
Win 2k: 100% CPU usage and large System 32 folder

Discussion in 'Windows XP' started by Kin$layer, Nov 2, 2002.

Thread Status:
Not open for further replies.
  1. Kin$layer

    Kin$layer Thread Starter

    Joined:
    Nov 2, 2002
    Messages:
    12
    These are my problems:
    1) My CPU usage is constantly 100%, then when I go into task manager it is at 100% but quickly jumps down to 2% - 6%, made me think virus
    2) My c:\WinNT\system32 folder is 10gb
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    First, what Windows version is this? NT?

    Can you do an advanced file search in that folder and determine how many, and what files are, say greater than 1mb?

    Have you done an updated antivirus scan?

    You can do an online one here

    http://www.pandasoftware.com/activescan/

    or here...

    http://housecall.antivirus.com/housecall/start_corp.asp

    Does your taskmanager break down the cpu usage to individual processes? If you can get a quick look, which one is hogging the cpu?

    You can also run a task manager from your Quicklaunch bar, such as Sysinternals' Process Explorer, which will also break down cpu usage per process.

    http://www.sysinternals.com/
     
  4. Kin$layer

    Kin$layer Thread Starter

    Joined:
    Nov 2, 2002
    Messages:
    12
    I was in the middle of pandascan earlier (before your msg) when I went to work and I think my mom closed it :mad:, and I will run it again. My usage is 99% System Idle Processes... and when I look at it with process explorer it says access denied for owner...
    I'm running Windows 2000 btw. I can't do that "how many files bigger than 1mb" thingie, but I locked the problem down to that individual folder, and inside it I looked at all the subfolders, the biggest one being ~150mbs and then the next biggest being ~50, so I think it's hidden?
     
  5. coorrel

    coorrel

    Joined:
    Aug 26, 2002
    Messages:
    250
    Hi,
    Same problem here but not at 100% usage all the time... sys. gets all laggy especially when iexplore is running (major mem usage); looking through all the processes, 43 processes running and around 50% cpu usage...

    I suspect that only certain programs, when running, will slow down the computer... but I do not know which processes I can safely "end process"... is there a guide or something for this kind of problem???

    P4
    OS: win2k
    Clock: 2gig

    Grateful for all the help that I get....
    Thank you...
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    99% "System Idle" is great! That means that only 1% of your cpu time is currently being consumed and 99% is idle. As soon as you start to do something, such as using Task Manager itself, you will see that figure start changing dynamically.

    If 99% were actually being constantly used, you would see an incredible slowdown and a constant hourglass "busy" icon.

    If there are hidden folders, you need to go to Folder Options > View and check "show all files"; if there is also a separate option for "system files", check that too.

    Are you sure you are reading the file size of the folder correctly?

    This link applies to startup programs and not System Services generally, but it will help you learn more about what you see running and whether they are required. A startup manager such as msconfig can uncheck unneeded startups without uninstalling them.

    http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM
     
  7. Kin$layer

    Kin$layer Thread Starter

    Joined:
    Nov 2, 2002
    Messages:
    12
    I'm pretty sure I'm reading the folder size correctly and also the problem has just started in the past week or so because I had ~13 gigs of space left on my drive, I've installed nothing and now I have 6gigs.
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    The ZoneAlarm log won't be helpful, you should click on Edit in that post and delete it to reduce thread clutter.

    Are you sure you have no option to do an "Advanced" file search in Win2k?

    Are you using any kind of file sharing utility, or networking? One thing I do see from that ZA log are many references to port 137. This is a NetBIOS file sharing port. It appears to be "from" that port, rather than "to" it though.

    I really have no personal familiarity with Win2k, but it might be helpful to see a list of your startup programs and running processes.

    To show this best, download, unzip and run the Startuplist application from the site below. Then copy/paste the results to a reply.

    http://www.lurkhere.com/~nicefiles/
     
  9. Kin$layer

    Kin$layer Thread Starter

    Joined:
    Nov 2, 2002
    Messages:
    12
    StartupList report, 03/11/2002, 1:43:35 PM
    StartupList version: 1.34.0
    Started from : C:\StartupList\StartupList.EXE
    Detected: Windows 2000 (WinNT 5.00.2195)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\svchost.exe
    c:\winnt\system32\comm.dll\fire\netlog.exe
    C:\winnt\system32\comm.dll\bnc\probnc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    c:\WINNT\system32\FireDaemon.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Slave.exe
    C:\WINNT\system32\stisvc.exe
    c:\winnt\system32\comm.dll\fire\netlog.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    c:\winnt\system32\comm.dll\servu\sysbk.exe
    C:\WINNT\System32\MsPMSPSv.exe
    c:\WINNT\system32\reg32dll.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINNT\System32\qttask.exe
    C:\WINNT\loadqm.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Winamp\winamp.exe
    C:\StartupList\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
    IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    POINTER = point32.exe
    NeroCheck = C:\WINNT\System32\NeroCheck.exe
    InCD = C:\Program Files\ahead\InCD\InCD.exe
    QuickTime Task = C:\WINNT\System32\qttask.exe
    b3dUpdate = C:\WINNT\BDE\Update\Zupdate.EXE -silent -p "C:\WINNT\BDE\Update" -s setup.cab
    HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    LoadQM = loadqm.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    Pop-Up Stopper = "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    UpdReg = C:\WINNT\Updreg.exe
    AHQInit = C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
    Creative Launcher = C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
    AudioHQ = C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE
    XupiterStartup = C:\Program Files\Xupiter\XupiterStartup.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    internat.exe = internat.exe
    Mirabilis ICQ = C:\Program Files\ICQ\ICQ.exe -minimize
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}]
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Xupiter\Updates\XTUpdate.dll (disabled by BHODemon) (file missing) - {2662BDD7-05D6-408F-B241-FF98FACE6054}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{00000012-890E-4AAC-AFD9-000000000000}]
    CODEBASE = http://lop.com/global/dialers/ca.exe

    [{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
    CODEBASE = http://205.252.89.9/Software_Plugin.exe

    [QuickTime Object]
    InProcServer32 = C:\WINNT\System32\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [MetaStreamCtl Class]
    InProcServer32 = C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
    CODEBASE = https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com

    [CFForm Runtime]
    InProcServer32 = C:\WINNT\System32\MSJAVA.DLL
    CODEBASE = http://www.clan69.org/CFIDE/classes/CFJava.cab

    [{15589FA1-C456-11CE-BF01-00AA0055595A}]
    CODEBASE = http://www.netsource101.com/files/source11/NetInstall11.exe

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [{3717DF55-0396-463D-98B7-647C7DC6898A}]
    CODEBASE = http://www.search-explorer.net/toolbar/srchexpl.cab

    [GSDACtl Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\gsda.dll
    CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

    [MSN Chat Control 4.2]
    InProcServer32 = C:\WINNT\Downloaded Program Files\MSNChat42.ocx
    CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37458.8134606481

    [{A27CFCAE-9351-4D74-BFFC-21EB19693D8C}]
    CODEBASE = http://www.xupiter.com/search2/install/XupiterToolbarLoader.cab

    [Pulse V5 ActiveX Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\AxPulse5.dll
    CODEBASE = http://a320.g.akamai.net/7/320/1456...players/english/5.0/win/PulsePlayer5AxWin.cab

    [{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
    CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetupkaa.exe

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [{DCF0768D-BA7A-101A-B57A-0000C0C3ED5F}]
    CODEBASE = http://deardrocher.com/dialers/plugin-212-0.cab

    [Measurement Service Client]
    InProcServer32 = C:\WINNT\DOWNLO~1\MSC.ocx
    CODEBASE = http://ccon.madonion.com/global/msc.cab

    [{FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75}]
    CODEBASE = http://download.redswoosh.com/Installer/rsinstaller.cab
     
  10. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Ok, I'm seeing an absolute ton of spy, ad and dialer programs there that do not belong.

    I would install and run BOTH Spybot and Ad-aware following the directions in my post below. Afterwards, give me another post of the startups and I'll see what's left and try to provide specific removal instructions for anything else.

    http://forums.techguy.org/showthread.php?s=&threadid=97657

    Just a brief look shows me

    b3deupdate
    upd.reg
    xupter

    lop.com dialer entries in the Downloaded programs folder; bonzi buddy; unknown "dialer"

    Unknown process:

    c:\WINNT\system32\reg32dll.exe

    Also, see this regarding "Firedaemon.exe":

    http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q294728&

    http://www.unm.edu/cirt/security/win2k1.html

    These two starting processes may also be trojan related and need to be investigated:

    c:\winnt\system32\comm.dll\fire\netlog.exe
    C:\winnt\system32\comm.dll\bnc\probnc.exe

    If you can find the exe's, right click on them and select "properties" > version to check for copyright info.
     
  11. Kin$layer

    Kin$layer Thread Starter

    Joined:
    Nov 2, 2002
    Messages:
    12
    I ran ad-aware updated and backed up and deleted all the stuff it found. I am trying to run spybot, but after finishing the search it gives this error: Datei: "C:\WINNT\System32\drivers\etc\hosts" kann nicht erstellt werden. Access is denied. Datei = File, kann nicht erstellt werden = cannot be provided.

    I found both .exes after using the advice from the one page there, that says: Uncheck "Hide file extensions for known file types" and Uncheck "Hide protected operating system files". But I don't know where to find the versions inside properties.
     
  12. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I don't understand German too well, you might want to click on the "Language" tab in Spybot and select English. If necessary, try running it in Safe Mode and see if the same error occurs.

    Does the error prevent you from continuing and using the "fix selected" entries option to remove what it preselects?

    When you find a file, right click on it and select "Properties". The properties page should have a "version" tab which gives copyright info.

    Have you looked into the Firedaemon issue? This seems to be the most serious, and conceivably could require a reinstall or format.

    The Symantec article seems to suggest it can be removed without doing that:

    http://www.symantec.com/avcenter/venc/data/backdoor.nthack.html
     
  13. Kin$layer

    Kin$layer Thread Starter

    Joined:
    Nov 2, 2002
    Messages:
    12
    It prevents me from finishing the fix selected, how do I run in safe mode?
     
  14. mtbird

    mtbird

    Joined:
    Dec 10, 2001
    Messages:
    3,687
    When you boot and see the progress bar at the bottom of the screen, press your F8 key.
    Select safe mode from the options.


    Debe
     
  15. Kin$layer

    Kin$layer Thread Starter

    Joined:
    Nov 2, 2002
    Messages:
    12
    Well, here's an update on the situation. My CPU usage is now almost permanently 100%, my internet is laggy and my memory usage is also near 100%. I have an AMD Athlon XP 1800+, 512 mb DDR PC-2100 RAM and Cable internet. It is no longer possible to play games. On the plus side, I found the files that were being distributed, x-box games, I deleted them. All of the CPU, Memory and internet are evidently being used by reg32dll.exe.

    I'm wondering what my next course of action should be? I want to avoid a reformat for as long as possible.

    My startup list now:

    Running processes:

    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.EXE
    C:\WINNT\System32\svchost.exe
    c:\winnt\system32\comm.dll\fire\netlog.exe
    C:\winnt\system32\comm.dll\bnc\probnc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\System32\nvsvc32.exe
    c:\WINNT\system32\FireDaemon.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\Slave.exe
    C:\WINNT\system32\stisvc.exe
    c:\winnt\system32\comm.dll\fire\netlog.exe
    c:\winnt\system32\comm.dll\servu\sysbk.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\MsPMSPSv.exe
    c:\WINNT\system32\reg32dll.exe
    C:\WINNT\Explorer.exe
    C:\WINNT\System32\devldr32.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\WINNT\System32\qttask.exe
    C:\WINNT\loadqm.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\WINNT\System32\internat.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Lavasoft Ad-aware\Ad-aware.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\mozilla.org\Mozilla\mozilla.exe
    C:\StartupList\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    gwum.lnk = C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
    IntelliType = "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    POINTER = point32.exe
    NeroCheck = C:\WINNT\System32\NeroCheck.exe
    InCD = C:\Program Files\ahead\InCD\InCD.exe
    QuickTime Task = C:\WINNT\System32\qttask.exe
    HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    LoadQM = loadqm.exe
    NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    nwiz = nwiz.exe /install
    Pop-Up Stopper = "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    UpdReg = C:\WINNT\Updreg.exe
    AHQInit = C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
    Creative Launcher = C:\Program Files\Creative\SBLive2k\Launcher\CTLauncher.exe
    AudioHQ = C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    internat.exe = internat.exe
    Mirabilis ICQ = C:\Program Files\ICQ\ICQ.exe -minimize
    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\System32\ie4uinit.exe

    [{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
    StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINNT\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINNT\Explorer\Explorer.exe: not present
    C:\WINNT\System\Explorer.exe: not present
    C:\WINNT\System32\Explorer.exe: not present
    C:\WINNT\Command\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx (disabled by BHODemon) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [{018B7EC3-EECA-11D3-8E71-0000E82C6C0D}]
    CODEBASE = http://205.252.89.9/Software_Plugin.exe

    [QuickTime Object]
    InProcServer32 = C:\WINNT\System32\QTPlugin.ocx
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [MetaStreamCtl Class]
    InProcServer32 = C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
    CODEBASE = https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=www.viewpoint.com

    [CFForm Runtime]
    InProcServer32 = C:\WINNT\System32\MSJAVA.DLL
    CODEBASE = http://www.clan69.org/CFIDE/classes/CFJava.cab

    [{15589FA1-C456-11CE-BF01-00AA0055595A}]
    CODEBASE = http://www.netsource101.com/files/source11/NetInstall11.exe

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://activex.microsoft.com/activex/controls/macromedia/Swdir.cab

    [Symantec AntiVirus scanner]
    InProcServer32 = C:\WINNT\Downloaded Program Files\avsniff.dll
    CODEBASE = http://security2.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab

    [{3717DF55-0396-463D-98B7-647C7DC6898A}]
    CODEBASE = http://www.search-explorer.net/toolbar/srchexpl.cab

    [GSDACtl Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\gsda.dll
    CODEBASE = http://launch.gamespyarcade.com/software/launch/alaunch.cab

    [MSN Chat Control 4.2]
    InProcServer32 = C:\WINNT\Downloaded Program Files\MSNChat42.ocx
    CODEBASE = http://fdl.msn.com/public/chat/msnchat42.cab

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    [Update Class]
    InProcServer32 = C:\WINNT\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37458.8134606481

    [Pulse V5 ActiveX Control]
    InProcServer32 = C:\WINNT\Downloaded Program Files\AxPulse5.dll
    CODEBASE = http://a320.g.akamai.net/7/320/1456...players/english/5.0/win/PulsePlayer5AxWin.cab

    [{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
    CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetupkaa.exe

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [{DCF0768D-BA7A-101A-B57A-0000C0C3ED5F}]
    CODEBASE = http://deardrocher.com/dialers/plugin-212-0.cab

    [Measurement Service Client]
    InProcServer32 = C:\WINNT\DOWNLO~1\MSC.ocx
    CODEBASE = http://ccon.madonion.com/global/msc.cab

    [{FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75}]
    CODEBASE = http://download.redswoosh.com/Installer/rsinstaller.cab
     
  16. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    We need to focus on the Firedaemon/Nthack trojan and the reg32.dll problem; we can return to the spyware later.

    I see I gave you the wrong Symantec link in a previous post, I've changed it now. Here it is again:

    http://www.symantec.com/avcenter/venc/data/backdoor.nthack.html

    Do a full scan with NAV in Safe Mode if you can.

    Follow the instructions to find and delete the registry entry for NewGina, if present, and any others they list which may be present.

    In Safe Mode see if you can find and rename reg32.dll to reg32.bak

    Find and rename Firedaemon as well. This should keep them from loading. We just don't know exactly what process is calling them and this may either force an error message, or resolve the problem. They can be completely deleted later.

    While you're in the registry, navigate to:

    Hkey_Local_Machine\Software\Microsoft\Windows\CurrentVersion\RUN

    With the RUN folder highlighted look in the Right Hand pane for:

    UpdReg = C:\WINNT\Updreg.exe

    .... and Right click on that and delete it.

    I am also concerned about slave.exe and think we should try to rename that as well.

    http://www.avp.ch/avpve/trojan/backdoor/ra.stm

    I don't see where this is loading from either.

    When you open your registry editor (run regedit), navigate to this key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Look in the Right hand pane for a shell entry. The data value should ONLY be Explorer.exe

    If anything else is there, right click on it and modify it so that the value is just that.
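A small audit helper, added here as an example and not a tool from this thread or from the StartupList program: it parses a constructed report in the layout of the StartupList output posted above, flags processes started from a directory that is named like a file (the comm.dll\... paths), flags the same image running twice (netlog.exe), pulls the HKLM and HKCU Run entries, and applies the Winlogon Shell check from the post above to a value supplied as a string, since nothing here reads a live registry.

```python
import re
from collections import Counter

# Constructed sample in the layout of the StartupList reports posted in this thread
# (not a real capture); the entries are copied from the report above for illustration.
SAMPLE_REPORT = r"""StartupList report, 03/11/2002, 1:43:35 PM
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
c:\winnt\system32\comm.dll\fire\netlog.exe
C:\winnt\system32\comm.dll\bnc\probnc.exe
C:\WINNT\Slave.exe
c:\winnt\system32\comm.dll\fire\netlog.exe
C:\WINNT\Explorer.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
UpdReg = C:\WINNT\Updreg.exe
NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
"""

SEPARATOR = re.compile(r"^[-=]{10,}[ \t]*$", re.M)
FILE_LIKE_DIR = re.compile(r"\.(dll|exe|sys|ocx|com)$", re.I)

def split_sections(report):
    """Return {heading: [lines]} for each separator-delimited block of the report."""
    sections = {}
    for chunk in SEPARATOR.split(report):
        lines = [ln.strip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        heading, body = lines[0].rstrip(":"), lines[1:]
        # Registry autorun blocks share one title; fold the hive\key line into the heading
        if body and body[0].upper().startswith(("HKLM", "HKCU")):
            heading, body = f"{heading} {body[0]}", body[1:]
        sections[heading] = body
    return sections

def running_processes(sections):
    return list(sections.get("Running processes", []))

def run_entries(sections, hive="HKLM"):
    r"""Name -> command for the HKLM or HKCU ...\CurrentVersion\Run block."""
    wanted = f"{hive}\\software\\microsoft\\windows\\currentversion\\run".lower()
    for heading, body in sections.items():
        if heading.lower().endswith(wanted):
            return {name: cmd for name, _, cmd in (ln.partition(" = ") for ln in body)}
    return {}

def disguised_directories(paths):
    """Processes started from a directory named like a file (a folder posing as comm.dll)."""
    return [p for p in paths
            if any(FILE_LIKE_DIR.search(d) for d in p.replace("/", "\\").split("\\")[:-1])]

def duplicate_processes(paths):
    """Same image path running more than once (case-insensitive), as netlog.exe does above."""
    counts = Counter(p.lower() for p in paths)
    return sorted(p for p, n in counts.items() if n > 1)

def shell_value_is_clean(value):
    """Winlogon check from the post above: the Shell data must be exactly Explorer.exe."""
    return value.strip().strip('"').lower() == "explorer.exe"

def audit(report):
    sections = split_sections(report)
    procs = running_processes(sections)
    return {"disguised_dirs": disguised_directories(procs),
            "duplicates": duplicate_processes(procs),
            "hklm_run": run_entries(sections, "HKLM"),
            "hkcu_run": run_entries(sections, "HKCU")}

if __name__ == "__main__":
    for name, value in audit(SAMPLE_REPORT).items():
        print(f"{name}: {value}")
```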
     

Short URL to this thread: https://techguy.org/102284