Speedy, if you don't mind...



TiJay
26-04-2006, 04:31 AM
Can you check this log out? My computer is running REALLY slow. I know it has something to do with the AdobeGamma taking 60M+, but if there is anything else you see, this slow boot up/shut down sucks. I know it's going to run slow just because I'm on a roaming user network - but this is just torture...

zqwerty
26-04-2006, 09:16 AM
Uhhh, where is the log?

TiJay
26-04-2006, 09:39 AM
uh...oops...

Logfile of HijackThis v1.99.1
Scan saved at 11:26:57 AM, on 4/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Symantec AntiVirus\DefWatch.exe
D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\WINDOWS\system32\HPZipm12.exe
D:\Program Files\Symantec AntiVirus\SavRoam.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Symantec AntiVirus\Rtvscan.exe
D:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe
D:\WINDOWS\explorerTiJay.exe
D:\WINDOWS\BCMSMMSG.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\PROGRA~1\SYMANT~1\VPTray.exe
D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\WINDOWS\Logi_MwX.Exe
D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
D:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe
D:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\AWS\WEATHE~1\Weather.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
D:\Program Files\Yahoo!\Messenger\ypager.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Logitech\SetPoint\SetPoint.exe
D:\Documents and Settings\TiJay.OUTCOMEMEDICAL\Start Menu\Programs\Startup\ZAdobeGammaLoader.exe
D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\HijackThis.exe
D:\Documents and Settings\TiJay.OUTCOMEMEDICAL\Start Menu\Programs\Startup\ZAdobeGammaLoader.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [http://search.msn.com/spbasic.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
F2 - REG:system.ini: Shell=explorerTiJay.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - D:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD08] D:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "D:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeperEnterprise] "D:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeperUI.exe" /StartInTray
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "D:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE"
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] D:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [RoboForm] "D:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BitTorrent.lnk = D:\Program Files\BitTorrent\bittorrent.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
O4 - Startup: ZAdobeGammaLoader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = D:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Customize Menu - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Options - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComOptions.html
O8 - Extra context menu item: RoboForm Toolbar - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Generate - {320AF880-6646-11D3-ABEE-C5DBF3571F50} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O9 - Extra 'Tools' menuitem: Password Generator - {320AF880-6646-11D3-ABEE-C5DBF3571F50} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComPasswordGenerator.html
O9 - Extra button: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra 'Tools' menuitem: Set Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F52} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComSetFields.html
O9 - Extra button: Reset Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F53} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComResetFields.html
O9 - Extra 'Tools' menuitem: Reset Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F53} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComResetFields.html
O9 - Extra button: Clear Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F54} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html
O9 - Extra 'Tools' menuitem: Clear Fields - {320AF880-6646-11D3-ABEE-C5DBF3571F54} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://D:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136901185281
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = outcomemedical.local
O17 - HKLM\Software\..\Telephony: DomainName = outcomemedical.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{91E3CB7C-E366-418C-9C38-CA45E3D358E0}: NameServer = 72.17.238.226
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = outcomemedical.local
O20 - Winlogon Notify: NavLogon - D:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - D:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: WRNotifier - D:\WINDOWS\SYSTEM32\WRLogonNtf.DLL
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - D:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - D:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - D:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - D:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Webroot CommAgent Service (WebrootCommAgentService) - Webroot Software, Inc. - D:\Program Files\Webroot\Enterprise\Spy Sweeper\CommAgent.exe
O23 - Service: WebrootSpySweeperService - Webroot Software, Inc. - D:\Program Files\Webroot\Enterprise\Spy Sweeper\SpySweeper.exe

Speedy Gonzales
26-04-2006, 10:02 AM
Hmm, boot into safe mode, run HijackThis again, tick these entries and tick Fix checked.

I don't know what this is.

D:\WINDOWS\explorerTiJay.exe

D:\PROGRA~1\AWS\WEATHE~1\Weather.exe - This is adware.

I don't know what this is (do you?).

D:\Documents and Settings\TiJay.OUTCOMEMEDICAL\Start Menu\Programs\Startup\ZAdobeGammaLoader.exe

D:\Documents and Settings\TiJay.OUTCOMEMEDICAL\Start Menu\Programs\Startup\ZAdobeGammaLoader.exe

F2 - REG:system.ini: Shell=explorerTiJay.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKCU\..\Run: [Weather] D:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?

TiJay
26-04-2006, 10:32 AM
explorerTiJay.exe is a hack I added - all it is is a different explorer file where I changed some text so my Start menu doesn't say 'Start'; it says SAY MY NAME!! and many of the menu items are renamed... (Control Panel is now called CockPit). That is nothing but different text in the resource file. I kinda figured WeatherBug was adware, but it's so damned useful - I guess I will make a shortcut to weather.com :P

As for the ZAdobeGammaLoader.exe - I have no clue, and my Google searches are turning up fruitless... but I do know that it is a big memory hog (60M), but I didn't wanna delete it if I wasn't sure.

I set system.ini to automatically run explorerTiJay.exe as opposed to explorer.exe - no harm there.

I am about to head out for the day - I've already put in too much overtime for my boss to be happy, so I will let you know if that helps tomorrow... thanks a billion

Safari
26-04-2006, 10:47 AM
AdobeGammaLoader.exe is used by Adobe Photoshop.

ZAdobeGammaLoader.exe can be a worm TR/Click.VB.MN
Antivirus should pick it up.

SolMiester
26-04-2006, 07:26 PM
And with a 'Roaming Profile', you are going to carry that around the office workstations!!

Edit & back to the server.................

TiJay
27-04-2006, 01:44 AM
I am using Symantec Antivirus 10.1 - I would think (as long as ZAdobeGammaLoader.exe has been on my computer) Symantec would have noticed it by now... the 6-day war has been changed to a daily war. Symantec stopped putting out new definitions only on Wednesday and started putting them out daily. Yet I will search Symantec's site for more information.

And before I start tickin' the boxes: What does HijackThis do, actually? My MSN Messenger is an easy way for the people who work at this company to keep in touch when they are out of town/state. There are a few things I don't want deleted. If that's what this does, I'll not tick it.

Thanks

Greg
27-04-2006, 01:53 AM
My MSN Messenger is an easy way for the people who work at this company to keep in touch when they are out of town/state. There are a few things I don't want deleted. If that's what this does, I'll not tick it.
Messenger isn't the same thing as MSN Messenger. Messenger is just an evil exploitable addition to Windows.

TiJay
27-04-2006, 03:15 AM
Oh yea...duh...:P I remember now:

Messenger is VERY easy to exploit because it doesn't judge what comes in or out, it bypasses the antivirus, and it is nothing more than an open port... leaving a computer open to anyone... kk - it's ticked :P

Speedy Gonzales
27-04-2006, 08:54 AM
Ticking the entries in HijackThis will remove the entries / remove them from running on startup. It won't remove them completely until you go to Add/Remove Programs and uninstall them.

I would look in Add / remove programs. See if there's an entry with Weather in it as well. Uninstall it, it most probably belongs to Weatherbug.

You can leave those entries in relating to explorerTiJay.exe then. Since you know what it is / does.
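
The point Speedy makes is that a HijackThis "fix" only deletes the autostart hook (the Run value, the Startup shortcut, the system.ini Shell= line), not the program behind it, so it helps to know what each log line actually refers to. The following is an added example, not HijackThis code and not anything posted in this thread: a small parser for the O4 and F2 line formats seen in the log above that expands HijackThis's `HKLM\..\Run` abbreviation to the full `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` key and flags three things a reviewer would look at first: a Winlogon shell that is not `explorer.exe`, two Run values launching the same executable, and a bare `.exe` dropped into the Startup folder instead of a `.lnk` shortcut. The sample log is constructed for the example (modelled on the entries in the thread), and the three heuristics are this example's own assumptions, not HijackThis rules.

```python
import re

# Constructed sample in HijackThis v1.99.1 line format (made up for this example,
# modelled on the kinds of entries in the thread; not a real machine's log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=explorerTiJay.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Weather] D:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: ZAdobeGammaLoader.exe
O4 - Startup: Adobe Gamma.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# The registry keys that HijackThis abbreviates as HKLM\..\Run and HKCU\..\Run.
RUN_KEYS = {
    r"HKLM\..\Run": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\..\Run": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
}

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?P<rest>.+)$")
# First path component that ends in .exe (quotes and path separators excluded).
EXE_RE = re.compile(r'([^"\\/]+\.exe)', re.IGNORECASE)


def executable_of(command):
    """Return the lower-cased .exe file name a command line launches, if any."""
    m = EXE_RE.search(command)
    return m.group(1).lower() if m else None


def parse(log):
    """Turn F2 and O4 lines into dicts; other line types are ignored here."""
    entries = []
    for raw in log.splitlines():
        raw = raw.strip()
        m = F2_RE.match(raw)
        if m:
            entries.append({"type": "F2", "raw": raw, "shell": m.group("shell").strip()})
            continue
        m = O4_RE.match(raw)
        if not m:
            continue
        loc, rest = m.group("loc"), m.group("rest")
        if loc in RUN_KEYS:
            # Run value: "[ValueName] command line"
            name, _, command = rest.partition("] ")
            name = name.lstrip("[")
        else:
            # Startup / Global Startup folder: "item" or "item.lnk = target"
            name, _, command = rest.partition(" = ")
            command = command or name
        entries.append({
            "type": "O4", "raw": raw, "location": loc,
            "key": RUN_KEYS.get(loc, loc + " folder"),
            "name": name, "command": command,
            "exe": executable_of(command),
            "is_shortcut": name.lower().endswith(".lnk"),
        })
    return entries


def review(log):
    """Apply three review heuristics (assumptions of this example) to a log."""
    entries = parse(log)
    findings = []
    for e in entries:
        if e["type"] == "F2" and e["shell"].lower() != "explorer.exe":
            findings.append(("non-default shell", e["shell"]))
    launched_by = {}
    for e in entries:
        if e["type"] == "O4" and e["exe"]:
            launched_by.setdefault(e["exe"], []).append(e["name"])
    for exe, names in sorted(launched_by.items()):
        if len(names) > 1:
            findings.append(("duplicate autostart", f"{exe} via {', '.join(names)}"))
    for e in entries:
        if e["type"] == "O4" and e["location"].endswith("Startup") and not e["is_shortcut"]:
            findings.append(("raw executable in Startup folder", e["raw"]))
    return findings


if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        if e["type"] == "O4":
            print(f'{e["key"]:<55} {e["name"]:<20} -> {e["exe"]}')
    for kind, detail in review(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```

Run as a script it prints each O4 entry with its expanded registry key or folder, followed by the findings; on the sample above that is the non-default Shell= value, NeroCheck.exe registered twice (under NeroCheck and NeroFilterCheck), and the bare ZAdobeGammaLoader.exe in the Startup folder. The Adobe Gamma.lnk entry is not reported because it is a shortcut to a file under Program Files, which is the form an installer normally leaves behind.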

TiJay
27-04-2006, 09:18 AM
Ok, thanks for the help, speedy - Hopefully it will fix it...

As for ZAdobeGammaLoader, I will post a new thread talking about this so people don't have to go as far to find out what it is...

Speedy Gonzales
27-04-2006, 09:23 AM
Ok, thanks for the help, speedy - Hopefully it will fix it...

As for ZAdobeGammaLoader, I will post a new thread talking about this so people don't have to go as far to find out what it is...

No, don't create a new thread asking what ZAdobeGammaLoader is....

One site (http://discussions.virtualdr.com/showthread.php?threadid=204837) says its a worm TR/Click.VB.MN.

TiJay
27-04-2006, 09:38 AM
However the name of the trojan is Trojan.Adclicker and I also included removal instructions.

And I saw that site in my searches for the exe file... Nothing told me how to deep clean the system...so I went farther into searching..

Speedy Gonzales
27-04-2006, 09:47 AM
Too late now :D

Trojan remover has it in its database, it says:

Trojan.Adclicker. Annoyance Trojan

Generic detection for a program designed to simulate clicks on website banner advertisements to increase traffic artificially.