
View Full Version : HiJack log Weird system problem



jupiter1
03-07-2012, 09:19 PM
Win XP SP3, 2 GB RAM, Pentium P4-2.53

After booting, program launches take a long time and the screen freezes sometimes;
this is usually associated with web browsing.

Mem test OK. Tried 2 different video cards, and both the Mozilla Firefox and Chrome browsers.

Can someone check out the following HijackThis log and advise any changes, please.
I'm sure that there is a lot of baggage in there.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:42 p.m., on 3/07/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Megatec\UPSilon 2000\RupsMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Tools\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [adaware_XP] reg.exe delete "HKCU\Software\adaware" /f (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [adaware] reg.exe delete "HKCU\Software\AppDataLow\Software\adaware" /f (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft Limited - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rupsmon - Mega System Technologies, Inc. - C:\Program Files\Megatec\UPSilon 2000\RupsMon.exe
O23 - Service: USBMate - Mega Corp. - C:\Program Files\Megatec\UPSilon 2000\USBMate.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Phil/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

--
End of file - 6921 bytes

Speedy Gonzales
03-07-2012, 09:25 PM
What's this?

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Phil/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

I would uninstall Ad-Aware and use Malwarebytes instead.

I wouldn't be surprised if the slowness is because this uses a SiS chipset (I think that's what sisusbrg.exe is for). I had a mobo a few yrs ago that was SiS-based. It lagged big time, with nearly everything I ran on it. In the end I biffed the mobo and replaced it with an Intel-based mobo.

Nick G
03-07-2012, 09:32 PM
I'll add to Speedy's comment about Ad-Aware: you could also replace Avast with MSE.

EDIT.
R3 - URLSearchHook: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll

These will all be slowing down your web browser. Even if you keep both Ad-Aware and Avast, I'd get rid of these.
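Nick G's list above is the same few components registered at several IE extension points at once. As an added example (not from this thread or from HijackThis itself), here is a small Python script that parses the R3/O2/O3 lines of a HijackThis log and groups them by CLSID, so each DLL hooking the browser shows up once with every place it is wired in; the sample lines are constructed from the log posted in this thread.

```python
import re

# Constructed sample lines, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
"""

# R3 (URLSearchHook), O2 (BHO) and O3 (Toolbar) are the IE extension points HijackThis
# reports; each entry reads "<section> - <kind>: <name> - {CLSID} - <dll path>".
HOOK_RE = re.compile(
    r"^(?P<section>R3|O2|O3) - (?P<kind>URLSearchHook|BHO|Toolbar): "
    r"(?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<dll>.+)$"
)


def browser_hooks(log_text):
    """Group IE add-in entries by CLSID: {clsid: {"name", "dll", "hooks": [...]}}."""
    hooks = {}
    for line in log_text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # O4 Run keys, O23 services etc. are not browser add-ins
        clsid = m["clsid"].lower()
        entry = hooks.setdefault(clsid, {"name": m["name"], "dll": m["dll"], "hooks": []})
        entry["hooks"].append(f'{m["section"]} {m["kind"]}')
    return hooks


def multi_hooked(log_text):
    """Add-ins registered at more than one IE extension point, most hooks first."""
    found = [(e["name"], e["dll"], e["hooks"])
             for e in browser_hooks(log_text).values() if len(e["hooks"]) > 1]
    return sorted(found, key=lambda t: (-len(t[2]), t[0]))


if __name__ == "__main__":
    for name, dll, hooks in multi_hooked(SAMPLE_LOG):
        print(f"{name}: {', '.join(hooks)} -> {dll}")
```

Each DLL listed is loaded into every IE process at each of the points shown, so one add-in hooked three ways costs three load paths per browser start.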

jupiter1
03-07-2012, 09:42 PM
What's this?

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Phil/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg
This location is empty.

I would uninstall Ad-Aware and use Malwarebytes instead.

I wouldn't be surprised if the slowness is because this uses a SiS chipset (I think that's what sisusbrg.exe is for). I had a mobo a few yrs ago that was SiS-based. It lagged big time, with nearly everything I ran on it. In the end I biffed the mobo and replaced it with an Intel-based mobo.

The O24 location is empty, i.e. no clip image there.

This slowness has only recently started. Once a progy has been launched, used and then closed, it launches quickly from then on until I reboot again.

jupiter1
03-07-2012, 10:37 PM
That's all done

Agent_24
03-07-2012, 11:29 PM
Could be that the Hard Drive's DMA settings have gone to PIO mode, that will always cause slow system performance.

Check this out: http://winhlp.com/node/10

jupiter1
04-07-2012, 12:53 AM
Thanks Agent. Definitely in Ultra DMA mode 6.

jupiter1
06-07-2012, 04:33 PM
All above suggestions have been done.
There is a slight improvement in program launch speed but not a lot.
When I click Start it takes several seconds (about 6) to display the items in the upper panel the first time after booting.
Control Panel also takes quite a while to "populate" the icons the first time after booting.
"Programs" also takes a couple of seconds to display the list thereof.

Speedy Gonzales
06-07-2012, 04:37 PM
What's the brand / model of the mobo? It looks like AvastSvc.exe can cause freezing (this belongs to Avast).

Agent_24
06-07-2012, 04:43 PM
How old is the installation of Windows? Has it always performed this badly?

It may have just slowed down over time and would benefit from a reinstall to speed things up.

Or the HDD may be on its way out, bad sectors or such.

jupiter1
06-07-2012, 05:05 PM
Speedy,
Mobo = Elite (I think) model L4S8A2
Avast has been uninstalled and all reference to it removed from the registry, HijackThis and startup (by CCleaner).
I cannot find any reference to Avast anywhere else.

Agent,
No, this install of XP has always performed well.
Had a lot of trouble updating WinXP sp2 to sp3 over the past year or so.
With Speedy's help recently I was able to update to sp3 a few weeks ago.

This "slow down" has occurred in the past week only. I think MS tried to auto d/l some more updates, which may have caused this,
though nothing has been installed as far as I am aware.
HDD diagnostics indicate no problem with the HDD; chkdsk and surface scan appear OK.

jupiter1
06-07-2012, 05:13 PM
Speedy, Mobo is made by ECS; model above is correct.

Speedy Gonzales
06-07-2012, 05:46 PM
Use the Avast removal tool (http://www.avast.com/uninstall-utility)

I see it is a SiS-based system. I would say this has something to do with this prob.

Agent_24
06-07-2012, 07:00 PM
I see it is a SiS-based system. I would say this has something to do with this prob.

Well considering he said it's been working fine until this week I would be doubtful of that.

jupiter1
06-07-2012, 07:39 PM
Just updated Ad-Aware, Spybot, Malwarebytes and MS Essentials and ran all 4.

No nasties found by any of them!
Ran CCleaner and defrag.

jupiter1
06-07-2012, 07:47 PM
Just powered off and then rebooted.

25 secs to boot; issues mentioned above seem to be slightly better. Time will tell, stay tuned.

MS PERSISTENTLY keeps turning on Auto Updates.
I PERSISTENTLY keep turning them off. I don't trust MS. I have had nothing but problems with them since my old 286 back in 1995!

Agent_24
06-07-2012, 07:57 PM
That's strange, when I turn updates off they stay off. I prefer to do updates manually. I let it notify me of new ones automatically though.

jupiter1
06-07-2012, 08:25 PM
That's strange, when I turn updates off they stay off. I prefer to do updates manually. I let it notify me of new ones automatically though.

Yep, that's how I like it but it don't happen that way.
25 secs to boot is good though!

Slankydudl
06-07-2012, 09:37 PM
25 sec boot is damn good.

jupiter1
06-07-2012, 09:51 PM
25 sec is a bit misleading.
That is to the desktop being ready.
Windows is doing something causing lots of HDD activity for a further 2 to 3 minutes!

zqwerty
06-07-2012, 10:53 PM
Have a look in Task Manager/Processes and see what is running and using CPU cycles/time, System Idle Process should be at 99% when ready to go.

jupiter1
07-07-2012, 04:03 PM
zqwerty,
Taskmngr/processes.
On my m-c the excessive disk activity prevents me activating Task Mngr for some time.
When I do get it activated, all or most CPU usage figures are 00.
Memory figures are all over the place but most of them are in the 0 to 9999 range.
However, 3 seem very high....
exrlorer.exe = 17000 svchost = 26000 msmpeng.exe = 57000

We are now in an area which is all smoke and mirrors to me.

Nick G
07-07-2012, 04:15 PM
They're not that high. For example, my explorer.exe is using 32,280. I've got 11 svchosts; the largest single one is using 106,248. And something like Opera is using over 300,000.

In your processes tab of the task manager, at the bottom it should show how much physical memory is being used, as well as how many tasks are running. Boot windows up, and then check that before opening anything else. What percent of physical memory is being used, and how many processes are open?

jupiter1
07-07-2012, 04:40 PM
Nick G,
No Proc's = 28 Phys Mem = 248/4397

Most (but not all) of the heavy HDD activity has finished by the time I can get in and launch Task Mngr.

Agent_24
07-07-2012, 04:48 PM
Memory figures are all over the place but most of them are in the 0 to 9999 range.
However, 3 seem very high....
exrlorer.exe = 17000 svchost = 26000 msmpeng.exe = 57000

Those are not unusually high.

But "exrlorer.exe" is not a legitimate Windows process. If that is not a spelling error, it is suspect.

Nick G
07-07-2012, 04:53 PM
Nick G,
No Proc's = 28 Phys Mem = 248/4397

Most (but not all) of the heavy HDD activity has finished by the time I can get in and launch Task Mngr.
I'm in Win7, so I'm not sure if it's the same in XP, but can you get into the Task Manager quicker by right-clicking on the taskbar and clicking Start Task Manager? Also, as Agent_24 said, exrlorer.exe isn't legit. Was it a typing error or is exrlorer.exe actually listed as a process?

jupiter1
07-07-2012, 05:04 PM
Agent_24, yep, typo: explorer.exe.

Nick G, I am Rt clicking T/bar.

I appreciate everybody's help on this.

One thought to consider. For the past several months I have been using Defraggler by Piriform instead of Defrag by MS.
Early yesterday, after running Ad-Aware, Spybot, Malwarebytes and MS Essentials (all clean), I ran MS Defrag and since then the machine has been a "little" faster.

I also applied the fixes to HijackThis as suggested.

Nick G
07-07-2012, 05:27 PM
You really don't need adaware, so uninstall that. How often are you defragging? On a modern system you really don't need to.

jupiter1
07-07-2012, 06:04 PM
I sometimes find that Adaware finds an issue that the other 3 miss.
I defrag about every 3 months or so. The graphic usually shows the disk quite badly fragmented.

After boot-up, the first time I launch something like Word or Excel, for instance, it takes 5 to 7 secs to come in.
If I close the progy and launch it again some time later (without a reboot) it comes up in about 1-2 secs.
It seems many moons ago now, but progys used to launch almost instantly.

Populating the icons in Control Panel and the progy names in the Start menu also exhibits the same symptoms.

Nick G
07-07-2012, 06:27 PM
That doesn't sound too bad program-start wise. If you want to, try this (http://www.carolsvault.com/howto-make-your-programs-start-faster-in-windows-xp) and see if it makes a difference.

jupiter1
08-07-2012, 12:38 PM
Tried that. No difference.

Then I found ....
http://home.comcast.net/~SupportCD/XPMyths.html

About halfway down, see Prefetch - Enabling prefetcher. States 4, 5, 6 don't exist!
Cheers,

apsattv
08-07-2012, 10:29 PM
Easy, go into Defraggler settings, "Boot time defrag", and set it to disabled.

Problem resolved?

jupiter1
09-07-2012, 09:45 AM
Thanks.

It is and always has been disabled.
Cheers,