need help, 100% cpu usage [RESOLVED]


  • This topic is locked

#16
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
I see that you have Ewido installed.

Run Ewido. Click on Updates and then Start Update.

After the Updates are completed. Close Ewido. Do not run the scan yet.

Reboot the PC in Safe Mode.

Run Ewido and run a full system scan. Save the scan report.

Reboot the PC in normal Mode and then post back the scan report.

#17
Vegito1471

    Member

  • Topic Starter
  • 43 posts
Here it is

Edited by Vegito1471, 25 August 2005 - 01:18 PM.

#18
tampabelle

Hi,

Wanted to do this yesterday, guess it slipped my mind.

Run l2mfix.bat and choose Option #1.

Post the log here

#19
Vegito1471

L2MFIX find log 1.04
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
azaml3~1.dll Fri Jul 15 2005 8:08:32p ..S.R 0 0.00 K
gccoll~1.dll Tue Jul 12 2005 3:35:14p A.... 126,680 123.71 K
gcunco~1.dll Tue Jul 12 2005 3:35:10p A.... 95,448 93.21 K
hashlib.dll Tue Jul 12 2005 3:35:14p A.... 117,976 115.21 K
legitc~1.dll Wed Aug 3 2005 10:33:42a A.... 520,456 508.26 K

5 items found: 5 files (1 H/S), 0 directories.
Total of file sizes: 860,560 bytes 840.39 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is A8C5-27BB

Directory of C:\WINDOWS\System32

08/23/2005 08:33 PM <DIR> dllcache
07/15/2005 08:08 PM 0 azaml3l11.dll
07/19/2004 08:13 PM <DIR> Microsoft
1 File(s) 0 bytes
2 Dir(s) 6,347,620,352 bytes free


#20
tampabelle

The log is clean.

Please delete the file l2mfix.exe which you downloaded and the l2mfix folder.

Uninstall Ewido. It is a good product but the trial period will expire shortly.

Edited by tampabelle, 25 August 2005 - 01:25 PM.

#21
Vegito1471

I still get 100% CPU usage. What can the problem be?

Edited by Vegito1471, 25 August 2005 - 01:50 PM.

#22
tampabelle

Please RIGHT-CLICK HERE to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

#23
Vegito1471

"Silent Runners.vbs", revision 40, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"FreeRAM XP" = ""C:\Documents and Settings\Vegito1471\Desktop\FreeRAM XP Pro 1.40.exe" -win" ["YourWare Solutions ™"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CARPService" = "carpserv.exe" ["Conexant Systems, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"QT4HPOT" = "C:\Program Files\HPQ\One-Touch\OneTouch.EXE" ["Dritek System Inc."]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"Startup Manager Scanner" = "C:\Program Files\Startup Mechanic\StartupMonitor.exe" [null data]
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"WinampAgent" = ""C:\Program Files\Winamp\winampa.exe"" [null data]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]
{8b15971b-5355-4c82-8c07-7e181ea07608}\(Default) = "Fax"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser" [MS]
{94de52c8-2d59-4f1b-883e-79663d2d9a8c}\(Default) = "Fax Provider"
\StubPath = "rundll32.exe C:\WINDOWS\System32\Setup\FxsOcm.dll,XP_UninstallProvider" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"0aMCPClient" = "{F5DF91F9-15E9-416B-A7C3-7519B11ECBFC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Stardock\MCPCore.dll" ["Stardock"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]

HKLM\System\CurrentControlSet\Control\Session Manager\
INFECTION WARNING! "BootExecute" = "autocheck autochk * ntdel.exe mad.dll sprestrt sprestrt sprestrt" [file not found], [MS], [file not found], [null data], [file not found], [MS], [MS], [MS]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! wzcnotif\DLLName = "wzcdlg.dll" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PKZIP Shell Extension\(Default) = "{248A7248-2D62-4B49-ACFB-0C1B70C04F0D}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\PKWARE\PKZIP7\PKCOM700.dll" ["PKWARE, Inc."]
RapidCRC\(Default) = "{E5A23DE9-6CC4-4f8c-88E9-AF8455B38E06}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\RapidCRC\rcrcshex.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
RapidCRC\(Default) = "{E5A23DE9-6CC4-4f8c-88E9-AF8455B38E06}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\RapidCRC\rcrcshex.dll" [null data]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
PKZIP Shell Extension\(Default) = "{248A7248-2D62-4B49-ACFB-0C1B70C04F0D}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\PKWARE\PKZIP7\PKCOM700.dll" ["PKWARE, Inc."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Vegito1471\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmypics.scr" [MS]


Startup items in "Vegito1471" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\Vegito1471\Start Menu\Programs\Startup
"Adobe Gamma" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]


Enabled Scheduled Tasks:
------------------------

"WebReg 20041005172255" -> launches: "C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe /TaskName 20041005172255 /N "psc 1300 series" /M Q3501A /S MY41UBB06N9F /AP 303 /F /T " ["Hewlett-Packard Co."]
"WebReg 20041011122804" -> launches: "C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe /TaskName 20041011122804 /N "psc 1300 series" /M Q3501A /S MY41UBB06N9F /AP 303 /F /T " ["Hewlett-Packard Co."]
"WebReg 20041207212828" -> launches: "C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe /TaskName 20041207212828 /N "psc 1300 series" /M Q3501A /S MY41UBB06N9F /AP 303 /F /T " ["Hewlett-Packard Co."]
"WebReg 20041213181844" -> launches: "C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe /TaskName 20041213181844 /N "psc 1300 series" /M Q3501A /S MY41UBB06N9F /AP 303 /F /T " ["Hewlett-Packard Co."]
"WebReg 20041214200937" -> launches: "C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe /TaskName 20041214200937 /N "psc 1300 series" /M Q3501A /S MY41UBB06N9F /AP 303 /F /T " ["Hewlett-Packard Co."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\msjava.dll" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 53 domain names to IP addresses,
1 of the IP addresses is *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
HP Configuration Interface Service, HPConfig, "C:\WINDOWS\system32\HPConfig.exe" ["Hewlett-Packard"]
HPWirelessMgr, HPWirelessMgr, "C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe" ["Hewlett-Packard Co."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 182 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 66 seconds.
---------- (total run time: 311 seconds)
done

Edited by Vegito1471, 25 August 2005 - 04:56 PM.

#24
Vegito1471

The System process is the one using the most cpu

#25
tampabelle

Which one ???

Please run Hijack This. Click on config ---> Misc Tools. Click on "Generate Startup List". It will generate a startup list.

Post it back here

Edited by tampabelle, 25 August 2005 - 05:17 PM.


#26
Vegito1471

SYSTEM not system idle process

#27
Vegito1471

StartupList report, 8/25/2005, 7:18:36 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Elizabeth14\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Startup Mechanic\StartupMonitor.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Winamp\winampa.exe
C:\Documents and Settings\Vegito1471\Desktop\FreeRAM XP Pro 1.40.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Elizabeth14\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Vegito1471\Start Menu\Programs\Startup]
Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CARPService = carpserv.exe
ATIPTA = C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
QT4HPOT = C:\Program Files\HPQ\One-Touch\OneTouch.EXE
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Startup Manager Scanner = C:\Program Files\Startup Mechanic\StartupMonitor.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
WinampAgent = "C:\Program Files\Winamp\winampa.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

FreeRAM XP = "C:\Documents and Settings\Vegito1471\Desktop\FreeRAM XP Pro 1.40.exe" -win

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=wbsys.dll

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

WebReg 20041005172255.job
WebReg 20041011122804.job
WebReg 20041207212828.job
WebReg 20041213181844.job
WebReg 20041214200937.job

--------------------------------------------------

Enumerating Download Program Files:

[{0000000A-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...0367/wmavax.CAB

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.ma...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft....k/?linkid=39204

[iCC Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\pcpConnCheck.dll
CODEBASE = http://pcpitstop.com...cpConnCheck.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[FilePlanet Download Control Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FilePlanetDownloadCtrl.dll
CODEBASE = http://www.fileplane...DC_1_0_0_44.cab

[{56336BCB-3D8A-11D6-A00B-0050DA18DE71}]
CODEBASE = http://software-dl.r...ip/RdxIE601.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.micros...b?1124832287986

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[WebSpyWareKiller Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebSWK.dll
CODEBASE = http://download.zone...ctor/WebSWK.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoft...free/asinst.cab

[Crucial cpcScan]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cpcscan.dll
CODEBASE = http://www.crucial.c.../cpcScanner.cab

[Get_ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\HPGETD~1.OCX
CODEBASE = https://h17000.www1....loadManager.ocx

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

[Secure Delivery]
CODEBASE = http://www.gamespot.com/KDX/kdx.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

0aMCPClient: C:\Program Files\Common Files\Stardock\MCPCore.dll
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 8,358 bytes
Report generated in 0.270 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#28
tampabelle

Can't pinpoint it here also.


Let's do two things -

1) Let's try one more thing -

Open Notepad and copy the following in a new text file -

regedit /e peek.txt "HKey_Local_Machine\System\CurrentControlSet\Control\Session Manager"

Save the file as 1.bat on your desktop (make sure the Save as Type is set to All Files).

Double click on 1.bat. It will generate the file peek.txt.

Attach peek.txt along with your next reply


2) Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.
  • 0
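
Added example, not part of the thread or of any tool named in it: the peek.txt export requested in step 1 above is a Regedit 5.00 text file, in which REG_EXPAND_SZ and REG_MULTI_SZ values appear as hex(2)/hex(7) lists of UTF-16LE bytes, like the DllName values in the L2MFIX log earlier in the thread. This Python code decodes them, lists the Winlogon\Notify DLL names and reports BootExecute entries other than the Windows default `autocheck autochk *`; the function names and the sample export (including `example-extra.exe`) are constructed for illustration.

```python
import re

# Stock Windows value of Session Manager\BootExecute.
DEFAULT_BOOT_EXECUTE = "autocheck autochk *"


def _to_hex_list(text):
    """Sample-building helper: UTF-16LE bytes written the way regedit does."""
    return ",".join(f"{b:02x}" for b in text.encode("utf-16-le"))


def join_continuations(text):
    """Regedit wraps long hex values with a trailing backslash; rejoin them."""
    return re.sub(r"\\\r?\n\s*", "", text)


def decode_value(raw):
    """Decode one right-hand side of a .reg 'name=value' line."""
    raw = raw.strip()
    m = re.match(r"hex\((2|7)\):(.*)$", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        text = data.decode("utf-16-le", errors="replace")
        if m.group(1) == "2":                      # REG_EXPAND_SZ: one string
            return text.rstrip("\x00")
        return [s for s in text.split("\x00") if s]  # REG_MULTI_SZ: a list
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \" escapes
    return raw                                     # other types left as text


def parse_reg(text):
    """Return {key path: {lower-cased value name: decoded value}}."""
    keys, current = {}, None
    for line in join_continuations(text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                # Value names are case-insensitive (DllName vs DLLName).
                current[m.group(1).lower()] = decode_value(m.group(2))
    return keys


def load_export(path):
    """Regedit 5.00 exports are UTF-16 with a BOM, not ASCII."""
    with open(path, encoding="utf-16") as fh:
        return parse_reg(fh.read())


def boot_execute_extras(keys):
    """BootExecute entries that differ from the Windows default."""
    for path, values in keys.items():
        if path.lower().endswith(r"\control\session manager"):
            entries = values.get("bootexecute", [])
            if isinstance(entries, str):
                entries = [entries]
            return [e for e in entries
                    if e.strip().lower() != DEFAULT_BOOT_EXECUTE]
    return []


def notify_dlls(keys):
    """Map each Winlogon\\Notify subkey to the DLL it loads."""
    found = {}
    for path, values in keys.items():
        head, _, leaf = path.rpartition("\\")
        if head.lower().endswith(r"\winlogon\notify") and "dllname" in values:
            found[leaf] = values["dllname"]
    return found


# Constructed sample. The crypt32chain bytes are copied from the L2MFIX log
# in the thread; the BootExecute entry "example-extra.exe" is a placeholder.
_NOTIFY = ("[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
           "\\CurrentVersion\\Winlogon\\Notify\\")
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]\n"
    '"BootExecute"=hex(7):'
    + _to_hex_list("autocheck autochk *\x00example-extra.exe\x00\x00") + "\n\n"
    + _NOTIFY + "crypt32chain]\n"
    '"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\\\n'
    "6c,00,00,00\n\n"
    + _NOTIFY + "wzcnotif]\n"
    '"DLLName"="wzcdlg.dll"\n'
)

if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_EXPORT)
    print("Non-default BootExecute entries:", boot_execute_extras(parsed))
    for name, dll in sorted(notify_dlls(parsed).items()):
        print(f"Winlogon\\Notify\\{name} -> {dll}")
```

For a real export, pass the saved file to `load_export("peek.txt")` instead of parsing the sample string.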

#29
Vegito1471

********
7:34 PM: |··· Start of Session, Thursday, August 25, 2005 ···|
7:34 PM: Spy Sweeper started
7:34 PM: Sweep initiated using definitions version 522
7:34 PM: Starting Memory Sweep
7:41 PM: Memory Sweep Complete, Elapsed Time: 00:07:12
7:41 PM: Starting Registry Sweep
7:41 PM: Found Trojan Horse: 2nd-thought
7:41 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\bundles\ (13 subtraces) (ID = 101988)
7:41 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-501\software\bundles\ (14 subtraces) (ID = 101988)
7:41 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-501\software\stc\ (1 subtraces) (ID = 102020)
7:42 PM: Found Adware: comet cursor
7:42 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {fe6bc4ef-5676-484b-88ae-883323913256} (ID = 106731)
7:42 PM: Found Adware: crackspider
7:42 PM: HKU\S-1-5-21-1844237615-1202660629-1060284298-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {10954c80-4f0f-11d3-b17c-00c0dfe39736} (ID = 112560)
7:42 PM: Found Adware: cydoor peer-to-peer dependency
7:42 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\kazaa\promotions\cydoor\ (4059 subtraces) (ID = 124527)
7:42 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-501\software\kazaa\promotions\cydoor\ (16 subtraces) (ID = 124527)
7:42 PM: Found Adware: ieplugin
7:42 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\intexp\ (9 subtraces) (ID = 128173)
7:42 PM: Found Adware: drsnsrch.com hijack
7:42 PM: HKU\S-1-5-18\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
7:42 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
7:42 PM: Found Adware: keenvalue/perfectnav
7:42 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\intermixmedia\ (2 subtraces) (ID = 129439)
7:42 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\internet explorer\menuext\sirsearch\ (3 subtraces) (ID = 129441)
7:42 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\pwrsmnd1\ (6 subtraces) (ID = 129518)
7:43 PM: Found Adware: look2me
7:43 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ds4.dll\ (2 subtraces) (ID = 129950)
7:43 PM: Found Adware: minigolf
7:43 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/minigolf_affiliate.exe\ (2 subtraces) (ID = 135052)
7:43 PM: Found Adware: 180search assistant/zango
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\msbb\ (15 subtraces) (ID = 135781)
7:43 PM: Found Adware: roings search enhancment
7:43 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mm20.ocx\ (2 subtraces) (ID = 140171)
7:43 PM: HKLM\software\mm\ (1 subtraces) (ID = 140211)
7:43 PM: Found Adware: screensavers
7:43 PM: HKCR\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (2 subtraces) (ID = 140550)
7:43 PM: HKLM\software\classes\clsid\{722d2939-a14a-41a9-9eac-ab8f4e295819}\ (2 subtraces) (ID = 140555)
7:43 PM: HKLM\software\screensavers.com\ (14 subtraces) (ID = 140569)
7:43 PM: Found Adware: search-exe hijacker
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\internet explorer\main\ || search bar (ID = 140927)
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\internet explorer\main\ || search page (ID = 140928)
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\internet explorer\search\ || searchassistant (ID = 140932)
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 140934)
7:43 PM: Found Adware: ist sidefind
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\internet explorer\explorer bars\{8cba1b49-8144-4721-a7b1-64c578c9eed7}\ (1 subtraces) (ID = 141777)
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1009\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-500\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
7:43 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-501\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
7:43 PM: Found Adware: startnow startnow hijack
7:43 PM: HKU\S-1-5-21-1844237615-1202660629-1060284298-1004\software\microsoft\internet explorer\search\ || local page (ID = 142622)
7:43 PM: Found System Monitor: system spy
7:43 PM: HKCR\.ssa\ (1 subtraces) (ID = 143523)
7:43 PM: Found Trojan Horse: trojan_backdoor_retro64
7:43 PM: HKCR\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 144995)
7:43 PM: HKLM\software\classes\interface\{450b9e4d-4014-4de3-b34e-014a81468293}\ (8 subtraces) (ID = 145000)
7:44 PM: HKLM\software\classes\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (ID = 145003)
7:44 PM: HKCR\typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7}\ (ID = 145004)
7:44 PM: Found Adware: tvmedia
7:44 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\internet explorer\urlsearchhooks\ || {20ec3d2d-33c1-4c9d-bc37-c2d500688da2} (ID = 145309)
7:44 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-501\software\microsoft\internet explorer\urlsearchhooks\ || {20ec3d2d-33c1-4c9d-bc37-c2d500688da2} (ID = 145309)
7:44 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-1005\software\microsoft\windows\currentversion\run\ || tv media (ID = 145312)
7:44 PM: HKU\WRSS_Profile_S-1-5-21-1844237615-1202660629-1060284298-501\software\microsoft\windows\currentversion\run\ || tv media (ID = 145312)
7:44 PM: Found Adware: winad
7:44 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/winadx.dll\ (2 subtraces) (ID = 147198)
7:44 PM: Found Adware: icannnews
7:44 PM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
7:44 PM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
7:44 PM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
7:44 PM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169456)
7:44 PM: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
7:44 PM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
7:44 PM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
7:44 PM: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169463)
7:44 PM: Registry Sweep Complete, Elapsed Time:00:02:22
7:44 PM: Starting Cookie Sweep
7:44 PM: Found Spy Cookie: websponsors cookie
7:44 PM: vegito1471@a.websponsors[2].txt (ID = 3665)
7:44 PM: Found Spy Cookie: hbmediapro cookie
7:44 PM: vegito1471@adopt.hbmediapro[2].txt (ID = 2768)
7:44 PM: Found Spy Cookie: ask cookie
7:44 PM: vegito1471@ask[1].txt (ID = 2245)
7:44 PM: Found Spy Cookie: belnk cookie
7:44 PM: vegito1471@ath.belnk[1].txt (ID = 2293)
7:44 PM: Found Spy Cookie: atwola cookie
7:44 PM: vegito1471@atwola[1].txt (ID = 2255)
7:44 PM: Found Spy Cookie: azjmp cookie
7:44 PM: vegito1471@azjmp[2].txt (ID = 2270)
7:44 PM: vegito1471@belnk[2].txt (ID = 2292)
7:44 PM: Found Spy Cookie: com.com cookie
7:44 PM: vegito1471@com[2].txt (ID = 2445)
7:44 PM: vegito1471@dist.belnk[1].txt (ID = 2293)
7:44 PM: Found Spy Cookie: touchclarity cookie
7:44 PM: vegito1471@partypoker.touchclarity[2].txt (ID = 3567)
7:44 PM: Found Spy Cookie: partypoker cookie
7:44 PM: vegito1471@partypoker[1].txt (ID = 3111)
7:44 PM: Found Spy Cookie: reliablestats cookie
7:44 PM: vegito1471@stats1.reliablestats[2].txt (ID = 3254)
7:44 PM: Found Spy Cookie: winantiviruspro cookie
7:44 PM: vegito1471@www.winantiviruspro[2].txt (ID = 3690)
7:44 PM: Found Spy Cookie: zedo cookie
7:44 PM: vegito1471@zedo[2].txt (ID = 3762)
7:44 PM: Found Spy Cookie: webtrendslive cookie
7:44 PM: administrator@dcs8ir0f010000oyioyaka1kl_8j7n[2].txt (ID = 3673)
7:44 PM: Found Spy Cookie: pricegrabber cookie
7:44 PM: administrator@pricegrabber[1].txt (ID = 3185)
7:44 PM: Found Spy Cookie: rightmedia cookie
7:44 PM: administrator@rightmedia[1].txt (ID = 3259)
7:44 PM: Found Spy Cookie: clickxchange adware cookie
7:44 PM: administrator@www.clickxchange[1].txt (ID = 2409)
7:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
7:44 PM: Starting File Sweep
7:47 PM: c:\windows\system32\fleok (ID = -2147480556)
7:47 PM: Found Adware: netpal
7:47 PM: gamehouse games.url (ID = 70891)
7:48 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\lang\pintlcsk.dic". The system cannot find the path specified
7:48 PM: flyordie games.url (ID = 70890)
7:48 PM: big fish games.url (ID = 70885)
7:48 PM: Found Adware: ezula ilookup
7:48 PM: button_small.gif (ID = 60415)
7:48 PM: tvmknwrd.dll (ID = 81726)
7:48 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\susdl.rq0". The system cannot find the file specified
7:49 PM: Warning: Failed to open file "c:\windows\pchealth\errorrep\userdumps\hpwirelessmgr.exe.20041129-201411-00.mdmp". Access is denied
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\_usedelta_.state". The system cannot find the file specified
7:49 PM: m67m.inf (ID = 74028)
7:49 PM: gamehouse games.url (ID = 70891)
7:49 PM: flyordie games.url (ID = 70890)
7:49 PM: big fish games.url (ID = 70885)
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\_unpacked_.state". The system cannot find the file specified
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\_file_to_execute_.txt". The system cannot find the file specified
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\_downloadprogress_.state". The system cannot find the file specified
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\update\updatebr.inf". The system cannot find the path specified
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\update\branches.inf". The system cannot find the path specified
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\tagfile.1". The system cannot find the file specified
7:49 PM: winadx.inf (ID = 90469)
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\lang\pintlcsd.dic". The system cannot find the path specified
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\type.wav". The system cannot find the file specified
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\new\secupd.sig". The system cannot find the path specified
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\lvback.gif". The system cannot find the file specified
7:49 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\update\eula.txt". The system cannot find the path specified
7:50 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\update\update.inf". The system cannot find the path specified
7:50 PM: installpreinstall_p1.exe (ID = 70545)
7:50 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\backup\dxdiag.chm". The system cannot find the path specified
7:50 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\update\update.ver". The system cannot find the path specified
7:50 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\backup\desk.cpl". The system cannot find the path specified
7:51 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\update\sp2.cat". The system cannot find the path specified
7:51 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\wuau.adm". The system cannot find the file specified
7:52 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\wuauhelp.chm". The system cannot find the file specified
7:52 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\update\update.url". The system cannot find the path specified
7:52 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\plyr_err.chm". The system cannot find the file specified
7:52 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\pscript.ntf". The system cannot find the file specified
7:52 PM: Warning: Failed to read file "c:\windows\temp\perflib_perfdata_780.dat". System Error. Code: 32.
The process cannot access the file because it is being used by another process
7:52 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\wmplayer.chm". The system cannot find the file specified
7:53 PM: Found Adware: exact cashback/bargain buddy
7:53 PM: adp8028_nps.exe.tcf (ID = 50500)
7:54 PM: Warning: Failed to open file "c:\windows\softwaredistribution\download\\windowsxp-sp2-x86fre-usa-2180.psm". The system cannot find the file specified
7:54 PM: upd204[1].exe (ID = 120946)
7:56 PM: installer_marketing48x.exe (ID = 116175)
7:56 PM: 5af53340-4320-4da6-947f-37fe81.asq (ID = 74756)
7:56 PM: backup-20050823-132003-726.inf (ID = 107202)
7:56 PM: backup-20050823-132007-396.inf (ID = 74756)
7:56 PM: wildapp.inf (ID = 69911)
7:56 PM: File Sweep Complete, Elapsed Time: 00:12:25
7:56 PM: Full Sweep has completed. Elapsed time 00:22:20
7:56 PM: Traces Found: 4327
7:57 PM: Removal process initiated
7:57 PM: Quarantining All Traces: 2nd-thought
7:57 PM: Quarantining All Traces: comet cursor
7:57 PM: Quarantining All Traces: crackspider
7:57 PM: Quarantining All Traces: cydoor peer-to-peer dependency
7:57 PM: Quarantining All Traces: ieplugin
7:57 PM: Quarantining All Traces: drsnsrch.com hijack
7:57 PM: Quarantining All Traces: keenvalue/perfectnav
7:57 PM: Quarantining All Traces: look2me
7:57 PM: Quarantining All Traces: minigolf
7:57 PM: Quarantining All Traces: 180search assistant/zango
7:57 PM: Quarantining All Traces: roings search enhancment
7:57 PM: Quarantining All Traces: screensavers
7:57 PM: Quarantining All Traces: search-exe hijacker
7:57 PM: Quarantining All Traces: ist sidefind
7:57 PM: Quarantining All Traces: startnow startnow hijack
7:57 PM: Quarantining All Traces: system spy
7:57 PM: Quarantining All Traces: trojan_backdoor_retro64
7:57 PM: Quarantining All Traces: tvmedia
7:57 PM: Quarantining All Traces: winad
7:57 PM: Quarantining All Traces: icannnews
7:57 PM: Quarantining All Traces: websponsors cookie
7:57 PM: Quarantining All Traces: hbmediapro cookie
7:57 PM: Quarantining All Traces: ask cookie
7:57 PM: Quarantining All Traces: belnk cookie
7:58 PM: Quarantining All Traces: atwola cookie
7:58 PM: Quarantining All Traces: azjmp cookie
7:58 PM: Quarantining All Traces: com.com cookie
7:58 PM: Quarantining All Traces: touchclarity cookie
7:58 PM: Quarantining All Traces: partypoker cookie
7:58 PM: Quarantining All Traces: reliablestats cookie
7:58 PM: Quarantining All Traces: winantiviruspro cookie
7:58 PM: Quarantining All Traces: zedo cookie
7:58 PM: Quarantining All Traces: webtrendslive cookie
7:58 PM: Quarantining All Traces: pricegrabber cookie
7:58 PM: Quarantining All Traces: rightmedia cookie
7:58 PM: Quarantining All Traces: clickxchange adware cookie
7:58 PM: Quarantining All Traces: netpal
7:58 PM: Quarantining All Traces: ezula ilookup
7:58 PM: Quarantining All Traces: exact cashback/bargain buddy
7:58 PM: Removal process completed. Elapsed time 00:01:03
********
7:33 PM: |··· Start of Session, Thursday, August 25, 2005 ···|
7:33 PM: Spy Sweeper started
7:33 PM: Messenger service has been disabled.
7:34 PM: Processing Hosts File Alerts
7:34 PM: Fixed Hosts File entry: idenupdate.motorola.com
7:34 PM: |··· End of Session, Thursday, August 25, 2005 ···|

Attached Files

  • Attached File  peek.txt   385.69KB   69 downloads

Edited by Vegito1471, 25 August 2005 - 06:02 PM.


#30
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Any improvement in your PC performance???