WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93084 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] CPU is Pegged (100%) most of the time

Started by cave , Jan 21 2009 02:42 PM

This topic is locked

8 replies to this topic

#1 cave

New Member

New Member
4 posts

Posted 21 January 2009 - 02:42 PM

My CPU is pegged out all of the time, and I can't find the problem. If I disable most of the services it will run normally, but I can’t do anything that way either. My antivirus didn't find anything, and neither did a Safety.live.com scan. I’ve run HijackThis, but it doesn’t mean much to me. Can someone look at it and see if something stands out?

Thanks
CAVE

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:13 PM, on 1/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Hirschmann\Industrial HiVision 2.0\services\HiMasterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Kepware Technologies\IndustrialSNMP\bin\INSOPCServerSvc.exe
C:\Program Files\Hirschmann\Industrial HiVision 2.0\services\HiVisionKernelDb.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\TEMP\NC6974.EXE
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotf...ount_id=1001732
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 170.221.52.249:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.94patchlink.ferro.com (HKLM)
O15 - ESC Trusted Zone: *.94patchlink.ferro.com (HKLM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://virus94.ferro...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://virus94.ferro...stall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {304171C0-65EA-4B51-B5D9-93A311E26EB1} (MxPEG_ActiveX Control) - http://192.168.0.170...b?dummy=9393992
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://virus94.ferro...html/AtxEnc.cab
O16 - DPF: {57802C16-9A15-11D4-B2A8-0090272E599B} (SetServer2 Class) - http://fw-control/We...coSetServer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1230345318648
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1230345204563
O16 - DPF: {91B29AFF-E4FF-11D6-8C88-00A0C9D7BBEB} (RADriveWebUpdateCtrl Class) - http://abweb.rockwel...veWebUpdate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = foe.ferrocorp.net
O17 - HKLM\Software\..\Telephony: DomainName = foe.ferrocorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = foe.ferrocorp.net
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: ICONICS License Server (GenRegistrar) (GenRegistrar) - ICONICS, Inc. - C:\Program Files\ICONICS\GENESIS-32\Bin\GenRegistrarServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: Hirschmann Industrial HiVision 2.00 Master Service (HiMasterService 2.00) - Unknown owner - C:\Program Files\Hirschmann\Industrial HiVision 2.0\services\HiMasterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IndustrialSNMP Service (ISNMPSVC) - Kepware - C:\Program Files\Kepware Technologies\IndustrialSNMP\bin\INSOPCServerSvc.exe
O23 - Service: Symantec Ghost Win32 Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PatchLink Update - Novell, Inc. - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: 1789-SIM Simulator Module (SimModuleService) - Unknown owner - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O24 - Desktop Component 0: (no name) - http://192.168.0.171...jpg?rand=986945

--
End of file - 10579 bytes

StartupList report, 1/21/2009, 2:23:12 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Hirschmann\Industrial HiVision 2.0\services\HiMasterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Kepware Technologies\IndustrialSNMP\bin\INSOPCServerSvc.exe
C:\Program Files\Hirschmann\Industrial HiVision 2.0\services\HiVisionKernelDb.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\TEMP\NC6974.EXE
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

OfficeScanNT Monitor = "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
NWTRAY = NWTRAY.EXE
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
nwiz = nwiz.exe /installquiet
NGClient = C:\Program Files\Symantec\Ghost\ngctw32.exe
NeroFilterCheck = C:\WINDOWS\system32\NeroCheck.exe
MsmqIntCert = regsvr32 /s mqrt.dll
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
DVDSentry = C:\WINDOWS\System32\DSentry.exe
DVDLauncher = "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
Dell QuickSet = C:\Program Files\Dell\QuickSet\quickset.exe
BluetoothAuthenticationAgent = rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
Apoint = C:\Program Files\Apoint\Apoint.exe
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NBJ = "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\scrnsave.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Download Program Files:

[ObjWinNTCheck Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\WinNTChk.dll
CODEBASE = http://virus94.ferro...ll/WinNTChk.cab

[Microsoft Office Template and Media Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IEAWSDC.DLL
CODEBASE = http://office.micros...tes/ieawsdc.cab

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com...ex/qtplugin.cab

[OfficeScan Corp Edition Web-Deployment SetupCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\OfficeScanSetup.dll
CODEBASE = http://virus94.ferro...stall/setup.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft....k/?linkid=39204

[MxPEG_ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\MXPEG_~1.OCX
CODEBASE = http://192.168.0.170...b?dummy=9393992

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...D0C/wmv9dmo.cab

[Encrypt Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\AtxEnc.dll
CODEBASE = http://virus94.ferro...html/AtxEnc.cab

[SetServer2 Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\IcoSetServer.dll
CODEBASE = http://fw-control/We...coSetServer.cab

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = http://cdn.scan.onec...lscbase6662.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://update.micros...b?1230345318648

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\muweb.dll
CODEBASE = http://update.micros...b?1230345204563

[RADriveWebUpdateCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RADriveWebUpdate.dll
CODEBASE = http://abweb.rockwel...veWebUpdate.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #7: C:\WINDOWS\system32\wshbth.dll
NameSpace #8: C:\Program Files\Bonjour\mdnsNSP.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 9,136 bytes
Report generated in 0.581 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Advertisements

Register to Remove

#2 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 29 January 2009 - 01:38 PM

Hi cave,

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use FireFox or the Opera browser
To keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Then

Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#3 cave

New Member

New Member
4 posts

Posted 29 January 2009 - 03:10 PM

Thank you TomK. Here are the logs.

Malwarebytes' Anti-Malware 1.33
Database version: 1705
Windows 5.1.2600 Service Pack 2

1/29/2009 2:48:52 PM
mbam-log-2009-01-29 (14-48-52).txt

Scan type: Quick Scan
Objects scanned: 78618
Time elapsed: 39 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:44 PM, on 1/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\Kepware Technologies\IndustrialSNMP\bin\INSOPCServerSvc.exe
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\TEMP\ET84DE.EXE
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\ICONICS\GENESIS-32\Bin\GenRegistrarServer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Rockwell Software\RSLinx\RSLinx.exe
C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
C:\PROGRA~1\ICONICS\GENESI~1\Bin\GASCLI~1.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 170.221.52.249:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.94patchlink.ferro.com (HKLM)
O15 - ESC Trusted Zone: *.94patchlink.ferro.com (HKLM)
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://virus94.ferro...ll/WinNTChk.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://virus94.ferro...stall/setup.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {304171C0-65EA-4B51-B5D9-93A311E26EB1} (MxPEG_ActiveX Control) - http://192.168.0.170...b?dummy=9393992
O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - http://virus94.ferro...html/AtxEnc.cab
O16 - DPF: {57802C16-9A15-11D4-B2A8-0090272E599B} (SetServer2 Class) - http://fw-control/We...coSetServer.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase6662.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1230345318648
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1230345204563
O16 - DPF: {91B29AFF-E4FF-11D6-8C88-00A0C9D7BBEB} (RADriveWebUpdateCtrl Class) - http://abweb.rockwel...veWebUpdate.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = foe.ferrocorp.net
O17 - HKLM\Software\..\Telephony: DomainName = foe.ferrocorp.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = foe.ferrocorp.net
O23 - Service: 1784-PCIDS DeviceNet - Rockwell Automation - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\PcidsService.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dnWhoDisp - Unknown owner - C:\Program Files\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: ICONICS License Server (GenRegistrar) (GenRegistrar) - ICONICS, Inc. - C:\Program Files\ICONICS\GENESIS-32\Bin\GenRegistrarServer.exe
O23 - Service: Harmony - Rockwell Software Inc. - C:\PROGRA~1\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IndustrialSNMP Service (ISNMPSVC) - Kepware - C:\Program Files\Kepware Technologies\IndustrialSNMP\bin\INSOPCServerSvc.exe
O23 - Service: Symantec Ghost Win32 Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PatchLink Update - Novell, Inc. - C:\Program Files\Patchlink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - C:\PROGRA~1\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: 1789-SIM Simulator Module (SimModuleService) - Unknown owner - C:\Program Files\Rockwell Software\RSLogix Emulate 5000\SimModuleService.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O24 - Desktop Component 0: (no name) - http://192.168.0.171...jpg?rand=986945

--
End of file - 10387 bytes

#4 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 29 January 2009 - 03:35 PM

cave, Well that didn't do much. :wacko:

I'm not finding any malware. However, based upon the programs you're running, this appears to be a corporate computer. Is this true?

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#5 cave

New Member

New Member
4 posts

Posted 29 January 2009 - 03:39 PM

You're good. It is a company computer. I do industrial programming, but I can't seem to find my problem. I should have also told you that I discovered my Kernel Times to be high last week. I've updated/reloaded all of my drivers and disabled the IR port because I don't use it. The problem is better, but not cured. The CPU stays pegged when I try to run apps, and it jumps up and down when idle. Let me know if you think of anything else to try. I was realy hoping to find some type of virus... Thanks, CAVE

Edited by cave, 29 January 2009 - 03:47 PM.

#6 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 29 January 2009 - 04:59 PM

cave,

I am completely unfamiliar with the Rockwell Software, ICONICS, and Kepware software. I also haven't got any clue what C:\WINDOWS\TEMP\ET84DE.EXE. An executable running from a Temp file is often bad news.

If I were continuing with you, I'd probably have you submit that file to Jotti for review at http://virusscan.jotti.org. Then I'd tell you that your Java is over a year out of date and therefore vulnerable. You need to `go to Java Runtime Environment (JRE) Version 6 and download JRE6 update 11. Then uninstall all other versions of java. Install the new one, and empty the Java Cache. Then I'd probably refer you to the tech team for help.

Unfortunately, per this forums Terms of Use, we don't work with corporate computers.

If you have any questions about this, let me know. Otherwise this thread will be closed.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#7 cave

New Member

New Member
4 posts

Posted 29 January 2009 - 06:52 PM

TomK, Rockwell Software, ICONICS, and Kepware software are apps used in industrial programming. I'll look into your suggestions. I'm sorry about the Terms of Use - Maybe I should have actually read them... Thanks for your help. CAVE

#8 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 29 January 2009 - 06:58 PM

cave, No worries. The real risk is "specialized" programs like you have, may or may not co-operate with the tools and techniques we use. We would all really hate to make things worse for you. I wish you the best of luck. :thumbup:

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

#9 Tomk

Beguilement Monitor

Global Moderator
20,451 posts

Posted 01 February 2009 - 10:19 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014

Body Background

skin color theme