Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Machine running very slow and sluggish


  • This topic is locked This topic is locked
10 replies to this topic

#1 domnjeff

domnjeff

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:46 AM

Posted 18 September 2005 - 11:19 PM

Greetings,

I am nw to this forum so hello to allof you. I was told by a friend that you guys and girls do awesome work.

OK over the last three days my PC has been running very slow and sluggishly. I have tried Adaware and removed what that found, ran my antivirus and saw some Adaware type viruses but was not able to remove them. Did 'msconfig" looked for any weird programs - found nothing.
Can you please look at my HJT logfile and tell me if you see anything suspicious that could be slowing me down.

Many thanks,

JP

Logfile of HijackThis v1.99.1
Scan saved at 9:19:03 PM, on 9/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wwSecure.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\sstqo.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:46 AM

Posted 19 September 2005 - 12:17 PM

Hello JP,

You have some nasty malware on this computer, so will we use this fix for it. :thumbsup:


Print out these instructions as we will need to shutdown every window that is open later in the fix.

Please download Process Explorer
by Sysinternals and extract it to your desktop. Do not run this now as we will use it later.


Download KillBox and extract it to your desktop. Do not run this now as we will use it later.


Download FixVundo.reg and save it to your desktop. Do not run this now as we will use it later.

Download CCleaner and install it. (default location is best). Do not run this now as we will use it later.


Reboot your computer into Safe Mode

*******************************************

Double-click on procexp.exe which is the Process Explorer that we downloaded earlier.


In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen.
Click on the Threads tab at the top.

Once you see this screen click on each instance of the sstqo.dll and click on the kill button.

If you see any files listed that are the same name but end with .bak or .ini or are the name in reverse, you can kill those as well.

After you have killed all of the instances of the sstqo.dll under winlogon click on the OK button.


Now double-click on explorer.exe, select the Threads tab, and again click once on each instance of the sstqo.dll.

Once they are highlighted click on the Kill button.

When this is done, click on the OK button again.

*******************************************

Now run HijackThis, close all windows, and press the Scan button.

Place a check next to each of the entries:

O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\sstqo.dll
O20 - Winlogon Notify: sstqo - C:\WINDOWS\system32\sstqo.dll



Once all the entries are checked, press the Fix button and then exit HijackThis.

*******************************************

Now double-click on the FixVundo.reg file that you downloaded earlier and allow it to merge the information.

*******************************************

Killbox tutorial:
http://forum.malwareremoval.com/viewtopic.php?t=320

Download KillBox to the desktop.

Run Killbox program, in the field labeled "Full Path of File to Delete" enter

C:\WINDOWS\system32\sstqo.dll


select the "Delete on Reboot" and click on the Red X(delete file) ,when it asks if you would like to Reboot now, press the Yes button

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

*******************************************


Let's empty the temp files:

Run CCleaner your downloaded earlier.
Select the Windows Tab, Run CCleaner, (click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues button and the Applications Tab. Uncheck everything under the Applications tab.

*******************************************


Finally, reboot to the Normal Mode and post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 domnjeff

domnjeff
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:46 AM

Posted 20 September 2005 - 10:58 AM

Hi Mike,

I followed instructions. However when I did the Process Explorer step I did not see a "Threads" tab at the top so I stopped there. Here is what I found when running the Process Explorer. Maybe you can see something I missed. I did not see any sstqo.dll files.

Thanks for your response,

JP

Process PID CPU Description Company Name
System Idle Process 0 95.38
Interrupts n/a Hardware Interrupts
DPCs n/a 1.54 Deferred Procedure Calls
System 4
smss.exe 620 Windows NT Session Manager Microsoft Corporation
csrss.exe 684 Client Server Runtime Process Microsoft Corporation
winlogon.exe 708 Windows NT Logon Application Microsoft Corporation
services.exe 752 Services and Controller app Microsoft Corporation
svchost.exe 920 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 976 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1068 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1116 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1260 Generic Host Process for Win32 Services Microsoft Corporation
CCPROXY.EXE 1404 Common Client Network Proxy Service Symantec Corporation
CCSETMGR.EXE 1452 Symantec Settings Manager Service Symantec Corporation
SNDSrvc.exe 1468 Network Driver Service Symantec Corporation
SPBBCSvc.exe 1508 SPBBC Service Symantec Corporation
CCEVTMGR.EXE 1532 Symantec Event Manager Service Symantec Corporation
spoolsv.exe 324 Spooler SubSystem App Microsoft Corporation
AOLacsd.exe 1188 AOL Connectivity Service America Online, Inc.
MDM.EXE 1288 Machine Debug Manager Microsoft Corporation
NAVAPSVC.EXE 1784 Norton AntiVirus Auto-Protect Service Symantec Corporation
svchost.exe 2200 Generic Host Process for Win32 Services Microsoft Corporation
symlcsvc.exe 2368 Symantec Core Component Symantec Corporation
wwSecure.exe 2456 Washer Security Service Webroot Software, Inc.
symwsc.exe 2616 Norton Security Center Service Symantec Corporation
alg.exe 560 Application Layer Gateway Service Microsoft Corporation
lsass.exe 764 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 524 1.54 Windows Explorer Microsoft Corporation
jusched.exe 768
hpsysdrv.exe 904 hpsysdrv Hewlett-Packard Company
kbd.exe 928 KBD EXE Hewlett-Packard Company
VTTimer.exe 1016 S3 Graphics, Inc.
CCAPP.EXE 1036 Symantec User Session Symantec Corporation
AGRSMMSG.exe 1136 SoftModem Messaging Applet Agere Systems
CFD.exe 1268
IPClient.exe 1280 IP Session Statistics Visual Networks
ipmon32.exe 1316 IP Monitor Visual Networks
MotiveSB.exe 1228 SBC Self Support Tool Alerts Motive Communications, Inc.
hpwuSchd.exe 1352 hpwuSchd Hewlett-Packard
hpcmpmgr.exe 1364 HP Framework Component Manager Service Hewlett-Packard Company
atiptaxx.exe 1396 ATI Desktop Control Panel ATI Technologies, Inc.
realsched.exe 1420 RealNetworks Scheduler RealNetworks, Inc.
ctfmon.exe 1428 CTF Loader Microsoft Corporation
wwDisp.exe 1496 Window Washer hard disk cleaning utility Webroot Software
Compaq Connections.exe 1880
J2GDllCmd.exe 1896 eFax Messenger - DLL Command Utility j2 Global Communications, Inc.
J2GTray.exe 1904 eFax Messenger - Tray j2 Global Communications, Inc.
IEXPLORE.EXE 3708 Internet Explorer Microsoft Corporation
WINWORD.EXE 3844 Microsoft Office Word Microsoft Corporation
IEXPLORE.EXE 2916 Internet Explorer Microsoft Corporation
procexp.exe 3444 1.54 Sysinternals Process Explorer Sysinternals

Process: winlogon.exe Pid: 708

Type Name
WindowStation \Windows\WindowStations\WinSta0
WindowStation \Windows\WindowStations\WinSta0
Token YOUR-22CA86D5C4\dad
Token YOUR-22CA86D5C4\dad
Token YOUR-22CA86D5C4\dad
Token YOUR-22CA86D5C4\dad
Token YOUR-22CA86D5C4\dad
Token NT AUTHORITY\SYSTEM
Thread winlogon.exe(708): 712
Thread winlogon.exe(708): 2220
Thread winlogon.exe(708): 728
Thread winlogon.exe(708): 452
Thread winlogon.exe(708): 1332
Thread winlogon.exe(708): 420
Thread winlogon.exe(708): 1324
Thread winlogon.exe(708): 1320
Thread winlogon.exe(708): 1312
Thread winlogon.exe(708): 1312
Thread winlogon.exe(708): 1248
Thread winlogon.exe(708): 960
Thread winlogon.exe(708): 956
Thread winlogon.exe(708): 952
Thread winlogon.exe(708): 952
Thread winlogon.exe(708): 972
Thread winlogon.exe(708): 760
Thread winlogon.exe(708): 748
Thread winlogon.exe(708): 740
Thread winlogon.exe(708): 736
Thread winlogon.exe(708): 712
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Semaphore \BaseNamedObjects\shell.{7CB834F0-527B-11D2-9D1F-0000F805CA57}
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Section \BaseNamedObjects\__R_000000000010_SMem__
Section \BaseNamedObjects\WDMAUD_Callbacks
Section \BaseNamedObjects\mmGlobalPnpInfo
Section \BaseNamedObjects\UrlZonesSM_SYSTEM
Section \BaseNamedObjects\C:_WINDOWS_system32_config_systemprofile_Cookies_index.dat_16384
Section \BaseNamedObjects\C:_WINDOWS_system32_config_systemprofile_Local Settings_History_History.IE5_index.dat_32768
Section \BaseNamedObjects\C:_WINDOWS_system32_config_systemprofile_Local Settings_Temporary Internet Files_Content.IE5_index.dat_32768
Section \BaseNamedObjects\ShimSharedMemory
Process lsass.exe(764)
Process services.exe(752)
Port \RPC Control\OLE56CED2C38A4740F28622B4F51930
Port \RPC Control\IUserProfile
Port \RPC Control\sclogonrpc
Mutant \BaseNamedObjects\winlogon: Logon UserProfileMapping Mutex
Mutant \BaseNamedObjects\SingleSesMutex
Mutant \BaseNamedObjects\MidiMapper_Configure
Mutant \BaseNamedObjects\MidiMapper_modLongMessage_RefCnt
Mutant \BaseNamedObjects\WininetProxyRegistryMutex
Mutant \BaseNamedObjects\WininetConnectionMutex
Mutant \BaseNamedObjects\WininetStartupMutex
Mutant \BaseNamedObjects\ZonesLockedCacheCounterMutex
Mutant \BaseNamedObjects\ZonesCacheCounterMutex
Mutant \BaseNamedObjects\ZonesCounterMutex
Mutant \BaseNamedObjects\c:!windows!system32!config!systemprofile!local settings!history!history.ie5!
Mutant \BaseNamedObjects\c:!windows!system32!config!systemprofile!cookies!
Mutant \BaseNamedObjects\c:!windows!system32!config!systemprofile!local settings!temporary internet files!content.ie5!
Mutant \BaseNamedObjects\_!MSFTHISTORY!_
Mutant \BaseNamedObjects\WPA_LICSTORE_MUTEX
Mutant \BaseNamedObjects\WPA_HWID_MUTEX
Mutant \BaseNamedObjects\WPA_LT_MUTEX
Mutant \BaseNamedObjects\WPA_RT_MUTEX
Mutant \BaseNamedObjects\WPA_PR_MUTEX
Mutant \BaseNamedObjects\userenv: User Registry policy mutex
Mutant \BaseNamedObjects\userenv: user policy mutex
Mutant \BaseNamedObjects\userenv: Machine Registry policy mutex
Mutant \BaseNamedObjects\userenv: machine policy mutex
Mutant \BaseNamedObjects\msgina: InteractiveLogonRequestMutex
Mutant \BaseNamedObjects\msgina: InteractiveLogonMutex
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant \BaseNamedObjects\VMProtectionMutex
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKU\.DEFAULT
Key HKCR
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache
Key HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam
Key HKCU
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Key HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Key HKU
Key HKLM\SYSTEM\Setup
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Credentials
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Key HKLM\SYSTEM\ControlSet001\Control\Lsa
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Key HKLM
File \Device\KsecDD
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \Device\NamedPipe\TerminalServer\AutoReconnect
File C:\WINDOWS\system32
File \Device\KSENUM#00000001\{9B365890-165F-11D0-A195-0020AFD156E4}
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \Device\Ip
File \Device\Tcp
File C:\WINDOWS\system32\sstqo.dll
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
File C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File \Device\NamedPipe\winlogonrpc
File \Device\NamedPipe\winlogonrpc
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File \Device\NamedPipe\winlogonrpc
File \Device\NamedPipe\SfcApi
File \Device\NamedPipe\SfcApi
File C:\WINDOWS\WinSxS
File C:\Program Files\xerox\nwwia
File C:\WINDOWS\system32\mui\0424
File C:\WINDOWS\system32\mui\041b
File C:\Program Files\Windows NT\Accessories
File C:\WINDOWS\system32\wbem\xml
File C:\Program Files\Common Files\Microsoft Shared\VGX
File C:\WINDOWS\pchealth\UploadLB\Binaries
File C:\WINDOWS\Help\Tours\mmTour
File C:\WINDOWS\system32\IME\TINTLGNT
File C:\WINDOWS\system32\spool\drivers\color
File C:\WINDOWS\PeerNet
File C:\Program Files\Common Files\Microsoft Shared\Speech\1033
File C:\Program Files\Common Files\SpeechEngines\Microsoft
File C:\WINDOWS\system32\wbem\snmp
File C:\WINDOWS\Resources\Themes\Luna\Shell\Metallic
File C:\WINDOWS\Resources\Themes\Luna\Shell\Homestead
File C:\WINDOWS\Resources\Themes\Luna\Shell\NormalColor
File C:\Program Files\Common Files\Microsoft Shared\Speech
File C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS\1033
File C:\WINDOWS\system32\Restore
File C:\WINDOWS\ime\chsime\applets
File C:\Program Files\Windows NT\Pinball
File C:\WINDOWS\ime\shared\res
File C:\WINDOWS\system32\npp
File C:\Program Files\Common Files\MSSoap\Binaries\Resources\1033
File C:\Program Files\Common Files\MSSoap\Binaries
File C:\WINDOWS\system32\oobe
File C:\Program Files\Outlook Express
File C:\WINDOWS\srchasst
File C:\WINDOWS\ime
File C:\Program Files\Movie Maker
File C:\WINDOWS\Resources\Themes\Luna
File C:\Program Files\Common Files\SpeechEngines\Microsoft\Lexicon\1033
File C:\WINDOWS\system32\IME\PINTLGNT
File C:\WINDOWS\ime\shared
File C:\WINDOWS\ime\imkr6_1
File C:\Program Files\Common Files\Microsoft Shared\MSInfo
File C:\Program Files\Internet Explorer\Connection Wizard
File C:\WINDOWS\system32\xircom
File C:\WINDOWS\ime\imkr6_1\applets
File C:\WINDOWS\ime\imjp8_1\applets
File C:\Program Files\Internet Explorer
File C:\WINDOWS\system32\mui\0009
File C:\WINDOWS\ime\imkr6_1\dicts
File C:\WINDOWS\system32\usmt
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admisapi\scripts
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\admcgi\scripts
File C:\WINDOWS\system32\1033
File C:\Program Files\Common Files\System
File C:\Program Files\Windows NT
File C:\Program Files\Common Files\Microsoft Shared\Triedit
File C:\WINDOWS\ime\imjp8_1
File C:\WINDOWS\system32\Setup
File C:\WINDOWS\system32\Com
File C:\WINDOWS\system32\IME\CINTLGNT
File C:\WINDOWS\system32\wbem
File C:\WINDOWS\ime\CHTIME\Applets
File C:\WINDOWS\system32\drivers\disdn
File C:\Program Files\NetMeeting
File C:\WINDOWS\pchealth\helpctr\binaries
File C:\Program Files\MSN Gaming Zone\Windows
File C:\WINDOWS\system32\inetsrv
File C:\WINDOWS\msagent\intl
File C:\WINDOWS\msagent
File C:\WINDOWS\system
File C:\WINDOWS\inf
File C:\Program Files\Common Files\System\Ole DB
File C:\Program Files\Common Files\System\ado
File C:\Program Files\Common Files\System\msadc
File C:\Program Files\Windows Media Player
File C:\Program Files\Common Files\Microsoft Shared\DAO
File C:\WINDOWS
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\1033
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin
File C:\Program Files\microsoft frontpage\version3.0\bin
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bots\vinavbar
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\servsupp
File C:\WINDOWS\system32\drivers
File C:\WINDOWS\Fonts
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_aut
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_aut
File C:\WINDOWS\Help
File C:\WINDOWS\system32
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\_vti_bin\_vti_adm
File C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\isapi\_vti_adm
File C:\WINDOWS\system32\dllcache
File C:\WINDOWS\AppPatch
File \Device\NamedPipe\InitShutdown
File \Device\NamedPipe\InitShutdown
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
Event \Security\NetworkProviderLoad
Event \BaseNamedObjects\ReconEvent
Event \BaseNamedObjects\hardwaremixercallback
Event \BaseNamedObjects\TS-WPAAE
Event \BaseNamedObjects\WinlogonTSSynchronizeEvent
Event \BaseNamedObjects\0000000000014b59_WlballoonKerberosNotificationEventName
Event \BaseNamedObjects\WlballoonLogoffNotificationEventName
Event \BaseNamedObjects\WlballoonLogoffNotificationEventName
Event \BaseNamedObjects\CscCacheInitCompleteEvent
Event \BaseNamedObjects\SENS Started Event
Event \BaseNamedObjects\AgentExistsEvent
Event \BaseNamedObjects\AgentToWkssvcEvent
Event \BaseNamedObjects\WkssvcToAgentStopEvent
Event \BaseNamedObjects\WkssvcToAgentStartEvent
Event \BaseNamedObjects\jjCSCSessEvent_UM_KM_0
Event \BaseNamedObjects\userenv: User Policy Foreground Done Event
Event \BaseNamedObjects\jjCSCSharedFillEvent_UM_KM
Event \BaseNamedObjects\userenv: User Group Policy Processing is done
Event \BaseNamedObjects\DINPUTWINMM
Event \BaseNamedObjects\ThemesStartEvent
Event \BaseNamedObjects\userenv: User Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: User Group Policy has been applied
Event \BaseNamedObjects\userenv: Machine Policy Foreground Done Event
Event \BaseNamedObjects\userenv: Machine Group Policy Processing is done
Event \BaseNamedObjects\userenv: Machine Group Policy ForcedRefresh Needs Foreground Processing
Event \BaseNamedObjects\userenv: Machine Group Policy has been applied
Event \BaseNamedObjects\userenv: User Profile setup event
Event \BaseNamedObjects\crypt32LogoffEvent
Event \BaseNamedObjects\WFP_IDLE_TRIGGER
Event \BaseNamedObjects\msgina: ShutdownEvent
Event \BaseNamedObjects\msgina: ReturnToWelcome
Event \BaseNamedObjects\Microsoft Smart Card Resource Manager Started
Event \BaseNamedObjects\mixercallback
Directory \KnownDlls
Directory \BaseNamedObjects
Directory \Windows
Desktop \Default
Desktop \Disconnect
Desktop \Winlogon
Desktop \Default

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:46 AM

Posted 20 September 2005 - 12:21 PM

Hi domnjeff,

I followed instructions. However when I did the Process Explorer step I did not see a "Threads" tab at the top so I stopped there.


Sounds like you did not double rt. click on the winlogon.exe to bring up the winlogon.exe properties screen. :thumbsup:


There will be 8 Tabs listed on the winlogon.exe Properties screen (tcp/ip, seciruty, envirnment, strings, image, image preformance, performance graph, Threads).
You want the Threads tab.
Click on the Threads tab at the top and do there procedure I outlined in my previous threads. :flowers:

Edited by SifuMike, 20 September 2005 - 12:27 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 domnjeff

domnjeff
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:46 AM

Posted 20 September 2005 - 03:15 PM

Hello,

OK did as instructed. The machine seems to be running much better...however it does take a while to boot up. maybe that is unrelated. Here is the HJT log... what do you think?

Logfile of HijackThis v1.99.1
Scan saved at 1:12:07 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:46 AM

Posted 20 September 2005 - 03:48 PM

Hi domnjeff,

Opps! Looks like I missed an item.

http://www.bleepingcomputer.com/startups/i...t.exe-2308.html

ipclient.exe
Description: Installed with Verizon DSL accounts. IP Insight is a Quality of Service monitor and diagnostic tool that isn't required - see here for more information. This one constantly "phones home" and wastes resource - hence the "X" status



How to Reboot into Safe Mode
tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key.

Please boot into Safe Mode, go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each.
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe


Now run HijackThis, close all windows, and press the Scan button.

Place a check next to each of the entries:

O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l


Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Using Windows Explorer, find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe <==file


*******************************************


Let's empty the temp files:

Download CCleaner and install it. (default location is best).
Select the Windows Tab, Run CCleaner, (click Run Cleaner (bottom right) then, when it finishes scanning click Exit.)
When you see "Complete" on the top line, it's done. It's very fast.

I recommend that you DO NOT run anything under the Issues button and the Applications Tab. Uncheck everything under the Applications tab.

*******************************************


Finally, reboot to the Normal Mode and post a new Hijackthis log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 domnjeff

domnjeff
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:46 AM

Posted 20 September 2005 - 04:39 PM

Hello,

OK, I did not find the file

C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe

But did find one without the IPClient.exe extension. I did not delete it. Should I?

Here is the latest HJT scan.... see anything else?

Thanks a million

JP

Logfile of HijackThis v1.99.1
Scan saved at 2:36:23 PM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wwSecure.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#8 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:46 AM

Posted 20 September 2005 - 09:32 PM

Hi domnjeff,

I did not find the file
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
But did find one without the IPClient.exe extension. I did not delete it. Should I?


No, leave it. IPClient.exe is not in your log anymore, so it looks like Hijackthis deleted it.

Your log looks clean! :thumbsup: Good job on the cleanup!


let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.



Please read How did I get infected?, With steps so it does not happen again!

Edited by SifuMike, 20 September 2005 - 09:35 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 domnjeff

domnjeff
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:46 AM

Posted 21 September 2005 - 10:22 PM

Greetings,

Just wanted to thank you for your help!

Here is the latest HJT scan... the machine is running MUCH better

Thanks,

JP

Logfile of HijackThis v1.99.1
Scan saved at 8:20:40 PM, on 9/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wwSecure.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - c:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\RunOnce: [Index Washer] C:\Program Files\Webroot\Washer\WashIdx.exe "dad"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\6750491\Program\Compaq Connections.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers...ll/pinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#10 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:46 AM

Posted 21 September 2005 - 11:43 PM

Your log looks clean! :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:05:46 AM

Posted 15 October 2005 - 02:47 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users