Odd System Performance and Appearance of Undesirable Image during boot

Discussion in 'adware, spyware & hijack cleaning' started by crmurr, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. crmurr

    crmurr Registered Member

    Joined:
    May 27, 2004
    Posts:
    18
    This Acer laptop is performing slowly and since downloading files recently there is a new and objectionable image that displays during the boot process.

    I have run memorywatcher uninst.exe and Ad-Aware. I deleted all objects found by Ad-Aware and rebooted the system.

    I ran HijackThis. The log is listed below.

    Your help with this will be appreciated.

    crmurr
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello crmurr,

    I am not seeing your HJT log. Could you copy and paste it again here?
     
  3. crmurr

    crmurr Registered Member

    Joined:
    May 27, 2004
    Posts:
    18
    I was in the "Ready, Fire, Aim" mode when I posted.

    Sorry.

    Here is the log:
    Logfile of HijackThis v1.97.7
    Scan saved at 12:12:40 PM, on 6/16/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\Programmi\File comuni\Symantec Shared\ccSetMgr.exe
    C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
    C:\Programmi\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINNT\system32\regsvc.exe
    C:\Programmi\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\tcpsvcs.exe
    C:\WINNT\System32\snmp.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\Tablet.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Programmi\File comuni\Symantec Shared\SymTray.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\LTSMMSG.exe
    C:\WINNT\system32\rmctrl.exe
    C:\Programmi\Iomega HotBurn Pro\Autolaunch.exe
    C:\Programmi\QuickTime\qttask.exe
    C:\Programmi\File comuni\Symantec Shared\ccApp.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Programmi\MSN Messenger\MsnMsgr.Exe
    C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Programmi\CyberBuddy\CyberBud.exe
    C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINNT\system32\HPZipm12.exe
    C:\WINNT\msagent\AgentSvr.exe
    C:\Programmi\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Documents and Settings\Tiziano\Desktop\HijackThis.exe
    C:\Programmi\Internet Explorer\IEXPLORE.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bispado.org.br/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\Programmi\E-Book Systems\FlipAlbum 5 Pro Eval\fplaunch.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programmi\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
    O4 - HKLM\..\Run: [RemoteControl] C:\WINNT\system32\rmctrl.exe
    O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Programmi\Iomega HotBurn Pro\Autolaunch.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\Symtray.exe SetReg
    O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [PowerDVD] C:\Programmi\CyberLink\PowerDVD\PowerDVD.exe /autostart
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Programmi\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Programmi\File comuni\Symantec Shared\Symtrdr.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Programmi\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: CyberBuddy.lnk = C:\Programmi\CyberBuddy\CyberBud.exe
    O4 - Global Startup: hp psc 1000 series.lnk = C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Programmi\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .UVR: C:\Programmi\Internet Explorer\Plugins\NPUPano.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38149.3989699074
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FF874F2D-4CA6-43F3-B9B2-2D2D28A57201}: NameServer = 10.0.0.1
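
Added example (not part of the original thread, and not HijackThis code): a small Python parser for the log format posted above. It groups result lines by section code, lists the O4 autostart entries, and reports whether the proxy (R1) and DNS (O17) values are private addresses. The function names and the private-address check are assumptions made for this illustration; the sample lines are copied from the posted log.

```python
import ipaddress
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above (lines copied from the thread).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: CyberBuddy.lnk = C:\Programmi\CyberBuddy\CyberBud.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF874F2D-4CA6-43F3-B9B2-2D2D28A57201}: NameServer = 10.0.0.1
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")  # "<code> - <detail>" result lines
# O4 has two shapes: "<key>: [name] command" and "<folder>: shortcut.lnk = target".
O4_FORM = re.compile(r"^(?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] (?P<cmd>.*)"
                     r"|(?P<lnk>.*?) = (?P<target>.*))$")
NET = re.compile(r"(ProxyServer|NameServer) = (.+)$")

def parse_entries(log):
    """Group result lines by section code; header and process lines are skipped."""
    sections = defaultdict(list)
    for m in filter(None, map(ENTRY.match, log.splitlines())):
        sections[m.group(1)].append(m.group(2).strip())
    return dict(sections)

def autostarts(sections):
    """Return (location, name, command) for each O4 autostart entry."""
    found = (O4_FORM.match(d) for d in sections.get("O4", []))
    return [(m["where"], m["lnk"] or m["name"], m["target"] or m["cmd"])
            for m in found if m]

def network_overrides(sections):
    """Return (setting, host, is_private) for proxy (R1) and DNS (O17) values."""
    out = []
    for detail in sections.get("R1", []) + sections.get("O17", []):
        m = NET.search(detail)
        for value in re.split(r"[,\s]+", m.group(2).strip()) if m else []:
            host = value.rsplit(":", 1)[0] if m.group(1) == "ProxyServer" else value
            try:
                private = ipaddress.ip_address(host).is_private
            except ValueError:
                private = None  # hostname: cannot be classified offline
            out.append((m.group(1), host, private))
    return out
```

Calling `autostarts(parse_entries(log))` on the full log gives the list of programs launched at boot or logon, which is the inventory to review when a system starts slowly.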
     
  4. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I am not seeing much with your log.

    Start by going to this link: (It will tell you how to delete your temp files)
    http://www.personal-computer-tutor.com/deletingtempfiles.htm

    Empty the recycle bin.

    Delete the contents of the "temp internet files" folder and completely delete the cache folders by doing this:

    Open Internet Explorer. Then click on TOOLS in the top toolbar. Click on "Internet Options..." from the drop-down menu.
    A new smaller window will display. Under the "General" tab, in the middle, are 3 buttons.
    Click the Delete Cookies button - then a small warning box pops up. Click OK.
    Click the Delete Files button - a small warning box pops up. Check the box for "Delete all offline content" and click OK.
    Then on the same General tab, click Clear History, then click OK.


    Download Spybot S&D. Check for updates first, download ALL updates and do a scan. When finished, make sure ALL RED items have been ticked, and click the "Fix Selected Problems" button.

    Let me know how that goes and if that helps.
     
  5. crmurr

    crmurr Registered Member

    Joined:
    May 27, 2004
    Posts:
    18
    Taz, thanks for the guidance.

    I ran the procedures you specified. There were about 40 temporary files and folders identified in the search using the wildcards provided by the recommended website. About a dozen of those would not allow deletion but disappeared after rebooting.

    There were apparently a lot of Temp Internet Files that were deleted from IE; it took about a minute for the deletion to finish. No problem with deleting cookies and history in IE.

    Spybot identified only two items and removed them. We had run Ad-Aware prior to posting the Hijack log yesterday.

    The objectionable image still appears during part of the boot process (before Desktop icons appear). It also appears after pressing Ctrl-Alt-Delete.

    Do you have any guidance on where to look for the offending image?

    The performance of the system continues to be very sluggish, but there is a lot of stuff installed and a number of items that start when the system boots.

    Thanks again and hope to hear from you about the continuing issue.

    crmurr
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi crmurr,

    Can you find desktop.ini, open it in Notepad and post the content?

    Regards,

    Pieter
     
  7. crmurr

    crmurr Registered Member

    Joined:
    May 27, 2004
    Posts:
    18
    Pieter,

    Sorry for the delayed response.

    When I opened Desktop Properties and looked at the list of screen background files there was nothing unusual. I then set the background to <None>. After that change the offending background image no longer appeared.

    I do not have access to the problem system right now. I will get the desktop.ini at the next opportunity and post.

    Thanks,

    crmurr
     