Hijack This Log - Please Help Diagnose


  • This topic is locked
26 replies to this topic

#1 bluerodent

  • Members
  • 14 posts

Posted 23 November 2006 - 05:42 AM

My PC appears to be running slowly - particularly my browser (Internet Explorer).
I have recently defragged the machine and run Ad-Aware & Spybot. There is still a "Bearshare" registry entry highlighted by Spybot which never seems to get fixed. Not sure if this is the cause of the problem or if it is something else. I use AVG 7.5 anti-virus and Windows Defender.

Hoping you can assist me.

Many thanks,
Ross

log follows:


Logfile of HijackThis v1.99.1
Scan saved at 10:11:26, on 23/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Storage RW\shwicon.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 11.0.0.10:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\whoob85z.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\whoob85z.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/b...lcontrol013.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAF984B3-3B7A-4D21-A8FC-DD7EAEA767A2}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe


#2 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 02 December 2006 - 05:52 PM

Hi Bluerodent,

Sorry for the delay. The forums have been very busy.

If you still need help, I need to see a Spybot log.
  • Open the program, run updates, and then run a full system scan.
  • Let the program fix anything it finds.
  • Select Mode, then Advanced. Click Yes in the warning box that you know what you're doing. Open the Tools section.
  • Highlight the line View reports. Check Do not report disabled or known legitimate items.
  • Leave Include results of last check in report checked, but uncheck all other boxes.
  • Then click the green arrow to view the report. Next click the floppy icon to export (save) the report as a file.
  • Accept the default location, which is C:\Documents and Settings\All Users\Application Data\Spybot-Search & Destroy\Logs. The file will be named SpybotSD.Report.txt. You will need to navigate to that file in order to post the report later.
Next I need a fresh HijackThis log. Close all open windows and then start the program. Run a scan, then save the log and post it to a reply here, along with your Spybot log.

Dave

#3 bluerodent
  • Topic Starter

  • Members
  • 14 posts

Posted 02 December 2006 - 07:46 PM

Thanks Dave - It's still running sluggishly though not quite as slow as it was. I have a feeling there is still something lurking there which is slowing down the system.

As requested I attach SpyBot and new HiJackThis logs. Thanks for your help,

Ross

Logs follow:
SpyBot
--- Search result list ---
Bearshare: Class ID (Registry key, fixing failed)
HKEY_CLASSES_ROOT\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-06-15 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-01 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-12-01 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-01 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-01 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-12-01 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-01 Includes\PUPSC.sbi (*)
2006-12-01 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-12-01 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-01 Includes\Trojans.sbi (*)
2006-12-01 Includes\TrojansC.sbi (*)


HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 00:35:23, on 03/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\USB Storage RW\shwicon.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Belkin\Belkin 802.11g Wireless PCI Card Configuration Utility\utility.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 11.0.0.10:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\whoob85z.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\whoob85z.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [KYE_Showicon] "C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Belkin 802.11g Wireless PCI Card Configuration Utility.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/b...lcontrol013.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab28578.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EAF984B3-3B7A-4D21-A8FC-DD7EAEA767A2}: NameServer = 192.168.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

#4 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 03 December 2006 - 10:04 AM

Hi again,

Apparently you had Bearshare installed on this computer at one time. That registry entry that Spybot found is a leftover. It is harmless. Many uninstall programs leave registry entries behind like this.

Question: Please tell me about your internet connection. Do you use a proxy server?

Another question: Did this slowdown coincide with the installation of a new program, or an update -- including Windows updates?

The only line I see in your HJT log that needs fixing is this one:

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\whoob85z.slt\prefs.js)

Close all other windows on your desktop and make sure there are no programs in your taskbar. Open HJT and run a scan. Place a check mark next to the line above, then click Fix Checked. Close the program.

Other than that, and assuming your proxy settings are correct, your log is clean.

One quick check I might suggest: Press <Ctrl>-<Alt>-<Del> to open Task Manager, then click on the Processes tab. Place a check next to Show processes from all users. Scroll down and see if any of the processes is running at a high percentage of CPU usage. On a normal system at idle the System Idle Process should show about 98 percent, meaning nothing else is using the CPU. The next columns to the right, memory usage and peak memory usage, may also show something out of line if one process is using a large amount of memory. If you see anything showing high CPU usage or high Memory usage, make a note of it.

Now, click the Performance tab. The key numbers here are in the Commit Charge box -- the Total and Peak figures; and in the Physical Memory box, the Total figure. Make a note of these three numbers. I would like to see them, but I can tell you what I'm looking for: basically, any time the Commit Charge exceeds the total physical memory, Windows is going to have to constantly swap data back and forth between the hard drive and the RAM chips. This is known as thrashing. So, the rule of thumb is, if your Peak Commit Charge is greater than your total Physical Memory, you either need to install more RAM or reduce your commit charge by trimming down the number of running processes (which means programs and also optional Windows components).

Please let me know what you find, and also answer my other questions.

Good luck,

Dave

Edited by DaveM59, 03 December 2006 - 10:08 AM.


#5 bluerodent
  • Topic Starter

  • Members
  • 14 posts

Posted 07 December 2006 - 11:30 AM

Thanks Dave,

In answer to your questions:

I don't think I use a proxy server. Under LAN settings it is set to "Automatically detect settings". Under the proxy section there is an entry: 11.0.0.10 Port 80, but the section is greyed out and the box is not checked, so I'm assuming whatever is in there is being ignored. I use a wireless connection to a Netgear router (I live in a shared house so the connection is shared between 2-3 other people).

The only thing I can think of in terms of installed programs was that around the time it started I installed AVG anti-spyware, but I don't have it running on start-up - I just open it occasionally if I want to run it.

I have removed the line you mentioned in the HJT log.

Regarding processes: seems to show system idle fluctuating all the time between 95% and 97%, CPU usage on idle 4-5%

Main memory use:
explorer.exe cpu 0-2% fluctuating with mem usage 28k, peak 30k
svchost.exe mem usage 24k, peak 28.5k
MsMpEng.exe mem usage 15.8k, peak 21.4k
guard.exe mem usage 10.7k, peak 21.1k
Logitray.exe 7.9k (for both)
winlogon.exe mem 4.0k, peak 32.0k
services.exe cpu 3% mem 5.7k, peak 6.1k
utility.exe cpu 0-2% fluctuating, 5.5k (for both)

Commit Charge: Total 241,588K; Peak 275,324K; Limit 2,524,956K
Total Physical memory 1,048,044K


Hope all this makes some sense to you!

Thanks,

Ross

#6 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 07 December 2006 - 01:03 PM

Hi again Ross,

The numbers make sense. You've got plenty of memory. Nothing is hogging your CPU at idle.

Sounds like those proxy settings are not active, just as you said. Was this computer used in a big corporate office (or any sort of business setting) at one time?

Anyway, you can fix those two lines referring to proxy settings if you want, but it should not make any difference.

Next step is to open Internet Explorer and open Task Manager at the same time. Task Manager is set for "always on top" by default. Do some surfing and see what happens with CPU usage. Also see what happens to the commit charge figures at the bottom of the window (to the right of the CPU usage).

Please post a reply with your observations. If nothing looks out of line, we'll do a few scans to be sure malware is not causing this problem.

(Palm slap to forehead) Stupid of me not to think of this before -- are the other people in your house having problems with slow internet speeds? If that's the case, we are wasting our time looking in your computer.

Dave

#7 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 07 December 2006 - 08:18 PM

Hi Ross,

Give me a big dope-slap for this one.

The only thing I can think of in terms of installed programs was that around the time it started I installed AVG anti-spyware but I don't have it running on start-up - I just open it occasionally if i want to run it.


But, look at this line from your HijackThis log:

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

I have told three people this week that running two real-time antispyware scanners can slow down a system, but in your case I missed it. I noticed your Windows Defender but not the AVG. :thumbsup:

There should be an AVG-AS icon on the right side of your taskbar, next to your clock. Right-click it, and in the middle of the menu there are three lines, probably all with check marks by them:

Resident Shield
Automatic Updates
Start With Windows


Automatic updates can be left alone. Click Resident shield. The menu will close and the program icon will lose its colors. Right click it again to open, this time click the line Start with Windows. A warning message will pop up. Click Yes. Then right click once more, this time click the bottom line, Exit. Again you will get the warning message, click Yes to close the program. That should end the program and leave you with only Windows Defender running. Your AVG real-time scanner should be permanently disabled, however you can still use the program to scan your computer whenever you wish.

Note that unless you pay for the program, AVG-AS Shield and Auto Update features are disabled after thirty days. If you have paid for the program, you may choose to disable Windows Defender's real-time protection instead.

Whether this will cure your slow internet I don't know, you'll have to try it. But your symptoms are what I would expect if this is your problem.

Please accept my apologies, and let me know whether this helps.

Dave

#8 bluerodent
  • Topic Starter

  • Members
  • 14 posts

Posted 08 December 2006 - 01:43 PM

Thanks Dave,

This is very strange because I thought I had already disabled AVG-AS by deleting from the system tray.

I have just followed your instructions to the letter to disable it again, but when I re-boot my computer the guard.exe file is still shown as running under Processes. I re-ran HiJackThis and the O23 line entry was still showing too. Is there any other way you can think of disabling it (other than uninstalling AVG-AS altogether)?

Ross

#9 bluerodent
  • Topic Starter

  • Members
  • 14 posts

Posted 08 December 2006 - 02:43 PM

Dave,

I finally managed to disable AVG-AS using Run: services.msc

Need to do a bit of browsing to see if it's made a noticeable difference in speed. Will let you know how I get on.

Thanks very much for all your help.

Ross

#10 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 08 December 2006 - 09:30 PM

Hi Ross,

You're right, that is strange. Just for grins and giggles I ran HJT on my own machine, sure enough, there was that O23 for AVG Antispyware guard.exe. My 30 day trial expired a while ago, when I click the Shield tab in the program it says not available in the free version, just like that, underlined red letters. But services.msc confirms HJT, guard.exe was set to automatic (i.e. start with Windows). I'd call this a bug in the AVG-AS program.

Here's the skinny on HJT -- it's an enumerator-cum-registry editor, does a lot of other tricks too, but that's the heart of its functionality. So to disable guard.exe, I just put a check next to its line in HJT and clicked fix checked. It asked me whether I wanted to reboot (necessary to complete the fix), I said yes, and on reboot services.msc showed the service set to disabled.

So there's the other way to do it -- but one's no better than the other. Please let me know if it helped. Have you tried the check I suggested, tracking what happens to CPU usage while you are using Internet Explorer? Have you asked your housemates about their internet speed?

Let me know, I'll get back to you on Monday. We haven't done any malware scanning yet, I wanted to do the easy stuff first.

Cheers,

Dave

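The triage Dave does by hand in posts #4, #7 and #10 (checking the R1 proxy lines, the N3 homepage, orphaned toolbar entries, O23 services that start with Windows, and two real-time scanners running at once) can be scripted. This is an added example, not code from the thread or from HijackThis; the sample log below is constructed from the formats in this thread, and the allowlists (KNOWN_GOOD_HOMEPAGES, REALTIME_SCANNERS) are assumptions an analyst would adjust per case.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the HijackThis v1.99.1 log format quoted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 00:35:23, on 03/12/2006

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Documents and Settings\Owner\My Documents\Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 11.0.0.10:80
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.123found.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\prefs.js)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\msntb.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Assumed allowlists: the homepage the owner says is correct, and the
# real-time scanner engines named in this thread (process name -> product).
KNOWN_GOOD_HOMEPAGES = {"http://www.google.co.uk/"}
REALTIME_SCANNERS = {"msmpeng.exe": "Windows Defender", "guard.exe": "AVG Anti-Spyware"}

# HJT entries look like "O23 - Service: ..." ; the prefix is the section code.
ENTRY_RE = re.compile(r"^([RNFO]\d+) - (.*)$")


@dataclass
class HjtLog:
    processes: list = field(default_factory=list)  # paths under "Running processes:"
    entries: list = field(default_factory=list)    # (section, body) tuples


def parse_hjt(text):
    """Split a HijackThis log into its running-process list and its R/N/F/O entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
            else:
                log.processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append((m.group(1), m.group(2)))
    return log


def triage(log):
    """Return (category, detail) findings an analyst should look at."""
    findings = []
    for section, body in log.entries:
        if section == "R1" and "ProxyServer" in body:
            # A proxy the owner does not know about is worth confirming.
            findings.append(("proxy", body.split("=", 1)[1].strip()))
        elif section == "R0" and "Start Page" in body:
            url = body.split("=", 1)[1].strip()
            if url not in KNOWN_GOOD_HOMEPAGES:
                findings.append(("homepage", url))
        elif section == "N3" and "browser.startup.homepage" in body:
            m = re.search(r'"(https?://[^"]+)"', body)
            if m and m.group(1) not in KNOWN_GOOD_HOMEPAGES:
                findings.append(("homepage", m.group(1)))
        elif section in {"O2", "O3", "O9", "O18"} and (
                "(file missing)" in body or "(no file)" in body):
            # Registry entry pointing at a file that is gone: harmless leftover.
            findings.append(("orphan", body.split(" - ")[0]))
        elif section == "O23":
            # Services start with Windows regardless of tray settings (post #10).
            findings.append(("service", body.rsplit(" - ", 1)[1]))
    # Two real-time scanners at once is the slowdown found in post #7.
    running = [p.rsplit("\\", 1)[-1].lower() for p in log.processes]
    scanners = sorted({REALTIME_SCANNERS[b] for b in running if b in REALTIME_SCANNERS})
    if len(scanners) > 1:
        findings.append(("double-scanner", " + ".join(scanners)))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{category:15} {detail}")
```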
#11 bluerodent
  • Topic Starter

  • Members
  • 14 posts

Posted 11 December 2006 - 07:03 AM

Hi Dave,

I'm replying to this from a PC at work. I won't be at my house for a few days now so it'll be a little while before I get a chance to do the checks you've suggested. What sort of % CPU usage would you expect to see during normal surfing with Internet Explorer?

Cheers,
Ross

#12 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 11 December 2006 - 08:51 PM

Hi Ross,

It depends on your machine, obviously, but when IE is actually downloading a page I see usage spikes of 27, 33, 40 percent (this is the total usage down at the bottom of the Task Manager Window). But after each spike CPU usage quickly returns to its idling 2 percent. Note that this is for a page that actually has to be downloaded. If a page is retrieved from cache CPU usage is much less.

Actually had to fire up IE for the first time in weeks to check this--I use Firefox. :thumbsup: Anyway, with a very old PC it might be higher, with a state-of-the-art dual-core CPU it would be less. My machine is a very middling Sempron 2400, low end when I built it a year and a half ago.

What you are looking for is sustained high usage; with a bad slowdown you typically see 100 percent. That means it's causing the CPU to work continuously, which should not be the case for a web browser. Other programs, for example video software, will show sustained high usage, and usually you can set such programs to leave some spare CPU power for other tasks like web browsing. This allows you to use the computer while your movie is being encoded.

If a browser behaves like this it usually means it has been hijacked and is doing things behind your back. That's why I'm interested. However, some malware works in other ways and taxes the CPU without involving your browser.

Hope this explains why I'm interested in what you find. Please get back to me when you can and we'll see what further diagnostics might be advisable.

Cheers,

Dave

#13 bluerodent


Posted 17 December 2006 - 04:53 PM

Hi Dave - apologies for the delay in getting back to you, but I only got back to the house earlier today.

Spoke to my housemates - they reckon it slows a little at certain times of the day but they haven't experienced any major problems.

I did a check on CPU usage whilst browsing with IE:
Idling usage around 4%-5%.
Peaks vary enormously depending on site etc. - some are only 17%, 26% etc., but others are much higher: 46%, 77%, and a few peaking at 100% for a second or two.

Regards,

Ross

#14 DaveM59


Posted 17 December 2006 - 08:48 PM

Hi Ross,

I did a check on CPU usage whilst browsing with IE:
Idling usage around 4%-5%.
Peaks vary enormously depending on site etc. - some are only 17%, 26% etc., but others are much higher: 46%, 77%, and a few peaking at 100% for a second or two.

That might be normal, depending on how complicated the webpage is. I can't say for sure; I only checked a few sites. Frankly we're at the limit of my competency in this area; I am no expert on the internet or web issues.

However, before I refer you to the Browser forum, I think we'd better do what I said before. Let's do a little cleanup and run a couple of scans, just to rule out malware.

We're going to start with some HijackThis fixes. Three of the lines I am not sure of; they are these:

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

As you can see the common element is that (file missing) note at the end. This could mean that the application was uninstalled, but this registry entry got left behind. It also could mean that HijackThis made a mistake. It sometimes reports missing files in error. So, you need to do a little checking. The first item is the MSN toolbar. If it's working fine and you want to keep it, don't fix that line. Same goes for the Yahoo Services button (second line), and MSN Messenger (last line).

Having done that, you can do the HJT fix, keeping in mind that you may not need or want to fix those items listed above. Assuming you do, here are the instructions:

Open HijackThis and run a scan. When the scan is finished, put a check next to the following lines, if they are still present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 11.0.0.10:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

Close all other windows on your desktop, and make sure there are no programs minimized in your taskbar. This includes browsers. Then click Fix Checked. Close HijackThis. Reboot if instructed to do so.

Now let's run a couple of scans, just to rule out malware.

First go to the Kaspersky online scanner. Accept the terms, let it install an ActiveX program (since you have XP SP2 this is blocked by default, you must allow it), then accept the terms again, let it download the files (about 8 MB total). Click Next, and select "My Computer" as the scan area. Kaspersky takes a long time but it is very thorough. When it is finished, save the report as a text file (easier to work with than an HTML file) to your desktop.

Next, let's run a rootkit scan.

Please download Blacklight Beta here. You can read the information on the download page for an idea of what it will do. Download it to your desktop and double click to open. Accept the agreement, then on the next screen click the Scan button. When the scan is finished, click Next. If anything was found, let Blacklight clean it. Then exit the program. You will find a log file on your desktop, named fsbl-xxxxxxxxxxxxx.log. The x's are numbers, the first four being the current year. This is a text file and can be opened with Notepad.

And to finish up, run a fresh HijackThis scan and post that log, along with the Kaspersky and Blacklight reports, to your next reply.

Good luck,

Dave
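As an added example (not code from this thread, from Dave, or from HijackThis itself), here is a small Python triage that parses lines in the HijackThis log format, pulls out the section, CLSID and file path, and flags the "(file missing)" / "(no file)" entries that need the manual check described above, along with the R1 ProxyServer setting that is in the fix list. The sample log is constructed from the lines quoted in the post, plus one made-up O23 service line (labelled hypothetical) so a normal, unflagged entry is shown.

```python
import re

# Constructed sample: the HijackThis lines quoted in the post above, plus one made-up
# O23 service line (hypothetical, not from the thread) to show an entry that is not flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 11.0.0.10:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Example Guard (hypothetical) - Unknown owner - C:\Program Files\Example\guard.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
MISSING_MARKERS = ("(file missing)", "(no file)")

def parse_hjt_line(line):
    """Split one HJT line into section, CLSID, path and flags; None if not an HJT line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "clsid": None, "path": None,
             "file_missing": body.endswith(MISSING_MARKERS), "proxy_server": None}
    clsid = CLSID_RE.search(body)
    if clsid:
        entry["clsid"] = clsid.group(0).upper()
    proxy = PROXY_RE.search(body)
    if proxy:
        entry["proxy_server"] = proxy.group(1)
    # On O-section lines the last " - " separated field is the file path (quotes and the
    # "(file missing)" marker stripped); "(no file)" means there is no path at all.
    last = body.split(" - ")[-1]
    if section.startswith("O") and last != "(no file)":
        entry["path"] = last.replace("(file missing)", "").strip().strip('"')
    return entry

def triage(log_text):
    """Return (line, reason) pairs for entries needing a human decision before 'Fix checked'."""
    flagged = []
    for raw in log_text.splitlines():
        e = parse_hjt_line(raw)
        if e and e["file_missing"]:
            flagged.append((raw, "referenced file is missing: confirm the program is really gone"))
        elif e and e["proxy_server"]:
            flagged.append((raw, "IE proxy server is set to " + e["proxy_server"]))
    return flagged
```

Running `triage(SAMPLE_LOG)` flags the four "file missing"/"no file" lines and the ProxyServer line, while the ProxyOverride line and the service line with an existing file pass through untouched.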

#15 bluerodent


Posted 23 December 2006 - 04:18 PM

Dave,

Having great difficulty getting Kaspersky to load - it keeps saying I should have Admin rights (which I do) and medium security settings (which I do), but then doesn't load anything up. Any ideas?

Thanks,

Ross
