# please analyze hijackthis log-computer freezing

Discussion in 'Virus & Other Malware Removal' started by jesseskipper, Apr 30, 2004.

1. ### jesseskipper (Thread Starter)

My computer has been very slow and occasionally freezing up the past few days. It has never done this before. I am running Windows 2000. I have Webroot Spy Sweeper (purchased at Office Depot), ZoneAlarm firewall, and Symantec anti-virus. I've also downloaded Bazooka and SpyHunter free anti-spyware. None of the anti-spyware programs shows anything except: SpyHunter shows "seekseek" in a certain registry location, but will not remove it without my buying the full software. I looked around and found instructions for removing seekseek myself, and based on that it looks like I don't have it: the files I am supposed to remove are not on my computer, either in the places they say they should be, or, based on a search, at all; and the registry entries I am supposed to change aren't there either. Is this a scam to get me to buy the software, or is the seekseek program sometimes in different places and in different forms than what I read?

Of course, I get a dozen or more e-mails every day with virus attachments on them. I never open them, and often get the notification windows asking me what to do. I always choose to delete the attachment, then I delete the e-mail altogether and then empty the deleted items folder.

I participate in several listservs, and sometimes open attachments, but of course not if there's been a warning the attachment is infected.

In checking my processes through Task Manager, I have noted huge CPU use by CFD.exe. I've tried to shut it down, but it doesn't stay shut down and it appears it is in fact somehow necessary despite what I've read over the past few days while trying to figure this out on my own. Also, I've had some runtime error messages for cfd.exe, most recently that it shut down incorrectly (or something like that) when I haven't done anything.

Also, ccd.exe always asks permission to access the internet, which I grant based on what I read earlier.

Anyway, here's my HijackThis log. I hope someone can help me, I have a lot of work to do and this is really slowing me down.

Logfile of HijackThis v1.97.7
Scan saved at 8:51:19 PM, on 4/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINNT\system32\BRMFRSMG.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
C:\Program Files\Navnt\POPROXY.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Navnt\navapw32.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DirectCD\directcd.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [3c1807pd] C:\WINNT\SYSTEM32\3cmlink.exe RunServices \Device\3cpipe-3c1807pd
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POPROXY.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray /deaf
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKLM\..\RunOnce: [KB837272] "C:\WINNT\INF\unregmp2.exe" /UpdateWMP
O4 - Startup: Medic.lnk = C:\Program Files\Road Runner\Medic\RRMedic.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16758e7da707b7b6d515/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37880.9156712963
O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} (WSpell Spelling Checker Control) - https://www.pdesigner.com/pd3/htmlEditor/wspell.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DCE3340D-3568-4883-8B15-F6E296BC9445} (NCSVersion Class) - http://www.leepa.org/ecwplugins/ncs.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
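An added triage helper, not part of the original thread and not HijackThis code: it parses lines in the HijackThis log format shown above and flags the kinds of entries a reviewer looks at first (a BHO registration with no file behind it, an ActiveX download served from a bare IP address, and a proxy override). SAMPLE_LOG is a constructed five-line excerpt modelled on the log above.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed excerpt in HijackThis log format: "<section code> - <body>".
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/16758e7da707b7b6d515/netzip/RdxIE601.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# HijackThis section codes are R0-R3, F0-F3, N1-N4 and O1-O23; everything else
# (header lines, the running-process list) is skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")


def parse_entries(text):
    """Return (section_code, body) tuples for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def host_is_ip(url):
    """True when the URL's host is a literal IPv4/IPv6 address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(text):
    """Return (code, reason, body) for entries that merit a closer look."""
    findings = []
    for code, body in parse_entries(text):
        if code == "O2" and body.endswith("(no file)"):
            findings.append((code, "BHO registered but its file is missing", body))
        elif code == "O16" and host_is_ip(body.rsplit(" - ", 1)[-1]):
            findings.append((code, "ActiveX control downloaded from a bare IP address", body))
        elif code == "R1" and "ProxyOverride" in body:
            findings.append((code, "proxy override set; check what local proxy explains it", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```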

2. ### jesseskipper (Thread Starter)

BTW, another reason I don't think I have seek seek is that it is supposed to divert your home page to some other home page. That isn't happening. Also, I got the SpyHunter weeks ago, and it showed the seekseek well before my problems started a few days ago.

No help?

4. ### cybertech (Retired Moderator)

Is this a stand alone or networked pc?

5. ### jesseskipper (Thread Starter)

One other computer is networked.

6. ### jesseskipper (Thread Starter)

In other words, this computer is networked to one other. A friend did it, but I understand it's a very basic networking set-up, using the software that was included with Windows on the computers. I have a cable modem and router, so both computers go through the router.

BTW, my original post referred to SpyHunter, and I had an experience with it today that prompted me to come back here to see what I could find out about it. Following is my reply post on another thread. It may be interesting.

Anyway, I'd still appreciate any help with my HJT log.

"I posted a HijackThis log and questions a few days ago and no one has replied. The following is related to that post, so if this piques your interest and you'd like to take a look I'd appreciate it.

As mentioned in my earlier post, I had downloaded the free SpyHunter weeks ago and it also showed seekseek. I also did not want to buy SpyHunter, so I searched the internet for instructions on how to remove seekseek. What I found gave instructions for removing specific files and changing specific registry entries. I did not have any of these files or entries on my computer, leading me to believe that SpyHunter was mistaken and probably intentionally giving a false alarm in order to sell their software.

The post above tends to confirm that suspicion.

Last week, based on info here, I downloaded Ad-Aware, ran it, and removed what I think were some dialers inadvertently downloaded while surfing. Ad-Aware did not show me having seekseek. I also have Webroot spyseeker, which has never shown seekseek.

Today I updated Ad-Aware, scanned again, and lo and behold it showed the SpyHunter software as undesirable, calling it a data miner. So I deleted SpyHunter.

It appears Ad-Aware has concluded that not only is SpyHunter ineffective but it is a form of spyware (malware? I'm not sure I've got the terminology down yet) itself.

Anyone else have the same experience? Any comments on SpyHunter? I'd like to know, and I am posting this for general info."

7. ### cybertech (Retired Moderator)

The SpyHunter question has been answered in the other thread.

Do you and the other machine share a printer?
If so, is it on the slow machine or the other machine?

8. ### jesseskipper (Thread Starter)

No, at least we don't actually do it. Whether or not it's set up that way I don't know. I don't think so.

BTW, I just had another of the CFD.exe error messages. Twice in the past 15 minutes I got the following error message:

microsoft visual c++ runtime library

Runtime error!

R6025
-pure virtual function call

9. ### jesseskipper (Thread Starter)

What do you mean the SpyHunter question has been answered in the other thread? Which other thread?

And, I am curious why you are asking about my networking set-up?

10. ### jesseskipper (Thread Starter)

I realize I may not have answered your question. If a printer is shared, it's the printer on the slow computer.

12. ### cybertech (Retired Moderator)

W2K can act very much like you are describing in a network environment if you have mapped drives that are not currently online; shared printers can do the same thing if one is set as the default and is not available.