Hi There,

My CPU is hitting 100% every 10 - 20 minutes for 2 - 3 minutes, not too sure what it could be.

I got hit by a virus last week and have updated Windows, AV and spyware. Scanned and scanned but still nothing. Run registry cleaners / checkers and system performance checkers / boosters, scanned TCP ports and disabled Dcom but still the CPU keeps going outta control freezing my system.

Any help on what is happening is most appreciated as this is driving me nuts.

digi-b

What services are running on your system? What O/S are you using?

First please get Spybot S&D to clear out most of the spyware.

Short tutorial and download link here:
http://tomcoyote.org/SPYBOT/

Fix everything SpybotSD labels in red.

Then after reboot:
Download 'Hijack This!'. http://www.tomcoyote.org/hjt/
Unzip to a permanent folder, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.
Then post the log here.

Hi,

Thanks for the replies.

I am running Windows 2000 AMD 1.2 with 512k Ram.

I have run Spybot in the last few days but will give it a go again.

Have you got another link for Hijack This! as http://www.tomcoyote.org/hjt/ does not work for me?

Sara

I think their server must be down.

none of the links I have tried are working.

I even tried archive.org - close but got an error.

Don't know if this will help but it's basically like a better task manager, it shows you the processes you are currently running, and the ones that startup when your computer starts up.
See if it shows what process is the one using all the CPU
http://www.webattack.com/get/starter.html

Looks like it's SERVICES.EXE that's doing the damage but am not too sure.

Startup


Item,Value,Section
^SetupICWDesktop,"F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop","Registry - Def User RunOnce"
ExplorerTask,F:\WINNT\ServicePackFiles\i386\explorer.exe,"Registry - Machine Run"
internat.exe,internat.exe,"Registry - Def User Run"
LoadQM,loadqm.exe,"Registry - Machine Run"
"Microsoft Office.lnk","F:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l","Startup - All Users"
"QuickTime Task",F:\WINNT\System32\qttask.exe,"Registry - Machine Run"
"Synchronization Manager","mobsync.exe /logon","Registry - Machine Run"

Processes Running

Process,PID,"Mem usage",Executable,Priority,"Page fault count","Mem usage (peak)","Paged pool (peak)","Paged pool","Nonpaged pool (peak)","Nonpaged pool","Pagefile (peak)",Pagefile
,,,,,,,,,,,,
crypserv.exe,484,,F:\WINNT\system32\crypserv.exe,"80 (High)",,,,,,,,
csrss.exe,168,,F:\WINNT\system32\csrss.exe,"20 (Normal)",,,,,,,,
Explorer.EXE,988,,F:\WINNT\Explorer.EXE,"20 (Normal)",,,,,,,,
Idle,0,,,"0 (Normal)",,,,,,,,
lsass.exe,228,,F:\WINNT\system32\lsass.exe,"20 (Normal)",,,,,,,,
mspmspsv.exe,820,,F:\WINNT\System32\mspmspsv.exe,"20 (Normal)",,,,,,,,
MSTask.exe,620,,F:\WINNT\system32\MSTask.exe,"20 (Normal)",,,,,,,,
NOTEPAD.EXE,860,,F:\WINNT\system32\NOTEPAD.EXE,"20 (Normal)",,,,,,,,
opera.exe,1492,,"F:\Program Files\Opera7\opera.exe","20 (Normal)",,,,,,,,
qttask.exe,1212,,F:\WINNT\System32\qttask.exe,"20 (Normal)",,,,,,,,
regsvc.exe,564,,F:\WINNT\system32\regsvc.exe,"20 (Normal)",,,,,,,,
SAgent2.exe,500,,"F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe","20 (Normal)",,,,,,,,
services.exe,216,,F:\WINNT\system32\services.exe,"20 (Normal)",,,,,,,,
smss.exe,140,,F:\WINNT\System32\smss.exe,"20 (Normal)",,,,,,,,
Starter.exe,364,,"F:\Program Files\CodeStuff\Starter\Starter.exe","20 (Normal)",,,,,,,,
svchost.exe,300,,F:\WINNT\system32\svchost.exe,"20 (Normal)",,,,,,,,
svchost.exe,512,,F:\WINNT\System32\svchost.exe,"20 (Normal)",,,,,,,,
svchost.exe,832,,F:\WINNT\system32\svchost.exe,"20 (Normal)",,,,,,,,
symlcsvc.exe,772,,"F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe","20 (Normal)",,,,,,,,
System,8,,,"20 (Normal)",,,,,,,,
taskmgr.exe,1468,,F:\WINNT\system32\taskmgr.exe,"80 (High)",,,,,,,,
tinyresmeter.exe,1256,,"F:\Documents and Settings\Administrator\Desktop\tinyresmeter.exe","20 (Normal)",,,,,,,,
winamp.exe,424,,"F:\Program Files\Winamp\winamp.exe","20 (Normal)",,,,,,,,
winlogon.exe,188,,F:\WINNT\system32\winlogon.exe,"80 (High)",,,,,,,,
WinMgmt.exe,804,,F:\WINNT\System32\WBEM\WinMgmt.exe,"20 (Normal)",,,,,,,,

Thanks I will give it a go.

I had a look at my services.exe file:

"Module (49)",Handle,Size,"Full Path"
ACTIVEDS.DLL,773B0000,"192,512",F:\WINNT\system32\ACTIVEDS.DLL
ADSLDPC.DLL,77380000,"143,360",F:\WINNT\system32\ADSLDPC.DLL
ADVAPI32.dll,7C2D0000,"401,408",F:\WINNT\system32\ADVAPI32.dll
CFGMGR32.DLL,770B0000,"28,672",F:\WINNT\system32\CFGMGR32.DLL
COMCTL32.DLL,71710000,"540,672",F:\WINNT\system32\COMCTL32.DLL
cryptdll.dll,76670000,"57,344",F:\WINNT\system32\cryptdll.dll
cryptsvc.dll,768D0000,"81,920",F:\WINNT\system32\cryptsvc.dll
dhcpcsvc.dll,77360000,"102,400",F:\WINNT\system32\dhcpcsvc.dll
dmserver.dll,768C0000,"24,576",F:\WINNT\system32\dmserver.dll
DNSAPI.DLL,77980000,"147,456",F:\WINNT\system32\DNSAPI.DLL
dnsrslvr.dll,768A0000,"102,400",F:\WINNT\system32\dnsrslvr.dll
eventlog.dll,76890000,"61,440",F:\WINNT\system32\eventlog.dll
GDI32.dll,77F40000,"233,472",F:\WINNT\system32\GDI32.dll
ICMP.DLL,77520000,"20,480",F:\WINNT\system32\ICMP.DLL
IPHLPAPI.DLL,77340000,"77,824",F:\WINNT\system32\IPHLPAPI.DLL
KERNEL32.dll,7C570000,"733,184",F:\WINNT\system32\KERNEL32.dll
lmhsvc.dll,76880000,"24,576",F:\WINNT\system32\lmhsvc.dll
MPR.DLL,76620000,"69,632",F:\WINNT\system32\MPR.DLL
MPRAPI.DLL,77320000,"94,208",F:\WINNT\system32\MPRAPI.DLL
msafd.dll,74FD0000,"122,880",F:\WINNT\system32\msafd.dll
MSVCRT.DLL,78000000,"282,624",F:\WINNT\system32\MSVCRT.DLL
NETAPI32.DLL,75170000,"323,584",F:\WINNT\system32\NETAPI32.DLL
NETRAP.DLL,751C0000,"24,576",F:\WINNT\system32\NETRAP.DLL
ntdll.dll,77F80000,"503,808",F:\WINNT\system32\ntdll.dll
NTDSAPI.DLL,77BF0000,"69,632",F:\WINNT\system32\NTDSAPI.DLL
OLE32.DLL,77A50000,"966,656",F:\WINNT\system32\OLE32.DLL
OLEAUT32.DLL,779B0000,"634,880",F:\WINNT\system32\OLEAUT32.DLL
RASAPI32.DLL,774E0000,"208,896",F:\WINNT\system32\RASAPI32.DLL
RASMAN.DLL,774C0000,"69,632",F:\WINNT\system32\RASMAN.DLL
RPCRT4.DLL,77D30000,"450,560",F:\WINNT\system32\RPCRT4.DLL
RTUTILS.DLL,77830000,"57,344",F:\WINNT\system32\RTUTILS.DLL
SAMLIB.DLL,75150000,"61,440",F:\WINNT\system32\SAMLIB.DLL
SCESRV.DLL,76460000,"270,336",F:\WINNT\system32\SCESRV.DLL
SECUR32.DLL,7C340000,"61,440",F:\WINNT\system32\SECUR32.DLL
SETUPAPI.DLL,77880000,"581,632",F:\WINNT\system32\SETUPAPI.DLL
SHLWAPI.DLL,70A70000,"413,696",F:\WINNT\system32\SHLWAPI.DLL
Srvsvc.dll,767E0000,"90,112",F:\WINNT\system32\Srvsvc.dll
TAPI32.DLL,77530000,"139,264",F:\WINNT\system32\TAPI32.DLL
UMPNPMGR.DLL,767A0000,"98,304",F:\WINNT\system32\UMPNPMGR.DLL
USER32.DLL,77E10000,"389,120",F:\WINNT\system32\USER32.DLL
USERENV.DLL,7C0F0000,"397,312",F:\WINNT\system32\USERENV.DLL
WINSPOOL.DRV,77800000,"122,880",F:\WINNT\system32\WINSPOOL.DRV
WINSTA.DLL,65780000,"53,248",F:\WINNT\system32\WINSTA.DLL
wkssvc.dll,76770000,"110,592",F:\WINNT\system32\wkssvc.dll
WLDAP32.DLL,77950000,"172,032",F:\WINNT\system32\WLDAP32.DLL
WS2_32.DLL,75030000,"81,920",F:\WINNT\system32\WS2_32.DLL
WS2HELP.DLL,75020000,"32,768",F:\WINNT\system32\WS2HELP.DLL
wshtcpip.dll,75010000,"28,672",F:\WINNT\System32\wshtcpip.dll
WSOCK32.DLL,75050000,"32,768",F:\WINNT\system32\WSOCK32.DLL

Hmmm, I thought I was running the latest service packs.

I finally managed to get hold of Hijack This..


Logfile of HijackThis v1.94.0
Scan saved at 23:13:42, on 13/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by BT Openworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=208.62.208.110:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - F:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] F:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [ExplorerTask] F:\WINNT\ServicePackFiles\i386\explorer.exe
O8 - Extra context menu item: AccountLogon - F:\WINNT\al-popup-administrator.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AccountLogon (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: BT (HKCU)
O9 - Extra button: Homepage (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.4825578704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4323/mcfscan.cab

The site was hit with a DDOS attack!!:(

Not a full log; where is the top part, with the services that are running? Did you save the log in Notepad and copy-paste it here? The scan button turns into a save log button.
Log looks OK, just a few things to fix; post the top part first before you fix these.

Only thing that needs to be fixed will be these .

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)

Not sure if the log produced is short because I am running an older version of Hijack This, or the version I DL'd from archive.org is possibly corrupt.

It has the option to generate a start up list:

StartupList report, 14/02/2004, 12:37:32
StartupList version: 1.52
Started from : F:\Program Files\hijack this\hijackthis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\crypserv.exe
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\Explorer.EXE
F:\WINNT\System32\qttask.exe
F:\WINNT\system32\taskmgr.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\notepad.exe
F:\Program Files\Opera7\opera.exe
F:\WINNT\system32\NOTEPAD.EXE
F:\Program Files\hijack this\hijackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[F:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINNT\System32\Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
LoadQM = loadqm.exe
QuickTime Task = F:\WINNT\System32\qttask.exe
ExplorerTask = F:\WINNT\ServicePackFiles\i386\explorer.exe

--------------------------------------------------

Shell & screensaver key from F:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB}
(no name) - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = F:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab

[HouseCall Control]
InProcServer32 = F:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

[InstallShield International Setup Player]
InProcServer32 = f:\winnt\downlo~1\isetup.dll
CODEBASE = http://www.installengine.com/engine/isetup.cab

[Update Class]
InProcServer32 = F:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.4825578704

[Shockwave Flash Object]
InProcServer32 = F:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[McFreeScan Class]
InProcServer32 = F:\WINNT\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4323/mcfscan.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: F:\WINNT\system32\NETSHELL.dll
WebCheck: F:\WINNT\system32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 4,870 bytes
Report generated in 0.030 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Ran the main scan just to make sure:

Logfile of HijackThis v1.94.0
Scan saved at 12:33:21, on 14/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by BT Openworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer=208.62.208.110:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - F:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] F:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [ExplorerTask] F:\WINNT\ServicePackFiles\i386\explorer.exe
O8 - Extra context menu item: AccountLogon - F:\WINNT\al-popup-administrator.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AccountLogon (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: BT (HKCU)
O9 - Extra button: Homepage (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.4825578704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4323/mcfscan.cab

I updated HijackThis from Caperkacks signature, does anyone see anything that needs rectifying in this log file?

Logfile of HijackThis v1.97.7
Scan saved at 14:35:27, on 16/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\crypserv.exe
F:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\regsvc.exe
F:\WINNT\system32\MSTask.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\mspmspsv.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\Explorer.EXE
F:\WINNT\System32\qttask.exe
F:\Program Files\Opera7\opera.exe
F:\WINNT\system32\notepad.exe
F:\Documents and Settings\Administrator\Desktop\HijackThis1977.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Openworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 208.62.208.110:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=F:\WINNT\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Search - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - F:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] F:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [ExplorerTask] F:\WINNT\ServicePackFiles\i386\explorer.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: AccountLogon - F:\WINNT\al-popup-administrator.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: AccountLogon (HKCU)
O9 - Extra 'Tools' menuitem: AccountLogon (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: BT (HKCU)
O9 - Extra button: Homepage (HKCU)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38027.4825578704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4323/mcfscan.cab

First put hijackthis.exe in its own folder on your hard drive, something like f:\HJT\hijackthis.exe, because it will make backups of fixes in case you need to redo a bad fix.


Please Check and Remove the Following Entries from Hijack This

Note: When removing these entries or files, make sure NO Internet Explorer windows are open. Now reboot, and if there are any more problems, post another log here please.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)


O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
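
The by-eye triage done in this thread, as an added example (not code from any poster or from HijackThis itself): a small Python parser for the log format shown above. It reports whether the "Running processes" section is present (the "top part" missing from the v1.94.0 logs) and lists dangling entries: an empty value, `(no file)`, or `is missing`. The function names and the three matching rules are assumptions made for this example; the sample lines are excerpted from the v1.97.7 log posted above.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    code: str   # section code, e.g. "R0", "O2", "O16"
    text: str   # everything after "CODE - "

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
VERSION_RE = re.compile(r"^Logfile of HijackThis v(\S+)")

# Excerpt of the v1.97.7 log posted in this thread (shortened for the example).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 14:35:27, on 16/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
F:\WINNT\system32\services.exe
F:\WINNT\system32\crypserv.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Openworld
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [ExplorerTask] F:\WINNT\ServicePackFiles\i386\explorer.exe
"""

def parse_log(log: str) -> dict:
    """Split a HijackThis log into version, running processes and coded entries."""
    version, processes, entries = None, [], []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if m := VERSION_RE.match(line):
            version = m.group(1)
        elif line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # a blank line ends the process list
        elif m := ENTRY_RE.match(line):
            in_processes = False
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return {"version": version, "processes": processes, "entries": entries}

def dangling_entries(entries):
    """Entries that point at nothing: empty R-value, '(no file)', 'is missing'."""
    flagged = []
    for e in entries:
        # Handles both "Local Page=" (v1.94.0) and "Local Page =" (v1.97.7).
        empty_value = (e.code.startswith("R") and "=" in e.text
                       and not e.text.split("=", 1)[1].strip())
        if empty_value or e.text.endswith("(no file)") or e.text.endswith("is missing"):
            flagged.append(e)
    return flagged

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    if not parsed["processes"]:
        print("No 'Running processes' section: log is incomplete")
    for e in dangling_entries(parsed["entries"]):
        print(f"{e.code} - {e.text}")
```

The rules only find entries that reference nothing; whether a populated entry such as a `Run` value is wanted still needs a person to judge.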
