Tech Support Guy Forums > Security & Malware Removal > General Security >
I think I have a virus.

waxxedazz (Junior Member, 6 posts; joined Jun 2008)
02-Jun-2008, 11:13 PM #1
I think I have a virus.
Lately I have been having problems with my active windows going from active to inactive repeatedly. I have odd things happening in background windows. My system is constantly at 50% usage and whatever is going on is bogging down my system at certain times. I am not the most experienced, but from what I can tell it seems like some sort of key logger. While the flickering is going on I cannot turn off the computer with the start button; I have to use the task manager. I can click start, but as soon as I go to the shutdown window it automatically closes it. I have run updated Norton, AVG and ESET scans without it being caught. I'm not sure exactly what is happening, but I know it is automated. I have also run Spybot. Any help would be much appreciated, or at least a point in the right direction. The fact that 3 of the more known antivirus programs aren't finding anything bothers me. Thanks in advance.
waxxedazz (Junior Member, 6 posts; joined Jun 2008)
03-Jun-2008, 12:52 AM #2
Flash Bug
A friend of mine suggested I might have the Flash bug. Evidently an exploit was found in the later versions of Flash Player allowing people to access your PC. I have updated this and am still having my problems. Since it was out of date I may be in trouble. My CPU has been running at 50% usage for a few days. A lot could have been done. I am installing Zone Alarm; it was suggested I do that by my friend.
lunarlander (Senior Member, 1,328 posts; joined Sep 2007)
03-Jun-2008, 06:28 PM #3
You may want to try some of the online scanners listed in this forum's sticky 'security help tools'.

You may also want to post a HijackThis scan log for one of the golden-shields to take a look at. HijackThis is available here:

http://www.trendsecure.com/portal/en...kthis/download

Use "Do a system scan and save a log file"; Notepad will open with a log of what it finds. Copy and paste the contents here. Don't ask it to fix anything.
waxxedazz (Junior Member, 6 posts; joined Jun 2008)
03-Jun-2008, 08:43 PM #4
Here you go. I will check out a few of the online scanners I know about, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:33 PM, on 6/3/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Logitech\G-series Software\LCDMon.exe
C:\Program Files\Razer\Lachesis\razerhid.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\pcaui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\Lachesis\OSD.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDClock.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDCountdown\LCDCountdown.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDPop3\LCDPOP3.exe
C:\Program Files\Logitech\G-series Software\Applets\LCDMedia.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Razer\Lachesis\razertra.exe
C:\Program Files\Razer\Lachesis\razerofa.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Joe\Downloads\HiJackThis.exe
C:\Windows\system32\WerCon.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\G-series Software\LCDMon.exe"
O4 - HKLM\..\Run: [Lachesis] C:\Program Files\Razer\Lachesis\razerhid.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\Windows\System32\ZoneLabs\vsmon.exe
--
End of file - 8483 bytes
anthonyb (Senior Member, 101 posts; joined Feb 2005; Experience: Intermediate)
05-Jun-2008, 12:00 AM #5
WAXXED

I am not an expert in any of this, but it appears from your post that you are running two or three anti-virus programs on your machine. Most experts recommend against doing that, because of conflicts with each other. You may want to dump all but one of them.
A second thing: Zone Alarm is a firewall and will not remove any infections/spyware/malware, etc. you have on your machine. If you install Zone Alarm, which you should have done long ago (my opinion), you should shut down your Windows firewall. Zone Alarm blocks incoming and outgoing ... The Windows firewall does not, and you should not have two firewalls running simultaneously.

Good luck
waxxedazz (Junior Member, 6 posts; joined Jun 2008)
05-Jun-2008, 06:55 PM #6
I have Zone Alarm Suite. It has antivirus and firewall. I turned off the antivirus on Zone Alarm and only use ESET for antivirus. I just prefer the UI on it. Also, I uninstalled Norton, so I'm not sure why anything for Symantec is on there.
stocker340 (Senior Member, 151 posts; joined Oct 2002; Location: South Dakota)
07-Jun-2008, 01:42 AM #7
Just because you uninstall Norton, it does not mean many remnants are not hanging around:
http://service1.symantec.com/Support...05033108162039

Get rid of the multiple antivirus programs!!
BAD DEAL!
Looking at the HijackThis log, you have way too much stuff going on and installed on this PC.
TOGG (Distinguished Member, 4,901 posts; joined Apr 2002; Location: Birmingham, England)
07-Jun-2008, 04:37 PM #8
I'm not an expert on HJT logs either, but these are the things I noticed:

1. Your version of Sun Java is hopelessly out of date, and old versions can be security risks; uninstall it and get the latest version, 1.6.0_6, from here: http://www.java.com/en/download/manual.jsp

2. ESET Smart Security is an anti-virus, firewall, anti-spam and anti-spyware program, so if you have a Zone Alarm suite and a residue of Symantec still running, it is not surprising that your CPU usage is so high! If you want to use 'suites' you must decide which one you prefer and get rid of the others.

3. It would be a good idea to click on the 'Report' option and ask a Moderator to transfer this thread to the Malware Removal Forum so that the real experts can take a look at it.
__________________
Nothing matters very much, and few things matter at all.

Lord Balfour 1848-1930
waxxedazz (Junior Member, 6 posts; joined Jun 2008)
09-Jun-2008, 01:09 AM #9
Ok, I see what you're talking about now. I am using ESET alone now and am going to get rid of Zone Alarm. I had too many problems getting it installed with Vista anyway.
TechOutsider (Account Disabled, 303 posts; joined Jun 2008; Location: Florida; Experience: Advanced)
09-Jun-2008, 09:44 AM #10
C:\Windows\System32\rundll32.exe looks suspicious... scan it with an anti-virus scanner you have.
rangerdud105 (Member, 41 posts; joined Jan 2008; Experience: Intermediate)
20-Jun-2008, 12:56 AM #11
Quote:
Originally Posted by TechOutsider View Post
C:\Windows\System32\rundll32.exe looks suspicious... scan it with an anti-virus scanner you have.
It shouldn't be suspicious. rundll32.exe is important to your computer. ( http://support.microsoft.com/kb/164787 )

Rundll32 loads and runs 32-bit DLLs.
TechOutsider (Account Disabled, 303 posts; joined Jun 2008; Location: Florida; Experience: Advanced)
20-Jun-2008, 12:59 PM #12
Try clamwin AV and use the scan memory feature. Numerous malicious programs use rundll32...such as trojan.vundo.

Also try terminating the process. If it reappears, something is wrong.
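Following up on the rundll32 exchange in #10 to #12: rundll32.exe is a normal Windows component, so the thing worth checking in a HijackThis log is which DLL and export each rundll32 autorun points at, not the presence of rundll32 itself. The Python below is an added example, not part of the thread and not HijackThis's own code; it parses a handful of constructed lines in HijackThis v2 format (modelled on the log posted above, plus one made-up `[Updater]` entry with a hypothetical Temp path), lists the DLLs loaded through rundll32, flags the ones given by an explicit path outside the Windows tree, and separately lists entries whose target file is missing (the Symantec leftovers discussed in #7).

```python
import re

# Constructed sample in HijackThis v2 log format: entries modelled on the log posted
# above plus one made-up [Updater] entry (hypothetical path, not from the thread).
SAMPLE_LOG = r"""
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [Updater] rundll32.exe C:\Users\Joe\AppData\Local\Temp\x1.dll,Start
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # "O4 - ..." -> ("O4", "...")
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?P<dll>"[^"]+"|\S+?),(?P<entry>\S+)', re.I)
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
WINDOWS_DIRS = ("c:\\windows\\",)   # DLLs under the Windows tree are treated as expected


def parse_log(text):
    """Return (entry_type, body) for every HijackThis entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def rundll32_targets(entries):
    """(autorun name, DLL, export) for every O4 autorun that is launched via rundll32."""
    out = []
    for kind, body in entries:
        run = RUN_RE.match(body) if kind == "O4" else None
        hit = RUNDLL_RE.search(run.group("cmd")) if run else None
        if hit:
            out.append((run.group("name"), hit.group("dll").strip('"'), hit.group("entry")))
    return out


def missing_file_entries(entries):
    """Entries whose target is gone: uninstall leftovers (the Symantec case) or a removed payload."""
    return [(k, b) for k, b in entries if MISSING_RE.search(b)]


def rundll32_outside_windows(targets):
    """rundll32 loads of DLLs given by an explicit path outside the Windows tree.

    A bare filename (oobefldr.dll) resolves via the DLL search path and is not flagged
    here; that is a limitation of this check, not evidence that the entry is clean."""
    return [t for t in targets
            if "\\" in t[1] and not t[1].lower().startswith(WINDOWS_DIRS)]
```

The same parser can be pointed at a full saved log instead of SAMPLE_LOG; the "(file missing)" list is what to compare against the uninstall cleanup instructions linked in #7.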
suns2remember (Account Disabled, 41 posts; joined Jun 2008; Location: AZ; Experience: Intermediate)
20-Jun-2008, 03:40 PM #13
First of all, I don't recommend using 3 programs for the same....
You have 3 running: Norton, Zone Lab and Windows Defender.

The other guy was right. Use one that you think will benefit you the most. I use "ONLY" BitDefender for both my antivirus and firewall. I shut down my Windows firewall too.

For spyware, I run Spyware Doctor once a week and not on the startup.

Plus Mil Shield runs after I log out of my puter...

" Mil Shield 6.2 is the answer of all privacy questions. It protects your privacy by removing all tracks from your online or offline computer activities. Mil Shield also shreds the content of the infamous INDEX.DAT files. Cleaning up the history of your activities completely and safely is impossible without specialized program because most of the tracks are not visible by any standard means and can not be removed manually."
waxxedazz (Junior Member, 6 posts; joined Jun 2008)
29-Jun-2008, 11:30 AM #14
Ok, I uninstalled the extra antivirus. The Norton entry was residual from the uninstall, I guess. I had a little help from a friend and we both ended up stumped again. I tried rolling back to an earlier date without effect. I finally decided to stop messing around with it and format. I needed my comp for school and didn't have time to mess around any more. Within a week it was back. I figured the only way for this would be to have gotten it from either my flash drive or my USB drive. I don't think they were connected when I was running these scans, because I found a trojan and three ad installers. ESET noted the trojan as
Quote:
6/28/2008 4:25:37 PM Real-time file system protection file F:\$RECYCLE.BIN\S-1-5-21-2189906899-3719092395-1426959495-1000\$RM8H3E0.EXE probably a variant of Win32/Rbot trojan deleted - quarantined Event occurred on a file modified by the application: C:\Windows\system32\DllHost.exe.
As soon as ESET found the ad program on my USB drive the blinking stopped. I'm guessing it was from the ad program popups attempting to display the ads and my software blocking them repeatedly. I appreciate the help you guys/gals gave me, thanks a ton.
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.