1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Process eating up CPU usage... since getting a virus today..hijack this log

Discussion in 'Virus & Other Malware Removal' started by minish1, Feb 15, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. minish1

    minish1 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    46
    the other day i got an IM on msn messenger called handcuff.gil? or something similar, and it IMed the link to everyone on my list, then logged me off, and i had to end the process in task manager to relog MSN messenger... since then i got a virus and deleted it successfully, but now there is a process running my CPU at 100%, making my computer run slow... please help!



    Logfile of HijackThis v1.99.0
    Scan saved at 8:09:29 PM, on 2/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\system32\nvsc32.exe
    C:\Program Files\Admanager Controller\AdManCtl.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Admanager Controller\AdManKeep.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\aim\aim.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Tyler\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cogwtdstkyb.biz/x80YWnKIfXyJ_XkgIgZaOQPvVQmwW1jO0AIZWCRSFS3DDDPzqy_O18p9lzoI5XGN.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O1 - Hosts: 127.0.0.0 localhost
    O1 - Hosts: 127.0.0.2 auditmypc.com
    O1 - Hosts: 127.0.0.3 boards.cexx.org
    O1 - Hosts: 127.0.0.4 bulletproofsoft.net
    O1 - Hosts: 127.0.0.5 camtech2000.net
    O1 - Hosts: 127.0.0.6 cexx.org
    O1 - Hosts: 127.0.0.7 computercops.us
    O1 - Hosts: 127.0.0.8 ct7support.com
    O1 - Hosts: 127.0.0.9 doxdesk.com
    O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
    O1 - Hosts: 127.0.0.21 kephyr.com
     
  2. zupadupa

    zupadupa

    Joined:
    Feb 9, 2005
    Messages:
    64
    which process is it and go here to check which process can or cannot (or should not) be terminated:

    http://www.processlibrary.com/

    It will tell you about the process.

    If anything run another virus scan and see if anything is detected
     
  3. sun_beam

    sun_beam

    Joined:
    Apr 18, 2004
    Messages:
    230
    hijack this needs a permanent folder please make a new folder name it hijack, move hijack this to that folder, and post a new full log.
     
  4. minish1

    minish1 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    46
    Logfile of HijackThis v1.99.0
    Scan saved at 10:58:27 PM, on 2/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\system32\nvsc32.exe
    C:\Program Files\Admanager Controller\AdManCtl.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\Program Files\Admanager Controller\AdManKeep.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\aim\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\DOCUME~1\Tyler\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cogwtdstkyb.biz/x80YWnKIfXyJ_XkgIgZaOQPvVQmwW1jO0AIZWCRSFS3DDDPzqy_O18p9lzoI5XGN.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O1 - Hosts: 127.0.0.0 localhost
    O1 - Hosts: 127.0.0.2 auditmypc.com
    O1 - Hosts: 127.0.0.3 boards.cexx.org
    O1 - Hosts: 127.0.0.4 bulletproofsoft.net
    O1 - Hosts: 127.0.0.5 camtech2000.net
    O1 - Hosts: 127.0.0.6 cexx.org
    O1 - Hosts: 127.0.0.7 computercops.us
    O1 - Hosts: 127.0.0.8 ct7support.com
    O1 - Hosts: 127.0.0.9 doxdesk.com
    O1 - Hosts: 127.0.0.20 kellys-korner-xp.com
    O1 - Hosts: 127.0.0.21 kephyr.com
    O1 - Hosts: 127.0.0.22 lavasoft.de
    O1 - Hosts: 127.0.0.23 lavasoftusa.com
    O1 - Hosts: 127.0.0.24 lurkhere.com
    O1 - Hosts: 127.0.0.25 majorgeeks.com
    O1 - Hosts: 127.0.0.26 merijn.org
    O1 - Hosts: 127.0.0.27 mjc1.com
    O1 - Hosts: 127.0.0.28 moosoft.com
    O1 - Hosts: 127.0.0.29 mvps.org
    O1 - Hosts: 127.0.0.30 net-integration.net
    O1 - Hosts: 127.0.0.31 noadware.net
    O1 - Hosts: 127.0.0.32 no-spybot.com
    O1 - Hosts: 127.0.0.33 onlinepcfix.com
    O1 - Hosts: 127.0.0.34 pchell.com
    O1 - Hosts: 127.0.0.35 pestpatrol.com
    O1 - Hosts: 127.0.0.36 safer-networking.org
    O1 - Hosts: 127.0.0.37 secure.spykiller.com
    O1 - Hosts: 127.0.0.38 secureie.com
    O1 - Hosts: 127.0.0.39 security.kolla.de
    O1 - Hosts: 127.0.0.40 spybot.info
    O1 - Hosts: 127.0.0.41 spychecker.com
    O1 - Hosts: 127.0.0.42 spychecker.com
    O1 - Hosts: 127.0.0.43 spycop.com
    O1 - Hosts: 127.0.0.44 spyguard.com
    O1 - Hosts: 127.0.0.45 spykiller.com
    O1 - Hosts: 127.0.0.46 spyware.co.uk
    O1 - Hosts: 127.0.0.47 spyware-cop.com
    O1 - Hosts: 127.0.0.48 spywareinfo.com
    O1 - Hosts: 127.0.0.49 spywarenuker.com
    O1 - Hosts: 127.0.0.50 spywareremove.com
    O1 - Hosts: 127.0.0.51 spywareremove.com
    O1 - Hosts: 127.0.0.52 stopzillapro.com
    O1 - Hosts: 127.0.0.53 sunbelt-software.com
    O1 - Hosts: 127.0.0.54 thiefware.com
    O1 - Hosts: 127.0.0.55 tomcoyote.org
    O1 - Hosts: 127.0.0.56 unwantedlinks.com
    O1 - Hosts: 127.0.0.57 webattack.com
    O1 - Hosts: 127.0.0.58 wilders.org
    O1 - Hosts: 127.0.0.59 www.auditmypc.com
    O1 - Hosts: 127.0.0.60 www.bulletproofsoft.net
    O1 - Hosts: 127.0.0.61 www.cexx.org
    O1 - Hosts: 127.0.0.62 www.computercops.us
    O1 - Hosts: 127.0.0.63 www.ct7support.com
    O1 - Hosts: 127.0.0.64 www.doxdesk.com
    O1 - Hosts: 127.0.0.65 www.eblocs.com
    O1 - Hosts: 127.0.0.66 www.enigmasoftwaregroup.com
    O1 - Hosts: 127.0.0.67 www.free-spyware-scan.com
    O1 - Hosts: 127.0.0.68 www.free-web-browsers.com
    O1 - Hosts: 127.0.0.69 www.grc.com
    O1 - Hosts: 127.0.0.70 www.grisoft.com
    O1 - Hosts: 127.0.0.71 www.hackfaq.org
    O1 - Hosts: 127.0.0.72 www.hazeleger.net
    O1 - Hosts: 127.0.0.73 www.javacoolsoftware.com
    O1 - Hosts: 127.0.0.74 www.kellys-korner-xp.com
    O1 - Hosts: 127.0.0.75 www.kephyr.com
    O1 - Hosts: 127.0.0.76 www.lavasoft.de
    O1 - Hosts: 127.0.0.77 www.lavasoftusa.com
    O1 - Hosts: 127.0.0.78 www.lurkhere.com
    O1 - Hosts: 127.0.0.79 www.majorgeeks.com
    O1 - Hosts: 127.0.0.80 www.merijn.org
    O1 - Hosts: 127.0.0.81 www.mjc1.com
    O1 - Hosts: 127.0.0.82 www.moosoft.com
    O1 - Hosts: 127.0.0.83 www.mvps.org
    O1 - Hosts: 127.0.0.84 www.net-integration.net
    O1 - Hosts: 127.0.0.85 www.noadware.net
    O1 - Hosts: 127.0.0.86 www.no-spybot.com
    O1 - Hosts: 127.0.0.87 www.onlinepcfix.com
    O1 - Hosts: 127.0.0.88 www.pchell.com
    O1 - Hosts: 127.0.0.89 www.pestpatrol.com
    O1 - Hosts: 127.0.0.90 www.safer-networking.org
    O1 - Hosts: 127.0.0.91 www.secureie.com
    O1 - Hosts: 127.0.0.92 www.security.kolla.de
    O1 - Hosts: 127.0.0.93 www.spybot.info
    O1 - Hosts: 127.0.0.94 www.spychecker.com
    O1 - Hosts: 127.0.0.95 www.spychecker.com
    O1 - Hosts: 127.0.0.96 www.spycop.com
    O1 - Hosts: 127.0.0.97 www.spyguard.com
    O1 - Hosts: 127.0.0.98 www.spykiller.com
    O1 - Hosts: 127.0.0.99 www.spyware.co.uk
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [nvsv32.exe] asr_fnt.exe
    O4 - HKLM\..\Run: [NvCplScan] nvsc32.exe
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\RunServices: [nvsv32.exe] asr_fnt.exe
    O4 - HKLM\..\RunServices: [NvCplScan] nvsc32.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] nvsc32.exe
    O4 - HKLM\..\RunOnce: [nvsv32.exe] asr_fnt.exe
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [NvCplScan] nvsc32.exe
    O4 - HKCU\..\Run: [nvsv32.exe] asr_fnt.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunOnce: [nvsv32.exe] asr_fnt.exe
    O4 - HKCU\..\RunOnce: [NvCplScan] nvsc32.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: LicCtrl Service - Unknown - C:\WINDOWS\runservice.exe
    O23 - Service: SmartLinkService - Unknown - slserv.exe (file missing)
     
  5. minish1

    minish1 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    46
    also, i went through my chat logs and found the link that IM'ed itself to everyone on my list and then logged me off etc.: http://members.home.nl/marnixstaal/handcuffs.pif

    i dont know if there is anything illegal about this site or what it does to your computer of even if you guys can do anything about it, but figured i'd at least post it here and hope maybe someone will be warned and not click it if it gets sent to them
     
  6. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    A new version of Hijack This has been released so get rid of the old one and
    download from this site http://www.thespykiller.co.uk/downloads.htm

    Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described


    CWshredder from http://www.subratam.org/?page=removal
    Spybot - Search & Destroy from http://security.kolla.de
    Download Adaware SE http://www.lavasoftusa.com/support/download/


    then
    Run CWSHREDDER,

    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.
    and make sure you have all of Microsoft security updates

    then reboot &

    Run Sybot S&D

    After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

    Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

    then reboot &


    Run ADAWARE

    Install the program and launch it.

    First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick Perform full system scan.

    Next deselect Search for negligible risk entries.

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)



    Reboot &

    Download and install the Micro$oft antispyware BETA from http://www.microsoft.com/athome/security/spyware/software/default.mspx and let it fix anything it finds (when it finds things, please quarantine them rather than delete just in case as it is a beta and occasional False positives happen)

    First press file and check for updates and then run it

    Recent tests suggest that a combination of Adaware & M$AS removes approx 80% of spywares/Adwares, much higher than any other combination


    Restart your computer.


    then post a new hijackthis log
     
  7. minish1

    minish1 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    46
    ok, dl'ed those and ran them... each restart i keep getting warnings from avast that a virus has been detected... here is the new hijackthis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 12:51:08 PM, on 2/16/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\Program Files\Admanager Controller\AdManCtl.exe
    C:\WINDOWS\jjugtejd.exe
    C:\Program Files\Admanager Controller\AdManKeep.exe
    C:\WINDOWS\system32\asr_fnt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Tyler\My Documents\hijack\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cogwtdstkyb.biz/x80YWnKIfXyJ_XkgIgZaOQPvVQmwW1jO0AIZWCRSFS3DDDPzqy_O18p9lzoI5XGN.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [nvsv32.exe] asr_fnt.exe
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\Run: [dI61ufR] C:\WINDOWS\jjugtejd.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\RunServices: [nvsv32.exe] asr_fnt.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] nvsc32.exe
    O4 - HKLM\..\RunOnce: [nvsv32.exe] asr_fnt.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
    O4 - HKCU\..\Run: [nvsv32.exe] asr_fnt.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\RunOnce: [nvsv32.exe] asr_fnt.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
     
  8. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    Go to control panel, add/remove programs and remove these if they are listed


    Admanager Controller

    Shareaza

    MessengerPlus3

    180Solutions (or 180Search)

    Than

    Run Hijackthis and fix the following itmes. Be sure all windows are closed except for hijackthis.


    The program Shareaza is a P2P and it is up to you if you need it. If you do not want to take off your machine do not fix any line that has the shareaza on it. But if it was my machine I would not have it on it.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cogwtdstkyb.biz/x80YWnKI...p9lzoI5XGN.html

    R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

    O4 - HKLM\..\Run: [nvsv32.exe] asr_fnt.exe

    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe

    O4 - HKLM\..\Run: [dI61ufR] C:\WINDOWS\jjugtejd.exe

    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe

    O4 - HKLM\..\RunServices: [nvsv32.exe] asr_fnt.exe

    O4 - HKLM\..\RunServices: [nvsv32.exe] asr_fnt.exe

    O4 - HKLM\..\RunOnce: [NvCplScan] nvsc32.exe

    O4 - HKLM\..\RunOnce: [nvsv32.exe] asr_fnt.exe

    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray

    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart

    O4 - HKCU\..\Run: [nvsv32.exe] asr_fnt.exe

    O4 - HKCU\..\RunOnce: [nvsv32.exe] asr_fnt.exe

    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab

    Reboot in safe mode

    Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"



    Delete this files/folders if they are still there


    C:\WINDOWS\jjugtejd.exe

    c:\program files\180solutions\sais.exe

    C:\Program Files\Shareaza\Shareaza.exe" -tray

    C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart



    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the recycle bin.

    Reboot and post a new hijackthis log
     
  9. minish1

    minish1 Thread Starter

    Joined:
    Apr 7, 2004
    Messages:
    46
    btw, thanks for the quick responses and help, i've done everything you've said to, and so far this boot i've gotten no virus warnings from avast... here is my new hijackthis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 1:32:01 PM, on 2/16/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
    C:\Documents and Settings\Tyler\My Documents\hijack\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Process eating usage
  1. Wysocki
    Replies:
    19
    Views:
    2,259
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/331154

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice