# Problem with constant heavy CPU usage.



## rdanner3 (Jun 11, 2006)

I've suspicions about what's causing it...however, they're just that: suspicions. Can't confirm anything. Sad thing is that I've had this box less than six weeks! Discovered Auto-Update was hitting my CPU incredibly hard (100% usage every 2-3 seconds for up to three seconds each time) so I was forced to disable it.

One of the very first things I took off this box when I plugged it in was AOL 9.0. I despise AOL, and that comes from someone who was an AOL 1.0 beta tester!

Yes, I've run antivirus and anti-malware scans (AVG, Comodo for antivirus; a², AdAware, SpySweeper, Spycatcher for anti-malware) before I resorted to asking this help. (Bit of a note: Free RAM Optimizer cannot run. Whether this is a symptom of the same problem or not, I don't know. It's seriously annoying, though.) Typical free RAM is ~225Mb; current is well under 100.

Response on loading a new program is incredibly sluggish (2 seconds to over a minute before the program appears) and this is absolutely insane.

Last program (suite?) installed was Comodo Firewall and Comodo Antivirus (although I disabled the parts of CAV that would interfere with AVG's mail scanner.) Reverting back to ZoneAlarm Free will be almost a joy compared to what I'm going through right now, if that is what it'll take to fix this.

Logfile of HijackThis v1.99.1
Scan saved at 07:19 ct, on 2006-06-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Security\AVGFRE~1\avgamsvr.exe
C:\Security\AVGFRE~1\avgupsvc.exe
C:\Security\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\LiteStep\litestep.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Security\AVGFRE~1\avgcc.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Comodo\Personal Firewall\CPF.exe
C:\Program Files\Comodo\LaunchPad\CLPTray.exe
C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Internet\Quotes2002\quotes.exe
C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Robomagic\SocketWatch\swatch.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
C:\Program Files\WinBar\WinBar.exe
C:\Program Files\WinTidy\WinTidy.exe
C:\Program Files\Comodo\Comodo AntiVirus\cavemsrv.exe
C:\mIRC4JPs\mirc.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Internet\Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Internet\TBird\thunderbird.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.getfirefox.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ;127.0.0.1 adultfriendfinder.com #[McAfee.Cookie-Adultfriend]
O1 - Hosts: ;127.0.0.1 ads.adultfriendfinder.com #[SpySweeper.Spy.Cookie]
O1 - Hosts: ;127.0.0.1 www.adultfriendfinder.com #[Troj/Small-AG][Adware-Adroar.dll]
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\Security\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RAMDrive] "C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Comodo Personal Firewall] C:\Program Files\Comodo\Personal Firewall\CPF.exe sysrestart
O4 - HKLM\..\Run: [Comodo Launch Pad Tray] C:\Program Files\Comodo\LaunchPad\CLPTray.exe
O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" " /login"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [µTorrent] "C:\Internet\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [C:\Internet\Quotes2002\quotes.exe] C:\Internet\Quotes2002\quotes.exe
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - Startup: DIMES-Agent.lnk = C:\Internet\DIMES\Agent\DimesDelayedLauncher.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: distributed.net client.lnk = C:\Program Files\distributed.net\dnetc.exe
O4 - Global Startup: Gomez PEER.lnk = C:\Internet\GomezPEER\bin\GomezPEER.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: SocketWatch.lnk = C:\Program Files\Robomagic\SocketWatch\swatch.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O20 - AppInit_DLLs: interceptor.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\goec62~1.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Apple mDNSResponder - Apple Computer, Inc. - C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Personal Firewall\cmdagent.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: Media Center Receiver Service (ehRecvr) - Unknown owner - C:\WINDOWS\eHome\ehRecvr.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe


----------



## Rich-M (May 3, 2006)

With all the spyware applications and antivirus programs and toolbars you are running that are all spyware, I am amazed this thing even boots. You need to clean out startup if those programs are not really installed and clean the "danglers" out of the registry with something like jv16 Power Tools.


----------



## rdanner3 (Jun 11, 2006)

Rich-M said:


> With all the spyware applications and antivirus programs and toolbars you are running that are all spyware, I am amazed this thing even boots. You need to clean out startup if those programs are not really installed and clean the "danglers" out of the registry with something like jv16 Power Tools.


Thank you for your so _unhelpful_ response. I came here because I realized I needed help, not to be criticised for needing it.

I am well aware that there are likely to be programs that need killing. Which, is the question. (No, Google Desktop isn't spyware, and I've found it indispensable in my writing, along with WordWeb.)

My suspicion is that the two Comodo apps are two of the culprits, since the problem went critical soon after I installed Comodo Firewall (for a trial run) based on PCMagazine's Editor's Choice rating. Makes me wonder who paid them off, personally. Very alarming business.

I've been a member of the Distributed.Net effort now (on and off) since 1996 or 1997...the program is very graceful in deeding back CPU to other programs. Oddly, I've seen some computers run more smoothly with it running than without! (and no, the two copies of mIRC aren't spyware; they're known to me and run a very minimalistic script that I wrote; I'm a staffer on an IRC network.)

I'm just as busy as many of you are. I'm not the hottest thing behind a computer keyboard, nor am I totally knowledgeable about the darker recesses of computer usage. I would, therefore, appreciate some meaningful answers as to what I need to target.

Thank you for your consideration.


----------



## etaf (Oct 2, 2003)

I have requested a move to Security, so that a security guru can have a look at the log and offer suggestions to clean if required.

Entries with {no name} and no filename are often issues,

but I don't have the expertise to advise.


----------



## Rich-M (May 3, 2006)

rdanner3 said:


> Thank you for your so _unhelpful_ response. I came here because I realized I needed help, not to be criticised for needing it.
> 
> I am well aware that there are likely to be programs that need killing. Which, is the question. (No, Google Desktop isn't spyware, and I've found it indispensable in my writing, along with WordWeb.)
> 
> ...


Sensitive, aren't we. Well, I was not criticizing you, as you come on as highly experienced and you do not know what is spyware and what isn't. At the risk of firing your dander up again, and I am trying real hard to remember it is you seeking help, and me not begging to give you help you will only like, you need to start some online scans:
http://www.bitdefender.com/scan8/#

http://www.ewido.net/en/
And also, since you evidently know how to unload startup, would you please post here what is checked after running the scans:
"Run, msconfig, OK, Startup" so we can tell you what to remove. Oh, and the entries for Comodo in the HijackThis log you can highlight and let HijackThis remove.


----------



## MFDnNC (Sep 7, 2004)

You have multiple AVs running; only one should be active.

Download Hoster from here:
www.funkytoad.com/download/hoster.zip 
Run the program Hoster and press Restore Original Hosts, OK, and Exit Program.

Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido.
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen click Update.
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up)

Run Ewido:
* Click on Scanner.
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files; click OK.
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your C: drive.
This will take some time to run!
Boot to normal mode
*Post that log* and a new HiJack log
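As an added example, not part of this thread or of HijackThis itself: a small Python triage script over log lines modelled on the HijackThis logs posted above. It applies etaf's rule that entries showing "(no name)" or no file deserve a look and MFDnNC's point that only one antivirus should be active, and also flags O10 Winsock LSP lines repeated verbatim and DLLs listed more than once under O20 AppInit_DLLs, both visible in the posted logs. The antivirus keyword heuristic is an assumption for illustration, not an authoritative product list.

```python
"""Triage a HijackThis v1.99-style log for the signs the replies above call out.

Added example; not from the thread or from HijackThis. The antivirus keyword
heuristic (AV_NAME_RE) is an assumption, not an authoritative product list.
"""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
DANGLING_MARKERS = ("(no name)", "(no file)", "(file missing)")
AV_NAME_RE = re.compile(r"anti-?virus|\bAVG", re.IGNORECASE)  # assumed heuristic

# Constructed sample, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\cavemlsp.dll
O20 - AppInit_DLLs: interceptor.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\goec62~1.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgupsvc.exe
O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: Media Center Receiver Service (ehRecvr) - Unknown owner - C:\WINDOWS\eHome\ehRecvr.exe (file missing)
"""


def parse_entries(text):
    """Return (section, body) pairs for R/F/N/O lines; process lists and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def dangling_entries(entries):
    """Entries with no name or no file behind them: typical leftovers of an uninstall."""
    return [f"{s} - {b}" for s, b in entries
            if any(marker in b for marker in DANGLING_MARKERS)]


def repeated_lsp_entries(entries):
    """O10 Winsock LSP lines that appear more than once, with their counts."""
    counts = Counter(b for s, b in entries if s == "O10")
    return {body: n for body, n in counts.items() if n > 1}


def repeated_appinit_dlls(entries):
    """DLLs listed more than once under O20 AppInit_DLLs (comma- or space-separated)."""
    repeated = {}
    for s, b in entries:
        if s == "O20" and b.startswith("AppInit_DLLs:"):
            dlls = re.split(r"[,\s]+", b[len("AppInit_DLLs:"):].strip().lower())
            counts = Counter(d for d in dlls if d)
            repeated.update({d: n for d, n in counts.items() if n > 1})
    return repeated


def antivirus_vendors(entries):
    """Vendors of O23 services whose names look like an antivirus product.

    Lines read 'Service: <name> - <vendor> - <path>'; the name itself may
    contain ' - ' (e.g. 'UPS - UPSentry Service'), so split from the right.
    """
    vendors = set()
    for s, b in entries:
        if s != "O23" or not b.startswith("Service:"):
            continue
        parts = b[len("Service:"):].rsplit(" - ", 2)
        if len(parts) != 3:
            continue
        name, vendor, _path = parts
        if AV_NAME_RE.search(name):
            vendors.add(vendor.split()[0].strip(",.").upper())
    return sorted(vendors)


def triage(text):
    """Run every check and return one dict; more than one AV vendor is itself a finding."""
    entries = parse_entries(text)
    vendors = antivirus_vendors(entries)
    return {
        "dangling": dangling_entries(entries),
        "repeated_lsp": repeated_lsp_entries(entries),
        "repeated_appinit_dlls": repeated_appinit_dlls(entries),
        "antivirus_vendors": vendors,
        "multiple_antivirus": len(vendors) > 1,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A flagged line is a prompt to check the entry, not a verdict: a "(file missing)" service can be a harmless leftover of an uninstall, which is why the log is read by a person after the script narrows it down.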


----------



## rdanner3 (Jun 11, 2006)

Update:
Removing both Comodo products has helped immensely. However, I will follow the steps outlined in the latest post and send those requested materials up. (Switched back to ZoneAlarm Free until I can manage to update to ZA Pro.)

Current CPU usage is back down to where it ought to be (~3-5% average usage, with occasional spikes higher) but again, I will double-check everything and send that up.

Ewido seems very fond of reporting tracker cookies as criticals, though. (first ewido scan removed > 90, second one less than 10 minutes after the first one removed 10 more)

My HOSTS file is rather large (over 400k) but it seems to do the job at stopping most annoyance ads, especially when combined with AdBlock Pro (extension to Firefox)


----------



## rdanner3 (Jun 11, 2006)

(Scan done in Safe Mode)
ewido first...
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:54:07 AM, 6/13/2006
+ Report-Checksum: BA3560BA

+ Scan result:

No infected objects found.

::Report End

Now, Hijack-This
--- Start HijackThis log ----
Logfile of HijackThis v1.99.1
Scan saved at 12:22 CT, on 2006-06-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Security\AVGFRE~1\avgamsvr.exe
C:\Security\AVGFRE~1\avgupsvc.exe
C:\Security\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\LiteStep\litestep.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Security\AVGFRE~1\avgcc.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Internet\Quotes2002\quotes.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Internet\GomezPEER\bin\GomezPEER.exe
C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Robomagic\SocketWatch\swatch.exe
C:\Internet\GOMEZP~1\jre\bin\java.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinBar\WinBar.exe
C:\Program Files\WinTidy\WinTidy.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.getfirefox.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: localhost
O1 - Hosts: ;127.0.0.1 adultfriendfinder.com #[McAfee.Cookie-Adultfriend]
O1 - Hosts: ;127.0.0.1 ads.adultfriendfinder.com #[SpySweeper.Spy.Cookie]
O1 - Hosts: ;127.0.0.1 www.adultfriendfinder.com #[Troj/Small-AG][Adware-Adroar.dll]
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\Security\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [RAMDrive] "C:\Program Files\FarStone\VirtualDrive\VHD\RDTask.exe"
O4 - HKLM\..\Run: [VirtualDrive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe /AutoRestore
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [µTorrent] "C:\Internet\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [C:\Internet\Quotes2002\quotes.exe] C:\Internet\Quotes2002\quotes.exe
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - Startup: DIMES-Agent.lnk = C:\Internet\DIMES\Agent\DimesDelayedLauncher.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O4 - Startup: WinTidy.lnk = C:\Program Files\WinTidy\WinTidy.exe
O4 - Startup: Yahoo! Widget Engine.lnk = C:\Program Files\Yahoo!\Yahoo! Widget Engine\YahooWidgetEngine.exe
O4 - Global Startup: distributed.net client.lnk = C:\Program Files\distributed.net\dnetc.exe
O4 - Global Startup: Gomez PEER.lnk = C:\Internet\GomezPEER\bin\GomezPEER.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: SocketWatch.lnk = C:\Program Files\Robomagic\SocketWatch\swatch.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - (no file)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - AppInit_DLLs: interceptor.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\goec62~1.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Apple mDNSResponder - Apple Computer, Inc. - C:\Program Files\Predixis\MusicMagic Mixer\mDNSResponder.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgemc.exe
O23 - Service: Media Center Receiver Service (ehRecvr) - Unknown owner - C:\WINDOWS\eHome\ehRecvr.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--- End HijackThis log ----

Removing Comodo Antivirus and switching back to ZoneAlarm Free seems to have corrected it. Current CPU usage varies from 1%-15%, which is more typical. I do have a question about STPD.SYS, which seems to like to lock Safe Mode if I allow it to run... but that may be altogether unrelated.

Also: SpySweeper (in safe-mode diagnostics mode) reported no infestations in a safe-mode scan, but the logfile is very long, containing multiple scan results.

If I have malware still on this system, yes, I need to know...


----------



## MFDnNC (Sep 7, 2004)

In Firefox: TOOLS - OPTIONS - PRIVACY - COOKIES - check "for the originating site only".

Log is fine


----------



## rdanner3 (Jun 11, 2006)

OK, here's the thing. The problem went away...but is now back worse than ever. (Right now, CPU is running at 100% usage...) Here are some statistics:

Machine: eMachines T6420
* CPU: Athlon64/3400
* RAM: 1GB; 895Mb available to Windows
* OS: WinXP Media Center Edition 2005 (with all current patches _except_ WGA, which is nothing but marketing-ware...it serves no purpose, security-wise.)
* LiteStep (alternate Windows command shell, which I find more useful)
* Built-in video and sound (for the T6420)

Startups (from MSConfig)
zHotkey (Keyboard Driver; very nicely appointed multimedia keyboard here)
avgcc (AVG Control Centre)
vdtask (VirtualDrive systray control)
GoogleDesktop (If this needs explanation...)
zlclient (Zonelabs' ZoneAlarm (Free) client)
NvCpl (nVidia video control)
SpySweeperUI (SpySweeper control)
hm (Hosts Monitor)
ctfmon (?? Reported to be Microsoft speech recognition file)
YahooMessenger
googletalk
quotes (Quotes 2002, a very neat utility for making sigfiles with quotations)
fro (Free RAM Optimizer; despite the hype, XP still needs it occasionally)
HijackThis (HijackThis on-boot scan/save of logfile)
DynDNS (DynDNS Updater; I have several DynDNS vHosts)
Gomez Peer (Distributed-computing app; supposed to track usability of 'Net)
Google Updater (updates Google products)
MUPS (Monitors UPS)
SocketWatch (Far better than XP's own time synchronisation) http://www.robomagic.com/swatch.htm
WordWeb (incredibly useful OS-level thesaurus/dictionary)
Trillian (IM app)
WinBar (for info, http://www.winbar.nl)
distributed.net (DNetC's client; see http://www.distributed.net)

[UPDATE: Fresh HijackThis logfile below]
Logfile of HijackThis v1.99.1
Scan saved at 13:05 CT, on 2006-07-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Security\AVGFRE~1\avgamsvr.exe
C:\Security\AVGFRE~1\avgupsvc.exe
C:\Security\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\LiteStep\litestep.exe
C:\WINDOWS\zHotkey.exe
C:\Security\AVGFRE~1\avgcc.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\abelhadigital.com\HostsMan\hm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Internet\Quotes2002\quotes.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\DynDNS Updater\DynDNS.exe
C:\Program Files\distributed.net\dnetc.exe
C:\Internet\GomezPEER\bin\GomezPEER.exe
C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Robomagic\SocketWatch\swatch.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Internet\Trillian\trillian.exe
C:\Program Files\WinBar\WinBar.exe
C:\Internet\GOMEZP~1\jre\bin\java.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.getfirefox.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\Security\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\vdtask.exe" /AutoRestore
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [HostsMan] "C:\Program Files\abelhadigital.com\HostsMan\hm.exe" -s
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [C:\Internet\Quotes2002\quotes.exe] C:\Internet\Quotes2002\quotes.exe
O4 - HKCU\..\Run: [Free Ram Optimizer] "C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe"
O4 - HKCU\..\Run: [HijackThis startup scan] "C:\Documents and Settings\Owner\Desktop\HijackThis.exe" /startupscan
O4 - HKCU\..\Run: [DynDNS Updater] "C:\Program Files\DynDNS Updater\DynDNS.exe"
O4 - Startup: Trillian.lnk = C:\Internet\Trillian\trillian.exe
O4 - Startup: WinBar.lnk = C:\Program Files\WinBar\WinBar.exe
O4 - Global Startup: distributed.net client.lnk = C:\Program Files\distributed.net\dnetc.exe
O4 - Global Startup: Gomez PEER.lnk = C:\Internet\GomezPEER\bin\GomezPEER.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.514.27546\GoogleUpdater.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: SocketWatch.lnk = C:\Program Files\Robomagic\SocketWatch\swatch.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - AppInit_DLLs: interceptor.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~1\goec62~1.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Security\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


----------

