Hello, I am trying to fix a friends laptop. He has updated NAV and run a full scan and it finds no infection, yet his CPU
is running constantly at 100% The .exe files that are taking all the resourses change constantly. xit95.exe, hiq2.exe,
GcgOLIcr.exe etc etc. I have a feeling this could be the BKDR Sandbox.A infection. Below is a log from Hijack this, can you please let me kinow which files to delete (or any other ideas what this could be)
Cheers
Logfile of HijackThis v1.97.7
Scan saved at 19:48:53, on 13/04/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.e
xe
C:\WINDOWS\system32\winlog
on.exe
C:\WINDOWS\system32\servic
es.exe
C:\WINDOWS\system32\lsass.
exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\System32\svchos
t.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spools
v.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2ev
xx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\atipta
xx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\TouchPad\TPT
ray.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey
.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\WINDOWS\System32\ezSP_P
x.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\docume~1\sambut~1\local
s~1\temp\K
Nv3b.exe
C:\docume~1\sambut~1\local
s~1\temp\p
TYGq.exe
C:\Program Files\ClearSearch\Loader.e
xe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\rundll
32.exe
C:\WINDOWS\uptodate.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\Save\Save.exe
C:\Program Files\WhenUSearch\Search.e
xe
C:\Program Files\AutoUpdate\AutoUpdat
e.exe
C:\Program Files\ClockSync\Sync.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\FinePixViewer\QuickD
CF.exe
C:\WINDOWS\System32\inmsdw
.exe
C:\WINDOWS\System32\Hiq2.e
xe
C:\WINDOWS\System32\Ebq69j
NP.exe
C:\Program Files\SysAI\SysAI.exe
C:\WINDOWS\System32\taskmg
r.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\SAM BUTLER\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Search Bar =
http://www.startium.com/metasearch.php?dst=DIST1R1 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Search Page =
http://www.findthewebsiteyouneed.comR0 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Start Page =
http://www.rleague.com/R0 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Start Page =
http://default-homepage-network.com/start.cgi?hklmR1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Search Bar =
http://server224.smartbotpro.net/7search/?hklmR1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Default_Page
_URL =
http://dial.blueyonder.co.uk/R0 - HKLM\Software\Microsoft\In
ternet Explorer\Search,SearchAssi
stant =
http://searchbar.findthewebsiteyouneed.comR0 - HKCU\Software\Microsoft\In
ternet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\In
ternet Explorer\Toolbar,LinksFold
erName =
O2 - BHO: IE Agent - {00000000-0000-0000-0000-0
0000000022
1} - C:\Program Files\Lycos\IEagent\CSIE.D
LL
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3
D4BF457D4C
8} - C:\Program Files\Lycos\Sidesearch\sid
esearch132
18.dll
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-7
86FA05C83A
B} - C:\Program Files\SysAI\AproposPlugin.
dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-7
84B7D6BE0B
3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEH
elper.ocx
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5
297EF71F44
3} - C:\WINDOWS\System32\stlbdi
st.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-F
ADC6B08487
2} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-0
0A0C908246
7} - C:\WINDOWS\System32\msdxm.
ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7
859DF00B1D
6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {2CF0B992-5EEB-4143-99C0-5
297EF71F44
4} - C:\WINDOWS\System32\stlbdi
st.DLL
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPT
ray.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey
.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_P
x.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EX
E /AUTORUN
O4 - HKLM\..\Run: [5I2qWA.exe] C:\docume~1\sambut~1\local
s~1\temp\5
I2qWA.exe
O4 - HKLM\..\Run: [KNv3b.exe] C:\docume~1\sambut~1\local
s~1\temp\K
Nv3b.exe
O4 - HKLM\..\Run: [pTYGq.exe] C:\docume~1\sambut~1\local
s~1\temp\p
TYGq.exe
O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.e
xe
O4 - HKLM\..\Run: [2ZQLKP#2WLSCTL] C:\WINDOWS\System32\VchsZQ
oq.exe
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-
5297EF71F4
44}] rundll32.exe C:\WINDOWS\System32\stlbdi
st.DLL,Dll
RunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [WhenUSave] C:\Program Files\Save\Save.exe
O4 - HKLM\..\Run: [WhenUSearch] C:\Program Files\WhenUSearch\Search.e
xe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdat
e.exe"
O4 - HKLM\..\Run: [inmsdw] C:\WINDOWS\System32\inmsdw
.exe
O4 - HKCU\..\Run: [ClockSync] C:\Program Files\ClockSync\Sync.exe /q
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickD
CF.exe
O6 - HKCU\Software\Policies\Mic
rosoft\Int
ernet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Mic
rosoft\Int
ernet Explorer\Control Panel present
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.
dll
O14 - IERESET.INF: START_PAGE_URL=
http://dial.blueyonder.co.uk/O16 - DPF: {8699D723-6DC6-47D3-B55C-4
89BA006B91
7} (WebInstall) -
http://dot-sandy18.cc-827043.namezero.com/nl/webinstall.cabO16 - DPF: {9F1C11AA-197B-4942-BA54-4
7A8489BB47
F} (Update Class) -
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37873.493275463O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
4455354000
0} (Shockwave Flash Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
