
Hijack this log

Discussion in 'Security and Privacy' started by Vortigern Wolf, 2004/06/23.

Thread Status:
Not open for further replies.
  1. 2004/06/23
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Hi

    Have a laptop that is performing poorly, have run adware and removed 140 entries including one that was identified as a compromise. The laptop has had a ton of software installed upon it. This is the hijack log.

    Logfile of HijackThis v1.97.7
    Scan saved at 14:34:35, on 23/06/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\Program Files\FnUtil\Launch Manager\hotkeyex.exe
    C:\WINNT\system32\ati2evxx.exe
    C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\PROGRA~1\TUN\COMMON\ESLCBCST.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Network Associates\VirusScan\VsStat.exe
    C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\Avconsol.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\FnUtil\Launch Manager\LaunchAp.exe
    C:\Program Files\Acer\Powerkey\Powerkey.exe
    C:\WINNT\System32\Keymap.exe
    C:\WINNT\system32\Promon.exe
    C:\WINNT\system32\LXSUPMON.EXE
    C:\WINNT\LTSMMSG.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Pvsw\Bin\W3dbsmgr.exe
    C:\Program Files\TUN\tcpw\walld32.exe
    C:\Program Files\TUN\TCPW\wportm32.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\WINNT\system32\wisptis.exe
    C:\adware\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.100.2:8000
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\FnUtil\Launch Manager\LaunchAp.exe
    O4 - HKLM\..\Run: [AcerPowerkey] "C:\Program Files\Acer\Powerkey\Powerkey.exe "
    O4 - HKLM\..\Run: [KEYMAP] C:\WINNT\System32\Keymap.exe
    O4 - HKLM\..\Run: [Winupdate] regedit /s C:\Winnt\Discover.reg
    O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\system32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [hpsjbmgr] C:\SCANJET\PrecisionScanLT\hpsjbmgr.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [ASWnk] c:\program files\primesoft\aswnk\aswnk.exe /noconnect
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Pervasive.SQL Workstation Engine.lnk = C:\Pvsw\Bin\W3dbsmgr.exe
    O4 - Global Startup: Wall Server.lnk = C:\Program Files\TUN\tcpw\walld32.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.2696527778
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = connect4systems.co.uk
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = connect4systems.co.uk
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = connect4systems.co.uk

    Thanks in advance for looking at this.

    Vortigern
     
  2. 2004/06/23
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Someone else may have better eyes than I do, but except for a couple of legit but rarely needed items, I don't see anything real exciting in the HijackThis log.

    You mentioned running Ad-aware. Good idea. Also good to run Spybot - and you will want the latest version so 1.3 and updates. It will probably find some things that Ad-aware missed.

    There may be other causes for the poor performance though. Could you give details of the problems?
     


  4. 2004/06/23
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I would remove these.

    O4 - HKLM\..\Run: [Winupdate] regedit /s C:\Winnt\Discover.reg
    O4 - HKLM\..\Run: [ASWnk] c:\program files\primesoft\aswnk\aswnk.exe /noconnect
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

    Right click on the file C:\Winnt\Discover.reg, select Edit, and post the contents of it on here. It is a text file and will open in Notepad doing it this way. A REG file running on startup is not always a good thing.

    Reboot, and delete this folder, it is a dialer that you do not want.
    c:\program files\primesoft
    Go to Start\Run and type in CMD and press Enter, then use this command in the DOS window:
    regsvr32 /u msinfosys.dll
    Then delete the file c:\WinNT\system32\msinfosys.dll
    If not found, Ad-Aware may have removed it.

    Go to Start\Run and type in Regedit, and delete the following keys [looks like a folder on the left].
    HKEY_CLASSES_ROOT\.WINK
    HKEY_CLASSES_ROOT\WINKfile

    Note, there is an uninstall entry for this dialer in Add/Remove, but all it does is force this thing to hide.

    Do you know what this is?
    O4 - Global Startup: Wall Server.lnk = C:\Program Files\TUN\tcpw\walld32.exe
     
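    The reply above asks for the contents of Discover.reg because a .reg file imported silently at logon can write anywhere in the registry. Below is an added example, not code from the thread, that parses a .reg file in the regedit 5.00 export format and reports which writes land under autostart keys (Run/RunOnce/RunServices, Winlogon, Browser Helper Objects). SAMPLE_REG is a constructed file built from identifiers that appear in this thread (the aswnk dialer path and the .WINK class); it is not the real contents of C:\Winnt\Discover.reg, which was never posted.

```python
r"""Report what a Windows .reg file will write, highlighting autostart locations.

Added example, not code from the thread. SAMPLE_REG is constructed for
illustration and is not the real C:\Winnt\Discover.reg from the thread.
"""
import re

# Key prefixes (upper-cased) whose values launch code at logon or inside IE.
# The ...\RUN prefix deliberately also covers RunOnce and RunServices.
AUTOSTART_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS",
)

# Constructed sample in regedit 5.00 format (backslashes are doubled in .reg files).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.co.uk/"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASWnk"="c:\\program files\\primesoft\\aswnk\\aswnk.exe /noconnect"

[HKEY_CLASSES_ROOT\.WINK]
@="WINKfile"
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                 # [key] or [-key] (delete)
VALUE_RE = re.compile(r'^("((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " inside quoted strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return a list of {'key', 'action', 'name', 'data'} entries in file order."""
    entries = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            action = "delete_key" if m.group(1) == "-" else "create_key"
            entries.append({"key": key, "action": action, "name": None, "data": None})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3).strip()
            if data == "-":
                action, value = "delete_value", None
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                action, value = "set_string", _unescape(data[1:-1])
            else:
                action, value = "set_raw", data  # dword:, hex:, hex(2): ... left as written
            entries.append({"key": key, "action": action, "name": name, "data": value})
    return entries


def is_autostart(key):
    """True if the key sits under one of the autostart prefixes (case-insensitive)."""
    k = key.upper()
    return any(k.startswith(p) for p in AUTOSTART_PREFIXES)


def autostart_writes(text):
    """Only the value writes that would add or change an autostart entry."""
    return [e for e in parse_reg(text) if e["action"].startswith("set") and is_autostart(e["key"])]


if __name__ == "__main__":
    for e in autostart_writes(SAMPLE_REG):
        print(f'{e["key"]} -> "{e["name"]}" = {e["data"]!r}')
```

    Run it against the real file before importing or deleting anything; a .reg that only sets a start page is harmless, one that adds a Run value or rewrites Winlogon\Shell is the kind of thing the reply above is warning about.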
  5. 2004/06/24
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Cheers guys, will give those tasks a try. The machine is just performing poorly. Cannot find anything of consequence to point to a fault.

    Walld32.exe is part of Esker Tun used for telneting to unix software.

    Cheers

    Vortigern
     
  6. 2004/06/24
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  7. 2004/06/24
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Anything with no identifying strings should be removed,
    ex.
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

    Also, adjust your Services. A lot of services are running that probably can be set to Manual. See www.blkviper.com

    As well adjust your Startup Processes. Download Autoruns from www.sysinternals.com to see ALL that loads at system boot.
     
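    The two rules the replies apply to this log, the O16 entries with no name or URL (posts #4 and #7) and the O4 Run entry that silently imports a .reg file (post #4), can be checked mechanically. The following is an added example, not code from the thread or from HijackThis; it parses HijackThis v1.97-style O4 and O16 lines and flags those two patterns. SAMPLE_LOG is a constructed excerpt whose lines are copied from the log in post #1. Note what it cannot do: the aswnk dialer was recognised from knowledge of the product, not from anything in its log line, so a clean result from these rules is not a clean machine.

```python
"""Triage HijackThis O4/O16 entries for the two patterns called out in the thread.

Added example, not code from the thread or from HijackThis itself.
"""
import re

# Constructed excerpt; lines copied verbatim from the log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Winupdate] regedit /s C:\Winnt\Discover.reg
O4 - HKLM\..\Run: [ASWnk] c:\program files\primesoft\aswnk\aswnk.exe /noconnect
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

# O16 - DPF: {CLSID} (optional friendly name) - optional .cab download URL
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]{36})\}(?: \((.*?)\))? -\s*(.*)$")
# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")


def _imports_reg_file(command):
    """True if the command runs regedit silently (/s) against a .reg file."""
    tokens = command.lower().split()
    if not tokens:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1]          # strip any directory prefix
    return (exe in ("regedit", "regedit.exe")
            and "/s" in tokens
            and any(t.endswith(".reg") for t in tokens[1:]))


def triage(log_text):
    """Return [{'line', 'reason'}] for entries that merit removal or a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O16_RE.match(line)
        if m:
            clsid = m.group(1)
            name = (m.group(2) or "").strip()
            url = m.group(3).strip()
            # An ActiveX control with neither a name nor a source is unidentifiable.
            if not name and not url:
                findings.append({
                    "line": line,
                    "reason": f"O16 ActiveX control {{{clsid}}} has no name and no download URL",
                })
            continue
        m = O4_RE.match(line)
        if m:
            hive, label, command = m.groups()
            # A .reg merged silently at every logon can rewrite arbitrary keys.
            if _imports_reg_file(command):
                findings.append({
                    "line": line,
                    "reason": f"O4 [{label}] under {hive} silently imports a .reg file at logon: {command}",
                })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["reason"])
```

    Feed it the whole saved log; the O17 domain lines and the process list are left alone because nothing in the thread treats them as suspect.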