100% CPU usuage,help please (RESOLVED)

deathman91 · #1 (**permalink**) 22-04-2007, 03:16 AM

Greetings fellow helpers out there

I had this annoying problem.My Computer recently had a problem that is,after I switched on the com for about 1hr or so,The CPU usuage just instantly jump to 100% and back to the normal again.The "jumpings"of 100% and to normal just keep on repeating and led me to no choice but to press the reset the button to restart my com.
The 100% usuage dont stay there forever,it will like,somewhat,"lag for a few sec as it was 100% usuage and back to normal speed again when it was back on the normal cpu usuage"

I found that that process that is using up my CPU Usuage
The process is "WINLOGON.EXE"
When I tried to end this process,it says," that it was a critical system process.Task Manager cannot end this process""

I tried scanning for virus using
Ad-Aware SE Professional
Spybot - Search & Destroy

Those progarms found some virus and I cleared them all but the problem is not sloved.

Anyone who can help me on this?

My System:
AMD Athlon(tm)XP 2400+
2.00 GHZ,512 MB of RAM

My Hijackthis log,

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 11:13:34 PM, on 4/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\{273018EE-07CE-1033-0910-031118030001}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maplesea.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Thanks

VopThis · #2 (**permalink**) 22-04-2007, 04:29 AM

You have acquired an email worm. Many worms can be prevented if you are running a real-time (always on) antivirus tool - recommendations later.

Read over the following directions. Ask if anything appears unclear to you.

Clean out TEMPORARY FILES procedures:
To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner http://www.ccleaner.com/downloadbuilds.asp

Install Options:

Don't install any Toolbars, or other programs, should it ask you!
Just uncheck the option of installing the Yahoo toolbar.

It will put a shortcut on your Desktop.

Do not run CCleaner until requested later.

We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O20 - Winlogon Notify: mszsrn32 - C:\WINDOWS\system32\mszsrn32.dll

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.

HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).

Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Run CCleaner .

FIRST-TIME USE:
Select the ‘Options’ BUTTON option (top LEFT), ‘Advanced’ BUTTON, and then UNCHECK the ‘Only delete files in Windows Temp Folders older than 48 hours’.

Select the ‘Cleaner’ BUTTON option (top LEFT), if not already selected. Use the ’Windows’ TAB up front by default.

Uncheck ‘Cookies’ option (advisable)
Optionally, Uncheck ‘Recently Typed URLs’ option (potentially still useful)
Click the ‘Analyse’ button.
Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):

DELETE FILES:

C:\WINDOWS\system32\mszsrn32.dll

POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.

deathman91 · #3 (**permalink**) 22-04-2007, 05:51 AM

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:14 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{273018EE-07CE-1033-0910-031118030001}\Update.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maplesea.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\gct.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

I just did what you guided me to.
As the problem only occurs after I booted my com for 1hr,I will keep you updated later on

deathman91 · #4 (**permalink**) 24-04-2007, 01:53 PM

The Freezeing of com is sloved but I get slight lag still...

VopThis · #5 (**permalink**) 24-04-2007, 03:20 PM

The lack of a real-time (always on) antivirus tool probably allowed the worm to invade your PC - you need such a tool to be running. Here are some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com/eng/avast_4_home.html

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

deathman91 · #6 (**permalink**) 25-04-2007, 09:09 AM

It deleted my Internet Explorer shortcut at my desktop =.=

Anyway,heres the ComboFix log

Quote:

"KyoSuke" - 07-04-25 16:01:14 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Program Files\FlashGet\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\inst.exe.exe
C:\WINDOWS\system32\zup.exe.exe
C:\WINDOWS\system32\pdp.exe.exe
C:\Program Files\Common Files\{37301~1\Bar888.dll
C:\Program Files\Common Files\{37301~1\UnInstall.exe
C:\Program Files\Common Files\{27301~1\Update.exe
C:\Program Files\Common Files\{37301~2\UnInstall.exe
C:\DOCUME~1\KyoSuke\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\wincom32.ini
C:\WINDOWS\system32\winsub.xml
C:\Program Files\inetget2
C:\Program Files\Common Files\{37301~1
C:\Program Files\Common Files\{27301~1
C:\Program Files\Common Files\{37301~2
C:\Program Files\Common Files\{27301~2
C:\WINDOWS\system32\lzx32.sys
C:\cp1041.nls

Infected copy of C:\WINDOWS\system32\drivers\ndis.sys was found & disinfected
Restored copy from - "C:\WINDOWS\system32\dllcache\ndis.sys"

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\ntldr
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_NTLDR

((((((((((((((((((((((((((((((( Files Created from 2007-03-25 to 2007-04-25 ))))))))))))))))))))))))))))))))))

2007-04-24 14:57 <DIR> d--hs---- C:\FOUND.005
2007-04-23 23:06 <DIR> d--h----- C:\WINDOWS\HUL
2007-04-23 22:56 <DIR> d-------- C:\DOCUME~1\KyoSuke\APPLIC~1\InstallShield
2007-04-23 22:01 <DIR> d-------- C:\ijji
2007-04-22 12:26 <DIR> d-------- C:\Program Files\CCleaner
2007-04-21 15:30 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-04-21 15:19 <DIR> d--hs---- C:\FOUND.004
2007-04-21 15:14 <DIR> d-------- C:\WINDOWS\pss
2007-04-20 16:20 <DIR> d-------- C:\Program Files\Hamachi
2007-04-20 16:14 <DIR> d--hs---- C:\FOUND.003
2007-04-16 20:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-04-16 19:27 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-04-15 17:16 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-15 12:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-15 00:00 <DIR> d--hs---- C:\FOUND.002
2007-04-14 22:23 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-04-14 19:43 <DIR> d--hs---- C:\FOUND.001
2007-04-13 19:30 91,849 --a------ C:\WINDOWS\system32\3ti.exe
2007-04-12 19:59 91,849 --a------ C:\WINDOWS\system32\inst.exe
2007-04-12 19:57 21,504 --a------ C:\WINDOWS\system32\gct.dll
2007-04-12 19:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-04-12 19:38 561,152 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-12 19:06 21,504 --a------ C:\WINDOWS\system32\eintztm.dll
2007-04-12 18:54 <DIR> d--hs---- C:\FOUND.000
2007-04-12 18:50 21,504 --a------ C:\WINDOWS\system32\wjvvn.dll
2007-04-12 18:49 8,704 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-08 10:16 <DIR> d-------- C:\DOCUME~1\KyoSuke\APPLIC~1\Google
2007-04-08 10:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-08 10:15 <DIR> d-------- C:\Program Files\Google
2007-04-03 22:00 <DIR> d-------- C:\Program Files\Real Alternative
2007-04-03 22:00 <DIR> d-------- C:\Program Files\Media Player Classic
2007-04-03 22:00 <DIR> d-------- C:\DOCUME~1\KyoSuke\APPLIC~1\Real
2007-04-03 22:00 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real
2007-03-31 12:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GRETECH
2007-03-31 12:55 <DIR> d-------- C:\DOCUME~1\KyoSuke\APPLIC~1\GRETECH
2007-03-26 21:25 <DIR> d-------- C:\Program Files\QuickTime
2007-03-25 00:48 36,624 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-03-25 00:48 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-03-25 00:48 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-03-25 00:48 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-03-25 00:48 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-03-25 00:48 116,472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-03-25 00:48 <DIR> d-------- C:\Program Files\DivX
2007-03-25 00:46 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-03-25 00:46 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-03-25 00:46 <DIR> d-------- C:\Program Files\Xvid

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.

2007-04-20 16:20 26056 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2007-03-17 18:36 62508 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-03-15 23:14 -------- d-------- C:\Program Files\skype
2007-03-15 18:46 -------- d-------- C:\DOCUME~1\KyoSuke\APPLIC~1\screenshot sender
2007-03-11 22:42 -------- d-------- C:\Program Files\gamepot
2007-03-10 21:38 -------- d-------- C:\Program Files\utorrent
2007-03-10 21:38 -------- d-------- C:\DOCUME~1\KyoSuke\APPLIC~1\utorrent
2007-03-10 11:28 -------- d-------- C:\Program Files\bittorrent
2007-03-07 18:58 -------- d-------- C:\Program Files\auditionsea
2007-02-25 02:22 -------- d-------- C:\Program Files\mirc
2007-02-22 20:30 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-22 20:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-22 20:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 20:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-22 20:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-22 20:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-22 20:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-22 20:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-22 20:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-22 20:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-22 20:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-22 20:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-22 20:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-22 20:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-22 20:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-22 20:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-15 17:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-01-26 23:43 86114 --a------ C:\WINDOWS\war3unin.dat

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
{A5366673-E8CA-11D3-9CD9-0090271D075B} C:\PROGRA~1\FLASHGET\jccatch.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\run]
"SoundMan"="SOUNDMAN.EXE"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"nwiz"="nwiz.exe /install"

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.ex e"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"

HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnph ost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0

************************************************** ******************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-04-25 16:05:06
Windows 5.1.2600 Service Pack 2 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

************************************************** ******************

Completion time: 07-04-25 16:06:15 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-25 16:06

And the hijackthis log

Quote:

Logfile of HijackThis v1.99.1
Scan saved at 4:09:35 PM, on 4/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.maplesea.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\JETCAR.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkMSN.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

deathman91 · #7 (**permalink**) 25-04-2007, 11:07 AM

May I know where does IE7 installs to?The directory,i mean.
I re-installed my IE7 and it did not create a shortcut for me.
I searched my C drive,progarm files/internet explorer but its not there...
And the WINDOWS folder "IE7"theres a shortcut file for IE but its an older version not IE7...
Im sure IE7 is install as I can open it throught the MSN mail box button
SOrry if you dont use msn but IE7 is installed

Edit:Found it,I forgotten to turn on show system files xD

VopThis · #8 (**permalink**) 25-04-2007, 01:02 PM

How is your PC now behaving?

The lack of a real-time antivirus checking tool continues to put your PC at serious risk. Another alternative that I use and recommend is NOD32 ( www.eset.com ) - you will almost forget it is there (30 day free trial).

deathman91 · #9 (**permalink**) 25-04-2007, 01:34 PM

Quote:

Originally Posted by VopThis

How is your PC now behaving?

The lack of a real-time antivirus checking tool continues to put your PC at serious risk. Another alternative that I use and recommend is NOD32 ( www.eset.com ) - you will almost forget it is there (30 day free trial).

The "lag" has gone now,I will post a reply if something happens again,if not I think the problem is sloved.
Thanks

And those free anti-virus software are all trial version?
Do you know of any those free and not trial version?

VopThis · #10 (**permalink**) 26-04-2007, 03:27 PM

Quote:

And those free anti-virus software are all trial version?

AVG and AVAST have FREE versions.