Malware Removal
PC Running A Little Slow ... Lots of Processes Running ... HJT LOG
Logfile of HijackThis v1.99.1
Scan saved at 11:19:26 PM, on 1/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff Pugh\My Documents\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
#2
Howdy xupugh,

Welcome to CTH. Yes, there is some infection showing there. Though this is not an infected item, I am curious as to why so many instances of it are running:
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe

Please do the following. You will want to print or have access to these steps while working in Safe Mode.

Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

Download the trial version of Ewido Security Suite from here. When installing, under "Additional Options" uncheck "Install Background Guard" and "Install scan via context menu". Launch Ewido (there should be an icon on your desktop; double-click it). The program will now go to the main screen. You will need to update Ewido to the latest definition files. On the left hand side of the main screen click Update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update Ewido: http://www.ewido.net/en/download/updates/. Do not run a scan yet.

------------------------------------------------------------------

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

Close all open windows and run a scan in HijackThis. Place a check next to all of the following lines, then select "Fix Checked" and close HijackThis.

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto

Do a search (Start - Find - Files or Folders) for the following files/folders (shown in bold), and if found, delete them.

C:\Program Files\winupdates (the entire folder)

Run Ewido now. Click on Scanner and click Complete System Scan and the scan will begin. During the scan it will prompt you to clean files; click OK. When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.

When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido. Then reboot.

Run a new scan with HijackThis and post that and the Ewido log back here.
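The reply above singles out one O4 autorun line and asks about the repeated Yahoo Widget Engine processes. As an added example, not code from the thread or from HijackThis, the Python below parses a trimmed excerpt of that log (line breaks restored, embedded here as constructed sample data) and applies two checks a log reader does by hand: it counts duplicate image paths under "Running processes:", and it rates each O4 entry by where its binary lives and whether its name imitates a Windows component. The lookalike-name list and the trusted-directory list are assumptions chosen for this machine's log, not HijackThis data; on another log they would be tuned.

```python
import re
from collections import Counter

# Name stems an autorun entry might borrow to pass as a Windows component.
# Assumption for this example, not a HijackThis list.
LOOKALIKE_STEMS = ("winupdate", "windowsupdate", "wupdate", "svchost",
                   "lsass", "csrss", "winlogon", "explorer")
# Directories expected to host autorun binaries on this particular machine
# (assumption drawn from the vendors visible in the log). Anything else is
# treated as an unknown vendor and gets the lookalike-name check.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\java\\",
                "c:\\program files\\google\\", "c:\\program files\\intel\\",
                "c:\\program files\\dell\\")

# "O4 - HKLM\..\Run: [name] command"  and  "O4 - Startup: name.lnk = command"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?\.lnk) = (?P<cmd>.+)$")
# Quoted path, or an unquoted path (spaces allowed) ending in a binary extension.
TARGET_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|scr|com|bat))(?=\s|$)',
                       re.IGNORECASE)
SECTION_RE = re.compile(r"^[RFNO]\d+ - ")   # first R0/F2/O2... line ends the process list

# Constructed excerpt of the log in the first post, with line breaks restored.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Yahoo!\WIDGET~1\WidgetEngine\YahooWidgetEngine.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
"""


def extract_target(cmd):
    """Return the binary an autorun command launches; for rundll32 entries, the DLL it loads."""
    cmd = cmd.strip()
    m = TARGET_RE.match(cmd)
    if not m:
        return cmd
    target = m.group("q") or m.group("u")
    if target.lower().endswith("rundll32.exe"):
        rest = cmd[m.end():].strip()                 # "C:\...\NvCpl.dll,NvStartup"
        target = rest.split(",", 1)[0].strip().strip('"')
    return target


def classify(target):
    """'review': bare name, so the loader's search order decides which copy runs;
    'suspect': Windows-lookalike name from a directory not in TRUSTED_DIRS; else 'ok'."""
    lowered = target.lower()
    if "\\" not in lowered:
        return "review"
    stem = lowered.rsplit("\\", 1)[1].rsplit(".", 1)[0]
    if not lowered.startswith(TRUSTED_DIRS) and any(tok in stem for tok in LOOKALIKE_STEMS):
        return "suspect"
    return "ok"


def audit_o4(log_text):
    """Return [(entry_name, target, verdict)] for every O4 line in an HJT log."""
    results = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if m:
            target = extract_target(m.group("cmd"))
            results.append((m.group("name"), target, classify(target)))
    return results


def duplicate_processes(log_text):
    """Map image path -> count for paths listed more than once under 'Running processes:'."""
    counts, in_list = Counter(), False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_list = True
            continue
        if in_list:
            if not line.strip() or SECTION_RE.match(line):
                break
            counts[line.strip().lower()] += 1
    return {path: n for path, n in counts.items() if n > 1}


if __name__ == "__main__":
    for name, target, verdict in audit_o4(SAMPLE_LOG):
        print(f"{verdict:8} [{name}] -> {target}")
    for path, n in duplicate_processes(SAMPLE_LOG).items():
        print(f"{n}x running: {path}")
```

On the excerpt, `winupdates` is the only entry rated suspect (Windows-sounding name, private folder under Program Files, no vendor in the list), which matches the single line the reply tells the poster to fix; `BCMSMMSG.exe` and any other bare filename come back as "review" because a Run value with no path is found by the loader's search order rather than by an explicit location, and the Yahoo Widget Engine path is reported with its instance count. The verdicts are a triage aid for reading the log, not a replacement for checking the file itself.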
#3
Thanks JinTan. I am at work today, so I won't be able to get back to you until later tonight, if that is OK?
#4
That's fine.
#5
Well, I'm multi-tasking at work today. I brought the PC with me, but just have to burn and transfer the material to get it on the Net.
The Ewido program finished running, but I have to click each individual thing that reads: The file "C:\ ..." cannot be removed because it is embedded in the archive "C:\ ...". Do you want to remove the whole archive? I have clicked yes, but it appears that I am going to have to do that 2000 more times. Is there a way around this?
#6
Check lower left corner - Perform actions on all...
#7
I did that, but this is a separate "Warning" Message that appears.
My only two options are Yes / No.
#8
I'm re-running the program. I made sure to click "Perform action" and to set that to "remove."
I'll update in about 115 minutes (if it takes as long as last time). --- I don't mind clicking the Yes button 2000 times, just can't stand the PC system "boot" noise that many times.
#9
The "Warning" message came up again as it began the cleaning process. I will have to click for a while. After I am finished removing the infected objects, I will post the report.
Thanks for the help. I need earplugs for the noise though.
#10
If that continues, post back a sample of the file and location of the archive it is referencing. It may be items you can clear en-masse and then rescan (but post here first).
#11
Warning
The file "C:\Documents and Settings\xupugh\Complete\Amigo Easy Video Converter 4.29.zip/Setup.exe" cannot be removed because it is embedded in the archive "C:\Documents and Settings\xupugh\Complete\Amigo Easy Video Converter 4.29.zip". Do you want to remove the whole archive?

Thanks.
#12
Are they all referencing that software? It is a legit program, and might possibly have components that would appear to a scan as infection (but be harmless in fact).
#13
Not just that software. I just went to that folder of the C: drive to see how many files were in it ... 2,271.
They range from "Anonymous Web Surfing 3.3" (which I've never downloaded) to "Apache Cookbook" to "Burn and Go X" to "iMarkup 3.97" to "Microsoft Office 2003 Service Pack 2" to "Symantec Norton AntiVirus 2005". It runs a gamut of stuff.
#14
They are all archived (all known programs identified as executable files located in a zip file)?
#15
Understand we are not discussing some by-product of infection, but how to make the scan do the removal procedures you need. I am not familiar with a Complete folder located in a user Documents and Settings. Do you have some sort of back-up software that would create this?
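Posts #5 through #15 turn on files the scanner cannot delete one at a time because they sit inside .zip archives, and on the suggestion to clear such archives en masse once it is known what they hold. As an added example, not code from the thread or from Ewido, the Python below walks a download folder, lists every .zip that carries an executable member, and records each member's size and SHA-256 without extracting anything to disk, so the 2,000-odd archives can be reviewed as a list before any are removed or rescanned. The folder and its archives are constructed sample data built in a temporary directory; the extension list is an assumption for the example.

```python
import hashlib
import os
import tempfile
import zipfile

# Member extensions worth a look inside a downloaded archive (assumption for this example).
EXECUTABLE_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll")


def executable_members(zip_path):
    """Return [(member_name, size, sha256)] for executable members of one archive.
    The member is hashed from the archive stream, never written out, and a corrupt
    or non-zip file yields [] instead of raising, so a big folder scan does not stop
    on the first damaged download."""
    found = []
    try:
        with zipfile.ZipFile(zip_path) as zf:
            for info in zf.infolist():
                if info.is_dir() or not info.filename.lower().endswith(EXECUTABLE_EXTS):
                    continue
                digest = hashlib.sha256()
                with zf.open(info) as member:
                    for chunk in iter(lambda: member.read(65536), b""):
                        digest.update(chunk)
                found.append((info.filename, info.file_size, digest.hexdigest()))
    except (zipfile.BadZipFile, OSError):
        return []
    return found


def triage_folder(folder):
    """Map each .zip under folder that holds an executable -> its executable members."""
    report = {}
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if not name.lower().endswith(".zip"):
                continue
            path = os.path.join(root, name)
            members = executable_members(path)
            if members:
                report[path] = members
    return report


def build_sample_folder():
    """Constructed sample data: one archive with an installer, one without, one broken."""
    folder = tempfile.mkdtemp(prefix="complete_")
    with zipfile.ZipFile(os.path.join(folder, "Amigo Easy Video Converter 4.29.zip"), "w") as zf:
        zf.writestr("Setup.exe", b"MZ" + b"\x00" * 62)   # fake PE stub, not a real program
        zf.writestr("readme.txt", b"installer notes")
    with zipfile.ZipFile(os.path.join(folder, "Apache Cookbook.zip"), "w") as zf:
        zf.writestr("cookbook.pdf", b"%PDF-1.4 constructed")
    with open(os.path.join(folder, "broken.zip"), "wb") as fh:
        fh.write(b"not a zip")                             # damaged download
    return folder


if __name__ == "__main__":
    sample = build_sample_folder()
    for archive, members in triage_folder(sample).items():
        print(archive)
        for member, size, sha in members:
            print(f"  {member}  {size} bytes  sha256={sha}")
```

The report gives the poster what the per-archive prompt does not: which of the 2,271 downloads actually contain an installer, and a hash per installer that can be compared against a vendor's published checksum or a detection report before deciding whether to delete the whole archive. Hashing from the stream avoids dropping a possibly infected Setup.exe onto the desktop on the way to inspecting it.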