[SOLVED] Anything odd here? -- XP being quirky

dr_c · 06-05-2009, 10:40 AM

For the past month or so my Windows XP installation on a Latitude D430 laptop (with U7700 processor) has been functional but a bit 'quirky.' Among the symptoms are:

Cursor flickers to hourglass about 1/second -- not always, but often
On shutdown, I get a 'microkernel database' program that hangs shutdown, requiring an 'end task' command
Long (multi-minute) boot up and shut down times

Any suggestions on where to look to ensure this isn't something odd? Antivirus and trojan scans (S&D) don't detect anything. Thanks in advance!

My DDS:

DDS (Ver_09-05-14.01) - NTFSx86
Run by acaola at 9:43:34.26 on Fri 06/05/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1018 [GMT -4:00]

AV: eTrust ITM *On-access scanning enabled* (Updated) {33EA71EA-56CF-40B5-A06B-BD3A27397C33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLHNService.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\DWRCS.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CA\eTrustITM\eaps.exe
C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrorun.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrustITM\realmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\RETROS~1\RETROS~1.5\RetroExpress.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\hott notes 4\hottnotes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Retrospect\Retrospect Express HD 2.5\retrospect.exe
C:\HJT\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://portal.idexx.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Solid Converter PDF: {259f616c-a300-44f5-b04a-ed001a26c85c} - c:\program files\soliddocuments\solidconverterpdf\scpdf\ExploreExtPDF.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Solid Converter PDF: {259f616c-a300-44f5-b04a-ed001a26c85c} - c:\program files\soliddocuments\solidconverterpdf\scpdf\ExploreExtPDF.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Eraser] c:\program files\eraser\eraser.exe -hide
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
mRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe" -s
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Apoint] "c:\program files\apoint\Apoint.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DriveMapping] c:\program files\idexx\clientsidedrivemapping\MapDrives.vbs
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [RetroExpress] c:\progra~1\retros~1\retros~1.5\RetroExpress.exe /h
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [DameWare MRC Agent] c:\windows\system32\DWRCST.exe
StartupFolder: c:\docume~1\acaola\startm~1\programs\startup\hottno~1.lnk - c:\program files\hott notes 4\hottnotes.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobea~1.lnk - c:\program files\adobe\acrobat 8.0\acrobat\acrobat_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\adobea~2.lnk - c:\program files\adobe\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: ameritrade.com
Trusted Zone: intuit.com
Trusted Zone: tdameritrade.com
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229437974359
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229437959671
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://premconf.webex.com/client/T25L10NSP41EP2-PREM/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://vpn-me.idexx.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - hxxp://www.cooliris.com/shared/plinstll.cab
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxps://www.shoeboxed.com/includes/activex/ImageUploader4.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://vpn-me.idexx.com/dana-cached/sc/JuniperSetupClient.cab
DPF: {F53270D3-0E32-48B7-B63B-159E33210F70} - hxxp://livelinkprd.idexxi.com/Livelinksupport/webexp/lledit.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\acaola\applic~1\mozilla\firefox\profiles\vtejnxbj.default\
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 40001
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 40001
FF - component: c:\program files\mozilla firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

============= SERVICES / DRIVERS ===============

R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [2007-8-1 251578]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2006-12-10 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2006-12-10 204800]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [2006-12-10 17664]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [2007-10-1 33664]
R2 CLHNService3;CLHNService3;c:\program files\directv\directv\kernel\dmp\CLHNService.exe [2008-9-26 98304]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 ntk3;ntk3;c:\program files\directv\directv\kernel\dmp\ntk3.sys [2008-9-26 120048]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 2944]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2008-5-21 34576]
S3 UltraCrypt;UltraCrypt;\??\c:\program files\ultraleecher_newsfeeds\ultracrypt.sys --> c:\program files\ultraleecher_newsfeeds\UltraCrypt.sys [?]

=============== Created Last 30 ================

2009-06-03 11:27 <DIR> --d----- C:\HJT
2009-06-03 11:27 <DIR> --d----- C:\New Folder
2009-05-22 15:27 <DIR> --d----- c:\program files\RarZilla Free Unrar
2009-05-22 12:12 <DIR> --d----- c:\docume~1\acaola\applic~1\.easytag
2009-05-22 12:11 <DIR> --d----- c:\program files\EasyTAG
2009-05-22 06:45 <DIR> --d----- c:\documents and settings\acaola\.pan2
2009-05-22 06:44 <DIR> --d----- c:\program files\Giganews Accelerator
2009-05-22 06:41 <DIR> --d----- c:\program files\Pan
2009-05-22 06:39 <DIR> --d----- C:\GTK
2009-05-19 19:09 398,632 a------- c:\windows\system32\dsNcSmartCardProv.dll

==================== Find3M ====================

2009-04-19 09:12 147,456 a------- c:\windows\system32\igfxCoIn_v4926.dll
2009-03-11 13:10 345,384 a------- c:\windows\system32\dsNcCredProv.dll
2009-03-11 13:08 221,184 a------- c:\windows\system32\dsGinaLoader.dll
2005-02-02 14:38 1,124,864 a------- c:\program files\common files\SAPActiveXL_nosig.xlt
2005-02-02 14:37 1,129,984 a------- c:\program files\common files\SAPActiveXL.xlt
2008-12-16 12:47 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008121620081217\index.dat
2009-02-10 17:37 32,768 a--sh--- c:\windows\temp\cookies\index.dat
2009-02-10 17:37 32,768 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2009-02-10 17:37 49,152 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 9:44:25.62 ===============

Ried · 06-08-2009, 09:14 AM

Hello dr_c and welcome,

As I'm not seeing any malware in any of these logs, it appears to be OS related and you would be better served discussing these issues in the Windows XP Support section of this forum.

dr_c · 06-09-2009, 10:48 AM

Thanks for looking at this. I didn't think this was a virus or trojan based on my scans, but with the hourglass and 'stuck programs,' I wanted to make sure. Down the hardware/OS path, we go!

All the best,

Dr. C.

Ried · 06-09-2009, 02:10 PM

You're welcome, Dr. C. Best of luck to you.

06-08-2009, 09:14 AM	#2 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,960 OS: WinXP and Vista	Re: Anything odd here? -- XP being quirky Hello dr_c and welcome, As I'm not seeing any malware in any of these logs, it appears to be OS related and you would be better served discussing these issues in the Windows XP Support section of this forum. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

06-09-2009, 10:48 AM	#3 (permalink)
dr_c Registered User Join Date: Jun 2009 Location: Maine Posts: 9 OS: XP	Re: Anything odd here? -- XP being quirky Thanks for looking at this. I didn't think this was a virus or trojan based on my scans, but with the hourglass and 'stuck programs,' I wanted to make sure. Down the hardware/OS path, we go! All the best, Dr. C.

06-09-2009, 02:10 PM	#4 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,960 OS: WinXP and Vista	Re: [SOLVED] Anything odd here? -- XP being quirky You're welcome, Dr. C. Best of luck to you. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."