PC slowing down

natasha5417 · #11 (**permalink**) 29-09-2005, 05:41 AM

Neil hi,

the link to the Panda scan just never opens but I've done the Bitdefender scan and here are the results. Will reboot and do a hijack this and post as well.

BitDefender Online Scanner

Scan report generated at: Thu, Sep 29, 2005 - 01:46:13

Scan path: A:\;C:\;D:\;E:\;

Statistics

Time
02:57:12

Files
543209

Folders
14091

Boot Sectors
4

Archives
2814

Packed Files
55264

Results

Identified Viruses
6

Infected Files
13

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
8

Engines Info

Virus Definitions
213150

Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins
13

Archive plugins
39

Unpack plugins
4

E-mail plugins
6

System plugins
1

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;cl ass;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xl a;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp ;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cm d;bas;

Exclude Extensions

Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\Documents and Settings\Administrator\Recent\msmgmctl.exe.lnk=>C: \WINNT\system32\msmgmctl.exe
Infected with: Backdoor.RBot.ACT

C:\Documents and Settings\Administrator\Recent\msmgmctl.exe.lnk=>C: \WINNT\system32\msmgmctl.exe
Disinfection failed

C:\Documents and Settings\Administrator\Recent\msmgmctl.exe.lnk=>C: \WINNT\system32\msmgmctl.exe
Deleted

C:\Documents and Settings\Administrator\Recent\msmgmctl.exe.lnk
Updated

C:\WINNT\javapanel.exe
Infected with: Backdoor.SDBot.931D5995

C:\WINNT\javapanel.exe
Disinfection failed

C:\WINNT\javapanel.exe
Delete failed

C:\WINNT\system32\eraseme_13324.exe
Infected with: Backdoor.SDBot.C56CD13C

C:\WINNT\system32\eraseme_13324.exe
Deleted

C:\WINNT\system32\eraseme_22761.exe
Infected with: Backdoor.SDBot.931D5995

C:\WINNT\system32\eraseme_22761.exe
Deleted

C:\WINNT\system32\eraseme_52813.exe
Infected with: Backdoor.SDBot.C56CD13C

C:\WINNT\system32\eraseme_52813.exe
Deleted

C:\WINNT\system32\eraseme_57430.exe
Infected with: Backdoor.SDBot.C56CD13C

C:\WINNT\system32\eraseme_57430.exe
Deleted

C:\WINNT\system32\eraseme_77734.exe
Infected with: Backdoor.SDBot.931D5995

C:\WINNT\system32\eraseme_77734.exe
Deleted

C:\WINNT\system32\eraseme_81853.exe
Infected with: Backdoor.SDBot.931D5995

C:\WINNT\system32\eraseme_81853.exe
Deleted

C:\WINNT\system32\msmgmctl.exe
Infected with: Backdoor.RBot.ACT

C:\WINNT\system32\msmgmctl.exe
Disinfection failed

C:\WINNT\system32\msmgmctl.exe
Delete failed

C:\WINNT\system32\remon.sys
Infected with: Trojan.Rootkit.Agent.AB

C:\WINNT\system32\remon.sys
Disinfection failed

C:\WINNT\system32\remon.sys
Delete failed

C:\WINNT\system32\winjava.exe
Infected with: GenPack:Backdoor.SDBot.8DD8C7F1

C:\WINNT\system32\winjava.exe
Disinfection failed

C:\WINNT\system32\winjava.exe
Delete failed

C:\WINNT\taskcntr.exe
Infected with: Backdoor.SDBot.C56CD13C

C:\WINNT\taskcntr.exe
Disinfection failed

C:\WINNT\taskcntr.exe
Delete failed

D:\backup\netvista.utilities\INSTALL.EXE=>(RAR Sfx o)=>EX1.EXE=>(RAR Sfx o)=>EXAMPLE3\APPACK\APPACK.EXE
Infected with: Win95.Radix.405.B

D:\backup\netvista.utilities\INSTALL.EXE=>(RAR Sfx o)=>EX1.EXE=>(RAR Sfx o)=>EXAMPLE3\APPACK\APPACK.EXE
Disinfection failed

D:\backup\netvista.utilities\INSTALL.EXE=>(RAR Sfx o)=>EX1.EXE=>(RAR Sfx o)=>EXAMPLE3\APPACK\APPACK.EXE
Deleted

D:\backup\netvista.utilities\INSTALL.EXE=>(RAR Sfx o)=>EX1.EXE=>(RAR Sfx o)
Update failed

natasha5417 · #12 (**permalink**) 29-09-2005, 06:46 AM

Neil hi.
Here is new hijack this log. Thanks a lot for your help and patience so far - really appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 06:28:13, on 29/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\JRun4\verity\k2\_nti40\bin\k2admin.exe
C:\WINNT\javapanel.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\winjava.exe
C:\JRun4\bin\jrunsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\JRun4\bin\jrun.exe
C:\MSSQL7\binn\sqlservr.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\taskcntr.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\gsicon.exe
C:\WINNT\system32\dslagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINNT\system32\winsass.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\MSSQL7\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\BT Broadband\Help\bin\mpbtn.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\System32\cidaemon.exe
D:\backup\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Microsoft Java Class - {6E28339B-7A2A-47B6-AEB2-46BA53782379} - C:\WINNT\system32\dllcache\java.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [GsiFinal] rundll32 gspndll.dll,postInstall final
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Cleanup] c:\program files\mcafee.com\shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Microsoft Windows WinSaSS Management] winsass.exe
O4 - HKLM\..\RunServices: [Microsoft Windows WinSaSS Management] winsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Microsoft Windows WinSaSS Management] winsass.exe
O4 - HKCU\..\RunServices: [Microsoft Windows WinSaSS Management] winsass.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Help.lnk = C:\Program Files\BT Broadband\Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\MSSQL7\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/16083780...p/RdxIE601.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1122495034437
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125165968156
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common...INIBrowser.CAB
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\JRun4\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\JRun4\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINNT\javapanel.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINNT\system32\winjava.exe
O23 - Service: Macromedia JRun Admin Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
O23 - Service: Macromedia JRun CFusion Server - Macromedia Inc. - C:\JRun4\bin\jrunsvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
O23 - Service: Print Spool Handler (Print Spooler) - Unknown owner - C:\WINNT\system32\spooler.exe (file missing)
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe

Neal · #13 (**permalink**) 29-09-2005, 09:11 PM

Hi,

Did you ever decide which anti-virus program you are going to use?

Make sure you can see hidden files/folders
In Windows XP
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
After you're cleaned, please "rehide" them again.

I need you to scan a file for me at a single file scanner to check to see if it is ok or bad:

I need you to submit file(s) to see if it(they) are infected or legit:--http://virusscan.jotti.org/

Files: 1. C:\WINNT\system32\winjava.exe

copy/paste the results for me back here please.

Go into Task Manager and end process on these files please by pressing(ctrl+alt+del) at the same time or do a search for task manager.

End process on these files:

javapanel.exe
taskcntr.exe
spooler.exe
netddesrv.exe

You have several bad services running on your computer follow instructions below and do it one at a time please.

Go to Start > Run and type in Services.msc then click OK

Click the Extended tab.

Scroll down until you find ECA
TASKESV
Print spool Handler
NetDDEsrv

Click once on the service to highlight it.one at a time, get rid of one then come back and get another one

Click Stop

Right-Click on the service.

Click on 'Properties'

Select the 'General' tab

Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box

From the drop-down menu, click on 'Disabled'

Click the 'Apply' tab, then click 'OK'

Next:

Please run HijackThis and click Config -> Misc Tools -> Delete an NT service. In the Delete window, type the service names above one at a time(only do one service at a time then come back and do another one) and press OK. OK any prompts, close HijackThis, and restart your computer. Do another one etc.

Scan with HJT again and put a check next to these items, making sure all browser windows are closed includeing this one so print this or create a new text document on desktop by right clicking an open area select new text document and save it to what ever you like. Now put a check next to these:

O23 - Service: ECA (cpanel) - Unknown owner - C:\WINNT\javapanel.exe
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINNT\system32\netddesrv.exe (file missing)
O23 - Service: Print Spool Handler (Print Spooler) - Unknown owner - C:\WINNT\system32\spooler.exe (file missing)
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe

Again make sure all browser windows are closed and click FIX

Reboot and post another HJT log please.