0

Hi

I hope this call for help is in the correct section.

Last night I noticed my CPU was continuously working at 100%. One of the svchost.exe processes seem to be the main cause of this. So I killed the process and all was well.

Until this morning when I tried to boot up my pc and it stopped at the blue screen where it says "Windows is starting up".

It starts fine in Safe mode. So naturally I went into MSCONFIG and disabled everything and restarted. And the pc booted up fine.

I ran ADaware and spybot and antivirus and they found nothing but CWShredder found something called CWS.Msconfig.

Svchost is still making the cpu buzz away at 100%. Clearly something isn't right.

Here's my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 20:37:29, on 03/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Kris\My Documents\My Pictures\Utilities, Programs, Drivers\hijackthis v199.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9FD01BE-D0E4-48AE-9628-C6078B6B9C31}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\ggqafpck.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE

Cheers guys/gals

2
Contributors
13
Replies
14
Views
11 Years
Discussion Span
Last Post by DMR
0

I don't know if it's related to the above but I've just noticed both Windows media player and movie maker don't work.

0

O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\ggqafpck.dll

The above log entry is indicative of a trojan infection.

Also, your HijackThis log looks a bit strange. It is missing all of the "O4" entries, and those entries are pretty helpful in determining exactly what malicious files are loading when When Windows starts up.

Please do the following:


You will need to close/quit all web browser programs and disconnect from the Internet for some of the following, so you should print out the following instructions or save them into a text file with Notepad.


1. Download and install these two utilities (but do not run scans with them yet):

ewido Security Suite - http://www.ewido.net/en/download/
Microsoft Anti-Spyware beta - http://www.microsoft.com/downloads/...&displaylang=en

- Open ewido. If you receive a warning message saying "Database not found"; just click "OK" for this. Next, in the main screen, click "Update" and click "Start Update". After the update process completes, exit from Ewido.

- Open MS Antispyware beta. Make sure the "AntiSpyware Autoupdater" feature is enabled, and that it has downloaded the most current antispyware updates. Close the program after you've verified this.

- Open your antivirus program and use its Update feature to download and install the most current virus/spyware definitions file. Close the program once the update is complete.


2. Run HijackThis again, put a check mark in the box to the left of the following entry, and then click the "Fix Checked" button:
O21 - SSODL: SysTray.Exys - {7368D5FC-6F5C-4f5b-B964-E67214F67852} - C:\WINDOWS\system32\ggqafpck.dll


3. Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).


4. Run ewido, MS Antispyware beta, and your anti-virus program consecutively (the order doesn't matter), and have the programs fix whatever they find.
When ewido finds the first malicious object on your system, it will ask you if it should clean it. When it asks this, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.


5. While still in Safe Mode, open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extentions for known file types".

- Locate and delete the following file if it still exists:
C:\WINDOWS\system32\ggqafpck.dll

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.


6. Run HijackThis again and post the new log. Also post the scan report log that ewido generated.

0

Ok, I've now done all that.
I made the mistake of running ewido while not in safe mode so I saved the scan log and then ran ewido in safe mode and saved the log... Unfortunately the first log has vanished which is irritating because it had about 8 items. The other log just shows:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 05:22:43, 04/12/2005
+ Report-Checksum: 5F0AFE31

+ Scan result:

C:\Program Files\AOL 9.0\fdsf -> Not-A-Virus.Hoax.Renos.ac : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 17:54:51, on 04/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Kris\My Documents\My Pictures\Utilities, Programs, Drivers\hijackthis v199.1\HijackThis.exe

Does it look ok now? Computer certainly seems better.

0

Does it look ok now?

I can't tell; you've only posted the top half of the log... :o

Post the entire log; I'll review it when you do.

0

WTF?! How did I do that! :p
Oh and now I've lost that log too, right I'll run hijackthis again...
Logfile of HijackThis v1.99.1
Scan saved at 19:57:32, on 04/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Kris\My Documents\My Pictures\Utilities, Programs, Drivers\hijackthis v199.1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B9FD01BE-D0E4-48AE-9628-C6078B6B9C31}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\PROGRAM FILES\AVPERSONAL\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

0

WTF?! How did I do that! :p

Sheer talent, I guess. :mrgreen:

Seroiusly, though- your latest HJT log is clean. :)

Does everything seem to be functioning correctly now?

0

I wish I could say it was but I keep crashing. Or rather the screen freezes and nothing will make it unfreeze so I end up having to switch off and restart. And when I restart I notice the quick launch buttons near the start button have vanished. And the folder settings default back to their original settings.

0

To see if the freezes have left any clues, open the Event Viewer utility in your Administrative Tools control panel. Look through the Application and System logs for "Error" or "Warning" entries; double-clicking on the entries will open a window with more details. If you see any entries whose details look like they might relate to your problems, post the full and complete contents of the details window(s) here.

0

Oh my! Where do you want me to start, it's packed with errors and warnings. I'm just trying to think of the exact time it crashed. Doesn't help that I can't copy and paste what it says. I've gone to help and support center and that said,
"Explanation
The system BIOS attempted to incorrectly access hardware resources concurrently with the operating system. This type of access cannot be synchronized and can cause system instability.

User Action
Contact the system vendor for an updated BIOS and follow the vendor's instructions for installation."

Oh the good news is I've got my sounds back and Windows Media Player and Movie maker are working. Seems whatever was on my system b4 played havoc with drivers.

0

PC froze again earlier. Upon restarting it wouldn't get any further than the "windows is starting up" light blue screen.
So I rebooted, pressed F8, selected "Last known good configuration" or whatever its called, and it started up ok. But now I've no sound again!
I ran ewido and it found 2 items:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 03:11:46, 05/12/2005
+ Report-Checksum: 8EA5FF45

+ Scan result:

C:\WINDOWS\system32\eefejfbl.exe -> Proxy.Wopla.n : Cleaned with backup
C:\Documents and Settings\Kris\Cookies\kris@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup


::Report End

0

I rebooted, pressed F8, selected "Last known good configuration" or whatever its called, and it started up ok. But now I've no sound again!
I ran ewido and it found 2 items...

Unfortunately, the "Last known Good" configuration isn't always good. :(
If your computer was infected at the time that Windows saved its last system configuration "snapshot", infected files and the modifications they made to your system were backed up with everything else. Restoring your system to that point will restore the malicious entities along with the valid configuration info.


1. Please run HijackThis again and post the new log.

2.

Doesn't help that I can't copy and paste what it says

You can actually, and having the full details (Event ID, Source, faulting module, etc.) would help. Here's how to copy-n-paste that info:

- Double-click on an error to open the error's Properties window.

- In the Properties window, click on the button with the graphic of two pieces of paper on it; the button is at the right of the window just below the up arrow/down arrow buttons. You won't see anything happen when you click the button, but it will copy all of the details to the Windows clipboard.

- You can then paste the details into your next post in the same way that you paste your HijackThis log- by choosing "Paste" from the "File" menu or by hitting CTRL+V.

0

Hi, sorry that I've not gotten back to you sooner but my pc had a very major crash before I could carry out the above. Something killed most of my services and I couldn't do anything. I ended up reinstalling Windows. However I'm still getting that problem with the system freezing completely.
Do I need to start a new topic or shall I just do what you asked and get back to you here?
Thanks
Kris

0

Sorry I didn't get back to this earlier.
Since the problem persists after you've reinstalled Windows, and your system looks to be free of viruses/spyware, you should probably start a new thread in our Windows 2000/XP forum and post as much background information on the problem as possible. Given the reformat, and the fact that your HJT and ewido logs look good, I don't think the problem is related to malicious infections.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.