Need help with 023 and 09 in HJT log

[yjsk2100]

I am not sure what I have if anything. Every couple of days my computer just shuts off by itself. I did a HJT log to see if there was anything that was bad and there is a McAfee Application Installer Cleanup (0082431273242480) (0082431273242480mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\008243~1.EXE (file missing)

that I keep trying to fix yet it won't go away. I also have a O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

 

Can anyone tell me what they are and if it they are bad what I can do? And thanks

 

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:09:16 PM, on 5/28/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Sygate\SPF\smc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\LClock\LClock.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AWS\WeatherBug\Weather.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\IObit\IObit Security 360\IS360srv.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\AVG\AVG9\avgemc.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll

R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll

O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\YTSingleInstance.dll

O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1

O4 - HKLM\..\Run: [smcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245020954796

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: McAfee Application Installer Cleanup (0082431273242480) (0082431273242480mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\008243~1.EXE (file missing)

O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpDefragService.exe

O23 - Service: TuneUp Utilities Service (TuneUp.UtilitiesSvc) - TuneUp Software - C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

 

--

End of file - 10725 bytes

[So_sad]

Hi there yjsk2100 ;

 

Nothing bad in that log. The O23 is a McAfee Site Advisor routine that should have been removed by itself, but I gather that WinPatrol likes to flag it as bad (it's not) and removes the file, so the Service key is left there as an orphan.

I strongly suggest that you uninstall Site Advisor completely ; not only should it remove that leftover, but Site Advisor is not something I recommend anymore... They flag some legit sites as bad and don't always flag the bad ones, so it's not the program it used to be.

 

The O9 line has to do with XP's Network Diagnostic (extra menu items and buttons). Just leave those.

 

One last thing : you have two competing anti-malware programs running with shields : WinPatrol and IS360. AVG9 also has an anti-spyware module, but I think it could live alongside one of the other two, but not both. You can't have those two (WinPatrol and IS360) running together because this can create conflicts on the machine, possibly some hangs or worse. Keep just one, and remove the other (your choice).

 

Quick question : is that XP system "modified" and if so, how ?

 

===

[yjsk2100]

Thanks for the quick reply. I just uninstalled Win Patrol. I had installed it just a few days ago because I was looking for a program that stopped Trojans and this one was recommended.

 

I am going also going to uninstall McAfee Site Advisor too. But is there a program that tells you what sites and good and what sites are bad?

 

is that XP system "modified" and if so, how ?

 

Yes, this computer has been modified. When I first got it had Microsoft Works and it was for 2003 programs. I began to have problems with it doing start-up. When I turned it on the bar just rolled and rolled and rolled and would not let my computer get past that page.

 

I have a computer friend who goes all over the state and so I called him. He took the hard drive. When he returned it, it was upgraded it. I now have Microsoft Office 2007 I wanted as this is what I use at work.

 

The next thing I want done is to have him install Windows 7 but will wait for a while.

 

Thanks for reading my log again. And a few questions. Why do I so many C:\ and I have more R0 and R1 than I normally do. Are all of them required? Seems to me some are duplicates but I could be mistaken.

[So_sad]

Hi there yjsk2100 :smile:

 

Thank you for the details. From what I gather, your friend did more than just "tweak" your system ; I can only guess here but it looks like you have a heavily modified XP there, possibly not legal, but we won't get into that since you plan on getting Win7 anyway (good idea !). Just make sure you get one with a licence ;-)

 

I'm not entirely sure what you mean by "Why do I so many C:\", but I'll guess you mean running processes, which are all those lines starting with "C:\" in the first part of the HijackThis log, above the "R1" lines ; those are running processes and you do have many. Let me break those down for you, quickly :

 

- svchost.exe > 6 instances : that's normal and needed by the system to run some Services

 

- antivirus (AVG9) > 8 instances : perfectly normal.

 

- HP stuff > 4 instances : imaging or printing processes which are normal. HP software takes up a lot of resources though and I don't like that much. Same with your antivirus (AVG) ; there are lighter ones available for free.

 

- TuneUp Utilities > 2 instances : I hate those things because they can wreck your registry...

 

- You've got more in there for XP to work properly, + IS360 shields, + WinPatrol (now gone), + 2 for Internet Explorer (normal) and a few more you have running for some utilities.

 

>> You could optimize a bit, but I'm not the person to help you there.

 

---------

 

About the "R0" and "R1" lines : those are normal, and you have quite a few that came with Yahoo! crap (oops). I say "crap" but it's nothing to be worried about, really ; Yahoo! add-ons are just a bit of a pain (Start page, Search page, Search bar...) are stuff added to Internet Explorer so that Yahoo! is in your face all the time.

 

That's about it..

 

Perhaps someone else here has a suggestion for a Site Advisor replacement, because I don't use them.

 

====

[enoskype]

Hi there,

 

There are controversial comments about IoctlSvc.exe sevice for the USB connected drives, be it HD or flash.

 

I would try to disable it in the services and see if there is a problem with connecton to the USB devices, if there is no problem I would disable it as there are malware in the web stealing the name and infecting the PCs under the same name.

 

I would like to see your comment for that service So_sad.:wink:

 

For the site watching, I do use Site Advisor with my XP (because I use McAfee in that PC), but there is also WOT.

Unfortunately, WOT clasification for web pages can be effected by users giving their opinion about a site and even IObit forum was red in last November because of the user's input about IObit and being a forum site, this was a very biased result of which they have corrected later. Personally, I wouldn't use WOT.

 

There is also Zone Alarm's toolbar for site watching and downloading, a bit of a resource user.

 

Cheers.

[yjsk2100]

Thanks for the quick replies. Been real busy with work and all so didn't get here before now.

 

Same with your antivirus (AVG) ; there are lighter ones available for free.

 

Let me know a great free antivirus to use.

 

I would like to see your comment for that service So_sad.

 

What service are you talking about?

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

 

I use to have one R1 and one R2 and that is why I was asking why so many.

 

My computer still shuts off by itself so I probably will have to have it checked out. Other than that all is fine. I ran and IObit 360 full scan and all that shows up are tracking cookies which I delete. No more trojans or worms for now that is.

 

Any help with the above would be greatly appreciated and once someone helps then this thread could possibly be solved.

[enoskype]

What service are you talking about?

 

Hi there,

 

There are controversial comments about IoctlSvc.exe sevice for the USB connected drives, be it HD or flash.

 

I would try to disable it in the services and see if there is a problem with connecton to the USB devices, if there is no problem I would disable it as there are malware in the web stealing the name and infecting the PCs under the same name.

 

I would like to see your comment for that service So_sad.:wink:

 

I meant the service in red and wanted to learn the opinion of So_sad.

 

About the R1s and R2s:

They are more because you have installed Yahoo and it replaced the originals, so virtually it is more than doubled because of the Yahoo Toolbar.

If you uninstall the Yahoo Toolbar, and change the default search engine to Ms, the # of Rs will be reduced.:mrgreen:

 

For the great free antivirus, I would advice a little search, as the best is subjective. If you have a look at AVG vs. Avast vs. Avira vs. MSSE!? thread, you will understand what I mean.

Anyway, perhaps, So_sad may have a name in his mind.:-)

 

Cheers.