A friend has asked me to help him out with some problems he’s having accessing the Internet using IE as I have (a little) more of an idea about what I’m doing.
Basically whenever he tries to access the Internet the connection is extremely slow (he’s using DSL) and stops working completely after 2/3 minutes (sometimes a little more, sometimes a little less). An error message appears saying that IE “Cannot open the search page”.
I’ve run cwshredder, SpyBot and AdAware (in that order) but the problem persists. I’ve also run Winsock and another couple of spyware programmes (Spy Sweeper and Spyware Doctor) to no avail.
This is the Hijack log:
Logfile of HijackThis v1.98.2
Scan saved at 23:50:37, on 10/09/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\tvicon.exe
C:\Documents and Settings\Michael Rigby\Application Data\admu.exe
C:\Program Files\Spyware Doctor\spydoctor.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\Rar$EX00.871\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http ://www.example.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http ://www.example.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http ://www.example.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Windows Updater] winupdate.exe
O4 - HKLM\..\Run: [COM Services Update] service.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Windows Updater] winupdate.exe
O4 - HKLM\..\RunServices: [COM Services Update] service.exe
O4 - HKCU\..\Run: [Microsoft Windows Updater] winupdate.exe
O4 - HKCU\..\Run: [COM Services Update] service.exe
O4 - HKCU\..\Run: [TridentTVIcon] tvicon.exe
O4 - HKCU\..\Run: [Antl] C:\Documents and Settings\Michael Rigby\Application Data\admu.exe
O4 - HKCU\..\Run: [Olfc] C:\WINDOWS\System32\fgnqwwgr.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O4 - HKCU\..\RunServices: [COM Services Update] service.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk =?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.example.com/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http ://example.com/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6930135-6794-4B81-8BDF-668E4CB1E617}: NameServer = 62.241.160.200 158.43.240.3
Unfortunately, this is a bit beyond my PC knowledge so any advice you can give would be greatly appreciated.
Thanks in advance!
[edited by: BlobFisk at 1:28 pm (utc) on Sep. 13, 2004]
[edit reason] Examplified URLs [/edit]
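A triage helper for the kind of log posted above, added here as an example; it is not code from the thread and not part of HijackThis. It parses the O4 (autorun) and O17 (DNS) lines and flags entries that deserve a manual look: a bare filename with no directory, a program started from the user profile or a temp directory, a vowel-less name that looks generated, the same command registered under several autorun keys, and any custom name servers. The rules, the function names and the sample lines (written in the posted log's format, with the user directory replaced by a placeholder) are my own assumptions; a flag means "check this", not that the file is malicious.

```python
"""Triage helper for HijackThis-style logs (example code, not part of HijackThis).

Parses O4 (autorun) and O17 (DNS) lines and flags entries worth a manual look.
Every rule here is a heuristic: a flag means "investigate", not "malicious".
"""
import re

O4_RE = re.compile(r'^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.+)$')
EXE_RE = re.compile(r'(.*?\.(?:exe|dll|com|scr|bat))(?:\s|$)', re.I)

# Directories a legitimate service or driver helper would rarely start from.
PROFILE_DIRS = ('\\documents and settings\\', '\\temp\\')

# Constructed sample in the log's format; the user directory is a placeholder.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19
O4 - HKLM\..\Run: [COM Services Update] service.exe
O4 - HKLM\..\RunServices: [COM Services Update] service.exe
O4 - HKCU\..\Run: [COM Services Update] service.exe
O4 - HKCU\..\Run: [Antl] C:\Documents and Settings\SomeUser\Application Data\admu.exe
O4 - HKCU\..\Run: [Olfc] C:\WINDOWS\System32\fgnqwwgr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6930135-6794-4B81-8BDF-668E4CB1E617}: NameServer = 62.241.160.200 158.43.240.3
"""


def executable(cmd):
    """Return the program part of an autorun command, handling quoted and
    unquoted paths that contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else '')


def autorun_reasons(key, exe):
    """Heuristic review reasons for one autorun entry (assumed rules)."""
    reasons = []
    low = exe.lower()
    if '\\' not in exe:
        reasons.append('bare filename: resolved via PATH at logon, so its location is unknown')
    if any(d in low for d in PROFILE_DIRS):
        reasons.append('runs from a user-profile or temp directory')
    base = low.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if len(base) >= 6 and base.isalpha() and not set(base) & set('aeiouy'):
        reasons.append('filename looks generated (no vowels)')
    if 'runservices' in key.lower():
        reasons.append('RunServices is a Windows 9x/ME key; an entry there on XP is worth a look')
    return reasons


def triage(log_text):
    """Return a list of findings: dicts with line, kind, item and reasons."""
    findings, autoruns = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            autoruns.append((line, m['key'], m['cmd']))
        elif m := O17_RE.match(line):
            findings.append({'line': line, 'kind': 'dns', 'item': m['servers'].split(),
                             'reasons': ['confirm these resolvers are the ISP or router addresses']})
    # Count how many autorun keys reference the same program.
    seen = {}
    for _, _, cmd in autoruns:
        exe = executable(cmd).lower()
        seen[exe] = seen.get(exe, 0) + 1
    for line, key, cmd in autoruns:
        exe = executable(cmd)
        reasons = autorun_reasons(key, exe)
        if seen[exe.lower()] >= 3:
            reasons.append(f'same command registered under {seen[exe.lower()]} autorun keys')
        if reasons:
            findings.append({'line': line, 'kind': 'autorun', 'item': exe, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['kind'].upper(), f['item'])
        for r in f['reasons']:
            print('   -', r)
```

Run it against a saved log by passing the file's text to `triage()`; entries that produce no reasons (the printer driver line in the sample) are simply not reported, so the output is the short list to go and verify by hand.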
If the machine has previously been infected by any spyware or trojan, you might want to check the "hosts" file to see if there are any unusual entries for sites such as Google, Yahoo or MSN.
You will find the Windows XP hosts file here:
c:\winnt\system32\drivers\etc
Open it in Notepad, and you should see an entry saying something like:
127.0.0.1 localhost
You can leave that one, but any others, unless you have added them yourself, may be problematic. You can disable them line by line by adding a "#" (without the quote marks) at the beginning of each line, or if you're sure they shouldn't be there, you can delete them.
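The check the reply describes, as added example code (mine, not the replier's and not a Windows tool): it parses hosts-file content, keeps the localhost line, flags every other entry the owner did not add, notes whether a flagged line redirects a name to a non-loopback address (which sends the browser elsewhere rather than just blocking the site), and returns a copy with the flagged lines disabled by a leading "#". The sample content is constructed, and the `user_added` parameter is my own interface for the "unless you have added them yourself" exception.

```python
"""Audit a Windows hosts file (example code, not a Windows or forum tool).

Keeps the localhost line, flags any other mapping the user did not add, and
returns a copy with the flagged lines disabled by a leading '#'.
"""
import ipaddress

# Constructed sample hosts content; 192.0.2.0/24 is a documentation range,
# not anything observed on a real machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com
192.0.2.10      search.yahoo.com
127.0.0.1       ads.example.net   # added by the owner to block an ad host
"""


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each non-blank, non-comment line."""
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split('#', 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        yield n, parts[0], [h.lower() for h in parts[1:]]


def audit_hosts(text, user_added=()):
    """Return (report, rewritten_text).

    report: one dict per active line with 'line', 'ip', 'hosts', 'redirect'
    (True when the address is not loopback, i.e. the name is sent somewhere
    else rather than blocked) and 'verdict' ('keep' or 'flag').
    rewritten_text: the input with every flagged line prefixed by '# '.
    """
    user_added = {h.lower() for h in user_added}
    report, flagged = [], set()
    for n, ip_str, hosts in parse_hosts(text):
        try:
            redirect = not ipaddress.ip_address(ip_str).is_loopback
        except ValueError:          # not even a valid address: review it
            redirect = True
        if not redirect and hosts == ['localhost']:
            verdict = 'keep'
        elif hosts and all(h in user_added for h in hosts):
            verdict = 'keep'
        else:
            verdict = 'flag'
            flagged.add(n)
        report.append({'line': n, 'ip': ip_str, 'hosts': hosts,
                       'redirect': redirect, 'verdict': verdict})
    lines = text.splitlines()
    rewritten = '\n'.join('# ' + l if n in flagged else l
                          for n, l in enumerate(lines, 1))
    if text.endswith('\n'):
        rewritten += '\n'
    return report, rewritten


if __name__ == '__main__':
    report, fixed = audit_hosts(SAMPLE_HOSTS, user_added={'ads.example.net'})
    for entry in report:
        print(entry['verdict'].upper(), entry['ip'], ' '.join(entry['hosts']),
              '(redirect)' if entry['redirect'] and entry['verdict'] == 'flag' else '')
    print(fixed)
```

To use it on a real machine, read the hosts file into `text`, review the report, and only then write `rewritten_text` back; commenting the lines out rather than deleting them keeps the evidence of what was there.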