[Inactive] Explorer running at 90-100% all the time


Offline jjelic

« on: February 06, 2009, 08:46:33 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:42:45, on 06.02.2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ActivCard\accoca.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\RAMpage\RAMpage.exe
C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ProcessExplorer\procexp.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\TRIM\Desktop\HiJackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [RAMpage] "C:\Program Files\RAMpage\RAMpage.exe" U=3 M=28 T=4 LG P="C:\Program Files\RAMpage\RAMpageConfig.exe"
O4 - HKLM\..\Run: [QuickPassword] C:\Program Files\ActivCard\ActivCard Gold\agquickp.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [torrent] C:\WINDOWS\torrent.exe
O4 - HKLM\..\RunServices: [torrent] C:\WINDOWS\torrent.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: AutorunsDisabled
O4 - Startup: Shortcut to procexp.exe.lnk = C:\Program Files\ProcessExplorer\procexp.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEA123DD-5D2A-45E5-A90B-E59323F32845}: NameServer = 192.168.1.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ActivCard Gold service (Accoca) - ActivCard - C:\Program Files\Common Files\ActivCard\accoca.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3354 bytes
« Last Edit: February 13, 2009, 04:26:32 PM by mrrockford »


Offline grsamf

Re: Explorer running at 90-100% all the time
« Reply #1 on: February 07, 2009, 09:27:37 AM »
You are running Hijack This from your desktop. Let's move it to a better location.
Please go into Windows Explorer, click on C:\ then click on File > New > Folder and call it HJT, or another name of your choice.
Then move HijackThis.exe from your desktop to this new folder.
The program creates backup files that we may need to use later, so a separate folder is important.
NOTE: You may create a shortcut on your desktop to HijackThis.exe after you move it by right-clicking it and choosing Send To > Desktop (create shortcut). You can then click the shortcut and HJT will run from the folder in which you placed it.

If you have any P2P software on your computer, it must be removed before proceeding.  http://spywarehammer.com/simplemachinesforum/index.php?topic=110.0

FIRST: Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan.

    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
     If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.

    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
      • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
      • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
      • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
      • Click OK to close the message box and continue with the removal process.
      • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
      • Make sure that everything is checked, and click Remove Selected.
      • When removal is completed, a log report will open in Notepad.
      • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
      • Copy and paste the contents of that report in your next reply and exit MBAM.
      Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process.
       Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


SECOND: Please download Combofix from one of the following links and save it to your desktop:

Link 1
Link 2
Link 3

  • Double click on combo.exe & follow the prompts.
  • When finished, it will produce a logfile located at C:\ComboFix.txt.
  • Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

THIRD: Create an uninstall list with HijackThis:
Click Open the Miscellaneous Tools section.
Click Open Uninstall Manager...
Click Save list...
Include the uninstall list in your next post.

Post the MBAM log, the ComboFix log, the uninstall list and a new HJT log in your next post. If the logs are too long for one post, use two or more posts.