Jump to content


PC CPU Usage High and Memory Constantly Increasing

  • Please log in to reply
1 reply to this topic

#1 SpyWareBlows



  • Full Member
  • Pip
  • 4 posts

Posted 23 June 2004 - 11:10 PM

Ok, system is serious screwed it seems. Got my browser hijacked today. Looks like I deleted the main part, but I have many other problems now. After I followed a bunch of directions I got; windows media player wouldn't work, so I had to reinstall it. Still have the hijack thing where if I type in something like www.fijrijfijrijfijrgfr.com it will take me to a hijacked page, but my home page is mine, and under control. Noticed under task manager that my CPU is running at around 50% with nothing open, and my memory has been increasing...was at almost a gig when I last shut off the comp (needed virtual memory expanded). I've been running adaware and spybot, and they both find less than 30. Thus, I don't really see any excessive spyware, and don't see a significant browser hijack left, so why is my computer so slow and messed up? In addition, took 30 seconds to get from the power on password to the windows is loading screen (it seemed to hang with just a white cursor flashing for a moment). Also, when I am logging onto windows 2000, I type in my password, and it takes like 60 seconds for what I typed to show and for it to log in. Can't get norton live update to find its server. Trying to run the antivirus "trend" but ie is crashing when I try to install it. Don't know what other info to give. I guess I will give my hijack this log file:

Logfile of HijackThis v1.97.7
Scan saved at 12:08:26 AM, on 6/24/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\C4ebreg\isamsmt.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ORiNOCO\WirelessClient\Utility\orinoco.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
O1 - Hosts: eernt1 # Ethernet
O1 - Hosts: eernt4 # legacy ERS e-mail application server
O1 - Hosts: eersnt3 # Ethernet
O1 - Hosts: eersnt4 # Ethernet
O1 - Hosts: eersnt5 # Ethernet
O1 - Hosts: eersweb1 # ERS web central
O1 - Hosts: eersweb1 # Ethernet
O1 - Hosts: gumnotes # Ethernet
O1 - Hosts: snaserver # Ethernet 9/22/03
O1 - Hosts: cwpa0gjm # Ethernet 9/23/03
O1 - Hosts: erscustprod # Ethernet
O1 - Hosts: erscusttest # Ethernet
O1 - Hosts: eersaix0 # Ethernet
O1 - Hosts: eersaix0.sby.ibm.com # Ethernet
O1 - Hosts: eersaix1 # Ethernet
O1 - Hosts: eersaix2 # Ethernet
O1 - Hosts: eersaix3 # Ethernet
O1 - Hosts: eersaix5 # Ethernet
O1 - Hosts: erscrystal # Ethernet 9/23/03
O1 - Hosts: ersorcl8i # Ethernet
O1 - Hosts: ersdb28 # ORCL backup
O1 - Hosts: erswebsrv # UC, new ERS webserver - Ethernet
O1 - Hosts: ersimaging # Cadence background loader and image store DB
O1 - Hosts: ersfaxdev # ERS fax project development workstation - Ethernet
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [C4EBReg] "C:\progra~1\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [proxim_orinoco_11abg] C:\Program Files\ORiNOCO\WirelessClient\Utility\orinoco.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sametime Connect] C:\Program Files\Lotus\Sametime Client\Connect.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - Startup: Ad-watch 3.lnk = C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O16 - DPF: American Express atWork Admin - http://eersaix0.sby....v/atWorkADM.cab
O16 - DPF: American Express atWork CPC - https://qa.amex.iers...m/atWorkCPC.cab
O16 - DPF: IBM EA2000 - https://w3-1.ibm.com...nses/EA2000.cab
O16 - DPF: Sametime Meeting Room Client ST31 - https://www-1.ibm.co...gRoomClient.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.ma...ector/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...ol_v1-0-3-9.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - https://www-1.ibm.co...STJNILoader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9519B2A2-6592-4E41-8290-D0298459270C} (LNWebAssist Class) - http://w3.ibm.com/bl...lnwebassist.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_3us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{66D81C55-279D-4D13-A4F9-6E3E19D0F231}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{AA534E2E-F787-4FC6-9212-D9A1A26D14C3}: Domain = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C934E6F7-7E16-4836-AFB6-91BCB8950CEB}: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ibm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com

Anyhelp would be extremely appreciated.


#2 LoPhatPhuud


    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 29 June 2004 - 06:35 PM

There is very little on your computer that would result in a slowdown as far as spyware is concerned. Two R entries can be removed.

Check the following items in HiJackThis:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search

Close all open windows except HiJackThis and press 'Fix Checked'.

There is also this entry:
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch

Which is Wildtanget updater. If you do not need it, remove it also and then delete the entire folder.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image

When angry count four; when very angry, swear

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button