System uses 99% of CPU. HJT log included

Captain Stable · 02-23-2005, 04:26 PM

Help! I've spent 2 days so far on this and got no where...

I am running two Dell computers, both using Windows XP. One of them has just suddenly started becoming very slow. On further investigation, it appears the resource "System" (not System Idle) is using all the available CPU usage.

Here is HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 23:19:12, on 23/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\CCProxy\CCProxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:808
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\Old Computer\Program Files\Freeserve\FSBar\FSBar.dll
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: CCProxy.lnk = C:\CCProxy\CCProxy.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Any help anyone can give me would be very much appreciated. Thank you.

greyknight17 · 02-23-2005, 05:24 PM

You have programs running that are really not necessary to run at startup.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan.

Restart. Any problems now?

Captain Stable · 02-24-2005, 12:15 AM

I removed those items, and no change. Here is the updated log.

Logfile of HijackThis v1.99.1
Scan saved at 07:04:00, on 24/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\CCProxy\CCProxy.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Documents and Settings\All Users\Documents\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:808
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\Old Computer\Program Files\Freeserve\FSBar\FSBar.dll
O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: CCProxy.lnk = C:\CCProxy\CCProxy.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

CTSNKY · 02-24-2005, 05:27 AM

Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies.

===========

Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.

Captain Stable · 02-24-2005, 04:27 PM

I've just completed the first part (TDS-3) and it found 6 alerts. Here is the log.

20:03:12 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED)
20:03:12 [Init] Started 24-02-05 20:03:12 GMT Standard Time (UTC: 0), Internet Time @877.22
20:03:12 [Init] Loading TDS-3 Systems ...
20:03:12 [Init] Token successfully adjusted.
20:03:13 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum
20:03:14 [Init] • Plugins : OK. Loaded 13
20:03:14 [Init] • Exec Protection : Not Installed
20:03:15 [Init] WARNING: Your Radius.TD3 database needs to be updated!
20:03:15 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3
20:03:15 [Init] Licensed users can use the Update facility from the TDS menu
20:03:16 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
20:03:32 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
20:03:32 [Init] • Systems Initialised [47949 references - 23637 primaries/12150 traces/12162 variants/other]
20:03:32 [Init] Radius Systems loaded. <Databases updated 24-02-2005>
20:03:33 [Init] TDS-3 Ready. <Roadster@192.168.1.5, 127.0.0.1 - United Kingdom>
20:03:33 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system that can detect trojans by scanning for the memory-resident mutexes that they use.
20:03:33 [TDS] Good evening Roadster.
20:04:28 [Mutex Memory Scan] Started...
20:04:30 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:04:30 [TDS-3] NOTICE - TDS-3 was not properly shut down.
20:04:30 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering.
20:04:45 [CRC32] Started - verifying 29 files ...
20:04:50 [CRC32] Test finished.
20:08:18 [Memory Scan] Memory scan started, please wait a moment ...
20:08:19 [Memory Scan] Memory scan complete.
20:08:20 [Mutex Memory Scan] Started...
20:08:22 [Mutex Memory Scan] Finished (no trojan mutexes found).
20:08:22 [Trace Scan] Started...
20:23:31 [Trace Scan] Finished.
20:23:31 [ServiceScan] Scanning for services and drivers ...
20:23:45 [ServiceScan] Scanned 335 services and drivers.
20:23:46 [File Scan] Scanning in C:\ ...
22:37:05 [Locked File] Couldn't open c:\recycler\nprotect\00000004.exe for read access, file is locked
22:37:06 [Locked File] Couldn't open c:\recycler\nprotect\00000072.exe for read access, file is locked
22:37:06 [Locked File] Couldn't open c:\recycler\nprotect\00000074.exe for read access, file is locked
22:37:23 [Locked File] Couldn't open c:\recycler\nprotect\00000396.exe for read access, file is locked
22:37:24 [Locked File] Couldn't open c:\recycler\nprotect\00000419.exe for read access, file is locked
22:37:24 [Locked File] Couldn't open c:\recycler\nprotect\00000421.exe for read access, file is locked
22:37:25 [Locked File] Couldn't open c:\recycler\nprotect\00000428.exe for read access, file is locked
22:37:25 [Locked File] Couldn't open c:\recycler\nprotect\00000433.exe for read access, file is locked
22:37:25 [Locked File] Couldn't open c:\recycler\nprotect\00000439.exe for read access, file is locked
22:37:26 [Locked File] Couldn't open c:\recycler\nprotect\00000462.exe for read access, file is locked
22:37:26 [Locked File] Couldn't open c:\recycler\nprotect\00000468.exe for read access, file is locked
22:37:26 [Locked File] Couldn't open c:\recycler\nprotect\00000480.exe for read access, file is locked
22:37:27 [Locked File] Couldn't open c:\recycler\nprotect\00000494.exe for read access, file is locked
22:37:27 [Locked File] Couldn't open c:\recycler\nprotect\00000500.exe for read access, file is locked
22:37:28 [Locked File] Couldn't open c:\recycler\nprotect\00000513.exe for read access, file is locked
22:37:28 [Locked File] Couldn't open c:\recycler\nprotect\00000525.exe for read access, file is locked
22:37:28 [Locked File] Couldn't open c:\recycler\nprotect\00000531.exe for read access, file is locked
22:38:03 [Locked File] Couldn't open c:\recycler\nprotect\00000863.exe for read access, file is locked
22:38:13 [Locked File] Couldn't open c:\recycler\nprotect\00001063.exe for read access, file is locked
22:38:37 [Locked File] Couldn't open c:\recycler\nprotect\00001403.exe for read access, file is locked
22:58:04 [File Scan] Scanned 87938 files: 6 alarms in 9258.109 seconds (Avg 10.5 files/sec)
22:58:04 [File Scan] Scanning in D:\ ...
22:58:05 [File Scan] Scanned 0 files: 6 alarms in 0.03125 seconds (Avg 1. files/sec)
22:58:05 [Scan] Finished.
-----------------------------------------------------------------
Scan Control Dumped @ 23:02:07 24-02-05
Trojan Client\EditServer found: FTP.FtpSmtp 2.31 (Utility)
File: c:\old computer\program files\icq\received files\captain stable\new folder\windows setup.exe

Positive identification: Riskware.ProcessRestart
File: c:\old computer\program files\kodak\kodak software updater\7288971\6.1.4.37-7288971l\program\restart.exe

Positive identification: Riskware.Proxy.Hltv
File: c:\old computer\sierra\half-life\hltv.exe

Positive identification (embedded in file): Worm.Mabutu.a (dll)
File: c:\program files\norton systemworks\norton antivirus\quarantine\08a4756a.tmp

Positive identification (embedded in file): Worm.Mabutu.a (dll)
File: c:\program files\norton systemworks\norton antivirus\quarantine\3a68057d.tmp

Positive identification (embedded in file): Worm.Mabutu.a (dll)
File: c:\program files\norton systemworks\norton antivirus\quarantine\4d533eab.tmp

I'm just about to do the next suggestion. :D

Ok, so this is the startdreck log.

StartDreck (build 2.1.7 public stable) - 2005-02-24 @ 23:24:16 (GMT +00:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Roadster at EUNOS

»Registry
»Run Keys
»Current User
»Run
*Norton SystemWorks="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
*MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background
»RunOnce
»Default User
»Run
*CTFMON.EXE=C:\WINDOWS\system32\CTFMON.EXE
*Norton SystemWorks="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
»RunOnce
»Local Machine
»Run
*IgfxTray=C:\WINDOWS\system32\igfxtray.exe
*HotKeysCmds=C:\WINDOWS\system32\hkcmd.exe
*PCMService="C:\Program Files\Dell\Media Experience\PCMService.exe"
*CTSysVol=C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
*UpdReg=C:\WINDOWS\UpdReg.EXE
*dla=C:\WINDOWS\system32\dla\tfswctrl.exe
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
*SpeedTouch USB Diagnostics="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe
*EPSON Stylus CX5200=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
*P17Helper=Rundll32 P17.dll,P17Helper
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*NoChange=1
*Installed=1
+MAPI
*NoChange=1
*Installed=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINDOWS\system32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Microsoft Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
*StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
+Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\system32\ie4uinit.exe
+Fax/{8b15971b-5355-4c82-8c07-7e181ea07608}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
»Browser Helper Objects (LM)
*YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670}
`InprocServer32=C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
*AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
`InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
*DriveLetterAccess/{5CA3D70E-1895-11CF-8E15-001234567890}
`InprocServer32=C:\WINDOWS\system32\dla\tfswshx.dll
*Nisbho.CNisExtBho.1/{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
`InprocServer32=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
*Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872}
`InprocServer32=C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
»Internet Explorer
»Current User
*Default_Page_URL=http://www.dell.co.uk/myway
*Local Page=C:\WINDOWS\system32\blank.htm
*Search Bar=http://www.freeserve.com/iesearch/default.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.google.co.uk/
*Window Title=Microsoft Internet Explorer provided by Freeserve
+SearchUrl
*provider=yaho
*(Default)=frsv
»Default User
*Default_Page_URL=http://www.dell.co.uk/myway
*First Home Page=http://www.dell.co.uk/myway
*Start Page=http://www.dell.co.uk/myway
»Local Machine
*Default_Page_URL=http://www.freeserve.com/
*Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Local Page=%SystemRoot%\system32\blank.htm
*Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
*Start Page=http://www.dell.co.uk/myway
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\system32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINDOWS\system32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINDOWS\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Roadster\Start Menu\Programs\Startup\CCProxy.lnk
*C:\Documents and Settings\Roadster\Start Menu\Programs\Startup\DESKTOP.INI
*C:\Documents and Settings\Roadster\Start Menu\Programs\Startup\HotSync Manager.lnk
»Default User
*C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\DESKTOP.INI
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
*C:\msdos.sys
*C:\config.sys
*C:\WINDOWS\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\autoexec.bat
*C:\WINDOWS\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINDOWS\wininit.ini
`[Rename]
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
`NUL=
*C:\WINDOWS\system32\drivers\etc\hosts
`127.0.0.1 localhost
`64.91.255.87 www.dcsresearch.com
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINDOWS\system32\win.com
*C:\WINDOWS\explorer.exe
»%PATH% Companion Files
+C:\SETUP.EXE
*C:\WINDOWS\system32\SETUP.EXE
+C:\WINDOWS\system32\NOTEPAD.EXE
*C:\WINDOWS\NOTEPAD.EXE
+C:\WINDOWS\system32\TASKMAN.EXE
*C:\WINDOWS\TASKMAN.EXE
+C:\WINDOWS\system32\WINHLP32.EXE
*C:\WINDOWS\WINHLP32.EXE
»System/Drivers
»Running Processes
+0=<idle>
+4=<system>
+988=\SystemRoot\System32\smss.exe
+1052=\??\C:\WINDOWS\system32\csrss.exe
+1076=\??\C:\WINDOWS\system32\winlogon.exe
+1120=C:\WINDOWS\system32\services.exe
+1132=C:\WINDOWS\system32\lsass.exe
+1296=C:\WINDOWS\system32\svchost.exe
+1404=C:\WINDOWS\system32\svchost.exe
+1524=C:\WINDOWS\System32\svchost.exe
+1636=C:\WINDOWS\system32\svchost.exe
+1780=C:\WINDOWS\system32\svchost.exe
+1796=C:\WINDOWS\Explorer.EXE
+1952=C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
+1972=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
+1984=C:\Program Files\Norton Personal Firewall\ISSVC.exe
+1996=C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
+2032=C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
+136=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
+684=C:\WINDOWS\system32\spoolsv.exe
+928=C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
+1444=C:\WINDOWS\system32\CTsvcCDA.EXE
+1468=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
+1748=C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
+1892=C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
+212=C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
+468=C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
+816=C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
+1452=C:\WINDOWS\system32\svchost.exe
+1516=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
+1568=C:\WINDOWS\system32\MsPMSPSv.exe
+3472=C:\WINDOWS\system32\hkcmd.exe
+3528=C:\Program Files\Dell\Media Experience\PCMService.exe
+3564=C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
+3624=C:\WINDOWS\system32\dla\tfswctrl.exe
+3636=C:\Program Files\Common Files\Symantec Shared\ccApp.exe
+3712=C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
+4024=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
+268=C:\WINDOWS\system32\Rundll32.exe
+2156=C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
+2448=C:\CCProxy\CCProxy.exe
+2472=C:\Program Files\Handspring\HOTSYNC.EXE
+2972=C:\WINDOWS\System32\svchost.exe
+3808=C:\Program Files\startdreck\StartDreck.exe
+4052=C:\Program Files\Messenger\msmsgs.exe
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User

I really appreictae you folks helping me out. Thanks :)

CTSNKY · 02-25-2005, 06:05 AM

You should dump your Norton Protected Recycle Bin and your Norton quaratined files.

Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK.

Double-click on C:\WINDOWS\wininit.ini to open it in Notepad. Delete all of the lines in the file. Save the file and close Notepad.

Reboot and post a fresh HJT log, along with a report on your condition.

Captain Stable · 03-07-2005, 03:55 PM

Just to bring you all up to date:
A HUGE thank you to everyone who tried to help me on these one (esp. Greyknight and CTSNKY. I ended up calling Dell tech support 5 times, each time they couldn't fix it. In the end I got rather upset and them what I thought about their service and hung up. 20 mins later they phoned back and said they would send an engineer round in a few days. Sure nough, he came. Twice. On the second visit he fixed it. I don't know what was wrong, but he changed the hard disk and memory, then the motherboard and processo chip. Now, it doesn't run slow at all :D

So, once again, a HUGE thank you to everyone who tried to help.

02-23-2005, 04:26 PM	#1 (permalink)
Captain Stable Registered User Join Date: Feb 2005 Posts: 5 OS: winXP	System uses 99% of CPU. HJT log included Help! I've spent 2 days so far on this and got no where... I am running two Dell computers, both using Windows XP. One of them has just suddenly started becoming very slow. On further investigation, it appears the resource "System" (not System Idle) is using all the available CPU usage. Here is HJT log: Logfile of HijackThis v1.99.1 Scan saved at 23:19:12, on 23/02/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Personal Firewall\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Real\RealPlayer\RealPlay.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE C:\WINDOWS\system32\Rundll32.exe C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe C:\CCProxy\CCProxy.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\All Users\Documents\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:808 O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\Old Computer\Program Files\Freeserve\FSBar\FSBar.dll O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200" O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: CCProxy.lnk = C:\CCProxy\CCProxy.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/ O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe Any help anyone can give me would be very much appreciated. Thank you.

02-23-2005, 05:24 PM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,331 OS: Windows 98 & Windows XP Home/Pro My System	You have programs running that are really not necessary to run at startup. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE If you have a fast internet connection (broadband), run an online virus scan at TrendMicro. Just follow the instructions on the site to run the online scan. Otherwise, make sure your antivirus program has the latest definitions and run a full system scan. Restart. Any problems now? __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools

02-24-2005, 05:27 AM	#4 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	Let's use a program to scan for any trojans that may exist. Download TDS-3. Learn how to use it here. Make sure to update it after you installed it. You can get the manual updates here. When you launch the program, it will scan your memory for running processes. This will take less than 30 seconds. Next go to System Testing on the menu and choose Full System Scan. After that's finished, post the log file by selecting everything on the top pane (select from bottom to top). If any alarms are found, it will be listed in the bottom window. Please copy and paste that here also if it applies. =========== Download StartDreck http://www.greyknight17.com/spy/StartDreck.zip Unzip to its own folder and start the program: Press 'Config' Press 'mark all' Uncheck the following boxes only: System/Running Process -> List Modules System/Drivers -> NT Services System/Drivers -> NT Kernel- and FS-drivers Press 'OK' Press 'Save' and select the location to save the log file (default is the same folder as the application) Post the log in this thread. __________________ GO BIG BLUE!!

02-25-2005, 06:05 AM	#6 (permalink)
CTSNKY Knower of all that is MS Join Date: Aug 2004 Posts: 10,755 OS: (multiple machines) 95, 98, 2K & XP Home & Pro	You should dump your Norton Protected Recycle Bin and your Norton quaratined files. Download Hoster (http://www.greyknight17.com/spy/Hoster.exe) and run it. Choose the 'Restore Original Hosts' button and press OK. Double-click on C:\WINDOWS\wininit.ini to open it in Notepad. Delete all of the lines in the file. Save the file and close Notepad. Reboot and post a fresh HJT log, along with a report on your condition. __________________ GO BIG BLUE!!

02-24-2005, 12:15 AM	#3 (permalink)
Captain Stable Registered User Join Date: Feb 2005 Posts: 5 OS: winXP	I removed those items, and no change. Here is the updated log. Logfile of HijackThis v1.99.1 Scan saved at 07:04:00, on 24/02/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Personal Firewall\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\WINDOWS\system32\CTsvcCDA.EXE C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\WINDOWS\system32\hkcmd.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE C:\WINDOWS\system32\Rundll32.exe C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe C:\CCProxy\CCProxy.exe C:\Program Files\Handspring\HOTSYNC.EXE C:\Documents and Settings\All Users\Documents\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.freeserve.com/iesearch/default.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:808 O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\Old Computer\Program Files\Freeserve\FSBar\FSBar.dll O3 - Toolbar: Norton Personal Firewall - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200" O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - Startup: CCProxy.lnk = C:\CCProxy\CCProxy.exe O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/ O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

02-24-2005, 04:27 PM	#5 (permalink)
Captain Stable Registered User Join Date: Feb 2005 Posts: 5 OS: winXP	I've just completed the first part (TDS-3) and it found 6 alerts. Here is the log. 20:03:12 [Init] Trojan Defence Suite v3.2.0 (UNLICENSED) 20:03:12 [Init] Started 24-02-05 20:03:12 GMT Standard Time (UTC: 0), Internet Time @877.22 20:03:12 [Init] Loading TDS-3 Systems ... 20:03:12 [Init] Token successfully adjusted. 20:03:13 [Init] • TDS Privileges : OK. Adjusted TDS-3 token privileges to maximum 20:03:14 [Init] • Plugins : OK. Loaded 13 20:03:14 [Init] • Exec Protection : Not Installed 20:03:15 [Init] WARNING: Your Radius.TD3 database needs to be updated! 20:03:15 [Init] Please download the latest from http://tds.diamondcs.com.au/radius.td3 20:03:15 [Init] Licensed users can use the Update facility from the TDS menu 20:03:16 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs> 20:03:32 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families 20:03:32 [Init] • Systems Initialised [47949 references - 23637 primaries/12150 traces/12162 variants/other] 20:03:32 [Init] Radius Systems loaded. <Databases updated 24-02-2005> 20:03:33 [Init] TDS-3 Ready. <Roadster@192.168.1.5, 127.0.0.1 - United Kingdom> 20:03:33 [Tip Of The Day] Did you know? - TDS-3 is the only anti-trojan system that can detect trojans by scanning for the memory-resident mutexes that they use. 20:03:33 [TDS] Good evening Roadster. 20:04:28 [Mutex Memory Scan] Started... 20:04:30 [Mutex Memory Scan] Finished (no trojan mutexes found). 20:04:30 [TDS-3] NOTICE - TDS-3 was not properly shut down. 20:04:30 [TDS-3] This is an EVALUATION demo of TDS-3. Please see the help file for help on registering. 20:04:45 [CRC32] Started - verifying 29 files ... 20:04:50 [CRC32] Test finished. 20:08:18 [Memory Scan] Memory scan started, please wait a moment ... 20:08:19 [Memory Scan] Memory scan complete. 20:08:20 [Mutex Memory Scan] Started... 20:08:22 [Mutex Memory Scan] Finished (no trojan mutexes found). 20:08:22 [Trace Scan] Started... 20:23:31 [Trace Scan] Finished. 20:23:31 [ServiceScan] Scanning for services and drivers ... 20:23:45 [ServiceScan] Scanned 335 services and drivers. 20:23:46 [File Scan] Scanning in C:\ ... 22:37:05 [Locked File] Couldn't open c:\recycler\nprotect\00000004.exe for read access, file is locked 22:37:06 [Locked File] Couldn't open c:\recycler\nprotect\00000072.exe for read access, file is locked 22:37:06 [Locked File] Couldn't open c:\recycler\nprotect\00000074.exe for read access, file is locked 22:37:23 [Locked File] Couldn't open c:\recycler\nprotect\00000396.exe for read access, file is locked 22:37:24 [Locked File] Couldn't open c:\recycler\nprotect\00000419.exe for read access, file is locked 22:37:24 [Locked File] Couldn't open c:\recycler\nprotect\00000421.exe for read access, file is locked 22:37:25 [Locked File] Couldn't open c:\recycler\nprotect\00000428.exe for read access, file is locked 22:37:25 [Locked File] Couldn't open c:\recycler\nprotect\00000433.exe for read access, file is locked 22:37:25 [Locked File] Couldn't open c:\recycler\nprotect\00000439.exe for read access, file is locked 22:37:26 [Locked File] Couldn't open c:\recycler\nprotect\00000462.exe for read access, file is locked 22:37:26 [Locked File] Couldn't open c:\recycler\nprotect\00000468.exe for read access, file is locked 22:37:26 [Locked File] Couldn't open c:\recycler\nprotect\00000480.exe for read access, file is locked 22:37:27 [Locked File] Couldn't open c:\recycler\nprotect\00000494.exe for read access, file is locked 22:37:27 [Locked File] Couldn't open c:\recycler\nprotect\00000500.exe for read access, file is locked 22:37:28 [Locked File] Couldn't open c:\recycler\nprotect\00000513.exe for read access, file is locked 22:37:28 [Locked File] Couldn't open c:\recycler\nprotect\00000525.exe for read access, file is locked 22:37:28 [Locked File] Couldn't open c:\recycler\nprotect\00000531.exe for read access, file is locked 22:38:03 [Locked File] Couldn't open c:\recycler\nprotect\00000863.exe for read access, file is locked 22:38:13 [Locked File] Couldn't open c:\recycler\nprotect\00001063.exe for read access, file is locked 22:38:37 [Locked File] Couldn't open c:\recycler\nprotect\00001403.exe for read access, file is locked 22:58:04 [File Scan] Scanned 87938 files: 6 alarms in 9258.109 seconds (Avg 10.5 files/sec) 22:58:04 [File Scan] Scanning in D:\ ... 22:58:05 [File Scan] Scanned 0 files: 6 alarms in 0.03125 seconds (Avg 1. files/sec) 22:58:05 [Scan] Finished. ----------------------------------------------------------------- Scan Control Dumped @ 23:02:07 24-02-05 Trojan Client\EditServer found: FTP.FtpSmtp 2.31 (Utility) File: c:\old computer\program files\icq\received files\captain stable\new folder\windows setup.exe Positive identification: Riskware.ProcessRestart File: c:\old computer\program files\kodak\kodak software updater\7288971\6.1.4.37-7288971l\program\restart.exe Positive identification: Riskware.Proxy.Hltv File: c:\old computer\sierra\half-life\hltv.exe Positive identification (embedded in file): Worm.Mabutu.a (dll) File: c:\program files\norton systemworks\norton antivirus\quarantine\08a4756a.tmp Positive identification (embedded in file): Worm.Mabutu.a (dll) File: c:\program files\norton systemworks\norton antivirus\quarantine\3a68057d.tmp Positive identification (embedded in file): Worm.Mabutu.a (dll) File: c:\program files\norton systemworks\norton antivirus\quarantine\4d533eab.tmp I'm just about to do the next suggestion. :D Ok, so this is the startdreck log. StartDreck (build 2.1.7 public stable) - 2005-02-24 @ 23:24:16 (GMT +00:00) Platform: Windows XP (Win NT 5.1.2600 Service Pack 2) Internet Explorer: 6.0.2900.2180 Logged in as Roadster at EUNOS »Registry »Run Keys »Current User »Run Norton SystemWorks="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz MSMSGS="C:\Program Files\Messenger\msmsgs.exe" /background »RunOnce »Default User »Run CTFMON.EXE=C:\WINDOWS\system32\CTFMON.EXE Norton SystemWorks="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz »RunOnce »Local Machine »Run IgfxTray=C:\WINDOWS\system32\igfxtray.exe HotKeysCmds=C:\WINDOWS\system32\hkcmd.exe PCMService="C:\Program Files\Dell\Media Experience\PCMService.exe" CTSysVol=C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r UpdReg=C:\WINDOWS\UpdReg.EXE dla=C:\WINDOWS\system32\dla\tfswctrl.exe ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" SpeedTouch USB Diagnostics="C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe EPSON Stylus CX5200=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200" P17Helper=Rundll32 P17.dll,P17Helper +OptionalComponents +MSFS Installed=1 +MAPI NoChange=1 Installed=1 +MAPI NoChange=1 Installed=1 »RunOnce »RunServices »RunServicesOnce »RunOnceEx »RunServicesOnceEx »File Associations (CR) +.bat batfile="%1" % +.com comfile="%1" % +.exe exefile="%1" % +.hta htafile=C:\WINDOWS\system32\mshta.exe "%1" % +.htm htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome +.html htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome +.js JSFile=%SystemRoot%\System32\WScript.exe "%1" % +.jse JSEFile=%SystemRoot%\System32\WScript.exe "%1" % +.pif piffile="%1" % +.reg regfile=regedit.exe "%1" +.scr scrfile="%1" /S +.txt txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1 +.vbs VBSFile=%SystemRoot%\System32\WScript.exe "%1" %* +.vbe VBEFile=%SystemRoot%\System32\WScript.exe "%1" % +.wsh WSHFile=%SystemRoot%\System32\WScript.exe "%1" % +.wsf WSFFile=%SystemRoot%\System32\WScript.exe "%1" % +.lnk `lnkfile= [key or value does not exist] »Active Setup (LM) +Microsoft Windows Media Player/>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} StubPath=C:\WINDOWS\inf\unregmp2.exe /ShowWMP +Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c} StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE +Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE +Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED} StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll +Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C} StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install +NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT +Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278} StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf +Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser +Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub +Address Book 6/{7790769C-0471-11d2-AF11-00C04FA35D02} StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install +Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340} StubPath=regsvr32.exe /s /n /i:U shell32.dll +Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383} StubPath=%SystemRoot%\system32\ie4uinit.exe +Fax/{8b15971b-5355-4c82-8c07-7e181ea07608} StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser »Browser Helper Objects (LM) YBIOCtrl.CompanionBHO.4/{02478D38-C3F9-4efb-9B51-7695ECA05670} `InprocServer32=C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll AcroIEHelper.AcroIEHlprObj.1/{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} `InprocServer32=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll DriveLetterAccess/{5CA3D70E-1895-11CF-8E15-001234567890} `InprocServer32=C:\WINDOWS\system32\dla\tfswshx.dll Nisbho.CNisExtBho.1/{9ECB9560-04F9-4bbc-943D-298DDF1699E1} `InprocServer32=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll Navbho.CNavExtBho.1/{BDF3E430-B101-42AD-A544-FADC6B084872} `InprocServer32=C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll »Internet Explorer »Current User Default_Page_URL=http://www.dell.co.uk/myway Local Page=C:\WINDOWS\system32\blank.htm Search Bar=http://www.freeserve.com/iesearch/default.htm Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch Start Page=http://www.google.co.uk/ Window Title=Microsoft Internet Explorer provided by Freeserve +SearchUrl provider=yaho (Default)=frsv »Default User Default_Page_URL=http://www.dell.co.uk/myway First Home Page=http://www.dell.co.uk/myway Start Page=http://www.dell.co.uk/myway »Local Machine Default_Page_URL=http://www.freeserve.com/ Default_Search_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch Local Page=%SystemRoot%\system32\blank.htm Search Page=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch Start Page=http://www.dell.co.uk/myway CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm »ShellServiceObjectDelayLoad (LM) PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9} `InprocServer32=%SystemRoot%\system32\SHELL32.dll WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED} `InprocServer32=%SystemRoot%\system32\webcheck.dll SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153} `InprocServer32=C:\WINDOWS\system32\stobject.dll »Special NT Values »Current User Load= Run= Programs=com exe bat pif cmd SHELL= »Default User Load= Run= Programs=com exe bat pif cmd SHELL= »Local Machine AppInit_DLLs= SHELL=Explorer.exe Userinit=C:\WINDOWS\system32\userinit.exe, »Files »Autostart Folders »Current User C:\Documents and Settings\Roadster\Start Menu\Programs\Startup\CCProxy.lnk C:\Documents and Settings\Roadster\Start Menu\Programs\Startup\DESKTOP.INI C:\Documents and Settings\Roadster\Start Menu\Programs\Startup\HotSync Manager.lnk »Default User C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\DESKTOP.INI »Local Machine C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Norton GoBack.lnk »INI-Files »WIN.INI\[windows] LOAD= RUN= »SYSTEM.INI\[boot] SHELL=Explorer.exe »Text Files C:\boot.ini `[boot loader] `timeout=30 `default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS `[operating systems] `multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect C:\msdos.sys C:\config.sys C:\WINDOWS\system32\config.nt `dos=high, umb `device=%SystemRoot%\system32\himem.sys `files=40 C:\autoexec.bat C:\WINDOWS\system32\autoexec.nt `@echo off `lh %SystemRoot%\system32\mscdexnt.exe `lh %SystemRoot%\system32\redir `lh %SystemRoot%\system32\dosx `SET BLASTER=A220 I5 D1 P330 T3 C:\WINDOWS\wininit.ini `[Rename] `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= `NUL= C:\WINDOWS\system32\drivers\etc\hosts `127.0.0.1 localhost `64.91.255.87 www.dcsresearch.com »Program Files C:\ntldr C:\ntdetect.com C:\io.sys C:\WINDOWS\system32\win.com C:\WINDOWS\explorer.exe »%PATH% Companion Files +C:\SETUP.EXE C:\WINDOWS\system32\SETUP.EXE +C:\WINDOWS\system32\NOTEPAD.EXE C:\WINDOWS\NOTEPAD.EXE +C:\WINDOWS\system32\TASKMAN.EXE C:\WINDOWS\TASKMAN.EXE +C:\WINDOWS\system32\WINHLP32.EXE *C:\WINDOWS\WINHLP32.EXE »System/Drivers »Running Processes +0=<idle> +4=<system> +988=\SystemRoot\System32\smss.exe +1052=\??\C:\WINDOWS\system32\csrss.exe +1076=\??\C:\WINDOWS\system32\winlogon.exe +1120=C:\WINDOWS\system32\services.exe +1132=C:\WINDOWS\system32\lsass.exe +1296=C:\WINDOWS\system32\svchost.exe +1404=C:\WINDOWS\system32\svchost.exe +1524=C:\WINDOWS\System32\svchost.exe +1636=C:\WINDOWS\system32\svchost.exe +1780=C:\WINDOWS\system32\svchost.exe +1796=C:\WINDOWS\Explorer.EXE +1952=C:\Program Files\Common Files\Symantec Shared\ccProxy.exe +1972=C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe +1984=C:\Program Files\Norton Personal Firewall\ISSVC.exe +1996=C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe +2032=C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe +136=C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe +684=C:\WINDOWS\system32\spoolsv.exe +928=C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe +1444=C:\WINDOWS\system32\CTsvcCDA.EXE +1468=C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe +1748=C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe +1892=C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe +212=C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe +468=C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE +816=C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE +1452=C:\WINDOWS\system32\svchost.exe +1516=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe +1568=C:\WINDOWS\system32\MsPMSPSv.exe +3472=C:\WINDOWS\system32\hkcmd.exe +3528=C:\Program Files\Dell\Media Experience\PCMService.exe +3564=C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe +3624=C:\WINDOWS\system32\dla\tfswctrl.exe +3636=C:\Program Files\Common Files\Symantec Shared\ccApp.exe +3712=C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe +4024=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE +268=C:\WINDOWS\system32\Rundll32.exe +2156=C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe +2448=C:\CCProxy\CCProxy.exe +2472=C:\Program Files\Handspring\HOTSYNC.EXE +2972=C:\WINDOWS\System32\svchost.exe +3808=C:\Program Files\startdreck\StartDreck.exe +4052=C:\Program Files\Messenger\msmsgs.exe »VMM32Files (LM) »%System%\VMM32 »%System%\IOSUBSYS »Application specific »MS Office 97/8.0 STARTUP-PATH »Current User »Default User »Local Machine »ICQ NetDetect »Current User »Default User I really appreictae you folks helping me out. Thanks :)

03-07-2005, 03:55 PM	#7 (permalink)
Captain Stable Registered User Join Date: Feb 2005 Posts: 5 OS: winXP	Just to bring you all up to date: A HUGE thank you to everyone who tried to help me on these one (esp. Greyknight and CTSNKY. I ended up calling Dell tech support 5 times, each time they couldn't fix it. In the end I got rather upset and them what I thought about their service and hung up. 20 mins later they phoned back and said they would send an engineer round in a few days. Sure nough, he came. Twice. On the second visit he fixed it. I don't know what was wrong, but he changed the hard disk and memory, then the motherboard and processo chip. Now, it doesn't run slow at all :D So, once again, a HUGE thank you to everyone who tried to help.