[Egotist]

So, someone recently gave me this computer and I boot it to find this most unpleasant little bugger WinFixer/Trojan.vundo seems to have invaded her system! EEP~ Thanks a lot, so-called-friend. =X

Annnnyway, after reading a whole bunch (Google is your friend!) I think/hope I got rid of the WinFixer.. But I notice, every so often seemingly randomly (I've been here, fixing this thing for 11 hours and noticed this twice) it hogs up system resources! I am running 300mb of ram (out of 2014) in programs and I can't even create a tool menu? That's just grr! At one point all I had open was the anti virus guard and I couldn't open My Computer! ::Huff:: I was reading about how spoolsv.exe is infamous for causing resource hogging shenanigans. I don't even have a printer on this computer. (The person who owned it before me did.)

Maybe I should stop talking and get to business, hm?



Logfile of HijackThis v1.99.1
Scan saved at 8:47:01 AM, on 4/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [D-Color] C:\Documents and Settings\Owner\Desktop\Ego\dcolor.exe
O4 - Global Startup: UltraMon.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Blocking access to the document address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockDocument.html
O8 - Extra context menu item: Blocking access to the image address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockImage.html
O8 - Extra context menu item: Blocking access to the link address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockLink.html
O8 - Extra context menu item: Cut proxy addresses from selected text by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisCutProxyFromSelectedTåxt.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - https://objects.aol....83/mcinsctl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136249142953
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WARSVR - Unknown owner - C:\Program Files\War-ftpd\war-ftpd.exe" -tag WARSVR (file missing)


Alrighty then, some of these things quite confuse me.. Such as
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
I was thinking of deleting it, as I have put Firefox on here instead of I.E., but I was afraid it'd break the program. And I was way too lazy to reinstall it for something so silly.

O8 - Extra context menu item: Blocking access to the document address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockDocument.html
O8 - Extra context menu item: Blocking access to the image address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockImage.html
O8 - Extra context menu item: Blocking access to the link address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockLink.html
O8 - Extra context menu item: Cut proxy addresses from selected text by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisCutProxyFromSelectedTåxt.html
These were me, AliveProxy made a program that you could use to "easily" connect to the internet via a proxy.. I found it to be more tedius than the integrated proxy feature with Firefox.. All this managed to do for me was list the proxies from their website into this program.. I promptly deleted the program but.. Now these are in my HiJack This log and I am not entirely sure why these remnants are there or how to get rid of them.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
I have no idea what that even is.. But there's no file!.. ::Shrug::


O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
There's that no-longer-existant printer again.

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
I don't use AOL or Mcafee, please get away from my computer you evil corporate jerkheads.

O23 - Service: WARSVR - Unknown owner - C:\Program Files\War-ftpd\war-ftpd.exe" -tag WARSVR (file missing)
I used to run an FTPD.. Another program I deleted and am now finding fragments of.

So basically that is after scrubbing and polishing, of all that the only logical explanation for my resource hogging would seem to be that Spoolsv.. I turned it off and I am not yet out with a verdict of how it goes with my problem, but I figured I'd post my log anyway to ask how to keep my computer spic-and-span as I'd like!


Edit: Also, this computer takes 48 seconds (I counted) to shut down when restarting, that seems like a considerable amount of time. Maybe I'm just being paranoid.

Thank you in advance for any and all help,
~Ego

Edited by Egotist, 25 April 2006 - 08:32 AM.

[Advertisements]

Dear Egotist,

Welcome to the Geeks to Go forums.

We are currently studying your log.
*************************************

You are currently running HijackThis from your desktop. Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted. Go to "My Computer", click on c:\ and then go to the "File" menu, choose New -> Folder. Name the folder "HJT" or "HijackThis" and then please move the "HijackThis.exe" executable there.
*************************************************

Dear Egoist, I first want to see if you have any traces of WinFixer/Trojan.vundo still on your computer. Therefore do the following:

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Put a check next to Run VundoFix as a task.
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

In addition, let me know in detail how your computer system is running after performing the above steps.

Edited by rambro, 25 April 2006 - 03:15 PM.

[rambro]

Dear Egotist,

Welcome to the Geeks to Go forums.

We are currently studying your log.
*************************************

You are currently running HijackThis from your desktop. Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted. Go to "My Computer", click on c:\ and then go to the "File" menu, choose New -> Folder. Name the folder "HJT" or "HijackThis" and then please move the "HijackThis.exe" executable there.
*************************************************

Dear Egoist, I first want to see if you have any traces of WinFixer/Trojan.vundo still on your computer. Therefore do the following:

Please download VundoFix.exe to your desktop.

• Double-click VundoFix.exe to run it.
• Put a check next to Run VundoFix as a task.
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.
• Please post the contents of C:\vundofix.txt and a new HiJackThis log.

In addition, let me know in detail how your computer system is running after performing the above steps.

Edited by rambro, 25 April 2006 - 03:15 PM.

[rambro]

Dear Egotist,

I was reading your comments in your first post, Hold off on doing any major fixes on the lines in the HijackThis log that you mentioned. We will address these issues in a later post. Some of the Hijackthis lines you mentioned in the first post are legitimate.

Here are my observations.

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

This is part of adobe acrobat reader, it is legit and good to have on your computer.

I was thinking of deleting it, as I have put Firefox on here instead of I.E., but I was afraid it'd break the program. And I was way too lazy to reinstall it for something so silly.

Don't get rid of your Internet Explorer, use it as a back up browser, because it has things called "Active X" controls that Mozilla's FireFox browser does not have. Yes, use Mozilla's FireFox browser as your main browser, but keep you IE browser as a backup, since this browser is integrated into the windows XP operating system, Internet Explorer is hard to uninstall.
Keep this browser!!!!

O8 - Extra context menu item: Blocking access to the document address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockDocument.html
O8 - Extra context menu item: Blocking access to the image address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockImage.html
O8 - Extra context menu item: Blocking access to the link address by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisBlockLink.html
O8 - Extra context menu item: Cut proxy addresses from selected text by AliveProxy - C:\Program Files\AiS AliveProxy Server\aisCutProxyFromSelectedTåxt.html

We will fix these lines through HijackThis in a later post.

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
I have no idea what that even is.. But there's no file!.. ::Shrug::

This is part of McAfee antivirus software. We will fix this line through HijackThis in a later post.

O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
There's that no-longer-existant printer again.

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - https://objects.aol....,20/McGDMgr.cab
I don't use AOL or Mcafee, please get away from my computer you evil corporate jerkheads.

O23 - Service: WARSVR - Unknown owner - C:\Program Files\War-ftpd\war-ftpd.exe" -tag WARSVR (file missing)
I used to run an FTPD.. Another program I deleted and am now finding fragments of.

We will fix these lines through HijackThis in a later post.

So basically that is after scrubbing and polishing, of all that the only logical explanation for my resource hogging would seem to be that Spoolsv.. I turned it off and I am not yet out with a verdict of how it goes with my problem,

Please put "spoolsv.exe" back on, this is not your problem, it is an important executable and is needed by your computer system.

Edited by rambro, 25 April 2006 - 03:15 PM.

[Egotist]

Rambro, thank you for your reply!

Well, I ran VundoFix and it said no infected files were found, so I guess that's good!

Don't get rid of your Internet Explorer, use it as a back up browser, because it has things called "Active X" controls that Mozilla's FireFox browser does not have. Yes, use Mozilla's FireFox browser as your main browser, but keep you IE browser as a backup, since this browser is integrated into the windows XP operating system, Internet Explorer is hard to uninstall.
Keep this browser!!!!

I was referring to the potential deleting of that particular dll, as it's an I.E. helper, and I am well aware of the problems computers cause when deleting Internet Explorer! I've tried it in the past, hehe. And I question as to whether I would even require Adobe.. Mozilla has stable PDF readers now-a-days.

Please put "spoolsv.exe" back on, this is not your problem, it is an important executable and is needed by your computer system[/b].

It seems I don't have to, when I went to services I noticed it was on again anyway.. Nice to see I am the master of this good ship here~ However I disagree of this being needed by the computer system.. Of everything I've ever read on it it is simply a printer spooler.. I guess it could come handy for those wishing to install a future printer.. But for those without a printer, it seems to be fluff. ::Shrug::!

Thank you for assisting me.
~Ego

Edited by Egotist, 25 April 2006 - 06:28 PM.

[rambro]

Dear Egotist,

Do you think I can see this information:

Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Dear Egotist, I know you have an opinion, but do you think maybe you can follow my suggestions/instructions, lets not have a "tug of war" here. Thank you for your cooperation.

rambro

[Egotist]

VundoFix V4.2.72

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:15:53 PM 4/25/2006

Listing files found while scanning....


No infected files were found.


VundoFix V4.2.72

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Java version is 1.5.0.6

Scan started at 8:17:06 PM 4/25/2006

Listing files found while scanning....


No infected files were found.



Sorry, I hadn't realized the thing even made a VundoFix.txt
My java is sort of silly, now that it comes to mind.. I had to reload it 4 times in order to be able to play java games without it blinking and lagging on me.. I also cannot run LimeWire.. But I can run Azureus quite fine (and java games now, too!)

I apologize is my opinion input seemed hostile, I was not trying to come off as sardonic.

Edited by Egotist, 25 April 2006 - 07:28 PM.

[rambro]

Dear Egotist,

May I also see this:

Please restart your computer and post a new HiJackThis log.

Remembering this from my first post....

You are currently running HijackThis from your desktop. Since HijackThis makes backups of any entries you fix, you should create a folder just to hold the HijackThis program and its backups, so the backups and the program are not accidentally deleted. Go to "My Computer", click on c:\ and then go to the "File" menu, choose New -> Folder. Name the folder "HJT" or "HijackThis" and then please move the "HijackThis.exe" executable there.

rambro