Solved

Virus - Starting IE takes too much resources

Posted on 2004-03-25
2,969 Views
Last Modified: 2010-04-12
I am running Windows 2000. When starting IE, too many resources are consumed, so that CPU and memory usage runs low. Is my PC affected by any viruses? Any fixes? Also, logging into the system takes too long right after rebooting.

Thanks in Advance.
Question by:namasi_navaretnam
10 Comments
 
LVL 67

Expert Comment

by:sirbounty
ID: 10682932
Check for Spyware:
  HijackThis --> http://www.spychecker.com/program/hijackthis.html
  Spybot-S&D --> http://www.safer-networking.org/
  Ad-Aware --> http://www.netsecurity.about.com/library/blfreespyware.htm
  Web Shredder --> http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

Check for Viruses with online scanners:
  Norton/Symantec --> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
  Trend Micro --> http://housecall.antivirus.com/housecall/start_corp.asp
  Panda ActiveScan --> http://www.pandasoftware.com/activescan/
  McAfee Security --> http://us.mcafee.com/root/mfs/default.asp
  Individual File Scanner --> http://www.kaspersky.com/remoteviruschk.html

Post the log from the first link (HJT) for further review...
0
 
LVL 15

Author Comment

by:namasi_navaretnam
ID: 10683236
Here is the log

Logfile of HijackThis v1.97.7
Scan saved at 7:49:04 PM, on 3/25/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\system32\starter.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
C:\Program Files\Common Files\InstallShield\DigitalWizard\dwMon.exe
C:\Program Files\Common Files\InstallShield\DigitalWizard\ISWizard.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\WINNT\Svchost.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\WINNT\System32\SahAgent.exe
C:\Program Files\Bargain Buddy\bin\bargains.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\n-CASE\msbb.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Forbes\ForbesAlerts.exe
C:\WINNT\System32\internat.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\Navnt\navapw32.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\PrecisionTime\PrecisionTime.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\RECOMM~1\v15\rh.exe
C:\Program Files\RBEnhance\rbenh.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?cxlow (obfuscated)
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\scbar\v2\scbar.dll
F0 - system.ini: Shell=explorer.exe winupdate.exe
F2 - REG:system.ini: Shell=explorer.exe winupdate.exe
O1 - Hosts: 1089288654 auto.search.msn.com
O1 - Hosts: 1089288654 auto.search.msn.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {00000762-3965-4A1A-98CE-3D4BF457D4C8} - C:\Program Files\Lycos\Sidesearch\sidesearch1311.dll
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\scbar\v2\scbar.dll
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_3_0.dll
O2 - BHO: Recommended Hotfix - {0421701D-CF13-4E70-ADF0-45A953E7CB8B} - C:\Program Files\Recommended Hotfix - 421701D\v15\RH.DLL
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hhU.dll
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINNT\3_0_1browserhelper3.dll
O2 - BHO: (no name) - {C8847EEA-72D6-11D4-AB4F-00B0D02332EE} - C:\PROGRA~1\COMMON~1\INSTAL~1\DIGITA~1\PHook.dll
O2 - BHO: Url Catcher - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin\apuc.dll
O2 - BHO: surebar Helper - {D3F01312-8A3D-4D41-A4FA-FB61D295CB6B} - C:\WINNT\System32\surebar.dll
O2 - BHO: (no name) - {FD09D03F-CCA6-522C-799E-AF24F307ED30} - C:\WINNT\system32\arbsriau.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_3_0.dll
O3 - Toolbar: Search Bar - {270B845C-712C-4773-BEE0-AE2D2001CD0F} - C:\WINNT\System32\surebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
O4 - HKLM\..\Run: [DigitalWizard Monitor] C:\Program Files\Common Files\InstallShield\DigitalWizard\dwMon.exe
O4 - HKLM\..\Run: [DigitalWizard] C:\Program Files\Common Files\InstallShield\DigitalWizard\ISWizard.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Canada] c:\program files\dialers\canada\canada.exe /noconnect
O4 - HKLM\..\Run: [SystemBoot] C:\WINNT\wer.exe
O4 - HKLM\..\Run: [SystemReg] C:\WINNT\Svchost.exe run
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [NCplDeamon] SVCH0ST.EXE
O4 - HKLM\..\Run: [windowsupdate] winupdate.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [rbenh ml744e] "C:\Program Files\RBEnhance\rbenh.exe"
O4 - HKLM\..\Run: [<H] c:\WINNT\System32\<HEAD>
O4 - HKLM\..\Run: [  <TITLE>Error</TI] c:\WINNT\System32\  <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [</H] c:\WINNT\System32\</HTML>
O4 - HKLM\..\Run: [<B] c:\WINNT\System32\<BODY>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINNT\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINNT\System32\
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINNT\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINNT\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</B] c:\WINNT\System32\</BODY>
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [SAHAgent] C:\WINNT\System32\SahAgent.exe
O4 - HKLM\..\Run: [Bargains] C:\Program Files\Bargain Buddy\bin\bargains.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINNT\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [SwimSuitNetwork] "C:\Program Files\SwimSuitNetwork\SwimSuitNetwork.exe" /H
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe
O4 - HKLM\..\Run: [ILOSVY] C:\WINNT\ILOSVY.exe
O4 - HKLM\..\Run: [SearchEnhancement] "C:\Program Files\scbar\v2\scbar.exe" /U
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\createcd.exe -r
O4 - HKLM\..\RunServices: [WebSiteServer] C:\WebSite\httpd32.exe
O4 - HKLM\..\RunServices: [SystemReg] C:\WINNT\Svchost.exe run
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SystemReg] C:\WINNT\Svchost.exe run
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [<H] c:\WINNT\System32\<HEAD>
O4 - HKCU\..\Run: [  <TITLE>Error</TI] c:\WINNT\System32\  <TITLE>Error</TITLE>
O4 - HKCU\..\Run: [</H] c:\WINNT\System32\</HTML>
O4 - HKCU\..\Run: [<B] c:\WINNT\System32\<BODY>
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINNT\System32\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [] c:\WINNT\System32\
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINNT\System32\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINNT\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
O4 - HKCU\..\Run: [</B] c:\WINNT\System32\</BODY>
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O4 - Global Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\Realdownload.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save to &DigitalWizard - C:\Program Files\Common Files\InstallShield\DigitalWizard\Menu
O9 - Extra button: Sidesearch (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: DigitalWizard (HKLM)
O9 - Extra 'Tools' menuitem: &DigitalWizard (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\\NPssView.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.greatplugin.com/diallerfiles/012970.exe
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://jobs.tntlogistics.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0FEBDCE8-1435-11D1-B8DA-00001C500B3F} (dwRotatePic.RotatePic) - http://www.desaware.com/Controls/dwrotpic.cab
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (FormFlow Form Control) - https://www.cbs.gov.on.ca/obra/forms/Codebase/FormCtl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {29CAC0B6-D6C2-4395-8289-BF3FBF27AD5F} (AInst Class) - http://209.47.15.72/inst/activeinstaller.dll
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06fa3d57297557c57e18/netzip/RdxIE601.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37957.8512731481
O16 - DPF: {A45F39DC-3608-4237-8F0E-139F1BC49464} - http://www.greatplugin.com/diallerfiles/014601.exe
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {B8AB2281-447F-482B-86E9-1F0ED5973637} - http://www.isurfplus.com/sure.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
O16 - DPF: {E3DB227E-CE9D-11D3-9740-00105A088F97} (InstallShield ZUICmd Control) - http://www.installshield.com/downloads/dw/DigitalWizard1790.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio4023.cab
O19 - User stylesheet: C:\WINNT\Web\tips.ini
O19 - User stylesheet: C:\WINNT\hh.htt (HKLM)

Thanks.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10683660
Uh...Wow.
Quite a bit here...

I'd suggest running the other spyware cleanup tools...update them first though.

I only went through the first few of these (there's A LOT).  
Here are some examples: (Highlight these from HJT and click Fix Checked)

C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe - (don't have a link, but believe this to be spyware as well)
C:\WINNT\System32\SahAgent.exe - http://www.liutilities.com/products/wintaskspro/processlibrary/sahagent/
C:\Program Files\Bargain Buddy\bin\bargains.exe - http://www.liutilities.com/products/wintaskspro/processlibrary/bargains/
C:\Program Files\Common Files\CMEII\CMESys.exe - http://www.liutilities.com/products/wintaskspro/processlibrary/CMESys/
C:\Program Files\Common Files\GMT\GMT.exe - http://www.liutilities.com/products/wintaskspro/processlibrary/GMT/
C:\Program Files\n-CASE\msbb.exe - http://www.liutilities.com/products/wintaskspro/processlibrary/msbb/
C:\PROGRA~1\ezula\mmod.exe - http://www.liutilities.com/products/wintaskspro/processlibrary/mmod/
R3 - URLSearchHook: WebSearch Class - {9368D063-44BE-49B9-BD14-BB9663FD38FC} - C:\Program Files\scbar\v2\scbar.dll - http://www.allentech.net/parasite/SCBar.html
O2 - BHO: (no name) - {00041A26-7033-432C-94C7-6371DE343822} - C:\Program Files\scbar\v2\scbar.dll - http://www.allentech.net/parasite/SCBar.html
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL - again, no link - but I'd clear this one

You could probably fix these as well...Maybe not 'harmful' but probable causes for your slowdown...
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchenhancement.com/searchbar/iev1.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.searchenhancement.com/nph-enhanced.cgi?affid=sesm&sstring=
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?cxlow (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?cxlow (obfuscated)
O1 - Hosts: 1089288654 auto.search.msn.com
O1 - Hosts: 1089288654 auto.search.msn.com
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com


These are suspicious - if you don't know what they are, you may consider removing them (or at least disabling them)
C:\Program Files\RBEnhance\rbenh.exe
C:\PROGRA~1\RECOMM~1\v15\rh.exe
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O2 - BHO: (no name) - {BCF96FB4-5F1B-497B-AECC-910304A55011} - C:\WINNT\hhU.dll
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - C:\WINNT\3_0_1browserhelper3.dll

Again, run the others: Spybot, Adaware, Cool Web Shredder.  Get those updated and clean up your system (run them all).
Then, repost the HJT log and we can review it again...

<Whew>  :D
0
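The triage sirbounty does by hand above can be scripted for a defender reviewing HijackThis output. This is an added example, not code from the thread or from the HijackThis tool: it parses a few constructed lines in the HijackThis 1.97 format (modelled on the entries quoted in this thread) and flags the patterns that stand out in this log, such as a look-alike svchost name, an HTML fragment where a program path should be, a chained Shell= line, a hosts-file override, and an ActiveX download point that is a bare .exe. The heuristics and the sample lines are my own assumptions, not HijackThis rules.

```python
import re

# Constructed sample: a few lines shaped like the HijackThis 1.97 entries quoted
# in this thread (not the full log), plus three benign lines for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SystemReg] C:\WINNT\Svchost.exe run
O4 - HKLM\..\Run: [NCplDeamon] SVCH0ST.EXE
O4 - HKLM\..\Run: [<H] c:\WINNT\System32\<HEAD>
F0 - system.ini: Shell=explorer.exe winupdate.exe
O1 - Hosts: 1089288654 auto.search.msn.com
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\bxxs5.dll
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.greatplugin.com/diallerfiles/012970.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
"""

# O4 registry autorun entry: hive key, [value name], command line
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run(?:Services)?): \[(.*)\] (.*)$")
# O2 BHO whose DLL sits directly in the Windows root rather than a program directory
WINROOT_DLL_RE = re.compile(r" - [A-Za-z]:\\WINNT\\[^\\]+\.dll$", re.IGNORECASE)


def first_token(command_line):
    """Program path at the head of an autorun command line, honouring quotes."""
    command_line = command_line.strip()
    if command_line.startswith('"') and '"' in command_line[1:]:
        return command_line[1:command_line.index('"', 1)]
    return command_line.split()[0] if command_line else ""


def check_run_entry(name, command_line):
    """Heuristics for O4 autorun values (assumed rules, not HijackThis's own)."""
    reasons = []
    exe = first_token(command_line)
    base = exe.rsplit("\\", 1)[-1].lower()
    if "<" in name or "<" in command_line or ">" in command_line:
        reasons.append("autorun target contains HTML markup, not a program path")
    if base == "svchost.exe" and "system32" not in exe.lower():
        reasons.append("svchost.exe outside System32")
    if base == "svch0st.exe":
        reasons.append("look-alike of svchost.exe (digit 0 for letter o)")
    return reasons


def check_line(line):
    """Return the list of reasons a single HijackThis line looks suspicious."""
    m = RUN_RE.match(line)
    if m:
        _hive, name, command_line = m.groups()
        return check_run_entry(name, command_line)
    if line.startswith(("F0 -", "F2 -")) and "Shell=" in line:
        shell = [s.lower() for s in line.split("Shell=", 1)[1].split()]
        if shell != ["explorer.exe"]:
            return ["extra program chained onto the Shell= line"]
    if line.startswith("O1 - Hosts:"):
        return ["hosts-file override redirects a name away from DNS"]
    if line.startswith("O16 - DPF:") and line.lower().endswith(".exe"):
        return ["ActiveX download point is a bare .exe rather than a .cab package"]
    if line.startswith("O2 - BHO: (no name)") and WINROOT_DLL_RE.search(line):
        return ["unnamed BHO loaded from the Windows root directory"]
    return []


def triage(log_text):
    """Return [(line, reasons)] for every line at least one heuristic fires on."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = check_line(line)
            if reasons:
                findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "\n    ->", "; ".join(reasons))
```

Entries the heuristics flag still need a human look before clicking Fix Checked; a clean line is not proof of a clean system, and a flagged line is a prompt to look the item up, as sirbounty did with the process-library links.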
 
LVL 15

Author Comment

by:namasi_navaretnam
ID: 10684083
sirbounty,

I scanned my PC using those utilities and removed suspicious ones. IE starts just fine now. But logging in after re-booting still takes too long. Any ideas?

Thanks for your help so far.
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10684189
Repost the log from HJT...there are other items to clear out - just wanted to get rid of the spyware first...
0
 
LVL 15

Author Comment

by:namasi_navaretnam
ID: 10684406
Here is the log file again.

Logfile of HijackThis v1.97.7
Scan saved at 12:07:52 PM, on 9/25/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\mdm.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
0
 
LVL 67

Accepted Solution

by:sirbounty (earned 500 total points)
ID: 10686529
Wow - what a difference, eh?
Have you also run the online virus scanners?  I saw at least 3 dialers there and would be concerned about 'what' home they were phoning....
Please try at least the first 3 from my first post.

Afterwards, run a scandisk of your system:
  Double-click My Computer, and then right-click the C drive
  Click Properties, and then click Tools.
  In Error-checking, click Check Now.  (You may be asked to reboot.  Expect this to take a while)
  ref: (http://support.microsoft.com/?kbid=156571)

Next, run a defrag of your drive:
  I always prefer booting into safe mode to run defrag...(http://www.microsoft.com/windows2000/en/server/help/boot_failsafe.htm)
  The procedures are as for scandisk, just run disk defragmenter instead.
  ref: (http://www.microsoft.com/windows2000/techinfo/administration/fileandprint/defrag.asp)

Lastly, go through this site to determine what services can be shut off or disabled to gain back wasted resources:
  http://www.blackviper.com/WIN2K/servicecfg.htm
0
 
LVL 15

Author Comment

by:namasi_navaretnam
ID: 10686701
Thanks for your help!!!

I am just going to accept your solution. I just have one more question if you could answer.

> I saw at least 3 dialers there and would be concerned of 'what' home they were phoning....

Not sure what you mean here. What is the name of the process?
0
 
LVL 67

Expert Comment

by:sirbounty
ID: 10686741
One was called canadadialer - can't seem to locate the other two in the first list though.
These programs download themselves on your system during web browsing.  Then they place themselves in your startup, much like a virus, and when you're sound asleep, they dial into a server using your internet connection.  Once connected, who knows what they'll do (some just report statistics, others may do more harm).

I'd highly recommend a good firewall for your system.  www.zonelabs.com has one called ZoneAlarm - the 'lite' version is free (the Pro version costs $), but it's a very good product.

Thanx for the points.  Take care.

~sirbounty
0
 
LVL 15

Author Comment

by:namasi_navaretnam
ID: 10686807
Thanks again, You da man!!!
0
