Same Problem Different Computer

Question

I posted a HJT file earlier tonight for a different computer.  The computer I'm currently using now is having the same problem.  Something is eating up my CPU time.   Please help.   Logfile of HijackThis v1.97.7Scan saved at 9:35:50 PM, on 6/6/2004Platform: Windows XP SP1 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exeC:\WINDOWS\system32\cisvc.exeC:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exeC:\Program Files\Norton SystemWorks\Norton AntiVirus
avapsvc.exeC:\Program Files\Norton Personal Firewall\NISUM.EXEC:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXEC:\PROGRA~1\NORTON~1\SPEEDD~1
opdb.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Norton Personal Firewall\SymProxySvc.exeC:\WINDOWS\System32\ZipToA.exeC:\Program Files\Norton Personal Firewall\NISSERV.EXEC:\WINDOWS\Explorer.EXEC:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeC:\Program Files\Common Files\Dell\EUSW\Support.exeC:\Program Files\Yahoo!\browser\ybrwicon.exeC:\program files\support.com\bin	gcmd.exeC:\PROGRA~1\NORTON~1\NORTON~3
avapw32.exeC:\PROGRA~1\Yahoo!\browser\ycommon.exeC:\Program Files\Norton Personal Firewall\IAMAPP.EXEC:\WINDOWS\System32\hkcmd.exeC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXEC:\Program Files\BroadJump\Client Foundation\CFD.exeC:\WINDOWS\BCMSMMSG.exeC:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exeC:\Program Files\Common Files\Real\Update_OBealsched.exeC:\Program Files\Norton Personal Firewall\ATRACK.EXEC:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exeC:\Program Files\Yahoo!\browser\ybrowser.exeC:\WINDOWS\system32\cidaemon.exeC:\HJT\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.htmlR1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.htmlR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htmR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://start.earthlink.net/R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.htmlR1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dllO2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dllO3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocxO3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dllO3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dllO4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exeO4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exeO4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exeO4 - HKLM\..\Run: [tgcmdprovidersbc] 'c:\program files\support.com\bin	gcmd.exe' /server /startmonitor /deaf /nosystrayO4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~3
avapw32.exeO4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exeO4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXEO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exeO4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 'EPSON Stylus CX3200' /O6 'USB001' /M 'Stylus CX3200'O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exeO4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [FullAudio] C:\PROGRA~1\MUSICN~1\WMPImporter.exeO4 - HKLM\..\Run: [AdaptecDirectCD] 'C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe'O4 - HKLM\..\Run: [TkBellExe] 'C:\Program Files\Common Files\Real\Update_OBealsched.exe' -osbootO4 - HKCU\..\Run: [IM] C:\Program Files\earthlinkim\aim.exe -cnetwait.odlO4 - HKCU\..\Run: [DivX Updater] C:\WINDOWS\System32\DivX.ExeO4 - HKCU\..\Run: [E6TaskPanel] 'C:\Program Files\EarthLink TotalAccess\TaskPanl.exe' -winstartO4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quietO4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel presentO8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htmO9 - Extra button: Yahoo! Login (HKLM)O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)O9 - Extra button: Messenger (HKLM)O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)O9 - Extra button: Real.com (HKLM)O9 - Extra button: Messenger (HKLM)O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)O16 - DPF: ChatSpace Java Client 3.0.0.205 - http://24.199.8.202/Java/cms3205.cabO16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CABO16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cabO16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exeO16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cabO16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exeO16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,72/mcinsctl.cabO16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exeO16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cabO16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cabO16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.8520486111O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dllO16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cabO16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cabO16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cabO16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{18F5492E-F341-484D-9A79-D2215E0E1F46}: NameServer = 151.164.64.201 151.164.1.8O17 - HKLM\System\CS1\Services\Tcpip\..\{18F5492E-F341-484D-9A79-D2215E0E1F46}: NameServer = 151.164.64.201 151.164.1.8

Texruss · Answer

Hang on for a while...have older posts to check. Texruss

manna · Answer

?????

Texruss · Answer

Sorry...the enemy is legion and we are few.

Run Hijackthis in new folder, scan and check the box left of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = c:\searchpage.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Common Files\svchost.exe

With no other windows open click on fix checked button in Hijackthis.

Exit Hijackthis.

Reboot to SAFE MODE and Show HIDDEN FILES and folders (VERY IMPORTANT!)

FAQ 8 and 9 on this page: http://www.russelltexas.com/malware/faqhijackthis.htm

Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Drill on down and delete the following files and/or folders: (Some may be gone)

C:\searchpage.html                                                        file
C:\Program Files\Common Files\svchost.exe               file
Comments: This is a Trojan dropper file and not the legitimate svchost.exe file which is found
in C:\Windows\System32

C:\Program Files\LimeShop                                           delete folder

Reboot in normal mode Windows and run Disk Cleaner: type cleanmgr at Start/Run. Scan all hard drives and check all categories at the end and click OK.

If you have any problems with Disk Cleaner completing...XP users can fix it here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;812248

Or try http://www2.whidbey.net/djdenham/DeleteOldFiles.htm

Download and run these two programs at the following link (Spybot S&D and Adaware). Use Spybot first.

Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.

Follow the directions in this detailed guide for Spybot and Adaware...print out the guide and go slow on the directions for the custom setup of Adaware:

http://www.cjwd.demon.co.uk/spybot-adaware.html

After cleaning with Spybot and Adaware, reboot a final time.

Next...open Internet Explorer, pull down under Tools to Windows Update and check for critical updates at Microsoft.
Install all found.

Browse a bit and post a new Hijackthis log.

After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.

See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm

All the best,

Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum

Virus & Spyware

Was this post helpful?