Memory And Cpu Being Hogged Running Ie, Memory and CPU resources used 100% IE Options

[MFLucky7]

Here's my HJT log...can someone help? Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 11:20:01 PM, on 8/27/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINNT\System32\xtyoroiv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINNT\System32\wtaz.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\regedit.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\iasads.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {35FD605D-BA31-01BE-8E00-60550BA97361} - C:\WINNT\System32\ocbnuqks.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [qcpofl] C:\WINNT\System32\xtyoroiv.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\System32\pc32.exe bg
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\Radio@Netscape.exe
O4 - HKCU\..\Run: [Teda] C:\Documents and Settings\Administrator\Application Data\odpe.exe
O4 - HKCU\..\Run: [iasads] C:\WINNT\System32\iasads.exe
O4 - HKCU\..\Run: [Kdlhellk] C:\WINNT\System32\wtaz.exe
O4 - HKCU\..\Run: [wgsvja] C:\Documents and Settings\Administrator\Local Settings\Temp\wgsvja.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\dbywbla.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O20 - AppInit_DLLs: C:\WINNT\System32\log.dll

[daveai]

MFLucky7 -- Your logfile is being analyzed now, and a response will be posted shortly.

Thanks
daveai

[MFLucky7]

thanks....seems I have solved some of the problems but welcome more advice

thx
mark

[daveai]

MFLucky7 --- Thanks for sending your HijackThis logfile. Your system has several infections, which we will require two or three posts.

Please keep me informed of what you are doing to fix things. That way we won't end up duplicating effort.

The first thing I'd like for you to do is run VX2Finder, per the following:

[MFLucky7]

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---

[MFLucky7]

looks VX2 found nothing

[daveai]

MFLucky7 -- Thanks for sending you HijackThis log.

Good news about VX2 The following is based on your last HJT log, so some of the entries may have already been removed by your other cleaning efforts.

Go ahead and print these instructions, or save them to your desktop, to help keep track of the steps.

To start, allow yourself to view "Hidden files". Open Windows Explorer and go to "Tools" => "Folder Options" => "View" then click on the "Show Hidden Files and Folders" option, and un-check "Hide extensions for known file types" and "Hide protected operating system files" options. Then click the "Apply To All Folders" button.

1 -- Reboot into Safe Mode (How do I boot into "Safe" mode?).

2 -- Run HijackThis, and press Scan, and put a check against the following entries, if they still show up. Make sure all browsers and program windows are closed except for HijackThis.

O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: (no name) - {35FD605D-BA31-01BE-8E00-60550BA97361} - C:\WINNT\System32\ocbnuqks.dll

O4 - HKLM\..\Run: [qcpofl] C:\WINNT\System32\xtyoroiv.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINNT\System32\pc32.exe bg
O4 - HKCU\..\Run: [Teda] C:\Documents and Settings\Administrator\Application Data\odpe.exe
O4 - HKCU\..\Run: [iasads] C:\WINNT\System32\iasads.exe
O4 - HKCU\..\Run: [Kdlhellk] C:\WINNT\System32\wtaz.exe
O4 - HKCU\..\Run: [wgsvja] C:\Documents and Settings\Administrator\Local Settings\Temp\wgsvja.exe

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\dbywbla.exe

O20 - AppInit_DLLs: C:\WINNT\System32\log.dll

This is an optional fix:

Office Startup Asistant is an optional item that if checked, will eliminate a known resource hog. You will still be able to start Office components from the Start menu. This is the item to fix in HJT:
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Once you have selected all the items for HJT to fix, make sure all browsers and program windows are closed except for HijackThis, and click fix checked.

3 -- While still in safe mode, use Windows Explorer to delete the following lists of program files and folders, if they still exist.

C:\WINNT\localNRD.dll <-- this file (may already be gone)

C:\WINNT\System32\log.dll <-- this file (may already be gone)
C:\WINNT\System32\ocbnuqks.dll <-- this file (may already be gone)

C:\WINNT\conscorr.exe <-- this file

C:\WINNT\System32\pc32.exe <-- this file
C:\WINNT\System32\xtyoroiv.exe <-- this file
C:\WINNT\System32\iasads.exe <-- this file
C:\WINNT\System32\wtaz.exe <-- this file

C:\Program Files\Internet Explorer\dbywbla.exe <-- this file

C:\Documents and Settings\Administrator\Application Data\odpe.exe <-- this file

Please let me know about any problems with the file/folder deletes.

4 -- Next, use "Start > Run" and type in "%temp%" (without the quotes). Delete the entire contents of that "temp" folder (use "Edit > Select All", press "Delete", click "Yes").

Then, Empty your Temporary Internet Cache completely. Close all instances of Outlook and and Internet Explorer, then use "Control Panel > Internet Options > General tab" and click the "Delete File" button. When prompted place a check in: "Delete all offline content", then click OK.

Then, use Windows Explorer to clean out ALL the other temp folders on your system (navigate to the folder, use "Edit > Select All", press "Delete", click "Yes"):

* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Please let me know about any problems with the temp file deletes.

5 -- Then reboot normally, and let's run a battery of general scans to give your system a "good scrubbing".

1. Run Spybot S&D 1.3 (Suggested Setup Tutorial Here), then reboot.
   
2. Run Adaware SE (Suggested Setup Tutorial Here), the reboot.
   
3. And run either of these two Online virus scans: Panda Active Scan or TrendMicro Housecall and put on Auto Clean.

Please let me know if anything can not be cleaned by these utilities.

Now, reboot normally, and we'll take another look at your system.

Please run HijackThis to create a new logfile. Repost it here, and if you had any problems with the steps outlined above, please let us know what they were. Your response and the new logfile will determine the next steps for this fix.

Thanks
daveai

[MFLucky7]

did all that you instructed ...here is my latest HJT log...
computer is running much faster... thanks


Logfile of HijackThis v1.98.2
Scan saved at 8:39:11 PM, on 8/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\msdtc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~2\VetTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Radio@Netscape] C:\Program Files\Radio@Netscape\Radio@Netscape.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

[daveai]

MFLucky7 -- Congratulations, based on your last HijackThis logfile, no malware was found. Good job!

Please allow me to suggest some prevention steps to keep your computer clean and secure going forward. You may have already taken a few of the steps, but it never hurts to take a quick look

1 -- Use an AntiVirus Software, and be sure you update it at least once a week. There are several very good free programs available. Grinler offers an outstanding overview at Virus, Spyware, and Malware Protection and Removal Resources

2 -- To reduce re-infection potential for malware in the future, I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

3 -- Use AdAware SE and Spybot S&D to regularly to scan your system.

4 -- It is very important to make sure that both Internet Explorer and XP are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

5 -- Consider using a Firewall. Just by using a Firewall in its default configuration can lower your risk greatly. Check out what Lawrence Abrams has to say at Understanding and Using Firewalls

An excellent overview is: So how did I get infected in the first place?. Be sure to visit the browser test link at the end of the article to really see how secure your system is!!

Thanks
daveai

[ChrisRLG]

Glad we could be of assistance. This topic is now closed. If you wish it
reopened, please send us an email (Click here to email) with a link to your thread.

Donations in support of this Web Site are always appreciated

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.