100% cpu usage

dmozur · Guest

I am running W2K. On startup I get error message reading "can't run scripts on this page" followed by multiple popups, even tho browser is not open and Popup Stopper Pro is running.

After several minutes either the browser freezes, ad-aware freezes if I am trying a scan. At that time task manager shows 100% cpu usage, with either winlogon or ad-aware showing 99% usage.

Have tried latest Spybot and Ad-Aware without any help. Below is my hyjack this file. Can anyone help??

Dave

Logfile of HijackThis v1.97.7
Scan saved at 2:33:29 PM, on 4/21/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINNT\System32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\DOCUME~1\DmoZUR\LOCALS~1\Temp\EMESH.EXE
C:\DOCUME~1\DmoZUR\LOCALS~1\Temp\EMESH.EXE
C:\Program Files\Active ShutDown\asd.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Screenshot Utility\ScreenshotUtility.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\msiexec.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://c:\DOCUME~1\DmoZUR\LOCALS~1\Temp\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\MTUSpeed\help\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://c:\DOCUME~1\DmoZUR\LOCALS~1\Temp\toolbar.dll/sa
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: FDA Bar - {9595C62C-76C6-49A6-9BDA-3253DD7A34FF} - C:\Program Files\Free Downloads Accelerator\fdabar99.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: StumbleUpon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINNT\DOWNLO~1\CONFLICT.1\STUMBL~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\PopUpStopperProfessional.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Sys] C:\DOCUME~1\DmoZUR\LOCALS~1\Temp\EMESH.EXE
O4 - HKCU\..\Run: [AdwareSys] C:\DOCUME~1\DmoZUR\LOCALS~1\Temp\EMESH.EXE
O4 - Startup: Active ShutDown.lnk = C:\Program Files\Active ShutDown\asd.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: Screenshot Utility.lnk = C:\Program Files\Screenshot Utility\ScreenshotUtility.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download with Free Downloads Accelerator - C:\Program Files\Free Downloads Accelerator\fdaie.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINNT\DOWNLO~1\CONFLICT.1\STUMBL~1.DLL/blogimage
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Add to FireViewer Conduit (HKLM)
O9 - Extra 'Tools' menuitem: Add to FireViewer Conduit (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc.../swdir.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200...taller.exe
O16 - DPF: {4F18FFF5-85B9-4378-A1B4-06743830EC70} (WAPUploaderAX Class) - http://www.web-a-photo.com/WebaphotoUploader.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/12282670893518cc23...xIE601.cab
O16 - DPF: {57BBF06E-D997-11D3-8997-00104BD12D94} (PCPDiskHealth Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupda...t/opuc.cab
O16 - DPF: {6B401179-541E-4BF3-800F-10C39B529DB9} - http://ftp.gurunet.com/pub/cabs/GNInstallerFree.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...3310185185
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/Shar.../cabsa.cab
O16 - DPF: {C6AB80BC-7E87-11D4-8BBB-0001025F438B} (MP3.com DirectToDevice Control) - http://filedownloads.mp3.com/filedownlo...Device.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O17 - HKLM\System\CCS\Services\Tcpip\..\{019E5125-6C29-4C0F-B065-AE45CED12008}: NameServer = 167.206.3.222,167.206.112.138
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D18AFE5-F1DA-47D6-85E4-4C7F9856D79C}: NameServer = 10.0.16.2,10.0.16.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC7AA1E6-7D97-4A4C-B1B6-AC988FE6B3E4}: NameServer = 167.206.3.222,167.206.112.138
O17 - HKLM\System\CS1\Services\Tcpip\..\{019E5125-6C29-4C0F-B065-AE45CED12008}: NameServer = 167.206.3.222,167.206.112.138
O17 - HKLM\System\CS2\Services\Tcpip\..\{019E5125-6C29-4C0F-B065-AE45CED12008}: NameServer = 167.206.3.222,167.206.112.138

football · Guest

google about this and the two temp toolbar issues in your r lines.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\MTUSpeed\help\blank.htm

Fix these three:
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe

google on the O16 clsid's to see whether they're kept or removed in other threads. Tony Klein's bho list is another good help here.

Also check out the toolbar clsid's in your O3 lines.

Joruas · Guest

Just for grinns,

http://download.broadbandmedic.com/

there is a vx2.betterinternet finder program at the above link.

curious if it identifies vx2. . . on your machine.

dmozur · Guest

dmozur · Guest

Here is vx2 log showing awd.dll and awd.cpy.dll files.Log for VX2.BetterInternet File Finder

Files Found---
C:\WINNT\system32\awd.cpy.dll
C:\WINNT\system32\awd.dll

Guardian Key---
Asynchronous 000
DllName C:\WINNT\system32\awd.dll
Impersonate 000
Logon WinLogon
Version 122
ID {FF43583A-4D08-474E-A47D-408812A4035F}
IDex CS3

User Agent String---
{FF43583A-4D08-474E-A47D-408812A4035F}

Can't get rid of these files with killbox. Previously i tried regedit with no luck. Any suggestions?Thanx for your help
Dave

Joruas · Guest

With regedit, navigate to:

Hkey_Local_Machine\Software\Microsoft\Windows NT\Current Version\Winlogon\Notify\Guardian

Right click on the guardian key [then] select privleges.

remove the check in the box for inherit privleges [and] click apply.

When asked about existing privleges, select delete to remove all privleges from that key.

reboot

delete the two dll files

navigate back to the guardian key and check the inherit privleges box [then] apply

delete the guardian key

dmozur · Guest

When I right click on Guardian, the drop-down menu does not include properties--just "new-find-delete-rename-copy key name". I'm running win2k not XP. Is that the reason? And what do I do about it?

Guest · Posted: Thu Apr 22, 2004 8:05 pm Post subject:

Guest · Posted: Thu Apr 22, 2004 8:42 pm Post subject:

With Win2K run regedt32 rather than the (also present) regedit

dmozur · Guest

Guest · Posted: Thu Apr 22, 2004 10:38 pm Post subject:

Here's the error message. It didn't show up in the last message

NedKali · Guest

locate and delete this file to start with
C:\DOCUME~1\DmoZUR\LOCALS~1\Temp\EMESH.EXE

i am having same problems as you
adaware has identified a dll file which i am am working on deleting which i believe is responsible for the popups.

the website popularscreensavers.com is where i got this wretched thing from.

good luck


	Home ˇ Topics ˇ Submit News ˇ Top 10 This entire site, Cops Themes, and Computer Cops are Š 2002 - 2004 Computer Cops, LLC. All rights reserved. You can syndicate our news using the file RSS 0.91, ultramode.txt, or RSS 1.0. Acceptable Use Policy. Use signifies your agreement. Engine Copyright Š 2002 by PHP-Nuke, GNU/GPL Licensed. ICRA Member. Paul Laudanski, Member of Computer Cops, LLC Server Load: 1283 pages served in previous 5 minutes. Page Rendered: 0.444 seconds.