# cmd.exe using 90% CPU



## jargonwrites

For some reason my computer started running super slow this week. I haven't installed any new hardware or even used it much except for going online. At first I thought it was just my connection until I tried going online with another computer in the house (which worked fine). I began to suspect I had a virus, but there was nothing quite out of the ordinary popping up when I used my computer. Just yesterday, when I finally had some time to sit down and try to figure things out, I found that "cmd.exe" in the task manager under the "processes" tab was using approximately 90% of my CPU. I ran adaware, spybot, ewido, and symantec, deleted/fixed/quarantined the few things that popped up and restarted, hoping that would fix it. However, even after running all of those "cmd.exe" was still using 90% of my CPU, so I ended the "process tree". After doing so my computer started running smoothly again (now 90% is under the "system idle process" which I've been informed is how much CPU on the computer is free). I have begun to suspect that the "cmd.exe" is corrupt or a virus is hiding really well on my computer. I've tried looking on here for some answers and even tried some of the solutions like:

_"Resolve Windows Corruptions:

Run chkdsk /f. or a sfc /scannow.

To run chkdsk /f:

1.Click the Start Button
2.Type cmd.exe
3.At the command prompt type chkdsk /f
4.If the prompt asks you to schedule at system restart hit 'y' on keyboard and hit enter.
5.Restart computer
6.Windows will fix all disk errors.

*NOTE* This may not solve the problem in all cases.

Run sfc /scannow:

1.Click the Start Button
2.Type cmd.exe
3.At the command prompt type sfc /scannow
4.If the prompt asks you to insert OS install disc, insert and click apply.
5.Restart computer
6.Windows will fix all missing files and corruptions.

*NOTE* This may not solve the problem in all cases."_

But, unfortunately, neither worked (even though I was still able to run "cmd.exe")... I am lost and would greatly appreciate anyones help.

Thanks,
Jargon


----------



## inuyasha320

download hijackthis http://www.majorgeeks.com/download3155.html

You should create a folder for HijackThis. To create one in Program files; right click on C drive and choose explore. Locate program files folder C:\Program Files . Right click on it and choose: New / Folder.
Name this folder HijackThis. Unzip your Hijackthis download and extract its contents to:
C:\Program Files\HijackThis
Any of these other options is also acceptable. The key point is that HijackThis should have a permanent folder of its own.
C:\Program Files\HijackThis\HijackThis.exe --is good
C:\My Documents\HijackThis\HijackThis.exe -- Is Good
C:\HijackThis\HijackThis.exe -- is Good.
The reason for doing this is when you fix something in HJT, it creates back-ups, so you want the back-up files to be in a folder.

after that, scan and save a log

and post the log here

this will give us a better idea about the problem.


----------



## jargonwrites

Logfile of HijackThis v1.99.1
Scan saved at 7:35:04 PM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/online/registration
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpB788.tmp (file missing)
O2 - BHO: (no name) - {da9770d3-26fa-4942-8b45-9333ad52ca13} - C:\WINDOWS\system32:qsep.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Configuration Loader] spoolss.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms.exe] C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
O4 - Startup: ms.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe


----------



## ozrom1e

I noticed that you are not running a firewall. Well you should be and it is very important that you do. Here is a link to some free or free-to-try firewalls.

http://www.thefreecountry.com/security/firewalls.shtml

One of our HJT team will diagnose your log file just be patient.


----------



## jargonwrites

My Windows Security Center says that my firewalls is "on", does that one not work/do I need another one?

Thanks,
Jargon


----------



## inuyasha320

Don't check anything in the HJT log yet, a moderator should be here soon. I am a little suspicious about
O2 - BHO: (no name) - {da9770d3-26fa-4942-8b45-9333ad52ca13} - C:\WINDOWS\system32:qsep.dll

O4 - HKLM\..\Run: [ms.exe] C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
O4 - Startup: ms.exe also looks weird to me because I have seen it as spyware


----------



## ozrom1e

The one that is on is probably the Windows Firewall. If you have to depend on that one you will get burned really bad. It only protects one way and that is not that good and it is supposedly from outside coming in.


----------



## jargonwrites

Yeah, it is the Windows Firewall. If I download a firewall will it keep me from being able to upload/transfer/send files? If not, which firewall would you recommend?


----------



## MFDnNC

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

Open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present). We'll get them next step.
Please copy/paste the content of that report into your next reply.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
=========================

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

* Click the *Free Trial link* under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.


----------



## Rich-M

Post removed by flrman1.


----------



## cybertech

Hi jargonwrites, Welcome to TSG!!

I've moved your post to the Security Forum.

Please follow through with the instructions provided by *MFDnSC* and post your replies here.


----------



## dvk01

I'm very concerned about this entry 
O2 - BHO: (no name) - {da9770d3-26fa-4942-8b45-9333ad52ca13} - C:\WINDOWS\system32:qsep.dll

it looks like it's using a hidden ADS stream to work

please do this 

open hjt/ press config/misc tools/ select ADS spy

make sure the only box selected is ignore safe info streams & press scan 
it will take some time to run & then save its log & post back here 
do not close the ADS Spy as we will probably ask you to fix some or all entries it finds

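The three things inuyasha320 and dvk01 pick out of the log (a BHO whose path has a second colon, meaning the DLL lives in an NTFS alternate data stream attached to the system32 directory; a Run key whose target is a bare `spoolss.exe`, one letter off the real `spoolsv.exe` and with no path, so Windows resolves it through the search path; and a raw `ms.exe` dropped into the user's Startup folder and also registered under Run) can be checked mechanically. The script below is an added example, not part of this thread and not HijackThis code; the sample lines are copied from the log posted above, and the heuristics are the editor's assumptions about what merits a look, not HJT's own verdicts.

```python
"""Triage HijackThis v1.99-style O2/O4 lines for the indicators raised in this thread.

Added example, not HijackThis code. Heuristics are the editor's assumptions.
"""
import re

# Constructed sample: a subset of the O2/O4 lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpB788.tmp (file missing)
O2 - BHO: (no name) - {da9770d3-26fa-4942-8b45-9333ad52ca13} - C:\WINDOWS\system32:qsep.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Configuration Loader] spoolss.exe
O4 - HKLM\..\Run: [ms.exe] C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
O4 - Startup: ms.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

# Names that malware commonly imitates by changing a single character.
WINDOWS_CORE_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
}

# Drive letter, then a second colon whose remainder holds no path separator:
# "C:\dir:stream" names an NTFS alternate data stream, not a file.
ADS_PATH = re.compile(r"^[A-Za-z]:\\.*[^\\/]:[^\\/:]+$")


def edit_distance(a, b):
    """Levenshtein distance; 1 means one character inserted, deleted or swapped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe_name):
    """Return the core binary this name is one edit away from, or None."""
    exe_name = exe_name.lower()
    if exe_name in WINDOWS_CORE_BINARIES:
        return None
    for known in WINDOWS_CORE_BINARIES:
        if edit_distance(exe_name, known) == 1:
            return known
    return None


def _target(rest):
    """Strip the [name] label, a 'x.lnk = path' prefix and surrounding quotes."""
    rest = rest.strip()
    if rest.startswith("["):
        rest = rest[rest.index("]") + 1:].strip()
    if " = " in rest:
        rest = rest.split(" = ", 1)[1].strip()
    if rest.startswith('"'):
        return rest[1:rest.index('"', 1)]
    return rest


def triage(log_text):
    """Return [(line, [reasons])] for every O2/O4 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if line.startswith("O2 - BHO:"):
            path = line.rsplit(" - ", 1)[-1]
            if path.endswith("(file missing)"):
                reasons.append("orphaned BHO registration (file missing)")
            elif ADS_PATH.match(path):
                reasons.append("BHO loaded from an NTFS alternate data stream")
        elif line.startswith("O4 - "):
            location, _, rest = line[5:].partition(": ")
            target = _target(rest)
            exe = target.rsplit("\\", 1)[-1].lower()
            if "Run" in location and "\\" not in target and exe.endswith(".exe"):
                reasons.append("unqualified executable name in Run key (resolved via search path)")
            known = lookalike_of(exe)
            if known:
                reasons.append(f"name resembles Windows binary {known}")
            if ADS_PATH.match(target):
                reasons.append("Run target is an NTFS alternate data stream")
            if "Run" in location and "\\startup\\" in target.lower():
                reasons.append("Run key points into a Startup folder (double persistence)")
            if location == "Startup" and exe.endswith(".exe"):
                reasons.append("bare executable in user Startup folder")
        if reasons:
            findings.append((line, reasons))
    return findings


def reasons_for(log_text, needle):
    """Reasons attached to the first flagged line containing needle (empty if none)."""
    for line, reasons in triage(log_text):
        if needle in line:
            return reasons
    return []


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Unqualified-name and look-alike hits are medium confidence on their own (a vendor entry such as `SOUNDMAN.EXE` is also unqualified), which is why each line carries its list of reasons rather than a verdict; the ADS hit is the strong one, since no legitimate BHO is registered from a stream on a directory. On XP there is no `dir /r` (that switch arrived with Vista), so HJT's ADS Spy or Sysinternals Streams is the way to enumerate and strip such streams.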

----------



## jargonwrites

here is the ADS spy log

C:\Documents and Settings\All Users\Application Data\Microsoft : BHzxvXXFMAoMEHVdRRW (786 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft : hCipSn4Rs1yFTMS9jl6tVjmdAR (923 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft : BHzxvXXFMAoMEHVdRRW (786 bytes)
C:\Documents and Settings\All Users\Application Data\Microsoft : hCipSn4Rs1yFTMS9jl6tVjmdAR (923 bytes)
C:\Documents and Settings\Jez\Local Settings\Temp : K0D0VuFOamlM1xOKdd (975 bytes)
C:\Documents and Settings\Jez\Local Settings\Temp : K0D0VuFOamlM1xOKdd (975 bytes)
C:\Program Files\Common Files\System\HhQlN5sSegt : x8cSljTNDbPtLgrh5Peh7rt (907 bytes)
C:\Program Files\Common Files\System\HhQlN5sSegt : x8cSljTNDbPtLgrh5Peh7rt (907 bytes)
C:\Program Files\Outlook Express : FkwmVbRJrZibB48Okf5Fv6T15b5e (1006 bytes)
C:\Program Files\Outlook Express : FkwmVbRJrZibB48Okf5Fv6T15b5e (1006 bytes)
C:\Program Files\Outlook Express\bOxBoUxfaEdrq : DylqEC1lfvQC9cBVyxoDCn0Nya (831 bytes)
C:\Program Files\Outlook Express\bOxBoUxfaEdrq : DylqEC1lfvQC9cBVyxoDCn0Nya (831 bytes)
C:\WINDOWS\system32 : qsep.dll (9728 bytes)
C:\WINDOWS\system32 : qsep.dll (9728 bytes)


----------



## jargonwrites

Here is the SmitFraudFix v2.65 log

Scan done at 22:40:19.89, Sun 06/25/2006
Run from C:\Documents and Settings\Jez\Desktop\smitfraudfix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Jez\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Jez\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


----------



## jargonwrites

Here is the Spy Sweeper log

********
10:47 PM: | Start of Session, Sunday, June 25, 2006 |
10:47 PM: Spy Sweeper started
10:47 PM: Sweep initiated using definitions version 706
10:47 PM: Starting Memory Sweep
10:51 PM: Memory Sweep Complete, Elapsed Time: 00:04:42
10:51 PM: Starting Registry Sweep
10:51 PM: Found Adware: security toolbar
10:51 PM: HKLM\software\microsoft\windows\currentversion\uninstall\security toolbar\ (2 subtraces) (ID = 1035010)
10:51 PM: Found Adware: popuper
10:51 PM: HKCR\clsid\{7a932ed2-1737-4ab8-b84d-c71779958551}\ (4 subtraces) (ID = 1244612)
10:51 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{7a932ed2-1737-4ab8-b84d-c71779958551}\ (1 subtraces) (ID = 1244617)
10:51 PM: HKLM\software\classes\clsid\{7a932ed2-1737-4ab8-b84d-c71779958551}\ (4 subtraces) (ID = 1244618)
10:52 PM: Registry Sweep Complete, Elapsed Time:00:00:15
10:52 PM: Starting Cookie Sweep
10:52 PM: Found Spy Cookie: atwola cookie
10:52 PM: [email protected][1].txt (ID = 2256)
10:52 PM: [email protected][1].txt (ID = 2255)
10:52 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:52 PM: Starting File Sweep
11:18 PM: File Sweep Complete, Elapsed Time: 00:25:58
11:18 PM: Full Sweep has completed. Elapsed time 00:30:56
11:18 PM: Traces Found: 17
11:19 PM: Removal process initiated
11:19 PM: Quarantining All Traces: popuper
11:19 PM: Quarantining All Traces: security toolbar
11:19 PM: Quarantining All Traces: atwola cookie
11:20 PM: Removal process completed. Elapsed time 00:00:22
********
10:44 PM: | Start of Session, Sunday, June 25, 2006 |
10:44 PM: Spy Sweeper started
10:45 PM: Updating spyware definitions
10:45 PM: Your spyware definitions have been updated.
10:47 PM: | End of Session, Sunday, June 25, 2006 |

Thanks guys,
Jargon


----------



## jargonwrites

Here's the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:26:02 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/online/registration
O2 - BHO: (no name) - {da9770d3-26fa-4942-8b45-9333ad52ca13} - C:\WINDOWS\system32:qsep.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Configuration Loader] spoolss.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms.exe] C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: ms.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thanks again guys,
Jargon


----------



## dvk01

Ok if ads spy is still open select them all and select remove selected 

reboot & post fresh HJT log please


----------



## dvk01

Then

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\WINDOWS\system32\qsep.dll
> C:\WINDOWS\system32\spoolss.exe
> C:\WINDOWS\qsep.dll
> C:\qsep.dll
> C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
> 
> Folders to delete
> C:\Program Files\Outlook Express\bOxBoUxfaEdrq
> C:\Program Files\Common Files\System\HhQlN5sSegt


_*
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply.

once it has rebooted

Run hijackthis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O2 - BHO: (no name) - {da9770d3-26fa-4942-8b45-9333ad52ca13} - C:\WINDOWS\system32:qsep.dll

O4 - HKLM\..\Run: [Configuration Loader] spoolss.exe

O4 - HKLM\..\Run: [ms.exe] C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
O4 - Startup: ms.exe

then

please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

Files to submit:

C:\avenger\backup.zip


----------



## dvk01

I would also like to see some logs from other tools as I suspect quite a deep-rooted problem here & I really get a bad feeling about this one


Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Don't do anything with it yet!

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick *WinPFind.exe*
Click "* Configure Scan Options*"
Select " *Run Add ONs*" and then select *ALL* the options in the box below it, Press Apply 
Now Click "*Start Scan*"
*It will scan the entire System, so please be patient!*
Once the Scan is Complete
Reboot back to Normal Mode!
Go to the *WinPFind folder*
Locate *WinPFind.txt*
Place those results in the next post!. It will be too big to post so you will need to attach it to your reply


and

download filesearch.bat to your desktop from http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item11

double click it and it will make a list of ALL files and folders in both C:\windows & c:\windows\system32 and a list of all folders in C:\program files so we can plough through them and spot anything dodgy, hopefully

it will only pop up for a quick flash

a file search.txt should pop up, save it to desktop as it makes it easier to find 
If it doesn't pop up then a copy will be in C:\filesearch.txt

It will be too big to upload here so go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload there
Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the file on your computer, when the file is listed in the windows press send to upload the files

repeat with appdata.bat from http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item12

and then repeat again with all user_appdata.bat http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item13

so you will have 3 files to upload

filesearch.txt
appdata.txt
au_appdata.txt

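The file lists dvk01 asks for above are what makes a "spot anything dodgy" pass possible: a full inventory of the system directories with dates, so recently modified or newly dropped files stand out against years-old OS files. The script below is an added example, not part of this thread and not the filesearch.bat script it refers to; it builds the same kind of listing but adds size, a SHA-256 digest (so a file can be submitted or looked up later) and an age filter. The root directory, the seven-day window and the temporary sample tree are all assumptions made for the example.

```python
"""Inventory a directory tree for malware triage: newest files first, with hashes.

Added example, not the thread's filesearch.bat. Paths and windows are assumptions.
"""
import hashlib
import os
import tempfile
import time
from datetime import datetime

SAMPLE_NEW_CONTENT = b"new payload"   # constructed content for the sample tree
SAMPLE_OLD_CONTENT = b"old system file"


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def inventory(root, max_age_days=None):
    """Return [(relative_path, size, mtime_epoch, sha256)] for regular files under root,
    newest first. With max_age_days set, keep only files modified inside that window."""
    now = time.time()
    rows = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # locked or vanished file: skip it, do not abort the sweep
            if max_age_days is not None and now - st.st_mtime > max_age_days * 86400:
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rows.append((os.path.relpath(full, root), st.st_size,
                         int(st.st_mtime), digest.hexdigest()))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def subdirectories(root):
    """Immediate subfolders of root, the Program Files style listing."""
    return sorted(n for n in os.listdir(root) if os.path.isdir(os.path.join(root, n)))


def render(rows):
    """One line per file: date, size, short hash, path; suitable for diffing two runs."""
    return "\n".join(
        f"{datetime.fromtimestamp(mtime):%Y-%m-%d %H:%M}  {size:>10}  {sha[:12]}  {path}"
        for path, size, mtime, sha in rows
    )


def build_sample_tree():
    """Constructed stand-in for C:\\WINDOWS: one fresh file and one 30 days old."""
    root = tempfile.mkdtemp(prefix="inventory_demo_")
    sysdir = os.path.join(root, "system32")
    os.makedirs(sysdir)
    old = os.path.join(sysdir, "old.dll")
    new = os.path.join(sysdir, "new.dll")
    with open(old, "wb") as fh:
        fh.write(SAMPLE_OLD_CONTENT)
    month_ago = time.time() - 30 * 86400
    os.utime(old, (month_ago, month_ago))   # back-date so the age filter has something to drop
    with open(new, "wb") as fh:
        fh.write(SAMPLE_NEW_CONTENT)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("Modified in the last 7 days:")
    print(render(inventory(demo_root, max_age_days=7)))
    print("Subfolders:", subdirectories(demo_root))
```

Run it twice, once now and once after a cleanup or a reboot, and diff the two renderings: an entry whose hash changes but whose name does not is as interesting as a new file. The age filter is a convenience, not a guarantee, since an attacker who controls the box can back-date a file exactly the way `build_sample_tree` does.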

----------



## jargonwrites

Here's the fresh HJT log (sorry for the delay)

Logfile of HijackThis v1.99.1
Scan saved at 8:40:34 PM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ati.com/online/registration
O2 - BHO: (no name) - {da9770d3-26fa-4942-8b45-9333ad52ca13} - C:\WINDOWS\system32:qsep.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Configuration Loader] spoolss.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms.exe] C:\Documents and Settings\Jez\Start Menu\Programs\Startup\ms.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Startup: ms.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


----------



## jargonwrites

Here is the Avenger text

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kssqqghj

*******************

Script file located at: kljeathv

Could not open script file! Error

Could not open script file! Status: 0xc000003b Abort!


----------



## jargonwrites

Hey Derek, here is that winpfind file you requested. I think my computer might be fixed. It isn't lagging anymore and the cmd.exe process isn't automatically starting up anymore, but I am still able to "run" cmd.exe... Anyways, let me know if I should still continue to download and post those other three things.

Thanks,
Jargon


----------



## dvk01

please repeat the avenger steps again as that didn't work for some reason

and yes we will need the other logs


----------



## jargonwrites

Going out of town, I'll try and post it when I get back...

Thanks,
Jargon


----------

