CPU and RAM being hogged?

  • Gearu
  • Novice
  • Novice
  • User avatar
  • Posts: 24

Post 3+ Months Ago

My computer still seems slow, and freezes on occasion, it was never like this before the virus problem, Spybot, Ad-Aware and AVG have found nothing, page file usage is constantly around the 349MB mark, and the CPU seems to go up to high percentages all the time, when I run a game or a couple of applications it is at 100% most of the time, I have 3.07ghz, not overclocked or anything.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:42:45 PM, on 22/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\3 Mobile\3 Mobile Broadband\3 Mobile Broadband.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Absolute Poker\mainclient.exe
C:\Program Files\Absolute Poker\aphh.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\system32\inetsrv\DavCData.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ozzu.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\computer user\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\computer user\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (HKCU)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/ ... leId=21871
O17 - HKLM\System\CCS\Services\Tcpip\..\{6218E1F1-F84E-49AD-AABF-51F729BFC251}: NameServer = 202.124.81.2 202.124.68.130
O20 - AppInit_DLLs: gfcfg.dll,drthte.dll,yjrfe.dll,uksuk.dll,thrtgth.dll,hujfgt.dll,rhdhj.dll,jmkcgt.dll,hfther.dll,segtrgh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,gfhynrth.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,rthderr.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hnfgs.dll,
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7052 bytes
  • Anonymous
  • Bot
  • No Avatar
  • Posts: ?
  • Loc: Ozzuland
  • Status: Online

Post 3+ Months Ago

  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

O20 - AppInit_DLLs: gfcfg.dll,drthte.dll,yjrfe.dll,uksuk.dll,thrtgth.dll,hujfgt.dll,rhdhj.dll,jmkcgt.dll,hfther.dll,segtrgh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,gfhynrth.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,rthderr.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hnfgs.dll,
  • Gearu
  • Novice
  • Novice
  • User avatar
  • Posts: 24

Post 3+ Months Ago

Do you know how I can delete it?
Hijack does not delete that successfully, and neither does deleting all relations to AppInit_DLLs and the listed dlls in the registry (2 results), the dlls dont exist, as a search doesnt find them and same for anything AppInit_DLLs, and since it doesnt seem to be a file i cannot delete on reboot.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Try to find them in msconfig or the registry. They have to be starting from somewhere.
  • Gearu
  • Novice
  • Novice
  • User avatar
  • Posts: 24

Post 3+ Months Ago

The problem is how to delete a registry key upon startup/reboot.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Registry keys can be deleted any time, not just at reboot. If there is a problem where something can't be deleted while the system is running, I use a USB external HD enclosure to connect it to another PC. In your case, I don't think it's necessary.
  • Gearu
  • Novice
  • Novice
  • User avatar
  • Posts: 24

Post 3+ Months Ago

Sorry, I guess I should have said those registry entries regenerate after deletion.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

If they are regenerating after deletion, then there is another registry setting that you're missing. It's starting from somewhere. Run msconfig and go to the startup tab. That might give you a clue as to what it is. Disable any strange items and reboot.
  • casablanca
  • Proficient
  • Proficient
  • User avatar
  • Posts: 481

Post 3+ Months Ago

Modern malware isn't that easy to get rid of. The problem is that when the process is still running, disabling it in msconfig won't help much - it'll regenerate just as quickly. It might help to find the offending process and kill it using Task Manager, then delete the actual file and registry entries.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

casablanca wrote:
Modern malware isn't that easy to get rid of. The problem is that when the process is still running, disabling it in msconfig won't help much - it'll regenerate just as quickly. It might help to find the offending process and kill it using Task Manager, then delete the actual file and registry entries.


And you'll need to do that in safe mode. Those dll's are already initiallized and in use when Windows is running in Normal mode.
  • spork
  • Brewmaster
  • Silver Member
  • User avatar
  • Posts: 6241
  • Loc: Seattle, WA

Post 3+ Months Ago

ATNO/TW wrote:
And you'll need to do that in safe mode. Those dll's are already initiallized and in use when Windows is running in Normal mode.

And if you still can't remove them in safe mode, then this nice utility can be of great help.
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

I mentioned msconfig more so for identifying than stopping the malware. That brings me back to my recommendation of MJRegWatcher or any utility that locks the registry.
  • Gearu
  • Novice
  • Novice
  • User avatar
  • Posts: 24

Post 3+ Months Ago

The registry key is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

And the entry is:
AppInit_DLLs

Data is:
gfcfg.dll,drthte.dll,yjrfe.dll,uksuk.dll,thrtgth.dll,hujfgt.dll,rhdhj.dll,jmkcgt.dll,hfther.dll,segtrgh.dll,frntrn.dll,qrhhb.dll,drghszd.dll,fngn.dll,gnfctt.dll,xgnfn.dll,xfgnhcgfm.dll,serger.dll,bnxnb.dll,fxgnfx.dll,jzijj.dll,xfgnfx.dll,serghjm.dll,thsddh.dll,xbcvxb.dll,zfdzb.dll,xdndn.dll,xdfntt.dll,hgfhk.dll,dnteh.dll,xfng.dll,njritc.dll,chmfcmh.dll,jwlah.dll,gmnait.dll,hfjg.dll,thurh.dll,mgmgmm.dll,oqrthc.dll,gfhynrth.dll,jyjlt.dll,ijatnaw.dll,sehhter.dll,fhjfg.dll,zdbdb.dll,ydgn.dll,dbfb.dll,fjnbv.dll,rthderr.dll,setrhes.dll,cdxbfxdb.dll,xfgnxfn.dll,gjkhj.dll,xdhdg.dll,rhs.dll,mrjhtjd.dll,zdbfbd.dll,fjyjy.dll,fxnfnh.dll,bjrvm.dll,ektvm.dll,rdthr.dll,rgfjj.dll,dscef.dll,crugd.dll,lariytrz.dll,hjaiq.dll,kduy.dll,hkfgh.dll,awef.dll,dfhsh.dll,ethsh.dll,stehs.dll,sthth.dll,wfhyt.dll,rgghjj.dll,ghjkdr.dll,hnfgs.dll,

There isn't a regular process causing it to run, I decided to disabled a bunch of startup processes anyway because I always end them when I log in, and under the effect of this virus type thing, they take longer to load, and it's because of this virus that sometimes, doing simple tasks can cause the computer to freeze, one example being moving a desktop icon to another area on it just after I log in.

This is the only remaining enrty that comes up when I search the registry for AppInit_DLLs, and modifying or deleting it will just see it go back to normal when u go to another folder and back, as if nothing had happened.

I have also noticed a 'dllhost.exe' coming up in the task manager recently though, it seems to start randomly at any time 10 minutes after logging on, plus in the task manager, in the username column it says 'IWAM_COMPUTER_something'
I kill this process immediately because it looks a bit suspicious, I just looked it up with windows search and it appears to be a normal system account used for synchronisation "between the COM+ data store and IIS or the SAM"

In the single file that came up in the search for IWAM (synciwam.vbs) it says that the IWAM username is what is "is the identity under which out of process IIS applications run", so the virus entity which I am trying to get rid of may be linked to this.

Where do I go from here?
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Try the following paths. They are the 2 basic places where malware hides. Keep in mind that the process can have a completely different name than what was in the log.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run

and follow the same path in HKEY_CCURRENT_USER


BTW, are those the correct name servers for your ISP? If not, delete them too.

HKLM\System\CCS\Services\Tcpip\..\{6218E1F1-F84E-49AD-AABF-51F729BFC251}: NameServer = 202.124.81.2 202.124.68.130
  • Gearu
  • Novice
  • Novice
  • User avatar
  • Posts: 24

Post 3+ Months Ago

In:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
I found a folder within called 'OptionalComponents' and from there, 3 more folders: IMAIL, MAPI and MSFS, they all contain the 'default' thread, plus an 'Installed' Thread with value '1', and the MAPI contains an additional thread 'NoChange' with value '1'.

The HKEY_CCURRENT_USER version of that path only contains:
ctfmon.exe
SpybotSD TeaTimer

(I removed all the other startups as above)
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

No, you're looking in the wrong place. Don't click on the + sign next to run, just open the run folder in both paths.
  • Gearu
  • Novice
  • Novice
  • User avatar
  • Posts: 24

Post 3+ Months Ago

Nothing in there
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Nothing as in nothing or as in nothing bad? There has to be something in there.
  • Gearu
  • Novice
  • Novice
  • User avatar
  • Posts: 24

Post 3+ Months Ago

Nothing there, unless ctfmon.exe and teatimer are viruses

ok and the complete username for that IWAM thing is
IWAM_COMPUTER-QGW14FCOMPUTER-QGW14F

edit: it also seems the registry cannot access the folder where the AppInit_DLLs thread is while the IWAM thing shows up in the taskmanager

something I also noticed while editing this
I used process explorer to check out the dllhost.exe which was running under the IWAM undername and it showed the .dll type name code 02D4B3F1-FD88-11D1-960D-00805FC79235, i'd seen this there before but thought nothing of it and didnt want to mess with it, but given that I've tried everything else, searching the registry for this brought up 2 results, I deleted them both and now searching for the appinit thread brings no results, and the problem doesnt show up in hijack this anymore, so I believe this is solved!
  • Don2007
  • Web Master
  • Web Master
  • Don2007
  • Posts: 4924
  • Loc: NY

Post 3+ Months Ago

Glad to hear it.

Post Information

  • Total Posts in this topic: 20 posts
  • Users browsing this forum: No registered users and 56 guests
  • You cannot post new topics in this forum
  • You cannot reply to topics in this forum
  • You cannot edit your posts in this forum
  • You cannot delete your posts in this forum
  • You cannot post attachments in this forum
 
cron
 

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.