Logfile of HijackThis v1.99.1
Scan saved at 5:32:17 PM, on 2/20/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


Here is the log file: My guess is "C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe"

that's taking all the cpu usage, i'm not sure on how to remove this: i hope u guys can help me.

thanks in advance.

Hi marvstar and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME

• Click HERE for the update.
  
• Apply the update.
• REBOOT YOUR SYSTEM

2. Please post a fresh HJT log once the upgrade is done

Regards,

Trevuren

Hello trevuren thankyou for the quick reply, i have applied the service pack: and executed a new hijack file:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:47 PM, on 2/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

This post has been edited by Marvstar: Feb 20 2006, 12:50 PM

1. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.

1. Download Ad-Aware SE Personal 1.06:
   • Download Ad-Aware SE Personal 1.06.
   • Save aawsepersonal.exe to a convenient location.
2. Install Ad-Aware SE Personal 1.06:
   • Double-click on aawsepersonal.exe to install the program.
   • Follow the default settings for installation.
   • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
3. Update Ad-Aware SE Personal 1.06:
   • Double-click the Ad-Aware SE Personal icon on your desktop.
   • Click "Check for updates now" then click "Connect".
   • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
4. Configure Ad-Aware SE Personal 1.06:
   • Click on the Gear button at the top of the window.
   • Click "General" on the left hand side to display the General Settings box.
     • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
       • "Automatically save logfile"
       • "Automatically quarantine objects prior to removal"
       • "Safe Mode (always request confirmation)"
       • "Prompt to update outdated definitions" - change to 7 days from the default 14.
   • Click "Scanning" on the left hand side to display the Scan Settings box.
     • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
       • "Scan within archives"
       • "Select drives & folders to scan" - select your hard drive(s).
       • "Scan active processes"
       • "Scan registry"
       • "Deep-scan registry"
       • "Scan my IE favorites for banned URLs"
       • "Scan my Hosts file"
   • Click "Advanced" on the left hand side to display the Advanced Settings box.
     • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
       • "Move deleted files to Recycle Bin"
       • "Include additional object information"
       • "Include negligible objects information"
       • "Include environment information"
   • Click "Defaults" on the left hand side to display the Default Settings box.
     • Make sure these items have your preferred settings in them.:
       • "Default homepage"
       • "Default searchpage"
   • Click "Tweak" on the left hand side to display the Tweak Settings box.
     • Click the + (plus) sign next to the Log Files section. This will expand the section.
     • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
       • "Include basic Ad-Aware settings in log file"
       • "Include additional Ad-Aware settings in log file"
       • "Include reference summary in log file"
       • "Include alternate data stream details in log file"
     • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
     • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
       • "Unload recognized processes & modules during scan"
       • "Scan registry for all users instead of current user only"
       • "Obtain command line of scanned processes"
     • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
     • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
       • "Always try to unload modules before deletion"
       • "During removal, unload Explorer and IE if necessary"
       • "Let Windows remove files in use at next reboot"
       • "Delete quarantined objects after restoring"
   • Once you are done with these settings, click "Proceed" to save them.
   • This will take you back to the main screen.
5. Run Ad-Aware SE Personal 1.06:
   • Click the "Start" button.
   • Uncheck the "Search for negligible risk entries" entry.
   • Choose the "Use custom scanning options" scan mode.
   • Click the "Next" button.
   • Ad-Aware will begin to scan for malware residing on your computer.
   • Allow the scan to finish.
   • Right-click on any entry in the list and click "Select All" to select the whole list.
   • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.

2. Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

1. Please download ewido security suite it is a trial version of the program.
   
   • Install ewido security suite
   • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
   • Launch ewido, there should be an icon on your desktop double-click it.
   • The program will prompt you to update click the OK button
   • The program will now go to the main screen
   
   
2. You will need to update ewido to the latest definition files.
   • On the left hand side of the main screen click update
   • Click on Start
   • The update will start and a progress bar will show the updates being installed.
   
   
3. Once the updates are installed do the following:
   • REBOOT into Safe Mode
   • Run EWIDO
   • Click on scanner
   • Click on Start Scan
   • Let the program scan the machine
   • While the scan is in progress you will be prompted to clean files, click OK
   
   
4. Once the scan has completed, there will be a button located on the bottom of the screen named Save report
   • Click Save report
   • Save the report to your desktop
   
   
5. Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply

Regards,

Trevuren

Hey back again, i have followed the instructions as you said, here is the HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:19:55 PM, on 2/20/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\HiJackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [XpDis0Conf] C:\PROGRA~1\Belkin\BELKIN~1\Tool\WinXPDisableZeroConfigation.exe VEN_14E4&DEV_4320&SUBSYS_70011799 /d
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Please post the Ewido log as requested.

Thanks,

Trevuren

Log right here:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:16:43 PM, 2/20/2006
+ Report-Checksum: 30C7FA82

+ Scan result:

C:\Documents and Settings\Jeff.HOME-HB4QVW6H34\Cookies\jeff@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HB4QVW6H34\Cookies\jeff@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HB4QVW6H34\Cookies\jeff@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HB4QVW6H34\Cookies\jeff@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HB4QVW6H34\Cookies\jeff@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HB4QVW6H34\Cookies\jeff@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HB4QVW6H34\Cookies\jeff@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HB4QVW6H34\Cookies\jeff@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HB4QVW6H34\Cookies\jeff@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HGFF3CSI1R\Cookies\jeff@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HGFF3CSI1R\Cookies\jeff@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HGFF3CSI1R\Cookies\jeff@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HGFF3CSI1R\Cookies\jeff@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jeff.HOME-HGFF3CSI1R\Local Settings\Temporary Internet Files\Content.IE5\93UTUH2C\install[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup
C:\winstall.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Cleaned with backup


::Report End

Your log is clean. What is taking up all the CPU usage is probably related to the Belkin software you are using as there are numerous instances of this phenomenon occurring

Please read this article for a possible solution to your problem:

http://www.xpforum.co.uk/forum/viewtopic.php?p=86430


I would greatly appreciate you keeping me posted of any changes you make to your system as a result of this article.

Regards,

Trevuren

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.