180search assistant and Visual Log

My computer has been running very slow lately. I updated and ran Adaware SE and Spybot Search and Destroy. Neither found anything. I also ran Spysweeper. It found 2 items with 6 traces. The items were 180search assistant and Visual Log. It says it removes 2 traces and ignores 4. This occurs even in safe mode. When I run it again it finds the same items and the same 6 traces. For the record I am the system administrator for my company and I did not install the Visual Log on this computer. Spysweeper shows the registry key for 180search assistant as:
[Registry Entry] HKEY_CURRENT_USER\software\msbb

The registry entry for Visual Log is:
[Registry Entry] HKEY_CURRENT_USER\software\qsetup_dyn_data

The following is my current Hijack This log. I am running Windows XP SP2.

Logfile of HijackThis v1.99.1
Scan saved at 1:31:25 PM, on 3/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\bgsmsnd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSMNT.EXE
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\MSWorks\Calendar\Wkcalrem.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HIJACK THIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=AdSubtract:4444
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [HideOutlook] "C:\Program Files\r2 Studios\HideOutlook\HideOutlook.exe"
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
O4 - HKCU\..\Run: [bgsmsnd.exe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\bgsmsnd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Documents and Settings\Timothy B. Richards\Desktop\FREERAM XP PRO 1.4\framxpro\FreeRAM XP Pro 1.40.exe" -win
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O4 - Startup: yvReminder.lnk = C:\RECYCLER\NPROTECT\00038504.EXE
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O4 - Global Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINSMNT.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1108995325968
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E163238-6CCF-427B-8EE7-6B2A1F303F77}: Domain = freemanscarstereo.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E163238-6CCF-427B-8EE7-6B2A1F303F77}: NameServer = 64.105.199.74,61.105.212.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E163238-6CCF-427B-8EE7-6B2A1F303F77}: Domain = freemanscarstereo.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E163238-6CCF-427B-8EE7-6B2A1F303F77}: NameServer = 64.105.199.74,61.105.212.250
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Any help would be appreciated.
Thanks

jiffytech

Comments

  • Buckeye_Sam Columbus, Ohio
    edited March 2005
    I'm not seeing anything nasty in your log. Here are some optional fixes that you can make with HijackThis that should make you run a little bit faster.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
    O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE
    O4 - Startup: yvReminder.lnk = C:\RECYCLER\NPROTECT\00038504.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\MSWorks\Calendar\WKCALREM.EXE



    I'd recommend one more opinion before you worry too much about Spysweeper's results.

    Download and run Microsoft's Antispyware application.

    http://www.microsoft.com/athome/security/spyware/software/default.mspx

    If it doesn't find anything, and Adaware and Spybot both come back clean, then you can safely disregard anything that Spysweeper finds.
  • edited March 2005
    Thank you for your quick response. Microsoft's Antispyware application did not find anything. I will use Hijack This to fix the problems as you suggested.
  • Dexter Vancouver, BC Canada
    edited April 2005
    A little more advice for you:

    Visual Log is a keylogger, if you weren't already aware of that. A good rundown of it is here; manually check the files and reg settings indicated there to make sure all traces of it are gone from the system.

    Go Back is a resource-heavy program, and since you are running Windows XP, you may not need it, as System Restore performs the same function. Go Back does give some added features, but if you are not actively using Go Back (it may have been bundled with your Norton software, as Symantec bought this software from Roxio) you may want to uninstall it and just use System Restore. That may free up some resources; there are 2 active processes from Go Back that will be freed up (plus I believe one of the Svchost entries). Check your Task Manager to see how much RAM the 2 Roxio items are using, and see how much RAM you have free, and determine from there if you think it is worth keeping the program on, especially since XP's own System Restore does a pretty good job of managing rollback functions anyways.

    Dexter...
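
The cross-check done by hand in the replies above (which startup items and services in a HijackThis log are actually running) can be scripted. This is an added example, not part of the original thread or of HijackThis; the function names are hypothetical and the sample is an excerpt of the log posted above.

```python
import re
from ntpath import basename  # Windows path rules, works on any OS

# Excerpt of the HijackThis log posted above (a subset of its lines).
SAMPLE_LOG = r"""Running processes:
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\MSWorks\Calendar\Wkcalrem.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: yvReminder.lnk = C:\RECYCLER\NPROTECT\00038504.EXE
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
"""

# Section code (R0, O4, O23, ...) followed by " - " and the entry body.
ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")
# First drive-rooted .exe path in an entry body; bare names are skipped.
EXE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)

def parse_log(text):
    """Return (running process paths, [(section code, entry body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if line == "Running processes:":
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def autostarts(entries):
    """Executable targets of O4 (startup) and O23 (service) entries."""
    found = []
    for code, body in entries:
        m = EXE.search(body) if code in ("O4", "O23") else None
        if m:
            found.append((code, m.group(1)))
    return found

def running_autostarts(text):
    """Autostart targets whose file name matches a running process."""
    processes, entries = parse_log(text)
    running = {basename(p).lower() for p in processes}
    return [(c, p) for c, p in autostarts(entries)
            if basename(p).lower() in running]
```

Matching is by file name only, so 8.3 short paths such as `C:\PROGRA~1\...` still line up with their long-path form in the process list.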