Author Topic: [INACTIVE]Log file to peruse - thanks very much...  (Read 1645 times)


Offline heatopher

  • Bronze Member
  • Posts: 2
[INACTIVE]Log file to peruse - thanks very much...
« on: September 09, 2008, 11:52:38 am »
Hello. Just been referred to here and elsewhere by Castle Cops, who say they've got staff problems. Hope one of you has a bit of time.

I went through the first step that Castle Cops told me, namely to remove BitTorrent. That is done, but the symptoms persist (as expected). The symptoms are:

1. A relatively old computer (five or six years old, and definitely coming towards the end of its useful life), running XP. There's quite a lot of old junk on there, I suppose. I haven't reinstalled for quite a while. It probably would be a good idea to do that, one last time, before I put it out of service, but I'm a bit busy to do that just now.
2. Generally slow. Of course it may be a little bit to do with low memory by today's standards (768 MB), but I think maybe there's something else.
3. Specific problem: the clock isn't working properly. At first it was falling behind, so that whenever I restarted the machine it was something like a few hours past the last time that I shut down, but anyway not correct. A friend advised that probably the battery on the clock needed changing. I proceeded to get that fixed, but actually that hasn't helped. In fact, the problem is now more severe, and it's resetting to 31/12/1999 (Huh? What is this? The return of the Millennium Bug? Or the eventual appearance, more like). Also, it's generally failing to connect to the Windows time server (I say "generally" because sometimes it does work, but more often it doesn't). There doesn't seem to be any automatic update whatsoever, so I've been having to set the time manually every time I boot up, which is pretty irritating...
So I guess it may be a virus/ghost/spy/worm/whatever that's making trouble.

There are a couple of other things going on, but I think that they may have more to do with hardware issues, and so I'll leave it at that for now. Many thanks in advance,

H

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:17:01, on 07/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rundll32.exe
E:\Program Files\Winamp\winampa.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
E:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\TuneUp Utilities 2004\memoptimizer.exe
E:\Program Files\Free Download Manager\fdm.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\Winamp\winamp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Documents and Settings\Kizza\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Web\Webserver\Apache2\bin\ApacheMonitor.exe
E:\Program Files\Juice\Juice.exe
D:\Web\Webserver\Apache2\bin\Apache.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
D:\Web\Webserver\Apache2\bin\Apache.exe
D:\Web\Webserver\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe
E:\Program Files\Prime95\prime95.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\Mozilla Thunderbird\thunderbird.exe
D:\Kizza\Profiles\Top Shortcuts\Security\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://localhost/petertatchell/add_article_test.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [TotalRecorderScheduler] "D:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "E:\Program Files\TuneUp Utilities 2004\memoptimizer.exe" autostart
O4 - HKCU\..\Run: [Free Download Manager] E:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Winamp] E:\Program Files\Winamp\winamp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [lightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Kizza\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Juice.lnk = E:\Program Files\Juice\Juice.exe
O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = D:\Web\Webserver\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://E:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://E:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://E:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://E:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apache2 - Apache Software Foundation - D:\Web\Webserver\Apache2\bin\Apache.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - D:\Web\Webserver\MySQL\MySQL.exe (file missing)
O23 - Service: Norton Ghost - Unknown owner - E:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe (file missing)
O23 - Service: Prime95 Service - Unknown owner - E:\Program Files\Prime95\prime95.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - E:\Program Files\TuneUp Utilities 2004\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Zope instance at E:\Program Files\Plone 3\Data (Zope_662221036) - Unknown owner - E:\Program Files\Plone 3\Python\PythonService.exe
« Last Edit: November 06, 2008, 04:57:04 pm by Taz71498 »



Offline AnnMarie

  • Microsoft MVP
  • Security Expert
  • Bronze Member
  • Posts: 259
Re: Log file to peruse - thanks very much...
« Reply #1 on: September 09, 2008, 04:02:49 pm »
Hi heatopher.  I see that you also posted your problem on TSG.  You may not realise this but in doing so, you have potentially created extra work for people.  Trained analysts are in short supply and many of us post on various sites.  It would be polite to let all other sites know that you are being helped here.

I have checked your log and there is no evidence of any malware issues.  While it is true that Hijack This does not identify all malware startups, your symptoms are not typical of an infection but they do indicate a possible problem with your BIOS chip.  If so, this can be expensive to fix and it might be more economical to replace your motherboard.  Having said that, I am not a hardware expert by any stretch of the imagination so please do post a query in the Hardware Forum for a second opinion.

When you replaced the battery, did you use the option to set the BIOS settings to their default values?  If so, see here for a possible explanation of why your computer is running slowly now.
Microsoft MVP Windows Desktop Experience 2004-2009
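As an added example of how a reviewer works through a log like the one posted above (this is not part of the original thread and not HijackThis code), the script below parses the O4, O20 and O23 lines into structured records and lists the entries that usually get a second look by hand: autorun commands given without a full path, the AppInit_DLLs entry, and services whose file is missing. The sample lines are copied from the posted log; the review heuristics and the field names are the example's own assumptions, and a flag means "check this", not "this is malware".

```python
"""Parse HijackThis 2.0.x log lines into structured records and list the
entries a reviewer normally checks by hand.

Added example for this thread; not HijackThis code and not the poster's
log tool. Sample lines are copied from the posted log; the triage rules
are assumptions of this example, not anything HijackThis itself reports.
"""
import re
from dataclasses import dataclass, field

# Every HijackThis entry has the shape "<section> - <rest>", e.g. "O4 - HKLM\..\Run: [name] cmd"
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<rest>.*)$")
# O4 registry autorun: "<hive>\..\Run: [<name>] <command>"
O4_RUN_RE = re.compile(r"^(?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
# O4 startup-folder shortcut: "Startup: <name>.lnk = <command>" / "Global Startup: ..."
O4_LNK_RE = re.compile(r"^(?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.*)$")
# O23 service: "Service: <display name> - <owner> - <path>"
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
# Executable part of a command: quoted path, drive-letter path up to its extension, or first token
EXE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<p>[A-Za-z]:\\.+?\.(?:exe|com|scr|dll|cpl))(?=\s|$)|^(?P<t>\S+)',
    re.IGNORECASE,
)
FULL_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Lines copied from the log posted in this thread (used as sample input).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Zone Labs Client] E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Juice.lnk = E:\Program Files\Juice\Juice.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apache2 - Apache Software Foundation - D:\Web\Webserver\Apache2\bin\Apache.exe
O23 - Service: MySQL - Unknown owner - D:\Web\Webserver\MySQL\MySQL.exe (file missing)
"""


@dataclass
class Entry:
    section: str                       # "O4", "O20", "O23", ...
    raw: str                           # text after "<section> - "
    fields: dict = field(default_factory=dict)   # parsed sub-fields (assumed names)
    flags: list = field(default_factory=list)    # reviewer notes attached by triage()


def executable_of(command):
    """Return the executable named by an autorun command ('' if none)."""
    m = EXE_RE.match(command.strip())
    return next(v for v in m.groups() if v is not None) if m else ""


def parse_line(line):
    """Split one log line into an Entry, or return None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = Entry(m.group("section"), m.group("rest"))
    if entry.section == "O4":
        sub = O4_RUN_RE.match(entry.raw) or O4_LNK_RE.match(entry.raw)
    elif entry.section == "O23":
        sub = O23_RE.match(entry.raw)
    else:
        sub = None
    if sub:
        entry.fields.update(sub.groupdict())
    return entry


def triage(entry):
    """Attach the notes a reviewer would write next to this entry."""
    if entry.section == "O4" and "command" in entry.fields:
        exe = executable_of(entry.fields["command"])
        entry.fields["executable"] = exe
        if exe and not FULL_PATH_RE.match(exe):
            # A bare file name is resolved through the search path at logon,
            # so the reviewer confirms which file actually runs.
            entry.flags.append("autorun without full path; confirm which file runs")
    elif entry.section == "O20":
        # AppInit_DLLs are loaded by user32.dll into every process that links it.
        entry.flags.append("AppInit_DLLs entry; confirm the DLL belongs to a known product")
    elif entry.section == "O23" and "(file missing)" in entry.fields.get("path", entry.raw):
        entry.flags.append("service points at a missing file; leftover or removed component")
    return entry


def parse_log(text):
    """Parse and triage every entry line in a HijackThis log."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


def flagged(entries):
    """Only the entries that carry at least one reviewer note."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section}: {e.raw}\n    -> {'; '.join(e.flags)}")
```

Run on the full posted log the same way: every entry is kept, and the printed list is the set to reconcile against installed software (here all four flagged items correspond to products named elsewhere in the log, which is consistent with the "no evidence of malware" conclusion above).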

Offline heatopher

  • Bronze Member
  • Posts: 2
Re: Log file to peruse - thanks very much...
« Reply #2 on: September 09, 2008, 07:06:37 pm »
Well, I did say that I'd been referred "to here and elsewhere" by that Castle Cops link, and since I wasn't getting any response in one place, who's to say I would get a response in one other place? And who's to say for sure that my computer wouldn't die before I heard from someone?

But fair enough, your point is taken.

I didn't do anything to the BIOS when replacing the battery. Well, I didn't replace it myself - a guy in a shop did. I'm not sure that it's made any positive difference whatsoever. Whether I've inadvertently done something to the BIOS on a previous occasion, I honestly can't remember. I don't go that far down very often.

If it's a matter of replacing the motherboard, for sure I'm just going to get going with getting myself a new PC. There's no point fiddling around the edges with this old thing. But I will first have a look at what else I can do for the hardware before I give up completely.

Thanks - all help appreciated.

Offline AnnMarie

  • Microsoft MVP
  • Security Expert
  • Bronze Member
  • Posts: 259
Re: Log file to peruse - thanks very much...
« Reply #3 on: September 09, 2008, 07:14:14 pm »
Sure.  If this were my machine, I would be tempted to take it back to the repair shop and ask the techie to try another battery and wait while he did it before I looked any further.  It only takes a few minutes to replace the battery and I guess even new batteries can fail.  As I said though, I'm not an expert in this area so it might pay to get a second opinion in the Hardware Forum.
Microsoft MVP Windows Desktop Experience 2004-2009

Offline Taz71498

  • Microsoft® MVP
  • Malware Removal Staff
  • Gold Member
  • Posts: 1206
Re: Log file to peruse - thanks very much...
« Reply #4 on: September 09, 2008, 07:19:03 pm »
heatopher, did you get a response at any of the other forums you posted at?  If not, please go back to those threads you started at those forums and say you are being helped elsewhere.

The thing is, heatopher, most of us work at those other forums along with here and at CC.  We have had people getting help at two or more forums for the same problem.  The helpers here or elsewhere do not know what is being said elsewhere, so some things may conflict and cause more problems.  It is kind of like being a new driver of a car and you have 3 teachers in the car telling you different things.  Trying to listen to all of them can cause an accident.  Kind of the same thing, but it will cause the accident on your computer.

Offline PCBruiser

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 7945
Re: Log file to peruse - thanks very much...
« Reply #5 on: September 15, 2008, 09:44:16 am »
I am moving this topic to our closed HJT logs forum for archiving.  If you need it reopened for any reason, please PM any Moderator or Administrator, and we will move it back here for you.
Don't Read?  Can't learn!