CPU bogged down. Spyware/Malware?
Join Date: Jun 2006
Posts: 10
Reputation:
Solved Threads: 0
My computer has recently been bogged down by what was at first a virus, and then a series of adware/malware programs that were (and some still are) running. I've gone through the "Fixes for Specific Infections" thread, as well as the "PC Cleaning Procedures & Detection Tools" thread, but I'm still having a huge delay in booting/shutting down the system, and unless I set priorities to my programs (Firefox, Explorer etc.) they take forever to load. I've had to disable IExplorer (Windows XP SP2) because I was getting popups for spyware/adware detectors all the time, which again slowed down my system. I'm not really sure what else I can do with this, as I've gone through the big threads (listed above) and haven't had full success.
I'm getting programs like ping.exe running always (with the address of C:\WINDOWS\system32\CROSOF~1\ping.exe and an extension of "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv running) and another one called jvaw~1.exe but I can't seem to remove them, no matter what I do.
Can anyone help me? Thanks in advance.
Please download HJT from here.
After you download the zip extract the contents to a permanent folder such as C:\HJT or something similar.
Run the program and scan your computer. It will come up with a lot of entries. (Don't fix anything yet.) There should be a save log option. It will save a log of the scan.
Post the HJT log in your next reply.
Join Date: Jun 2006
Posts: 10
Reputation:
Solved Threads: 0
This is my HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 11:43:21 PM, on 25/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
C:\Documents and Settings\Family\Desktop\HJT\HijackThis.exe
R3 - URLSearchHook: (no name) - {0AA45C7C-98BD-B118-999D-E5FC5FF0BCE1} - C:\WINDOWS\system32\mchj.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: arpa.dll mmc.dll rundll.dll C:\WINDOWS\system32\arpa.dll
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
Join Date: Jun 2006
Posts: 10
Reputation:
Solved Threads: 0
I also get a pop-up that says 'This action cannot be completed because the other program is busy. Choose "Switch To" to activate the busy program and correct the problem,' with a "Switch To..." and "Retry" button able to be pushed. I'm not sure if this is a Windows notification, or a 3rd party scam.
Any ideas?
Ping.exe is a valid process but jvaw~1.exe is not, so let's get started.
First run HJT and check the following.
O4 - HKCU\..\Run: [Dzqn] C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
O20 - AppInit_DLLs: arpa.dll mmc.dll rundll.dll C:\WINDOWS\system32\arpa.dll
Close all other windows and click fix checked.
Reboot to safe mode by tapping the F8 key during startup.
Delete the following files and folders.
C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
C:\Documents and Settings\Family\My Documents\??stem
C:\WINDOWS\system32\arpa.dll
C:\WINDOWS\SYSTEM32\JVAW~1.EXE
Reboot Normally and reply with any problems that still exist. Also post a new HJT log.
Join Date: Jun 2006
Posts: 10
Reputation:
Solved Threads: 0
When I try to fix those entries in HJT I'm given an error pop-up:
What do I do now?
An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: mmc.dll arpa.dll)
Error #5 - Invalid procedure call or argument
Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible
Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1
This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
Join Date: Jun 2006
Posts: 10
Reputation:
Solved Threads: 0
When I moved the folder to C:\ drive and retried the fix, I got the same error.
I booted into SafeMode and was able to delete the "?ttrib.exe" file and the "??stem" folder (system\attrib.exe), but was unable to delete the arpa.dll file. It said that it was in use by another program. Also, the jvaw~1.exe file did not exist. I'm really confused now ...
Here's my new HJT log file:
Logfile of HijackThis v1.99.1
Scan saved at 1:31:35 AM, on 28/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R3 - URLSearchHook: (no name) - {00755647-9D85-EB24-A360-EF1C819DB3B1} - C:\WINDOWS\system32\dojuzf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: arpa.dll rundll.dll mmc.dll C:\WINDOWS\system32\arpa.dll
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
OK, download Pocket Killbox from here.
Run killbox and check the box that says delete files on reboot.
Then select the all files button.
Go to the folder icon and navigate to the arpa.dll and TTrib~1.exe, then click OK. When you go to the drop down box you should see them there.
Close all other windows and click on the kill button (red circle with white x). Killbox should reboot your computer. After it's done, post a new HJT log.
Join Date: Jun 2006
Posts: 10
Reputation:
Solved Threads: 0
I can never find "TTRIB~1.EXE"! I deleted it in SafeMode once, but I've never been able to find it since (SafeMode or normal).
Here's the NEW log ...
Logfile of HijackThis v1.99.1
Scan saved at 11:44:43 PM, on 28/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
R3 - URLSearchHook: (no name) - {00755647-9D85-EB24-A360-EF1C819DB3B1} - C:\WINDOWS\system32\dojuzf.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\DOCUME~1\MYDOCU~1\STEM~1\TTRIB~1.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
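
A triage pass over the running-process, O4 and O20 lines of the logs above, as an added example that is not part of any post in this thread: it flags a stock Windows file name started from outside system32, paths containing characters the log shows as "?", and any AppInit_DLLs value. The `STOCK_NAMES` list and the function names are assumptions made for the example.

```python
import ntpath
import re

# Constructed sample: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CROSOF~1\ping.exe
C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ucur] "C:\WINDOWS\system32\CROSOF~1\ping.exe" -vt ndrv
O4 - HKCU\..\Run: [Dzqn] C:\Documents and Settings\Family\My Documents\??stem\?ttrib.exe
O20 - AppInit_DLLs: arpa.dll mmc.dll rundll.dll C:\WINDOWS\system32\arpa.dll
"""

SYSTEM32 = r"c:\windows\system32"
# Assumption: a short, incomplete list of stock Windows tools that live in system32.
STOCK_NAMES = {"ping.exe", "attrib.exe", "svchost.exe", "lsass.exe", "ctfmon.exe"}
EXE_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.exe)', re.IGNORECASE)


def check_path(path):
    """Return the reasons one executable path deserves a closer look."""
    reasons = []
    folder, name = ntpath.split(path.lower())
    if name in STOCK_NAMES and folder != SYSTEM32:
        reasons.append("stock Windows file name outside system32")
    if "?" in path:
        # '?' is illegal in a Windows file name, so the log could not render a character.
        reasons.append("unrenderable character in path")
    return reasons


def triage(log_text):
    """Map each flagged log line to the list of reasons it was flagged."""
    findings = {}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if line.startswith("O20 - AppInit_DLLs:"):
            # DLLs listed here are loaded into every process that loads user32.dll.
            findings[line] = ["AppInit_DLLs: " + ", ".join(line.split(":", 1)[1].split())]
        elif line.startswith("O4 - ") or line[1:3] == ":\\":
            match = EXE_PATH.search(line)
            reasons = check_path(match.group(1)) if match else []
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(f"{entry}\n    -> {'; '.join(why)}")
```
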