slow PC (started in Core Hardware) - and merged here



jes
10-19-2007, 02:28 PM
I just noticed this yesterday, my PC seems to have slowed down considerably. Specifically I am noticing that it suddenly takes much longer to open programs. I had installed a software firewall but I have since uninstalled it and operations are still sluggish. AVG Pro can find no viruses and neither Windows Defender nor Ad-Aware can find any spyware. I thought that one of my RAM chips may have somehow slipped out of the slot but they seem to be fine and Windows still recognizes the same 1014 MB. What else could I try?

saphalline
10-19-2007, 05:24 PM
Pending any info about recent changes to the system, you should post an HJT log in the security section of the forums. Let the experts look it over.

jes
10-19-2007, 08:35 PM
I don't think that I have made any recent changes to this system. I have posted my HJT log in the security section under this thread name.

jes
10-19-2007, 08:36 PM
Logfile of HijackThis v1.99.1
Scan saved at 5:45:02 PM, on 19/10/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\mobsync.exe
C:\hp\kbd\kbd.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Jesse\AppData\Local\Temp\Temp1_hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

Budfred
10-19-2007, 09:16 PM
Is this Vista??

Before you do anything else, please extract HJT to a permanent folder or download and install the latest version...

Then please do this:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop (it needs to be run from the Desktop).
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...

jes
10-19-2007, 11:58 PM
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:54:56 PM, on 19/10/2007
Platform: Windows Vista (WinNT 6.00.1904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hp\kbd\kbd.exe
C:\Users\Jesse\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6621 bytes


Yeah, it's Vista.

Budfred
10-20-2007, 12:01 AM
Did you run ComboFix first??

jes
10-20-2007, 12:01 AM
ComboFix 07-10-19.1 - Jesse 2007-10-19 21:45:05.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.535 [GMT -6:00]
Running from: C:\Users\Jesse\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\avgwlntf.dll
C:\Windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-19 21:43 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-19 21:08 <DIR> d-------- C:\Users\Jesse\AppData\Roaming\ATI
2007-10-19 21:04 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2007-10-19 21:03 <DIR> d-------- C:\Program Files\ATI Technologies
2007-10-19 21:03 <DIR> d-------- C:\Program Files\ATI
2007-10-18 23:35 <DIR> d-------- C:\Users\All Users\Lavasoft
2007-10-18 23:35 <DIR> d-------- C:\ProgramData\Lavasoft
2007-10-18 23:35 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-18 23:34 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-18 18:28 <DIR> d-------- C:\Users\Jesse\AppData\Roaming\PCToolsFirewallPlus
2007-10-18 18:22 <DIR> d-------- C:\Program Files\PC Tools Firewall Plus
2007-10-15 10:39 <DIR> d-------- C:\Users\All Users\Apple Computer
2007-10-15 10:39 <DIR> d-------- C:\ProgramData\Apple Computer
2007-10-15 10:39 <DIR> d-------- C:\Program Files\QuickTime
2007-10-15 10:36 <DIR> d-------- C:\Users\All Users\Apple
2007-10-15 10:36 <DIR> d-------- C:\ProgramData\Apple
2007-10-15 10:36 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-14 20:05 <DIR> d-------- C:\Temp
2007-10-14 20:00 <DIR> d-------- C:\Program Files\Packet Tracer 4.1
2007-10-14 16:11 <DIR> d-------- C:\Users\All Users\Google
2007-10-14 16:11 <DIR> d-------- C:\Program Files\Google
2007-10-14 14:08 229,888 --a------ C:\WINDOWS\System32\msshsq.dll
2007-10-14 13:42 <DIR> d-------- C:\Users\Jesse\Shared
2007-10-14 13:42 <DIR> d-------- C:\Users\Jesse\Incomplete
2007-10-14 13:42 <DIR> d-------- C:\Users\Jesse\AppData\Roaming\LimeWire
2007-10-14 13:42 <DIR> d-------- C:\Program Files\LimeWire
2007-10-14 11:07 <DIR> d-------- C:\Users\Jesse\AppData\Roaming\OpenOffice.org2
2007-10-13 21:44 <DIR> d-------- C:\Program Files\CCleaner
2007-10-13 21:28 <DIR> d-------- C:\Users\Jesse\AppData\Roaming\Winamp
2007-10-13 21:28 <DIR> d-------- C:\Program Files\Winamp
2007-10-13 21:23 <DIR> d-------- C:\Users\Jesse\AppData\Roaming\AVG7
2007-10-13 21:22 <DIR> d-------- C:\Users\All Users\Grisoft
2007-10-13 21:22 <DIR> d-------- C:\Users\All Users\avg7
2007-10-13 21:22 <DIR> d-------- C:\ProgramData\Grisoft
2007-10-13 21:22 <DIR> d-------- C:\ProgramData\avg7
2007-10-13 21:22 47,104 --a------ C:\WINDOWS\System32\drivers\avgwfp.sys
2007-10-13 21:10 <DIR> d-------- C:\Program Files\OpenOffice.org 2.3
2007-10-13 21:10 <DIR> d-------- C:\Program Files\Java
2007-10-13 21:10 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-13 20:44 <DIR> d-------- C:\WINDOWS\PCHEALTH
2007-10-13 20:44 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-13 20:07 <DIR> d-------- C:\Users\Jesse\AppData\Roaming\Thunderbird
2007-10-13 20:07 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-10-13 19:54 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-13 19:46 205,824 --a------ C:\WINDOWS\System32\msoeacct.dll
2007-10-13 19:46 87,040 --a------ C:\WINDOWS\System32\msoert2.dll
2007-10-13 19:46 39,424 --a------ C:\WINDOWS\System32\ACCTRES.dll
2007-10-13 19:45 376,320 --a------ C:\WINDOWS\System32\winsrv.dll
2007-10-13 19:45 49,664 --a------ C:\WINDOWS\System32\csrsrv.dll
2007-10-13 19:43 2,048 --a------ C:\WINDOWS\System32\tzres.dll
2007-10-13 19:42 374,456 --a------ C:\WINDOWS\System32\mcupdate_GenuineIntel.dll
2007-10-13 19:40 8,147,968 --a------ C:\WINDOWS\System32\wmploc.DLL
2007-10-13 19:40 414,208 --a------ C:\WINDOWS\System32\msscp.dll
2007-10-13 19:40 356,864 --a------ C:\WINDOWS\System32\MediaMetadataHandler.dll
2007-10-13 19:40 7,680 --a------ C:\WINDOWS\System32\spwmp.dll
2007-10-13 19:40 4,096 --a------ C:\WINDOWS\System32\dxmasf.dll
2007-10-13 19:39 396,800 --a------ C:\WINDOWS\System32\MPSSVC.dll
2007-10-13 19:39 392,192 --a------ C:\WINDOWS\System32\FirewallAPI.dll
2007-10-13 19:39 178,688 --a------ C:\WINDOWS\System32\iphlpsvc.dll
2007-10-13 19:39 86,016 --a------ C:\WINDOWS\System32\icfupgd.dll
2007-10-13 19:39 63,488 --a------ C:\WINDOWS\System32\drivers\mpsdrv.sys
2007-10-13 19:39 61,952 --a------ C:\WINDOWS\System32\cmifw.dll
2007-10-13 19:39 23,040 --a------ C:\WINDOWS\System32\drivers\tunnel.sys
2007-10-13 19:39 16,896 --a------ C:\WINDOWS\System32\wfapigp.dll
2007-10-13 19:39 15,360 --a------ C:\WINDOWS\System32\drivers\TUNMP.SYS
2007-10-13 19:38 1,191,936 --a------ C:\WINDOWS\System32\msxml3.dll
2007-10-13 19:38 104,448 --a------ C:\WINDOWS\System32\DWWIN.EXE
2007-10-13 19:38 2,048 --a------ C:\WINDOWS\System32\msxml3r.dll
2007-10-13 19:37 4,247,552 --a------ C:\WINDOWS\System32\GameUXLegacyGDFs.dll
2007-10-13 19:37 1,686,528 --a------ C:\WINDOWS\System32\gameux.dll
2007-10-13 19:34 3,504,824 --a------ C:\WINDOWS\System32\ntkrnlpa.exe
2007-10-13 19:34 3,470,008 --a------ C:\WINDOWS\System32\ntoskrnl.exe
2007-10-13 19:34 704,000 --a------ C:\WINDOWS\System32\PhotoScreensaver.scr
2007-10-13 19:34 269,824 --a------ C:\WINDOWS\System32\schannel.dll
2007-10-13 19:34 220,160 --a------ C:\WINDOWS\System32\ntprint.dll
2007-10-13 19:34 61,440 --a------ C:\WINDOWS\System32\ntprint.exe
2007-10-13 19:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-13 19:32 2,026,496 --a------ C:\WINDOWS\System32\win32k.sys
2007-10-13 19:32 750,080 --a------ C:\WINDOWS\System32\qmgr.dll
2007-10-13 19:32 633,856 --a------ C:\WINDOWS\System32\user32.dll
2007-10-13 19:23 <DIR> dr------- C:\Users\Jesse\Searches
2007-10-13 19:23 <DIR> dr------- C:\Users\Jesse\Contacts
2007-10-13 19:22 1,712,984 --a------ C:\WINDOWS\System32\wuaueng.dll
2007-10-13 19:22 1,524,224 --a------ C:\WINDOWS\System32\wucltux.dll
2007-10-13 19:22 549,720 --a------ C:\WINDOWS\System32\wuapi.dll
2007-10-13 19:22 163,000 --a------ C:\WINDOWS\System32\wuwebv.dll
2007-10-13 19:22 80,896 --a------ C:\WINDOWS\System32\wudriver.dll
2007-10-13 19:22 53,080 --a------ C:\WINDOWS\System32\wuauclt.exe
2007-10-13 19:22 43,352 --a------ C:\WINDOWS\System32\wups2.dll
2007-10-13 19:22 33,624 --a------ C:\WINDOWS\System32\wups.dll
2007-10-13 19:22 31,232 --a------ C:\WINDOWS\System32\wuapp.exe
2007-10-13 19:21 <DIR> d-------- C:\Users\Jesse\AppData\Roaming\Hewlett-Packard
2007-10-13 19:18 <DIR> dr------- C:\Users\Jesse\Videos
2007-10-13 19:18 <DIR> dr------- C:\Users\Jesse\Saved Games
2007-10-13 19:18 <DIR> dr------- C:\Users\Jesse\Pictures
2007-10-13 19:18 <DIR> dr------- C:\Users\Jesse\Music
2007-10-13 19:18 <DIR> dr------- C:\Users\Jesse\Links
2007-10-13 19:18 <DIR> dr------- C:\Users\Jesse\Downloads
2007-10-13 19:18 <DIR> dr------- C:\Users\Jesse\Documents
2007-10-13 19:18 <DIR> d-------- C:\Users\Jesse\AppData\Roaming\Media Center Programs

continued in next....

jes
10-20-2007, 12:02 AM
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-14 03:55 --------- d-----w C:\Program Files\Yahoo!
2007-10-14 03:55 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-14 02:27 --------- d-----w C:\Program Files\Compaq Connections
2007-10-14 02:25 --------- d-----w C:\Program Files\Real
2007-10-14 02:25 --------- d-----w C:\Program Files\Common Files\Real
2007-10-14 02:21 --------- d-----w C:\ProgramData\WildTangent
2007-10-14 02:18 --------- d-----w C:\Program Files\HP
2007-10-14 02:15 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-14 01:50 --------- d-----w C:\Program Files\Windows Mail
2007-10-14 01:50 --------- d-----w C:\Program Files\Windows Defender
2007-10-14 01:50 --------- d-----w C:\Program Files\Windows Calendar
2007-10-14 01:47 70,144 ----a-w C:\Windows\system32\drivers\pacer.sys
2007-10-14 01:47 619,008 ----a-w C:\Windows\system32\drivers\dxgkrnl.sys
2007-10-14 01:47 61,952 ----a-w C:\Windows\system32\drivers\wanarp.sys
2007-10-14 01:47 48,640 ----a-w C:\Windows\system32\drivers\ndproxy.sys
2007-10-14 01:47 20,480 ----a-w C:\Windows\system32\drivers\ndistapi.sys
2007-10-14 01:37 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2007-10-14 01:37 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2007-10-14 01:37 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2007-10-14 01:37 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2007-10-14 01:36 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-10-14 01:33 53,760 ----a-w C:\Windows\system32\drivers\hdaudbus.sys
2007-10-14 01:33 12,800 ----a-w C:\Windows\system32\drivers\fs_rec.sys
2007-10-14 01:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-14 01:31 --------- d-----w C:\ProgramData\Symantec
2007-10-14 01:25 --------- d-----w C:\ProgramData\Hewlett-Packard
2007-10-14 01:15 1,871 --sha-r C:\Windows\system32\drivers\103C_HP_CPC_RX897AA-ABA SR5050NX_YC_0Pres_QCNX711_E72NAv3PrA2_49_ILEONITE_SASUSTek Computer INC._V5.00_B5.13_T070216_WUH0_L409_M1014_J250_7Intel_8Pentium D_93_#070925_N808627DC_Z14F12F20_G80862772.MRK
2007-10-14 01:14 174 --sha-w C:\Program Files\desktop.ini
2007-10-14 01:13 --------- d-sh--w C:\ProgramData\Templates
2007-10-14 01:13 --------- d-sh--w C:\ProgramData\Start Menu
2007-10-14 01:13 --------- d-sh--w C:\ProgramData\Favorites
2007-10-14 01:13 --------- d-sh--w C:\ProgramData\Documents
2007-10-14 01:13 --------- d-sh--w C:\ProgramData\Desktop
2007-10-14 01:13 --------- d-sh--w C:\ProgramData\Application Data
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-10-13 19:44]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 07:42]
"KBD"="C:\HP\KBD\KbdStub.EXE" [2006-12-08 09:16]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-09-29 14:39]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2006-11-28 14:14]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2006-11-28 14:17]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2006-11-28 14:13]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 08:46 C:\WINDOWS\RtHDVCpl.exe]
"CCUTRAYICON"="FactoryMode" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-13 21:22]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-09 20:31]
"snpstd"="C:\Windows\vsnpstd.exe" [2005-10-11 20:54]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Launcher"=%WINDIR%\SMINST\launcher.exe

R2 DQLWinService;DQLWinService;"C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe"
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys
R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys
S2 IntelDHSvcConf;Intel DH Service;"C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe"
S3 igfx;igfx;C:\Windows\system32\DRIVERS\igdkmd32.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
AutoRun\command - E:\detector.exe

.
************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 21:49:51
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
Completion time: 2007-10-19 21:51:02 - machine was rebooted
.
--- E O F ---

jes
10-20-2007, 12:19 AM
I ran ComboFix and lost track of what was going on. I had to turn off the computer for a while to install my new video card. Then I ran ComboFix again, downloaded and ran the new HJT, and posted the logs here.

Budfred
10-20-2007, 08:22 AM
I ran ComboFix and lost track of what was going on. I had to turn off the computer for a while to install my new video card. Then I ran ComboFix again, downloaded and ran the new HJT, and posted the logs here.
I am not sure what is going on since you ran the ComboFix scan twice, and installing a video card during a malware cleanup is really not a good idea... It makes it much harder for me to help you... For now, I will go with what you gave me... It looks like you have at least 2 anti-spyware apps running in resident mode, so please disable them until the fixes are complete... Then please open a HJT scan and put checks by:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

Close all open windows except HJT and press Fix Checked...

Find and delete:

%WINDIR%\SMINST\launcher.exe

This is odd and I can't find any info on whether it is legit... Do you recognize the company listed in this entry??

2007-10-14 01:15 1,871 --sha-r C:\Windows\system32\drivers\103C_HP_CPC_RX897AA-ABA SR5050NX_YC_0Pres_QCNX711_E72NAv3PrA2_49_ILEONITE_SASUSTek Computer INC._V5.00_B5.13_T070216_WUH0_L409_M1014_J250_7Intel_8Pentium D_93_#070925_N808627DC_Z14F12F20_G80862772.MRK

Please post a fresh HJT log after reboot and let me know how things are going...
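
A small triage script, added here as an example and not part of the thread, of HijackThis, or of ComboFix: it reads lines in the HJT format posted above and flags the same classes of entry Budfred is acting on, namely orphaned pointers marked "(no file)" / "(file missing)", O4 Run values whose command carries no path (resolved through App Paths or PATH, so they need a manual check of which binary actually starts), RunOnce values (which Windows deletes after one run, so one that survives reboots is being re-created by something), and O23 services with no verifiable publisher. The sample lines are copied from the logs in this thread (with the "DQLWinService" path unbroken); the category names and notes are the example's own conventions, not HJT output.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

ORPHAN_MARKERS = ("(no file)", "(file missing)")
# O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> - <owner/publisher> - <image path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str   # "orphan", "bare-name", "runonce" or "unknown-owner" (example's own labels)
    line: str   # the HJT line that triggered it
    note: str   # what to do about it


def triage(log_text: str) -> list:
    """Return a Finding for every HJT entry that needs a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not re.match(r"^[RO]\d+ - ", line):
            continue  # header, process list, blank line
        if any(marker in line for marker in ORPHAN_MARKERS):
            findings.append(Finding("orphan", line,
                "points at a file that is gone; safe to fix, not evidence of infection by itself"))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd").strip().strip('"')
            # No drive letter or directory separator: Windows resolves the name via
            # App Paths / PATH, so a same-named file earlier in the search order wins.
            if not any(sep in cmd for sep in ("\\", "/", ":")):
                findings.append(Finding("bare-name", line,
                    "command has no path; confirm which binary actually runs"))
            if m.group("key").lower() == "runonce":
                findings.append(Finding("runonce", line,
                    "RunOnce values are deleted after they run; one that persists is being re-created"))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(Finding("unknown-owner", line,
                "no verifiable publisher on the service binary; check its signature and hash"))
    return findings


def summarize(findings) -> dict:
    """Count findings per kind, e.g. {'orphan': 3, 'bare-name': 2, ...}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}\n    -> {f.note}")
```

The "orphan" class is the one HJT's Fix Checked handles cleanly, which is why the three entries Budfred ticked are all "(no file)" or RunOnce; the other classes are prompts for a manual check, not automatic removals.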

jes
10-20-2007, 02:35 PM
I removed the three entries that you mentioned first and the %WINDIR%\SMINST\launcher.exe comes back after I remove it.

I am not sure what you mean about 2 resident anti-spyware programs. As far as I know the only one running resident should be Windows Defender but maybe I missed something in that log file. Should I post another now?

Budfred
10-20-2007, 03:38 PM
Yes, that is why I requested another HJT log... It is quite possible that O4 is returning because of the protection programs... This is what I see:

C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

Given the problems with Ad-Aware, I suggest uninstalling it and turning Windows Defender off for the cleanup...

What about that other entry I asked about?? What about how your computer is running??

jes
10-20-2007, 04:09 PM
I uninstalled Ad-Aware. The PC seems to be running smoother now. I didn't know that Ad-Aware had a background agent.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:09 PM, on 20/10/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hp\kbd\kbd.exe
C:\Users\Jesse\Desktop\misc\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6349 bytes

Budfred
10-20-2007, 07:09 PM
It looks like Defender is still running, so it is likely this won't work... However, run it and see or turn off Defender first and then run it...

Please open a HJT scan again and check these:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

Close all open windows except HJT and press Fix Checked...

Find and delete:

%WINDIR%\SMINST\launcher.exe

You never responded to this, please do so... This is odd and I can't find any info on whether it is legit... Do you recognize the company listed in this entry??

2007-10-14 01:15 1,871 --sha-r C:\Windows\system32\drivers\103C_HP_CPC_RX897AA-ABA SR5050NX_YC_0Pres_QCNX711_E72NAv3PrA2_49_ILEONITE_SASUSTek Computer INC._V5.00_B5.13_T070216_WUH0_L409_M1014_J250_7Intel_8Pentium D_93_#070925_N808627DC_Z14F12F20_G80862772.MRK

Please post a fresh HJT log after reboot and let me know how things are going...

jes
10-20-2007, 08:25 PM
I have tried to delete those entries to no avail. How can I deactivate Windows Defender?

As to the other line, it contains the model name of my PC but I don't know SASUSTEK.

Budfred
10-20-2007, 09:26 PM
To disable your Windows Defender Real-time Protection:

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.

jes
10-21-2007, 12:58 PM
I followed your instructions to disable Windows Defender but it is still in the HJT scan and those two lines still will not remove. Maybe there is something else?

http://jesse.sasktelwebsite.net/defender.jpg

Budfred
10-21-2007, 02:58 PM
Sometimes the real time protection used by programs like Windows Defender can interfere with malware cleaning procedures. So if you have been sent to this link, follow the below steps to temporarily disable Windows Defender's Real Time Protection. Please leave it disabled during the cleaning process.

* Open Windows Defender
* Click Tools
* Click General Settings
* Scroll down to Real Time Protection Options
* Uncheck Turn on Real Time Protection (recommended)
* After you uncheck this, click on the Save button
* Close Windows Defender

Once your system has been deemed free from malware, you can re-enable Windows Defender's Real Time Protection.

This is another version of the same instructions... If that isn't working, it may be worthwhile to uninstall Defender and then reinstall it later...

jes
10-21-2007, 03:49 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:06 AM, on 21/10/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\KbdStub.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Grisoft\AVG7\avgw.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\Jesse\Desktop\misc\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=71&bd=Presario&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CCUTRAYICON] FactoryMode
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Intel(R) Alert Service (AlertService) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\Program Files\Common Files\Intel\IntelDH\NMS\AdpPlugins\DQLWinService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6315 bytes


The Windows Security Center claims that Windows Defender is turned off but the fourth running process in the above list mentions Windows Defender. Maybe it is time to uninstall it but how could I reinstall? Would I be able to get it from the Windows update site?

Would it be safe to remove O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing) ? I assume that is a remnant of NAV that I uninstalled after purchasing this preinstalled computer.

Budfred
10-22-2007, 12:30 AM
Yes, you can fix the Symantec entries... And yes, you should be able to get Defender again after you uninstall it... You may even have the install file in your downloads... You can check in Start - Programs to see if it has an uninstaller, but you may just be able to remove it in Add or Remove Programs...

jes
10-23-2007, 04:31 PM
That Symantec entry won't delete. I can't find an uninstaller for Defender nor is it referenced in Programs and Features in the control panel. I have read some help files and found nothing on this topic. I am running Vista, isn't defender built in to the OS so to remove it I would have to remove Windows all together?

Budfred
10-23-2007, 07:22 PM
That Symantec entry won't delete. I can't find an uninstaller for Defender nor is it referenced in Programs and Features in the control panel. I have read some help files and found nothing on this topic. I am running Vista, isn't defender built in to the OS so to remove it I would have to remove Windows all together?

Apparently that is the case... Try this then... Open the Security Center and disable it from there... Then try the fixes again... The Symantec entry will probably not fix until Defender is disabled as well...

Try this for the Symantec:

Go to Start - Run and copy/paste:

sc delete Symantec Lic NetConnect

Once you manage to disable Defender, run the HJT fixes, reboot and post a fresh log... If that Symantec entry still shows up, do the sc delete after disabling Defender...
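A small parser for the HijackThis log format posted in this thread, added here as an example and not code from the thread or from HijackThis: it picks out the entries HJT reports as (file missing) or (no file) and, for O23 lines, builds the sc.exe removal command from the service key name in parentheses (for the Symantec line that is CLTNetCnService), which is the name sc delete expects. The sample lines are constructed from entries quoted above, not the poster's full log.

```python
import re

# Constructed sample lines in HijackThis log format, modelled on the
# entries discussed in this thread (not the poster's full log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\RunOnce: [Launcher] %WINDIR%\\SMINST\\launcher.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe (file missing)
O23 - Service: DQLWinService - Unknown owner - C:\\Program Files\\Common Files\\Intel\\IntelDH\\NMS\\AdpPlugins\\DQLWinService.exe
"""

# Every HJT entry starts with a section code (O2, O4, O23, R0, ...) and " - ".
LINE_RE = re.compile(r"^(?P<section>[ORFN]\d+) - (?P<body>.*)$")
# "Display Name (ServiceName)": the part in parentheses is the key name under
# HKLM\SYSTEM\CurrentControlSet\Services, which is what sc.exe operates on.
SVC_NAME_RE = re.compile(r"^(?P<display>.+?) \((?P<name>[^()]+)\)$")


def parse_hjt(text):
    """Parse HJT log lines into dicts; O23 lines also get display/name/owner/path."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank and "End of file" lines carry no entry
        entry = {"section": m.group("section"), "body": m.group("body")}
        if entry["section"] == "O23" and entry["body"].startswith("Service: "):
            # O23 layout: "Service: <display (name)> - <owner> - <path>"
            parts = entry["body"][len("Service: "):].rsplit(" - ", 2)
            if len(parts) == 3:
                display_part, owner, path = parts
                sm = SVC_NAME_RE.match(display_part)
                # Services with no parenthesised name use the display name as key
                entry["display"] = sm.group("display") if sm else display_part
                entry["name"] = sm.group("name") if sm else display_part
                entry["owner"] = owner
                entry["path"] = path
        entries.append(entry)
    return entries


def is_orphan(entry):
    """True when HJT reports that the binary behind the entry does not exist."""
    body = entry["body"]
    return body.endswith("(file missing)") or body.endswith("(no file)")


def find_orphans(entries):
    """Entries worth reviewing first: registrations pointing at absent files."""
    return [e for e in entries if is_orphan(e)]


def sc_delete_command(entry):
    """Build the sc.exe command for an O23 entry; the key name is quoted."""
    if entry.get("section") != "O23" or "name" not in entry:
        raise ValueError("sc delete applies only to O23 service entries")
    return 'sc delete "%s"' % entry["name"]


if __name__ == "__main__":
    for e in find_orphans(parse_hjt(SAMPLE_LOG)):
        print(e["section"], e["body"])
        if e["section"] == "O23":
            print("  ->", sc_delete_command(e))
```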

jes
10-25-2007, 09:19 PM
I am currently having some problems with my Radeon card. I have had to restore my system in hopes of restoring my system sound. It seems that the bottom line right now is that AMD doesn't support Vista as well as they say they do, yet. I guess I can wait or I can remove the card.

Budfred
10-25-2007, 09:42 PM
I am currently having some problems with my Radeon card. I have had to restore my system in hopes of restoring my system sound. It seems that the bottom line right now is that AMD doesn't support Vista as well as they say they do, yet. I guess I can wait or I can remove the card.

If you restored your system with System Restore, it is likely that you also restored whatever infections have already been cleaned... If you ran the hardware compatibility utility from MS for Vista, it is likely that it is not the hardware that is the problem...

jes
10-27-2007, 12:45 PM
How does Windows Defender disallow some entries to be removed? What if I went to msconfig and stopped Defender from starting? Could I remove the Symantec and other entries then? I would re-enable the Defender startup afterwards, of course.

Budfred
10-27-2007, 11:13 PM
Defender maintains a record of programs that it wants to protect and generally tries to keep things from changing from what it assumes is an intentional pattern... Unfortunately, all of the resident anti-spyware programs do a similar type of thing and this can make it hard to clean up malware at times... When they don't prevent infection, they can prevent cleanup...

It would be best to disable Defender in Windows Security since I think that will make it more likely that the fixes will be permanent... You can enable it again once things are cleaned up, although it may still try to restore them... If so, we can try some other approaches, but it really shouldn't be this difficult...

jes
10-30-2007, 12:00 PM
I blocked Windows Defender from starting through MSconfig but still can't seem to get rid of those entries. What else could be keeping them there?

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

(AMD tech support helped me fix my Radeon card problem)

Budfred
10-30-2007, 08:34 PM
Did you try turning it off in the Security Center?? We can try some brute force methods if needed, but I would go with that first...

Budfred
10-30-2007, 09:08 PM
I have been digging deeper and there are conflicting reports about whether this is actually malware:

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe

It seems that it is common on HP computers with Vista... Are you still having any symptoms of infection...

jes
10-30-2007, 09:42 PM
Actually, since AMD helped me repair the problem with my Radeon card this morning my system seems to be running smoother but I still feel a bit uneasy about having rogue processes running on my PC, especially the Symantec.

My video is no longer onboard but Vista still tells me that I only have 1022 MB. What could be using the last 2 MB?

Budfred
10-30-2007, 11:25 PM
I wouldn't worry too much about that last 2 MB, but you can post in the Hardware forum again if it really troubles you...

Have you actually tried disabling Defender in Security Center to fix the other 2 items??

jes
11-01-2007, 06:37 PM
I assume that you mean the Windows Defender listing in the top-left of the main Security Center Window. Isn't that link the same as clicking on the Windows Defender icon in the control panel?

Budfred
11-01-2007, 10:00 PM
I don't have Vista installed, so I am not sure how it is listed... However, the reading I have done suggests that the Security Center is a master control for all MS security components and, presumably, that means it turns it off at a more basic level than simply going through the program... I wouldn't have suggested it if I thought it was the same as going through the program...

jes
11-10-2007, 05:22 PM
Maybe I just don't understand what you mean because when I enter the control panel and go into windows defender through the security center icon, I see the same screens that I see if I go into windows defender via the Windows Defender icon. Do you mean the security center icon in the control panel?

Budfred
11-11-2007, 12:41 AM
Maybe I just don't understand what you mean because when I enter the control panel and go into windows defender through the security center icon, I see the same screens that I see if I go into windows defender via the Windows Defender icon. Do you mean the security center icon in the control panel?

I mean to turn it off from within Security Center, not to go to Defender through Security Center and then try to turn it off, that would not be different than what you have done already... Security Center is supposed to be the Master Control for all Vista security programs...

jes
11-11-2007, 01:53 AM
Forgive me if I sound stupid but I see no way to deactivate defender in the security center, however, if I click on the defender icon and deactivate the background agent as you suggested, the security center says that defender is not operational.

Budfred
11-11-2007, 07:51 AM
Forgive me if I sound stupid but I see no way to deactivate defender in the security center, however, if I click on the defender icon and deactivate the background agent as you suggested, the security center says that defender is not operational.

Since I haven't seen the Security Center on Vista and don't run Defender, I don't know if there is another way... What I read about the Security Center in Vista suggested that it could control it and that is the way similar features work in XP, but that may not be true in practice... I plan to install Vista once SP1 is available, so I will know more after that...