Vin. Posted September 20, 2005

Motherboard:
CPU Type: Intel Celeron 4A, 2400 MHz (24 x 100)
Motherboard Name: Asus P4S533-MX (3 PCI, 1 AGP, 4 DIMM, Audio, Video)
Motherboard Chipset: SiS 651
System Memory: 512 MB (DDR SDRAM)

Display:
Video Adapter: ATI RADEON 9550 Secondary (256 MB)
Video Adapter: RADEON 9550 (256 MB)
3D Accelerator: ATI Radeon 9550 (RV350)

Now, those are my computer specs; now I'll explain what the problem is. For the last few months I've been playing World of Warcraft. It's been going fine, a bit laggy some days, etc. But yesterday, when I switched on my computer, I noticed it was a bit slow and laggy, without the game being open. I thought nothing of it and opened Warcraft; it got into the game, and I could barely move. If I moved, it would be stuttering the whole time. Now I know it isn't the game's server, because I went into a server with a low population, and it was just as bad as the server that was full.

It's not just Warcraft that's slow now, it's the entire computer. Take this for example: I start my computer, it automatically opens up MSN. I close it and restart it, and it takes about a minute to load MSN, just on its own. This is the same with Firefox, or any other program I open.

Now, I've done a complete spyware check on my computer; it found 5 files and deleted them. I also did a complete scan of my computer using my anti-virus software; it found a couple of things and also deleted them. But it's still not made any changes since I did this.

Can anyone please help me, as I really don't want to have to re-format the entire computer or anything. I want to buy a new computer, but this one is only a year or two old, and I don't really want to spend all the money on buying a computer. I mean, I could most likely find the money around the place, but I'm saving up for a vacation. Anywho, completely off topic.

Also, one more question. When I start my computer, my internet starts up also; I'm on DSL. When the computer used to start up, the internet would already be connected, so I could go straight into doing what I wanted over the net. Now, since it's been going slow, I've needed to start the computer up, unplug the DSL modem power cord from the modem itself, and plug it back in, just so my internet will work. I'm not sure if these are somehow related, but maybe they are. Any help on this would be excellent. Thank you for taking the time to read this.
SIP YEK NOD Posted September 20, 2005

Post your HijackThis log.
Forfit Posted September 20, 2005

Have you tried Ctrl+Alt+Del and checked your processes to see if there's something hogging the CPU usage? I had this happen a few days ago... in my case it was explorer.exe (System Restore fixed it).
Vin. Posted September 20, 2005 (author)

Logfile of HijackThis v1.99.1
Scan saved at 12:49:50 PM, on 20/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\dllcache\win32\winlogon.exe
c:\windows\system32\dllcache\win32\csrss.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\LOCALS~1\Temp\Rar$EX00.438\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://***.***.***.***/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://***.***.***.***/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://***.***.***.***/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://***.***.***.***/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [uStorage] c:\program files\u-storage tools2.1\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.1
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c400.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Apache - Unknown owner - c:\PROGRA~1\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - c:\PROGRA~1\AppServ\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Well, that's the big ass log. I blurred my IP, just cause I'm leet like that.
Vin. Posted September 20, 2005 (author)

> Have you tried Ctrl+Alt+Del and checked your processes to see if there's something hogging the CPU usage? I had this happen a few days ago... in my case it was explorer.exe (System Restore fixed it).

I just did what you said, and I found something called mDNSResponder. It's using between 70-95 CPU. I think that's what the problem is. Sorry for the double post.
SIP YEK NOD Posted September 20, 2005

OMGDOUBLEPOSTINGSPAMMAR!!!!

Nothing seems out of the ordinary with your log. Try disabling the Bonjour thing and restart, see if that fixes it. An Apple program f*cking with Windows, what are the chances.
Vin. Posted September 20, 2005 (author)

How do I disable it? Sorry, I'm stupid.
SIP YEK NOD Posted September 20, 2005

Go to Start > Run and type msconfig. Click the "Startup" tab and disable "mDNSResponder.exe", then click "Services" and disable "C:\Program Files\Bonjour\mDNSResponder.exe". Click OK, then restart.
Vin. Posted September 20, 2005 (author)

I couldn't find "mDNSResponder.exe" in the Startup tab, but I did find the second bit. I disabled that, and I think it seems to be going faster. It isn't in the Processes tab in the WTM anymore, so I'm guessing it's gone. Thanks dude. +1 karma for SYN.
Wolf68k Posted September 20, 2005

> Nothing seems out of the ordinary with your log. Try disabling the Bonjour thing and restart, see if that fixes it.

WRONG!!!!!!!!!!!!!!!!!!!!!!

There are a few things that bother me.

Running Processes:
c:\windows\system32\dllcache\win32\winlogon.exe
c:\windows\system32\dllcache\win32\csrss.exe
Why are these 2 running from there? It should be just c:\windows\system32\

These can be disabled from start up. First check each one to see if it has a setting for it, or remove it from the Registry manually:
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe [there is a setting]
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" [manual removal only]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime [manual removal only]
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot [I have no clue, since I refuse to install RealPlayer any more]
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe [hell, I forget; I did it manually because I can, but I do think there is a setting within Nero]

VIRUS ALERT: W32/Rbot-HU
O4 - HKLM\..\Run: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe
Read: http://www.sophos.com/virusinfo/analyses/w32rbothu.html

POSSIBLE VIRUS ALERT
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
While normally ctfmon.exe is safe (part of MS Office), it's not normally found running as a startup item. I would check it out very deeply if I were you, just to be safe.

Do you really trust any of these sites?
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com [somehow I doubt you put that in, which makes me think you didn't put in any of the others either]
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM) [somehow I doubt you put that in, which makes me think you didn't put in any of the others either]
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)

Past spyware:
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c400.cab
Kill it. Ad-Aware and/or Spybot should see it, I can't say for sure. Also check "C:\WINDOWS\Downloaded Program Files" manually for anything that relates to Windupdates.

The Bonjour Service (mDNSResponder.exe) is safe. It's part of iTunes. If you never use iTunes, then set the service to Disabled. If you do use it, set it to Manual; this way, if it's needed, it can still be called on.
SIP YEK NOD Posted September 20, 2005

> POSSIBLE VIRUS ALERT
> O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
> While normally ctfmon.exe is safe (part of MS Office), it's not normally found running as a startup item. I would check it out very deeply if I were you, just to be safe.

WRONG!!!!!!!! (doesn't feel so good, does it?) It's part of the language bar, and is running from the correct Windows folder. You would have to find out if he has the language bar on before assuming it's a virus.

As for the virus, yeah, I missed that.
Vin. Posted September 20, 2005 (author)

Don't fight over my viruses. Wolf, be a darl and go on IRC, would ya, so you can explain exactly how to do what you said. Cause I don't understand sh*t.
Cran. Posted September 20, 2005

> O15 - Trusted Zone: *.blazefind.com
> O15 - Trusted Zone: *.clickspring.net
> O15 - Trusted Zone: *.flingstone.com
> O15 - Trusted Zone: *.mt-download.com
> O15 - Trusted Zone: *.my-internet.info
> O15 - Trusted Zone: *.searchbarcash.com
> O15 - Trusted Zone: *.searchmiracle.com
> O15 - Trusted Zone: *.skoobidoo.com
> O15 - Trusted Zone: *.slotch.com
> O15 - Trusted Zone: *.slotchbar.com
> O15 - Trusted Zone: *.windupdates.com
> O15 - Trusted Zone: *.xxxtoolbar.com
> O15 - Trusted Zone: *.ysbweb.com
> O15 - Trusted Zone: *.blazefind.com (HKLM)
> O15 - Trusted Zone: *.clickspring.net (HKLM)
> O15 - Trusted Zone: *.flingstone.com (HKLM)
> O15 - Trusted Zone: *.mt-download.com (HKLM)
> O15 - Trusted Zone: *.my-internet.info (HKLM)
> O15 - Trusted Zone: *.searchbarcash.com (HKLM)
> O15 - Trusted Zone: *.searchmiracle.com (HKLM)
> O15 - Trusted Zone: *.skoobidoo.com (HKLM)
> O15 - Trusted Zone: *.slotch.com (HKLM)
> O15 - Trusted Zone: *.slotchbar.com (HKLM)
> O15 - Trusted Zone: *.windupdates.com (HKLM)
> O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
> O15 - Trusted Zone: *.ysbweb.com (HKLM)

I wouldn't trust these sites if I were you. So I guess something like a virus has got your computer.
Vin. Posted September 20, 2005 (author)

One other thing also: when I leave my computer on at night, it usually ends up freezing. I mean, I restart the computer before I go to bed, I leave MSN and mIRC open sometimes, and occasionally AIM, while I'm sleeping. I wake up in the morning and it's frozen; the mouse won't move, the time down in the bottom right corner won't work, etc. Any idea why this is? I'm guessing something is eating at the CPU, causing it to crash. This also happens sometimes when I go to school and leave my computer on during the day.
vALKYR Posted September 20, 2005

> Running Processes:
> c:\windows\system32\dllcache\win32\winlogon.exe
> c:\windows\system32\dllcache\win32\csrss.exe
> Why are these 2 running from there? It should be just c:\windows\system32\

Exactly, that's very strange; normally they should run from system32. Check whether the files are also present in system32.

> Any idea why this is? I'm guessing something is eating at the CPU, causing it to crash. This also happens sometimes when I go to school and leave my computer on during the day.

I've heard of several Windows spyware and viruses that ask a lot from the CPU for no particular reason. I've also heard of several viruses that try to stress the CPU so much that it gives an overflow error (this happens when the CPU cannot calculate several things anymore because they were greater than its calculating ability (32-bit)). Correct me if I'm wrong.

Edited September 20, 2005 by vALKYR
Vin. Posted September 20, 2005 (author)

> > Running Processes:
> > c:\windows\system32\dllcache\win32\winlogon.exe
> > c:\windows\system32\dllcache\win32\csrss.exe
> > Why are these 2 running from there? It should be just c:\windows\system32\
>
> Exactly, that's very strange; normally they should run from system32. Check whether the files are also present in system32.

Yes, those two files are present in the c:\windows\system32\ folder. Is this a good or a bad thing? I don't want to delete something that could destroy my computer; I have some important things on here.
vALKYR Posted September 20, 2005

> > > Running Processes:
> > > c:\windows\system32\dllcache\win32\winlogon.exe
> > > c:\windows\system32\dllcache\win32\csrss.exe
> > > Why are these 2 running from there? It should be just c:\windows\system32\
> >
> > Exactly, that's very strange; normally they should run from system32. Check whether the files are also present in system32.
>
> Yes, those two files are present in the c:\windows\system32\ folder. Is this a good or a bad thing? I don't want to delete something that could destroy my computer; I have some important things on here.

I wouldn't suggest deleting those in /system32, nor would I try to delete the files in /dllcache, as they're running anyway and seem to be part of the active Windows session.
Vin. Posted September 20, 2005 (author)

I thought that I would post my second HijackThis log, now that I've done a spyware scan using Spybot and Ad-Aware, and also after disabling the stuff that SYN said. Anywho, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 3:40:43 AM, on 21/09/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\dllcache\win32\winlogon.exe
c:\windows\system32\dllcache\win32\csrss.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\DOCUME~1\LOCALS~1\Temp\Rar$EX01.640\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iprimus.com.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [siS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [uStorage] c:\program files\u-storage tools2.1\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.1
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by106fd.bay106.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Apache - Unknown owner - c:\PROGRA~1\AppServ\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - c:\PROGRA~1\AppServ\mysql\bin\mysqld-nt.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Maybe you guys can see a difference; maybe it's improved, I don't know, but it seems to be running better than when I made the thread.
Wolf68k Posted September 20, 2005 Share Posted September 20, 2005 POSSIBLE VIRUS ALERTO4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe While normally the ctfmon.exe is safe (part of MS Office), it's not normally found to be running as a startup item. I would check out very deeply if I was you just to be safe. WRONG!!!!!!!!(doesn't feels so good, does it ) its part of the language bar, and is running from the correct windows folder. you would have to find out if he has the language bar on before assuming its a virus as for the virus, yeah, i missed that I didn't mean to do the wrong part that way...sorry I was a little punchy last night falling asleep while typing will do that to you. As for you tell me I'm wrong, you're right and your wrong. What part of the "possible virus alert" don't you get. CTFmon.exe is part of a language bar, I mentioned that. However ctfmon.exe is also the filename of 2 known viruses and 1 spyware. Hense the reason to check it out to be on the safe side. But hey we can clear this up easily. Vinny, did you install MS Office XP? If yes, then you should be ok and if you want you can disable this if you don't use it. If not, bad news. @Vinny Sorry I wasn't on too much longer after writing this, so IRC wasn't possible. Now for you updated HJT log. Running Processes: C:\WINDOWS\system32\winlogon.exe [ok this is normal, but the 2 below still aren't] c:\windows\system32\dllcache\win32\winlogon.exe c:\windows\system32\dllcache\win32\csrss.exe Both winlogon.exe and csrss.exe should be found in Windows\System32\ as well as Windows\System32\dllcache\ but it should be running from the Windows\System32\ it's the addition of \win32\ that really confuses me only because I don't have that folder but that could be the fact you're using Home SP2 (just a guess) while I'm running Pro SP1. 
After further research I now think I know why these are there... take note of the above 2 running processes. I'm still worried about
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
These are possible malware (ad/spyware). The only thing I can really find, and it isn't much, is to give this a crack at it: http://www.kaspersky.com/ These are said to be part of Win32.Iroffer.b, which is detected by Kaspersky. They have a single file virus scanner here: http://www.viruslist.com/en/ They also have a 30-day trial version of their anti-virus.

You've still got the virus
O4 - HKLM\..\Run: [Microsoft Update Machine] servicz.exe
Read the link I gave you before. Print out the manual removal steps if need be, and then boot into Safe Mode and follow those removal steps.

Still don't need these running at start up
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background [this is what makes me think it's Home SP2]
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

Start->Run type: services.msc
1. Find Bonjour Service, right-click and select Properties. Stop the service and set it to either Manual (if you use iTunes) or Disable (if you do not use iTunes)
2. Find iPodService, right-click and select Properties.
If you DO NOT have an iPod (or anything in the iPod line), stop the service and set it to Disable. If you do have an iPod (or anything in the iPod line) then leave this alone.

You still have some trusted sites I still don't trust
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
Vin. Posted September 21, 2005 Author

I don't believe I have SP1 or SP2. The only time I would have them was when I was making the computer, and that was a couple years ago, and I don't remember installing either. I'll give what you said a go in a couple. Thanks wolf.
Wolf68k Posted September 21, 2005

I knew there was something else bugging me
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\RunServices: [ati control panel] atiphexx.exe
O4 - HKCU\..\Run: [ati control panel] atiphexx.exe
These are part of another worm/virus: http://www.sophos.com/virusinfo/analyses/w32agobotnv.html
Remove these the same way I showed you last night. The last one though is a bit different. The CU means CURRENT_USER, but the path to get to the Run part is still the same: Software\Microsoft\Windows\CurrentVersion\Run
Then don't forget to check C:\Windows\ and C:\Windows\System32\ for the file 'atiphexx.exe'
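The checks Wolf68k applies by hand in the two posts above (core Windows binaries loading from somewhere other than System32, Run entries that name a bare file such as servicz.exe or atiphexx.exe with no path, trusted-zone additions, and services whose file is missing) can be written down as a small triage pass over HijackThis-style lines. The script below is an added example for this thread; it is not part of HijackThis or of any poster's toolset. The sample lines are constructed from entries quoted in the thread, and the System32 path and the list of core binaries are assumptions for a default Windows XP install.

```python
"""Triage checks for HijackThis-style O4/O15/O23 log lines.

Added example for this thread, not part of HijackThis. The System32 path and
the core-binary list are assumptions for a default Windows XP install.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the entries quoted in the thread above.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\Run: [ati control panel] atiphexx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
""".strip()

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted (?P<kind>Zone|IP range): (?P<target>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.*)$")
# First token ending in .exe, optional leading quote; tolerates HJT dropping the opening quote.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)

SYSTEM32 = r"c:\windows\system32"  # assumption: default XP system root
# Core binaries that should only ever load from System32 (the thread's point about
# winlogon.exe, csrss.exe and ctfmon.exe, extended to a few other well-known ones).
CORE_SYSTEM_BINARIES = {
    "winlogon.exe", "csrss.exe", "ctfmon.exe", "smss.exe",
    "lsass.exe", "services.exe", "svchost.exe",
}


def executable_path(cmd: str) -> Optional[str]:
    """Return the executable named in a Run/Service command string, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def _finding(line: str, rule: str, severity: str, detail: str) -> Dict[str, str]:
    return {"line": line, "rule": rule, "severity": severity, "detail": detail}


def _check_executable(line: str, cmd: str, findings: List[Dict[str, str]]) -> None:
    path = executable_path(cmd)
    if path is None:
        return
    directory, base = ntpath.split(path)  # ntpath parses Windows paths on any host OS
    if not directory:
        findings.append(_finding(
            line, "bare_filename", "high",
            f"{base} is listed without a path, so Windows resolves it by search order at "
            "logon; locate the file (Windows and System32 folders first) before trusting it"))
        return
    if base.lower() in CORE_SYSTEM_BINARIES and directory.lower() != SYSTEM32:
        findings.append(_finding(
            line, "system_binary_outside_system32", "high",
            f"{base} is loading from {directory}, not {SYSTEM32}"))


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run every check over each non-empty line and return the findings."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            findings.append(_finding(
                line, "file_missing", "low",
                "entry points at a file that no longer exists; stale uninstall or tampered entry"))
        if m := O4_RE.match(line):
            _check_executable(line, m.group("cmd"), findings)
        elif m := O23_RE.match(line):
            if m.group("owner").lower() == "unknown owner":
                findings.append(_finding(
                    line, "unknown_owner", "low",
                    "service binary carries no vendor information; verify its publisher"))
            _check_executable(line, m.group("cmd"), findings)
        elif m := O15_RE.match(line):
            findings.append(_finding(
                line, "trusted_zone", "medium",
                f"{m.group('target')} is exempt from Internet Zone restrictions; confirm the user added it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['rule']}: {f['detail']}\n    {f['line']}")
```

Run as a script it prints one finding per matched rule; the legitimate ctfmon.exe in System32 and the iPodService entry produce nothing, while the two bare-filename Run entries and the winlogon.exe copy under dllcache\win32 are flagged high. The rules only narrow down what to look at; confirming a hit still means finding the file on disk and checking its publisher, as the thread does.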
Vin. Posted September 22, 2005 Author

Done. I removed those things how you told me to do them on Google Talk. I just hope my Radeon drivers are the same etc.
Wolf68k Posted September 24, 2005

atiphexx.exe has nothing to do with ATI cards. It's part of a virus. I'm sorry I didn't look further into it like I should have. If the file itself wasn't found, like that other one, then you should be ok.