 - HKLM\Software\..\Telephony: DomainName = HibiscusSA.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HibiscusSA.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HibiscusSA.local
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: FAH@C:+folding+FAH502-Console.exe - Stanford University - C:\folding\FAH502-Console.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
  • SpywareShooter 127.0.0.1
    edited March 2006
    [STEP 1] Fix HijackThis Entries:
    Fix the following entries with HijackThis by placing checkmarks in the boxes next to them and clicking "Fix Checked".

    O4 - HKLM\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
    O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
    O4 - HKCU\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
    O4 - HKCU\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
    O4 - HKCU\..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe
    O4 - Startup: DropZone.lnk = C:\TempBias\DropZone.exe

    [STEP 2] Remove Malicious Files:
    Locate the following files using Windows Explorer (the My Computer icon or shortcut) and delete them from your computer.

    C:\WINDOWS\system32\winlog.exe
    C:\WINDOWS\system32\anti_troj.exe
    C:\WINDOWS\system32\wintems.exe
    C:\TempBias\DropZone.exe

    [STEP 3] Report Back to us:
    Once you have followed all of the steps above please reboot your computer and post a new HijackThis log.
  • WingaWinga Mr South Africa Icrontian
    edited March 2006
    Herewith my latest log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 08:59:46 AM, on 06 March 2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\folding\FAH502-Console.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\RealVNC\WinVNC\WinVNC.exe
    C:\folding\FahCore_7a.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sharp\Sharpdesk\SharpTray.exe
    C:\Logiman\ManEngine.exe
    C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
    C:\TempBias\DropZone.exe
    C:\Logiman\mdNitsuko_DXE.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    P:\WINBIAS\bias.exe
    C:\Logiman\ManClient.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.news24.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SharpTray] "C:\Program Files\Sharp\Sharpdesk\SharpTray.exe"
    O4 - Startup: DropZone.lnk = C:\TempBias\DropZone.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Manengine.lnk = ?
    O4 - Global Startup: Start Network Scanner Tool.lnk = C:\Program Files\Sharp\Sharpdesk\sdFTP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HibiscusSA.local
    O17 - HKLM\Software\..\Telephony: DomainName = HibiscusSA.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HibiscusSA.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HibiscusSA.local
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: FAH@C:+folding+FAH502-Console.exe - Stanford University - C:\folding\FAH502-Console.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


    Please note that the following entry is not a malicious file: C:\TempBias\DropZone.exe

    Thanks
  • WingaWinga Mr South Africa Icrontian
    edited March 2006
    Hi SS

    Will you be able to tell me if the computer is clean, or whether there is anything else that needs removing?
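The 2 March log above shows O4 entries that had been fixed on 28 February coming back, which is the signal that the fix removed the autostart without removing whatever re-creates it. The script below is an added example, not code from the thread or from HijackThis: it parses the O4 autostart lines and the Running processes section of successive logs, reports entries that vanished after a fix and then reappeared, and flags autostart entries whose executable is currently running. The three log excerpts are constructed from lines quoted in the thread.

```python
"""Track HijackThis O4 autostart entries across successive logs.
Added example, not from the thread; the log excerpts below are constructed
from lines the thread quotes (27 Feb, 28 Feb and 2 Mar 2006)."""
import re

# O4 shapes:  O4 - HKLM\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
#             O4 - Startup: DropZone.lnk = C:\TempBias\DropZone.exe
O4_RE = re.compile(r"^O4 - [^:]+: (?:\[[^\]]*\] )?(?P<target>.+)$")

LOG_FEB27 = r"""
Running processes:
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\anti_troj.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
O4 - Startup: DropZone.lnk = C:\TempBias\DropZone.exe
"""
LOG_FEB28 = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - Startup: DropZone.lnk = C:\TempBias\DropZone.exe
"""
LOG_MAR02 = r"""
Running processes:
C:\WINDOWS\system32\winlog.exe
C:\WINDOWS\system32\anti_troj.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [key2] C:\WINDOWS\system32\winlog.exe
O4 - HKLM\..\Run: [anti_troj] C:\WINDOWS\system32\anti_troj.exe
O4 - Startup: DropZone.lnk = C:\TempBias\DropZone.exe
"""

def executable_of(target):
    """Extract the launched executable (lower-cased) from an O4 target."""
    if " = " in target:               # shortcut form: Foo.lnk = C:\dir\foo.exe
        target = target.split(" = ", 1)[1]
    if target.startswith('"'):        # quoted path, possibly followed by args
        return target[1:target.index('"', 1)].lower()
    m = re.match(r".+?\.exe", target, re.IGNORECASE)
    return (m.group(0) if m else target).lower()

def parse_log(text):
    """Return (running_processes, {o4_line: executable}) for one log."""
    processes, autostarts, in_procs = set(), {}, False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_procs = False
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.add(line.lower())
        elif (m := O4_RE.match(line)):
            autostarts[line] = executable_of(m.group("target"))
    return processes, autostarts

def live_autostarts(text):
    """O4 entries whose executable also appears in the running-process list."""
    procs, autostarts = parse_log(text)
    return {line for line, exe in autostarts.items() if exe in procs}

def returning_entries(logs):
    """O4 lines present, then absent, then present again in later logs."""
    seen = [set(parse_log(t)[1]) for t in logs]
    return {line for line in set().union(*seen)
            if re.search("TF+T", "".join("T" if line in s else "F" for s in seen))}
```

Calling `returning_entries([LOG_FEB27, LOG_FEB28, LOG_MAR02])` on the excerpts returns the `key2` and `anti_troj` Run entries, and `live_autostarts(LOG_MAR02)` confirms both are running again.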