[jackkv]

Same deal, Kristy. I got home, turned on the computer, and everything was great for about 10 minutes. The balloon message then appeared, and a few minutes later, it really slowed down, as it has for the past several weeks. It's like it processes everything slowly - even as I type this, it takes a handful of seconds for the words to appear on my screen - a big lag time.

Anyway, here is my HiJack This log right now while this is slow.

Logfile of HijackThis v1.99.1
Scan saved at 5:47:39 PM, on 7/6/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\COMPAQ\CPQINET\CPQINET.EXE
C:\PROGRAM FILES\COMPAQ\DIGITAL DASHBOARD\DEVGULP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\PCTVOICE.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMON32.EXE
C:\PROGRAM FILES\SBC SELF SUPPORT TOOL\SMARTBRIDGE\MOTIVESB.EXE
C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMON32.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\EAUSBKBD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presa...onsumer&LC=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
F1 - win.ini: run=C:\WINDOWS\hpfsched.exe
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://yahoo.sbc.com/dsl"); (C:\Program Files\Netscape\Users\User00\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe
O4 - HKLM\..\Run: [CPQInet] c:\compaq\CPQInet\CpqInet.exe
O4 - HKLM\..\Run: [Digital Dashboard] C:\Program Files\Compaq\Digital Dashboard\DevGulp.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\PROGRAM FILES\VISUAL NETWORKS\VISUAL IP INSIGHT\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [OmgStartup] C:\Program Files\Common Files\Sony Shared\OpenMG\OmgStartup.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\PROGRAM FILES\SBC YAHOO!\CONNECTION MANAGER\IP INSIGHT\IPMon32.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [NetMDSB] C:\PROGRAM FILES\SONY\MD SIMPLE BURNER\NETMDSB.EXE -start
O4 - HKLM\..\RunServices: [panda cleaner] %SystemRoot%\pavdr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O12 - Plugin for .mp3: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npwinamp.dll
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .wav: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npaudio.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

[Advertisements]

One more thing that might help you solve this problem: After I posted the last Hijack This log, I restarted my computer (I have to constantly do that because it gets so slow) - when the computer rebooted, I got a message that said, "Explorer has caused an error in KERNEL32.DLL. Explorer will now close. If you continue to experience problems, try restarting your computer."

[jackkv]

One more thing that might help you solve this problem: After I posted the last Hijack This log, I restarted my computer (I have to constantly do that because it gets so slow) - when the computer rebooted, I got a message that said, "Explorer has caused an error in KERNEL32.DLL. Explorer will now close. If you continue to experience problems, try restarting your computer."

[Kristy]

Hello jackkv,

Please download spyware-scan , save it to your desktop and run it.

Let me know the results.

~Kristy

[jackkv]

OK, here's what it says ...

Summary of Privacy Threats:

3 item(s) classified as Adware
8 item(s) classified as Cookie
1 item(s) classified as Browser Hijacker

ADW_Balloon.A (1 item)
centrport.net (1 item)
pointroll.com (1 item)
Zedo.com (1 item)
2o7.net (1 item)
insightexpressai.com (1 item)
go.com (1 item)
Profiling Cookie (1 item)
ImrWorldWide.com (1 item)
Effective-i Inc. (1 item)
Realsearch.cc (1 item)
BHOT_IBISLLC (1 item)

I'll wait to hear from you before I choose the "Clean Threats Now" option. Thanks.

[Kristy]

Hello jackkv,

Go ahead and click the "Clean Threats Now" button. It will make a registry backup, which may take some time, so try to wait it out if it does.

~Kristy

[jackkv]

Just did the Clean Threats - didn't take long at all, just gave a warning that deleting some of the files may cause some software to function improperly. Hmm ... what next?

[Kristy]

How is your computer running? Any better?

~Kristy

[jackkv]

Still slow - should I reboot, surf around for a while and check back in?

[Kristy]

Hello jackkv,

First there are a couple more things I would like you to try. Let's do this scan first.

I would like you to go to this site. Register, for Corporation name use anything you want.

Let the program scan and DELETE anything it wants to.

Try to copy any report that it offers and paste it in your next reply.

~Kristy

[Kristy]

Please do this as well.

Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/
start it and paste in

cs*.exe

hit ok, wait, then when wordpad opens copy that back here please
Note: Your antivirus script protection might interfere, its safe, please allow it to run.

do two more searches also please
cs???.exe
cisvvc.exe

~Kristy

Edited by Rustymilo, 06 July 2005 - 09:15 PM.

[jackkv]

Here's what Kaspersky had to say:

The scan is complete.
Attention, your computer is infected.
The following infected files/objects were found during the scan:

KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Wednesday, July 06, 2005 20:51:44
Operating System: Microsoft Windows Millennium Edition
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 7/07/2005
Kaspersky Anti-Virus database records: 129509
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\

Scan Statistics:
Total number of scanned objects: 26462
Number of viruses found: 4
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 2948 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\cisvvc.exe Infected: Trojan-Clicker.Win32.Agent.db
c:\WINDOWS\SYSTEM\drv2cltr.dll Infected: Trojan-PSW.Win32.Agent.am
c:\WINDOWS\SYSTEM\cscgn.exe Infected: Trojan-Dropper.Win32.Agent.nj
c:\Recycled\Q330995.exe Infected: Trojan-Downloader.Win32.Agent.ew
c:\!Submit\drv2cltr.dll Infected: Trojan-PSW.Win32.Agent.am

Scan process completed.

[Kristy]

Hello jackkv,

First please do this

  Please do this as well.

Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/
start it and paste in

cs*.exe

hit ok, wait, then when wordpad opens copy that back here please
Note: Your antivirus script protection might interfere, its safe, please allow it to run.

do two more searches also please
cs???.exe
cisvvc.exe

~Kristy

Next,

* Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

c:\WINDOWS\SYSTEM\cisvvc.exe
c:\WINDOWS\SYSTEM\drv2cltr.dll
c:\WINDOWS\SYSTEM\cscgn.exe
c:\Recycled\Q330995.exe
c:\!Submit\drv2cltr.dll

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Let me know how your computer is working.

~Kristy

Edited by Rustymilo, 06 July 2005 - 10:22 PM.

[jackkv]

Kristy,

When I try to do a search in the registry, I get an error message that says:

Windows Script Host
Script: C:\WINDOWS\TEMP\TD_0007.DIR\RegSrch.vbs
Line: 40
Char: 5
Error: Permission denied
Code: 800A0046
Source: Microsoft VBScript run time error

This happens with cs*.exe, cs???.exe and cisvvc.exe

[Kristy]

Hello jackkv,

Okay, we will have to skip that part. Continue on with the Killbox part.

~Kristy

[jackkv]

Kristy,

Went throught the KillBox procedure and things went well for as long a time as I've seen in several weeks now. Out of curiosity, I rebooted, and re-ran Kapersky. Here's what it comes up with:

KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Thursday, July 07, 2005 06:10:06
Operating System: Microsoft Windows Millennium Edition
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 7/07/2005
Kaspersky Anti-Virus database records: 129523
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
e:\

Scan Statistics:
Total number of scanned objects: 26947
Number of viruses found: 4
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 3007 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\cisvvc.exe Infected: Trojan-Clicker.Win32.Agent.db
c:\_RESTORE\TEMP\DRV2CLTR.0 Infected: Trojan-PSW.Win32.Agent.am
c:\_RESTORE\TEMP\CSCGN.0 Infected: Trojan-Dropper.Win32.Agent.nj
c:\_RESTORE\TEMP\Q330995.0 Infected: Trojan-Downloader.Win32.Agent.ew
c:\_RESTORE\TEMP\DRV2CLTR.1 Infected: Trojan-PSW.Win32.Agent.am

Scan process completed.
____________________________________________________________________

So obviously these things are triggered by restarting the computer. It appears we're on the right track though ....