Norton was disabled, now system is very slow

fitmat · 06-03-2009, 12:08 PM

My system was running smooth and fast until a few days ago, then all of the sudden, after opening Internet Explorer, my NAV was disabled--it just quit. I immediately did a reboot and scanned for infections using NAV 2009 (it was working again), Malwarebytes, and SuperAntiSpyware, all scans came up clean.

Since then however, my system has been running very slow--Outlook Express and Internet Explorer takes a long time to load, audio is choppy, cursor disappears randomly then reappears and shutdowns and reboots take 3-4 minutes.

I have uninstalled all but one AV program (NAV) ran DDS and GMER as requested--here are the logs:

DDS (Ver_09-05-14.01) - NTFSx86
Run by CJN at 4:45:55.87 on Wed 06/03/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1561 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\WINDOWS\system32\WebUpdateSvc.exe
C:\WINDOWS\System32\HPZipm12.exe
svchost.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Documents and Settings\CJN\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ResChanger2004] NONE
uRunOnce: [<NO NAME>] c:\program files\internet explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/ser...000d3.0000025b
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\cjn\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
uPolicies-explorer: NoRecentDocsNetHood = 01000000
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197506877921
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197506855890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-28 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-28 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-28 482352]
R2 IOPort;IOPort;c:\windows\system32\IOPORT.SYS [1998-11-27 6144]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-28 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-28 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090602.048\NAVENG.SYS [2009-6-3 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090602.048\NAVEX15.SYS [2009-6-3 876144]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2005-9-30 3712]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090528.001\IDSXpx86.sys [2009-5-29 276344]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 SGUARD;SGUARD;\??\c:\windows\system32\drivers\sguard.sys --> c:\windows\system32\drivers\SGuard.sys [?]

=============== Created Last 30 ================

2009-05-28 14:38 <DIR> --d----- c:\program files\MSECache

==================== Find3M ====================

2009-04-08 11:25 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-07 11:15 106,496 a------- c:\windows\system32\cnbrvre.dll
2009-03-28 09:25 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-26 11:11 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2006-11-28 13:07 10,856 a--sh--- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 4:46:22.39 ===============

fitmat · 06-06-2009, 12:16 PM

BUMP! Please

Ried · 06-06-2009, 09:16 PM

Hello fitmat,

I'm not seeing any malware here. Did this seem to happen shortly after your install of the Compatibility Pack for the 2007 Office system?

fitmat · 06-07-2009, 06:10 AM

Ried,

Thanks for looking into this and yes, it would have been within a day I believe of installing the compatibility program for Office 2007.

The fact that you found no malware is a good thing but based on my systems behavior I would have bet money that it was full of infections. Have there been other cases where installing the compatibility program for Office has resulted in this behavior? What do you suggest I do at this point?

Thanks,

fitmat · 06-07-2009, 09:21 AM

Since you did not find any malware, I uninstalled the Office Compatibility Pack and tried to do a system restore back to Wednesday, May 27. I received a message saying that System Restore was not able to restore my system to that point. I checked Norton and it said:

"Unautherized access logged (System Restore Failure)"

Actor: c:\windows\explorer.exe
Actor PID: 140
Target: C:\WIDOWS\system32\Restore\rstrui.exe
Target PID: 164

I apologize for my lack of patience in not waiting for your response.

Please advise next steps.

Thank you

Ried · 06-07-2009, 09:32 AM

Norton is interfering. Follow the instructions listed at Norton's website http://community.norton.com/norton/b...sage.uid=96734

Let me know if you were successful.

fitmat · 06-07-2009, 10:23 AM

Ried,

Thanks, I have now restored my system back to the day prior to installing the Office compatibility pack. Everything is running smooth again!

Why did that Office pack download mess up my system the way it did? I believe it was dl'd via the automatic updates--have other people reported having problems after installing the Office pack? Should I try installing it again or hide it from future automatic updates?

Ried · 06-07-2009, 10:41 AM

Not that I'm aware of, I was just playing a 'hunch'. No malware in logs, and from personal experience, I've had some odd things happen to my OS when installing any updates for MS Office 2007 lately.

You may want to inquire in the Microsoft Office Support section of this forum.

fitmat · 06-07-2009, 11:15 AM

Ried, thanks for your help, I am so glad you guys are here to help us. I have to say I am very relieved to know I am not infected. I consider this issue resolved:)

Ried · 06-07-2009, 11:18 AM

You're welcome, fitmat.

You could try disabling Norton while downloading and installing the update and see if it performs better. If not, uninstall it again.

06-06-2009, 12:16 PM	#2 (permalink)
fitmat Registered User Join Date: Apr 2009 Posts: 17 OS: Windows XP My System	Re: Norton was disabled, now system is very slow BUMP! Please

06-06-2009, 09:16 PM	#3 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,860 OS: WinXP and Vista	Re: Norton was disabled, now system is very slow Hello fitmat, I'm not seeing any malware here. Did this seem to happen shortly after your install of the Compatibility Pack for the 2007 Office system? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

06-07-2009, 06:10 AM	#4 (permalink)
fitmat Registered User Join Date: Apr 2009 Posts: 17 OS: Windows XP My System	Re: Norton was disabled, now system is very slow Ried, Thanks for looking into this and yes, it would have been within a day I believe of installing the compatibility program for Office 2007. The fact that you found no malware is a good thing but based on my systems behavior I would have bet money that it was full of infections. Have there been other cases where installing the compatibility program for Office has resulted in this behavior? What do you suggest I do at this point? Thanks,

06-07-2009, 09:21 AM	#5 (permalink)
fitmat Registered User Join Date: Apr 2009 Posts: 17 OS: Windows XP My System	Re: Norton was disabled, now system is very slow Since you did not find any malware, I uninstalled the Office Compatibility Pack and tried to do a system restore back to Wednesday, May 27. I received a message saying that System Restore was not able to restore my system to that point. I checked Norton and it said: "Unautherized access logged (System Restore Failure)" Actor: c:\windows\explorer.exe Actor PID: 140 Target: C:\WIDOWS\system32\Restore\rstrui.exe Target PID: 164 I apologize for my lack of patience in not waiting for your response. Please advise next steps. Thank you Last edited by fitmat; 06-07-2009 at 09:23 AM.

06-07-2009, 09:32 AM	#6 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,860 OS: WinXP and Vista	Re: Norton was disabled, now system is very slow Norton is interfering. Follow the instructions listed at Norton's website http://community.norton.com/norton/b...sage.uid=96734 Let me know if you were successful. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

06-07-2009, 10:23 AM	#7 (permalink)
fitmat Registered User Join Date: Apr 2009 Posts: 17 OS: Windows XP My System	Re: Norton was disabled, now system is very slow Ried, Thanks, I have now restored my system back to the day prior to installing the Office compatibility pack. Everything is running smooth again! Why did that Office pack download mess up my system the way it did? I believe it was dl'd via the automatic updates--have other people reported having problems after installing the Office pack? Should I try installing it again or hide it from future automatic updates?

06-07-2009, 10:41 AM	#8 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,860 OS: WinXP and Vista	Re: Norton was disabled, now system is very slow Not that I'm aware of, I was just playing a 'hunch'. No malware in logs, and from personal experience, I've had some odd things happen to my OS when installing any updates for MS Office 2007 lately. You may want to inquire in the Microsoft Office Support section of this forum. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

06-07-2009, 11:15 AM	#9 (permalink)
fitmat Registered User Join Date: Apr 2009 Posts: 17 OS: Windows XP My System	Re: Norton was disabled, now system is very slow Ried, thanks for your help, I am so glad you guys are here to help us. I have to say I am very relieved to know I am not infected. I consider this issue resolved:)

06-07-2009, 11:18 AM	#10 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,860 OS: WinXP and Vista	Re: Norton was disabled, now system is very slow You're welcome, fitmat. You could try disabling Norton while downloading and installing the update and see if it performs better. If not, uninstall it again. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."