Explorer.exe running at 99% using all available CPU
#1 w404225 (New Member, 2 posts)
Hi all from a newbie on this forum, which is great. I have read many of the topics and posts and have been impressed by the responses.

Now it's my turn, please. My laptop has been infected over the years and was gradually getting slower and slower, and finally succumbed to spyware and malware with advert pop-ups etc. I have run various antivirus systems and CCleaner and have removed all trojans and malware etc.; nothing shows up on scans on 3 different systems. CCleaner also fixed 2129 issues in the registry, and all now shows clean, but I still have explorer.exe running at 100% all the time.

I have run hijackthis and the below is the log.

Now it needs to be said that although this is a work laptop and I do not have access to administrator rights, it has been used at home by both the wife and my daughter, so God only knows what has been downloaded and could have infected the machine. I am not a major techie, but can find my way around a PC. I recognise quite a lot of the entries on the log as valid software, but don't know about a lot of it. Can anyone out there help me, please?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:39:05, on 12/05/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\comtcb.exe
C:\WINNT\System32\DepEngSvs.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\WINNT\System32\Hummingbird\Connectivity\9.00\Inetd\inetd32.exe
C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINNT\System32\SgLogPlayer.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.cwin...nnect/intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.cam4cw.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 146.135.228.11:80
O1 - Hosts: 167.216.153.90 vantive.digisle.com
O1 - Hosts: 140.85.248.139 auohsexod01.oracleoutsourcing.com
O1 - Hosts: 193.9.149.131 exodus.oraclebol.com
O1 - Hosts: 204.71.125.7 ukdhc-t3-nc1 ukdhc-t3-nc1.gdoc.cwintra.com
O1 - Hosts: 204.71.125.12 ukdhc-t3-nc2 ukdhc-t3-nc2.gdoc.cwintra.com
O1 - Hosts: 204.71.125.7 usdhc-t3-nc1 usdhc-t3-nc1.gdoc.cwintra.com
O1 - Hosts: 204.71.125.12 usdhc-t3-nc2 usdhc-t3-nc2.gdoc.cwintra.com
O1 - Hosts: 204.71.125.24 ukdhc-t1-s13
O1 - Hosts: 204.71.125.15 ukdhc-t2-smtl
O1 - Hosts: 204.71.221.15 usdhc-t2-smtl
O1 - Hosts: 167.216.155.230 cwis-sun-1-sj-nms-p cwis-sun-1-sj-nms-p.digisle.com
O1 - Hosts: 167.216.155.230 omnibus01.isc.cw.net omnibus01
O1 - Hosts: 148.185.208.65 wtnhpp15.isops.cwcom.co.uk
O1 - Hosts: 193.194.25.134 SD_ACE_BSH #bham smallheath ACE
O1 - Hosts: 194.6.92.30 hmsds1
O1 - Hosts: 194.6.92.29 hmsds2
O1 - Hosts: 194.6.92.45 dtcds1
O1 - Hosts: 194.6.92.36 dtcds2
O1 - Hosts: 194.6.92.17 gnoc5620sim1
O1 - Hosts: 194.6.92.19 gnoc5620sim2
O1 - Hosts: 146.135.235.196 gnoc-nms1
O1 - Hosts: 146.135.235.198 gsoc-nms1
O1 - Hosts: 146.135.235.132 gnoc-nms2
O1 - Hosts: 146.135.235.156 gsoc-nms2
O1 - Hosts: 146.135.235.204 gsoc-nms3
O1 - Hosts: 148.185.194.103 ibma
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [VerifyStartMenu] RunDLL32 C:\PROGRA~1\NETMANAG.32\NMGOINN.DLL,VerifyStartMenu
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HumMeteringClient] rundll32.exe "C:\Program Files\Hummingbird\Connectivity\9.00\Accessories\MeteringClient.dll",RegisterProduct
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINNT\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SgeEcView] "C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe"
O4 - HKLM\..\Run: [EdWizard] "C:\Program Files\Utimaco\SafeGuard Easy\EdWizard.exe" as
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Machine] MachInfo.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINNT\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?e560fd5859b74b4b8afed006c12711f0
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?e560fd5859b74b4b8afed006c12711f0
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O14 - IERESET.INF: START_PAGE_URL=https://www.cam4cw.com
O15 - Trusted Zone: http://lmscontent.cwintra.com
O15 - Trusted Zone: http://www.ebay.co.uk
O15 - Trusted Zone: http://www.pixmania.com
O15 - Trusted Zone: http://www.snapfish.co.uk
O15 - Trusted Zone: http://www.tesco.co.uk
O15 - Trusted Zone: http://www.tesco.com
O15 - Trusted Zone: www.yahoo.co.uk
O15 - Trusted Zone: http://lmscontent.cwintra.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ad.plc.cwintra.com
O17 - HKLM\Software\..\Telephony: DomainName = ad.plc.cwintra.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{16B92243-FAC5-4FF7-9749-10F83C77E723}: NameServer = 212.139.132.11 212.139.132.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ad.plc.cwintra.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{16B92243-FAC5-4FF7-9749-10F83C77E723}: NameServer = 212.139.132.11 212.139.132.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ad.plc.cwintra.com
O20 - Winlogon Notify: NotLog - C:\WINNT\SYSTEM32\SGLogEx.dll
O20 - Winlogon Notify: SGLogNotification - C:\WINNT\SYSTEM32\SGLogNotification.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: COMTCB Factory Service for CWDEPeng XP (COMTCB) - Logan IT services LTD - C:\WINNT\system32\comtcb.exe
O23 - Service: Deployment Engine Service (DepEngSvs) - Unknown owner - C:\WINNT\System32\DepEngSvs.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Hummingbird InetD (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\9.00\Inetd\inetd32.exe
O23 - Service: Hummingbird Exceed Display Management (HumDisplayServer) - Hummingbird Ltd. - C:\Program Files\Hummingbird\Connectivity\9.00\Exceed\HumDisplayServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\Program Files\orant\BIN\ONRSD80.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)
O23 - Service: SafeGuard® Easy Control (SgeCtl) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
O23 - Service: SafeGuard SGLOG Player (SgLogPlayer) - Utimaco Safeware AG - C:\WINNT\System32\SgLogPlayer.exe
O23 - Service: SafeGuard® Easy Workstation Server (WksCfgSrv) - Utimaco Safeware AG - C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe

--
End of file - 9633 bytes


Many thanks
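An added triage helper, not the poster's code and not part of HijackThis, that parses entries in the log format shown above and lists the ones a reviewer would look at first. The sample lines are copied from the log above; the flagging rules are ordinary review heuristics rather than anything HijackThis itself does, and the regular expressions are my assumptions about the entry layout (section code, " - ", body; Run-key bodies as hive, `..\Run:`, bracketed value name, command line).

```python
import re
from collections import Counter

# Constructed sample: a handful of entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 146.135.228.11:80
O1 - Hosts: 167.216.153.90 vantive.digisle.com
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Machine] MachInfo.exe
O15 - Trusted Zone: http://www.ebay.co.uk
O20 - Winlogon Notify: NotLog - C:\WINNT\SYSTEM32\SGLogEx.dll
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Unknown owner - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

# Assumed entry layout: a section code (R0, O1, O4, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# Assumed O4 Run-key body layout: hive, "..\Run:", [value name], command line.
O4_RUN_RE = re.compile(r"^HK\S*\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_hjt(text):
    """Split a HijackThis log into {kind, body} entries; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"kind": m.group("kind"), "body": m.group("body")})
    return entries


def triage(entries):
    """Return the entries a reviewer should check first, each with the reason it was picked."""
    findings = []
    for e in entries:
        kind, body = e["kind"], e["body"]
        reason = None
        if kind == "O1":
            reason = "hosts-file override: confirm the name-to-address mapping is expected"
        elif kind == "R1" and "ProxyServer" in body:
            reason = "browser traffic goes via a proxy: confirm it is the corporate one"
        elif kind == "O4":
            m = O4_RUN_RE.match(body)
            # A bare file name (no backslash) is resolved by a PATH search at logon,
            # so the reviewer has to find which copy actually runs.
            if m and "\\" not in m.group("cmd"):
                reason = "Run key with a bare executable name: locate the file on disk"
        elif kind == "O15":
            reason = "site in the IE Trusted Zone runs with relaxed security settings"
        elif kind == "O20":
            reason = "Winlogon Notify DLL loads at logon inside winlogon.exe: verify publisher and file"
        elif kind == "O23":
            if "(file missing)" in body:
                reason = "service registered but its binary is missing: stale or broken install"
            elif "Unknown owner" in body:
                reason = "service binary has no publisher recorded: verify signature and hash"
        if reason:
            findings.append({"kind": kind, "body": body, "reason": reason})
    return findings


def summary(findings):
    """Count of flagged entries per HijackThis section code."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f['kind']:4} {f['reason']}\n     {f['body']}")
```

Run against the sample, the two McAfee/VirusScan lines pass without comment while the bare `MachInfo.exe` Run entry, the proxy setting, the hosts override, the Trusted Zone site, the Winlogon Notify DLL and the missing CounterSpy binary are listed for review; the reasons are prompts for a human check (is this the corporate proxy, is this DLL from the expected vendor), not verdicts.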
#2 w404225 (Topic Starter)
I've run Kaspersky and it has identified the following: win32.agant.busy rootkit.win32.podnuha.cb
Any ideas how to remove them?