Slow computer and suspicious windows file and folder behaviour
Hi
I'm just about at my wits end with this computer at the moment!
System Details
Windows XP Pro SP2
1GB Ram
80GB HD
Firewall - ZoneAlarm
Anti-Virus - NOD32
Anti-Spyware - see below
Problems
Speed Issues
The computer is running very slowly, particularly when I'm on the internet. Opening links can be extremely slow and recently, sometimes when I do a search, the google search results page opens up OK, but any links I click on don't connect. I get a message dialogue box saying that my internet connection is OK and then have a range of options available like retry, ping, whois, etc (maybe that's due to a Firefox Extension I've installed - I'm not sure).
Wierd Things
The weird things relate mainly to my directory structure(s) including things like - I have folders with multiple sub-folders but nothing in them (even when I show all files including those that are normally hidden). I have new folders added to the C:\ directory every now and then. In the C:\Temp directory, I have files and folders dating back a year or so, when I've run programs that clean out temp files in the last few days. Although I have IE7 installed, there is reference to IE5 when I run software to delete temp files etc
What I've tried to resolve the problems -
First I ran NOD32 - the first time I ran it in relation to this problem, I found I had an infection (Win32 Netsky).
I quarantined the offending files, found that they were residing in a folder I didn't even know I had under C:\Import. This directory, which was not created by me, seemed to be a duplicate of my C: Drive and contained 2 folders - Drive C and Drive D. I've since removed this directory to an external drive and don't think it's causing me any problems.
Then I ran NOD32 again and can't remember now whether I found no further threats or aborted the scan after it was taking so long (I mean hours and hours).
I then ran -
Weebroot SpySweeper
Spybot Search & Destroy
Lavasoft Adaware
CCleaner
NTREGOPT (to optimise the registry)
There were no further threats detected and I had thought that the system should be pretty clean by this stage but there was still an issue with the speed.
Because of the Weird Things mentioned above, I thought I might have some corrupt windows files so I tried to do a Windows Repair but when I tried to select the option on the installation CD to install windows, I received an error message saying that the version of windows on my computer was a later version than what was on the disc and I couldn't get to the point where you would normally get the options to repair or install. Even though I've installed all windows updates and hotfixes etc, I'm pretty sure I've been able to repair windows files before using this method so I checked that the serial numbers matched using Belarc Advisor and they do.
I then purchased Uniblue Power Suite and ran Registry Booster and SpeedUpMyPC which seemed to make a difference but it was still taking a long time to do things like forwarding emails, accessing the internet, etc. Then when I ran SpyEraser (the 3rd part of the Power Suite), it scanned cookies, memory and registry fairly quickly, detected a few registry issues but was still scanning files more than 8 hours later. I sent Uniblue an email to see if this was normal and I received a reply saying it could be depending on what was running and to try running SpyEraser in Safe Mode which I did. Again, it scanned cookies, memory and registry fairly quickly, detected no registry issues this time, but was still scanning files more than 2 hours later so I had to abort the scan and get some real work done.
In the meantime, I had some extra RAM installed which has made a difference but startup is still slow, my Uniblue Power Suite had some components missing when I rebooted and Webroot SpySweeper has been removed.
In relation to the Weird Things, today I noticed another new folder under C:\Documents and Settings. A directory called Administrator:BACKOFFICE which contains directories for things I don't even recognise. I've also noticed a bunch of files in the root directory with an .sqm extension.
So, to cut a long story short, the strange files and folders thing is making me wonder if there is serious problem I haven't been able to detect/remove and the speed thing is still an issue.
Any thoughts on where to from here would be greatly appreciated.
If I need to run a HijackThis scan, would you mind including some instructions on what to do to be able to post it back here?
Many thanks
I'm just about at my wits end with this computer at the moment!
System Details
Windows XP Pro SP2
1GB Ram
80GB HD
Firewall - ZoneAlarm
Anti-Virus - NOD32
Anti-Spyware - see below
Problems
Speed Issues
The computer is running very slowly, particularly when I'm on the internet. Opening links can be extremely slow and recently, sometimes when I do a search, the google search results page opens up OK, but any links I click on don't connect. I get a message dialogue box saying that my internet connection is OK and then have a range of options available like retry, ping, whois, etc (maybe that's due to a Firefox Extension I've installed - I'm not sure).
Wierd Things
The weird things relate mainly to my directory structure(s) including things like - I have folders with multiple sub-folders but nothing in them (even when I show all files including those that are normally hidden). I have new folders added to the C:\ directory every now and then. In the C:\Temp directory, I have files and folders dating back a year or so, when I've run programs that clean out temp files in the last few days. Although I have IE7 installed, there is reference to IE5 when I run software to delete temp files etc
What I've tried to resolve the problems -
First I ran NOD32 - the first time I ran it in relation to this problem, I found I had an infection (Win32 Netsky).
I quarantined the offending files, found that they were residing in a folder I didn't even know I had under C:\Import. This directory, which was not created by me, seemed to be a duplicate of my C: Drive and contained 2 folders - Drive C and Drive D. I've since removed this directory to an external drive and don't think it's causing me any problems.
Then I ran NOD32 again and can't remember now whether I found no further threats or aborted the scan after it was taking so long (I mean hours and hours).
I then ran -
Weebroot SpySweeper
Spybot Search & Destroy
Lavasoft Adaware
CCleaner
NTREGOPT (to optimise the registry)
There were no further threats detected and I had thought that the system should be pretty clean by this stage but there was still an issue with the speed.
Because of the Weird Things mentioned above, I thought I might have some corrupt windows files so I tried to do a Windows Repair but when I tried to select the option on the installation CD to install windows, I received an error message saying that the version of windows on my computer was a later version than what was on the disc and I couldn't get to the point where you would normally get the options to repair or install. Even though I've installed all windows updates and hotfixes etc, I'm pretty sure I've been able to repair windows files before using this method so I checked that the serial numbers matched using Belarc Advisor and they do.
I then purchased Uniblue Power Suite and ran Registry Booster and SpeedUpMyPC which seemed to make a difference but it was still taking a long time to do things like forwarding emails, accessing the internet, etc. Then when I ran SpyEraser (the 3rd part of the Power Suite), it scanned cookies, memory and registry fairly quickly, detected a few registry issues but was still scanning files more than 8 hours later. I sent Uniblue an email to see if this was normal and I received a reply saying it could be depending on what was running and to try running SpyEraser in Safe Mode which I did. Again, it scanned cookies, memory and registry fairly quickly, detected no registry issues this time, but was still scanning files more than 2 hours later so I had to abort the scan and get some real work done.
In the meantime, I had some extra RAM installed which has made a difference but startup is still slow, my Uniblue Power Suite had some components missing when I rebooted and Webroot SpySweeper has been removed.
In relation to the Weird Things, today I noticed another new folder under C:\Documents and Settings. A directory called Administrator:BACKOFFICE which contains directories for things I don't even recognise. I've also noticed a bunch of files in the root directory with an .sqm extension.
So, to cut a long story short, the strange files and folders thing is making me wonder if there is serious problem I haven't been able to detect/remove and the speed thing is still an issue.
Any thoughts on where to from here would be greatly appreciated.
If I need to run a HijackThis scan, would you mind including some instructions on what to do to be able to post it back here?
Many thanks
First, try SUPERAntiSpyware (http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE). Then download and open Dial-a-fix (http://djlizard.net/software/Dial-a-fix-v0.60.0.24.zip), check all checkboxes under the "Registration center" section, and click "GO".
Not a bad idea to run HijackThis. Download it from http://www.hijackthis.de/ (link is at top-right corner of that page). Unzip the contents to some folder (not the Desktop) then run the .exe file by double-clicking on it. It shows the results in a window - just copy and paste the results here.
ASKER
Thank you for your quick replies to my posting.
As you might have gathered, I've been doing everything possible to try to avoid a fresh install of windows as I'm really short on time and run a few business applications which I can't afford to mess up. Having said that though, it's looking more and more like a fresh install is going to be about the only way to go.
I installed and ran Super Antispyware - no problems detected.
I also downloaded and ran Dial-a-fix and have copied the log file below -
Bit early to tell how effective it was but I thought I'd post a copy of the file here to see if you think there's anything obvious in it -
Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
dial-a-fix@DjLizard.net and include a copy of this log
DAF version: v0.60.0.24
--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 7.0.5730.11
MPC: 55276-013
CPU: AMD Athlon(tm) (~1250MHz)
BIOS: 15/09/2003
Memory (approx): 991MB
Uptime: 12 hour(s)
Current directory: C:\Documents and Settings\Admin\Desktop\Dow
---
04/10/2007 9:09:51 PM -- Dial-a-fix : [v0.60.0.24] -- started
9:09:51 PM | Policy scan started
9:09:51 PM | Policy scan ended - no restrictive policies were found
--- Emptying temp folders ---
9:41:02 PM | Deleting C:\Documents and Settings\Admin\Local Settings\Temp...
9:41:03 PM | C:\Documents and Settings\Admin\Local Settings\Temp could not be completely emptied, please reboot and try again
9:41:03 PM | Deleting C:\WINDOWS\temp...
9:41:03 PM | C:\WINDOWS\temp could not be completely emptied, please reboot and try again
9:41:03 PM | Deleting C:\DOCUME~1\Admin\LOCALS~1
9:41:03 PM | C:\DOCUME~1\Admin\LOCALS~1
--- MSI ---
9:53:42 PM | Registered: C:\WINDOWS\system32\msi.dl
--- Registration: ActiveX controls/codecs ---
9:55:11 PM | Registered: C:\WINDOWS\system32\acelpd
9:55:11 PM | Registered: C:\WINDOWS\system32\actxpr
9:55:11 PM | Registered: C:\WINDOWS\system32\asctrl
9:55:11 PM | Registered: C:\WINDOWS\system32\daxctl
9:55:11 PM | Registered: C:\WINDOWS\system32\hhctrl
9:55:11 PM | Registered: C:\WINDOWS\system32\l3code
9:55:11 PM | Registered: C:\WINDOWS\system32\licmgr
9:55:11 PM | Registered: C:\WINDOWS\system32\mpg4ds
9:55:14 PM | Registered: C:\WINDOWS\system32\msdxm.
9:55:14 PM | Registered: C:\WINDOWS\system32\procte
9:55:14 PM | Registered: C:\WINDOWS\system32\tdc.oc
9:55:15 PM | Registered: C:\WINDOWS\system32\wshom.
--- Registration: Control Panel applets ---
9:55:18 PM | DllInstalled: C:\WINDOWS\system32\inetcp
9:55:18 PM | DllInstalled: C:\WINDOWS\system32\nusrmg
9:55:19 PM | Registered: C:\WINDOWS\system32\nusrmg
--- Registration: Direct[X|Draw|Show|Media] ---
9:55:19 PM | Registered: C:\WINDOWS\system32\quartz
9:55:20 PM | Registered: C:\WINDOWS\system32\danim.
9:55:20 PM | Registered: C:\WINDOWS\system32\dmscri
9:55:20 PM | Registered: C:\WINDOWS\system32\dmstyl
9:55:20 PM | Registered: C:\WINDOWS\system32\dxmasf
9:55:20 PM | Registered: C:\WINDOWS\system32\dxtmsf
9:55:20 PM | Registered: C:\WINDOWS\system32\dxtran
9:55:20 PM | Registered: C:\WINDOWS\system32\sbe.dl
--- Registration: Programming cores/runtimes ---
9:55:20 PM | Registered: C:\WINDOWS\system32\atl.dl
9:55:20 PM | Registered: C:\WINDOWS\system32\corpol
9:55:21 PM | Registered: C:\WINDOWS\system32\jscrip
9:55:21 PM | Registered: C:\WINDOWS\system32\dispex
9:55:21 PM | Registered: C:\WINDOWS\system32\scrrun
9:55:21 PM | Registered: C:\WINDOWS\system32\scrobj
9:55:21 PM | Registered: C:\WINDOWS\system32\vbscri
9:55:21 PM | Registered: C:\WINDOWS\system32\wshext
--- Registration: Explorer/IE/OE/shell/WMP ---
9:55:21 PM | Registered: C:\WINDOWS\system32\active
9:55:21 PM | Registered: C:\WINDOWS\system32\audiod
9:55:22 PM | Registered: C:\WINDOWS\system32\browse
9:55:22 PM | Registered: C:\WINDOWS\system32\cabvie
9:55:22 PM | Registered: C:\WINDOWS\system32\cdfvie
9:55:22 PM | Registered: C:\WINDOWS\system32\clbcat
9:55:22 PM | Registered: C:\WINDOWS\system32\clbcat
9:55:22 PM | Registered: C:\WINDOWS\system32\comcat
9:55:22 PM | Registered: C:\WINDOWS\system32\cscui.
9:55:22 PM | Registered: C:\WINDOWS\system32\credui
9:55:23 PM | Registered: C:\WINDOWS\system32\datime
9:55:23 PM | Registered: C:\WINDOWS\system32\devmgr
9:55:23 PM | Registered: C:\WINDOWS\system32\dfsshl
9:55:24 PM | Registered: C:\WINDOWS\system32\dmdlgs
9:55:24 PM | Registered: C:\WINDOWS\system32\dmdskm
9:55:24 PM | Registered: C:\WINDOWS\system32\dmload
9:55:24 PM | Registered: C:\WINDOWS\system32\dmocx.
9:55:24 PM | Registered: C:\WINDOWS\system32\dmview
9:55:24 PM | DllInstalled: C:\WINDOWS\system32\dsuiex
9:55:24 PM | Registered: C:\WINDOWS\system32\dsuiex
9:55:24 PM | DllInstalled: C:\WINDOWS\system32\dsquer
9:55:24 PM | Registered: C:\WINDOWS\system32\dsquer
9:55:24 PM | Registered: C:\WINDOWS\system32\dskquo
9:55:25 PM | Registered: C:\WINDOWS\system32\els.dl
9:55:25 PM | Registered: C:\WINDOWS\system32\es.dll
9:55:25 PM | Registered: C:\WINDOWS\system32\fontex
9:55:25 PM | Registered: C:\WINDOWS\system32\hlink.
9:55:25 PM | Registered: C:\WINDOWS\system32\hnetcf
9:55:26 PM | Registered: C:\WINDOWS\system32\iedkcs
9:55:26 PM | Registered: C:\WINDOWS\system32\iepeer
9:55:26 PM | Registered: C:\WINDOWS\system32\ils.dl
9:55:26 PM | Registered: C:\WINDOWS\system32\inetcf
9:55:26 PM | Registered: C:\WINDOWS\system32\inetco
9:55:26 PM | Registered: C:\WINDOWS\system32\laprxy
9:55:27 PM | Registered: C:\WINDOWS\system32\lmrt.d
9:55:27 PM | Registered: C:\WINDOWS\system32\mlang.
9:55:28 PM | Registered: C:\WINDOWS\system32\mmcndm
9:55:28 PM | Registered: C:\WINDOWS\system32\mmcshe
9:55:28 PM | Registered: C:\WINDOWS\system32\mscore
9:55:28 PM | Registered: C:\WINDOWS\system32\mshtml
9:55:29 PM | Registered: C:\WINDOWS\system32\msoeac
9:55:29 PM | Registered: C:\WINDOWS\system32\msr2c.
9:55:29 PM | DllInstalled: C:\WINDOWS\system32\mydocs
9:55:29 PM | Registered: C:\WINDOWS\system32\mydocs
9:55:29 PM | Registered: C:\WINDOWS\system32\mstime
9:55:30 PM | Registered: C:\WINDOWS\system32\netcfg
9:55:30 PM | DllInstalled: C:\WINDOWS\system32\netplw
9:55:30 PM | Registered: C:\WINDOWS\system32\netplw
9:55:30 PM | Registered: C:\WINDOWS\system32\netman
9:55:31 PM | Registered: C:\WINDOWS\system32\netshe
9:55:31 PM | Registered: C:\WINDOWS\system32\ntmsev
9:55:31 PM | Registered: C:\WINDOWS\system32\ntmsmg
9:55:31 PM | DllInstalled: C:\WINDOWS\system32\ntmssv
9:55:31 PM | Registered: C:\WINDOWS\system32\ntmssv
9:55:31 PM | DllInstalled: C:\WINDOWS\system32\occach
9:55:31 PM | Registered: C:\WINDOWS\system32\occach
9:55:31 PM | Registered: C:\WINDOWS\system32\ole32.
9:55:31 PM | Registered: C:\WINDOWS\system32\oleaut
9:55:31 PM | Registered: C:\WINDOWS\system32\oleacc
9:55:31 PM | Registered: C:\WINDOWS\system32\olepro
9:55:31 PM | DllInstalled: C:\WINDOWS\system32\photow
9:55:32 PM | Registered: C:\WINDOWS\system32\photow
9:55:32 PM | Registered: C:\WINDOWS\system32\remote
9:55:32 PM | Registered: C:\WINDOWS\system32\rpcrt4
9:55:32 PM | Registered: C:\WINDOWS\system32\rshx32
9:55:32 PM | Registered: C:\WINDOWS\system32\sendma
9:55:32 PM | Registered: C:\WINDOWS\system32\slayer
9:55:32 PM | Registered: C:\WINDOWS\system32\shell3
9:55:35 PM | DllInstalled: C:\WINDOWS\system32\shell3
9:55:36 PM | Registered: C:\WINDOWS\system32\shmedi
9:55:36 PM | DllInstalled: C:\WINDOWS\system32\shimgv
9:55:36 PM | Registered: C:\WINDOWS\system32\shimgv
9:55:36 PM | DllInstalled: C:\WINDOWS\system32\shsvcs
9:55:37 PM | Registered: C:\WINDOWS\system32\shsvcs
9:55:37 PM | Registered: C:\WINDOWS\system32\srclie
9:55:37 PM | Unregistered: C:\WINDOWS\system32\stobje
9:55:37 PM | Registered: C:\WINDOWS\system32\stobje
9:55:37 PM | Registered: C:\WINDOWS\system32\twext.
9:55:40 PM | DllInstalled: C:\WINDOWS\system32\urlmon
9:55:40 PM | Registered: C:\WINDOWS\system32\urlmon
9:55:40 PM | Registered: C:\WINDOWS\system32\useren
9:55:40 PM | Registered: C:\WINDOWS\system32\winhtt
9:55:40 PM | DllInstalled: C:\WINDOWS\system32\winine
9:55:40 PM | Registered: C:\WINDOWS\system32\zipfld
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll
9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll
9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll
9:55:43 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll
You might have noticed that there is a message near the start saying that certain temp files could not be deleted and advising that you should reboot and try again, which I did - but the temp files were still unable to be deleted. Any thoughts?
I also ran Hijack this and got an error message (something about HOSTS file) and it shutdown very quicly. The log file from that scan is also attached -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:58 PM, on 04/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\ZoneLa
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spools
C:\WINDOWS\system32\cisvc.
C:\WINDOWS\system32\inetsr
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\snmp.e
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\mqsvc.
C:\WINDOWS\system32\BRMFRS
C:\WINDOWS\system32\mqtgsv
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
C:\Program Files\Uniblue\PowerSuite\P
C:\Program Files\Uniblue\RegistryBoos
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Uniblue\SpyEraser\Sp
C:\WINDOWS\system32\ctfmon
C:\Program Files\SUPERAntiSpyware\SUP
C:\Program Files\FinePixViewer\QuickD
C:\mpi32\Mpi32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaem
C:\WINDOWS\system32\cidaem
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\P
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBoos
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\Sp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MPI32 Call Costing Engine.lnk = C:\mpi32\Mpi32.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprov
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-9
O16 - DPF: {5ED80217-570B-4DA9-BF44-B
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {B495C654-5860-45D4-8EAA-5
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {E8F628B5-259A-4734-97EE-B
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLa
--
End of file - 7585 bytes
Thanks again - l;ook forward to hearing from you.
Cheers
As you might have gathered, I've been doing everything possible to try to avoid a fresh install of windows as I'm really short on time and run a few business applications which I can't afford to mess up. Having said that though, it's looking more and more like a fresh install is going to be about the only way to go.
I installed and ran Super Antispyware - no problems detected.
I also downloaded and ran Dial-a-fix and have copied the log file below -
Bit early to tell how effective it was but I thought I'd post a copy of the file here to see if you think there's anything obvious in it -
Notes about this log:
1) "->" denotes an external command being executed, and "-> (number)" indicates
the return code from the previous command
2) Not all external command return codes are accurate, or useful
3) Sometimes commands return 0 (no error) even when they fail or crash
4) If an error occurs while registering an object, please send an email to:
dial-a-fix@DjLizard.net and include a copy of this log
DAF version: v0.60.0.24
--- System info ---
OS: Microsoft Windows XP Service Pack 2
IE version: 7.0.5730.11
MPC: 55276-013
CPU: AMD Athlon(tm) (~1250MHz)
BIOS: 15/09/2003
Memory (approx): 991MB
Uptime: 12 hour(s)
Current directory: C:\Documents and Settings\Admin\Desktop\Dow
---
04/10/2007 9:09:51 PM -- Dial-a-fix : [v0.60.0.24] -- started
9:09:51 PM | Policy scan started
9:09:51 PM | Policy scan ended - no restrictive policies were found
--- Emptying temp folders ---
9:41:02 PM | Deleting C:\Documents and Settings\Admin\Local Settings\Temp...
9:41:03 PM | C:\Documents and Settings\Admin\Local Settings\Temp could not be completely emptied, please reboot and try again
9:41:03 PM | Deleting C:\WINDOWS\temp...
9:41:03 PM | C:\WINDOWS\temp could not be completely emptied, please reboot and try again
9:41:03 PM | Deleting C:\DOCUME~1\Admin\LOCALS~1
9:41:03 PM | C:\DOCUME~1\Admin\LOCALS~1
--- MSI ---
9:53:42 PM | Registered: C:\WINDOWS\system32\msi.dl
--- Registration: ActiveX controls/codecs ---
9:55:11 PM | Registered: C:\WINDOWS\system32\acelpd
9:55:11 PM | Registered: C:\WINDOWS\system32\actxpr
9:55:11 PM | Registered: C:\WINDOWS\system32\asctrl
9:55:11 PM | Registered: C:\WINDOWS\system32\daxctl
9:55:11 PM | Registered: C:\WINDOWS\system32\hhctrl
9:55:11 PM | Registered: C:\WINDOWS\system32\l3code
9:55:11 PM | Registered: C:\WINDOWS\system32\licmgr
9:55:11 PM | Registered: C:\WINDOWS\system32\mpg4ds
9:55:14 PM | Registered: C:\WINDOWS\system32\msdxm.
9:55:14 PM | Registered: C:\WINDOWS\system32\procte
9:55:14 PM | Registered: C:\WINDOWS\system32\tdc.oc
9:55:15 PM | Registered: C:\WINDOWS\system32\wshom.
--- Registration: Control Panel applets ---
9:55:18 PM | DllInstalled: C:\WINDOWS\system32\inetcp
9:55:18 PM | DllInstalled: C:\WINDOWS\system32\nusrmg
9:55:19 PM | Registered: C:\WINDOWS\system32\nusrmg
--- Registration: Direct[X|Draw|Show|Media] ---
9:55:19 PM | Registered: C:\WINDOWS\system32\quartz
9:55:20 PM | Registered: C:\WINDOWS\system32\danim.
9:55:20 PM | Registered: C:\WINDOWS\system32\dmscri
9:55:20 PM | Registered: C:\WINDOWS\system32\dmstyl
9:55:20 PM | Registered: C:\WINDOWS\system32\dxmasf
9:55:20 PM | Registered: C:\WINDOWS\system32\dxtmsf
9:55:20 PM | Registered: C:\WINDOWS\system32\dxtran
9:55:20 PM | Registered: C:\WINDOWS\system32\sbe.dl
--- Registration: Programming cores/runtimes ---
9:55:20 PM | Registered: C:\WINDOWS\system32\atl.dl
9:55:20 PM | Registered: C:\WINDOWS\system32\corpol
9:55:21 PM | Registered: C:\WINDOWS\system32\jscrip
9:55:21 PM | Registered: C:\WINDOWS\system32\dispex
9:55:21 PM | Registered: C:\WINDOWS\system32\scrrun
9:55:21 PM | Registered: C:\WINDOWS\system32\scrobj
9:55:21 PM | Registered: C:\WINDOWS\system32\vbscri
9:55:21 PM | Registered: C:\WINDOWS\system32\wshext
--- Registration: Explorer/IE/OE/shell/WMP ---
9:55:21 PM | Registered: C:\WINDOWS\system32\active
9:55:21 PM | Registered: C:\WINDOWS\system32\audiod
9:55:22 PM | Registered: C:\WINDOWS\system32\browse
9:55:22 PM | Registered: C:\WINDOWS\system32\cabvie
9:55:22 PM | Registered: C:\WINDOWS\system32\cdfvie
9:55:22 PM | Registered: C:\WINDOWS\system32\clbcat
9:55:22 PM | Registered: C:\WINDOWS\system32\clbcat
9:55:22 PM | Registered: C:\WINDOWS\system32\comcat
9:55:22 PM | Registered: C:\WINDOWS\system32\cscui.
9:55:22 PM | Registered: C:\WINDOWS\system32\credui
9:55:23 PM | Registered: C:\WINDOWS\system32\datime
9:55:23 PM | Registered: C:\WINDOWS\system32\devmgr
9:55:23 PM | Registered: C:\WINDOWS\system32\dfsshl
9:55:24 PM | Registered: C:\WINDOWS\system32\dmdlgs
9:55:24 PM | Registered: C:\WINDOWS\system32\dmdskm
9:55:24 PM | Registered: C:\WINDOWS\system32\dmload
9:55:24 PM | Registered: C:\WINDOWS\system32\dmocx.
9:55:24 PM | Registered: C:\WINDOWS\system32\dmview
9:55:24 PM | DllInstalled: C:\WINDOWS\system32\dsuiex
9:55:24 PM | Registered: C:\WINDOWS\system32\dsuiex
9:55:24 PM | DllInstalled: C:\WINDOWS\system32\dsquer
9:55:24 PM | Registered: C:\WINDOWS\system32\dsquer
9:55:24 PM | Registered: C:\WINDOWS\system32\dskquo
9:55:25 PM | Registered: C:\WINDOWS\system32\els.dl
9:55:25 PM | Registered: C:\WINDOWS\system32\es.dll
9:55:25 PM | Registered: C:\WINDOWS\system32\fontex
9:55:25 PM | Registered: C:\WINDOWS\system32\hlink.
9:55:25 PM | Registered: C:\WINDOWS\system32\hnetcf
9:55:26 PM | Registered: C:\WINDOWS\system32\iedkcs
9:55:26 PM | Registered: C:\WINDOWS\system32\iepeer
9:55:26 PM | Registered: C:\WINDOWS\system32\ils.dl
9:55:26 PM | Registered: C:\WINDOWS\system32\inetcf
9:55:26 PM | Registered: C:\WINDOWS\system32\inetco
9:55:26 PM | Registered: C:\WINDOWS\system32\laprxy
9:55:27 PM | Registered: C:\WINDOWS\system32\lmrt.d
9:55:27 PM | Registered: C:\WINDOWS\system32\mlang.
9:55:28 PM | Registered: C:\WINDOWS\system32\mmcndm
9:55:28 PM | Registered: C:\WINDOWS\system32\mmcshe
9:55:28 PM | Registered: C:\WINDOWS\system32\mscore
9:55:28 PM | Registered: C:\WINDOWS\system32\mshtml
9:55:29 PM | Registered: C:\WINDOWS\system32\msoeac
9:55:29 PM | Registered: C:\WINDOWS\system32\msr2c.
9:55:29 PM | DllInstalled: C:\WINDOWS\system32\mydocs
9:55:29 PM | Registered: C:\WINDOWS\system32\mydocs
9:55:29 PM | Registered: C:\WINDOWS\system32\mstime
9:55:30 PM | Registered: C:\WINDOWS\system32\netcfg
9:55:30 PM | DllInstalled: C:\WINDOWS\system32\netplw
9:55:30 PM | Registered: C:\WINDOWS\system32\netplw
9:55:30 PM | Registered: C:\WINDOWS\system32\netman
9:55:31 PM | Registered: C:\WINDOWS\system32\netshe
9:55:31 PM | Registered: C:\WINDOWS\system32\ntmsev
9:55:31 PM | Registered: C:\WINDOWS\system32\ntmsmg
9:55:31 PM | DllInstalled: C:\WINDOWS\system32\ntmssv
9:55:31 PM | Registered: C:\WINDOWS\system32\ntmssv
9:55:31 PM | DllInstalled: C:\WINDOWS\system32\occach
9:55:31 PM | Registered: C:\WINDOWS\system32\occach
9:55:31 PM | Registered: C:\WINDOWS\system32\ole32.
9:55:31 PM | Registered: C:\WINDOWS\system32\oleaut
9:55:31 PM | Registered: C:\WINDOWS\system32\oleacc
9:55:31 PM | Registered: C:\WINDOWS\system32\olepro
9:55:31 PM | DllInstalled: C:\WINDOWS\system32\photow
9:55:32 PM | Registered: C:\WINDOWS\system32\photow
9:55:32 PM | Registered: C:\WINDOWS\system32\remote
9:55:32 PM | Registered: C:\WINDOWS\system32\rpcrt4
9:55:32 PM | Registered: C:\WINDOWS\system32\rshx32
9:55:32 PM | Registered: C:\WINDOWS\system32\sendma
9:55:32 PM | Registered: C:\WINDOWS\system32\slayer
9:55:32 PM | Registered: C:\WINDOWS\system32\shell3
9:55:35 PM | DllInstalled: C:\WINDOWS\system32\shell3
9:55:36 PM | Registered: C:\WINDOWS\system32\shmedi
9:55:36 PM | DllInstalled: C:\WINDOWS\system32\shimgv
9:55:36 PM | Registered: C:\WINDOWS\system32\shimgv
9:55:36 PM | DllInstalled: C:\WINDOWS\system32\shsvcs
9:55:37 PM | Registered: C:\WINDOWS\system32\shsvcs
9:55:37 PM | Registered: C:\WINDOWS\system32\srclie
9:55:37 PM | Unregistered: C:\WINDOWS\system32\stobje
9:55:37 PM | Registered: C:\WINDOWS\system32\stobje
9:55:37 PM | Registered: C:\WINDOWS\system32\twext.
9:55:40 PM | DllInstalled: C:\WINDOWS\system32\urlmon
9:55:40 PM | Registered: C:\WINDOWS\system32\urlmon
9:55:40 PM | Registered: C:\WINDOWS\system32\useren
9:55:40 PM | Registered: C:\WINDOWS\system32\winhtt
9:55:40 PM | DllInstalled: C:\WINDOWS\system32\winine
9:55:40 PM | Registered: C:\WINDOWS\system32\zipfld
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdadc.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaenum.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaer.dll
9:55:40 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaipp.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaora.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaosp.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaps.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasc.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdasql.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdatt.dll
9:55:41 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdaurl.dll
9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmeng.dll
9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msdmine.dll
9:55:42 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdcb80.dll
9:55:43 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msmdgd80.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolap80.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msolui80.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\msxactps.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\oledb32r.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqloledb.dll
9:55:44 PM | Registered: C:\Program Files\Common Files\system\Ole DB\sqlxmlx.dll
You might have noticed that there is a message near the start saying that certain temp files could not be deleted and advising that you should reboot and try again, which I did - but the temp files were still unable to be deleted. Any thoughts?
I also ran Hijack this and got an error message (something about HOSTS file) and it shutdown very quicly. The log file from that scan is also attached -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:58 PM, on 04/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.e
C:\WINDOWS\system32\winlog
C:\WINDOWS\system32\servic
C:\WINDOWS\system32\lsass.
C:\WINDOWS\system32\svchos
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\ZoneLa
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spools
C:\WINDOWS\system32\cisvc.
C:\WINDOWS\system32\inetsr
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\snmp.e
C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
C:\WINDOWS\System32\svchos
C:\WINDOWS\system32\mqsvc.
C:\WINDOWS\system32\BRMFRS
C:\WINDOWS\system32\mqtgsv
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
C:\Program Files\Uniblue\PowerSuite\P
C:\Program Files\Uniblue\RegistryBoos
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Uniblue\SpyEraser\Sp
C:\WINDOWS\system32\ctfmon
C:\Program Files\SUPERAntiSpyware\SUP
C:\Program Files\FinePixViewer\QuickD
C:\mpi32\Mpi32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EX
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaem
C:\WINDOWS\system32\cidaem
C:\Program Files\Trend Micro\HijackThis\HijackThi
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R1 - HKLM\Software\Microsoft\In
R0 - HKLM\Software\Microsoft\In
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-0
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-C
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-C
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-0
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-0
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.ex
O4 - HKCU\..\Run: [Uniblue PowerSuite] C:\Program Files\Uniblue\PowerSuite\P
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBoos
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\Sp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUP
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: MPI32 Call Costing Engine.lnk = C:\mpi32\Mpi32.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-5
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-5
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprov
O16 - DPF: {17492023-C23A-453E-A040-C
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-9
O16 - DPF: {5ED80217-570B-4DA9-BF44-B
O16 - DPF: {6414512B-B978-451D-A0D8-F
O16 - DPF: {6E32070A-766D-4EE6-879C-D
O16 - DPF: {B495C654-5860-45D4-8EAA-5
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-4
O16 - DPF: {E8F628B5-259A-4734-97EE-B
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SAS
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.e
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLa
--
End of file - 7585 bytes
Thanks again - l;ook forward to hearing from you.
Cheers
Have you tried superantispyware in safe mode?
To remove temporary files I always use www.ccleaner.com
ASKER
I ran ccleaner at the outset but it didn't work.
I may have discovered a clue however.
Firstly, I've been having problems with windows installer, Can I just remove it and reinstall to see if that helps?
On the slow computer issue, today I was looking for something in the Volume System Information directory and what I found was hardly any files I expected to find together with stacks of RP entries which I assume is Restore Point, Anyway, when I checked the properties of the directory I noticed that the size of this directory is over 12 GB!! (that's not a misprint) Any ideas on why this would be so?
I must admit, it is seriously looking like needing to reinstall windows xp pro SP2.
Cheers
I may have discovered a clue however.
Firstly, I've been having problems with windows installer, Can I just remove it and reinstall to see if that helps?
On the slow computer issue, today I was looking for something in the Volume System Information directory and what I found was hardly any files I expected to find together with stacks of RP entries which I assume is Restore Point, Anyway, when I checked the properties of the directory I noticed that the size of this directory is over 12 GB!! (that's not a misprint) Any ideas on why this would be so?
I must admit, it is seriously looking like needing to reinstall windows xp pro SP2.
Cheers
You can reinstall Windows Installer by using Dial-a-fix. Check the "Fix Windows Installer:" checkbox and click "GO". Also, just because you have a folder that's over 12 GB, it doesn't necessarily mean it's linked to a slow computer and weird behavior.
12 GB of unexplained space is certainly very suspicious. Since that folder is often the target of hackers (to store bootleg music and videos), it is best to rule that out first.
I notice one suspicious entry in your HJT log:
O4 - Startup: MPI32 Call Costing Engine.lnk = C:\mpi32\Mpi32.exe
Are you familiar with what this is?
If not, please submit this file (Mpi32.exe) on-line to this site:
http://www.virustotal.com/
and they will tell you right-away whether it is known malware.
Also, do a scan with RootkitRevealer:
Download and run RootkitRevealer from: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
and click on "Scan" to scan your drives.
It takes a while, so be patient.
Try not to use the system too much during that time to avoid false positives.
If it produces anything interesting, use "File -> Save As.." to save the
results to a text file (Important -> you may need that file later)
Copy-and-paste the results here, but if the results are very long, then just copy-and-paste the
first 30 lines or so.
I notice one suspicious entry in your HJT log:
O4 - Startup: MPI32 Call Costing Engine.lnk = C:\mpi32\Mpi32.exe
Are you familiar with what this is?
If not, please submit this file (Mpi32.exe) on-line to this site:
http://www.virustotal.com/
and they will tell you right-away whether it is known malware.
Also, do a scan with RootkitRevealer:
Download and run RootkitRevealer from: http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
and click on "Scan" to scan your drives.
It takes a while, so be patient.
Try not to use the system too much during that time to avoid false positives.
If it produces anything interesting, use "File -> Save As.." to save the
results to a text file (Important -> you may need that file later)
Copy-and-paste the results here, but if the results are very long, then just copy-and-paste the
first 30 lines or so.
ASKER
Thanks for the advice. I'll give them all a go. I'll be away for the next few days so will do my homework and post back here later in the week.
The mpi32 entry is our pabx phone management software (I manage a holiday resort).
Cheers
The mpi32 entry is our pabx phone management software (I manage a holiday resort).
Cheers
r-k, oh yeah, a rootkit scan may be a good idea.
ASKER
Hi Wizard
I think you might be on to something. I downloaded and ran a scan with Rootkit Revealer. The first time I ran it, I turned everything off I could think of (AV, Anti-spyware, Fwall, etc) so the system was as idle as I could get it. I saved the file to desktop and my docs but couldn't find it when I opened those directories using my computer. I thought maybe some malware might be hiding it so I ran another scan but this time left everything active.
Anyway, to cut a long story short, I eventually found them under C:\Docs & Settings\Local Services\Desktop. This is the results of the first scan -
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
C:\Program Files\ESET\cache\FND0.NFI 20/10/2007 11:01 AM 259 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00
C:\System Volume Information\catalog.wci\00
C:\System Volume Information\catalog.wci\00
C:\System Volume Information\catalog.wci\00
C:\WINDOWS\system32\spool\
C:\WINDOWS\system32\spool\
The following is the results of the second scan where I didn't stop anything first -
HKU\S-1-5-21-2052111302-19
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SOFTWARE\Classes\CLSI
HKLM\SOFTWARE\Classes\CLSI
HKLM\SOFTWARE\Classes\CLSI
C:\Program Files\ESET\cache\FND0.NFI 20/10/2007 12:49 PM 260 bytes Hidden from Windows API.
C:\System Volume Information\_restore{1D607
Not sure if it means anything, but when I went to look in System Volume Information the other day, when the mouse was hovering over the folder, it was showing Folder Empty, but when I tried to open it anyway, I got an Access Denied message. (I'm pretty sure that's what happened). There were a few other system folders I tried to open but got the same error message.
Cheers
Kim
I think you might be on to something. I downloaded and ran a scan with Rootkit Revealer. The first time I ran it, I turned everything off I could think of (AV, Anti-spyware, Fwall, etc) so the system was as idle as I could get it. I saved the file to desktop and my docs but couldn't find it when I opened those directories using my computer. I thought maybe some malware might be hiding it so I ran another scan but this time left everything active.
Anyway, to cut a long story short, I eventually found them under C:\Docs & Settings\Local Services\Desktop. This is the results of the first scan -
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
C:\Program Files\ESET\cache\FND0.NFI 20/10/2007 11:01 AM 259 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\00
C:\System Volume Information\catalog.wci\00
C:\System Volume Information\catalog.wci\00
C:\System Volume Information\catalog.wci\00
C:\WINDOWS\system32\spool\
C:\WINDOWS\system32\spool\
The following is the results of the second scan where I didn't stop anything first -
HKU\S-1-5-21-2052111302-19
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SECURITY\Policy\Secre
HKLM\SOFTWARE\Classes\CLSI
HKLM\SOFTWARE\Classes\CLSI
HKLM\SOFTWARE\Classes\CLSI
C:\Program Files\ESET\cache\FND0.NFI 20/10/2007 12:49 PM 260 bytes Hidden from Windows API.
C:\System Volume Information\_restore{1D607
Not sure if it means anything, but when I went to look in System Volume Information the other day, when the mouse was hovering over the folder, it was showing Folder Empty, but when I tried to open it anyway, I got an Access Denied message. (I'm pretty sure that's what happened). There were a few other system folders I tried to open but got the same error message.
Cheers
Kim
Hmm... You don't have a rootkit, so that's good. The results above are just normal "noise" that you'd expect.
That still leaves the question of what is taking up that extra 12 GB space...
You can right-click on tje System Volume Information folder, select Properties -> Security and click "Add" and add your own username and give yourself at least read permission to that folder and all subfolders within (i.e. click on Advanced and see that the box labeled "Replace permission entries on all child objects...") is "checked"
That should allow you to browse inside that folder and see if you can spot the missing 12 GB of stuff.
That still leaves the question of what is taking up that extra 12 GB space...
You can right-click on tje System Volume Information folder, select Properties -> Security and click "Add" and add your own username and give yourself at least read permission to that folder and all subfolders within (i.e. click on Advanced and see that the box labeled "Replace permission entries on all child objects...") is "checked"
That should allow you to browse inside that folder and see if you can spot the missing 12 GB of stuff.
Is C:\System Volume Information\catalog.wci the folder that's taking up the space?
ASKER
That's a relief to hear it's not a rootkit.
Today I'm being permitted access to C:\System Volume Information and it's not saying it's empty.
There are 2 folders and 2 files in this directory - contents are as follows -
Folder 1 -
-restore{1D607D8A- etc} (14GB) (13,290 files, 384 folders) File Folder - Date Modified 20/10/07 (As you can see it's grown 2GB since my first posting on this. The contents of this folder are -
Folder - RP502 - RP597 inclusive, with all folders in between numbered sequentially. With the exception of the last entry (RP597), all other entries are blue so I'm assuming they're compressed.
Files -
_driver.cfg
_filelst.cfg
drivetable.txt
fifo.log
Folder 2 -
cat.wci (104MB) File Folder - Date Modified 21/10/07
This folder contains a collection of files of the following types - C1, FID, PS1, PS2, DIR, 000, 001, 002, HSH, BK1, BK2
File 1 -
MountPointManagerRemoteDat
File 2 -
tracking.log (1000KB) Text Document - Date Modified 13/10/07
The contents of this file are indecipherable with the exception of the word 'backoffice' which appears several times on each line. Not sure if this has anything to do with a user that was created by the system called - administrator:BACKOFFICE which just appeared one day. (I must admit, that's not to say I haven't inadvertently created it unwittingly........)
Will look forward to your next posting.
Cheers
Today I'm being permitted access to C:\System Volume Information and it's not saying it's empty.
There are 2 folders and 2 files in this directory - contents are as follows -
Folder 1 -
-restore{1D607D8A- etc} (14GB) (13,290 files, 384 folders) File Folder - Date Modified 20/10/07 (As you can see it's grown 2GB since my first posting on this. The contents of this folder are -
Folder - RP502 - RP597 inclusive, with all folders in between numbered sequentially. With the exception of the last entry (RP597), all other entries are blue so I'm assuming they're compressed.
Files -
_driver.cfg
_filelst.cfg
drivetable.txt
fifo.log
Folder 2 -
cat.wci (104MB) File Folder - Date Modified 21/10/07
This folder contains a collection of files of the following types - C1, FID, PS1, PS2, DIR, 000, 001, 002, HSH, BK1, BK2
File 1 -
MountPointManagerRemoteDat
File 2 -
tracking.log (1000KB) Text Document - Date Modified 13/10/07
The contents of this file are indecipherable with the exception of the word 'backoffice' which appears several times on each line. Not sure if this has anything to do with a user that was created by the system called - administrator:BACKOFFICE which just appeared one day. (I must admit, that's not to say I haven't inadvertently created it unwittingly........)
Will look forward to your next posting.
Cheers
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
C: drive free space now = 39GB (out of 80GB)
RAM = 1GB
The folder sizes vary. Probably about half are around 40-70MB, others vary from about 100MB to 600Mb and 1 folder alone is about 2GB.
The space allocated to system restore was on max (12% or so) so I've reduced that to 5% for now.
The size of sys vol info is now about 6GB (4740 files - 114 folders) and C: drive free space is now about 42GB. RP580 is still there though which is the 2GB folder.
The slowdown is a bit erratic and sometimes occurs when I'm using basic Office programs but is primarily at it's slowest when I'm trying to do things either in or between Outlook and browsing. I just tried IE7 and that's pretty fast but I usually use firefox which has been painfully slow by comparison.
Just as a matter of interest, now that I've reduced the amount of space allocated to system restore, I presume the earlier folders have been deleted so is it OK to run ccleaner now?
Cheers
RAM = 1GB
The folder sizes vary. Probably about half are around 40-70MB, others vary from about 100MB to 600Mb and 1 folder alone is about 2GB.
The space allocated to system restore was on max (12% or so) so I've reduced that to 5% for now.
The size of sys vol info is now about 6GB (4740 files - 114 folders) and C: drive free space is now about 42GB. RP580 is still there though which is the 2GB folder.
The slowdown is a bit erratic and sometimes occurs when I'm using basic Office programs but is primarily at it's slowest when I'm trying to do things either in or between Outlook and browsing. I just tried IE7 and that's pretty fast but I usually use firefox which has been painfully slow by comparison.
Just as a matter of interest, now that I've reduced the amount of space allocated to system restore, I presume the earlier folders have been deleted so is it OK to run ccleaner now?
Cheers
ASKER
Hi r-k
Just wondered if you'd had time to look at my last post. If you could let me know what your thoughts are, I can allocate points and hopefully close the question.
Cheers
Just wondered if you'd had time to look at my last post. If you could let me know what your thoughts are, I can allocate points and hopefully close the question.
Cheers
Oops, sorry about that, got away from this for a while.
Seems like the abnormal disk space usage has been brought under control and is not a factor any more. RP580 should eventually disappear as new restore points are created, or you can force delete it by disabling all restore points on a one time basis, then re-enable them again.
The slowdown is still unexplained though we can rule out rootkits, low disk space, and probably even malware. If the slowdown is mainly in Firefox I would just remove Firefox as completely as possible (save your bookmarks in case they are of value), then download the latest version and reinstall.
Yes, should be OK to run ccleaner now.
Might be good to post a new summary if my understanding of current problems is off the mark. Thanks.
Seems like the abnormal disk space usage has been brought under control and is not a factor any more. RP580 should eventually disappear as new restore points are created, or you can force delete it by disabling all restore points on a one time basis, then re-enable them again.
The slowdown is still unexplained though we can rule out rootkits, low disk space, and probably even malware. If the slowdown is mainly in Firefox I would just remove Firefox as completely as possible (save your bookmarks in case they are of value), then download the latest version and reinstall.
Yes, should be OK to run ccleaner now.
Might be good to post a new summary if my understanding of current problems is off the mark. Thanks.
ASKER
Hi r-k
Thanks very much for your help with this one. Since my last posting when I said firefox was still slow, after a few reboots, everything is working much faster and the problems seem to have disappeared. I think it was all related to the bloated 12GB being hogged by the restore points. I've reduced the max space allocation to 5% but would be happy to go lower to maybe 3% if possible.
I just wanted to double check that I could go ahead and clean up/defrag, etc safely which I'm sure will speed things up further.
Thanks again
Thanks very much for your help with this one. Since my last posting when I said firefox was still slow, after a few reboots, everything is working much faster and the problems seem to have disappeared. I think it was all related to the bloated 12GB being hogged by the restore points. I've reduced the max space allocation to 5% but would be happy to go lower to maybe 3% if possible.
I just wanted to double check that I could go ahead and clean up/defrag, etc safely which I'm sure will speed things up further.
Thanks again
Thanks. Good to know even Firefox is back to normal. I would definitely feel safe about defragging if you wish (though I am not a fan of unnecessary and frequent defrags). Re, space for Restore points, even 3% on an 80 GB drive means about 2.4 GB, or about 25 restore points, which should really be more than anyone is likely to need.
Thanks and good luck :)
Thanks and good luck :)
Remember to just wipe out the old windows, format the drive and do a fresh install.