AMD MP 2000's slow after getting internet, help!

schultzey11

Member
Nov 14, 2003
55
0
0
I recently got high speed internet, and my computer seems to be sluggish at times. I don't have any type of firewall set up, but am running norton anti-virus software. I have noticed bogus programs self-installing themselves without permission. I am able to remove the programs but not sure I am getting all as it seems some of them are smart and may be called "msupdate" or whatever, making me unsure if I should un-install. Normal virus scans do not detect anything. I have a dual processor system with AMD mp 2000's, 512mb crucial ram, and scsi, this thing should fly! It is also very slow at shut down and start up when saving and applying settings. What type of firewall do you recommend and where do I buy a high speed modem? Does anyone know of easy to use benchmark testing programs and where I might get them? I'd like to benchmark this rig to see how far off it is.
 

DetroitSportsFan

Senior member
Oct 19, 2004
374
0
0
Hey friend ..... you've been hijacked. It sounds like malware has invaded your system. Download HijackThis from the link in my sig. Be sure to install it in its own directory like C:\HijackThis. Don't leave it in the temporary directory because it makes back-ups we don't want to lose. Anyway, once you've got it installed properly, open it and run the scan. At this point don't do anything. Just save your results to a log. Then, paste your log in your next post. I'll take a look at it and help you clean things out.

 

schultzey11

Here it is,

Logfile of HijackThis v1.98.2
Scan saved at 8:58:16 PM, on 11/11/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\WINNT\sbnet\ShowBehind.exe
C:\PROGRA~1\Save\Save.exe
C:\WINNT\system32\UMonit2k.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\SED\SED.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchgateway.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchgateway.net/search/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [ShowBehind] C:\WINNT\sbnet\ShowBehind.exe
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINNT\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\UMonit2k.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINNT\Temp\TBuninst.exe /remove
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

 

DetroitSportsFan

Yes, I can see why your system isn't running right! You've got an adult dialer, hunt bar, and some other "nasties" slowing you way down. Actually, you've got a multitude of problems. This isn't going to be a one click fix. We'll get it though ..... but it may take several posts and multiple steps.

First thing I'm going to have you do is do some initial cleaning with spybot S&D. So, download it from HERE. Once you've downloaded it, and have it installed .... be sure to update ALL its definitions. Once it's updated, you'll want to close all your browser windows before you "scan for problems." Once the scan has completed, click the "fix" button and have it fix everything in red. If spybot asks to run on next boot .... give it permission and then reboot your system. When this is done, post another log. Spybot should do some of the "easy" cleaning for us .... shortening a few of our steps.

I'll be waiting for your next log ....

 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Not to cut to the chase too early, but I see he's got BargainBuddy on there. It's pretty resilient, judging from the episode I went through with a co-worker's computer (his home computer, I hasten to add!). It's automagically reinstalled by one or two Windows Services. I can tell you what I'd do, and that's Drop The Bomb On It? :evil: Reformat, reinstall, and get it right from the beginning this time :p But I'm just crazy like that ;)

*we now return you to your regularly-scheduled malware-removal thread* :)
 

DetroitSportsFan

To mechBgon:
Good evening! How are ya today ....


That's certainly ONE very effective way to fix it. But in the case he doesn't want to drop the bomb, we can still get it without the format/reinstall. You see, BargainBuddy and some of the other advanced malware use ActiveX to reinstall. What makes them difficult is that they use randomly generated BHO's and exe's and that can take several attempts to figure it all out.

We'll leave it in his hands though .... format/reinstall will be the easier route. However, if he has stuff he cannot afford to lose and no way to back it up .... then we have to go the manual removal route.

schultzey11

You make the call. Do we reformat/reinstall? mechBgon's got some very good ways that if you set it up properly the first time, you won't see this stuff ever again.

OR

Do we continue with the manual removal process?

Either way is fine with me. It's your choice.

 

schultzey11

I did the spybot and after that I have been having trouble getting on the internet. I had replied last time but just before I was able to post the internet took a crap. Forgive me if I'm short. I have two hard drives the 36gb scsi has my programs and os on it and the 120 gb is for backup. The os is 2000 sp4. I do video editing and have some files I need to save. I frequently transfer files from scsi drive to the larger regular one. It seems to take a while. The transfer rate figures to be around 16mb/s. The mode on the drive is ultra dma. Could these crap files have some influence on this? Would you recommend xp or 2000? I use pinnacle video editing software. This system has dual processors and thus far I haven't been impressed:(. I will check post tomorrow at my work. Thanks
 

mechBgon

Originally posted by: schultzey11
I did the spybot and after that I have been having trouble getting on the internet. I had replied last time but just before I was able to post the internet took a crap. Forgive me if I'm short. I have two hard drives the 36gb scsi has my programs and os on it and the 120 gb is for backup. The os is 2000 sp4. I do video editing and have some files I need to save. I frequently transfer files from scsi drive to the larger regular one. It seems to take a while. The transfer rate figures to be around 16mb/s. The mode on the drive is ultra dma. Could these crap files have some influence on this? Would you recommend xp or 2000? I use pinnacle video editing software. This system has dual processors and thus far I haven't been impressed:(. I will check post tomorrow at my work. Thanks

To start with, I happen to know that the trouble with getting onto the Internet stems from the half-removed BargainBuddy and its pals. Fire up Spybot again, click Mode > Advanced on the menu at the top, then go down to Tools and hit the BHOs. There are some BHOs that attempt to play middleman between you and the Internet in order to run your keystrokes through their search engine. If you remove them using Spybot, you should be able to browse normally until BargainBuddy comes along and reinstalls them.

 

mechBgon

(also, once you get the spyware beaten into submission, I can help with the possible SCSI problem. Maybe you just need to fix a termination problem or a non-compliant cable problem.)
 

DetroitSportsFan

If you are still having trouble with that after you've used spybot again, then download WinsockFix for windows 2000.

You're best off running it in safemode.

mechBgon and I had already been discussing the level of infestation in your winsock layer through the private message system. We were already aware of the potential for that to happen.

We may have different ideas on the best way to handle things .... but when you get to the nuts and bolts of these issues we're really on the same page! It's still your call. Manual fix or format/reinstall?


EDIT:
If you want to use manual removal, I'll need a new HijackThis log. However, it's late here and I'm likely not going to be able to put much more time into it tonight.
 

DetroitSportsFan

Originally posted by: schultzey11
I did the spybot and after that I have been having trouble getting on the internet. I had replied last time but just before I was able to post the internet took a crap. Forgive me if I'm short. I have two hard drives the 36gb scsi has my programs and os on it and the 120 gb is for backup. The os is 2000 sp4. I do video editing and have some files I need to save. I frequently transfer files from scsi drive to the larger regular one. It seems to take a while. The transfer rate figures to be around 16mb/s. The mode on the drive is ultra dma. Could these crap files have some influence on this? Would you recommend xp or 2000? I use pinnacle video editing software. This system has dual processors and thus far I haven't been impressed:(. I will check post tomorrow at my work. Thanks

First, your malware is affecting the way your system is running. Usually this junk isn't written to perform efficiently. It's written to accomplish its purposes .... to track your internet browsing and then to serve you pop-up ads. Therefore, memory leaks, stolen cpu cycles and other problems that make your system groan.

Second, SMP systems are NOT going to run "twice as good" as a one cpu system with the same speed. Using your rig for example, 2 x 2000 mp does not = 4000 speed. Part of the problem is because most of your mainstream software is not written to support SMP systems. Also neither win2000 nor winXP uses SMP efficiently, so you're taking another hit there. You're supposed to see better dual processor support in Longhorn ..... if it ever gets here.

Your scsi issues ..... we'll leave that part with mechBgon. I don't have a lot of scsi experience. What I can say is this .... you should certainly be getting better transfer rates than that! I can transfer files over my lan from one computer to another using IDE drives and get close to 50 Mbit transfer rates .... and one of the drives in that mix is a 5200 drive!

WinXP vs Win2000 .... that one's a bit tough. Granted, win2000 should run faster on your machine. However, some of those "extra bells and whistles" in XP are really nice to have. So, really it all depends! What's more important to you? The smaller fingerprint of 2000 which will run faster or the "extra stuff" ....

Well, bed time for me.


 

schultzey11

I will try to post another log tonight when I get home. I think as of right now I'd like to use total re-install as last option, I enjoy learning new things and like finding out what the problem is.
 

schultzey11

By the way, upon shutting down on several occasions after running spybot the computer seems to shut down much quicker:)
 

schultzey11

Here's the latest

Logfile of HijackThis v1.98.2
Scan saved at 4:55:17 PM, on 11/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
C:\WINNT\system32\UMonit2k.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\SED\SED.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\rundll32.exe
C:\Hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [PCLEPCI] C:\PROGRA~1\Pinnacle\PPE\ppe.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINNT\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\UMonit2k.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [SrchfstUpdate] C:\WINNT\srchupdt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
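
Comparing the two HijackThis logs entry by entry shows what the Spybot run removed and what persisted. This Python sketch is an added example, not part of any post in the thread; the function names are illustrative, and the embedded logs are excerpts of the two logs posted above.

```python
import re
from collections import Counter

# Excerpts of the thread's two HijackThis logs (before / after the Spybot S&D run).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchgateway.net/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [ShowBehind] C:\WINNT\sbnet\ShowBehind.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
"""
LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
"""

# Section code (R0, R1, O1 ... O16), then " - ", then the entry detail.
ENTRY = re.compile(r"^([RO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Count each (section, detail) entry; header and process lines are skipped."""
    entries = Counter()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[(m.group(1), m.group(2).strip())] += 1
    return entries

def diff_logs(before, after):
    """Return (removed, added, persisted) entry lists between two scans."""
    b, a = parse_entries(before), parse_entries(after)
    removed = sorted(k for k in b if k not in a)
    added = sorted(k for k in a if k not in b)
    persisted = sorted(k for k in b if k in a)
    return removed, added, persisted

def hosts_redirects(log_text):
    """Group O1 hosts-file entries by IP; several search hosts on one IP is the redirect pattern in the first log."""
    by_ip = {}
    for section, detail in parse_entries(log_text):
        if section == "O1" and detail.startswith("Hosts:"):
            ip, host = detail[len("Hosts:"):].split()
            by_ip.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}

if __name__ == "__main__":
    removed, added, persisted = diff_logs(LOG_BEFORE, LOG_AFTER)
    for label, items in (("REMOVED", removed), ("ADDED", added), ("PERSISTED", persisted)):
        for section, detail in items:
            print(f"{label:9} {section:3} {detail}")
    print("hosts still redirected:", hosts_redirects(LOG_AFTER))
```

The single added entry is Spybot's own SDHelper.dll, while the WinTools and BullsEye Run keys, the Winsock LSP files and one hosts redirect survive the scan.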
 

mechBgon

Could you also get a screen capture of all your Windows Services (Start > Settings > Control Panel > Administrative Tools > Services) and post that somewhere that we can view it?
 

DetroitSportsFan

Ok, looking through your log right now .... One question .... did you ever run winsockfix? If not, do it now please.

Your winsock layer is still infected.

 

DetroitSportsFan

Bump .... we're waiting for ya. Have you run winsockfix yet? Please do if you haven't .... and YES, disable wintools in services, it will only make our job easier. Let us know when you're back. I'll post your HJT fix once I know you've run winsockfix.

Otherwise, we might kill your internet connection!

 

DetroitSportsFan

Ok, I'm gonna be AFK for a while. If you haven't yet run winsockfix, please do it now. Otherwise, you stand a good chance of losing your internet connection ....

anyway...

here we go ..... You may want to either save this to notepad or print it out. We're going to want to boot into safemode to perform these fixes. So, let's reboot and then begin tapping your F8 key right after the post. Once you're in safemode, start up HijackThis again. This time, put a check beside the following entries. Double check to make sure you don't miss any.

O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q

Let's fix this activeX control too. There's no reason it needs to be installing anything without alerting you to it first.

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

Got those boxes checked? Click on the "fix it" button.

Then perform a search for the following files/folders:

C:\Program Files\Common Files\WinTools
C:\Program Files\SED\SED.exe

DELETE THEM

EDIT: Forgot to tell ya, empty your recycle bin

Reboot and post me one more HJT log please.
 

DetroitSportsFan

HijackThis alters the registry. Registry editing isn't a task I'd recommend for most. As for msconfig .... you CAN uncheck it from start-up, but I'm afraid it would come back since it's still on your system. These spyware writers have covered that .... it's unfortunately not that easy.