Computer is running slow - possible Spyware, Etc.

[kite1969]

I have a computer that is running Windows 2000 and has started running very slow. I have ran Spybot S&D, Adaware and Bazooka. Here is the HighJackThis log below. Can someone please review the information and let me know if there is any additional items I need to remove.

Thank you


Logfile of HijackThis v1.98.2
Scan saved at 11:48:32 AM, on 11/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06. exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\WINNT\_re_file.exe
C:\WINNT\System32\MsiExec.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\becky\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06. exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [wingo] C:\WINNT\system32\wingo.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ransporter.cab?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26fee675...p/RdxIE601.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...2/cpbrkpie.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minib...rand=200332811
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = StateUtilityContractors.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = StateUtilityContractors.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = StateUtilityContractors.local

[Acrobaze]

Hi,

Yes, there are worms here. We'll clean the computer.

---------1

Close all browser windows, run only HijackThis and check these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html

O4 - HKLM\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [wingo] C:\WINNT\system32\wingo.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINNT\system32\winshost.exe

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4...22/cpbrkpie.cab
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/mini...?rand=200332811

Click "Fix checked".

---------------2

Now, reboot in safe mode, make sure you can see the hidden files and folders and delete:

C:\WINNT\system32\winshost.exe
C:\PROGRAM FILES\AWS\ <-the folder
C:\WINNT\system32\wingo.exe
C:\WINNT\_re_file.exe

Empty the recycle bin.

----------------3

-----I
Reboot in normal mode.
_re_file.exe is "Bagle trojan", so, I recommend you to download this tool :
Stinger

and to do a full system scan with it.

------II

After this, post a new HijackThis log, please, kite1969.

Ps: what are your antivirus and your firewall?

[kite1969]

I am using Symantec Corporate as my antivirus and our ISP has the firewall on the T1 line.


Thank you for all your help Acrobaze. There were 158 items from the "Bagle trojan". The computer seems to be better.

Here is the repost.

Logfile of HijackThis v1.98.2
Scan saved at 2:21:36 PM, on 11/5/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Compaq\LCRMS\LCRMS.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06. exe
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\becky\Local Settings\Temp\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06. exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/26fee675...p/RdxIE601.cab
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = StateUtilityContractors.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = StateUtilityContractors.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = StateUtilityContractors.local

[Acrobaze]

Ok. NavNT appears now. In the first log, there was only its tray.

This log looks clean, now.