[Resolved] I seem to have a trojan/worm I cant remove

Howdy, ward7, and welcome to A2K. A quick look through your HJT log doesn't immediately reveal any known yuckware signatures, which may or may not be good news. However, I do notice a few things that should be seen to. Perhaps most important, HiJackThis should be run from its own dedicated folder, either in your Programs file or directly on your root dirve. For detailed instructions on yuckware removal, including necessary tools, configuration, and update techniques, and preliminary steps, please see This Topic.

I suspect your main problem - sluggish performance, high processor utilization - is a resource issue; you have a helluva lot of stuff going on there that doesn't need to start with Windows at boot. A couple possible side issues, which we can get into a bit later, may be related to your Norton/Symantec software, and another may be related to Windows Media Center extensions you have installed.

For starters, though, I sugest you properly install and configure HiJackThis, per the instructions you'll find at the topic to which I referred you. Once that's been done, boot into safe mode (again, instructions for doing so are available at the earlier referrenced topic), locate and launch HijackThis, perform a system scan, then place a checkmark next to each of ONLY the following entries, if found:


R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1449/ftp.coupons.com/r3302/cpbrkpie.cab

Click "Fix Checked", and reboot when the process has completed.

Following that, I recommend you thoroughly familiarize yourself with the preliminary yuckware removal process to which I referred you, print out the instructions, gather the required downloads, perform the necessary updates and on-line scans, and carefully step through the entire remaining process, performing the steps in the manner and in the order listed. Doing so not only will reveal and remove much, if not most or even all, of the yuckware which may be present on your machine, but will harden your system against future infections. If you decide to go that way, post the resultant logs and any other pertinent info onto this thread (just navigate back here to your original post and click "Reply"). While I don't anticipate there will be much if any yuckware cleanup to be done (though surprises always are possible :wink: ), I expect we can do a good deal to free up system resources for you, resolve a couple software conflicts, speed up your boot time, and in general make you and your machine happier.

More on Spyware/Trojan problem...
Thanks for the very speedy response, Timberlandko. And I'll start by apologizing that my reply has been slow. It took a while to follow all these steps, and I had to leave town for the weekend. So now it's 12:39 AM and I just finished up.

I will begin by giving you step by step results of the process I took…

1) I was able to remove the errors you listed in your reply with Hijack this. Then I went on to the general cleanup you prescribed
2) No viruses/threats found by Norton Internet Security full scan after update.
3) When going to the Windows Update site and to the Malicious Software Removal tool, I was forced to use Safe Mode with Networking to access the internet. Whatever problem I have made the process too slow to run any other way. No malicious software detected.
4) When running Ad Aware, in the "cleaning engine" options, the first button "Automatically check…" was greyed out and could not be selected. No problems found.
5) Spybot found no infections
6) Pandas online scan found 6 virus incidences, including W32/Klez.I (x3) and TRJ/Mitglieder.dq (#2).
7) Kaspersky found 2 viruses, 4 infected objects, 2 suspicous objects. All were located in quarantine from Norton Antivirus or Spybot.
8) Stinger found nothing
9) Ewido (surprise!) found 21 infections, and they were cleaned. Looks like a few slipped past the goalie (why am I paying for Norton???) I saved the log file. The second run showed no infections.
10) Microsoft Spyware reported no infections.
11) As a sidenote, I must say my computer ran beautifully in safe mode. Man I miss that speed!!
12) I was very hopeful when rebooting since a number of infections were removed. Just a few moments after rebooting into normal mode, I was greeted with that (now hated) sound of USB hardware connecting and disconnecting, and services.exe running at least 50% of processor cycles. Then that Autoplay window popped up again. Darnit. Also noted an unusually long shutdown time on my last reboot before running Hijack This.
13) My last run of CCleaner found one nagging error that repeated each time: an Unused File Extension { - Hkcr\}
14) This would seem to lead to three possibilities: (a) I still have an infection that ten scanners wont detect; (b) I have a hardware issue causing services.exe to go nuts (the entire system, sans the scanner, is brand new); or (c) there are software issues as you suggested. I have gone from being a huge Norton fan to a big hater over the past few versions of Norton products. Often Liveupdate hangs and have had other problems, and wouldn't be surprised if it were the root of all this. If so they can forget about any more subscription renewals from me.
15) Is there any way to determine exactly what Services.exe is doing? Some analysis software that might shed some light on what service is causing the problem?
16) Finally, any further advice about how to proceed would, of course be appreciated. Also, I would love some advice as to what software I should leave running in the background for virus/spyware/Trojan detection. I have Norton Internet Security, Webroot Spysweeper, Ewido, Microsoft Antispyware, Spybot, Spyware Blaster, Spyware Doctor, etc. and I am certain that there is no good thing about having all these programs monitoring the system simultaneously, both from a conflict standpoint and a system resource standpoint. What should I leave running for solid protection?

Thanks so much for helping out your fellow computer users. My final Hijack This log is attached (incidentally, the system WAS acting up during the time I ran the log). Also, just to give you an idea how bad this problem is, it took me a full three minutes just to open this Word document to paste it into my reply…on a Pentium 4 3.2Ghz with 1GB of RAM! I am hot about this… ;-)

Ward7

Logfile of HijackThis v1.99.1
Scan saved at 12:36:08 AM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: DataKeeper.lnk = C:\Program Files\PowerQuest\DataKeeper 5.0\DataKeeper.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Desktop Weather Platinum.lnk = C:\Program Files\Desktop Weather Platinum\DWPlatinum.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech Harmony Remote.lnk = C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Qshelf.lnk = C:\Program Files\Microsoft Reference\Bookshelf 98\qshelf98.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1118039764218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124424066828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4560/mcfscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: DeepSight Extractor Service for NPF03 (ExtractorServiceNPF03) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
O23 - Service: DeepSight Extractor Service for NPF04 (ExtractorServiceNPF04) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And I apologize for my slow get-back to you; my ISP suffered a major outage, been off the web mosta the time since early friday AM.

Got good-news/bad news for you; the HJT log doesn't reveal any known yuckware signatures.

One thing that sorta gets my attention: O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE - that's a Cypress USB Mass Storage Adapter process, commonly installed with iTunes, Napster, and other USB device software. It has been known to cause USB issues, but I dunno that it would cause the symptoms you describe.

HKCR/ refers to a registry hive, HKEY_CLASSES_ROOT, which among other things is home to file extensions associations and CLSIDs file and object types. Its recreated at each startup. I'm not sure why CCleaner would be alerting on that, I'll see what I can find out.

Something you might wanna try: shut off your machine, physically disconnect your peripherals, particularly your USB peripherals, then see what happens when you reboot. If things seem better, then shut down, connect one peripheral, and reboot - see what happens. Keep on adding peripherals one at a time, shutting down, then booting with the peripherals added successively. You might narrow things down that way.

Another thing to do is to eliminate a buncha non-essential startups; you have a buncha stuff firing up with Windows that doesn't need to launch on boot. And yeah, Norton is a resource hog ... there are better choices.

I'll get back to you soon as I can, but I have a buncha catchup to do, so it may take a few hours. Thanks for your patience ... I'll toss a bit more info your way soon.


Oh, and excellent "After Action Report" - wish more folks did that. I'm gonna look that over real carefully, to see if there might be other clues there.

Trojan
Tiberlandko,

I havent tried the hardware disconnects yet (I will tonight) but I did try the Windows System File Checker to see if anything was corrupted. It did replace a few files (I know this means I will have to visit Windows Update again), and the computer ran very well after reboot....for a few minutes. My Norton System Doctor window that shows CPU usage was nice and flat, then about a minute after the reboot was complete I watched as the graph slowly turned into a mountain (while I was doing nothing) and the problem was back once again. I mention this only because I am hoping it might give you a clue.

Another possible clue...most of the time when I hear the hardware connect/disconnect sound it is when I start a new program or click on a website link, as if the sound is being made when my CPU gets an additional load.

I cant help but wonder what would happen (based on my results above) if I reinstalled Windows XP...this used to be my fix-all in the Windows 95/98 days. What are your thoughts?

Thanks again

Ward 7

An OS re-install cures lotsa software woes, though it is a tedious process, what with updates, re-intalling software and drivers, and reconfiguring peripherals. On the other hand, if your personal stuff is independently backed up and current enough to suit you, it might be the best answer. If nothing else, it will give you a benchmark from which to begin effective troubleshooting; add back stuff one item at a time, see what happens for a while, add another item, etc.

I do think your Startup folder is awful heavy; all you really need at startup is Explorer, Systray, your security/privacy software, and mebbe Power Profile. All the rest of the stuff that preloads can be accessed on demand from your Start menu, from your Programs folder, or from desktop or taskbar icons. Cleaning that stuff up will take a big load off your processor and free up considerable resources. Spybot S&D offers an excellent Startup control feature in its tool set; Startup items may be individually toggled on and off, letting you try things for a while without actually permanently removing anything. Another thing you might want to try is experiment with starting your system from a Clean Boot; you can still manually start any programs you wish to use (though you may also have to manually start services required by that program); if your system operates stably, then your problem lies with a driver, process, or service loaded during normal boot. If this turns out to be the case - and I suspect it may - enable half your startups, and see what happens. If the problem doesn't recur, its in the other half. Disable the first set, enable the second. If it does recur, cut the list of suspects in half again, reboot, and see what happens. Continue in such fashion untill you've selectively loaded and started all of your startups. By process of elimination, you should be able to fairly quickly and accurately narrow down the problem iof it is indeed a startup issue - I've rarely found it necessary to go through more than 8 or 10 boot-configuration trials, often fewer than half a dozen.

An afterthought - you are running Noirton/Symantec - a process there which frequently eats all the resources it can gobble is "CCAPP.EXE" - you might wanna bring up Taskmanager when you hit one of those serious slowdowns, click the "Processes" tab, and watch that one's processor useage. Sometimes killing and restarting the process works, sometimes its best to uninstall/reinstall your Norton/Symantec software - the entire package.

Startup items
Excellent suggestion...I'm going to try it. I will report back on what I find in hopes that it might help someone else with the same problem. Oh, and here's another clue which makes me think it might just work...I noticed that hardware disconnect sound (albeit only once) at my office yesterday. If you guessed I have alot of the same software installed there too, you guessed correctly as the systems are 80% the same. My fingers are crossed......and thanks again for your advice!!

Ward

Problem resolved....I think
Tiberlandko,

After lots of trial and erorr last night and this morning I think I have isolated my problem.....thanks to your help.

After configuring MSCONFIG to do a clean boot per your instructions, I rebooted and the hardware connect/disconnect sounds went CRAZY...I mean every few seconds. Strangely, the computer was still usable. The system idle process, not Services.exe, was taking most of the processor cycles, but processor usage remained relatively constant at 50%. That left two sources of the problem...either something in Boot.ini (which MSCONFIG can't change), or a hardware problem.

I then shut down the computer, disconnected all USB hardware except the mouse and keyboard, and rebooted. SUCCESS, there was no problem. Now for the real test....I set MSCONFIG for a normal boot and tried again. Still good....so now I began to isolate the problem through each of the 12 or so peripherals attached via USB. I finally isolated the problem to an external Iomega ZIP 250 photoshow drive I attached to my system (surprise) not long before all this started. When it is disconnected, there are no problems, but when you connect it the computer goes crazy. I am doing cartwheels!

Now I have to determine if the problem is with the hardware or the installation, which I can handle. THANK YOU, Able2Know! For all the rest of you having problems with Services.exe eating system resources, I would advise you check your hardware in addition to viruses/trojans/etc before you make drastic changes to your system.

This leaves me with three ligering problems, probably the result of trying so hard to remove yuckware that wasnt even the cause of the problem. If you have advice, I'd really appreciate it.

Problem 1) I cannot connect to Windows Update to undo the changes I made to the system. The webpage begins to load, but it never finishes. I suspect one of the new security programs could be refusing access?

Problem #2) I still have a very slow system shutdown. Startup is fine, but after all Ive done something is causing the computer to take several minutes to shut down where it took less than a minute before.

Problem #3) I never got any advice from you as to which of my myriad of antivirus/antispyware programs you recommend to remain monitoring the system. I certainly want strong protection, but dont want all my resources eaten up and I suspect there may be conflicts with having several programs doing the same job.

Thanks again!

Ward7

Re: Problem resolved....I think

Glad that worked out - I pretty much figured the problem was gonna lie in that direction.


Always good advice - go for the easy stuff first.


That's possible. A few thoughts:
Before going to Windows Update, disable any resident security/privacy software you have, including particularly popup stoppers or ad blockers. Also, in Internet Options, under the "Advanced" tab, select "Browsing", clear the "Enable third-party browser extensions (requires restart)" check box, then close all instances of Internet Explorer. TaskManager - Ctrl+Alt+Del - can be handy for that; invoke it, click "Processes", kill iexplore.exe, then restart Internet Explorer by clicking "Applications", selecting "New Task", typing, (without the quotes) "iexplore.exe", and click "OK", or simply restart your machine after disabling 3rd-Party Extensions - either way oughtta work.

Try going to Windows update from Safe Mode With Networking and see what happens - might help, might not.

Go to Start>Run, type (without the quotes) "sfc /scannow" (observe there is a space between "sfc" and "scannow", and note the 2 "n"s in "scannow"), click "OK", follow the prompts through the process, then reboot normally, revisit Windows Update and see what happens.

Go to Add/Remove Programs and uninstall the most recent Microsoft updates and/or Service Pack you have installed, then revisit Windows update and see what happens.


Does the system shut down slowly even when started from a clean boot or from safe mode? I suspect there is a problem related to the sheer bulk of your Startup folder, though there are other possibilities. Here's an excellent Startup/Shutdown Troubleshooting guide, with lots of tips, step-throughs, and links to fixes and workarounds for all sorts of common and not-so-common issues.


Sorry - I overlooked that. Rules of thumb:
Have only one real-time antivirus app configured to run at boot - multible antivirus apps running simultaneously can and generally do cause conflicts. Ditto for antispyware apps which load and run as a service, providing real-time monitoring/scanning. A combination of antispyware apps that generally plays well together includes Ad-Aware SE, Microsoft Antispyware, (configured for active, real-time protection), Spybot S&D - WITHOT "TeaTimer" enabled, and Spyware Blaster (also some folks swear by SpywareBlaster's companion, SpywareGuard). Toolbars with security/privacy features, such as Google, Yahoo, MSN, AOL and even A2K's Own Excellent Toolbar, can conflict with one another if run concurrently, and may also in some instances conflict with XP's built-in privacy protection, particularly XP's popup blocker. Experimentation is about the only way to sort out what toolbars work best for you; I've found A2K's and Google's OR Yahoo's work well for me, but they sorta seem to argue with one another when I have all 3 enabled. Another common conflict area lies in firewalls; often, XP's firewall and 3rd Party software firewalls don't play well together, and if you also have a hardware firewall, such as commonly are included with routers, there can be other issues. Again, experimentation is the key; shut off all but one item, try things, add another item, try things, etc.[/quote]



Yer weccum - glad to try to help, hope sometimes the help I offer does some good. There's prolly not a computer screwup I haven't carelessly inflicted upon myself and had to figure out