
XP Box - Help w/ HiJackThis Log

Discussion in 'Security and Privacy' started by CharlieJ, 2004/06/17.

Thread Status:
Not open for further replies.
  1. 2004/06/17
    CharlieJ

    CharlieJ Inactive Thread Starter

    Guys,
    I'm at a friend's house helping with their PC. The major problem is sluggish DSL speeds on the Net. We have installed & run Ad-aware6 and Spybot 1.3. All told, these two found ~125 items. All have been cleaned. We rebooted and Ad-aware finds nothing new. Spybot is set to immunize. A port checker was run, but it found 0 trojans on UDP ports. We just finished a Trend Micro online scan, too. No viruses found.

    The box is a GW E-series w/ 256Mb RAM and XP Home. They run MSN Messenger and AIM almost all the time on the Net.

    Please help us figure out if they have lingering problems. Here's HiJackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 8:10:16 PM, on 6/17/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\WINNT\System32\CTHELPER.EXE
    C:\WINNT\System32\CTHELPER.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\Program Files\Microsoft Money\System\urlmap.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/slv/ycheck/hp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/slv/ycheck/hp/*http://www.yahoo.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue: "Keyboard Preload Check "
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: PowerReg Scheduler V3.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2FD74BEC-AA17-49C0-A74E-3B20BE946496} - http://www.cursorzone.com/toolbar/files/czone_bundle_p2.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06ffa7950d8100f42f20/netzip/RdxIE6.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://152.2.61.67/activex/AxisCamControl.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    THANKS folks!
     
  2. 2004/06/17
    noahdfear

    noahdfear Inactive

    The first problem I see is this.

    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    HijackThis needs to be put in a permanent folder. Just open C: and right click>new>folder. Name it HJT, then cut/paste HijackThis.exe from the temp folder to the new.

    Open, scan again and check the following. Close all other windows and fix.

    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
    O16 - DPF: {2FD74BEC-AA17-49C0-A74E-3B20BE946496} - http://www.cursorzone.com/toolbar/f...e_bundle_p2.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06ffa7950d8100...tzip/RdxIE6.cab
    O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab



    The MSN toolbar, if you want to continue using it, needs to be re-installed since a file is missing. We just fixed the obsolete entry for it.

    Please see the following link related to the Grokster entry.
    http://www.pestpatrol.com/PestInfo/G/Grokster.asp
    Search for any of the mentioned programs and get rid of them if found.

    Because of the ak.imgfarm.com entry, I would like you to first search for Fun Web Products and recommend you get rid of them if found. Add/remove programs, then delete the folder. It usually introduces the Lop nasty. We need to check for that too. Paste the following command into the address window and hit enter. Copy the contents of the resulting window and paste it here along with a new HijackThis log.

    javascript:navigator.userAgent

    Please recheck anything you unchecked in msconfig and reboot before doing the new scan.
     
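The checks noahdfear and markp62 apply by hand above (an entry whose file is missing, a HijackThis copy running from a Temp folder, O16 ActiveX downloads from the hosts they told the poster to fix) can be scripted. This is an added example, not code from HijackThis or from anyone in the thread; the flagged host set and the sample log lines are taken from this thread, while the bare-IP and unnamed-object checks are my own heuristics that only mark entries for manual review.

```python
import re
from dataclasses import dataclass

# O16 download hosts the helpers in this thread told the poster to fix.
# Taken from the thread; extend the set for your own triage.
FLAGGED_DPF_HOSTS = {"ak.imgfarm.com", "www.cursorzone.com", "www.grokster.com"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
DPF_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)", re.I)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
TEMP_RE = re.compile(r"\\(?:Local Settings\\)?Temp\\", re.I)


@dataclass
class Finding:
    line: str
    reason: str


def parse_log(text):
    """Return (process paths, [(kind, body, full line), ...]) from a HJT log."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the R/O entries follow the process list
            entries.append((m.group("kind"), m.group("body"), line))
        elif in_procs and re.match(r"^[A-Za-z]:\\", line):
            processes.append(line)
    return processes, entries


def triage(text):
    """Apply the thread's manual checks and return a list of Findings."""
    findings = []
    processes, entries = parse_log(text)
    for proc in processes:
        if TEMP_RE.search(proc):
            findings.append(Finding(proc, "process running from a temp folder"))
    for kind, body, line in entries:
        if "(file missing)" in body:
            findings.append(Finding(line, "orphaned entry: target file missing"))
        if kind == "O4" and TEMP_RE.search(body):
            findings.append(Finding(line, "autostart from a temp folder"))
        if kind != "O16":
            continue
        d = DPF_RE.match(body)
        if d is None:
            findings.append(Finding(line, "unparseable O16 entry"))
            continue
        h = HOST_RE.match(d.group("url"))
        host = h.group(1).lower() if h else ""
        if host in FLAGGED_DPF_HOSTS:
            findings.append(Finding(line, f"ActiveX download from flagged host {host}"))
        elif IPV4_RE.match(host):
            findings.append(Finding(line, f"ActiveX download from bare IP {host}"))
        if not d.group("name"):
            findings.append(Finding(line, "unnamed ActiveX object: review manually"))
    return findings


# Sample input constructed from lines in the first log above.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/06ffa7950d8100f42f20/netzip/RdxIE6.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Legitimate entries can trip the review-only heuristics (the hcp:// Gateway controls and the Apple QuickTime download are not flagged here, but an unnamed Akamai installer would be), so treat the output as a worklist, not a verdict.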


  4. 2004/06/17
    markp62

    markp62 Geek Member Alumni

    Copy HJT out of the temp folder, into its own folder.
    Have all browsers closed, and remove these.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/slv/ycheck/hp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr...rch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/slv/ycheck/hp/*http://www.yahoo.com
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-us\msntb.dll (file missing)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
    O16 - DPF: {2FD74BEC-AA17-49C0-A74E-3B20BE946496} - http://www.cursorzone.com/toolbar/f...e_bundle_p2.cab
    O16 - DPF: {C7932801-AF0C-11D6-8137-0050DA5F0293} (RdxIE Class) - http://www.grokster.com/rdx/RdxIE.cab
     
  5. 2004/06/21
    CharlieJ

    CharlieJ Inactive Thread Starter

    THANKS guys!
    Since this is a friend's PC, I'm working on it whenever I can get to their home. I plan to go by this afternoon and place HiJackThis in its own folder, kill the processes you mentioned and repost the log. Please be patient as the entire process may take a few days. I sincerely appreciate your help. These folks are good friends and I want to help them. :)
     
  6. 2004/06/21
    Johanna

    Johanna Inactive Alumni

    and don't forget to delete all system restore points after the clean up...

    Johanna
     
  7. 2004/06/22
    CharlieJ

    CharlieJ Inactive Thread Starter

    Update 6/22/04

    The HiJackThis file has been placed in its own folder.

    I unchecked everything that was checked to die at Startup (from MSCONFIG).

    The result was:
    Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; YComp 5.0.0.0)


    No software found in Add/Remove Programs. No directories found on HDD. Two entries found and deleted in Registry.

    The Grokster removal process (on pestpatrol) has begun. I'll post a quick follow-up when that's done. BTW, there is a Grokster folder on the HDD. It has a DB folder within it. Two files are in the folder: data256.dbb and data1024.dbb.

    The new HiJackThis log is posted below:
    Logfile of HijackThis v1.97.7
    Scan saved at 6:12:52 PM, on 6/22/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\WINNT\System32\CTHELPER.EXE
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2002.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\wanmpsvc.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\Program Files\Norton Internet Security\ATRACK.EXE
    C:\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue: "Keyboard Preload Check "
    O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2002.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://152.2.61.67/activex/AxisCamControl.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0410.dll
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  8. 2004/06/22
    markp62

    markp62 Geek Member Alumni

    I see a couple of new items.

    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE

    These are two individual entries. I would use CWShredder to get rid of these.

    These I have no info on, but I would get rid of them.

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

    You should use Spybot's Immunize feature, and the IEspyads file in my signature is a good idea.
     
  9. 2004/06/22
    CharlieJ

    CharlieJ Inactive Thread Starter

    THANKS Mark! I deleted one using HiJackThis. The other was deleted from a search through the All Users folder right after we rebooted the PC.

    ;) Already using both... thanks to previous threads I found with your advice. In fact, I'm adding these to almost every PC I work on lately. TESTIMONIAL: I installed Ad-aware6, Spybot1.3 and IESPYADS on my two PCs at home. With LOTS of web browsing for various topics of research, and several scans, I have found less than 25 items on each PC in over a month now. THAT IS PHENOMENAL!

    Anything else you see in the previously posted HJT log? If not, then please venture a guess for me...

    :confused: The original problem that led me to think "Aha, malware" was that my friends' DSL connection to the Net was what we in the South call "dog slow". They had Sprint technicians test the line and it tested out fine. Secondary to the slow connection was the sluggishness [good word, huh] of the PC when I arrived on-site. It's a newer Gateway E-series machine w/ plenty of RAM for what they do. The problem seems to originate at connection to the Net -- as if the PC is working on something in the background. Thus, my conclusion that malware is the cause.

    THANKS for your insights! [and that of all other forum participants]
     
  10. 2004/06/23
    CharlieJ

    CharlieJ Inactive Thread Starter

    One more note of reference...

    I found that the PC has had a couple of hard shutdowns over the past couple of months. THAT could be the reason for sluggish performance -- corrupt files, etc.

    :confused: However, I want to make sure that the 6/22/04 18:42 HJT log is clean (with Mark's noted exceptions).

    Would someone please look at the log again and let me know if there is anything else we need to do?

    THANKS!
     
  11. 2004/06/23
    noahdfear

    noahdfear Inactive

    Hi CharlieJ :)

    These are from Gateway and are OK. Verify by checking properties.
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

    If there are multiple users, run Ad-aware and Spybot while logged on to each account. A separate HJT log should be posted also, to this thread but with mention of a different username.


    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix. Basically just not needed at startup.


    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe "
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: QuickBooks 2002 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks\Components\QBAgent\qbdagent2002.exe


    Reboot.


    PowerReg Scheduler V3.exe
    Pest Patrol says it is adware and should be fixed, and all files searched for and deleted.

    Remove files/folder.

    powerregschedulerv3.exe
    profilepath+\start menu\programs\startup\powerreg scheduler.exe
    profilepath+\start menu\programs\startup\powerreg schedulerv2.exe
    programfilesdir+\powerreg
    systemroot+\start menu\programs\startup\powerreg scheduler.exe


    CTHELPER

    CTHELPER is a background task that is a plug-in manager for Creative drivers. It first appeared with Creative’s SoundBlaster Live and Audigy soundcards. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. One of the very first uses of this interface has been for InterVideo’s WinDVD in the shape of a fix called "WinDVDPatch" and, at the time of writing 12-Jan-2003, there have not been other uses for it yet.

    Recommendation :
    Given its purpose CTHELPER would normally be classified as a "leave alone" background task. Unfortunately, as with many other Creative background tasks in these pages, there are often problems with CTHELPER. The most common complaint is random excess CPU utilization, up to 100% ! We have also had complaints of PCs freezing when CTHELPER is around, although that is probably also 100% CPU utilization. Additionally, on PCs running Intel’s Pentium 4 Hyper-Threading CPUs, the sound stutters. In short : CTHELPER is far more trouble than it is a help.



    Information below about this process, taken from answersthatwork.com. C:\WINDOWS\System32\nvsvc32.exe

    NVIDIA Driver Helper Service which gets installed under Windows NT4/2000/XP/2003 by the NVIDIA drivers for some of their graphics cards (or graphics cards based on an NVIDIA chipset). We do not at this stage know what this process does except consume memory ! And we also have no idea as to what a "Driver Helper Service" is supposed to do !!

    Recommendation :
    This service is often responsible for various glitches, from significant shutdown delays to excessive memory usage. Disabling it, however, does not result in our experience in any ill-effect as regards the proper operation of your NVIDIA or NVIDIA chipset graphics card, so we recommend that you definitely set the Startup Mode of this service to Disabled. You can do this by going to start>run, type services.msc, hit enter. Locate the service in the list and right click>properties.



    If doing the above fails to help, there are some hidden DLLs to check for. Download this zip.

    http://tools.zerosrealm.com/pv.zip

    Unzip it to the desktop. It will not work if you run it from inside the zip. After unzipping open the pv folder. Double click on the runme.bat. A dos window will open. Select option 1 for explorer dlls by typing 1 and then pressing enter. Notepad will open with a log in it. Copy and paste the log into this post.

    After that, with an IE window open, run the PV tool again, this time selecting option 2 for IE dlls and post its log.

    In addition, HijackThis does not always show us all of the running processes, so I recommend you install Process Explorer, create a log and post it also.
     
  12. 2004/06/30
    CharlieJ

    CharlieJ Inactive Thread Starter

    Response to Dave's recommendations... 1 of 5

    Post 1 of 2

    I've finally been able to get back to my friends' house. All of the items noahdfear recommended have been removed. Downloaded PV and ran as requested. Here is the first log:

    //A//
    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1015808 C:\WINNT\Explorer.EXE 6.00.2800.1106 (xpsp1.020828-1920) Windows Explorer
    ntdll.dll 77f50000 684032 C:\WINNT\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINNT\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINNT\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    ADVAPI32.dll 77dd0000 577536 C:\WINNT\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 552960 C:\WINNT\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    GDI32.dll 7e090000 266240 C:\WINNT\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
    USER32.dll 77d40000 573440 C:\WINNT\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
    SHLWAPI.dll 70a70000 413696 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
    SHELL32.dll 773d0000 8359936 C:\WINNT\system32\SHELL32.dll 6.00.2800.1348 (xpsp2.040109-1800) Windows Shell Common Dll
    ole32.dll 771b0000 1196032 C:\WINNT\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
    OLEAUT32.dll 77120000 569344 C:\WINNT\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 71500000 1036288 C:\WINNT\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
    SHDOCVW.dll 71700000 1347584 C:\WINNT\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
    UxTheme.dll 5ad70000 212992 C:\WINNT\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    comctl32.dll 71950000 933888 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1331_x-ww_7abf6d02\comctl32.dll 6.0 (xpsp2.040109-1800) User Experience Controls Library
    comctl32.dll 77340000 569344 C:\WINNT\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    appHelp.dll 75f40000 126976 C:\WINNT\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7c890000 528384 C:\WINNT\System32\CLBCATQ.DLL 2001.12.4414.53
    COMRes.dll 77050000 806912 C:\WINNT\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINNT\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    cscui.dll 76620000 319488 C:\WINNT\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINNT\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    themeui.dll 559e0000 462848 C:\WINNT\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) Windows Theme API
    Secur32.dll 76f90000 65536 C:\WINNT\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    MSIMG32.dll 76380000 20480 C:\WINNT\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
    USERENV.dll 75a70000 675840 C:\WINNT\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    actxprxy.dll 71d40000 110592 C:\WINNT\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
    netapi32.dll 71c20000 319488 C:\WINNT\System32\netapi32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
    urlmon.dll 1a400000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
    SETUPAPI.dll 76670000 946176 C:\WINNT\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    mlang.dll 74770000 585728 C:\WINNT\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
    mshtml.dll 63580000 2818048 C:\WINNT\System32\mshtml.dll 6.00.2800.1400 Microsoft (R) HTML Viewer
    NETSHELL.dll 75cf0000 1642496 C:\WINNT\system32\NETSHELL.dll 5.1.2600.1106 (xpsp1.020828-1920) Network Connections Shell
    credui.dll 76c00000 184320 C:\WINNT\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Credential Manager User Interface
    WS2_32.dll 71ab0000 81920 C:\WINNT\system32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINNT\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    iphlpapi.dll 76d60000 90112 C:\WINNT\system32\iphlpapi.dll 5.1.2600.1240 (xpsp2.030618-0119) IP Helper API
    WININET.DLL 63000000 614400 C:\WINNT\system32\WININET.DLL 6.00.2800.1405 Internet Extensions for Win32
    CRYPT32.dll 762c0000 557056 C:\WINNT\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINNT\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    LINKINFO.dll 76980000 28672 C:\WINNT\System32\LINKINFO.dll 5.1.2600.0 (xpclient.010817-1148) Windows Volume Tracking
    ntshrui.dll 76990000 147456 C:\WINNT\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Shell extensions for sharing
    ATL.DLL 76b20000 86016 C:\WINNT\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    msi.dll 1d30000 2101248 C:\WINNT\System32\msi.dll 2.0.2600.1106 Windows Installer
    RASAPI32.DLL 76ee0000 225280 C:\WINNT\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
    rasman.dll 76e90000 69632 C:\WINNT\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    TAPI32.dll 76eb0000 176128 C:\WINNT\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINNT\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    WINMM.dll 76b40000 180224 C:\WINNT\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    serwvdrv.dll 5cd70000 28672 C:\WINNT\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
    umdmxfrm.dll 5b0a0000 28672 C:\WINNT\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
    MPR.dll 71b20000 69632 C:\WINNT\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    drprov.dll 75f60000 24576 C:\WINNT\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINNT\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINNT\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINNT\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINNT\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    SAMLIB.dll 71bf0000 69632 C:\WINNT\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
    davclnt.dll 75f70000 36864 C:\WINNT\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL

    (cont'd)
     
  13. 2004/06/30
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    Response to Dave's recommendations... 2 of 5

    //A// continued

    SXS.DLL 75e90000 688128 C:\WINNT\System32\SXS.DLL 5.1.2600.1336 (xpsp2.040109-1800) Fusion 2.5
    rsaenh.dll ffd0000 143360 C:\WINNT\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
    wsock32.dll 71ad0000 32768 C:\WINNT\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
    mswsock.dll 71a50000 241664 C:\WINNT\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
    wshtcpip.dll 71a90000 32768 C:\WINNT\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    sensapi.dll 722b0000 20480 C:\WINNT\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
    rasadhlp.dll 76fc0000 20480 C:\WINNT\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
    DNSAPI.dll 76f20000 151552 C:\WINNT\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
    winrnr.dll 76fb0000 28672 C:\WINNT\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
    WLDAP32.dll 76f60000 180224 C:\WINNT\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    browselc.dll 72430000 73728 C:\WINNT\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    NavShExt.dll be0000 106496 C:\Program Files\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module
    MSVCP60.dll 55900000 397312 C:\WINNT\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
    comdlg32.dll 763b0000 282624 C:\WINNT\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
    shdoclc.dll 1ab0000 557056 C:\WINNT\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
    msimtf.dll 746f0000 155648 C:\WINNT\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
    MSCTF.dll 74720000 278528 C:\WINNT\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
    MSACM32.dll 77be0000 81920 C:\WINNT\System32\MSACM32.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft ACM Audio Filter
    MSLS31.DLL 746c0000 159744 C:\WINNT\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    IMM32.DLL 76390000 114688 C:\WINNT\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
    msxml3.dll 72e00000 1134592 C:\WINNT\System32\msxml3.dll 8.30.9926.0 MSXML 3.0 SP 3
    scrauth.dll 39a0000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator
    ScrBlock.dll 3ac0000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking
    wintrust.dll 76c30000 176128 C:\WINNT\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINNT\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
    cryptnet.dll 73d50000 65536 C:\WINNT\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API
    jscript.dll 6b700000 589824 c:\winnt\system32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    DUSER.dll 6c1b0000 278528 C:\WINNT\System32\DUSER.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows DirectUser Engine
    WINSTA.dll 76360000 61440 C:\WINNT\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
    webcheck.dll 74b30000 266240 C:\WINNT\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Web Site Monitor
    stobject.dll 74b00000 131072 C:\WINNT\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Systray shell service object
    BatMeter.dll 74af0000 36864 C:\WINNT\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) Battery Meter Helper DLL
    POWRPROF.dll 74ad0000 28672 C:\WINNT\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
    WTSAPI32.dll 76f50000 32768 C:\WINNT\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
    wdmaud.drv 72d20000 36864 C:\WINNT\System32\wdmaud.drv 5.1.2600.0 (XPClient.010817-1148) WDM Audio driver mapper
    msacm32.drv 72d10000 32768 C:\WINNT\System32\msacm32.drv 5.1.2600.0 (xpclient.010817-1148) Microsoft Sound Mapper
    MSGINA.dll 75970000 991232 C:\WINNT\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
    ODBC32.dll 4b60000 204800 C:\WINNT\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
    odbcint.dll 1f850000 90112 C:\WINNT\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    midimap.dll 77bd0000 28672 C:\WINNT\System32\midimap.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft MIDI Mapper
    urlmapps.dll 50e0000 28672 C:\Program Files\Microsoft Money\System\urlmapps.dll 10.00.0809 Money URL Map Proxy/Stub dll
    printui.dll 74b80000 532480 C:\WINNT\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) Print UI DLL
    WINSPOOL.DRV 73000000 143360 C:\WINNT\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Windows Spooler Driver
    ACTIVEDS.dll 76e40000 192512 C:\WINNT\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) ADs Router Layer DLL
    adsldpc.dll 76e10000 151552 C:\WINNT\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) ADs LDAP Provider C DLL
    CFGMGR32.dll 74ae0000 28672 C:\WINNT\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
    mstask.dll 735d0000 258048 C:\WINNT\System32\mstask.dll 5.1.2600.1106 (xpsp1.020828-1920) Task Scheduler interface DLL
    RASDLG.dll 75550000 647168 C:\WINNT\System32\RASDLG.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Common Dialog API
    MPRAPI.dll 76d40000 90112 C:\WINNT\System32\MPRAPI.dll 5.1.2600.0 (xpclient.010817-1148) Windows NT MP Router Administration DLL
    zipfldr.dll 73380000 335872 C:\WINNT\System32\zipfldr.dll 6.00.2800.1126 (xpsp2.020921-0842) Compressed (zipped) Folders
    AcroIEHelper.dll 10000000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    ycomp5_0_2_4.dll 68000000 204800 C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll 2002, 09, 19, 1 Yahoo! Companion 5.0 for Internet Explorer
    SDHelper.dll 1910000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
    olepro32.dll 5edd0000 106496 C:\WINNT\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
    mnyviewer.dll 13c0000 147456 C:\Program Files\Microsoft Money\System\mnyviewer.dll 10.00.0809 MoneySide Controls
    AolHook.dll 34c0000 81920 C:\PROGRA~1\COMMON~1\aolshare\Coach\AolHook.dll 1, 0, 0, 2 AolHook
    ACHelpers.dll 4370000 229376 C:\PROGRA~1\COMMON~1\aolshare\Coach\ACHelpers.dll
    asfsipc.dll 70eb0000 28672 C:\WINNT\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 605f0000 53248 C:\WINNT\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74ea0000 65536 C:\WINNT\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
    ScrTrust.dll 43d0000 53248 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrTrust.dll 1, 1, 0, 126 ScriptBlocking Trust Verifier
    MCPS.DLL 365a0000 86016 C:\PROGRA~1\MI1933~1\Office10\MCPS.DLL 10.0.2625 Media Catalog Proxy/Stub
     
  14. 2004/06/30
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    3 of 5

    //B//
    Here is the IE log:
    Module information for 'IEXPLORE.EXE'
    MODULE BASE SIZE PATH
    IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
    ntdll.dll 77f50000 684032 C:\WINNT\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
    kernel32.dll 77e60000 942080 C:\WINNT\system32\kernel32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT BASE API Client DLL
    msvcrt.dll 77c10000 339968 C:\WINNT\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    USER32.dll 77d40000 573440 C:\WINNT\system32\USER32.dll 5.1.2600.1255 (xpsp2.030804-1745) Windows XP USER API Client DLL
    GDI32.dll 7e090000 266240 C:\WINNT\system32\GDI32.dll 5.1.2600.1346 (xpsp2.040109-1800) GDI Client DLL
    ADVAPI32.dll 77dd0000 577536 C:\WINNT\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Advanced Windows 32 Base API
    RPCRT4.dll 78000000 552960 C:\WINNT\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    SHLWAPI.dll 70a70000 413696 C:\WINNT\system32\SHLWAPI.dll 6.00.2800.1400 Shell Light-weight Utility Library
    SHDOCVW.dll 71700000 1347584 C:\WINNT\System32\SHDOCVW.dll 6.00.2800.1400 Shell Doc Object and Control Library
    comctl32.dll 71950000 933888 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1331_x-ww_7abf6d02\comctl32.dll 6.0 (xpsp2.040109-1800) User Experience Controls Library
    SHELL32.dll 773d0000 8359936 C:\WINNT\system32\SHELL32.dll 6.00.2800.1348 (xpsp2.040109-1800) Windows Shell Common Dll
    comctl32.dll 77340000 569344 C:\WINNT\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    ole32.dll 771b0000 1196032 C:\WINNT\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE for Windows
    uxtheme.dll 5ad70000 212992 C:\WINNT\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft UxTheme Library
    BROWSEUI.dll 71500000 1036288 C:\WINNT\System32\BROWSEUI.dll 6.00.2800.1400 Shell Browser UI Library
    browselc.dll 72430000 73728 C:\WINNT\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Shell Browser UI Library
    appHelp.dll 75f40000 126976 C:\WINNT\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7c890000 528384 C:\WINNT\System32\CLBCATQ.DLL 2001.12.4414.53
    OLEAUT32.dll 77120000 569344 C:\WINNT\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    COMRes.dll 77050000 806912 C:\WINNT\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77c00000 28672 C:\WINNT\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    WININET.dll 63000000 614400 C:\WINNT\system32\WININET.dll 6.00.2800.1405 Internet Extensions for Win32
    CRYPT32.dll 762c0000 557056 C:\WINNT\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 762a0000 65536 C:\WINNT\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    Secur32.dll 76f90000 65536 C:\WINNT\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    cscui.dll 76620000 319488 C:\WINNT\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Client Side Caching UI
    CSCDLL.dll 76600000 110592 C:\WINNT\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Offline Network Agent
    SETUPAPI.dll 76670000 946176 C:\WINNT\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Setup API
    AcroIEHelper.dll 10000000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    ycomp5_0_2_4.dll 68000000 204800 C:\Program Files\Yahoo!\Companion\ycomp5_0_2_4.dll 2002, 09, 19, 1 Yahoo! Companion 5.0 for Internet Explorer
    WSOCK32.dll 71ad0000 32768 C:\WINNT\System32\WSOCK32.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 32-Bit DLL
    WS2_32.dll 71ab0000 81920 C:\WINNT\System32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71aa0000 32768 C:\WINNT\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper for Windows NT
    SDHelper.dll 1cf0000 765952 C:\PROGRA~1\SPYBOT~1\SDHelper.dll 1, 3, 0, 12 Bad download blocker
    olepro32.dll 5edd0000 106496 C:\WINNT\System32\olepro32.dll 5.0.5014 Microsoft (R) OLE Property Support DLL
    NavShExt.dll 1eb0000 106496 C:\Program Files\Norton AntiVirus\NavShExt.dll 8.07.17 Norton AntiVirusNAVShellExt Module
    ATL.DLL 76b20000 86016 C:\WINNT\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    MSVCP60.dll 55900000 397312 C:\WINNT\System32\MSVCP60.dll 6.00.8972.0 Microsoft (R) C++ Runtime Library
    msi.dll 1f10000 2101248 C:\WINNT\System32\msi.dll 2.0.2600.1106 Windows Installer
    mnyviewer.dll 2130000 147456 C:\Program Files\Microsoft Money\System\mnyviewer.dll 10.00.0809 MoneySide Controls
    comdlg32.dll 763b0000 282624 C:\WINNT\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Common Dialogs DLL
    urlmon.dll 1a400000 499712 C:\WINNT\system32\urlmon.dll 6.00.2800.1400 OLE32 Extensions for Win32
    shdoclc.dll 2440000 557056 C:\WINNT\System32\shdoclc.dll 6.00.2715.400 Shell Doc Object and Control Library
    mlang.dll 74770000 585728 C:\WINNT\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
    mswsock.dll 71a50000 241664 C:\WINNT\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Windows Sockets 2.0 Service Provider
    wshtcpip.dll 71a90000 32768 C:\WINNT\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    RASAPI32.DLL 76ee0000 225280 C:\WINNT\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Remote Access API
    rasman.dll 76e90000 69632 C:\WINNT\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    NETAPI32.dll 71c20000 319488 C:\WINNT\System32\NETAPI32.dll 5.1.2600.1343 (xpsp2.040109-1800) Net Win32 API DLL
    TAPI32.dll 76eb0000 176128 C:\WINNT\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e80000 53248 C:\WINNT\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    WINMM.dll 76b40000 180224 C:\WINNT\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    serwvdrv.dll 5cd70000 28672 C:\WINNT\System32\serwvdrv.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Serial Wave driver
    umdmxfrm.dll 5b0a0000 28672 C:\WINNT\System32\umdmxfrm.dll 5.1.2600.0 (xpclient.010817-1148) Unimodem Tranform Module
    SXS.DLL 75e90000 688128 C:\WINNT\System32\SXS.DLL 5.1.2600.1336 (xpsp2.040109-1800) Fusion 2.5

    (cont'd)
     
  15. 2004/06/30
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    4 of 4 (thought it would take 5)

    //B// continued

    USERENV.dll 75a70000 675840 C:\WINNT\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    rsaenh.dll ffd0000 143360 C:\WINNT\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
    DNSAPI.dll 76f20000 151552 C:\WINNT\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
    winrnr.dll 76fb0000 28672 C:\WINNT\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
    WLDAP32.dll 76f60000 180224 C:\WINNT\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    mshtml.dll 63580000 2818048 C:\WINNT\System32\mshtml.dll 6.00.2800.1400 Microsoft (R) HTML Viewer
    msimtf.dll 746f0000 155648 C:\WINNT\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
    MSCTF.dll 74720000 278528 C:\WINNT\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
    MSLS31.DLL 746c0000 159744 C:\WINNT\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    IMM32.DLL 76390000 114688 C:\WINNT\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
    msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
    rasadhlp.dll 76fc0000 20480 C:\WINNT\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
    urlmapps.dll 3300000 28672 C:\Program Files\Microsoft Money\System\urlmapps.dll 10.00.0809 Money URL Map Proxy/Stub dll
    MPR.dll 71b20000 69632 C:\WINNT\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) Multiple Provider Router DLL
    drprov.dll 75f60000 24576 C:\WINNT\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71c10000 53248 C:\WINNT\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
    NETUI0.dll 71cd0000 90112 C:\WINNT\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - GUI Classes
    NETUI1.dll 71c90000 245760 C:\WINNT\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c80000 24576 C:\WINNT\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    SAMLIB.dll 71bf0000 69632 C:\WINNT\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
    davclnt.dll 75f70000 36864 C:\WINNT\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    MSGINA.dll 75970000 991232 C:\WINNT\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
    WINSTA.dll 76360000 61440 C:\WINNT\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
    ODBC32.dll 3000000 204800 C:\WINNT\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
    odbcint.dll 1f850000 90112 C:\WINNT\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - ODBC Resources
    scrauth.dll 3450000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll 1, 1, 0, 126 ScriptBlocking Authenticator
    ScrBlock.dll 3580000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll 1, 1, 0, 126 ScriptBlocking
    wintrust.dll 76c30000 176128 C:\WINNT\System32\wintrust.dll 5.131.2600.0 (xpclient.010817-1148) Microsoft Trust Verification APIs
    IMAGEHLP.dll 76c90000 139264 C:\WINNT\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
    cryptnet.dll 73d50000 65536 C:\WINNT\System32\cryptnet.dll 5.131.2600.0 (xpclient.010817-1148) Crypto Network Related API
    jscript.dll 6b700000 589824 c:\winnt\system32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    inetcpl.cpl 58a20000 319488 C:\WINNT\System32\inetcpl.cpl 6.00.2800.1106 (xpsp1.020828-1920) Internet Control Panel
    inetcplc.dll 667d0000 118784 C:\WINNT\System32\inetcplc.dll 6.00.2600.0000 (xpclient.010817-1148) Internet Control Panel
    mshtmled.dll 74cb0000 454656 C:\WINNT\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) Microsoft (R) HTML Editing Component
    dxtrans.dll 6bdd0000 208896 C:\WINNT\System32\dxtrans.dll 6.00.2800.1106 (xpsp1.020828-1920) DirectX Media -- DirectX Transform Core
    ddrawex.dll 6d430000 36864 C:\WINNT\System32\ddrawex.dll 5.1.2600.0 (xpclient.010817-1148) Direct Draw Ex
    DDRAW.dll 73760000 278528 C:\WINNT\System32\DDRAW.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft DirectDraw
    DCIMAN32.dll 73bc0000 24576 C:\WINNT\System32\DCIMAN32.dll 5.1.2600.0 (xpclient.010817-1148) DCI Manager
    dxtmsft.dll 6be10000 348160 C:\WINNT\System32\dxtmsft.dll 6.00.2800.1106 (xpsp1.020828-1920) DirectX Media -- Image DirectX Transforms
    actxprxy.dll 71d40000 110592 C:\WINNT\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library

    //C//
    Installed Process Explorer, too. All of the processes shown could be legitimately accounted for. Besides, I didn't see any way to create a log in procexpnt.

    Please let me know what you see, if anything, in the logs above. These folks are very anxious to get their PC back to par. THANKS once again for your assistance. I hope that I can repay your generosity!
     
  16. 2004/07/01
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I looked through it twice, and verified some which I did not immediately recognize on my XP partition.
     
  17. 2004/07/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I didn't find any hidden or bad dll's Charlie. Is the PC still running IE slow? Anything to do with the recent NAV update everyone was having trouble with? Try start>run and type sfc /scannow with the XP cd handy. May need to reinstall some windows updates afterwards.
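    A small parser for module dumps in the format posted above, pulling out the three things a reviewer of such a log eyeballs first: modules loaded from outside the Windows directory, modules with no version information, and one file name mapped from two different paths. This is an added example, not code from the thread or from Process Explorer; the sample lines are copied from the IE dump above and the Windows directory (C:\WINNT) is taken from the same log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the two header lines and six module lines copied from the
# IEXPLORE.EXE dump in the thread, plus one line (ACHelpers.dll, from the
# Explorer dump) that carries no version/description field at all.
SAMPLE_DUMP = r"""Module information for 'IEXPLORE.EXE'
MODULE BASE SIZE PATH
IEXPLORE.EXE 400000 102400 C:\Program Files\Internet Explorer\IEXPLORE.EXE 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
ntdll.dll 77f50000 684032 C:\WINNT\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) NT Layer DLL
comctl32.dll 71950000 933888 C:\WINNT\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1331_x-ww_7abf6d02\comctl32.dll 6.0 (xpsp2.040109-1800) User Experience Controls Library
comctl32.dll 77340000 569344 C:\WINNT\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
CLBCATQ.DLL 7c890000 528384 C:\WINNT\System32\CLBCATQ.DLL 2001.12.4414.53
AcroIEHelper.dll 10000000 45056 C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
ACHelpers.dll 4370000 229376 C:\PROGRA~1\COMMON~1\aolshare\Coach\ACHelpers.dll
"""


@dataclass
class Module:
    name: str
    base: int          # load address (hex in the dump)
    size: int          # mapped size in bytes
    path: str
    version_info: str  # version string plus description; "" when the file has none


def parse_line(line: str):
    """Parse one dump line; returns None for header lines or lines that do not fit."""
    line = line.strip()
    if not line:
        return None
    name = line.split()[0]
    # The path may contain spaces ("C:\Program Files\..."), but it always ends with
    # the module's own file name, so anchor the path on that; whatever follows is
    # the version/description field, which some modules simply do not have.
    pattern = (r"^(\S+)\s+([0-9a-f]+)\s+(\d+)\s+(.+?\\" + re.escape(name)
               + r")(?:\s+(.*))?$")
    m = re.match(pattern, line, re.IGNORECASE)
    if not m:
        return None
    return Module(m.group(1), int(m.group(2), 16), int(m.group(3)),
                  m.group(4), (m.group(5) or "").strip())


def parse_dump(text: str):
    return [mod for mod in map(parse_line, text.splitlines()) if mod]


def triage(modules, windows_dir=r"C:\WINNT"):
    """Group loaded modules the way a reviewer of this kind of log looks at them."""
    win = windows_dir.lower().rstrip("\\") + "\\"
    paths_by_name = defaultdict(set)
    for mod in modules:
        paths_by_name[mod.name.lower()].add(mod.path.lower())
    return {
        # Anything not under the Windows directory: add-ons, BHOs, vendor helpers.
        "third_party": [mod.name for mod in modules
                        if not mod.path.lower().startswith(win)],
        # No embedded version resource: not proof of anything, but worth a look.
        "no_version_info": [mod.name for mod in modules if not mod.version_info],
        # Same file name mapped from two paths: side-by-side assemblies are one
        # legitimate cause; a look-alike dropped beside the real file is another.
        "duplicate_names": {n: sorted(p) for n, p in paths_by_name.items()
                            if len(p) > 1},
    }


if __name__ == "__main__":
    for group, entries in triage(parse_dump(SAMPLE_DUMP)).items():
        print(f"{group}: {entries}")
```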
     
  18. 2004/07/02
    CharlieJ

    CharlieJ Inactive Thread Starter

    Joined:
    2004/05/18
    Messages:
    69
    Likes Received:
    0
    Found & fixed problem... here's the tale...

    After everything else we've done, the IE connection was still slow. I used the suggestions offered here to download Process Explorer. It found an unusual occurrence that bothered me -- SYMPROXYSVC.EXE. This is a Symantec-borne process that was sometimes taking as much as 95% of the PC's resources. Used that info to google a query. Ended up finding another forum thread that pointed to a fix by someone named sonofjay. Downloaded the file and installed it. Problem solved.

    The DSL connection picked up to normal speed. SymProxySv.exe took its proper place in the process list (not at 95%) and all is well.

    The malware we removed, plus the SymProxySvc fix, has brought my friends' PC back to life. THANKS to everyone who contributed. Your efforts are sincerely appreciated.
     
  19. 2004/07/02
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Interesting. Do a search for Charlesvar's posts on the Norton 2002 updates (Symantec Redirector). I'm using NIS 2003 and do not have that exe on my system.
    http://search.symantec.com/custom/us/query.html

    Thanks for posting back with the solution. Why didn't Live Update kick in and fix it, I wonder?

    Johanna
     
  20. 2004/07/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Norton strikes again! :mad: Thanks for the update Charlie. Glad to hear all is well again. :) Incidentally, to create a log with Process Explorer, without highlighting any entries, click file>save.
     