Not up to Speed - Hijackthis log

Raffe · 07-05-2005, 07:37 PM

Sluggish performance on my computer. When I run Ad-Aware or the Trend online scan, as it's scanning - my installed Trend PcCillin window opens with this:

Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.
Infected file: C:\Program Files\backup-20040506-095259-496.dll
Virus name: SPYW_CLIENTMAN.A

Can't seem to get rid of it - scans come back clean.

Anaylized log below:

Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:27:12 PM, on 7/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\vnxserv.exe
C:\WINDOWS\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINDOWS\system32\vnxserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Thanks for your help!

sUBs · 07-06-2005, 04:09 AM

Start HiJackThis & go to Config>Misc.Tools>Delete a file on reboot....

In the popup box that appears, type in C:\Program Files\backup-20040506-095259-496.dll
Click the "Open" button.
Click "Yes" when prompted to restart your computer now.

Other than that, your log appears clean. Do you have anymore problems?

Raffe · 07-07-2005, 04:42 PM

Things are running OK except my installed Trend Micro PC-cillin always finds the following in it's real time scan:

Real-time Scan
Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified.

Infected file: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP890\A0039075.dll
Virus name: SPYW_CLIENTMAN.A
User name: katie
Scan action result: Denied Access.

Will setting a new restore point get rid of it?

sUBs · 07-07-2005, 04:45 PM

Your log is clean.

Create a new System Restore point

click Start >> Run - type SYSDM.CPL & press Enter
select the System Restore Tab
tick on the checkbox - "Turn off System Restore on all drives"
click Apply
then untick the same checkbox & click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

If you do not have a firewall, here are 3 free ones available for personal use:

and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.

Raffe · 07-08-2005, 03:00 PM

Things are lookin' good. Thanks for your expertise!

07-05-2005, 07:37 PM	#1 (permalink)
Raffe Registered User Join Date: Jun 2005 Posts: 11 OS: XP	Not up to Speed - Hijackthis log Sluggish performance on my computer. When I run Ad-Aware or the Trend online scan, as it's scanning - my installed Trend PcCillin window opens with this: Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified. Infected file: C:\Program Files\backup-20040506-095259-496.dll Virus name: SPYW_CLIENTMAN.A Can't seem to get rid of it - scans come back clean. Anaylized log below: Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05 Get updates at http://www.greyknight17.com/download.htm#programs *Security Programs Detected* C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Logfile of HijackThis v1.99.1 Scan saved at 9:27:12 PM, on 7/5/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Dell Support\DSAgnt.exe C:\WINDOWS\system32\vnxserv.exe C:\WINDOWS\notepad.exe C:\Program Files\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/ O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup O15 - Trusted Zone: .musicmatch.com O15 - Trusted Zone: .musicmatch.com (HKLM) O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409 O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/pro...tor/WebAAS.cab O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINDOWS\system32\vnxserv.exe O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe End of KRC HijackThis Analyzer Log. ==================================================================== Thanks for your help! Last edited by Raffe; 07-05-2005 at 07:38 PM. Reason: left out info

07-06-2005, 04:09 AM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,422 OS: N/A	Start HiJackThis & go to Config>Misc.Tools>Delete a file on reboot.... In the popup box that appears, type in C:\Program Files\backup-20040506-095259-496.dll Click the *"Open"* button. Click *"Yes"* when prompted to restart your computer now. Other than that, your log appears clean. Do you have anymore problems? __________________ Question - what have you done for the community today?

07-07-2005, 04:42 PM	#3 (permalink)
Raffe Registered User Join Date: Jun 2005 Posts: 11 OS: XP	Virus protection finding this... Things are running OK except my installed Trend Micro PC-cillin always finds the following in it's real time scan: Real-time Scan Trend Micro PC-cillin Internet Security has detected a virus, spyware application, or other Internet threat, and performed the action specified. Infected file: C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP890\A0039075.dll Virus name: SPYW_CLIENTMAN.A User name: katie Scan action result: Denied Access. Will setting a new restore point get rid of it?

07-07-2005, 04:45 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,422 OS: N/A	Your log is clean. Create a new System Restore point click Start >> Run - type SYSDM.CPL & press Enter select the System Restore Tab tick on the checkbox - "Turn off System Restore on all drives" click Apply then untick the same checkbox & click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. SpywareGuard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. If you do not have a firewall, here are 3 free ones available for personal use: Sygate Personal Firewall Kerio Personal Firewall ZoneAlarm and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated. In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Question - what have you done for the community today?

07-08-2005, 03:00 PM	#5 (permalink)
Raffe Registered User Join Date: Jun 2005 Posts: 11 OS: XP	It's all good Things are lookin' good. Thanks for your expertise!