[Inactive] I've done the 8-step process

By pwn3dchoo
Jul 11, 2010
Topic Status:
Not open for further replies.
  1. So my laptop recently has become extremely laggy starting three days ago. Aside from the lag, McAfee keeps telling me that it is off even though I had not touched it. It will say that everything is off then say that everything is turned on. I also found out that I have a folder containing a file named "cmd.cfxxe.mui". I looked online and noticed that the file isn't a good thing?

    Please help me with this.

    Attached Files:

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I'll check your logs, but wanted to refer you to this: http://www.threatexpert.com/report.aspx?md5=6b1e43aa88897f983eb50abe7c94f992

    When you do a Google search, no matter what the search string is, it will show in bold type, even if it's a normal file. It's just how a search engine works. As you can see by this description, it can be a legitimate entry-or not:
    cmd= command and
    cfxxe is in Combofix
    (MUI) =Multilingual User Interface

    Can you tell me what laggy means please? Is that 'slow'? Describe.
  3. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    Hmm I see. What am I supposed to look for in that site? Sorry, I'm not that computer savvy haha. Ya my computer has been running really slowly recently. I tried making this thread last night but my computer just froze. I tried running MBAM to do a full scan but my computer restarted itself. I came back to a BSOD. When I restarted again, the screen stated "Boot Device Not Found." But the next time I turned it on, everything seemed fine.

    I'm running my laptop in safe mode right now, but I ran the scans in normal mode.
    Thank you for looking over my logs.


    EDIT: My laptop keeps turning McAfee's Real Time Scanning off.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    There is a legitimate entry and a malware entry for "cmd.cfxxe.mui". My referral to the site was for you to read the information about it.
    Why are you running the computer in Safe Mode? If 'laggy' means slow, it can be because you have so many processes starting up.
    Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    Now download and run current Combofix:
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.
    Re-enable your Antivirus software.
  5. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    I've attached the report because of the character limit.

    Attached Files:

  6. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    Hey Bobbye, are you still going to help me?
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I see you were very active with the DIVX program. Now you have all that data from 7/13 on the system that you didn't have before. I note that you installed Avast also on 7/13. You already have the McAfee Security suite running. Remove Avast and its data please:
    Avast Removal

    Reboot the computer when finished.
    Before running a Combofix scan, security programs are supposed to be disabled per the instructions. Part of the Combofix header is missing: the part that tells me that either the security was enabled or disabled and the names of the programs.
    =====================================
    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    c:\programdata\ezsidmv.dat
    c:\program files\Viewpoint\Common\ViewpointService.exe
    Folder::
    C:\32788R22FWJFW
    c:\users\Public\AppData\Local\temp
    c:\users\Default\AppData\Local\temp
    
    FileLook::
    c:\windows\system32\pool.bin
    
    Registry::
    RegLock::
    [HKEY_LOCAL_MACHINE\SOFTWARE\DeterministicNetworks\DNE\Parameters]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
    
    RegNull::
    [HKEY_USERS\S-1-5-21-2042099839-2594529637-3938066469-1000\Software\SecuROM\License information*]
    
    Extra::
    File::
    c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    Firefox::
    Firefox-: -Profile- c:\users\Yves\AppData\Roaming\Mozilla\Firefox\Profiles\i832u5x6.default\
    
    Driver::
    Viewpoint Manager Service
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
  8. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    Hey Bobbye, I've attached the ComboFix log but I don't have the log for the ESET scan. I ran the scan four times and three of those times resulted in my laptop crashing. I would step away for a few hours and see the words "Boot Device Not Found" telling me I need to load an operating system. I stopped the scan one time because it had been scanning for 4 hours and I guess was stuck on a file for over an hour and at 99%.

    During each scan, ESET found these six things:

    C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe probably a variant of Win32/Agent trojan
    C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe probably a variant of Win32/Agent trojan
    C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe probably a variant of Win32/Agent trojan
    C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe probably a variant of Win32/Agent trojan
    C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe probably a variant of Win32/Agent trojan
    C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe probably a variant of Win32/Agent trojan

    Attached Files:

  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I don't do this often, but let's give it a try, since I am familiar with these entries: Do you see the ICQ/AIM in the entries? That should give you a good idea where they came from.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Services
      
      :Reg
      
      :Files  
      C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe 
      C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =========================================
    Then run this one: Choose v2.0.4:

    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    Let's make sure those files get moved- I will have you run another online scan and will come back to Combofix after these.
  10. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    I've attached the OTM log at the bottom
    ------

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:17:52 AM, on 7/18/2010
    Platform: Windows 7 (WinNT 6.00.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16385)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskhost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\Zune\ZuneLauncher.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=83&bd=Pavilion&pf=cnnb
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=mcafee&p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100512164654.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
    O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
    O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
    O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - Global Startup: VPN Client.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fb1c4256d359bf22\aestsrv.exe
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
    O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
    O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
    O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
    O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_fb1c4256d359bf22\STacSV.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

    --
    End of file - 9566 bytes

    Attached Files:
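A sketch of a first-pass review of a HijackThis log like the one posted above (added example, not code from the thread or from HijackThis): it parses the section-coded lines, lists registry Run-key startup items, and marks entries whose target reads `(no file)` or whose service vendor reads `Unknown owner` for manual review. The function names are illustrative, and the sample is an excerpt of the posted log.

```python
import re
from collections import Counter

# Excerpt of the log posted in the thread, embedded so the example runs offline.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: VPN Client.lnk = ?
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
"""

# A log entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+)$")
# Registry autorun body: "HKLM\..\Run: [name] command line".
RUN_RE = re.compile(r"^(HK\w+\\\.\.\\\S+?): \[(.+?)\] (.+)$")


def parse_entries(text):
    """Return (code, body) for every section-coded line; header and
    running-process lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def startup_items(entries):
    """Registry Run-key items from O4 lines as (key, name, command).
    Startup-folder shortcuts ("Global Startup: ...") have a different
    shape and are left out here."""
    items = []
    for code, body in entries:
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            items.append(m.groups())
    return items


def review_flags(entries):
    """Mark entries worth a manual look. These are review hints, not verdicts:
    "(no file)" means the registered target is absent on disk (often a
    leftover of an uninstalled program), and "Unknown owner" means the
    service binary carries no vendor string."""
    flags = []
    for code, body in entries:
        if body.endswith("(no file)"):
            flags.append((code, "target file missing", body))
        elif code == "O23":
            parts = body.split(" - ", 2)  # display name, vendor, path
            if len(parts) == 3 and parts[1] == "Unknown owner":
                flags.append((code, "no vendor string", body))
    return flags


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("entries per section:", dict(Counter(c for c, _ in entries)))
    print("registry startup items:")
    for key, name, command in startup_items(entries):
        print(f"  {key:<14} {name:<16} {command}")
    print("review manually:")
    for code, reason, body in review_flags(entries):
        print(f"  [{code}] {reason}: {body}")
```
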

  11. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    Should I scan with ESET again?
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    No. Just give me the log from OTMoveIt. I'm finishing up Combofix now.

    How are system problems now?
  13. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    Here is the OTMoveit log.


    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    C:\HP\HPQWare\aim_icq\triton_de_de\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_en_gb\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_es_es\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_fr_fr\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_it_it\setup.exe moved successfully.
    C:\HP\HPQWare\aim_icq\triton_nl_nl\setup.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Yves
    ->Temp folder emptied: 1243689 bytes
    ->Temporary Internet Files folder emptied: 30277754 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 41096480 bytes
    ->Flash cache emptied: 5771 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 32717 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 69.00 mb


    OTM by OldTimer - Version 3.1.15.0 log created on 07182010_100428

    Files moved on Reboot...
    C:\Users\Yves\AppData\Local\Temp\ehmsas.txt moved successfully.

    Registry entries deleted on Reboot...
  14. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    I'm not sure if I did anything wrong, but I think my laptop is running worse. I'm on safe mode right now because my laptop is having difficulties doing the simplest of tasks such as opening Firefox or My Folders. This is a bit frustrating because trying to click the start button takes over a minute for the menu to come up.
  15. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    Hey Bobbye, as of right now, my computer is running fairly well. However, I have a Windows Update for MS Outlook 07 even though I don't have Outlook installed. I looked over the update history and it shows that it has been trying to do this update ever since 7-15, five days ago. The update has failed each time.

    Also, my McAfee Real-Time Scanning continually keeps turning off and on. The same goes for Windows Defender.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    These are a few of the Event Errors in the Attach.txt log. They are all repeating and all need to be dealt with. You are having serious system problems and the computer isn't going to work until you follow through and correct these problems:

    7/8/2010 11:19:46 PM, Error: Microsoft-Windows-CorruptedFileRecovery-Server [6] - The system file C:\Windows\System32\NlsData0003.dll was corrupted, which may have caused the application C:\Windows\system32\SearchIndexer.exe to stop working. Windows was unable to repair this file (error code 0). Run the command "sfc /scannow" at an administrative command prompt to check for errors and to repair the file if necessary.

    7/9/2010 5:06:12 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume D:.

    7/9/2010 7:46:13 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume HP_RECOVERY.

    7/10/2010 4:09:57 AM, Error: Service Control Manager [7038] - The WSearch service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

    7/10/2010 1:35:59 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: hpdskflt (Hpdskflt.sys with description HP Disk Filter is a driver file from company Hewlett-Packard Corporation belonging to product Hewlett-Packard Corporation Mobile Data Protection System.)

    7/10/2010 1:33:51 AM, Error: Service Control Manager [7038] - The McShield service was unable to log on as NT AUTHORITY\SYSTEM with the currently configured password due to the following error: The request is not supported. To ensure that the service is configured properly, use the Services snap-in in Microsoft Management Console (MMC).

    7/11/2010 12:02:10 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: discache spldr Wanarpv6
    (Note: spldr is Microsoft Windows security process loader
    Wanarpv6 is Remote Access IPv6 ARP Driver)

    7/11/2010 10:53:00 AM, Error: Service Control Manager [7034] - The Windows Search service terminated unexpectedly. It has done this 24 time(s).

    As for Outlook: The following are installed:
    Activation Assistant for the 2007 Microsoft Office suites
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 Help (KB963677)

    You are not going to be able to do anything until you handle the system problems indicated in the Event Errors. Take one at a time- follow any directions given.
  17. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    I ran chkdsk here are the results.

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>chkdsk D:
    The type of the file system is NTFS.
    Volume label is HP_RECOVERY.

    WARNING! F parameter not specified.
    Running CHKDSK in read-only mode.

    CHKDSK is verifying files (stage 1 of 3)...
    448 file records processed.
    File verification completed.
    0 large file records processed.
    0 bad file records processed.
    0 EA records processed.
    0 reparse records processed.
    CHKDSK is verifying indexes (stage 2 of 3)...
    528 index entries processed.
    Index verification completed.
    0 unindexed files scanned.
    0 unindexed files recovered.
    CHKDSK is verifying security descriptors (stage 3 of 3)...
    448 file SDs/SIDs processed.
    Security descriptor verification completed.
    40 data files processed.
    Windows has checked the file system and found no problems.

    10471423 KB total disk space.
    8909248 KB in 361 files.
    132 KB in 42 indexes.
    24 KB in bad sectors.
    55599 KB in use by the system.
    54416 KB occupied by the log file.
    1506420 KB available on disk.

    4096 bytes in each allocation unit.
    2617855 total allocation units on disk.
    376605 allocation units available on disk.

    C:\Windows\system32>

    ----

    The sfc /scannow result

    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>sfc /scannow

    Beginning system scan. This process will take some time.

    Beginning verification phase of system scan.
    Verification 100% complete.
    Windows Resource Protection found corrupt files but was unable to fix some of th
    em.
    Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For example
    C:\Windows\Logs\CBS\CBS.log

    C:\Windows\system32>
  18. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    What am I supposed to do in MMC? It says McShield and Windows Search have both started and logged on as Local system.

    How do I load the Hpdskflt.sys and discache spldr Wanarpv6?
     
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Please reboot the computer and see how the system is working. You have got to be more specific about the problem you're having.
  20. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    The computer seems to work well for about the first 10 mins. At this point, the computer runs smoothly. Shortly after though, whatever program is open will begin to run slowly. I can't open many programs because it would freeze up.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    I am confused. The following are both comments made 2 days ago:
    Post 17:
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    1. How much installed RAM do you have?

    2. Open the Task Manager. Choose Processes tab> look at the bottom right corner> how many processes are running?

    3. Click on Start> Run> type in msconfig> Enter> Selective startup> how many processes are checked in Startup.
  23. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    Sorry for the late response, I was not at home for the last three days. Sorry for the conflicting response, but what I meant is that starting a program would take ~5mins until it would seem to run normally, but starting a new program takes much longer than the first program. For example, I would try to start Firefox and that would take about 5mins, then I would try to start Zune but the program, along with Firefox and any other windows, would freeze up.

    There are 18 processes checked in Startup and 31 processes in Task Manager. I have 3GBs of RAM. I will do the steps as soon as I can in the morning.

    I really appreciate and thank you for helping me out with this laptop issue :):)
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +35

    Okay RAM is enough if it's all good. Number of processes in Task Manager is very good.

    Number of processes checked in Startup is about 12 too many! Whether you actually use the processes or not, if they start on boot, they will continue to run in the background. As you surf, the temporary internet files are adding up and at some point, processes are going to start competing with each other for available RAM.

    Also, if you have a lot of either or both tabs and add-ins on Firefox, it will take it longer to load. If your homepage has multiple tabs to load, try creating a shortcut for Firefox that is just the browser itself, no tab and see if that makes a difference. I have 7 tabs on my Firefox home page. Most of the time, it loads okay, but occasionally there is a problem with the site on one of the tabs that slows down the entire loading.

    It could also be that you have a lot of addons in Firefox that are taking longer to load. Review those and see if you can remove some- if that makes a difference.

    I went back and reviewed the HJT log and see the following running: (they only need to be running if you are actively using them)
    CyberLink
    ZuneLauncher
    DivXUpdate
    SunJavaUpdateSched
    HP Digital Imaging and Smart Web Printing
    RIMAutoUpdate


    and there are 16 Services currently running (other than those for McAfee) that may be on Automatic Startup and could be on Manual.
  25. pwn3dchoo

    pwn3dchoo Newcomer, in training Topic Starter

    I've turned off a majority of my startup processes and only checked those that I think I need.
    Also, I noticed I have multiple svchost.exe running, 16 to be exact. Could this be causing any issues?