Need help immediately (w/hijackthis log)






Posted by: ilove

I have no idea what happened to my computer. I have Norton 2005 and a firewall and spyware detector installed on my computer.
My problem is that every time I open my text files they close automatically. I did a full virus and spyware scan; after clearing up the spyware, it still happens. I even unplugged my internet connection to see if anybody is controlling my PC. I need to keep the text file open so I can do my work; I lost my work just because it automatically closed and it didn't even save it!
Can anyone please help me?



Posted by: intercodes

ilove,

So, there is still a virus/worm hanging around. Can you do an online virus scan from here:
[url]http://housecall.trendmicro.com/housecall/start_corp.asp[/url]

And download 'hijackthis', save the files to a folder, say c:/scan [important], and post a log in here.



Posted by: ilove

I went to the web site you gave me and did a full scan. After scanning my computer I created my HijackThis log.


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\install\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\install\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\install\SkyNet\FireWall\pfw.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\install\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\conime.exe
C:\install\Tencent\TT\TTraveler.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Downloads\software\spyware remove\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\install\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C088C334-B86C-344C-0F4B-E6396812E3BB} - C:\WINDOWS\addke32.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\install\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [wzfibc] C:\WINDOWS\System32\wzfibc.exe
O4 - HKLM\..\Run: [miwgjnokae] C:\WINDOWS\System32\egtgfkrr.exe
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] " C:\DOCUME~1\Owner\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe"
O4 - HKLM\..\Run: [2E.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\2E.tmp.exe 1 28129
O4 - HKLM\..\Run: [SKYNET Personal FireWall] C:\install\SkyNet\FireWall\pfw.exe
O4 - HKLM\..\Run: [apije32.exe] C:\WINDOWS\apije32.exe
O4 - HKLM\..\Run: [2E.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\2E.tmp.exe 1 28129
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [ntyz.exe] C:\WINDOWS\system32\ntyz.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\install\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Spyware Doctor] "C:\install\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\install\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\installs\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT![url]http://www.t058.com//inst//x.chm::/open.exe[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趋势科技在线扫毒程序) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {BAB3E70B-A847-4A88-ACFC-778FCCC00287} (CActSetupObj Object) - [url]http://www.odysseusmarketing.com/actsetup.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{24E9B8ED-8D4E-49E2-9A92-530EB03A204A}: NameServer = 151.197.0.38 151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{24E9B8ED-8D4E-49E2-9A92-530EB03A204A}: NameServer = 151.197.0.38 151.197.0.39
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\install\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\install\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\install\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\criv.exe (file missing)



Posted by: DMo224

Hi ilove. I'm looking at your HJT log. While I'm looking, please download [b]CWShredder[/b] (see sig) and run it. It may take care of some of your problems. Make sure that all browser windows are closed.

After that, run HJT and post a new log.

Dave :D



Posted by: DMo224

[i]If you have any questions about items to be fixed and you think they should remain, please let us know.[/i]

Turn off your system restore (can be turned back after fixes) and fix the following:

[b]R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] " C:\DOCUME~1\Owner\LOCALS~1\Temp\~compoundinst0\auto_update_loader.exe"
O4 - HKLM\..\Run: [2E.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\2E.tmp.exe 1 28129
O4 - HKLM\..\Run: [2E.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\2E.tmp.exe 1 28129[/b]

Fix the following hijackers:

[b]O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)[/b]

If you don't recognize the name of the object, or the URL it was downloaded from with the following log items, have HijackThis fix it:

[b]O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C:one.MHT![url]http://www.t058.com//inst//x.chm::/open.exe[/url]
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趋势科技在线扫毒程序) - [url]http://a840.g.akamai.net/7/840/537/...all/xscan53.cab[/url][/b]

Fix the following if the domain is not from your ISP or company network:

[b]O17 - HKLM\System\CCS\Services\Tcpip\..\{24E9B8ED-8D4E-49E2-9A92-530EB03A204A}: NameServer = 151.197.0.38 151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{24E9B8ED-8D4E-49E2-9A92-530EB03A204A}: NameServer = 151.197.0.38 151.197.0.39[/b]

After fixing:[list]
[*]Reboot into safe mode.
[*]Delete the file [b]winupdtl.exe[/b] which resides in C:\WINDOWS\System32\ or C:\WINDOWS\System\
[*]Remove all files from your C:\WINDOWS\TEMP folder and your C:\DOCUMENTS AND SETTINGS\(your username)\LOCAL SETTINGS\Temp\ folder. (Do NOT delete the folders themselves).
[*]Delete the file in the "O4 - [msmc]" entry of your log.
[*]Empty your recycle bin.
[*]You should run [b]Windows Update[/b] and install all critical updates.
[*]Make sure your anti-virus program is up to date and run it.
[*]Reboot one last time. [/list]

Lastly, run HJT again making sure all browser windows are closed and post the log here.

Dave :D



Posted by: ilove

Hi, thanks for the reply. Here is the log file I made after rebooting my computer from safe mode. I also have some questions to ask. First, in my log file there are always trusted zone entries pointing to some web sites. I don't know why, but every time I fix them by using the fix tool in HijackThis, then when I visit some web sites and use it to scan again, there are some other sites there. Second, when I use the wintask tool I see there is a service called svchost.exe local service that sometimes takes up 50% or more CPU usage and I can't cancel it. Those are all the questions I want to ask. Thank you.


Logfile of HijackThis v1.99.0
Scan saved at 23:38:18, on 2004-12-29
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\install\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\install\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\install\SkyNet\FireWall\pfw.exe
C:\install\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\install\Spyware Doctor\swdoctor.exe
C:\Downloads\software\spyware remove\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\install\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\install\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\install\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: 电台(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\install\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\install\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [wzfibc] C:\WINDOWS\System32\wzfibc.exe
O4 - HKLM\..\Run: [miwgjnokae] C:\WINDOWS\System32\egtgfkrr.exe
O4 - HKLM\..\Run: [SKYNET Personal FireWall] C:\install\SkyNet\FireWall\pfw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\install\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\install\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Spyware Doctor] "C:\install\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O8 - Extra context menu item: 使用网际快车下载 - C:\install\FlashGet\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\install\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\install\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java 控制台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\install\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\install\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\installs\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\install\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\install\FlashGet\flashget.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (趋势科技在线扫毒程序) - [url]http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab[/url]
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - [url]http://chat.yahoo.com/cab/yacsui.cab[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{24E9B8ED-8D4E-49E2-9A92-530EB03A204A}: NameServer = 151.197.0.38 151.197.0.39
O17 - HKLM\System\CS1\Services\Tcpip\..\{24E9B8ED-8D4E-49E2-9A92-530EB03A204A}: NameServer = 151.197.0.38 151.197.0.39
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\install\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\install\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\install\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
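
Comparing a follow-up log like the one above against the entries a helper asked to have fixed can be done mechanically. The Python sketch below is an added example, not part of any post in this thread: the function names are hypothetical, the sample text is a short excerpt of entries posted in this thread, and it assumes the forum wrapped long entries mid-word, so wrapped tails are joined without a space.

```python
import re

# A HijackThis entry line: section code (R0-R3, F0-F3, N1-N4, O1-O23), " - ", detail.
ENTRY = re.compile(r"^[RFNO]\d{1,2} - .+$")
# Forum markup that ends up inside pasted log lines.
BBCODE = re.compile(r"\[/?(?:b|i|url)\]", re.IGNORECASE)


def parse_hjt(text):
    """Return {normalized key: entry} for every entry line in a pasted log."""
    lines, in_entry = [], False
    for raw in text.splitlines():
        line = BBCODE.sub("", raw).strip()
        if ENTRY.match(line):
            lines.append(line)
            in_entry = True
        elif line and in_entry:
            lines[-1] += line      # tail of an entry the forum wrapped mid-word
        else:
            in_entry = False       # blank line, header or process list
    # Collapse whitespace and case so cosmetic differences do not hide a match.
    return {" ".join(l.split()).casefold(): l for l in lines}


def verify_fixes(requested, follow_up):
    """Split the requested fixes into (gone, still_present) in the follow-up log."""
    after = parse_hjt(follow_up)
    gone, still = [], []
    for key, entry in parse_hjt(requested).items():
        (still if key in after else gone).append(entry)
    return gone, still


# Excerpt of the entries the helper asked to have fixed (from this thread).
REQUESTED = r"""
[b]O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [AutoLoaderEnvoloAutoUpdater] " C:\DOCUME~1\Owner\LOCALS~1\Temp\~compoundinst0\aut
o_update_loader.exe"
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com[/b]
"""

# Excerpt of the follow-up log (from this thread).
FOLLOW_UP = r"""
Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\svchost.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\install\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
"""

if __name__ == "__main__":
    gone, still = verify_fixes(REQUESTED, FOLLOW_UP)
    for entry in gone:
        print("gone:          ", entry)
    for entry in still:
        print("still present: ", entry)
```

Entries reported as still present were either not fixed or were written back after the fix, which is the behaviour the poster describes for the Trusted Zone entries.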



Posted by: southernlady

ilove, [quote]there is a service call svchost.exe
local service some time takes up 50% or more cpu usage and I can't cancel it.[/quote]

[URL=http://support.microsoft.com/?kbid=314056]A description of Svchost.exe in Windows XP[/URL]

Run Hijack This again but this time in [URL=http://www.spyware911.net/safemode.htm]Safe Mode[/URL], and put a check by these. Close ALL windows except HijackThis and click [B]"Fix checked"[/B]

[COLOR=red][B]BECAUSE SAFE MODE IS INACCESSIBLE TO ONLINE, PLEASE PRINT THIS OUT AND HAVE IT ON NOTEPAD TO REFER TO BEFORE DOING THIS AND ASK ANY QUESTIONS BEFORE PROCEEDING.[/B][/COLOR]

[B]O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe[/B]

[B]O4 - HKLM\..\Run: [wzfibc] C:\WINDOWS\System32\wzfibc.exe[/B]

[B]O4 - HKLM\..\Run: [miwgjnokae] C:\WINDOWS\System32\egtgfkrr.exe[/B]

[B]O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe[/B] [B][URL=http://doxdesk.com/parasite/ClientMan.html]msmc/ClientMan[/URL][/B]

[B]IF YOU DO NOT recognize this, fix it:[/B]
[B]O8 - Extra context menu item: 使用网际快车下载 - C:\install\FlashGet\jc_link.htm[/B]

[B]IF YOU DO NOT recognize this, fix it:[/B]
[B]O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\install\FlashGet\jc_all.htm[/B]

[B]O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm[/B]

[B]O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm[/B]

[B]O15 - Trusted Zone: *.frame.crazywinnings.com[/B]

[B]O15 - Trusted Zone: *.static.topconverting.com[/B]

[B]O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)[/B]

[B]O15 - Trusted Zone: *.static.topconverting.com (HKLM)[/B]

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type [B]%temp%[/B] in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Reboot

Empty the Recycle Bin

Then post another log. Liz



Posted by: southernlady

Closing this thread due to lack of activity. Liz