High Volume Of Data Sending/receiving


9 replies to this topic

#1 rossi (Members, Texas)

Posted 29 May 2008 - 09:35 PM

When my internet connection is enabled, I am sending/receiving a high volume of data (8-9x that of similar machines with similar network connections) thru the connection, even with no programs running. There are two machines on this Linksys router, one laptop and one desktop and this only occurs on the desktop. I am running Windows XP SP2 and run AVG daily updates and scans and AdAware and Spybot S&D weekly with no virus/spyware/malware found. My broadband provider has limits on band width use and has recently warned me of my increased bandwidth usage, primarily upload. Otherwise I would not have been aware of this. The quick fix has been to enable the connection only when needed. But I am concerned that this might be something more sinister. Any input you may have would be much appreciated.



#2 DaChew (BC Advisor)

Posted 30 May 2008 - 12:00 AM

Quoting quietman, Aug 11 2007, 01:29 PM:
If you want to quickly get a list of your startup programs, do this.

Download Startup Tracker3.zip and save to your desktop.
Unzip (extract) it to a new folder on your C: drive.
Open that folder, double-click StartupTracker3.exe and click "Continue" when it opens.
Click "View log".
Notepad will open displaying the results in startuplog.txt.
Save the log to your desktop and click "Exit".
Copy/paste the contents of the log in your next reply.



http://www.dougknox.com/xp/utils/StartupTracker3.zip

Edited by DaChew, 30 May 2008 - 12:00 AM.

Chewy

No. Try not. Do... or do not. There is no try.

#3 rossi (Topic Starter)

Posted 30 May 2008 - 06:38 PM

Thank you for the rapid response. Here is the log:

5/30/2008 6:04:46 PM

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
LTMSG LTMSG.exe 7
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet /keeploaded /nodetect
Sunkist2k C:\Program Files\Multimedia Card Reader\shwicon2k.exe
IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
POINTER point32.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
AutoTBar em32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
Adobe Photo Downloader "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
KBD C:\HP\KBD\KBD.EXE
HP Software Update "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
AVG8_TRAY C:\PROGRA~1\AVG\AVG8\avgtray.exe

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
ISUSPM "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
swg C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
EasyLinkAdvisor "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Start Menu - Current User --
No Items Found

-- Start Menu - All Users --
Billminder.lnk
Google Updater.lnk
HP Digital Imaging Monitor.lnk
HP Image Zone Fast Start.lnk
Quicken Scheduled Updates.lnk
Quicken Startup.lnk

-- Disabled Items --

Remind_XP
HP Digital Imaging Monitor

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
Explorer.exe

-- Running Processes --
System Idle Process
System
smss.exe \SystemRoot\System32\smss.exe
csrss.exe
winlogon.exe winlogon.exe
services.exe C:\WINDOWS\system32\services.exe
lsass.exe C:\WINDOWS\system32\lsass.exe
svchost.exe C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
aawservice.exe "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
PhotoshopElementsFil"C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe"
AppleMobileDeviceSer"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
GoogleUpdaterService"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
nvsvc32.exe C:\WINDOWS\System32\nvsvc32.exe
svchost.exe C:\WINDOWS\System32\svchost.exe -k imgsvc
symlcsvc.exe "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
wdfmgr.exe
avgrsx.exe avgrsx.exe
avgemc.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe
alg.exe
svchost.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter
explorer.exe C:\WINDOWS\Explorer.EXE
ltmsg.exe "C:\WINDOWS\LTMSG.exe" 7
shwicon2k.exe "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
rundll32.exe rundll32 nView.dll,nViewInitialize
type32.exe "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
point32.exe "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
apdproxy.exe "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
kbd.exe "C:\HP\KBD\KBD.EXE"
hpwuSchd2.exe "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
avgtray.exe "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
msnmsgr.exe "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
ctfmon.exe "C:\WINDOWS\system32\ctfmon.exe"
ISUSPM.exe "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
LinksysAgent.exe "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
TeaTimer.exe "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
GoogleUpdater.exe "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -systray -startup
hpqtra08.exe "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"
Ymsgr_tray.exe "C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe" -ymsgr
hpqgalry.exe "C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe" -s
msimn.exe "C:\Program Files\Outlook Express\msimn.exe"
msmsgs.exe "C:\Program Files\Messenger\msmsgs.exe" -Embedding
firefox.exe "C:\PROGRA~1\MOZILL~1\FIREFOX.EXE" -requestPending -osint -url "http://www.bleepingcomputer.com/forums/index.php?showtopic=149625&view=g"
StartupTracker3.exe "C:\Documents and Settings\Owner\Desktop\startup tracker\StartupTracker3.exe"
wmiprvse.exe

-- Running Services --

Name: aawservice
Description: Ad-Aware service
Startup Mode: Auto
Run from: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"

Name: AdobeActiveFileMonitor5.0
Description: Tracks files that are managed by Adobe Photoshop Elements
Startup Mode: Auto
Run from: C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

Name: ALG
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\alg.exe

Name: Apple Mobile Device
Description: Provides the interface to Apple mobile devices.
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"

Name: AudioSrv
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: avg8emc
Description:
Startup Mode: Auto
Run from: C:\PROGRA~1\AVG\AVG8\avgemc.exe

Name: avg8wd
Description:
Startup Mode: Auto
Run from: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

Name: BITS
Description: Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Browser
Description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: CryptSvc
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: DcomLaunch
Description: Provides launch functionality for DCOM services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k DcomLaunch

Name: Dhcp
Description: Manages network configuration by registering and updating IP addresses and DNS names.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Dnscache
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

Name: ERSvc
Description: Allows error reporting for services and applictions running in non-standard environments.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Eventlog
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: EventSystem
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: FastUserSwitchingCompatibility
Description: Provides management for applications that require assistance in a multiple user environment.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: gusvc
Description:
Startup Mode: Auto
Run from: "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

Name: helpsvc
Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: HidServ
Description: Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: HTTPFilter
Description: This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k HTTPFilter

Name: lanmanserver
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: lanmanworkstation
Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: LmHosts
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: Netman
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Nla
Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: NVSvc
Description: Provides system and desktop level support to the NVIDIA display driver
Startup Mode: Auto
Run from: C:\WINDOWS\System32\nvsvc32.exe

Name: PlugPlay
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: PolicyAgent
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\lsass.exe

Name: ProtectedStorage
Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: RasMan
Description: Creates a network connection.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: RpcSs
Description: Provides the endpoint mapper and other miscellaneous RPC services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k rpcss

Name: SamSs
Description: Stores security information for local user accounts.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: Schedule
Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: seclogon
Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SENS
Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: SharedAccess
Description: Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: ShellHWDetection
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Spooler
Description: Loads files to memory for later printing.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\spoolsv.exe

Name: srservice
Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SSDPSRV
Description: Enables discovery of UPnP devices on your home network.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: stisvc
Description: Provides image acquisition services for scanners and cameras.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc

Name: Symantec Core LC
Description: Symantec Core LC
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"

Name: TapiSrv
Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TermService
Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost -k DComLaunch

Name: Themes
Description: Provides user experience theme management.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TrkWks
Description: Maintains links between NTFS files within a computer or across computers in a network domain.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: UMWdf
Description: Enables Windows user mode drivers.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\wdfmgr.exe

Name: W32Time
Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: WebClient
Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: winmgmt
Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: wscsvc
Description: Monitors system security settings and configurations.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: wuauserv
Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: WZCSVC
Description: Provides automatic configuration for the 802.11 adapters
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs


It seems to be getting progressively worse. Once again, any assistance you may be able to provide would be greatly appreciated.

#4 DaChew (BC Advisor)

Posted 30 May 2008 - 08:12 PM

Well, I was looking for some P2P, but nothing showed that was obvious; the possibilities are endless with so many services running.

http://www.microsoft.com/technet/sysintern...n/Autoruns.mspx

http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

Just to be safe, run a scan with MBAM.

I wonder if a good firewall might help.
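A systematic pass over a log like the one in reply #3, as an added example for this thread (it is not code from the posts, nor part of the Startup Tracker tool). It parses the Run keys, running processes and services out of the log text, flags Run entries that are bare filenames (which binary actually runs is then decided by the PATH search at logon) or that start from a user-writable profile directory, lists every running process that no Run key or service in the log accounts for, and diffs two snapshots so that after an uninstall you can see exactly which autostart entries disappeared. The sample input is a trimmed excerpt of the posted log with blank lines dropped; the second snapshot, the allow-list of core XP processes and the triage rules are this example's own assumptions.

```python
"""Triage a Startup Tracker log of the kind posted in this thread (added example,
not code from the posts or from Startup Tracker). The log layout follows the log
above; the triage rules, CORE allow-list and second snapshot are this example's own."""
import ntpath
import re
# Trimmed excerpt of the log in reply #3 (representative lines, blank lines dropped).
LOG_BEFORE = r"""
-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
LTMSG LTMSG.exe 7
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
swg C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
-- Running Processes --
aawservice.exe "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
avgrsx.exe avgrsx.exe
ltmsg.exe "C:\WINDOWS\LTMSG.exe" 7
TeaTimer.exe "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
hpqtra08.exe "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"
-- Running Services --
Run from: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
Run from: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""
# Constructed second snapshot: the same machine after one Run entry was uninstalled.
LOG_AFTER = LOG_BEFORE.replace(
    r"swg C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" + "\n", "")

SECTION_RE = re.compile(r"^-- (.+?) --")
PATH_RE = re.compile(r'"([^"]*?\.exe)"|([A-Za-z]:\\.*?\.exe)', re.I)  # quoted or drive-letter path
BARE_RE = re.compile(r"\S+\.exe", re.I)                                # bare token such as LTMSG.exe
CORE = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
        "spoolsv.exe", "explorer.exe", "alg.exe", "wmiprvse.exe", "startuptracker3.exe"}  # XP itself
USER_WRITABLE = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

def split_entry(line):
    """Split 'name command' into (value name, executable); a real path beats a bare token."""
    m = PATH_RE.search(line)
    exe = (m.group(1) or m.group(2)) if m else None
    if exe is None:
        m = BARE_RE.search(line)
        if not m:
            return None
        exe = m.group(0)
    return line[:m.start()].strip(), exe

def parse_log(text):
    """Return (Run entries per key, running process names, service executables)."""
    runs, processes, services, section, key = {}, set(), set(), None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
        elif section == "Registry" and key is None:  # first line under the header is the key
            key = line
            runs[key] = []
        elif section == "Registry" and line != "No Items Found":
            entry = split_entry(line)
            if entry:
                runs[key].append(entry)
        elif section == "Running Processes":
            processes.add(re.match(r'[^\s"]*', line).group(0).lower())
        elif section == "Running Services" and line.startswith("Run from:"):
            entry = split_entry(line[len("Run from:"):])
            if entry:
                services.add(ntpath.basename(entry[1]).lower())
    return runs, processes, services

def triage(runs, processes, services):
    """Flag Run entries worth a second look; list processes no Run key or service accounts for."""
    flagged, explained = [], set(CORE) | services
    for key, entries in runs.items():
        for name, exe in entries:
            low = exe.lower()
            explained.add(ntpath.basename(low))
            reasons = []
            if "\\" not in low:
                reasons.append("bare filename: which binary runs depends on PATH at logon")
            if any(tag in low for tag in USER_WRITABLE):
                reasons.append("starts from a user-writable profile directory")
            if reasons:
                flagged.append((key.split("\\")[0], name, exe, reasons))
    return flagged, sorted(processes - explained)

def diff_snapshots(before, after):
    """Run entries (hive, name, exe) removed and added between two parsed snapshots."""
    def flat(runs):
        return {(k.split("\\")[0], n, e.lower()) for k, v in runs.items() for n, e in v}
    return sorted(flat(before) - flat(after)), sorted(flat(after) - flat(before))

if __name__ == "__main__":
    before = parse_log(LOG_BEFORE)
    flagged, unexplained = triage(*before)
    for hive, name, exe, reasons in flagged:
        print(f"{hive} Run value {name!r} -> {exe}: {'; '.join(reasons)}")
    print("unexplained:", unexplained, "removed/added:", diff_snapshots(before[0], parse_log(LOG_AFTER)[0]))
```

On the excerpt it flags LTMSG and NvCplDaemon (which runs through RUNDLL32.EXE) as bare filenames, reports avgrsx.exe and hpqtra08.exe as running with no Run key or service to explain them (in the full log, hpqtra08.exe is the HP Digital Imaging Monitor Start Menu shortcut, which this parser does not map to an executable, and avgrsx.exe belongs to the AVG 8 install), and shows the swg entry as the one that vanished between the two snapshots. Unexplained processes are the ones to look at first when chasing unexpected traffic; on XP SP2, `netstat -b` lists the executable behind each open connection, which answers the bandwidth question far more directly than a startup list can.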

#5 rossi (Topic Starter)

Posted 30 May 2008 - 10:23 PM

OK. Ran MBAM and successfully removed all infections found. Windows Firewall is enabled.
Still have a high volume of data going up and down. Any suggestions?
Here is the MBAM log:


Malwarebytes' Anti-Malware 1.14
Database version: 807

9:57:05 PM 5/30/2008
mbam-log-5-30-2008 (21-57-05).txt

Scan type: Quick Scan
Objects scanned: 71747
Time elapsed: 16 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 10
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\RegistrySmart\Microsoft.VC80.MFC\ (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Microsoft.VC80.CRT (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\RegistrySmart\Microsoft.VC80.MFC (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\TEMP\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharla\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Sharla\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Owner\Application Data\RegistrySmart\Registry Backups\2007-08-29_20-51-00.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.

#6 DaChew (BC Advisor)

Posted 30 May 2008 - 11:32 PM

Quoting rossi: Any suggestions?


I would start in add/remove programs

#7 rossi (Topic Starter)

Posted 31 May 2008 - 07:21 AM

OK. Is there anything in particular I should be looking for? Is there a way to selectively enable/disable some of these startup programs in order to identify which is causing the problem?

#8 DaChew (BC Advisor)

Posted 31 May 2008 - 07:58 AM

The key element missing from your log was disabled features.

As more and more programs are loaded onto an already bloated factory load, an endless number of conflicts can evolve;
there are no schools or forums for such problems.


http://support.microsoft.com/default.aspx?...kb;en-us;282599

I would start with this one, as it's complicated to kill.

If Autoruns is too advanced, I would still suggest uninstalling some of the more useless programs.

I avoid Google add-ons myself.

In Control Panel, what programs have exceptions in Windows Firewall?

Edited by DaChew, 31 May 2008 - 08:00 AM.


#9 rossi (Topic Starter)

Posted 31 May 2008 - 01:30 PM

OK Chew:

Uninstalled some unnecessary programs/toolbars and reset the router. All seems well so far. Don't know which one did it. Time will tell if it is going to hold up.

Firewall exceptions are:

AVG components (5)
HP components (3)
Windows Mssgr
File & Print Share
and something called UPnP Framework, no idea what this is.

Any feedback on these?

Thank you so much for your input.

FYI, new startup log:

5/31/2008 1:05:05 PM

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
LTMSG LTMSG.exe 7
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz nwiz.exe /installquiet /keeploaded /nodetect
Sunkist2k C:\Program Files\Multimedia Card Reader\shwicon2k.exe
IntelliType "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
POINTER point32.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
AutoTBar em32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\servicesAUTOTBAR.EXE
ISUSPM Startup C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
Adobe Photo Downloader "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
KBD C:\HP\KBD\KBD.EXE
HP Software Update "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
Adobe Reader Speed Launcher "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
AVG8_TRAY C:\PROGRA~1\AVG\AVG8\avgtray.exe

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Registry --
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
ISUSPM "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
EasyLinkAdvisor "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

-- Registry --
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce

No Items Found

-- Start Menu - Current User --
No Items Found

-- Start Menu - All Users --
Billminder.lnk
HP Digital Imaging Monitor.lnk
HP Image Zone Fast Start.lnk
Quicken Scheduled Updates.lnk
Quicken Startup.lnk

-- Disabled Items --

Remind_XP
HP Digital Imaging Monitor

-- Registry - Shell Value - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon --
Explorer.exe

-- Running Processes --
System Idle Process
System
smss.exe \SystemRoot\System32\smss.exe
csrss.exe
winlogon.exe winlogon.exe
services.exe C:\WINDOWS\system32\services.exe
lsass.exe C:\WINDOWS\system32\lsass.exe
svchost.exe C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
aawservice.exe "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"
spoolsv.exe C:\WINDOWS\system32\spoolsv.exe
PhotoshopElementsFil"C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe"
AppleMobileDeviceSer"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
avgwdsvc.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
nvsvc32.exe C:\WINDOWS\System32\nvsvc32.exe
svchost.exe C:\WINDOWS\System32\svchost.exe -k imgsvc
symlcsvc.exe "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
wdfmgr.exe
avgrsx.exe avgrsx.exe
explorer.exe C:\WINDOWS\Explorer.EXE
avgemc.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe
alg.exe
ltmsg.exe "C:\WINDOWS\LTMSG.exe" 7
rundll32.exe rundll32 nView.dll,nViewInitialize
shwicon2k.exe "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
type32.exe "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
point32.exe "C:\Program Files\Microsoft Hardware\Mouse\point32.exe"
apdproxy.exe "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
kbd.exe "C:\HP\KBD\KBD.EXE"
hpwuSchd2.exe "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
avgtray.exe "C:\PROGRA~1\AVG\AVG8\avgtray.exe"
msnmsgr.exe "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
ctfmon.exe "C:\WINDOWS\system32\ctfmon.exe"
ISUSPM.exe "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
LinksysAgent.exe "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
TeaTimer.exe "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
hpqtra08.exe "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"
hpqgalry.exe "C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe" -s
svchost.exe C:\WINDOWS\System32\svchost.exe -k HTTPFilter
StartupTracker3.exe "C:\Documents and Settings\Owner\Desktop\startup tracker\StartupTracker3.exe"
wmiprvse.exe

-- Running Services --

Name: aawservice
Description: Ad-Aware service
Startup Mode: Auto
Run from: "C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe"

Name: AdobeActiveFileMonitor5.0
Description: Tracks files that are managed by Adobe Photoshop Elements
Startup Mode: Auto
Run from: C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe

Name: ALG
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\alg.exe

Name: Apple Mobile Device
Description: Provides the interface to Apple mobile devices.
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"

Name: AudioSrv
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: avg8emc
Description:
Startup Mode: Auto
Run from: C:\PROGRA~1\AVG\AVG8\avgemc.exe

Name: avg8wd
Description:
Startup Mode: Auto
Run from: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

Name: BITS
Description: Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Browser
Description: Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: CryptSvc
Description: Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: DcomLaunch
Description: Provides launch functionality for DCOM services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k DcomLaunch

Name: Dhcp
Description: Manages network configuration by registering and updating IP addresses and DNS names.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Dnscache
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k NetworkService

Name: ERSvc
Description: Allows error reporting for services and applictions running in non-standard environments.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Eventlog
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: EventSystem
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: FastUserSwitchingCompatibility
Description: Provides management for applications that require assistance in a multiple user environment.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: helpsvc
Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: HidServ
Description: Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: HTTPFilter
Description: This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k HTTPFilter

Name: lanmanserver
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: lanmanworkstation
Description: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: LmHosts
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: Netman
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Nla
Description: Collects and stores network configuration and location information, and notifies applications when this information changes.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: NVSvc
Description: Provides system and desktop level support to the NVIDIA display driver
Startup Mode: Auto
Run from: C:\WINDOWS\System32\nvsvc32.exe

Name: PlugPlay
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\services.exe

Name: PolicyAgent
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\lsass.exe

Name: ProtectedStorage
Description: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: RasMan
Description: Creates a network connection.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: RpcSs
Description: Provides the endpoint mapper and other miscellaneous RPC services.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost -k rpcss

Name: SamSs
Description: Stores security information for local user accounts.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\lsass.exe

Name: Schedule
Description: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: seclogon
Description: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SENS
Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: SharedAccess
Description: Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: ShellHWDetection
Description:
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: Spooler
Description: Loads files to memory for later printing.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\spoolsv.exe

Name: srservice
Description: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: SSDPSRV
Description: Enables discovery of UPnP devices on your home network.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: stisvc
Description: Provides image acquisition services for scanners and cameras.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k imgsvc

Name: Symantec Core LC
Description: Symantec Core LC
Startup Mode: Auto
Run from: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"

Name: TapiSrv
Description: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TermService
Description: Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
Startup Mode: Manual
Run from: C:\WINDOWS\System32\svchost -k DComLaunch

Name: Themes
Description: Provides user experience theme management.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: TrkWks
Description: Maintains links between NTFS files within a computer or across computers in a network domain.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: UMWdf
Description: Enables Windows user mode drivers.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\wdfmgr.exe

Name: W32Time
Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: WebClient
Description: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k LocalService

Name: winmgmt
Description: Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: wscsvc
Description: Monitors system security settings and configurations.
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

Name: wuauserv
Description: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.
Startup Mode: Auto
Run from: C:\WINDOWS\system32\svchost.exe -k netsvcs

Name: WZCSVC
Description: Provides automatic configuration for the 802.11 adapters
Startup Mode: Auto
Run from: C:\WINDOWS\System32\svchost.exe -k netsvcs

#10 rossi

  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Male
  • Location:Texas
  • Local time:12:37 PM

Posted 09 June 2008 - 09:35 AM

That didn't work either. Did a complete System Restore. May have been a little extreme or premature, but time was running out. May never know what the problem was, but it's gone now. Thanks for the effort.



