Please help - CPU Usage 100%
First, thank you so much for taking your time to help everyone out. It is very generous.
The bottom line is our computer is VERY slow. Upon every mouse click or action, the CPU usage jumps up to near 100% for anywhere from 10-30 seconds. It seems like the "System" (not idle) image name is usually above 50%.
I have run both ad-aware and spybot and that got rid of search bars and random homepages, but it did not help the speed of the computer.
I also used msconfig so that most programs wouldn't launch on start-up.
Also, Symantec will occasionally pop up saying it has found and quarantined Trojan.Bookmarker.Gen. However, no viruses are found when I do a full system scan.
My HijackThis log follows. Again, thank you for whatever help you may be able to provide.
Logfile of HijackThis v1.97.7
Scan saved at 8:41:53 PM, on 8/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Walter Flaherty.WALTER-GP4JPQSO\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O1 - Hosts: 3466709097 #uto.search.msn.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: SuperBar - {99392DFB-419C-484D-9673-50C93C82D1E0} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [Ad-Aware-6] WINXP.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: PopupDummy! (HKCU)
O9 - Extra 'Tools' menuitem: PopupDummy! (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_12_0.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp
Comments
First of all, let's do the basics:
Set your system to show hidden files and folders.
Then, turn off System Restore.
Note that both of those items contain instructions on how to reset these settings to normal after your problem is solved. DO NOT FORGET TO DO THAT LATER.
Next, please move HJT into its own folder right on your C drive, called HJT. Why? When you use HijackThis to remove unwanted items, it creates backup files. If you ever mistakenly remove an item that you later discover you need, you can recover these items from the backup file. Having HijackThis.exe in its own folder gives these backup files a safe place to reside, and reduces clutter on your Desktop or My Documents folder.
Because you have some different problems here, we may have to do this in several passes, so don't be surprised if this does not work on the first try.
Reboot in SAFE MODE. Run HJT. FIX:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
(That item usually indicates some sort of a trojan virus on your system.)
O1 - Hosts: 3466709097 #uto.search.msn.com
O1 - Hosts: 3466709097 sitefinder-idn.verisign.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
(Did you add these hosts entries yourself? Did you run a program like Kazaa Lite which installs some good hosts entries? If you do not know where they came from, I would delete them. Although some of these block ads, the first one blocks part of msn.com, which makes me suspicious.)
O3 - Toolbar: SuperBar - {99392DFB-419C-484D-9673-50C93C82D1E0} - C:\Program Files\SuperBar\SuperBar.Dll (file missing)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
(This is from MyWebSearch, a known adware/spyware app. After fixing this, try to uninstall My Web Search or My Search from your Add/Remove Programs control panel.)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - (no file)
O4 - HKLM\..\Run: [Ad-Aware-6] WINXP.EXE
(This is a bogus entry, as the item winxp.exe usually indicates a virus or trojan, but may also be used to hide adware.)
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
(This is installed as part of a Peer-to-Peer program such as Kazaa, or I suspect in your case, Limewire. This is usually the adware/spyware component. I recommend uninstalling your free P2P app, and using Kazaa Lite which does not contain adware, or cough up a few bucks and buy the Pro version of any P2P app, which do not contain adware. Also, I would guess that much of your spyware problems are coming from not being very cautious about what you download from P2Ps and run on your computer.)
O4 - HKLM\..\RunServices: [AOL Messenger] aolmsngr.exe
This looks like a possible variant of the bestfriends.scr adware virus. See our removal guide on that for assistance: http://www.short-media.com/forum/showthread.php?t=16748
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
(This is the "shopping" component of Limewire's adware. You should be able to remove it from your Add/Remove Programs control panel.)
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
(Waaaaay too random looking to be legit. Toast it.)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
Exit HJT. Stay in Safe Mode, locate the exe and dll files, and quarantine them.
Reboot normally, check things out, and see how it looks. Come back and let us know, post a fresh log for review.
Dexter...
Thanks for the advice. When I ran HJT in safe mode, the lines that were in red in your post did not come up on the scan.
I fixed everything else.
Then, when I went to quarantine the exe and dll files, I couldn't find efg.dll, SuperBar.Dll, or WINXP.EXE (I didn't know the path for this one.)
Then I rebooted in normal mode and was going to remove My Search in the Add/Remove Programs. However, when I click on remove, only a blank white window pops up. Also, when I tried to remove LimeShop, "the specified file could not be found."
Our computer is definitely faster than it was yesterday, but still seems sluggish. My new log follows. Again, thank you so much.
When I just hit preview (this post), I got the following popup:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.6
File: C:\Documents and Settings\Walter Flaherty.WALTER-GP4JPQSO\Local Settings\Temporary Internet Files\Content.IE5\I130P0FI\newreply[1].php
Location: C:\Documents and Settings\Walter Flaherty.WALTER-GP4JPQSO\Local Settings\Temporary Internet Files\Content.IE5\I130P0FI
Computer: WALTER-GP4JPQSO
User: Walter Flaherty
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Friday, August 20, 2004 6:04:58 PM
What is this !?!?
Anyway, here is my updated log:
Logfile of HijackThis v1.97.7
Scan saved at 5:43:56 PM, on 8/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\AIM95\aim.exe
C:\My Music\Ares.exe
C:\WINDOWS\System32\devldr32.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\My Music\Ares.exe" -h
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: PopupDummy! (HKCU)
O9 - Extra 'Tools' menuitem: PopupDummy! (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_12_0.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\egf.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about_:blank
R3 - Default URLSearchHook is missing
Let me know what that does.
Dexter...
In the last 10 minutes, though, I have gotten the following notifications:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Bookmarker.Gen
File: C:\Documents and Settings\Walter Flaherty.WALTER-GP4JPQSO\Local Settings\Temporary Internet Files\Content.IE5\4P2RCXM7\m[1].bin
Location: Quarantine
Computer: WALTER-GP4JPQSO
User: Walter Flaherty
Action taken: Quarantine succeeded : Access denied
Date found: Monday, August 23, 2004 5:57:12 PM
and
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.6
File: C:\Documents and Settings\Walter Flaherty.WALTER-GP4JPQSO\Local Settings\Temporary Internet Files\Content.IE5\I130P0FI\newreply[1].php
Location: C:\Documents and Settings\Walter Flaherty.WALTER-GP4JPQSO\Local Settings\Temporary Internet Files\Content.IE5\I130P0FI
Computer: WALTER-GP4JPQSO
User: Walter Flaherty
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Monday, August 23, 2004 6:00:37 PM
Here is my latest log:
Logfile of HijackThis v1.97.7
Scan saved at 5:59:46 PM, on 8/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\STOPzilla!\Stopzilla.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\HJT\HijackThis.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\System32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\My Music\Ares.exe" -h
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: PopupDummy! (HKCU)
O9 - Extra 'Tools' menuitem: PopupDummy! (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_12_0.cab
O19 - User stylesheet: C:\WINDOWS\win32.bmp
Thanks again.
Dexter...
It found and quarantined 1 virus:
backup-20040820-172300-983 in my new hijack folder C:\HJT
The virus name is Bloodhound.Exploit.6
However, I am still getting Antivirus popups. Here is one that I just got:
Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Bloodhound.Exploit.6
File: C:\Documents and Settings\Walter Flaherty.WALTER-GP4JPQSO\Local Settings\Temporary Internet Files\Content.IE5\SL2F89QR\newreply[1].php
Location: C:\Documents and Settings\Walter Flaherty.WALTER-GP4JPQSO\Local Settings\Temporary Internet Files\Content.IE5\SL2F89QR
Computer: WALTER-GP4JPQSO
User: Walter Flaherty
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Wednesday, August 25, 2004 6:58:41 AM
I'm beginning to think this is hopeless and I am going to need to rebuild the machine.
Action taken: Clean failed : Quarantine failed : Access denied
is that NAV cannot quarantine this file because it is on the web page's server.
I don't think you need to worry about these, but I am going to check Symantec's site when I get a chance to see if they have more info on it.
Dexter...
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.6.html
Summary:
Bloodhound.Exploit.6 is a heuristic detection for exploits of a Microsoft Internet Explorer vulnerability. This vulnerability was discovered in February 2004. The vulnerability results from the incorrect handling of HTML files embedded in CHM files. (CHM is the Microsoft-compiled HTML help format.)
By embedding a specially crafted URL in a Web page and having that URL refer to a CHM file containing an HTML file with scripts in it, an attacker could force the user who views the Web page with a vulnerable version of Internet Explorer to download and execute files.
But, so long as you have been doing your Windows Updates, this has been addressed in a critical update. You can read about and manually download the patch here:
http://www.microsoft.com/technet/security/bulletin/ms04-013.mspx
So, as I surmised, this is not a huge issue. You can lower the Bloodhound heuristics in your NAV control panel if you want to stop seeing them, but I would not advise doing that, so I recommend you just live with it if it pops up while web surfing. To make sure you don't see it during regular system scans, clean out your temporary internet folders:
C:\Documents and Settings\Walter Flaherty.WALTER-GP4JPQSO\Local Settings\Temporary Internet Files\Content.IE5
Delete the contents of that folder, and you should be fine.
Dexter...
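As an added example (not code from this thread or from HijackThis itself), here is a small Python triage script for the two log line types discussed above: the O1 hosts entries, whose 3466709097-style addresses are ordinary 32-bit IPv4 values written as a single integer, and the O16 DPF entries, where the ms-its:/mhtml: scheme is the CHM path that MS04-013 closed. The function names, the Finding class and the one 127.0.0.1 sample line are my own; the other sample lines are quoted from the logs in this thread.

```python
"""Triage two HijackThis (v1.97) line types: O1 hosts entries and O16 DPF entries.
Added example for this thread, not part of HijackThis; function names are mine."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "0.0.0.0"}          # addresses that merely sink a name
DOTTED = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s*(.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? -\s*(.*)$")

# Sample log: entries quoted from the thread plus one constructed 127.0.0.1 line.
SAMPLE_LOG = r"""
O1 - Hosts: 3466709097 #uto.search.msn.com
O1 - Hosts: 3466709097 www.your.com your.com
O1 - Hosts: 3466690378 ad.doubleclick.net
O1 - Hosts: 127.0.0.1 example-tracker.invalid
O16 - DPF: {11111111-1111-1111-1111-111111111123} - ms-its:mhtml:file://C:\ss.MHT!http://213.159.117.236/buka.chm::/hz.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
"""


@dataclass
class Finding:
    line: str
    verdict: str   # "ok", "blocks", "inert", "REDIRECT" or "SUSPECT"
    reason: str


def decode_host_ip(token: str) -> str:
    """Dotted quad for a hosts-file address. A bare decimal such as 3466709097
    (or 0x-hex) is the same 32-bit IPv4 value, just written to look opaque."""
    if DOTTED.fullmatch(token):
        return token
    n = int(token, 16) if token.lower().startswith("0x") else int(token)
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError(f"not an IPv4 value: {token}")
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def triage_o1(line: str) -> Finding:
    """Classify a hosts entry: loopback sinks a name, anything else redirects it."""
    m = O1_RE.match(line)
    if not m:
        raise ValueError(f"not an O1 line: {line}")
    ip = decode_host_ip(m.group(1))
    names = []
    for tok in m.group(2).split():
        name, hashed, _ = tok.partition("#")   # '#' opens a comment in a hosts file
        if name:
            names.append(name)
        if hashed:
            break
    if not names:
        return Finding(line, "inert", f"{ip} with no hostname (comment only)")
    who = ", ".join(names)
    if ip in LOOPBACK:
        return Finding(line, "blocks", f"{who} -> {ip}")
    return Finding(line, "REDIRECT", f"{who} -> {ip}: traffic sent to a third party, not blocked")


def triage_o16(line: str) -> Finding:
    """Flag DPF (downloaded ActiveX) entries with no URL, a CHM/MHTML scheme, or a bare-IP host."""
    m = O16_RE.match(line)
    if not m:
        raise ValueError(f"not an O16 line: {line}")
    clsid, url = m.group(1), m.group(3).strip()
    if not url:
        return Finding(line, "SUSPECT", f"{clsid} has no download URL")
    scheme = url.split(":", 1)[0].lower()
    if scheme in {"ms-its", "its", "mhtml"}:
        return Finding(line, "SUSPECT", f"{scheme}: scheme (CHM/MHTML path closed by MS04-013)")
    host = urlsplit(url).hostname or ""
    if DOTTED.fullmatch(host):
        return Finding(line, "SUSPECT", f"download from bare IP {host}")
    return Finding(line, "ok", f"download from {host}")


def triage_log(text: str) -> list[Finding]:
    """Run both checks over a pasted HijackThis log; other line types are skipped."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O1 - Hosts:"):
            out.append(triage_o1(line))
        elif line.startswith("O16 - DPF:"):
            out.append(triage_o16(line))
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.verdict:9} {f.reason}")
```

Run against the sample, the two 3466709097/3466690378 entries decode to 206.161.200.105 and 206.161.127.74, so the msn.com and ad-domain names are redirected to those hosts rather than blocked.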