svchost.exe

kiemusic
2007-05-10, 20:02
Hi,
My laptop has been sluggish and has gradually worsened, now freezing on bootup. There are 5 svchost.exe running in Task Manager, one at 100%. I can disable this process then proceed. I ran Spybot and it found MainPean.
I am worried it may be more sinister... below is my Hijack log,

Regards, joe

Logfile of HijackThis v1.99.1
Scan saved at 17:21:20, on 10/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Karen\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.eircom.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C&W Utility.lnk = C:\Program Files\Cable & Wireless\Cable & Wireless 802.11g Series Wireless LAN PC Card\Installer\WINXP\C&WConfig.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145377348220
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.serviceurl.de/StarInstall.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

pskelley
2007-05-11, 02:23
Hello Joe, welcome to Safer Networking. If you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

svchost.exe is a valid part of Windows; unfortunately, the bad guys use any name they want also.
http://www.google.com/search?hl=en&q=svchost.exe&btnG=Google+Search

HJT can only show so much, that is the reason for the online scan we ask for. I see the item you mentioned:
Full Name: StarDialer 1.0Websearch
http://www.spywareguide.com/product_show.php?id=414
Read about it, a dialer and a nasty one. Let's remove it and clean a little and see how you are running.
I would also like to run a good scan to see if anything is hidden, takes around an hour.

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(the first two are not malware, but are resource wasters related to the Alexa toolbar. If you don't use Alexa, get rid of them)

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.serviceurl.de/StarInstall.ocx
StarDialer

Close all programs but HJT and all browser windows, then click on "Fix Checked"

3) Follow the directions in this link to download, install, update and run AVG Anti-Spyware, make sure you delete or at least quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the scan results from AVG Anti-Spyware and a new HJT log. Let me know how the computer is running now.

Thanks
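A small triage script for the kind of HijackThis log posted above, written as an added example for this thread rather than any tool pskelley recommends. It assumes the HJT v1.99 line formats shown in Joe's log, treats only the Windows system directory as the expected home of svchost.exe, and uses an O16 host allowlist that is my assumption, not an authoritative list; the sample log is constructed and one process line in it is made up to exercise the path check.

```python
"""Triage helper for a HijackThis v1.99 log (added example, not a thread tool)."""
import re
from urllib.parse import urlparse

# Hosts that served the legitimate ActiveX scan controls seen in Joe's log.
# This allowlist is an assumption made for the example, not an authoritative list.
TRUSTED_DPF_HOSTS = {"go.microsoft.com", "update.microsoft.com",
                     "www.ca.com", "www.kaspersky.com"}

# O16 line: "O16 - DPF: {CLSID} (optional name) - URL"
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\}\s*(?:\(([^)]*)\))?\s*-\s*(\S+)")

# Constructed sample, trimmed from the log formats in this thread; the last
# process line is made up to exercise the path check and is NOT from Joe's log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 17:21:20, on 10/05/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\svchost.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E0B795B4-FD95-4ABD-A375-27962EFCE8CF} - http://install.serviceurl.de/StarInstall.ocx
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


def parse_running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the blank line."""
    procs, collecting = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            collecting = True
            continue
        if collecting:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def svchost_findings(procs, system_dir=r"C:\WINDOWS\System32"):
    """Count svchost.exe instances and flag any outside the system directory.
    Several are normal on XP, so the count alone proves nothing; a copy running
    from anywhere else is what deserves attention."""
    count, suspicious = 0, []
    prefix = system_dir.lower() + "\\"
    for p in procs:
        if p.lower().endswith("\\svchost.exe"):
            count += 1
            if not p.lower().startswith(prefix):
                suspicious.append(p)
    return count, suspicious


def dpf_findings(log_text):
    """Flag O16 DPF (downloaded ActiveX) entries whose host is not allowlisted."""
    flagged = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if not m:
            continue
        clsid, name, url = m.groups()
        host = (urlparse(url).hostname or "").lower()
        if host not in TRUSTED_DPF_HOSTS:
            flagged.append({"clsid": clsid, "name": name or "(no name)",
                            "host": host, "url": url})
    return flagged


def missing_service_files(log_text):
    """O23 entries HJT marked '(file missing)'. In this thread the avast entries
    carry a stray quote in the path and the same executables appear in the process
    list, so treat this as a prompt to check rather than proof of tampering."""
    return [line.strip() for line in log_text.splitlines()
            if line.startswith("O23 - Service:") and "(file missing)" in line]


def triage(log_text):
    """Summarise the checks above for one log."""
    procs = parse_running_processes(log_text)
    count, suspicious = svchost_findings(procs)
    return {"svchost_count": count, "svchost_off_path": suspicious,
            "unlisted_dpf": dpf_findings(log_text),
            "service_file_missing": missing_service_files(log_text)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```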

kiemusic
2007-05-11, 15:23
Hi and thanks for the speedy reply.

I followed your steps carefully. I also turned off Windows automatic updates.
I thought we were fixed, then it froze again, CPU at 100. dadtray.exe and explorer.exe taking 52 and 48% respectively. The fan is running hard now too.

Below are the scan results and log. I also included a scan from Kaspersky's.

Thanks again

Joe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:39:06 11/05/2007

+ Scan result:
:mozilla.44:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@aerlingus.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@z1.adserver[1].txt -> TrackingCookie.Adserver : No action taken.
:mozilla.64:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.65:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
:mozilla.114:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@bluestreak[2].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@data.coremetrics[1].txt -> TrackingCookie.Coremetrics : No action taken.
:mozilla.29:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@doubleclick[2].txt -> TrackingCookie.Doubleclick : No action taken.
:mozilla.142:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.88:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@as1.falkag[1].txt -> TrackingCookie.Falkag : No action taken.
:mozilla.78:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.118:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.119:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
:mozilla.120:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@ehg-debenhams.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@counter.hitslink[2].txt -> TrackingCookie.Hitslink : No action taken.
:mozilla.121:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.122:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.123:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
:mozilla.97:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@search.msn[1].txt -> TrackingCookie.Msn : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : No action taken.
:mozilla.79:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.80:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@stat.onestat[2].txt -> TrackingCookie.Onestat : No action taken.
:mozilla.115:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Overture : No action taken.
:mozilla.116:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@overture[2].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@realmedia[2].txt -> TrackingCookie.Realmedia : No action taken.
:mozilla.30:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
:mozilla.31:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Revsci : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@edge.ru4[1].txt -> TrackingCookie.Ru4 : No action taken.
:mozilla.46:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.47:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.48:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.49:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.24:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Sexlist : No action taken.
:mozilla.25:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Sexlist : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@skype[2].txt -> TrackingCookie.Skype : No action taken.
:mozilla.34:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@statcounter[1].txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.143:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Toplist : No action taken.
:mozilla.52:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.
:mozilla.77:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Trafic : No action taken.
:mozilla.67:C:\Documents and Settings\Karen\Application Data\Mozilla\Firefox\Profiles\q54dt7t0.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@m.webtrends[2].txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : No action taken.
C:\Documents and Settings\Karen\Cookies\karen@zedo[1].txt -> TrackingCookie.Zedo : No action taken.

::Report end

Logfile of HijackThis v1.99.1
Scan saved at 14:21:58, on 11/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Cable & Wireless\Cable & Wireless 802.11g Series Wireless LAN PC Card\Installer\WINXP\C&WConfig.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Karen\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.eircom.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/ie/enu/gen/default.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: C&W Utility.lnk = C:\Program Files\Cable & Wireless\Cable & Wireless 802.11g Series Wireless LAN PC Card\Installer\WINXP\C&WConfig.exe
O4 - Global Startup: Photo Express Calendar Checker SE.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1145377348220
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

kiemusic
2007-05-11, 15:24
KASPERSKY ONLINE SCANNER REPORT
Friday, May 11, 2007 1:29:22 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/05/2007
Kaspersky Anti-Virus database records: 298128
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
Scan Statistics
Total number of scanned objects 34322
Number of viruses found 0
Number of infected objects 0 / 0
Number of suspicious objects 0
Duration of the scan process 00:33:32

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Karen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Karen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Karen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Karen\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Karen\Local Settings\History\History.IE5\MSHist012007051120070512\index.dat Object is locked skipped
C:\Documents and Settings\Karen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Karen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Karen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP304\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_534.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

pskelley
2007-05-11, 15:49
Joe...this could easily be a hardware issue also?

The fan is running hard now too
When was the last time you cleaned the dust out of the cabinet?

dadtray.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/dadtray/
explorer.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/explorer/
Unlikely that is a trojan, but you can scan the file free here:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

AVG Anti-Spyware - Scan Report ??? NO ACTION TAKEN?

make sure you delete or at least quarantine anything it finds
Those all look like cookies anyway; you do know how to clean your cookies?
Here's some information to help you control them:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx


Logfile of HijackThis v1.99.1 Scan saved at 14:21:58, on 11/05/2007
Your HJT log looks fine. AVG Anti-Spyware is using some resources; if you don't own the program I suggest turning it off (you can keep the scanner) to save those resources.

Have a look at this information:
http://www.google.com/search?hl=en&q=clean+inside+the+computer&btnG=Google+Search

I also suggest a diagnostic here: http://www.pcpitstop.com/
Results: http://pcpitstop.invisionzone.com/index.php?showforum=6
TechExpress - Step by Step Instructions
http://www.pcpitstop.com/techexpress/howto1.asp

Post a link to that diagnostic if you would.

Keep me posted

Thanks

pskelley
2007-05-21, 15:46
No response since 2007-05-11, 09:49
Topic is closed. If you need it re-opened, please send me or a forum staff member a private message (PM) and provide a link to the thread; this applies only to the original topic starter.

Thanks