100%CPU Bog with services.exe XP/SP2



Obyenba
2007-10-08, 14:37
Problems:
1) services.exe (the valid one for EventLog & Plug&Play) consumes all remaining CPU time so it's at 100%CPU usage and system slows to a crawl. Starts immediately or shortly after establishing an internet connection; if system is booted but not used for internet, it does not appear to occur.
2) After deleting a number of "O1-Hosts" entries using HijackThis, the system provides what appears to be a clean log (see 1st log below); however, the entries return to the HJT log (and remain until deleted again) after the 100%CPU issue starts up (see 2nd log below).

Virus Scan: Ran the latest versions (as of 10/07/07) of Spybot-S&D, Microsoft Malicious Software Tool, TrendMicro Housecall, TrendMicro Sysclean, McAfee Stinger and AdAware. These all failed to find ANY viruses or issues on the system.

System Clean: Cleaned each user acct with CCleaner. Eliminated all unnecessary services and startup items. Installed MS Hotfix 903737.

Questions:
1) What is causing the standard services.exe to hog the CPU?
2) Are the "O1-Hosts" entries in HJT normal or do they indicate a specific issue?
3) Are these two conditions related?
4) And, of course, how do I fix it?

Thanks,
Bo

HijackThis log after cleanup:
-----------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:13 AM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\admin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/HomePage.htm
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191806457793
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3241 bytes


HijackThis log 8min later (100%CPU issue triggered):
----------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:40 AM, on 10/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Documents and Settings\admin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/HomePage.htm
O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.37 MAIL007 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.38 BE008 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.39 BE009 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.40 BE010 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.41 BE011 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.42 BE012 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.43 BE013 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.44 BE014 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.75.222 BE015 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.46 BE016 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.47 BE017 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.48 BE018 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.49 BE019 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.50 BE020 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.51 BE021 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.52 BE022 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.53 BE023 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.54 BE024 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.55 BE025 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.56 BE026 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.57 BE027 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.58 BE028 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.199 BE029 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.200 BE030 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.201 BE031 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.202 BE032 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.203 BE033 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.204 BE034 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.205 BE035 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.206 BE036 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.207 BE037 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.208 BE038 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.209 BE039 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.210 BE040 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.211 BE041 #Exchange Hosting 10/08/07 08:27:07
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191806457793
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5638 bytes

pskelley
2007-10-17, 13:29
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Are you telling me that you have no idea why your Hosts file is like that? This is not a work computer is it?
Look at this information: http://www.google.com/search?hl=en&q=%23Exchange+Hosting+&btnG=Google+Search
I do not want to reset your Hosts file and create a problem if it is supposed to be this way. If it is your computer, you should know. If it is a work computer, you should be contacting your IT department, not us.

If we are to proceed, please read and follow all directions posted above and at the top of the forum, including:

Note: In notepad under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines.
I need to see an antivirus scan results, but post just a HJT log that is not formatted for now, and the answers to any questions I asked.

Thanks

Obyenba
2007-10-22, 20:07
This Dell C400 laptop was previously my work computer a year ago....bought it cheap when I got an upgraded laptop. The IT guys tried to strip off all the old network and VPN stuff, but, I know they struggled (and failed) to get the password security profiles off the machine. However, I've used it on my home network for almost with no issues....this 100% CPU bog started about a month ago.

I followed all the directions provided. Kaspersky did ID several viruses (see log below) that all the other scans failed to pick up. The Spybot-S&D picked up 4 suspicious cookie items (BlueStreak / CasaleMedia / DoubleClick / FastClick) that it removed...following scan was clean.

Ran HJT (see log below Kaspersky log) which shows the host entries...I have no clue where the exchange host entries are coming from.

Thanks!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 21, 2007 8:02:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/10/2007
Kaspersky Anti-Virus database records: 442145
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 85246
Number of viruses found: 5
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 08:40:39

Infected Object Name / Virus Name / Last Action
C:\ABC\Anywhere.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.371 skipped
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\admin\Desktop\backups\backup-20071004-181712-808.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temp\~DFDD3E.tmp Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temp\~DFDD5B.tmp Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\ba\.housecall\Quarantine\bpkhk.dll.bac_a01796 Infected: Trojan-Spy.Win32.Perfloger.u skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX0\bpk163xp.exe/data.rar/bpkhk.dll Infected: Trojan-Spy.Win32.Perfloger.u skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX0\bpk163xp.exe/data.rar/bpk.exe Infected: not-a-virus:Monitor.Win32.Perflogger.bq skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX0\bpk163xp.exe/data.rar/bpkvw.exe Infected: not-a-virus:Monitor.Win32.Perflogger.be skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX0\bpk163xp.exe/data.rar Infected: not-a-virus:Monitor.Win32.Perflogger.be skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX0\bpk163xp.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX2\bpk163xp.exe/data.rar/bpkhk.dll Infected: Trojan-Spy.Win32.Perfloger.u skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX2\bpk163xp.exe/data.rar/bpk.exe Infected: not-a-virus:Monitor.Win32.Perflogger.bq skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX2\bpk163xp.exe/data.rar/bpkvw.exe Infected: not-a-virus:Monitor.Win32.Perflogger.be skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX2\bpk163xp.exe/data.rar Infected: not-a-virus:Monitor.Win32.Perflogger.be skipped
C:\Documents and Settings\ba\Local Settings\Temp\RarSFX2\bpk163xp.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\httpod51.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\sfcfiles.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\ssinc51.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\qmgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00005 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00008 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00009 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00010 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00011 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329048$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329390$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:36 PM, on 10/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Documents and Settings\admin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/HomePage.htm
O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.37 MAIL007 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.38 BE008 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.39 BE009 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.40 BE010 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.41 BE011 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.42 BE012 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.43 BE013 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.44 BE014 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.75.222 BE015 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.46 BE016 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.47 BE017 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.48 BE018 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.49 BE019 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.50 BE020 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.51 BE021 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.52 BE022 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.53 BE023 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.54 BE024 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.55 BE025 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.56 BE026 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.57 BE027 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.58 BE028 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.199 BE029 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.200 BE030 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.201 BE031 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.202 BE032 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.203 BE033 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.204 BE034 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.205 BE035 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.206 BE036 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.207 BE037 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.208 BE038 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.209 BE039 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.210 BE040 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 64.95.72.211 BE041 #Exchange Hosting 10/08/07 08:27:07
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191806457793
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5773 bytes

pskelley
2007-10-22, 20:51
Quote: "Ran HJT (see log below Kaspersky log) which shows the host entries...I have no clue where the exchange host entries are coming from."

I am operating under the assumption you know nothing about the reason the Hosts file is set like that, so we are going to return the Hosts file to Microsoft's original Hosts file for starters. If you do know anything about why the Hosts file is like that, stop and make me aware.

1) Download HostsXpert v4.1 - Hosts File Manager.
http://www.funkytoad.com/download/HostsXpert.zip
Unzip HostsXpert 4.1 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert 4.1 - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

2) (this is important, you will not see the bad junk if you do not do this)
How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) C:\Documents and Settings\admin\Desktop\backups\ <<< Delete that folder in red

C:\Documents and Settings\ba\.housecall\Quarantine\ <<< delete the contents of that folder in red

C:\Documents and Settings\ba\Local Settings\Temp\ <<< delete the contents of the Temp folder (NOT the folder)

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(if you set the Start Page like this you may leave it, if not check and delete it)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/HomePage.htm

All 01's should be gone, if they are there, check and remove them.

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new Kaspersky scan along with a new HJT log.

Thanks
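
As an added illustration for the Hosts file step above (this is not a tool from the thread, from HijackThis or from HostsXpert): a small Python script that reads a Windows Hosts file, or the O1 lines of an HJT log pasted into a text file, and lists every mapping that is not in Microsoft's default Hosts file, grouped by the trailing comment. Run before and after step 1 it shows whether the entries came back, and because every entry in this thread carries the same "#Exchange Hosting <timestamp>" comment, grouping by comment shows they were written in one batch by one program rather than added by hand. The sample input is constructed from three of the entries posted above; the file path is XP's standard Hosts location and the function names are my own.

```python
"""List non-default entries in a Windows Hosts file (or in the O1 lines of a
HijackThis log) and group them by the comment written alongside them.

Added example for this thread; not part of HijackThis or HostsXpert.
"""

import re
from collections import defaultdict

# Standard location of the Hosts file on Windows XP.
XP_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Microsoft's default XP Hosts file maps only the loopback name.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}

# HijackThis prefixes each Hosts line with "O1 - Hosts: " in its log.
HJT_PREFIX = re.compile(r"^O1 - Hosts:\s*")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_hosts_lines(text):
    """Return (ip, hostname, comment) tuples for each mapping line.

    Accepts raw Hosts-file text or HijackThis O1 output. The comment is the
    text after '#' on the same line (empty string if there is none).
    """
    entries = []
    for raw in text.splitlines():
        line = HJT_PREFIX.sub("", raw.strip())
        if not line or line.startswith("#"):
            continue                      # blank or comment-only line
        body, _, comment = line.partition("#")
        fields = body.split()
        if len(fields) < 2 or not IPV4.match(fields[0]):
            continue                      # not a mapping line
        for host in fields[1:]:           # one line may map several names
            entries.append((fields[0], host, comment.strip()))
    return entries


def foreign_entries(entries):
    """Keep only entries that are not in Microsoft's default Hosts file."""
    return [e for e in entries if (e[0], e[1]) not in DEFAULT_ENTRIES]


def group_by_comment(entries):
    """Group entries by their trailing comment.

    Entries that share one comment (here a tag plus a timestamp) were most
    likely written together by the same program, which is what the thread
    is trying to establish.
    """
    groups = defaultdict(list)
    for ip, host, comment in entries:
        groups[comment].append((ip, host))
    return dict(groups)


def report(text):
    """Return {comment: [(ip, host), ...]} for all non-default entries."""
    return group_by_comment(foreign_entries(parse_hosts_lines(text)))


def report_file(path=XP_HOSTS_PATH):
    """Same as report(), reading the Hosts file from disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return report(fh.read())


# Constructed sample: the default entry plus three lines in the format of the
# O1 entries posted in this thread (one with the HJT prefix, to show that both
# forms are accepted).
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.25.74.36 MAIL006 #Exchange Hosting 10/08/07 08:27:07
O1 - Hosts: 69.25.74.37 MAIL007 #Exchange Hosting 10/08/07 08:27:07
64.95.72.211 BE041 #Exchange Hosting 10/08/07 08:27:07
"""

if __name__ == "__main__":
    for comment, hosts in report(SAMPLE).items():
        print(f"{len(hosts)} non-default entries tagged '#{comment}':")
        for ip, host in hosts:
            print(f"  {ip:<16} {host}")
```

Usage: `report_file()` reads the live Hosts file; save the "before" and "after" results and compare them after the reset and the reboot. An empty dictionary means the file holds nothing beyond the Microsoft default.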

Obyenba
2007-10-24, 03:23
OK. Ran HostsXpert to restore MS hosts file. Deleted the recommended folder/files. Ran HJT and there were no 01 host entries (the R0 is my homepage entry). Ran ATF cleaner and then rebooted.

Ran Kaspersky (see log below).....9 hours. It ID'd one item that appears to be related to a program used by my ABC flowcharting software.

Ran a new HJT log (see below) and all the 01 host entries have returned.

What now?

Thanks!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 23, 2007 9:04:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/10/2007
Kaspersky Anti-Virus database records: 443283
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 77300
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 10:48:34

Infected Object Name / Virus Name / Last Action
C:\ABC\Anywhere.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.371 skipped
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\MSHist012007102320071024\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temp\~DF47CB.tmp Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temp\~DF47FE.tmp Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\dxmasf.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\httpod51.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\sfcfiles.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ309521$\ssinc51.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\qmgr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.exe Object is locked skipped
C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.inf Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00005 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00008 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00009 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00010 Object is locked skipped
C:\WINDOWS\$NtUninstallQ323172$\reg00011 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329048$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329390$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ329834$\reg00001 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS2 Object is locked skipped
C:\WINDOWS\SYSTEM32\novell\nici\SYSTEM\XMGRCFG.KS3 Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:15 PM, on 10/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\admin\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/HomePage.htm
O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.37 MAIL007 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.38 BE008 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.39 BE009 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.40 BE010 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.41 BE011 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.42 BE012 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.43 BE013 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.44 BE014 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.75.222 BE015 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.46 BE016 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.47 BE017 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.48 BE018 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.49 BE019 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.50 BE020 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.51 BE021 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.52 BE022 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.53 BE023 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.54 BE024 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.55 BE025 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.56 BE026 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.57 BE027 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.58 BE028 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.199 BE029 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.200 BE030 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.201 BE031 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.202 BE032 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.203 BE033 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.204 BE034 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.205 BE035 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.206 BE036 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.207 BE037 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.208 BE038 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.209 BE039 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.210 BE040 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 64.95.72.211 BE041 #Exchange Hosting 10/23/07 09:50:41
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191806457793
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/cab/x86/i486/NTANSI/retail/DASAct.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5806 bytes

Obyenba
2007-10-24, 04:18
I tried this sequence to see if the hosts issue was related to the CPU bog:

1) Ran HJT and confirmed O1 host entries existed. (CPU@100%)
2) Ran HostsXpert and reset to MS hosts file. (CPU@100%)
3) Ran HJT and confirmed all O1 entries were gone. (CPU@100%)
4) Restarted Windows.
5) Ran HJT and confirmed all O1 entries were gone.
6) Ran PERFMON and confirmed CPU at 16% (normal CPU level since I got it). Monitored until CPU flatlined at 100% (had to surf with IE to get it going...msnbc.com always seems to trigger it while cnn.com doesn't...???).
7) Ran HJT and the O1 host entries are NOT there. (CPU@100%)
8) Opened Outlook 2003.
9) Ran HJT and O1 host entries have reappeared. Closed Outlook.
10) Ran HostsXpert and reset to MS hosts file.
11) Ran HJT and confirmed all O1 entries were gone.
12) Opened Outlook again.
13) Immediately ran HJT and all O1 entries exist.

Looks like the host entries are not causing the CPU problem. I assume the host entries are something left over from when the laptop would access the exchange server for email.

Is there some bizarre script used on msnbc.com that could trigger the event? I know it's not just that website, but I know it will trigger the CPU bog.

Thanks!
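The sequence above separates two questions: whether the O1 entries come back on their own (they return whenever Outlook is opened) and whether they matter for the CPU load (they don't). A quick way to audit such entries without eyeballing the log is to parse the O1 lines and sort them by what they do. The script below is an added example, not code from this thread or from HijackThis; it runs on constructed log text modeled on the HJT output posted earlier (two of the sample lines are copied from it, the rest are invented and labelled as such), and it assumes the stock Windows XP hosts file contains only `127.0.0.1 localhost`. Sinkhole entries (a name pointed at 127.x or 0.0.0.0, which is what blocklists like the one HostsXpert manages write) are kept apart from names pointed at a real address, and the latter are grouped by their trailing `#` comment with the timestamp stripped, so the program that stamped the file shows up with a count.

```python
"""Audit the 'O1 - Hosts:' entries HijackThis reports (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the only entry a stock Windows XP hosts file carries.
DEFAULT_HOSTS = {("127.0.0.1", "localhost")}

# One hosts line per O1 entry: "O1 - Hosts: <ip> <name> [#comment]"
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*(?:#(.*))?$")
# Trailing "MM/DD/YY HH:MM:SS" stamp, as in "#Exchange Hosting 10/23/07 09:50:41"
STAMP_RE = re.compile(r"\s+\d{1,2}/\d{1,2}/\d{2,4}\s+\d{1,2}:\d{2}:\d{2}\s*$")

# Constructed sample: the two "Exchange Hosting" lines mirror the thread's log,
# the remaining entries are invented to exercise each bucket.
SAMPLE_HJT = """\
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 69.25.74.36 MAIL006 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 69.25.74.38 BE008 #Exchange Hosting 10/23/07 09:50:41
O1 - Hosts: 127.0.0.1 ads.example.net #blocklist entry (constructed)
O1 - Hosts: 0.0.0.0 tracker.example.net #blocklist entry (constructed)
O1 - Hosts: 203.0.113.9 www.example.com #name pointed off-box (constructed)
O1 - Hosts: not-an-ip bogus.example
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F}
"""


def parse_o1_lines(log_text):
    """Return [(ip, hostname, comment), ...] for every O1 line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            ip, host, comment = m.groups()
            entries.append((ip, host, (comment or "").strip()))
    return entries


def classify(entries):
    """Bucket entries: 'default' (stock file), 'sinkhole' (name sunk to a
    loopback/unspecified address), 'external' (name pointed at some other
    address, the case worth a second look) and 'invalid' (unparseable IP)."""
    report = {"default": [], "sinkhole": [], "external": [], "invalid": []}
    for entry in entries:
        ip, host, _comment = entry
        if (ip, host) in DEFAULT_HOSTS:
            report["default"].append(entry)
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            report["invalid"].append(entry)
            continue
        bucket = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "external"
        report[bucket].append(entry)
    return report


def group_by_writer(entries):
    """Group entries by comment minus any timestamp, so a program that stamps
    the file (here 'Exchange Hosting') is counted as one writer."""
    groups = defaultdict(list)
    for ip, host, comment in entries:
        tag = STAMP_RE.sub("", comment).strip() or "(no comment)"
        groups[tag].append((ip, host))
    return dict(groups)


def audit(log_text):
    """Summary counts for a log: how many entries, how many of each kind,
    and who wrote the entries that point names off the local machine."""
    buckets = classify(parse_o1_lines(log_text))
    writers = {tag: len(v) for tag, v in group_by_writer(buckets["external"]).items()}
    return {
        "total": sum(len(v) for v in buckets.values()),
        "default": len(buckets["default"]),
        "sinkhole": len(buckets["sinkhole"]),
        "external": len(buckets["external"]),
        "invalid": len(buckets["invalid"]),
        "writers": writers,
    }


if __name__ == "__main__":
    for bucket, items in classify(parse_o1_lines(SAMPLE_HJT)).items():
        print(f"{bucket}: {items}")
    print(audit(SAMPLE_HJT))
```

On the thread's own log every O1 line lands in the `external` bucket under a single writer tag, which matches what the poster worked out by hand: one program (the Exchange hosting client started by Outlook) owns all of them, and an entry that points an internal mail host name at the provider's address is a very different thing from an entry that points a public site somewhere else.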

Obyenba
2007-10-24, 05:28
I used Sysinternals Process Explorer to ID the threads consuming CPU and found three (3) threads under the services.exe that are consuming similar levels. All 3 have the start address "kernel32.dll!CreateThread+0x22". Below are the stacks for each thread:

Thread 620:
ntoskrnl.exe!ExReleaseResourceLite+0x1a3
ntoskrnl.exe!IoGetStackLimits+0x74
ntoskrnl.exe!ObOpenObjectByName+0x2f6
ntoskrnl.exe!ObOpenObjectByName+0xdb
ntoskrnl.exe!ObOpenObjectByName+0xa3e
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
ADVAPI32.dll!RegOpenKeyExW+0xe6
umpnpmgr.dll!PNP_GetDeviceRegProp+0xccc
umpnpmgr.dll!PNP_GetDeviceRegProp+0xe62
umpnpmgr.dll!PNP_GetDeviceRegProp+0xeed
umpnpmgr.dll!PNP_GetDeviceRegProp+0xc23
RPCRT4.dll!CheckVerificationTrailer+0x75
RPCRT4.dll!NdrStubCall2+0x215
RPCRT4.dll!NdrServerCall2+0x19
RPCRT4.dll!NdrGetTypeFlags+0x1c9
RPCRT4.dll!NdrGetTypeFlags+0x12e
RPCRT4.dll!NdrGetTypeFlags+0x5a
RPCRT4.dll!NdrConformantArrayFree+0x42e
RPCRT4.dll!NdrConformantArrayFree+0x28b
RPCRT4.dll!I_RpcBCacheFree+0x14c
RPCRT4.dll!I_RpcBCacheFree+0x5ea
RPCRT4.dll!I_RpcBCacheFree+0x403
RPCRT4.dll!I_RpcBCacheFree+0x5d2
kernel32.dll!GetModuleFileNameA+0x1b4

Thread 1144:
ntoskrnl.exe!ExReleaseResourceLite+0x206
ntoskrnl.exe!CcUnpinDataForThread+0x338
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
RPCRT4.dll!I_RpcBCacheFree+0x5ea
RPCRT4.dll!I_RpcBCacheFree+0x403
RPCRT4.dll!I_RpcBCacheFree+0x5d2
kernel32.dll!GetModuleFileNameA+0x1b4

Thread 1220:
ntoskrnl.exe!ExReleaseResourceLite+0x206
ntoskrnl.exe!CcUnpinDataForThread+0x338
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
RPCRT4.dll!I_RpcBCacheFree+0x5ea
RPCRT4.dll!I_RpcBCacheFree+0x403
RPCRT4.dll!I_RpcBCacheFree+0x5d2
kernel32.dll!GetModuleFileNameA+0x1b4
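The stacks above carry more information than they look like they do. Reading thread 620 from the bottom up: the thread was started by the RPC runtime (RPCRT4.dll), dispatched an incoming RPC call (NdrServerCall2/NdrStubCall2) into umpnpmgr.dll, which is the user-mode Plug and Play manager hosted in services.exe, and that code is opening registry keys (ADVAPI32!RegOpenKeyExW) when the sample was taken. Threads 1144 and 1220 show only RPC runtime frames, i.e. RPC worker threads with no server code on the stack. One caveat when reading Process Explorer output without symbols: a frame like `PNP_GetDeviceRegProp+0xccc` means "0xccc bytes past the nearest exported symbol", so the module is reliable but the named function may not be. The script below is an added example, not code from the thread or from Sysinternals; it parses stacks in this `module!symbol+0xoffset` form (the samples are abridged from the three stacks posted above), finds the first user-mode frame after the syscall transition and the first module that is not system plumbing, and counts which module the hot threads are working for. The plumbing list and the treatment of ntdll!KiFastSystemCallRet as the kernel/user boundary are assumptions built into the example.

```python
"""Attribute Process Explorer thread stacks to the module doing the work (added example)."""
import re
from collections import Counter

FRAME_RE = re.compile(r"^(?P<module>[^!\s]+)!(?P<symbol>[^+\s]+)(?:\+0x(?P<offset>[0-9a-fA-F]+))?$")
THREAD_RE = re.compile(r"^Thread\s+(\d+):$")

KERNEL_MODULES = {"ntoskrnl.exe", "ntkrnlpa.exe", "hal.dll"}
# Assumption: system DLLs that carry a call but do not own the work.
PLUMBING = {"ntdll.dll", "kernel32.dll", "advapi32.dll", "rpcrt4.dll", "user32.dll", "ole32.dll"}
# Frames that mean the thread is executing an incoming RPC server call.
RPC_DISPATCH = {"ndrstubcall2", "ndrservercall2"}

# Constructed sample, abridged from the three services.exe stacks in the thread.
SAMPLE_STACKS = """\
Thread 620:
ntoskrnl.exe!ExReleaseResourceLite+0x1a3
ntoskrnl.exe!ObOpenObjectByName+0x2f6
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
ADVAPI32.dll!RegOpenKeyExW+0xe6
umpnpmgr.dll!PNP_GetDeviceRegProp+0xccc
RPCRT4.dll!NdrStubCall2+0x215
RPCRT4.dll!NdrServerCall2+0x19
RPCRT4.dll!I_RpcBCacheFree+0x5d2
kernel32.dll!GetModuleFileNameA+0x1b4

Thread 1144:
ntoskrnl.exe!ExReleaseResourceLite+0x206
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
RPCRT4.dll!I_RpcBCacheFree+0x5ea
kernel32.dll!GetModuleFileNameA+0x1b4

Thread 1220:
ntoskrnl.exe!ExReleaseResourceLite+0x206
ntoskrnl.exe!ZwYieldExecution+0xb78
ntdll.dll!KiFastSystemCallRet
RPCRT4.dll!I_RpcBCacheFree+0x5ea
kernel32.dll!GetModuleFileNameA+0x1b4
"""


def parse_stacks(text):
    """Return {thread_id: [(module, symbol, offset), ...]}, innermost frame first."""
    stacks, tid = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        t = THREAD_RE.match(line)
        if t:
            tid = int(t.group(1))
            stacks[tid] = []
            continue
        f = FRAME_RE.match(line)
        if f and tid is not None:
            offset = int(f.group("offset"), 16) if f.group("offset") else 0
            stacks[tid].append((f.group("module"), f.group("symbol"), offset))
    return stacks


def attribute(frames):
    """Walk a stack top-down and report: the user-mode API that issued the
    syscall, the first non-plumbing module (who the thread works for) and
    whether an RPC server dispatch is on the stack."""
    syscall_api, owner, rpc_dispatched = None, None, False
    # A stack with no kernel frames at all is already in user mode.
    in_user_mode = bool(frames) and frames[0][0].lower() not in KERNEL_MODULES
    for module, symbol, _offset in frames:
        mod = module.lower()
        if mod in KERNEL_MODULES:
            continue
        if mod == "ntdll.dll" and symbol == "KiFastSystemCallRet":
            in_user_mode = True
            continue
        if symbol.lower() in RPC_DISPATCH:
            rpc_dispatched = True
        if not in_user_mode:
            continue
        if syscall_api is None:
            syscall_api = f"{module}!{symbol}"
        if owner is None and mod not in PLUMBING:
            owner = module
    return {"syscall_api": syscall_api, "owner": owner, "rpc_dispatched": rpc_dispatched}


def summarize(text):
    """Per-thread attribution plus a count of owning modules across threads."""
    per_thread = {tid: attribute(frames) for tid, frames in parse_stacks(text).items()}
    owners = Counter(a["owner"] or "rpc-runtime/plumbing only" for a in per_thread.values())
    return per_thread, owners


if __name__ == "__main__":
    per_thread, owners = summarize(SAMPLE_STACKS)
    for tid, info in per_thread.items():
        print(f"thread {tid}: {info}")
    print("owners:", dict(owners))
```

Run on the sample, the only thread with server code on its stack is attributed to umpnpmgr.dll, reached through an RPC dispatch, which is the detail worth pursuing next: something on the machine is calling the Plug and Play service over RPC hard enough to keep services.exe busy, and the caller rather than services.exe itself is what a defender would want to identify (Process Explorer's thread view on the other processes, or the network/RPC clients active when the load starts, is where that search goes).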

pskelley
2007-10-24, 12:02
Thanks for returning your information and the feedback. Are you on dialup? Kaspersky should take an hour or two and your report is not especially long.

Here is the Google on Exchange Hosting; I have not run into this issue before, since we rarely deal with business computers. You may have to remove the program. I will take a look at the uninstall list to see if I spot anything.
http://www.google.com/search?hl=en&q=Exchange+Hosting+&btnG=Google+Search

KASPERSKY ONLINE SCANNER REPORT Tuesday, October 23, 2007 9:04:21 PM
C:\ABC\Anywhere.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.371 skipped

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:08:15 PM, on 10/23/2007
No malware in the HJT log.

My guess is this is not a malware issue; maybe an old drive is causing it? Could be many things. I will only respond to the numbered items you posted if I question what you said or your question requires an answer.

6) Open Task Manager, then the Processes Tab. Click on Mem Usage to bring the big users up to the top of the list so you can see what is using all of the resources. On my Dell with XPPro it is MSN.exe (I use MSN Explorer) then antivirus, firewall, svchost and IE.

It does not look like you will remove the Hosts items without getting rid of the Program causing it and I have no idea how to do that. You might consider a reformat but not without having the Windows CD to reinstall the operating system.

I personally know of no reason navigating to MSNBC should result in a spike of CPU Usage.

Here is a troubleshooting site that may help: http://kadaitcha.cx/high_cpu.html

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

You also might consider a diagnostic here:
http://www.pcpitstop.com/pcpitstop/
Tutorial: http://www.pcpitstop.com/techexpress/howto1.asp
Help with results: http://pcpitstop.invisionzone.com/index.php?showforum=6

It is free and if you register (also free) you will be able to save your reports and post a link to it in this topic.

Post that uninstall list and let me know what Task Manager is showing.

Thanks

Obyenba
2007-10-25, 02:22
No, broadband...it's the fully-consumed CPU that slows it down. I ran the Kaspersky on our gaming PC and it took less than an hour.

Thanks for the recommendations for other troubleshooting. I'll give those a try...it's just annoying when it runs at dial-up speed.

I'm going to try to decipher the thread info but it is currently Greek to me...just seems something linked to the items running in services.exe is the culprit.

Below is the info you asked for.

Thanks for your help!


Top 5 Mem Users
1. IE (29232K)
2. svchost (11752K)
3. explorer (10668K)
4. helpsvc (8372K)
5. taskmgr (4860K)

Top 5 CPU Users
1. services.exe (70-80%)
2. wlancfg4.exe (10-20%)
3. taskmgr.exe (<10%)
4. explorer.exe (<5%)
5. lsass.exe (<5%)

HJT Uninstall List (MS stuff removed):
Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Photoshop Elements 2.0
Adobe Reader 8.1.0
Adobe Shockwave Player
Adobe SVG Viewer 3.0
Autodesk Volo View
AVS DVDMenu Editor 1.0.0.5
AVS Video Converter 5.5
CCleaner (remove only)
Dell AccessDirect
Dell Printer Software Uninstall
Dell Solution Center
Dell TrueMobile 1300 WLAN Mini-PCI Card
Discover Visio 2000 Interactive Sample
EDS Viewer
ExpertGPS
Google Earth
HijackThis 2.0.2
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0.A
HP Photosmart, Officejet and Deskjet 7.0.A
Intel(R) Extreme Graphics Driver
JMP 4
Kaspersky Online Scanner
MA111 Configuration Utility
MA521 Device Driver
MetaFrame Presentation Server Client
Micrografx Instant 3D 1.2
Micrografx PhotoMagic 6
Micrografx Windows Draw 6
Modem Helper
Monarch 5.02
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
NICI (Shared) U.S./Worldwide (128 bit) (2.6.4-5)
NoLimits Coasters 1.6 (remove only)
Palm Desktop
PCTEL 2304WT V.92 MDC Modem Drivers
Porta
PowerDVD
Quicken 2007
QuickTime
RollerCoaster Tycoon Deluxe
Sandlot Games Client Services
Sierra Home Architect
Sierra Utilities
Spybot - Search & Destroy
SUPER © Version 2007.bld.22 (Mar 14, 2007)
Synaptics TouchPad
Visual Applications, Inc.
Windows Internet Explorer 7
Windows Support Tools
Windows XP Service Pack 2
WinRAR archiver
WinZip

pskelley
2007-10-25, 02:50
Taking a look at the services you have running:

I run adaware but not the new program that runs as a service like this. Try disabling the service to see if that makes a difference.
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

This one: http://www.bleepingcomputer.com/startups/crypserv.exe-7633.html
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe

Next two probably have to do with an HP printer
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE

http://www.liutilities.com/products/wintaskspro/processlibrary/hpzipm12/
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Really nothing there that looks strange unless something is running and not showing.

Have a look at your services to see if you can spot anything that should not be there:
Click Start > Run and type services.msc
Here are a few links to help identify different services; I think they are current.

http://vlaurie.com/computers2/Articles/services.htm
http://www.onecomputerguy.com/windowsxp_tips.htm#services_disable
http://www.jasonn.com/turning_off_unnecessary_services_on_windows_xp/
http://www.mvps.org/winhelp2002/services.htm

I am afraid something is occurring not related to malware, so it is probably not going to be anything I can help you with. I'll stick with you a bit longer though.

I really see nothing in the uninstall list that should be causing these problems.

I would like a look at the PCPitStop diagnostic report.

Thanks

tashi
2007-11-05, 23:19
This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.