A HijackThis log

Discussion in 'Windows Desktop Systems' started by Heeter, Jan 29, 2004.

  1. Heeter

    Hi Guys,

    I pulled this off a Win2000Pro machine. Looks okay. Machine running very slowly, and the desktop has disappeared. What do you guys think:

    Logfile of HijackThis v1.97.7
    Scan saved at 9:36:37 AM, on 1/29/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Documents and Settings\Jen\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SoundMan] soundman.exe
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [Run32dll] c:\winnt\system32\taskmngr.exe
    O4 - HKLM\..\Run: [WebScan] C:\PROGRA~1\ACCELE~1\ANTI-V~1\DEFSCA~1.EXE -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [susp] C:\WINNT\susp.exe
    O4 - HKLM\..\Run: [AStart] C:\WINNT\AStart
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PGStub.exe] C:\Documents and Settings\Jen\dp-b23011805.exe
    O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Sidesearch (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'lsp.dll' missing
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {8D39C44E-F6AC-11D3-8D1E-00104B6DBF8D} (PIQPrint Class) - http://etoolbar01.photo.epson.com/Toolbar/client/plugins/ie/win32/x86/IEPIQPrintClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37427.7005902778
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    Heeter
     
  2. Enyo

    Remove:

    O4 - HKLM\..\Run: [susp] C:\WINNT\susp.exe

    O4 - HKLM\..\Run: [PGStub.exe] C:\Documents and Settings\Jen\dp-b23011805.exe

    If running (it's not at the moment), terminate dp-b23011805.exe from the task manager and delete it.

    Delete susp.exe.
     
  3. Heeter

    A great Thanks, Enyo.

    Heeter
     
  4. Heeter

    Well, we cleaned up the files mentioned above.

    Windows is still starting up with just the wallpaper.

    Any ideas? I know I am at a loss.

    Heeter
     
  5. Enyo

  6. Heeter

    Well, here is an updated log:

    The desktop is still missing on this machine:

    Logfile of HijackThis v1.97.7
    Scan saved at 5:52:08 PM, on 1/30/2004
    Platform: Windows 2000 SP1 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.00 (5.00.2920.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\WINNT\system32\svchost.exe
    C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\enternet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\explorer.exe
    C:\Documents and Settings\Jen\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {8D39C44E-F6AC-11D3-8D1E-00104B6DBF8D} (PIQPrint Class) - http://etoolbar01.photo.epson.com/Toolbar/client/plugins/ie/win32/x86/IEPIQPrintClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37427.7005902778
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab



    Really appreciate all help so far.

    Heeter
     
  7. LeeJend

    Isn't anyone else compelled to ask how ENYO knows these off the top of his head?
     
  8. GoNz0

    Dunno about the top of your head bit, but Google makes anyone look good :p
     
  9. Enyo

    I do Google some of it and check it on other sites, and also look up the BHOs I don't know in a database, but you do learn the common ones and can spot problems easily in HJT.

    Heeter, also:

    O4 - Startup: PowerReg SchedulerV2.exe

    And check the value of 'shell' under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
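
The triage Enyo applies above (flag Run entries launched from odd locations such as the Windows directory root or a user profile root, then confirm Winlogon's Shell value is the stock Explorer.exe) can be written down as a small script. This is an added example, not code from the thread or from HijackThis; the sample O4 lines are copied from the logs above, the location heuristic and the `review_reason`/`shell_value_is_default` names are my own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Sample O4 lines in HijackThis 1.97 format, copied from the logs above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [susp] C:\WINNT\susp.exe
O4 - HKLM\..\Run: [PGStub.exe] C:\Documents and Settings\Jen\dp-b23011805.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg SchedulerV2.exe
"""

# Matches registry Run entries only; Startup-folder O4 lines are skipped.
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

def split_command(cmd):
    """Return the executable path from a Run-value command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces: take everything up to the first '.exe'.
    m = re.match(r'(.+?\.exe)(\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def review_reason(path):
    """Heuristic (assumption): explain why a path deserves a look, or None."""
    parts = [s.lower() for s in PureWindowsPath(path).parts]  # ('c:\\', 'winnt', 'susp.exe')
    if len(parts) == 3 and parts[1] in ('winnt', 'windows'):
        return 'executable sits directly in the Windows directory, not System32'
    if len(parts) == 4 and parts[1] == 'documents and settings':
        return 'executable sits in the root of a user profile'
    return None

def triage(log_text):
    """Return [(name, path, reason)] for O4 Run entries worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = split_command(m.group('cmd'))
        reason = review_reason(path)
        if reason:
            findings.append((m.group('name'), path, reason))
    return findings

def shell_value_is_default(value):
    """True only if Winlogon's Shell value is the stock 'Explorer.exe'."""
    return value.strip().lower() == 'explorer.exe'

if __name__ == '__main__':
    for name, path, reason in triage(SAMPLE_LOG):
        print(f'[{name}] {path}: {reason}')
```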