Constant disk drive access


  • This topic is locked
10 replies to this topic

#1 Peter09

  • Members
  • 6 posts

Posted 27 April 2010 - 07:51 AM

Hello, I have a new Gateway DX4831-03c with Windows 7 64 bit with 8 GB RAM and a 1T SATA hard drive. It seems to work fine, except for the annoyance of constant hard drive access, the drive light blinking on at about one-second intervals. The resource monitor shows that the system service is responsible for most of this hard drive access. I read a few similar reports on the web and the problem appears to persist even when search indexing and monitoring services are disabled.

I ran a HijackThis scan, but don't understand it. Has anyone encountered this issue before and can recommend a solution? It is like Chinese water torture; it's driving me crazy!

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:23:32 AM, on 27/04/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files (x86)\Spyware Doctor\pctsTray.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACG...85v165k4951r23q
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx?b=ACG...85v165k4951r23q
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACG...85v165k4951r23q
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files (x86)\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files (x86)\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Gateway Photo Frame] C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe -A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files (x86)\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Global Registration] "C:\Program Files (x86)\Gateway\Registration\GREG.exe" BOOT
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Logitech . Product Registration.lnk = C:\Program Files (x86)\Common Files\LogiShrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files (x86)\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} (SysInfo Class) - http://content.systemrequirementslab.com.s...ri_4.1.71.0.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.5.0.cab
O18 - Protocol: intu-qt2009 - {03947252-2355-4E9B-B446-8CCC75C43370} - C:\Program Files (x86)\QuickTax 2009\ic2009pp.dll
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files (x86)\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Intel® Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NTI IScheduleSvc - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files (x86)\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files (x86)\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel® Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 14678 bytes

EDIT: Moved from Win 7 forum to more appropriate Malware Removal Logs ~ Hamluis.

Edited by hamluis, 27 April 2010 - 12:28 PM.
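One way to read a log like the one above systematically, added here as an example (it is not HijackThis code and not from anyone in the thread): a small Python triage script that parses the R/F/O entry lines and applies a few defender-side rules. It assumes the HJT 2.0.4 line layout shown above, treats "(file missing)" on resource-string-named Windows services as the known artifact of running 32-bit HJT on 64-bit Windows 7, and includes one constructed autorun line (marked as such) so the user-writable-path rule has something to match.

```python
"""Triage helper for HijackThis (HJT) 2.0.x log entries.

Added example for this thread; it is not HijackThis code and not the poster's.
It parses the R/F/O entry lines of an HJT log and applies a few defender-side
rules that explain what the log above actually shows.
"""
import re
from typing import List, Tuple

# Sample input: lines copied from the HijackThis log posted above, plus one
# constructed line so the user-writable-path rule has something to match.
SAMPLE_LINES = [
    r"Logfile of Trend Micro HijackThis v2.0.4",
    r"Running processes:",
    r"C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx?b=ACG...85v165k4951r23q",
    r"O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)",
    r"O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll",
    r'O4 - HKLM\..\Run: [ISTray] "C:\Program Files (x86)\Spyware Doctor\pctsTray.exe"',
    r"O4 - Global Startup: Logitech SetPoint.lnk = ?",
    # CONSTRUCTED line, not from the posted log: an autorun inside a user profile.
    r"O4 - HKCU\..\Run: [updater] C:\Users\user\AppData\Roaming\updater.exe",
    r"O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)",
    r"O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteservice.exe",
    r"--",
    r"End of file - 14678 bytes",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# HJT entry lines look like "O4 - <body>", "R1 - <body>", "F2 - <body>".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")

# Path fragments marking a location an unprivileged user can write to;
# legitimate vendor autoruns almost always live under Program Files or Windows.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Default-page hosts that are OEM branding rather than a hijack (from the posted log).
OEM_HOME_HOSTS = ("homepage.gateway.com",)

Entry = Tuple[str, str]         # (entry code such as "O2", rest of the line)
Finding = Tuple[str, str, str]  # (severity, entry code, explanation)


def parse_entries(text: str) -> List[Entry]:
    """Return the R/F/O entries of an HJT log, skipping the header, the
    'Running processes' block and the 'End of file' trailer."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply defender-side rules to parsed entries.

    Severities: 'ignore' = known tool artifact, 'info' = explained and benign,
    'check' = needs a human look (not proof of infection)."""
    findings = []
    for code, body in entries:
        lower = body.lower()
        if code == "O2" and lower.endswith("(no file)"):
            findings.append(("info", code,
                "BHO CLSID is registered but its DLL is gone; an uninstall "
                "leftover that loads nothing"))
        elif code == "O23" and lower.endswith("(file missing)"):
            if body.startswith("Service: @"):
                # Built-in services are named by a resource string (@dll,-id).
                # 32-bit HJT 2.0.4 cannot resolve those paths on 64-bit
                # Windows 7, so every such service shows as missing; treated
                # here as a tool artifact, not a finding (assumption).
                findings.append(("ignore", code,
                    "resource-string service name; HJT x64 false positive"))
            else:
                findings.append(("check", code,
                    "third-party service whose binary is not on disk"))
        elif code == "O4":
            if body.endswith("= ?"):
                findings.append(("check", code,
                    "startup shortcut target could not be resolved"))
            elif any(frag in lower for frag in USER_WRITABLE):
                findings.append(("check", code,
                    "autorun launched from a user-writable directory"))
        elif code in ("R0", "R1") and any(h in lower for h in OEM_HOME_HOSTS):
            findings.append(("info", code, "OEM default home page, not a hijack"))
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """Only the findings a human should actually look at."""
    return [f for f in findings if f[0] == "check"]


if __name__ == "__main__":
    for sev, code, why in triage(parse_entries(SAMPLE_LOG)):
        print(f"{sev:6} {code:4} {why}")
```

Run against the full log above, the script leaves only the unresolved Logitech shortcut for review and explains the rest as OEM defaults, uninstall leftovers, and the tool's 64-bit artifact; nothing in it points at a cause for the disk activity, which matches the poster's own suspicion.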




#2 Shannon2012

  • Security Colleague
  • 3,657 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 01 May 2010 - 02:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Shannon

#3 Peter09

  • Topic Starter
  • Members
  • 6 posts

Posted 02 May 2010 - 02:37 PM

Thanks Shannon,

I went through the steps as instructed and here is the information. (The GMER scan found no modifications, hence a blank report, not attached.) My original post was moved into this forum by the sysop, although I suspect that the constant disk access is a feature of Windows 7, or of my drive's manufacturer, rather than due to an infection... anyways, here goes. I appreciate your help with this. BTW, I already tried disabling indexing, defragmentation, Carbonite monitoring, HP's utilities, virus monitoring, etc., to no avail; the drive access just keeps on grinding away, about once every second.


DDS (Ver_10-03-17.01) - NTFSX64
Run by user at 15:05:20.20 on 02/05/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.2.1033.18.8151.6214 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\atieclxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Windows\system32\CISVC.EXE
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\IScheduleSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Spyware Doctor\pctsAuxs.exe
C:\Program Files (x86)\Spyware Doctor\pctsSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\Spyware Doctor\pctsTray.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files (x86)\Gateway Photo Frame\ButtonMonitor.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files (x86)\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files (x86)\Spyware Doctor\TFEngine\TFService.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Windows\splwow64.exe
C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\HP\Digital Imaging\smart web printing\hpswp_clipbook.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Program Files (x86)\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\splwow64.exe
C:\Users\user\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=dx4831&r=17360410p206p0385v165k4951r23q
mDefault_Page_URL = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=dx4831&r=17360410p206p0385v165k4951r23q
mStart Page = hxxp://homepage.gateway.com/rdr.aspx?b=ACGW&l=1009&m=dx4831&r=17360410p206p0385v165k4951r23q
mLocal Page = c:\windows\syswow64\blank.htm
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files (x86)\yahoo!\companion\installs\cpn\yt.dll
mWinlogon: Userinit=userinit.exe
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files (x86)\yahoo!\companion\installs\cpn\yt.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files (x86)\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files (x86)\yahoo!\companion\installs\cpn\YTSingleInstance.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files (x86)\spyware doctor\bdt\PCTBrowserDefender.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files (x86)\yahoo!\companion\installs\cpn\yt.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Global Registration] "c:\program files (x86)\gateway\registration\GREG.exe" BOOT
uRun: [msnmsgr] "c:\program files (x86)\windows live\messenger\msnmsgr.exe" /background
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Gateway Photo Frame] c:\program files (x86)\gateway photo frame\ButtonMonitor.exe -A
mRun: [QuickTime Task] "c:\program files (x86)\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files (x86)\itunes\iTunesHelper.exe"
mRun: [nmctxth] "c:\program files (x86)\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files (x86)\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [HP Software Update] c:\program files (x86)\hp\hp software update\HPWuSchd2.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files (x86)\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files (x86)\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Carbonite Backup] c:\program files (x86)\carbonite\carbonite backup\CarboniteUI.exe
mRun: [ISTray] "c:\program files (x86)\spyware doctor\pctsTray.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Intuit SyncManager] c:\program files (x86)\common files\intuit\sync\IntuitSyncManager.exe startup
StartupFolder: c:\users\user\appdata\roaming\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files (x86)\common files\logishrd\ereg\setpoint\eReg.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files (x86)\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files (x86)\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files (x86)\common files\intuit\quickbooks\qbupdate\qbupdate.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append Link Target to Existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\micros~1\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~1\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files (x86)\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: c:\program files (x86)\common files\pc tools\lsp\PCTLsp.dll
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files (x86)\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: intu-qt2009 - {03947252-2355-4e9b-B446-8CCC75C43370} - c:\program files (x86)\quicktax 2009\ic2009pp.dll
Handler: intu-res - {9CE7D474-16F9-4889-9BB9-53E2008EAE8A} - c:\program files (x86)\common files\intuit\intu-res.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files (x86)\common files\pure networks shared\platform\puresp4.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB-X64: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB-X64: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [IAAnotif] c:\program files (x86)\intel\intel matrix storage manager\iaanotif.exe
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe -s
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

================= FIREFOX ===================

FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore64.sys [2010-4-15 230904]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-4-15 65072]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-4-15 60416]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi64.sys [2010-4-15 306648]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-12-1 202752]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files (x86)\spyware doctor\bdt\BDTUpdateService.exe [2010-4-15 112592]
R2 NTI IScheduleSvc;NTI IScheduleSvc;c:\program files (x86)\newtech infosystems\gateway mybackup\IScheduleSvc.exe [2009-8-12 62208]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files (x86)\spyware doctor\pctsAuxs.exe [2010-4-15 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files (x86)\spyware doctor\pctsSvc.exe [2010-4-15 1142224]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\intel\intel® management engine components\uns\UNS.exe [2010-4-14 2314240]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k62x64.sys [2009-12-1 283824]
R3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\drivers\HECIx64.sys [2009-12-1 56344]
R3 netr28x;Ralink 802.11n Extensible Wireless Driver;c:\windows\system32\drivers\netr28x.sys [2009-12-1 712704]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg64.sys [2010-4-15 92896]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-4-15 41888]
R3 ThreatFire;ThreatFire;c:\program files (x86)\spyware doctor\tfengine\tfservice.exe service --> c:\program files (x86)\spyware doctor\tfengine\TFService.exe service [?]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-14 1255736]
S4 Updater Service;Updater Service;c:\program files\gateway\gateway updater\UpdaterService.exe [2009-12-1 240160]

=============== Created Last 30 ================

2010-05-02 19:03:13 0 ----a-w- c:\users\user\defogger_reenable
2010-05-02 12:06:23 3833856 ----a-w- c:\windows\syswow64\cdintf300.dll
2010-05-02 11:38:29 0 d-----w- c:\program files\common files\Intuit
2010-05-02 00:30:48 0 d-----w- c:\program files (x86)\common files\supportsoft
2010-05-02 00:30:39 4194304 ----a-w- c:\windows\syswow64\cdintf400.dll
2010-05-02 00:25:30 90 ----a-w- c:\windows\QBChanUtil_Trigger.ini
2010-05-02 00:25:30 0 d-----w- c:\programdata\SQL Anywhere 10
2010-04-30 11:39:18 23141 ----a-w- c:\windows\hpqins15.dat
2010-04-28 12:17:29 223448 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 12:17:26 12867072 ----a-w- c:\windows\syswow64\shell32.dll
2010-04-28 12:17:25 96768 ----a-w- c:\windows\syswow64\sspicli.dll
2010-04-28 12:17:25 22016 ----a-w- c:\windows\syswow64\secur32.dll
2010-04-28 12:17:25 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 12:17:25 1446912 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-27 12:20:27 0 d-----w- c:\program files (x86)\Trend Micro
2010-04-25 12:18:44 24416 ----a-r- c:\windows\system32\AdobePDFUI.dll
2010-04-25 12:17:03 0 d-----w- C:\_AcroTemp
2010-04-25 03:47:57 52568 ----a-w- c:\windows\system32\AdobePDF.dll
2010-04-24 20:46:29 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-04-24 20:46:26 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-04-24 20:46:05 190992 ----a-w- c:\windows\system32\BtCoreIf.dll
2010-04-24 20:46:01 96272 ----a-w- c:\windows\system32\KemXML.dll
2010-04-24 20:46:01 235536 ----a-w- c:\windows\system32\KemUtil.dll
2010-04-24 20:46:01 235536 ----a-w- c:\windows\system32\kemutb.dll
2010-04-24 20:46:01 159248 ----a-w- c:\windows\system32\KemWnd.dll
2010-04-24 20:45:50 0 d-----w- c:\programdata\Logitech
2010-04-24 20:45:36 0 d-----w- c:\program files\common files\Logishrd
2010-04-24 20:45:24 0 d-----w- c:\program files\Logitech
2010-04-24 20:44:55 0 d-----w- c:\programdata\LogiShrd
2010-04-21 23:44:41 0 d-----w- c:\program files (x86)\Punch! Home and Landscape
2010-04-21 23:35:17 765771852 ----a-w- c:\windows\MEMORY.DMP
2010-04-21 12:32:46 0 d-----w- c:\programdata\WinZipEC
2010-04-21 12:32:45 0 d-----w- c:\program files (x86)\WinZip E-Mail Companion
2010-04-21 12:26:41 0 d-----w- c:\programdata\WinZip
2010-04-19 01:58:56 0 d-----w- c:\program files (x86)\WinSCP
2010-04-18 14:23:27 0 d-----w- c:\program files (x86)\HP Canada Password Safe
2010-04-18 02:46:37 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2010-04-18 02:46:37 26112 ----a-w- c:\windows\system32\vncmirror.dll
2010-04-18 00:41:33 0 d--h--w- c:\windows\msdownld.tmp
2010-04-18 00:41:27 0 d-----w- c:\windows\syswow64\directx
2010-04-17 20:26:08 2337488 ----a-w- c:\windows\syswow64\d3dx9_25.dll
2010-04-17 20:26:07 2222800 ----a-w- c:\windows\syswow64\d3dx9_24.dll
2010-04-17 20:02:21 331 ----a-w- c:\windows\game.ini
2010-04-17 19:50:56 0 d-sh--w- c:\windows\ftpcache
2010-04-17 19:25:44 0 d-----w- C:\BackupTax
2010-04-17 19:21:25 0 d-----w- C:\T2
2010-04-17 17:30:23 306688 ----a-w- c:\windows\IsUninst.exe
2010-04-17 13:38:56 0 d-----w- C:\Downloads
2010-04-17 13:38:23 13030 ----a-w- C:\PDOXUSRS.NET
2010-04-17 13:38:13 0 d-----w- C:\VT2DATA10
2010-04-17 13:36:08 0 d-----w- C:\t2-2010
2010-04-17 13:35:13 4076 ----a-w- c:\windows\syswow64\Uninstall.ini
2010-04-17 05:12:07 0 d-----w- C:\QuickTax 2006
2010-04-17 05:09:39 0 d-----w- C:\QuickTax 2005
2010-04-17 03:17:35 0 d-----w- c:\program files\Intuit
2010-04-16 20:48:03 0 d-----w- c:\users\user\Tracing
2010-04-16 14:07:55 0 d-----w- c:\programdata\FLEXnet
2010-04-16 13:54:45 0 d-----w- c:\program files (x86)\Webroot
2010-04-16 13:13:37 0 d-----w- c:\program files (x86)\common files\Macrovision Shared
2010-04-16 12:50:50 0 d-----w- c:\program files (x86)\Omron Healthcare
2010-04-16 12:50:50 0 d-----w- C:\Omron Healthcare
2010-04-16 11:50:15 0 d-----w- c:\users\user\appdata\roaming\Intuit Canada
2010-04-16 11:49:50 0 d-----w- c:\program files (x86)\QuickTax 2009
2010-04-16 11:49:26 0 d-----w- c:\programdata\Intuit Canada
2010-04-16 08:27:46 0 d-----w- c:\programdata\WEBREG
2010-04-16 04:19:53 0 d-----w- c:\programdata\Yahoo! Companion
2010-04-16 04:19:52 0 d-----w- c:\program files (x86)\Yahoo!
2010-04-16 04:18:43 0 d-----w- c:\programdata\HP Product Assistant
2010-04-16 04:17:38 0 d-----w- c:\program files (x86)\common files\HP
2010-04-16 04:17:31 0 d-----w- c:\program files (x86)\common files\Hewlett-Packard
2010-04-16 04:17:15 0 d-----w- c:\program files (x86)\HP
2010-04-16 04:15:55 457 ------w- c:\windows\hpomdl13.dat
2010-04-16 04:15:55 165080 ----a-w- c:\windows\hpoins13.dat
2010-04-16 04:15:23 859136 ----a-w- c:\windows\system32\hpowiax4.dll
2010-04-16 04:15:23 642360 ----a-w- c:\windows\system32\hpzids40.dll
2010-04-16 04:15:23 540672 ----a-w- c:\windows\system32\hppldcoi.dll
2010-04-16 04:15:23 488960 ----a-w- c:\windows\system32\hpovst11.dll
2010-04-16 04:15:23 1295360 ----a-w- c:\windows\system32\hpotiop4.dll
2010-04-16 03:35:25 0 d-----w- c:\programdata\HP
2010-04-16 03:30:19 0 d-----w- c:\program files\HP
2010-04-16 03:30:16 61952 ----a-w- c:\windows\system32\ZIMF.DLL
2010-04-16 03:30:16 567296 ----a-w- c:\windows\system32\ZSHP1018.EXE
2010-04-16 03:30:16 49664 ----a-w- c:\windows\system32\ZTAG.DLL
2010-04-16 03:30:16 127488 ----a-w- c:\windows\system32\ZSPOOL.DLL
2010-04-16 03:30:16 115200 ----a-w- c:\windows\system32\ZLhp1018.DLL
2010-04-16 03:30:15 128380 ----a-w- c:\windows\system32\hp1018.img
2010-04-16 03:30:15 10632 ----a-w- c:\windows\system32\ZSHP1018.CHM
2010-04-16 03:14:14 0 d-----w- c:\programdata\Hewlett-Packard
2010-04-16 02:27:19 0 d-----w- c:\program files (x86)\Pure Networks
2010-04-16 02:27:05 0 d-----w- c:\program files (x86)\common files\Pure Networks Shared
2010-04-16 02:24:35 0 d-----w- c:\program files\Linksys
2010-04-16 02:01:31 0 d-----w- c:\program files (x86)\SystemRequirementsLab
2010-04-16 01:09:08 33328 ----a-w- c:\windows\system32\drivers\pnarp.sys
2010-04-16 01:09:07 35376 ----a-w- c:\windows\system32\drivers\purendis.sys
2010-04-16 01:08:10 0 d-----w- c:\programdata\Pure Networks
2010-04-15 22:01:32 1933312 ----a-w- c:\windows\syswow64\cdintf251.dll
2010-04-15 21:59:24 0 d-----w- c:\programdata\Intuit
2010-04-15 21:55:18 0 d-----w- c:\programdata\COMMON FILES
2010-04-15 21:54:06 735856 ----a-w- c:\windows\syswow64\PerfStringBackup.INI
2010-04-15 21:53:47 0 d-----w- c:\windows\syswow64\URTTEMP
2010-04-15 21:33:13 236 ----a-w- c:\windows\WinHelp.ini
2010-04-15 21:33:01 2471424 ----a-w- c:\windows\syswow64\TeeChart5.ocx
2010-04-15 21:32:06 0 d-----w- c:\program files (x86)\common files\AnswerWorks 4.0
2010-04-15 21:31:36 0 d-----w- c:\program files (x86)\Intuit
2010-04-15 21:31:36 0 d-----w- c:\program files (x86)\common files\Intuit
2010-04-15 21:24:05 0 d-----w- c:\windows\Intuit
2010-04-15 11:16:05 0 d-----w- c:\windows\PCHEALTH
2010-04-15 11:14:51 0 d-----w- c:\program files\Microsoft Office
2010-04-15 11:09:54 376 ----a-w- c:\windows\ODBC.INI
2010-04-15 10:59:55 0 d-----w- c:\program files\Carbonite
2010-04-15 10:59:24 0 d-----w- c:\programdata\Carbonite
2010-04-15 10:59:24 0 d-----w- c:\program files (x86)\Carbonite
2010-04-15 10:56:42 65072 --s---w- c:\windows\system32\drivers\TfFsMon.sys
2010-04-15 10:56:42 60416 --s---w- c:\windows\system32\drivers\TfSysMon.sys
2010-04-15 10:56:42 41888 --s---w- c:\windows\system32\drivers\TfNetMon.sys
2010-04-15 10:44:24 882 ----a-w- c:\windows\RegSDImport.xml
2010-04-15 10:44:24 879 ----a-w- c:\windows\RegISSImport.xml
2010-04-15 10:44:24 767952 ----a-w- c:\windows\BDTSupport.dll
2010-04-15 10:44:24 165840 ----a-w- c:\windows\PCTBDRes.dll
2010-04-15 10:44:24 1652688 ----a-w- c:\windows\PCTBDCore.dll
2010-04-15 10:44:24 149456 ----a-w- c:\windows\SGDetectionTool.dll
2010-04-15 10:44:24 131 ----a-w- c:\windows\IDB.zip
2010-04-15 10:44:24 1152444 ----a-w- c:\windows\UDB.zip
2010-04-15 10:42:14 7357 ----a-w- c:\windows\system32\drivers\pctgntdi64.cat
2010-04-15 10:42:14 306648 ----a-w- c:\windows\system32\drivers\pctgntdi64.sys
2010-04-15 10:42:14 133072 ----a-w- c:\windows\system32\drivers\pctwfpfilter64.sys
2010-04-15 10:42:13 7353 ----a-w- c:\windows\system32\drivers\pctcore64.cat
2010-04-15 10:42:13 230904 ----a-w- c:\windows\system32\drivers\PCTCore64.sys
2010-04-15 10:42:12 92896 ----a-w- c:\windows\system32\drivers\pctplsg64.sys
2010-04-15 10:42:12 7353 ----a-w- c:\windows\system32\drivers\pctplsg64.cat
2010-04-15 10:42:07 0 d-----w- c:\users\user\appdata\roaming\PC Tools
2010-04-15 10:42:07 0 d-----w- c:\programdata\PC Tools
2010-04-15 10:42:07 0 d-----w- c:\program files (x86)\Spyware Doctor
2010-04-15 10:42:07 0 d-----w- c:\program files (x86)\common files\PC Tools
2010-04-15 10:41:47 0 d---a-w- c:\programdata\TEMP
2010-04-15 01:55:49 0 d-----w- c:\windows\syswow64\Wat
2010-04-15 01:55:49 0 d-----w- c:\windows\system32\Wat
2010-04-15 01:52:00 0 d-----w- c:\program files (x86)\MSXML 4.0
2010-04-15 01:49:48 960512 ----a-w- c:\windows\system32\CPFilters.dll
2010-04-15 01:40:55 0 d-----w- c:\programdata\Geek Squad
2010-04-15 01:39:50 46592 ----a-w- c:\windows\system32\msasn1.dll
2010-04-15 01:39:50 34816 ----a-w- c:\windows\syswow64\msasn1.dll
2010-04-15 01:39:46 311808 ----a-w- c:\windows\system32\msv1_0.dll
2010-04-15 01:39:46 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2010-04-15 01:30:02 0 d-----w- c:\programdata\Skype
2010-04-15 01:30:02 0 d-----r- c:\program files (x86)\Skype
2010-04-15 01:18:44 34152 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-04-15 01:18:44 126312 ----a-w- c:\windows\system32\GEARAspi64.dll
2010-04-15 01:18:44 107368 ----a-w- c:\windows\syswow64\GEARAspi.dll
2010-04-15 01:18:35 0 d-----w- c:\programdata\{0DD0EEEE-2A7C-411C-9243-1AE62F445FC3}
2010-04-15 01:18:35 0 d-----w- c:\program files\iTunes
2010-04-15 01:18:35 0 d-----w- c:\program files\iPod
2010-04-15 01:18:35 0 d-----w- c:\program files (x86)\iTunes
2010-04-15 01:18:23 0 d-----w- c:\program files\Bonjour
2010-04-15 01:18:23 0 d-----w- c:\program files (x86)\Bonjour
2010-04-15 01:18:16 0 d-----w- c:\programdata\Apple Computer
2010-04-15 01:18:09 0 d-----w- c:\program files\common files\Apple
2010-04-15 01:18:03 0 d-----w- c:\programdata\Apple
2010-04-15 01:10:26 455680 ----a-w- c:\windows\system32\deploytk.dll
2010-04-15 01:10:15 0 d-----w- c:\program files\Java
2010-04-15 01:09:02 411368 ----a-w- c:\windows\syswow64\deploytk.dll
2010-04-15 01:09:02 149280 ----a-w- c:\windows\syswow64\javaws.exe
2010-04-15 01:09:02 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-04-15 01:09:02 145184 ----a-w- c:\windows\syswow64\java.exe
2010-04-15 00:29:06 212864 ------w- c:\windows\system32\MpSigStub.exe
2010-04-15 00:27:06 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-04-15 00:27:06 172032 ----a-w- c:\windows\syswow64\wintrust.dll
2010-04-15 00:27:05 139264 ----a-w- c:\windows\system32\cabview.dll
2010-04-15 00:27:05 132608 ----a-w- c:\windows\syswow64\cabview.dll
2010-04-15 00:20:21 4398360 ----a-w- c:\windows\system32\d3dx9_32.dll
2010-04-15 00:20:21 3426072 ----a-w- c:\windows\syswow64\d3dx9_32.dll
2010-04-15 00:20:12 20 ----a-w- c:\windows\¸ö©
2010-04-15 00:20:12 0 d-----w- c:\program files (x86)\Microsoft SQL Server Compact Edition
2010-04-15 00:19:38 0 d-----w- c:\program files (x86)\Microsoft
2010-04-15 00:19:26 0 d-----w- c:\program files (x86)\Windows Live SkyDrive
2010-04-15 00:18:36 0 d-----w- c:\program files (x86)\common files\Windows Live
2010-04-15 00:18:25 0 d-----w- c:\program files (x86)\Gateway Photo Frame
2010-04-15 00:16:13 0 d-----w- c:\program files (x86)\common files\postureAgent
2010-04-15 00:16:01 0 d-----w- c:\programdata\ATI

==================== Find3M ====================

2010-04-17 13:35:13 64349 ----a-w- c:\windows\syswow64\Uninstall.exe
2010-03-25 21:43:53 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-03-08 21:59:59 612352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 21:33:56 427520 ----a-w- c:\windows\syswow64\vbscript.dll
2010-02-27 15:17:00 5509008 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-27 12:07:48 3954568 ----a-w- c:\windows\syswow64\ntkrnlpa.exe
2010-02-27 12:07:48 3899280 ----a-w- c:\windows\syswow64\ntoskrnl.exe
2010-02-23 08:22:50 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 07:56:00 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-02-23 07:55:56 1225216 ----a-w- c:\windows\syswow64\urlmon.dll
2010-02-23 07:55:45 606208 ----a-w- c:\windows\syswow64\mstime.dll
2010-02-23 07:55:43 64512 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-02-23 07:55:43 5964800 ----a-w- c:\windows\syswow64\mshtml.dll
2010-02-23 07:55:24 10978816 ----a-w- c:\windows\syswow64\ieframe.dll
2010-02-23 07:55:20 381440 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-02-04 14:01:14 78680 ----a-w- c:\windows\system32\XAPOFX1_4.dll
2010-02-04 14:01:14 74072 ----a-w- c:\windows\syswow64\XAPOFX1_4.dll
2010-02-04 14:01:14 530776 ----a-w- c:\windows\system32\XAudio2_6.dll
2010-02-04 14:01:14 528216 ----a-w- c:\windows\syswow64\XAudio2_6.dll
2010-02-04 14:01:14 24920 ----a-w- c:\windows\system32\X3DAudio1_7.dll
2010-02-04 14:01:14 238936 ----a-w- c:\windows\syswow64\xactengine3_6.dll
2010-02-04 14:01:14 22360 ----a-w- c:\windows\syswow64\X3DAudio1_7.dll
2010-02-04 14:01:14 176984 ----a-w- c:\windows\system32\xactengine3_6.dll
2010-02-02 08:36:47 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-02 07:45:54 2048 ----a-w- c:\windows\syswow64\tzres.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 15:08:13.91 ===============


#4 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 05 May 2010 - 05:26 PM

Hello, Peter09.

GMER won't really run on 64-bit systems anyway...most of it was probably grayed out. The good news is that most rootkits won't run on it either.

I have W7x64 for my main desktop, but haven't encountered this issue. What service do you mean by 'system service'? Do you mean an entry of 'System' in the Resource Monitor?

Let's run MBAM to rule out malware. I may have to refer you to the Windows 7 forum as they're a better resource at non-malware issues, but let's give this a go.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#5 Peter09

Peter09
  • Topic Starter

  • Members
  • 6 posts

Posted 06 May 2010 - 07:07 AM

Thank you for the suggestion. I ran the MBAM scan and here is the report. It does not appear to show any infection, except for the HijackThis entry, which was probably a result of my installation of this utility. I still suspect that the constant access is some Windows 7 "feature", as yet undiscovered.... Any other suggestions would be most welcome. The water torture continues...

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4071

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

06/05/2010 7:55:44 AM
mbam-log-2010-05-06 (07-55-44).txt

Scan type: Quick scan
Objects scanned: 131724
Time elapsed: 4 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 06 May 2010 - 05:13 PM

What service do you mean by 'system service'? Do you mean an entry of 'System' in the Resource Monitor?

The MBAM entry is unrelated to HijackThis; it just showed that the Search in the Start menu was disabled. That could be a false positive if you intentionally set it that way. But, that's a clean log. We can run an ESET antivirus scan to be safe, but it's likely not malware related.




#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 06 May 2010 - 05:15 PM

Please don't miss my post above.

PS: this has some ideas for Vista that are applicable to W7 as well:
http://www.tweakguides.com/VA_5.html


Have you looked to see if you should defragment your hard drive? Unlikely, but a severely fragmented disk could also cause this.

Any of that work?

Edited by etavares, 06 May 2010 - 05:15 PM.




#8 Peter09

Peter09
  • Topic Starter

  • Members
  • 6 posts

Posted 07 May 2010 - 12:30 PM

The drive is brand new and reports 0% fragmentation. I believe it's clean as far as viruses or malware go. Turning indexing on and off made no difference. I also contacted Gateway voice support - their answer was "this is normal". Maybe it's time to return the machine and get a refund, unless this is a common problem with all 64-bit Windows 7 PCs? In that case - thank you Microsoft.

Thanks for all the replies and suggestions, I think I'll go and buy earplugs now....



#9 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 08 May 2010 - 08:24 AM

OK, I agree it's not malware so that's about the extent of help I can provide.

My Windows 7 64-bit PC does not have that issue, thankfully. So, it's fixable. Indexing was my first thought, but you already tried that. Have you tried looking at the CPU usage, or just the disk access in the resource monitor? If it's accessing the disk, it could be taking up a fair amount of your CPU power.

Here's another thread that has other ideas as well.
http://windows7forums.com/windows-7-suppor...k-activity.html

The reason the mods moved your thread into this forum is that you posted a log. They are only allowed in this forum. You may want to post back in the Windows 7 forum here....but please don't post a log, just describe your problem, what you've tried, and you can reference this thread if you want.

Windows 7 forum

Edited by etavares, 08 May 2010 - 08:25 AM.


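To put numbers behind the Resource Monitor question raised in the post above, here is an added PowerShell example. It is not code from the thread or from any of its participants: it samples the per-process "IO Read Bytes/sec" and "IO Write Bytes/sec" performance counters (the same Process counters Resource Monitor draws on) and ranks processes by their average I/O rate, which is how you would check whether the "System" instance or some other process is behind one-second disk ticks. The function name, its default sample count and the number of processes reported are assumptions chosen for illustration; the cmdlets and counter paths are standard Windows ones and the code avoids PowerShell 3.0-only syntax so it runs on a stock Windows 7 install.

```powershell
# Added example, not code from the thread: rank running processes by the
# I/O they generate, using the Process performance counters that also feed
# Resource Monitor. Function name and defaults are assumptions for illustration.
function Get-TopIOProcesses {
    param(
        [int]$Samples = 10,   # one-second samples to average over (assumed default)
        [int]$Top     = 10    # number of processes to report (assumed default)
    )

    $counterPaths = @(
        '\Process(*)\IO Read Bytes/sec',
        '\Process(*)\IO Write Bytes/sec',
        '\Process(*)\ID Process'
    )

    # A single call collects every sample for every process instance.
    # Instances that exit mid-run produce errors we deliberately ignore.
    $sets = Get-Counter -Counter $counterPaths -SampleInterval 1 -MaxSamples $Samples -ErrorAction SilentlyContinue

    $totals = @{}
    foreach ($set in $sets) {
        foreach ($sample in $set.CounterSamples) {
            # InstanceName is the lower-cased image name, e.g. "system", "svchost#3"
            $name = $sample.InstanceName
            if ($name -eq '_total' -or $name -eq 'idle') { continue }

            if (-not $totals.ContainsKey($name)) {
                $totals[$name] = New-Object PSObject -Property @{
                    Process    = $name
                    ProcessId  = 0
                    ReadBytes  = 0.0
                    WriteBytes = 0.0
                }
            }

            # Counter paths come back lower-cased; match on the counter name only.
            switch -Wildcard ($sample.Path) {
                '*\io read bytes/sec'  { $totals[$name].ReadBytes  += $sample.CookedValue }
                '*\io write bytes/sec' { $totals[$name].WriteBytes += $sample.CookedValue }
                '*\id process'         { $totals[$name].ProcessId   = [int]$sample.CookedValue }
            }
        }
    }

    # Average the summed per-second rates over the sampling window and report in KB/s.
    $totals.Values |
        Select-Object Process, ProcessId,
            @{ Name = 'AvgKBps'; Expression = { [math]::Round((($_.ReadBytes + $_.WriteBytes) / $Samples) / 1KB, 1) } } |
        Sort-Object AvgKBps -Descending |
        Select-Object -First $Top
}

# Usage: sample for ten seconds with nothing else running and show the busiest processes.
Get-TopIOProcesses | Format-Table -AutoSize
```

Two caveats when reading the output: the Process "IO" counters count all I/O a process issues (file, network and device), not disk alone, so pair a high-ranking process with Resource Monitor's Disk tab to see which files it touches; and the "System" instance aggregates kernel-side work such as cache-manager flushes done on behalf of other processes, so a busy "System" entry points at the file-level view rather than at a single culprit.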


#10 Peter09

Peter09
  • Topic Starter

  • Members
  • 6 posts

Posted 10 May 2010 - 09:12 AM

Thanks again for your suggestions. I checked the CPU usage, it's minimal < 2%. I attached a resource monitor screenshot which shows the ticks on the drive with nothing running.

I will give the other forum a try...



#11 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 15 May 2010 - 05:58 AM

Since this issue appears to be resolved (well sort of)... this Topic has been closed.

If you are the topic starter, and need this topic reopened, please contact me via PM with the address of this thread.

Everyone else please begin a new topic.






