Unsolved


16 Posts


January 1st, 2007 13:00

Looking for hijack log help

I am new to this forum and am looking for help with a problem with the CPU running at 100%. I have tried virus and spyware scans with no luck in correcting my problem. In reading some posts it appears that I may have malware, but not sure how to handle it.
 
Thanks - here is my log.
 
Logfile of HijackThis v1.99.1
Scan saved at 8:46:28 AM, on 1/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\taskmgr.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167499489333
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167505439843
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
 

10.4K Posts

January 2nd, 2007 01:00

p0peye2
 
Not much showing up in your log.
 
Open Task Manager and in your reply list the processes that are using the most CPU.
 
bamajim   Graduate of MRU

 
 

16 Posts

January 7th, 2007 12:00

bamajim
 
Sorry for the delay, my system was not allowing me to respond to this post.
 
cctray.exe (2 entries)
svchost.exe (6 entries)
UmxCfg.exe
hphmon05.exe (2 entries)
iexplorer.exe
ITMRTSVC.exe
 
thxs - p0peye2

10.4K Posts

January 8th, 2007 00:00

p0peye2

1. *NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.

  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced." deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

2. Please perform an Ewido Online Malware Scan

  • When a dialog box appears asking you if you would like to download and install the ewido anti-spyware online scanner please click Yes to allow the download.
  • Click on Start Scan.
  • After the scan completes it will produce a log for you; copy and paste the results of that scan as a reply to this thread.
  • If any infections are found, (After you save the logfile), Click on Remove Infections.
bamajim   Graduate of MRU

16 Posts

January 8th, 2007 22:00

bamajim
 
I have run CCleaner and here is the output from ewido.
 
p0peye2
 
==============================================

__________________________________________________

ewido anti-spyware online scanner

     http://www.ewido.net

__________________________________________________

Name: TrackingCookie.Advertising
Path: :mozilla.20:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\j5nz0ok2.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.21:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\j5nz0ok2.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.22:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\j5nz0ok2.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.23:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\j5nz0ok2.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: :mozilla.28:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\j5nz0ok2.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.29:C:\Documents and Settings\Dad\Application Data\Mozilla\Firefox\Profiles\j5nz0ok2.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: C:\Documents and Settings\Dad\Cookies\dad@atdmt[2].txt
Risk: Medium

Name: TrackingCookie.Bluestreak
Path: C:\Documents and Settings\Dad\Cookies\dad@bluestreak[1].txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: :mozilla.27:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Atdmt
Path: :mozilla.32:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.33:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.35:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.36:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.37:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Advertising
Path: :mozilla.38:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adrevolver
Path: :mozilla.39:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adrevolver
Path: :mozilla.40:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adrevolver
Path: :mozilla.41:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adrevolver
Path: :mozilla.42:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adrevolver
Path: :mozilla.45:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adrevolver
Path: :mozilla.46:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Mediaplex
Path: :mozilla.48:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Bluestreak
Path: :mozilla.50:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Tacoda
Path: :mozilla.59:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Hitbox
Path: :mozilla.63:C:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\ggpgwzaa.default\cookies.txt
Risk: Medium

Name: TrackingCookie.Adrevolver
Path: C:\Documents and Settings\Talgar\Cookies\talgar@adrevolver[3].txt
Risk: Medium

Name: TrackingCookie.Casalemedia
Path: C:\Documents and Settings\Talgar\Cookies\talgar@as.casalemedia[1].txt
Risk: Medium

Name: TrackingCookie.2o7
Path: C:\Documents and Settings\Talgar\Cookies\talgar@msnportal.112.2o7[1].txt
Risk: Medium

Name: Adware.Wildtangent
Path: C:\WINDOWS\wt\backup\1.6.0.037\wcmdmgr.exe
Risk: Medium

Name: Adware.Wildtangent
Path: C:\WINDOWS\wt\updater\wcmdmgr.exe
Risk: Medium


10.4K Posts

January 8th, 2007 23:00

p0peye2
 
Let me have a fresh HijackThis log please and give me an update on how your PC is running.
 
bamajim   Graduate of MRU

 

16 Posts

January 9th, 2007 21:00

bamajim
 
The system is still running @ 100%. It appears to start out running ok but soon after it gets bogged down. Here are the programs taking the most CPU:
 
svchost.exe
iexplorer.exe
UMxCfg.exe
cctray.exe
hpmon05.exe
System
lsass.exe
ITMRTSVC.exe
 
Thanks, p0peye2
 
Here is the latest run of hijackthis:
 
Logfile of HijackThis v1.99.1
Scan saved at 4:47:00 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\WINDOWS\system32\taskmgr.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netservices.verizon.net/portal/link/main/vzcentral
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167499489333
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167505439843
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
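The helper asked for a fresh HijackThis log to compare against the first one, and that comparison is easier done by machine than by eye. The script below is an added example, not something posted in this thread and not a HijackThis feature: it parses the section-coded lines of two logs, reports which entries appeared or vanished between them, and flags two things a reviewer scans for first: references marked "(file missing)" and Run entries whose command is a bare file name with no path. The sample logs inside it are constructed from a few lines of the two logs above, trimmed so the diff stays readable; the function names (parse_hjt, triage, diff_logs) are the example's own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section body")

# A HijackThis entry line is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
# Header lines and the running-process list carry no section code and are skipped.
LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2})\s+-\s+(.*)$")
# Body of an O4 entry: hive, the literal "\..\Run:", "[name]", then the command.
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

# Constructed samples: a few lines copied from the two logs in this thread
# (Jan 1 and Jan 9), trimmed so the diff stays readable.
LOG_JAN1 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
"""

LOG_JAN9 = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def parse_hjt(text):
    """Return the section-coded entries of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Cheap first-pass checks: references to files that no longer exist, and
    Run entries whose command has no path, so the executable is located by a
    directory search at logon rather than at a fixed, reviewable location."""
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append(("dangling-reference", e.section, e.body))
        if e.section == "O4":
            m = RUN_RE.match(e.body)
            parts = m.group("cmd").strip('"').split() if m else []
            if parts and "\\" not in parts[0]:
                findings.append(("bare-filename-run-entry", e.section, parts[0]))
    return findings


def diff_logs(old_text, new_text):
    """What a helper checks when asking for a fresh log: entries that appeared
    and entries that vanished between two logs from the same machine."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    added, removed = diff_logs(LOG_JAN1, LOG_JAN9)
    for e in added:
        print("+", e.section, e.body)
    for e in removed:
        print("-", e.section, e.body)
    for kind, section, detail in triage(parse_hjt(LOG_JAN9)):
        print(kind, section, detail)
```

Run as-is it reports the Yahoo! BHO, the xpnetdiag button and the iPod service as new, the MUSICMATCH Run entry as gone, and lists VTTimer.exe and LTMSG.exe as path-less Run entries. A bare file name in a Run entry is not evidence of anything by itself (both of these are ordinary vendor entries), but it is the kind of line a reviewer confirms against the file on disk rather than waving through.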
 

10.4K Posts

January 9th, 2007 23:00

p0peye2

Well that doesn't make me happy

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

You may have to post the results in more than one reply
 
bamajim   Graduate of MRU

 

16 Posts

January 10th, 2007 00:00

Thanks again - here we go with combofix output...part 1
 
Owner - 07-01-09 20:12:31.89    Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Owner\My Documents"
(((((((((((((((((((((((((((((((   Files Created from 2006-12-09 to 2007-01-09  ))))))))))))))))))))))))))))))))))
 
 
2007-01-09 19:00   d-------- C:\WINDOWS\LastGood
2007-01-09 19:00   d-------- C:\WINDOWS\ie7updates
2007-01-08 17:02   dr-h----- C:\Documents and Settings\Owner\Recent
2007-01-07 22:00   d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-01-07 21:55   d-------- C:\Program Files\Yahoo!
2007-01-07 21:49   d-------- C:\Program Files\CCleaner
2007-01-05 22:54   d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-01-05 22:53   d-------- C:\Program Files\iPod
2007-01-05 22:52   d-------- C:\Program Files\iTunes
2007-01-05 22:51   d-------- C:\Program Files\QuickTime
2007-01-05 22:44   d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-01-05 18:53   d-------- C:\WINDOWS\AiOTemp
2007-01-05 18:52   d-------- C:\temp
2007-01-05 16:35   d-------- C:\Program Files\Common Files\Adobe
2007-01-04 20:14   d-------- C:\WINDOWS\WBEM
2007-01-04 20:14   d-------- C:\WINDOWS\system32\en-US
2007-01-04 20:12   d--h-c--- C:\WINDOWS\ie7
2007-01-04 20:08 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-04 20:07   d-------- C:\WINDOWS\network diagnostic
2007-01-02 23:05   d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-01-01 08:44   d-------- C:\hijackthis
2006-12-31 13:25   d-------- C:\Program Files\Mozilla Firefox
2006-12-31 08:47 159,744 --a------ C:\WINDOWS\system32\igfxres.dll
2006-12-31 00:50   d-------- C:\1b61646c1061c996423a53af
2006-12-31 00:29 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-12-30 18:47 4,113 --a------ C:\WINDOWS\viassary-hp.reg
2006-12-30 18:35   d-------- C:\WINDOWS\Sun
2006-12-30 18:33   d-------- C:\WINDOWS\wt
2006-12-30 17:23   d-------- C:\WINDOWS\Prefetch
2006-12-30 16:00   d-------- C:\WINDOWS\provisioning
2006-12-30 16:00   d-------- C:\WINDOWS\peernet
2006-12-30 15:53   d-------- C:\WINDOWS\ServicePackFiles
2006-12-30 15:41   d-------- C:\WINDOWS\EHome
2006-12-30 15:23 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-12-30 15:17 8,704 --a------ C:\WINDOWS\system32\drivers\Dot4Scan.sys
2006-12-30 15:17 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2006-12-30 15:17 207,360 --a------ C:\WINDOWS\system32\drivers\dot4.sys
2006-12-30 15:17 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2006-12-30 15:16 90,112 --a------ C:\WINDOWS\system32\hpocon09.exe
2006-12-30 15:16 69,632 --------- C:\WINDOWS\system32\hpogpcon.exe
2006-12-30 15:16 61,440 --------- C:\WINDOWS\hpgpunin.exe
2006-12-30 15:16 341,504 --------- C:\WINDOWS\system32\hpojgpwia.dll
2006-12-30 15:16 22,139 --a------ C:\WINDOWS\system32\hpocoi08.dll
2006-12-30 15:16   d-------- C:\Program Files\HP TWAIN Data Source
2006-12-30 15:15   d-------- C:\Program Files\HP Officejet 7100 Series_WebPack_English_WinXP
2006-12-30 14:21   d-------- C:\Program Files\MSXML 4.0
2006-12-30 13:48 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2006-12-30 13:48 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2006-12-30 13:48 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-12-30 13:47 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-12-30 13:47 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-12-30 13:28   d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-30 12:51   d-------- C:\WINDOWS\pss
2006-12-30 12:22 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-12-30 12:21   d-------- C:\WINDOWS\CAVTemp
2006-12-30 12:14   d-------- C:\Documents and Settings\Owner\Application Data\Macromedia
2006-12-30 12:07   d--hs---- C:\System Volume Information
2006-12-30 12:05 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-12-30 12:05 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-12-30 12:05 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-12-30 12:05 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-12-30 12:05 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2006-12-30 12:05 26,496 --a------ C:\WINDOWS\system32\drivers\usbstor.sys
2006-12-30 12:05 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-12-30 12:05 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-12-30 12:05 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-12-30 12:04 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2006-12-30 12:04 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2006-12-30 12:03 800,272 --a------ C:\Documents and Settings\Owner\ppctl.dll
2006-12-30 12:00 75,280 --a------ C:\WINDOWS\system32\isafprod.dll
2006-12-30 12:00 629,264 --a------ C:\WINDOWS\system32\drivers\vetefile.sys
2006-12-30 12:00 32,528 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-12-30 12:00 26,640 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2006-12-30 12:00 21,648 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-12-30 12:00 21,392 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2006-12-30 12:00 108,592 --a------ C:\WINDOWS\system32\drivers\veteboot.sys
2006-12-30 11:55 95,760 --a------ C:\WINDOWS\system32\isafeif.dll
2006-12-30 11:55 75,280 --a------ C:\WINDOWS\system32\vetredir.dll
2006-12-30 11:55   d-------- C:\Program Files\Common Files\Scanner
2006-12-30 11:55   d-------- C:\Program Files\CA
2006-12-30 11:55   d-------- C:\Documents and Settings\All Users\Application Data\CA
2006-12-30 11:46   dr-h----- C:\Documents and Settings\Owner\SendTo
2006-12-30 11:46   dr-h----- C:\Documents and Settings\Owner\Application Data\.
2006-12-30 11:46   dr-h----- C:\Documents and Settings\Owner\Application Data
2006-12-30 11:46   dr-h----- C:\Documents and Settings\All Users\Application Data\.
2006-12-30 11:46   dr-h----- C:\Documents and Settings\All Users\Application Data
2006-12-30 11:46   dr--s---- C:\WINDOWS\assembly
2006-12-30 11:46   dr------- C:\WINDOWS\Offline Web Pages
2006-12-30 11:46   dr------- C:\Program Files\.
2006-12-30 11:46   dr------- C:\Program Files
2006-12-30 11:46   dr------- C:\Documents and Settings\Owner\Start Menu
2006-12-30 11:46   dr------- C:\Documents and Settings\Owner\My Documents
2006-12-30 11:46   dr------- C:\Documents and Settings\Owner\Favorites
2006-12-30 11:46   dr------- C:\Documents and Settings\All Users\Start Menu
2006-12-30 11:46   dr------- C:\Documents and Settings\All Users\Documents
2006-12-30 11:46   d-ahs---- C:\Program Files\..
2006-12-30 11:46   d-------- C:\Documents and Settings\Owner\Application Data\..
2006-12-30 11:46   d-------- C:\Documents and Settings\All Users\Application Data\..
2006-12-30 11:44   dr-hsc--- C:\WINDOWS\system32\dllcache
2006-12-30 11:44   d-------- C:\Documents and Settings\Owner\Application Data\Motive
2006-12-30 11:39 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2006-12-30 11:32   dr-hs---- C:\cmdcons
2006-12-30 11:32   d-------- C:\WINDOWS\setupupd
2006-12-30 11:32   d-------- C:\WINDOWS\setup.pss
2006-12-30 11:29 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-12-30 11:29   d--h----- C:\WINDOWS\$hf_mig$
2006-12-30 11:29   d-------- C:\WINDOWS\system32\PreInstall
2006-12-30 11:28 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-12-30 11:28 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-12-30 11:28 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2006-12-30 11:28 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-12-30 11:28   d-------- C:\WINDOWS\system32\bits
2006-12-30 11:25 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-12-30 11:25 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-12-30 11:25 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-12-30 11:25 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-12-30 11:25 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-12-30 11:25 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-12-30 11:25   d-------- C:\WINDOWS\SoftwareDistribution
2006-12-30 11:24   d--hs---- C:\Documents and Settings\Owner\UserData
2006-12-30 11:21   d--hs---- C:\RECYCLER
2006-12-30 11:20 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2006-12-30 11:20   d-------- C:\WUTemp
2006-12-30 11:18 182,880 --a------ C:\WINDOWS\system32\iuenginenew.dll
2006-12-30 11:15 81,920 --a------ C:\WINDOWS\system32\mplaw7.dll
2006-12-30 11:15 81,920 --a------ C:\WINDOWS\system32\mplaa6.dll
2006-12-30 11:15 69,632 --a------ C:\WINDOWS\system32\mplapx.dll
2006-12-30 11:15 69,632 --a------ C:\WINDOWS\system32\mplam6.dll
2006-12-30 11:15 49,152 --a------ C:\WINDOWS\system32\cpuinf32.dll
2006-12-30 11:15 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2006-12-30 11:15 1,675,264 --a------ C:\WINDOWS\system32\mplva6.dll
2006-12-30 11:15 1,630,208 --a------ C:\WINDOWS\system32\mplvw7.dll
2006-12-30 11:15 1,581,056 --a------ C:\WINDOWS\system32\mplvm6.dll
2006-12-30 11:15 1,150,976 --a------ C:\WINDOWS\system32\mplvpx.dll
2006-12-30 11:14 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2006-12-30 11:14   d-------- C:\Program Files\ArcSoft
2006-12-30 11:13   d-------- C:\WINDOWS\Downloaded Installations
2006-12-30 11:13   d-------- C:\Program Files\Multimedia Card Reader
2006-12-30 11:12 68,224 --a------ C:\WINDOWS\system32\drivers\pci.sys
2006-12-30 11:11 35,840 --a------ C:\WINDOWS\system32\drivers\isapnp.sys
2006-12-30 11:10 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2006-12-30 11:10 24,576 --a------ C:\WINDOWS\system32\drivers\kbdclass.sys

((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-07 23:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-19 07:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-17 12:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05 206336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 12:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 12:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 11:58 61952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58 12288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57 266752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27 380928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-13 06:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
 
 

16 Posts

January 10th, 2007 00:00

combofix part 2
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"RecordNow!"=""
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"VTTimer"="VTTimer.exe"
"LTMSG"="LTMSG.exe 7"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
@=""
"CAVRID"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Virus\\CAVRID.exe\""
"cafwc"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\cafw.exe -cl"
"capfaem"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\capfaem.exe"
"QOELOADER"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\CA Anti-Spam\\QSP-5.0.419.0\\QOELoader.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,96,00,00,00,00,00,00,00,6a,03,00,00,e2,02,00,00,00,\
 00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
 ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
 00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet 7100 series) - 1.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HPAiODevice(hp officejet 7100 series) - 1.lnk"
"backup"="C:\\WINDOWS\\pss\\HPAiODevice(hp officejet 7100 series) - 1.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\AiO\\HPOFFI~1\\Bin\\hpogrp07.exe -DeviceID 1168045088"
"item"="HPAiODevice(hp officejet 7100 series) - 1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Quicken Scheduled Updates.lnk"
"backup"="C:\\WINDOWS\\pss\\Quicken Scheduled Updates.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\bagent.exe "
"item"="Quicken Scheduled Updates"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Updates from HP.lnk"
"backup"="C:\\WINDOWS\\pss\\Updates from HP.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\UPDATE~1\\137903\\Program\\BACKWE~1.EXE -startup"
"item"="Updates from HP"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Organize.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\Organize.lnk"
"backup"="C:\\WINDOWS\\pss\\Organize.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\HPORGA~1\\bin\\DISPLA~1.EXE \"-application\" \"core.hp.main/application.xml\" \"-appname\" \"eLife\""
"item"="Organize"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^spamsubtract.lnk]
"path"="C:\\Documents and Settings\\Owner\\Start Menu\\Programs\\Startup\\spamsubtract.lnk"
"backup"="C:\\WINDOWS\\pss\\spamsubtract.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\INTERM~1\\SPAMSU~1\\SpamSub.exe -q"
"item"="spamsubtract"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCXMNTR"
"hkey"="HKLM"
"command"="ALCXMNTR.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTKit]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AUTOTKIT"
"hkey"="HKLM"
"command"="C:\\hp\\bin\\AUTOTKIT.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpqcmon"
"hkey"="HKLM"
"command"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphupd05"
"hkey"="HKLM"
"command"="c:\\Program Files\\HP\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpsysdrv"
"hkey"="HKLM"
"command"="c:\\windows\\system\\hpsysdrv.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="igfxtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\igfxtray.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KBD"
"hkey"="HKLM"
"command"="C:\\HP\\KBD\\KBD.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSMSGS"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sunkist2k]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="shwicon2k"
"hkey"="HKLM"
"command"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcmdmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wcmdmgrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WT GameChannel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GameChannel"
"hkey"="HKLM"
"command"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"
"inimapping"="0"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] 
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
 
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\CAAntiSpywareScan_Daily as Owner at 11 55 AM.job
Completion time: 07-01-09 20:21:35.18
C:\ComboFix.txt ... 07-01-09 20:21

10.4K Posts

January 12th, 2007 12:00

p0peye2

Sorry for the delay

Open Notepad (Not Wordpad)
Copy and paste the following into notepad
(Making sure there is no space between the top of the window and the first line)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]


After you copy and paste it your cursor should be at the end of the first line
Hit Enter so your cursor is under the last line
  • Click File->> Save as->>type in fix.reg->>
    Under " Save as type" Select " All Files"->> save it to your Desktop
    Close Notepad

The fix.reg file should now appear on your Desktop

Right-click it and select Merge->>If prompted to merge this, select Yes (it will appear that nothing has happened, but that's o.k.)

Reboot your PC->>Give me an update on CPU usage
 
Also are you running XP Home or XP pro
 
bamajim   Graduate of MRU
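An added pre-flight check for the fix.reg step above (example code written for this page, not a tool from the thread or from bamajim): it models the conditions regedit enforces before it will import a registry script, so it explains the "not a registry script" outcome when the header is not the whole of line 1 (a blank line, leading spaces, or a UTF-8 byte-order mark ahead of it; the BOM case is an assumption about how regedit reads line 1), flags a file that Notepad saved as .txt so Explorer never offers Merge, and parses the `[-KEY]` deletion syntax and `"name"="value"` lines with .reg backslash escaping. `FIX_REG` is the script from the post; the other inputs are constructed, and the value-setting sample reuses two lines from the ComboFix Reg Loading Points dump earlier in the thread.

```python
"""Pre-flight check for a Windows .reg script (added example, not from the thread)."""
import codecs
from dataclasses import dataclass, field

# Headers regedit accepts; the header must be the whole of line 1.
HEADER_V4 = "REGEDIT4"                              # ANSI-era format
HEADER_V5 = "Windows Registry Editor Version 5.00"  # Windows 2000+ format
ROOTS = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")


@dataclass
class RegScript:
    header: str = ""
    encoding: str = ""
    keys: dict = field(default_factory=dict)    # path -> None ([-KEY]) or {name: value}
    problems: list = field(default_factory=list)

    @property
    def importable(self) -> bool:
        return not self.problems


def decode(raw: bytes) -> tuple[str, str, bool]:
    """Decode as Notepad would have saved it; report whether a UTF-8 BOM was present."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le"), "utf-16-le", False
    if raw.startswith(codecs.BOM_UTF8):
        return raw[3:].decode("utf-8"), "utf-8", True
    return raw.decode("cp1252"), "ansi", False


def unescape(s: str) -> str:
    # Undo .reg escaping, scanned left to right: \\ -> \ and \" -> "
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def split_name(s: str):
    """Split '"name"=value' or '@=value' into (name, value); None if malformed."""
    if s.startswith("@="):
        return "@", s[2:]
    if not s.startswith('"'):
        return None
    i = 1
    while i < len(s) and s[i] != '"':          # find the closing quote, honouring escapes
        i += 2 if s[i] == "\\" else 1
    if i + 1 >= len(s) or s[i + 1] != "=":
        return None
    return unescape(s[1:i]), s[i + 2:]


def parse_value(v: str):
    """Strings are unescaped, dword: becomes an int, '-' deletes the value."""
    if len(v) >= 2 and v.startswith('"') and v.endswith('"'):
        return unescape(v[1:-1])
    if v.lower().startswith("dword:"):
        return int(v[6:], 16)
    if v == "-":
        return None
    return v                                    # hex:, hex(2): ... kept as written


def check_reg(raw: bytes, filename: str = "fix.reg") -> RegScript:
    text, enc, utf8_bom = decode(raw)
    lines = text.splitlines()
    first = lines[0] if lines else ""
    script = RegScript(header=first.strip(), encoding=enc)

    # Explorer's Merge verb is bound to .reg; Notepad appends .txt unless
    # "Save as type" was set to "All Files".
    if not filename.lower().endswith(".reg"):
        script.problems.append(f"{filename}: not a .reg file, so Merge is not offered")

    # The header must be line 1 with nothing ahead of it, otherwise regedit
    # reports "The specified file is not a registry script".
    if utf8_bom:   # assumption: regedit reads the BOM as part of line 1
        script.problems.append("UTF-8 byte-order mark precedes the header")
    if first.rstrip() not in (HEADER_V4, HEADER_V5):
        if script.header in (HEADER_V4, HEADER_V5):
            script.problems.append("whitespace before the header on line 1")
        elif len(lines) > 1 and lines[1].strip() in (HEADER_V4, HEADER_V5):
            script.problems.append("blank line before the header; it must be line 1")
        else:
            script.problems.append(f"unrecognised header {first!r}")

    current = None
    for n, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        if s.startswith("[") and s.endswith("]"):
            path = s[1:-1]
            delete = path.startswith("-")       # [-KEY] deletes the whole key
            if delete:
                path = path[1:]
            if path.split("\\", 1)[0].upper() not in ROOTS:
                script.problems.append(f"line {n}: unknown root key in {path!r}")
            current = None if delete else {}
            script.keys[path] = current
            continue
        parts = split_name(s)
        if parts is None or current is None:
            script.problems.append(f"line {n}: unexpected line {s!r}")
            continue
        name, value = parts
        current[name] = parse_value(value)
    return script


# Constructed inputs, as Notepad saves them in ANSI. FIX_REG is the script from the post.
FIX_REG = (b"REGEDIT4\r\n\r\n"
           b"[-HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig"
           b"\\startupreg\\AlcxMonitor]\r\n")
LEADING_BLANK = b"\r\n" + FIX_REG               # an empty line ahead of the header
VALUES = (b"REGEDIT4\r\n\r\n"                  # two lines taken from the ComboFix dump
          b"[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\run]\r\n"
          b'"ctfmon.exe"="C:\\\\WINDOWS\\\\system32\\\\ctfmon.exe"\r\n'
          b"[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\explorer]\r\n"
          b'"NoDriveTypeAutoRun"=dword:00000091\r\n')

if __name__ == "__main__":
    for label, raw, fn in [("fix.reg", FIX_REG, "fix.reg"),
                           ("leading blank line", LEADING_BLANK, "fix.reg"),
                           ("saved as .txt", FIX_REG, "fix.reg.txt")]:
        r = check_reg(raw, fn)
        print(f"{label}: {'importable' if r.importable else 'REJECTED'} {r.problems}")
```

Run it on the bytes of the file you actually saved (`check_reg(open(path, "rb").read(), path)`) before merging; if it reports a problem, the file would have been rejected for that reason rather than for its contents.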
 

16 Posts

January 12th, 2007 15:00

bamajim
 
I followed your instructions but received the following error: "Cannot import: the specified file is not a registry script. You can only import binary registry files from within the registry editor."
 
I can only assume that this is not what you expected. I will shut down and see if anything changes upon power up. I will post again later today with an update on CPU.
 
I am running XP Home
 
thanks,
p0peye2

16 Posts

January 13th, 2007 01:00

bamajim
 
Here are a few bits of history info and where I stand tonight.
 
About a month ago is when the system started acting up; it got to the point that it would not even let you shut it off, and I had to kill the power to turn it off. Then it would only start in safe mode. It then got to the point where it would not boot at all. I then did a system restore and it seemed to be functioning well for a few days before reverting back to CPU 100%.
 
I have 4 different accounts set up on the machine, 1 as admin only and then 3 family members. We only use the admin account strictly for administration and the other accounts for daily activities. Today, I am noticing that if I sign on to the admin account and do not have any of the other accounts open, the machine appears to be running well (this may have been the case all along, but it just dawned on me that the problem seems to only occur when multiple users are logged on). Right now I am on the admin account and the CPU is running 4%-11% and spiking to 44% periodically.
 
Thanks for the hand,
p0peye2

10.4K Posts

January 13th, 2007 22:00

p0peye2
 
1. You need to log in as admin in order to run the fix.reg file I had you create.
 
2. You need to run CCleaner in each one of the logins. And yes running more than one account at a time could create CPU running extremely high depending on the RAM you have available on your PC.
 
bamajim   Graduate of MRU

 

16 Posts

January 14th, 2007 01:00

bamajim

The file that received the error I posted earlier was run as administrator.

I have run CCleaner on each account.

I understand that the system will run slower with multiple users logged on. We have never had the system unable to function with 2 users logged on. It is getting to the point that the system is so bogged down it will not even allow you to turn it off. CPU is still running at 100%.

p0peye2

10.4K Posts

January 15th, 2007 00:00

p0peye2

Let's see if we have something running in the background, that is not showing up in the information we have.

Log into one of the accounts (one you are having trouble with)

1. Please download F-Secure Blacklight (blbeta.exe)
  • and Save to your Desktop
    Double click the file to run it
    It will create the "fsbl-xxxxxxx.log" on your desktop.
    The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
    Exit Blacklight and post the contents of the log in your next reply.
2. Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As" ) to download Silent Runners.

  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt "All Done!", double-click the new text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Then post the results of both scans
 
bamajim   Graduate of MRU
 