
Xp Pro Suddenly Running Very Slowly - Help - Nothing Turns Up With Standard Worm/virus/trojan Scans


7 replies to this topic

#1 lazzlazz

Posted 05 February 2007 - 09:11 PM

HijackThis log is below. My computer has slowed way down in the last few weeks and I can't figure out why.
I'm not sure if all the detail on history will help but here's what I can recall. I'm running XP professional (32 bit encryption I believe).
OS version 5_1_2600, SP 2.0 (installed over a year ago so not the culprit), Product 256_1.
Scanned with cleanmgr, Ad-Aware, Spybot, Trend-Micro Housecall, McAfee Stinger, Kaspersky, Norton Antivirus, running ZoneAlarm, Windows updates are current.

Back in Mid-January, McAfee required me to update their "internet security" program in order to get new virus definitions (McAfee shipped with the computer so I was using it until it expired). That is when a lot of problems began. Simultaneously, I decided to update to IE 7. I also was running ZoneAlarm.

I needed to do a backup - and I have used Ghost as I like the complete image of the hard drive. I first tried Ghost booting from a CD; since it was very slow, on Jan 22, 2007 I decided to try downloading a free copy of Ghost 10.0 to see if that would speed things up. It didn't, and twice it crashed halfway through the 2nd DVD, a very bad crash (blue screen) and something about a Kernel_Page_Error or something. I was able to recover but XP warned me it had recovered from a serious error. I'm not sure what caused this error - later I realized I should have selected "partition to image" instead of "disk to image" and don't know if that was the problem. See below for a chkdsk error report reporting a "dirty volume" and the fixes it made. (I have since made an image using Ghost booting from the CD and just letting it take its time, so my hard drive (at least the largest partition) has been imaged).

The day after trying to backup with Ghost 10 I went on vacation to see my family. On Jan 24, I installed some camera software my brother had (which installed Raw File Converter LE and Fine Pix Viewer, and possibly other things; the first 2 have since been uninstalled).

Prior to leaving on vacation, my system seemed to run fine - no slowing (I was burning some DVDs and the speed was high and I was able to do other things on the computer without the severe slowdown I started to notice on Jan 25). On Jan 25, I needed to burn some DVDs and the computer was noticeably slower - DVD burning speed was 4-5 times what it had been and the computer was (uncharacteristically) very slow to respond if I tried to surf the internet, etc.

Once I got back from vacation, I started troubleshooting. I uninstalled McAfee (including finally on Feb 1 using the McAfee tool mcpr.exe to complete the uninstall). After running the tool, I got an error message on reboot saying "One of the files containing the system's registry data had to be recovered by the use of a log or alternate copy. The recovery was successful." After this, my ZoneAlarm settings were all gone. On Feb. 4, at some point, I got a message saying that ZoneAlarm files might be corrupted so I uninstalled and reinstalled.

Additionally, I went into msconfig and, using sysopt.org to guide me, unchecked a number of things that were slowing down startup (although they were starting up before my computer slowed down, so are unlikely the reason why my computer began running so slowly). I also removed (using the Add/Remove Programs option in Control Panel) any installed Java programs and a number of other programs which have been installed for a long time but which I don't use, including MSN Messenger (which may be why some of the HijackThis log entries report files being missing?). I also removed PaperPort viewer; I'm not sure whether that shipped with the Dell system or got installed on Jan 24 when I installed some camera software.

I also installed Firefox (and a few days later decided to try uninstalling IE7, which didn't improve anything), ran Housecall from Trend Micro (nothing), ran Norton AV online (nothing), ran Spybot and Ad-Aware (with an update for each before running). Spybot and Ad-Aware definitely seemed to take longer to run, and DVD burning was just as slow. I started watching the Performance tab in Windows Task Manager: my CPU history was at or close to 100% when running the antivirus/antispyware programs. One thing I did eventually discover was my memory management was set to run between 1.5 and 3x my system RAM (which is 1 GB); from reading various sites, it seemed it was better to select "let Windows manage" so I changed that (and no improvement). There were also some Minidump files from the crashes which it seemed from reading various sites should be deleted, which I did (but I saved a copy of them to my email first, just in case). I also ran chkdsk /f /r overnight (see below for the report from 1/28/07). I ran Defrag as well and it crashed partway through. I think I ran chkdsk and after that was able to run Defrag successfully. I also ran Disk Cleanup.

Yesterday, Feb. 4 I finally decided to open up the laptop to see if there was dust on the heat sink and circuitboards that was causing the slow-down.
I'd never done this before but followed Dell's online instructions to get things open and the dust situation was not bad - the most dust was on the fan but little on the heat sink or other circuit boards (blew dust off with compressed air). Computer was still running slowly when I rebooted.
Then I downloaded Kaspersky and ran a full scan (nothing) and since I had Norton SystemWorks 2003, decided to install that (I disabled Kaspersky). Norton OneButton Checkup found some registry errors and shortcut errors. Norton Disk Doctor found some errors it could not fix while Windows was running and so I selected "run at reboot" and it ran chkdsk (I assume with the /f and /r options?) overnight. Today, Feb. 5, I decided to try System Restore. I began with the oldest restore point (Jan 22) but found it couldn't restore. I tried others, uninstalled Norton (including using the Norton Removal Tool), Kaspersky, ZoneAlarm, RealPlayer to see if that would allow me to restore - nothing. I tried to see if I could restore to a point from late last night - no. I ran McAfee Stinger and nothing was found. (Since running and posting the HijackThis log below, I also did as suggested in the ZoneLabs forum to avoid the problem with ZoneAlarm's file backup.rdb eating up a big chunk of the System Restore space: http://forum.zonelabs.org/zonelabs/board/m...essage.id=36218 and http://forum.zonelabs.org/zonelabs/board/m...essage.id=35671. I haven't yet eliminated my old System Restore points but may have to if I can't access them).

I've also gone to Microsoft Update and reinstalled IE 7.0 and all the optional software and hardware updates (except the one for WMPlayer 11 - I don't use the program); I was up-to-date with all critical updates. I also tried going to Admin Tools/Local Security Settings/Security Options/ and enabling "Shutdown: clear virtual memory pagefile" but my system won't shut down if I do that (it gets to the Windows Is Shutting Down screen and hangs - I've let it run for over 5 minutes in case it's doing something but I have to shut it down by pressing the power button for 10 seconds or so; I've tried enabling this on 2 different occasions over the last 24 hours or so with the same result, so I'm pretty sure it's hanging because this is enabled).

I know XP is known for slowdowns so I'm wondering what the next step is to up the computer's speed to what it should be - do I reinstall XP? I have had a problem with 2 Dell adapters burning out - one phone tech suggested it was due to Motherboard problems - at that point, I didn't want to deal with a motherboard switch if not necessary (another 90W Dell adapter worked just fine, whereas the 65W Dell Inspiron 6000 adapters kept failing every 4-5 months) and asked them to just send another adapter. But perhaps it is a motherboard issue? Another possibility is RAM - I have 2 DIMMS for a total of 1 GB. My system still registers 1 GB of RAM - but is it possible for RAM to fail and the system record of RAM to not reflect that failure?

I really need to get my computer's speed back up. Adding RAM doesn't seem to be the solution as my system worked great just 1 month ago with 1 GB - something has happened that has caused it to slow dramatically down.

Finally, spyware/viruses/trojans could be an issue. I've always run with ZoneAlarm (grc.com registers me in true stealth mode for all 1056 ports it checks) and antivirus protection, but maybe something along those lines is causing this?

Any suggestions would be great (I've reinstalled ZoneAlarm and Norton to go online; those aren't reflected in the HijackThis log below). I've spent days searching the internet trying to figure out how to diagnose and solve the problem and haven't yet found the solution.

HIJACKTHIS LOG
==============================
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.ucsd.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170714744984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = xxxxxxxxxxxxxxxxxx (x-ed out for privacy)
O17 - HKLM\System\CS1\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = xxxxxxxxxxxxxxxxxx (x-ed out for privacy)
O17 - HKLM\System\CS2\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = xxxxxxxxxxxxxxxxxx (x-ed out for privacy)
O17 - HKLM\System\CS3\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = xxxxxxxxxxxxxxxxxx (x-ed out for privacy)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

===========================

Other perhaps useful information:

From the Event Viewer: I get Error ID 111 for the System Restore failure.
Event Type: Information
Event Source: SRService
Event Category: None
Event ID: 111
Date: 2/5/2007
Time: 11:53:40 AM
User: N/A
Computer: LYOVIK
Description:
A restoration to "System Checkpoint" restore point failed. No changes have been made to the system.
==============
Other "reports"

2/2/2007

Checking file system on C:
The type of the file system is NTFS.
Cleaning up 85 unused index entries from index $SII of file 0x9.
Cleaning up 85 unused index entries from index $SDH of file 0x9.
Cleaning up 85 unused security descriptors.
CHKDSK is verifying file data (stage 4 of 5)...
Read failure with status 0xc000009c at offset 0xc0f7b000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0xc0f7b000 for 0x1000 bytes.
Windows replaced bad clusters in file 34481
of name \i386\licdll.dll.
File data verification completed.
CHKDSK is verifying free space (stage 5 of 5)...
Free space verification is complete.
Adding 1 bad clusters to the Bad Clusters File.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

73489342 KB total disk space.
22249352 KB in 64312 files.
23908 KB in 5698 indexes.
328 KB in bad sectors.
174646 KB in use by the system.
65536 KB occupied by the log file.
51041108 KB available on disk.

4096 bytes in each allocation unit.
18372335 total allocation units on disk.
12760277 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.
=================================
1/28/2007
Checking file system on C:
The type of the file system is NTFS.

The volume is dirty.
Cleaning up minor inconsistencies on the drive.
Cleaning up 7 unused index entries from index $SII of file 0x9.
Cleaning up 7 unused index entries from index $SDH of file 0x9.
Cleaning up 7 unused security descriptors.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

73489342 KB total disk space.
56198676 KB in 69789 files.
27448 KB in 5925 indexes.
0 KB in bad sectors.
174686 KB in use by the system.
65536 KB occupied by the log file.
17088532 KB available on disk.

4096 bytes in each allocation unit.
18372335 total allocation units on disk.
4272133 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.

======================================
1/22/2007

Checking file system on C:
The type of the file system is NTFS.

The volume is dirty.
The attribute of type 0x80 and instance tag 0x1 in file 0x8
has allocated length of 0x7d047d000 instead of 0x10a770d000.
Deleting corrupt attribute record (128, $Bad)
from file record segment 8.
Cleaning up minor inconsistencies on the drive.
Cleaning up 840 unused index entries from index $SII of file 0x9.
Cleaning up 840 unused index entries from index $SDH of file 0x9.
Cleaning up 840 unused security descriptors.
Correcting errors in the Bad Clusters File.
CHKDSK discovered free space marked as allocated in the
master file table (MFT) bitmap.
CHKDSK discovered free space marked as allocated in the volume bitmap.
Windows has made corrections to the file system.

73489342 KB total disk space.
21337356 KB in 63711 files.
27148 KB in 5853 indexes.
0 KB in bad sectors.
174682 KB in use by the system.
65536 KB occupied by the log file.
51950156 KB available on disk.

4096 bytes in each allocation unit.
18372335 total allocation units on disk.
12987539 allocation units available on disk.

Internal Info:

Windows has finished checking your disk.
Please wait while your computer restarts.

============
Product: Windows Operating System
Event ID: 111
Source: SRService
Version: 5.2
Symbolic Name: EVMSG_RESTORE_FAILED
Message: A restoration to "%1" restore point failed. No changes have been made to the system.

Explanation
The System Restore service could not restore the system.

Possible causes include:

The restore point is corrupted.
There is an unknown problem with the system.

Edited by lazzlazz, 05 February 2007 - 09:48 PM.
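The three chkdsk reports in the post above carry the most concrete diagnostic signal in the thread: repeated read failures at one offset, a file with remapped clusters, and a bad-sector count that rises from 0 KB to 328 KB across runs. The Python below is an added example (not part of lazzlazz's post) that parses reports in that autochk format, sorts them by date and turns those signals into findings; SAMPLE is a constructed, abbreviated copy of the posted reports, and NTSTATUS_NAMES holds standard Windows status codes.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: abbreviated copies of the three reports in the post, in the
# order they were posted (newest first); the parser re-sorts them by date.
SAMPLE = """\
2/2/2007
Read failure with status 0xc000009c at offset 0xc0f7b000 for 0x10000 bytes.
Read failure with status 0xc000009c at offset 0xc0f7b000 for 0x1000 bytes.
Windows replaced bad clusters in file 34481
of name \\i386\\licdll.dll.
Adding 1 bad clusters to the Bad Clusters File.
Windows has made corrections to the file system.
328 KB in bad sectors.
=================================
1/28/2007
The volume is dirty.
Cleaning up minor inconsistencies on the drive.
0 KB in bad sectors.
======================================
1/22/2007
The volume is dirty.
Correcting errors in the Bad Clusters File.
0 KB in bad sectors.
"""

# Standard NTSTATUS values autochk reports on media problems.
NTSTATUS_NAMES = {
    0xC000009C: "STATUS_DEVICE_DATA_ERROR",  # uncorrectable read: bad block on the media
    0xC0000185: "STATUS_IO_DEVICE_ERROR",    # controller / cable level I/O failure
}

DATE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4})$")
READ_FAIL_RE = re.compile(r"Read failure with status (0x[0-9a-fA-F]+) at offset "
                          r"(0x[0-9a-fA-F]+) for (0x[0-9a-fA-F]+) bytes")
BAD_KB_RE = re.compile(r"^(\d+) KB in bad sectors\.$")
ADDED_RE = re.compile(r"^Adding (\d+) bad clusters? to the Bad Clusters File\.$")
NAME_RE = re.compile(r"^of name (.+)\.$")


@dataclass
class ChkdskReport:
    date: datetime
    dirty: bool = False                                # "The volume is dirty."
    bad_sector_kb: int = 0                             # summary block figure
    clusters_added: int = 0                            # clusters newly remapped this run
    read_failures: list = field(default_factory=list)  # (status, offset, length) as ints
    damaged_files: list = field(default_factory=list)  # files whose clusters were replaced


def parse_reports(text):
    """Split concatenated chkdsk reports on their date headers; return them oldest first."""
    reports, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = DATE_RE.match(line)
        if m:
            cur = ChkdskReport(date=datetime.strptime(m.group(1), "%m/%d/%Y"))
            reports.append(cur)
            continue
        if cur is None:
            continue  # text before the first date header
        if line == "The volume is dirty.":
            cur.dirty = True
        elif (m := READ_FAIL_RE.search(line)):
            cur.read_failures.append(tuple(int(x, 16) for x in m.groups()))
        elif (m := BAD_KB_RE.match(line)):
            cur.bad_sector_kb = int(m.group(1))
        elif (m := ADDED_RE.match(line)):
            cur.clusters_added += int(m.group(1))
        elif (m := NAME_RE.match(line)):
            cur.damaged_files.append(m.group(1))
    reports.sort(key=lambda r: r.date)
    return reports


def assess(reports):
    """Turn a chronologically sorted report list into plain-language findings."""
    findings = []
    for r in reports:
        day = f"{r.date:%Y-%m-%d}"
        for status, offset, length in r.read_failures:
            name = NTSTATUS_NAMES.get(status, "unrecognised NTSTATUS")
            findings.append(f"{day}: read failure {status:#010x} ({name}) "
                            f"at offset {offset:#x}, {length:#x} bytes")
        for f in r.damaged_files:
            findings.append(f"{day}: bad clusters remapped inside {f}; that file is now suspect")
    first, last = reports[0], reports[-1]
    if last.bad_sector_kb > first.bad_sector_kb:
        findings.append(f"bad sectors grew from {first.bad_sector_kb} KB ({first.date:%Y-%m-%d}) "
                        f"to {last.bad_sector_kb} KB ({last.date:%Y-%m-%d}): the media is "
                        "degrading; image the disk now and plan a replacement (retries on bad "
                        "blocks also explain stalls and slow I/O)")
    dirty_runs = sum(r.dirty for r in reports)
    if dirty_runs:
        findings.append(f"volume was dirty at {dirty_runs} of {len(reports)} runs "
                        "(unclean shutdowns or crashes)")
    return findings
```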



#2 lazzlazz


Posted 09 February 2007 - 01:02 AM

Since no one's replied yet and since I had to get anti-virus protection (Trend Micro for now), I'm posting a new HijackThis log. I also ran some PC Pitstop diagnostics (as shown in the new log) and also ran F-Secure's BlackLight (beta) which turned up nothing. (This isn't an attempt to bump ... merely to have a correct log here). I also installed Java 6.0 from the Sun website (currently turned off).

(If it's of any relevance, I noticed in the msconfig "startup" tab, one of my entries (checked) is blank under "start up item" and "command" and location is HKLM\software\microsoft\windows\currentVersion\Run. Is this OK? Or is it some suspicious something starting at bootup?)

Also: if nothing else, can HijackThis experts please tell me how to deal with the "file missing" entries in the log.

Logfile of HijackThis v1.99.1
Scan saved at 9:42:37 PM, on 2/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.XXblockedoutforprivacyxx.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

**O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - HKLM\..\Run: [PCPitstop Disk MD Registration Reminder] C:\Program Files\PCPitstop\Disk MD\Reminder.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll ***this appears to be related to Trend Micro***
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170714744984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = XXXXXXXXXXXXXXXXXXXX
O17 - HKLM\System\CS1\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = XXXXXXXXXXXXXXXXXXXX
O17 - HKLM\System\CS2\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = XXXXXXXXXXXXXXXXXXXX
O17 - HKLM\System\CS3\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = XXXXXXXXXXXXXXXXXXXX
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Edited by lazzlazz, 09 February 2007 - 01:08 AM.
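The post above asks what to make of the "(file missing)" entries, the repeated O10 LSP lines and the blank autostart entry. The Python below is an added example (not part of the thread or of HijackThis itself) that parses HijackThis v1.99 item lines, groups them by section code and produces the triage notes a helper would write: orphan entries pointing at nothing, LSP DLLs counted per chain entry, and redacted O17 NameServer values. SAMPLE_LOG is a constructed excerpt shaped like lazzlazz's second log; SECTION_MEANING summarises HijackThis's own item codes.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the shape of the posted log (header and process lines are ignored).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
C:\\WINDOWS\\system32\\lsass.exe
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\\Program Files\\GoogleAFE\\GoogleAE.dll
O4 - HKLM\\..\\Run: [Zone Labs Client] "C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\tmlsp.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = XXXXXXXXXXXXXXXXXXXX
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\\Program Files\\Common Files\\Symantec Shared\\SNDSrvc.exe (file missing)
"""

HJT_LINE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
MISSING_MARKERS = ("(file missing)", "(no file)")   # HijackThis's own orphan markers
NAMESERVER_RE = re.compile(r"NameServer = (\S+)")

SECTION_MEANING = {
    "R0": "IE start/search page", "R1": "IE / Internet Settings value",
    "O2": "Browser Helper Object", "O4": "autostart (Run key or Startup folder)",
    "O9": "IE toolbar button / Tools menu item", "O10": "Winsock LSP",
    "O16": "ActiveX download (DPF)", "O17": "DNS / NameServer setting",
    "O20": "Winlogon Notify DLL", "O23": "NT service",
}


def parse_hjt(text):
    """Return [(code, body)] for every item line; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Group entries by section and pull out the three things the thread is asking about."""
    report = {"by_section": defaultdict(list), "orphans": [],
              "lsp_dlls": Counter(), "redacted_nameservers": 0}
    for code, body in entries:
        report["by_section"][code].append(body)
        if body.endswith(MISSING_MARKERS):
            report["orphans"].append((code, body))      # registry points at a file that is gone
        if code == "O10":
            report["lsp_dlls"][body.rsplit(": ", 1)[-1].lower()] += 1
        if code == "O17":
            m = NAMESERVER_RE.search(body)
            if m and re.fullmatch(r"[xX]+", m.group(1)):
                report["redacted_nameservers"] += 1
    return report


def summarize(report):
    """Plain-language triage notes in the order a helper would read them."""
    notes = []
    for code, body in report["orphans"]:
        notes.append(f"{code} orphan ({SECTION_MEANING.get(code, code)}): {body} -> leftover "
                     "registry entry with no file behind it; generally safe to tick and Fix")
    for dll, n in report["lsp_dlls"].items():
        notes.append(f"O10 Winsock LSP {dll} listed {n} times: one line per protocol chain entry "
                     "is normal for a single vendor's LSP; confirm the publisher, and remove LSPs "
                     "only with an LSP-aware tool since a broken chain takes networking down")
    if report["redacted_nameservers"]:
        notes.append(f"{report['redacted_nameservers']} O17 NameServer value(s) redacted: DNS "
                     "hijacking cannot be ruled out without them; share them privately instead")
    return notes
```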


#3 Rosty

  • Malware Response Team

Posted 10 February 2007 - 08:45 AM

Hi lazzlazz,

Can/will you please post a non-modified HijackThis log?
That means don't change anything in it like you did with the O17 lines!!

O17 - HKLM\System\CCS\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = xxxxxxxxxxxxxxxxxx (x-ed out for privacy)

We need that info to make a proper analysis of your system.


Regards,

Rosty.
Proud member of ASAP since 2007

#4 lazzlazz

  • Topic Starter
  • Members
  • 4 posts

Posted 11 February 2007 - 02:25 AM

Hi,
Can the analysis be done without just the IP address (see O17 lines below)? I really don't want my IP address posted if it can be avoided (I can PM you the IP address if it's really necessary). I'm sorry, but I tend to be very cautious. Thanks.

New HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 11:20:12 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Trend Micro\AntiVirus 2007\TAVScan.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\laura\My Documents\mydownloads\hijackthisjan312007\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.ucsd.edu:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Trend Micro AntiVirus 2007] C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe -1 --delay 15
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1170714744984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = xxx.xx.xx.x,132.139.1.52,127.110.0.26 X's are for IP address
O17 - HKLM\System\CS1\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = xxx.xx.xx.x,132.139.1.52,127.110.0.26
O17 - HKLM\System\CS2\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = xxx.xx.xx.x,132.139.1.52,127.110.0.26
O17 - HKLM\System\CS3\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = xxx.xx.xx.x,132.139.1.52,127.110.0.26
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Trend Micro AntiVirus Protection Service (tavsvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#5 Rosty

  • Malware Response Team
  • 1,220 posts

Posted 11 February 2007 - 05:13 AM

Hi lazzlazz,

How old is the old computer? From the looks of the CHKNTFS logs I have a feeling that the hard disk is quickly dying.
How regularly do you use Ghost? I have a friend who also uses Ghost, on a weekly basis, and has no qualms with restoring images.


Please,

Run HijackThis.
Click on Open the Misc Tools Section.
Then press Generate StartupList log, making sure that both boxes next to it are checked.
Select Yes at the prompt.
A Notepad file will open, and will automatically be saved in your HijackThis folder.
Paste this log in your next reply.
More information with a screenshot, can be found here.


Regards,

Rosty.

#6 lazzlazz

  • Topic Starter
  • Members
  • 4 posts

Posted 11 February 2007 - 05:58 PM

Hi,
Thanks for your reply. The Dell laptop is just about 13 months old, but I have bad hard drive karma. I had 2 hard drives fail within the first 2 years on a Gateway desktop purchased in 2000, although it could be Gateway was installing and replacing with garbage; when I went out and simply purchased a Seagate drive (even though the computer was still under warranty), that solved the problem (hasn't failed in over 4 years!). What entry in the HijackThis log tells you about the CHKNTFS log?

Below is the requested log from HijackThis/Generate StartupList log.

About Ghost: I don't image terribly often due to it taking so long, but I did image the drive (by booting from a CD rather than running it from within Windows) a few weeks ago and am probably going to do it once more tonight just to be safe. I also *just* managed to greatly speed up the hard drive to where it seems to be back to where it was; see http://pcpitstop.com/pcpitstop/DskSlow.asp, section on "Make sure DMA is enabled" (I have been searching the internet for almost 2 weeks trying to figure out why the system is so slow and no website I looked at mentioned this possibility!). I don't know how DMA got disabled, but I was able to enable it (although from reading the Microsoft info pages, if there's a deeper problem, it could end up disabled again). I ran a PC Pitstop report about a week ago and it didn't mention that my hard drive was slow (thus, it didn't refer me to that info page). (I also have SpeedFan installed and it seems that my CPU is running a lot cooler in the hour or so since I figured out this DMA thing; it had been registering temps in the 80-90 degrees C range; now it's down to 64 C. Maybe it's just because I haven't been running any CPU-intensive programs.)
I'm also a bit worried about my hard drive; some other program I ran (I can't remember which) suggested there might be problems.

What do you suggest doing about the hard drive; are there any diagnostic tests I should run? I could go to grc.com and update to their XP version of SpinRite; I only have v. 5.0, so I've been holding off on paying the $30 to upgrade, but maybe I need to.

I also am still wondering about how to resolve the "file missing" entries from the HijackThis log, and whether it appears there may be any malware/grayware/spyware/virus/trojans on the system.

I've tried to minimize what loads at startup via msconfig. I still have Adobe Reader Synchronizer launching (sysinfo.org doesn't have an entry on that). I also have Adobe Reader Speed Launch loading, which could go, but I decided to keep it. I just noticed PC Pitstop put in a few things which should go. Also, PC Pitstop Optimize recommended not having igfxhkcmd load ... I don't have anything in msconfig by that name, but I suspect it's referring to igfxpers, hkcmd (which can go(?)), and igfxtray (also can go?), and igfxpers (not sure whether I am better off keeping this, although sysinfo.org says "not required or recommended"). I suspect these things aren't eating up much of the startup time (except for the PC Pitstop items), esp. relative to the time it takes for ZoneAlarm and Trend Micro to load.

StartupList report, 2/11/2007, 2:38:24 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\laura\My Documents\mydownloads\hijackthisjan312007\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.5730.0011)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavsvc.exe
C:\Program Files\Trend Micro\AntiVirus 2007\Components\tmproxy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\AntiVirus 2007\tavui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Documents and Settings\laura\My Documents\mydownloads\hijackthisjan312007\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\laura\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

Edited by lazzlazz, 11 February 2007 - 06:20 PM.


#7 Rosty

  • Malware Response Team
  • 1,220 posts

Posted 13 February 2007 - 10:44 AM

Hi lazzlazz,

thanks for the log.

I also still am wondering about how to resolve the "file missing" entries from the hijack this log,

Do not worry about those; that's a bug in HijackThis.

I've tried to minimize what loads at startup via msconfig.

Please don't do that, we need every item that loads at startup.

Download WinPFind.exe to your desktop and double-click on the WinPFind.exe file to extract the contents.

It will create a folder named WinPFind on your desktop.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Open the WinPFind folder on your desktop and double-click on the WinPFind.exe file to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here and I will review the information when it comes in.

Regards,

Rosty.
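Two points in this thread turn on reading HijackThis output correctly: the O17 NameServer lines Rosty asked to have left unredacted in post #3 (a changed DNS server is the classic hijack indicator), and the O23 "(file missing)" entries he attributes to a HijackThis bug in post #7. The following triage script is an added example, not part of the original thread and not HijackThis's own code. It parses the O17/O20/O23 sections and the "Running processes" list of a 1.99.1-format log, classifies each NameServer address by scope, and reconciles every "(file missing)" flag against the live process list: in the posted logs Brmfrmps.exe appears under Running processes while its O23 line is flagged missing, and that ImagePath carries a stray closing quote before "-service", so the cross-check marks it as a parse artifact rather than a real missing binary. The sample log is a constructed excerpt modelled on the posted lines, with the DNS addresses replaced by 8.8.8.8 (a well-known public resolver), loopback and an RFC 1918 address; the spurious/verify/present verdicts are this example's own labels.

```python
import ipaddress
import re

# Constructed excerpt in HijackThis 1.99.1 log format, modelled on the logs
# posted in this thread. DNS addresses are substituted (8.8.8.8 as a
# well-known public resolver, loopback, RFC 1918); the other lines mirror
# the posted ones, including the stray '"' in the brmfrmps ImagePath.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{1287227C-13AC-46C2-8F41-5160825709A6}: NameServer = 8.8.8.8,127.0.0.1,10.0.0.2
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<dll>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.+?)"
                    r"(?P<missing> \(file missing\))?$")
# Executable inside an ImagePath: drop a leading quote and anything after
# the .exe (arguments, or the stray closing quote seen in the thread's log).
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.IGNORECASE)
SHORT_RE = re.compile(r"\((?P<short>[^()]+)\)\s*$")  # "(brmfrmps)" at end of name


def dns_scope(ip_text):
    """Classify a NameServer address as loopback, private, public or invalid."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    return "public"


def parse_log(text):
    """Return (running processes lower-cased, O17 list, O20 list, O23 list)."""
    running, dns, notify, services = set(), [], [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line terminates the process list
                in_procs = False
            else:
                running.add(line.lower())
            continue
        if m := O17_RE.match(line):
            dns.extend((ip.strip(), dns_scope(ip)) for ip in m["servers"].split(","))
        elif m := O20_RE.match(line):
            notify.append((m["name"], m["dll"]))
        elif m := O23_RE.match(line):
            exe = EXE_RE.match(m["image"])
            short = SHORT_RE.search(m["name"])
            services.append({
                "name": short["short"] if short else m["name"],
                "exe": exe["exe"] if exe else m["image"],
                "reported_missing": m["missing"] is not None,
            })
    return running, dns, notify, services


def service_verdict(svc, running):
    """Reconcile a '(file missing)' flag with the live process list."""
    if not svc["reported_missing"]:
        return "present"
    if svc["exe"].lower() in running:
        # A binary that is running cannot be missing: the flag comes from
        # how the ImagePath was parsed (quote/argument handling), not the disk.
        return "spurious"
    return "verify"        # not seen running: check the path on disk by hand


def triage(text):
    running, dns, notify, services = parse_log(text)
    return {
        "dns": dns,
        "winlogon_notify": notify,
        "services": {s["name"]: service_verdict(s, running) for s in services},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for ip, scope in report["dns"]:
        print(f"O17 NameServer {ip:<16} {scope}")
    for name, dll in report["winlogon_notify"]:
        print(f"O20 Winlogon Notify {name}: {dll}")
    for name, verdict in report["services"].items():
        print(f"O23 {name:<10} {verdict}")
```

Run it against a real log by passing the file's contents to `triage()`. A "verify" verdict means only that the service binary was not running at scan time, which is normal for a stopped service; it is the "spurious" class that explains the entries in this thread, while a loopback or unexpected public address under O17 is what the helper needed to see before ruling out DNS tampering.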

#8 Rosty

  • Malware Response Team
  • 1,220 posts

Posted 26 March 2007 - 11:01 AM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Regards,

Rosty.



