rmpalmer52
asked on
Can someone analyze this HijackThis Log - Problem with a PC Ads Popping Up and Slow PC
My first post here at Experts-Exchange.
Trying to clean up a PC from one of the users at my company. I didn't want to reformat and reinstall operating system since it was purchased with software preinstalled.
I upgraded the operating system from Windows 98 to Windows XP - prior to upgrade the PC would give tons of messages about missing nonsensical .lnk shortcut files - thought at least getting it to XP would get rid of those which it did though I assume whatever is causing it is still on the PC. I did install latest upgrades of Windows XP.
The PC sits behind a SonicWall firewall and I checked for viruses with the McAfee VirusScan and also ran Stinger and FixBlast just in case.
I ran the following programs and their suggested fixes:
Ad-Aware 6.0 free edition
Webroot Spy Sweeper Registered version
Spybot Search & Destroy
XCleaner - Free version
Registry Mechanic - Registered version
After all this the PC is still running at a crawl after accessing Internet Explorer and a number of ads continue to pop up.
Here's HijackThis Log - hope you give me some pointers. This website has already been a help on other problems:
Logfile of HijackThis v1.97.7
Scan saved at 5:49:58 PM, on 5/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\myCIO\Agent\myAgtSvc.exe
C:\WINDOWS\myCIO\Agent\swAgent.exe
C:\WINDOWS\myCIO\VScan\McShield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\myCIO\Agent\myagttry.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINDOWS\SYSTEM32\MDM.EXE
C:\Documents and Settings\All Users\Documents\Rita 2004-03-30\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.dell.com/search/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.post-gazette.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {D537A3D0-8C07-4D62-953F-162207F5090D} - C:\WINDOWS\SYSTEM32\regsvrac32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [myCIO.com ASaP] C:\WINDOWS\myCIO\Agent\myagttry.exe
O4 - HKLM\..\Run: [myCIO.com Splash] C:\WINDOWS\myCIO\VScan\Splash.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /1
O4 - HKLM\..\RunOnce: [08a70r.exe] C:\WINDOWS\System32\08a70r.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/PopularScreenSaversInitialSetup1.0.0.6.exe
O16 - DPF: {40C83AF8-FEA7-4A6A-A470-431EE84A0886} (SecureObjectFactory Class) - http://virusscanasap.mcafeeasap.com/VS2/SonicWall/bin/myCioAgt.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38076.5617361111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Thanks.
ASKER
Thanks, jeremyrm. I checked the hosts file as you suggested. Nothing in it. 0kb size. I'm going to run a disk cleanup and disk defrag.
Appreciate if anyone sees anything in the original hijackthis log I posted. And any other ideas.
ASKER
Thank you, rossfingal - your suggestions seem to have fixed the problem. Love this site.
Hi!
Thanks!
Glad someone here could help you!
Let us know if you have any problems.
Thanks and good luck!
The location of the file is a little different depending on your version of XP. Follow the directions below based on which one pertains to your operating system.
For XP Home edition:
Go to C:\WINNT\System32\Drivers\
Inside you will find a hosts file. Right click the file and select "open".
At the next window choose the "select program from a list" option and hit "ok".
Choose notepad from the list.
When you have it open, it should only have "127.0.0.1 localhost" listed on one line; if there are others below this, then delete them. These are the DNS numbers of the pop up windows which are displayed every time you open your browser to connect to the internet.
For XP Professional:
Go to C:\WINDOWS\System32\Driver
Inside you will find a hosts file. Right click the file and select "open".
At the next window choose the "select program from a list" option and hit "ok".
Choose notepad from the list.
When you have it open, the file contents should be:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
If there is anything else listed below the line "127.0.0.1 localhost" then delete it. These are the DNS numbers of the pop up windows which are displayed every time you open your browser to connect to the internet.
In either case, after you are done you may want to make the file read only. To do this, right click the file and choose properties. At the next window there should be a read-only checkbox at the bottom.
Hope this helps..
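The hosts-file check described in the answer above can also be scripted. This is an added example, not part of the original answer: it lists every mapping other than a loopback entry for localhost so each one can be reviewed before deletion. The function name, the reason labels and the sample entries (example.test names, 203.0.113.10) are constructed for illustration.

```python
import ipaddress

# Assumption: "localhost" is the only name expected, as the answer states.
EXPECTED = {"localhost"}

# Constructed sample, not taken from the machine in this thread.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
127.0.0.1 ads.example.test        # points the name at this PC
203.0.113.10 search.example.test www.search.example.test
not-an-ip update.example.test
"""

def audit_hosts(text):
    """Return (line_no, address, name, reason) for each entry to review."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()
        addr, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, " ".join(names), "malformed address"))
            continue
        if not names:
            findings.append((line_no, addr, "", "address without host name"))
            continue
        # Loopback or 0.0.0.0 makes a name unreachable; anything else redirects it.
        local = ip.is_loopback or ip.is_unspecified
        for name in names:
            if ip.is_loopback and name.lower() in EXPECTED:
                continue  # the stock "127.0.0.1 localhost" (or ::1) entry
            reason = "sinkholed locally" if local else "redirected"
            findings.append((line_no, addr, name, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print("line %d: %s -> %s (%s)" % finding)
```

Entries reported as "sinkholed locally" are often block lists written by anti-spyware tools, while "redirected" entries send a name to another machine and deserve the closest look.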