Constant drive activity et al

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Private_Geek16, Jun 4, 2008.

  1. Private_Geek16

    Private_Geek16 Private E-2

    My hard drive runs constantly. This has been happening for at least a year. IE hangs up frequently now. It had been happening for a few months but recently got worse. Another symptom I have is the special icons in website addresses are not there (i.e., the default "e" for Yahoo, Google, etc.) or are the wrong ones completely. Also the little arrow icon for some shortcut links are weird (rounded blue squares with white double ">>" arrows in them). I suspect that I have a spam mailbot worm or some internet connection hijacking virus :confused:

    I have been using Symantec products (probably not a good choice) for a few years and I upgraded to Norton 360 a few months ago. Quite some time ago I think I did something stupid. :eek: I allowed a registry change that SDHelper warned me about. The warning said something about Symantec, startup list, and author named Paul Collins. Since that time the Norton product icons appeared last or much later than the internet connection icon in the system tray.

    I have done all the steps in chaslang's READ & RUN ME FIRST. Malware Removal Guide. The log files are attached. Any help by your expert helpers would be greatly appreciated.
     


  2. Private_Geek16

    Private_Geek16 Private E-2

    Here is the MGlogs.zip attachment
     


  3. Private_Geek16

    Private_Geek16 Private E-2

    I forgot to include another reason that I believe the problem is related to the internet connection. The error message:

    "ccSvchost.exe application error. The exception privileged instruction occurred in.....(various numbers and letters)"

    when I shut down the computer about 50% of the time. ccSvchost.exe is the Symantec firewall. Also my internet connection statistics as reported by Windows indicate the packets sent are greater than or nearly equal to packets received.

    Thank you in advance for your help.:)
     
  4. abri

    abri MajorGeek

    Hi Private_Geek16,
    Welcome to Major Geeks!


    I don't think this is a malware problem. Did it start with either the installation of or an upgrade to Symantec? My recommendation is to see if it's related to your Symantec. If you would like to do this, you will need several steps which have been outlined below, in which you'll be asked to download a free antivirus software installation program (without installing it). Then remove the Symantec software using special removal tools and instructions, install the free antivirus program and then reconnect to the internet.

    If you decide to try this, you need to know that Norton requires a two-step deinstallation process. The first involves emptying the Norton Quarantine. The second involves running the Norton Removal Tool. It cannot be uninstalled using add/remove programs.

    I'll give you the links you would need to use if you decide to try this, but first I would like for you to take a look at your startup processes and have you run a removal tool for Windows Messenger which is an unnecessary vulnerability.

    Before we start, please tell me what is in the following two folders under C:\
    You can open the folders, but don't open any of the files. Also, you can right-click on the folders and select properties for more information.

    C:\sj753
    C:\Temp1


    And now, if you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    Next, please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    Do all of the following programs need to load at startup, or can some of them be removed? HijackThis will keep a backup, so they can be retrieved as long as the backup is kept.


    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" /OM
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

    After you click fix, just close hijackthis.

    -------------------------------------------------------------------------------------------------------------------------------------------------------

    And now, I will give you the instructions for removing Symantec, or alternatively, you can try to get information directly from Symantec as to the problems you've been having. There is a Symantec representative who comes here sometimes and can advise you about their products.

    1) First go to How to Protect Yourself from Malware and download one of the free resident antivirus programs. Do not install it. Only download the installation program to someplace where you can find it later.

    2) Make sure you have your activation key for Symantec, so you can reinstall their software again.

    3) Go to Removing Files from Norton Antivirus Quarantine and remove any files in quarantine.

    4) Go to Norton Removal Tool & Instructions from Symantec and select the product you want to remove. If it runs online, go ahead and let it run, but disconnect from the internet as soon as the connection is no longer required. If you can run it without being connected to the internet, physically unplug your computer from the internet.

    5) After removing Symantec, find the installation program for the free antivirus program you downloaded in Step 1 and install it. If it asks you if it can update, reconnect to the internet and allow it to update. Otherwise, do this yourself.

    Please let me know what, if any, of the above steps you decided to do and if any of them helped.

    Thanks.
    abri
     
  5. Private_Geek16

    Private_Geek16 Private E-2

    Hi abri,

    thanks for viewing my logs and the help you suggested.

    I will follow those steps when I have enough time to do in one session.

    In answer to your questions about Temp1 and sj753:

    Temp1 (183 MB Read only) is a folder I created to place the software extracted from HP to update all software (complete, full new web release) for HP psc 2200 series All-In-One printer, scanner, copier, fax machine.

    sj753 (10.6 MB Read only) I have no idea where it came from. It contains:

    folders bin and DocProc
    and cpeupdate.dll, loc.dll, and setup.exe (icon looks like color scanner).

    in folder bin:
    HPXMLPDF.exe and HPXtoPps.dll

    in folder DocProc:
    DocProc.exe
    DPCps.dll
    dpe_ocr.exe
    drs832.dll
    fmtcp8.dll
    regstr.cfg

    Thanks again, bye for now.
     
  6. abri

    abri MajorGeek

    Hi Private_Geek16

    I should warn you, that using the Norton Removal Tools will uninstall ALL of their software, so you may lose things you want to keep. It might be better to test this idea by simply disabling things in a systematic way and seeing if you get an improvement in your computer that way.

    abri
     
  7. Private_Geek16

    Private_Geek16 Private E-2

    Not fixed yet

    Hi abri,

    Sorry for the long delay of my reply.

    I have done all steps up to removing Symantec, and the ccSvchost error message still appears at shutdown. I just finished a long support chat with Symantec (I let them use remote control) :cry: I have more than one ccSvchost process. They said ccSvchost is not a Norton process, but a system process to manage all installed programs, even those not currently running. Is that true? Isn't the function of Svchost to do this for running programs? Can you please check with the Symantec expert you mentioned earlier?

    Can the constant hard drive operation (which has been happening a long time) be due to my Raid 0 (data striping, not data duplication) configuration?

    I still think the problem is my computer has been hijacked. But then you already checked the hijackthis log.

    Also, after running all steps in Removing Malware by chaslang my sound does not work at all :(. My speakers are fine and Creative diagnostic passes all tests except SoundFont. Should I start a new thread in hardware forum for this?

    I will await your reply before going any further (removing Symantec).

    Thanks again, bye for now.:)
     
  8. abri

    abri MajorGeek

    Hi Private_Geek16,

    Sorry for the continuing difficulties. I think it would help me to see a screen shot of the error you're getting at shutdown if you can get one. Or write the error message out exactly as it is.

    The file C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe is different than what I think the rep at Symantec was referring to, which was svchost.

    Also, please attach a fresh set of MGlogs.zip so I can see how things look now. To get this file, please go to the MGTools folder under C:\ and in it find the file called GetLogs.bat. Double-click on this and allow it to run until you get the Hit any key message.

    abri
     
  9. Private_Geek16

    Private_Geek16 Private E-2

    Hi abri,

    the error message is as follows:

    "ccSvchost.exe application error
    The exception privileged instruction occurred in:
    0x6fbf8f59f
    OK to terminate, cancel to debug"

    I am attaching latest MGlogs.zip

    What do you recommend about the sound problem? Should I start a new thread? As for my other comments in last post what do you think?

    I will go ahead and remove Symantec products and complete the procedure you recommended earlier.

    Thanks again.
     


  10. abri

    abri MajorGeek

    Hi Private Geek,

    I think the error message you're getting is because of a corrupted file. It might be possible to track it down by turning off some things. Can you simply disable the Symantec Firewall and see if the error message goes away?

    Do you know at what point you lost your sound? MalwareBytes, SuperAntispyware and Combofix didn't remove anything. The MGTools is only a scan for information. It doesn't remove anything. CCleaner in the default setting removes only a variety of temporary files. I'm not sure why you lost your sound in the process. If you go to the device manager, can you see a yellow warning shield next to the audio? To get to the device manager, go to Start and right-click on My Computer. Select Properties, and then go to the Hardware Tab. The top of the choices on that tab should be the device manager. Click on the button for this. Expand the Audio entry and see if there are any yellow warning signs anywhere. If so, right click on it and tell it to look for the driver. If that doesn't help, I think your Creative diagnostic would be useful in a Hardware Thread.


    If you haven't removed Symantec, try the following. Go to Start / Run and copy/paste in services.msc and click on okay. In the Window that opens up, scroll down to the Symantec entries and highlight them one at a time and right-click on them. Select properties and check to see that the Startup type is set to automatic. If it's set to manual, use the dropdown arrow over on the right-side to select automatic.

    abri
     
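The two checks abri walks through by hand in posts 4 and 10 (the HijackThis O4 Run entries, including ones whose target shows up as "(no file)", and the Startup type of the Symantec services in services.msc) can be done read-only from PowerShell. This is an added example, not part of the thread or of HijackThis or MGtools; the `Get-CommandPath` helper and the `Symantec|Norton` display-name filter are my own assumptions, and the script changes nothing, it only reports.

```powershell
# Added example (not from the thread): read-only audit of the Run keys that
# HijackThis reports as O4 entries, plus the startup type of Symantec services.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-CommandPath {
    param([string]$Command)
    # Pull the executable path out of a Run value such as
    #   "C:\Program Files\QuickTime\qttask.exe" -atboottime
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted form: keep everything up to the first /switch or -switch
    return ($Command -split '\s+/|\s+-')[0].Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata
        $path = Get-CommandPath ([string]$p.Value)
        if ($path -eq '') {
            $status = '(empty value)'
        } elseif (Test-Path -LiteralPath $path) {
            $status = 'ok'
        } else {
            $status = '(no file)'       # same orphan marker HijackThis prints
        }
        $hive = $key -replace ':\\.*', ''
        '{0,-5} [{1}] {2}  -> {3}' -f $hive, $p.Name, $p.Value, $status
    }
}

# Services whose display name mentions Symantec or Norton, with StartMode
# (what services.msc shows as "Startup type") and current State.
Get-WmiObject Win32_Service |
    Where-Object { $_.DisplayName -match 'Symantec|Norton' } |
    Select-Object Name, DisplayName, StartMode, State |
    Format-Table -AutoSize
```

Any line ending in "(no file)" is an orphaned startup entry of the kind abri marked for removal; a Symantec service with StartMode "Manual" is what post 10 asks to switch back to Automatic.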
  11. Private_Geek16

    Private_Geek16 Private E-2

    Hi abri,

    I finally uninstalled all Symantec software (I used Norton tools "budump" and "Norton Removal Tool") and installed Avast antivirus and Online Armor firewall. At the current time Avast is running for the first time and it has already found a backdoor virus which was in the Symantec shared folder. I have quarantined it, because Avast could not repair it. The initial scan is still running. It also found the gobackio file which was left over from Symantec. Thanks for your recommendation to remove Symantec. It seems to have worked. I will continue to use Avast, Online Armor, Spybot SD, Ad-Aware by Lavasoft, a2squared, SuperAntiSpyware, Malwarebytes, Combofix, and MGtools as my protection system. I won't use Norton anymore (I'll save money and be safer).

    :)Thank You So Much for your help!:)

    p.s. How do you log this thank you as a statistic in your nickname banner?
     
