Computer Behavior Slow

Discussion in 'adware, spyware & hijack cleaning' started by SWCS, Jun 2, 2004.

Thread Status:
Not open for further replies.
  1. SWCS

    SWCS Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    36
    Client claims computer behavior slow. Runs Ad-Aware frequently. I am a trainee in Spyware Info. The attached log is from client's computer. I see an lsass.exe, 3 cases of svchost.exe, a StartEAK.exe, plus two BHOs. Could you look over this log and see if you can find out what, if anything, needs to be deleted. Thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:57:29 AM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQInet.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\WINDOWS\System32\Smtray.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MemoryBlaster\MemoryBlaster.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.EXE
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Documents and Settings\Paul Breininger\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://69.50.184.52/find4u/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.184.52/find4u/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.184.52/find4u/sp.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://findloss.com/home.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://findloss.com/home.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://findloss.com/home.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://findloss.com/home.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.184.52/find4u/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://findloss.com/home.html
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Paul Breininger\Application Data\Mozilla\Profiles\default\kw8q00gx.slt\prefs.js)
    O1 - Hosts: 66.197.100.83 auto.search.msn.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_3.dll
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Smapp] Smtray.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [hpinstantsupport] "C:\Program Files\Hewlett-Packard\hpis\bin\matcliwrapper.exe" "C:\Program Files\Hewlett-Packard\hpis\" -boot
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MemoryBlaster] C:\Program Files\MemoryBlaster\MemoryBlaster.exe
    O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe -z
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Support (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
    O15 - Trusted Zone: scwmls.fnismls.com
    O16 - DPF: ImageUploader - http://www.assetval.com/app/ImageUploader.CAB
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Well I see a CWS infection!

    I'm not sure if we are allowed to answer your log, for all I know it could be one of your exam logs o_O

    Why do you post this here instead of SWI forum? Like trainee forum?

    Watch out, we all know each other; it's a small world underground here :)

    Well euhm, ask for a PV log, options 1 and 2; it might be system32.dll or another variant. svchost in the system32 folder is legit, as you should know, and the O1 hosts and O16 dialer entries need to go ASAP.

    Not every BHO is bad, and how could you miss that CWS infection!

    Hope I have not done anything wrong here

    Cheers,
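    As an added example (not from the thread and not HijackThis code), here is a small Python triage pass over the log format posted above. It flags the three kinds of entry the reply points to: R0/R1 search or start pages on a bare IP address, an O1 hosts redirect of a search-engine hostname, and an O16 ActiveX entry that pulls a raw .exe from a bare IP. The sample lines are copied from the log in post 1; the flagging rules are my own heuristics, assumed reasonable for a first read of a log, not rules HijackThis itself applies.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.184.52/find4u/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 66.197.100.83 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O16 - DPF: ImageUploader - http://www.assetval.com/app/ImageUploader.CAB
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://64.157.10.150/diallerfiles/013483.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Line shapes for the three HJT sections this triage looks at (own regexes).
R_LINE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.+)$")
O1_LINE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$")
O16_LINE = re.compile(r"^O16 - DPF: (?P<name>.+?) - (?P<url>\S+)$")


def host_is_bare_ip(url):
    """True when the URL's host is a literal IP rather than a DNS name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
    except ValueError:
        return False
    return True


def triage(log_text):
    """Return [(section, reason, line)] for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if (m := R_LINE.match(line)) and host_is_bare_ip(m["value"]):
            reasons.append("IE search/start page points at a bare IP address")
        elif (m := O1_LINE.match(line)) and not ip_address(m["ip"]).is_loopback:
            reasons.append(f"hosts file redirects {m['host']} to {m['ip']}")
        elif m := O16_LINE.match(line):
            if host_is_bare_ip(m["url"]):
                reasons.append("ActiveX download hosted on a bare IP address")
            if urlsplit(m["url"]).path.lower().endswith(".exe"):
                reasons.append("ActiveX entry downloads a raw .exe, not a .cab")
        if reasons:  # keep the section prefix (R1, O1, O16) for the report
            findings.append((line.split(" - ", 1)[0], "; ".join(reasons), line))
    return findings
```

Calling `triage(SAMPLE_LOG)` returns three findings, one each for the R1 search page, the O1 hosts entry and the O16 dialer download, while the Yahoo start page, the Acrobat BHO and the two .cab downloads pass through unflagged.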
     
  3. SWCS

    SWCS Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    36
    Didn't mean to alarm you. This is a genuine log. I couldn't log onto the SWI site (forums take forever to come up). Since I've posted HJTs here before, I decided to try this forum.

    "as you should know" and "how could you miss" - I'm new at this, a trainee. I know very little about HJT logs. But I'm willing to learn and I'm trying to learn. No. 1: so I won't have to bug you guys. No. 2: to help you guys out at some point in time.

    Thank you.
     
    Last edited: Jun 2, 2004
  4. SWCS

    SWCS Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    36
    I am finally getting into SWI and moving about the forums. You might as well consider this situation closed. SWCS
     
  5. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Ok, good luck

    Cheers,
     