(XP Pro)100% cpu usage by several apps & freeze at shutd

 
khoma

Cadet
Joined: Mar 15, 2004
Posts: 6
Location: Netherlands

Posted: Wed Mar 24, 2004 6:06 am    Post subject: (XP Pro)100% cpu usage by several apps & freeze at shutd

Well, that's about it... sometimes explorer.exe causes 100% CPU load, sometimes it's another app like Soulseek; Stinger can't find a thing, neither can Ad-Aware or McAfee... also, when I shut down, my laptop freezes at the 'Windows is shutting down' screen..

I run Windows XP Pro
irelynnmisses

1st Responder
Joined: Jan 27, 2004
Posts: 981
Location: USA

Posted: Wed Mar 24, 2004 8:30 am

First off, please run Spybot Search & Destroy, which can be found at http://security.kolla.de.
Fix all items it finds that are in red. Make sure it is updated or it won't catch everything.
Spybot S&D > Immunize > Recommended miscellaneous protections

Please download this tool:
www.zerosrealm.com/downloads/hjt.zip
Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, load it in Notepad, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.

_________________
Forum Moderator at:
http://killspyware.go.dyndns.org/
Helper At:
http://www.spywareinfo.com/
1st Responder At:
http://www.computercops.biz/
khoma

Posted: Wed Mar 24, 2004 9:07 am

Logfile of HijackThis v1.97.7
Scan saved at 15:06:41, on 24-3-2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\KHOMA~1.TEC\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnbforum.nl/index.php?op=forum
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh...wflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
irelynnmisses

Posted: Wed Mar 24, 2004 10:23 am

Looks fine to me =)

These ones are optional to remove, but removal will speed up your PC and its performance. You can still access them manually by clicking on the icon. They usually aren't malware, just resource hogs.

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

There are several other resource hogs, but you probably need those.

Have you gotten a trojan scan?
Also, I am learning to read startup logs and we have a boot camp with experts helping us. If you want to produce one for me, I can take it there and have it analyzed for ya.. =)

If you open HijackThis and click on Misc Tools you will see the startup list; do the same thing with it that you did with your HijackThis log, if you want.

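As an added example (not part of the thread and not HijackThis's own code), the log format posted above can be parsed so that the O4 autorun entries the reply singles out become structured records. The function names and the has_path flag are this example's own.

```python
import re
from collections import defaultdict

# Added example, not from the thread; sample lines are an excerpt of the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\KHOMA~1.TEC\LOCALS~1\Temp\Rar$EX00.578\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dnbforum.nl/index.php?op=forum
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")                # "O4 - <body>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.*)$")   # registry Run key entry
STARTUP = re.compile(r"^(.*Startup): (.+?) = (.*)$")          # startup-folder shortcut

def parse_log(text):
    """Split a HijackThis log into running processes and entries keyed by section code."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def autoruns(entries):
    """Turn O4 lines into records; has_path is False when the command is a bare file name."""
    out = []
    for body in entries.get("O4", []):
        m = RUN.match(body)
        if m:
            source, name, cmd = f"{m.group(1)}\\{m.group(2)}", m.group(3), m.group(4)
        else:
            m = STARTUP.match(body)
            if not m:
                continue
            source, name, cmd = m.groups()
        out.append({"source": source, "name": name, "command": cmd,
                    "has_path": bool(re.match(r'^"?[A-Za-z]:\\', cmd))})
    return out
```

Entries with has_path False, such as SoundMan here, name a file without its directory, so a reviewer has to confirm on disk which file actually runs.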
khoma

Posted: Wed Mar 24, 2004 10:38 am

Thanks in advance.. this is quite a log :)


StartupList report, 24-3-2004, 16:37:37
StartupList version: 1.52
Started from : C:\DOCUME~1\KHOMA~1.TEC\LOCALS~1\Temp\Rar$EX00.126\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Soulseeknew\slsk.exe
C:\Program Files\Windows NT\Bureau-accessoires\WORDPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\KHOMA~1.TEC\LOCALS~1\Temp\Rar$EX00.126\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SoundMan = SOUNDMAN.EXE
SiS Tray = C:\WINDOWS\System32\sistray.EXE
SiS KHooker = C:\WINDOWS\System32\khooker.exe
LTSMMSG = LTSMMSG.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
McAfee Guardian = "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
McAfee.InstantUpdate.Monitor = "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
AIM = C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[{4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B}]
CODEBASE = http://www.ipswitch.com/_installs/wsftp_le/setup.exe

[CRAVOnline Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ravonline.dll
CODEBASE = http://www.ravantivirus.com/scan/ravonline.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/sh...wflash.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5.251 bytes
Report generated in 0,631 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
irelynnmisses

Posted: Wed Mar 24, 2004 2:02 pm

It has been posted and I have asked for help in analyzing it. In the meantime you should visit your Windows Update web site and DL all critical updates; it is vital for the performance and health of your operating system, and it fixes a lot of bugs that leave you vulnerable.

You can do this by clicking here:

http://v4.windowsupdate.microsoft.com/en/default.asp

irelynnmisses

Posted: Wed Mar 31, 2004 4:02 am

OK, you still there?
All times are GMT - 5 Hours