Old 08-04-2009, 08:40 PM   #1 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Task Manager>CPU Usage 100% all the time!


My CPU Usage listed under Performance in the Task Manager is at 99-100% all the time! and my comp runs awfully slow
I've formatted my comp thrice, i installed and updated the latest ESET NOD32 antivirus and scanned my computer and found no virus, is there anything im missing.

Please let me know if there is any solution to this!?!
boom2709 is offline  

Old 09-04-2009, 01:06 AM   #2 (permalink)
Broken In
 
mad_max's Avatar
 
Join Date: Jul 2008
Posts: 131
Default Re: Task Manager>CPU Usage 100% all the time!

see what's the process thats eating up ur cpu cycles maybe its the antivirus cuz i used to get that problem occasionally with kis 8,uhh what an awesome[NOT] upgrade that was:S
mad_max is offline  
Old 10-04-2009, 01:04 AM   #3 (permalink)
Gowt1ham
 
Gowt1ham's Avatar
 
Join Date: Jan 2009
Posts: 236
Default Re: Task Manager>CPU Usage 100% all the time!

Try using NIS 2009 trial, its good and consumes less memory
__________________
PII 965 BE @ 4ghz|CM 10 |8GB GSKILL Ripjaws|Aerocool V12|MSI 790gx g70|EVGA GTX 260 OC |CM UCP 900W| CM Stacker 830 nvidia Edition+13 fans| BenQ 24"| Logitech G15 & MX 518| 2TB HDD|AD700+E7/E9
Gowt1ham is offline  
Old 10-04-2009, 10:48 AM   #4 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

i have attached a screenshot here, now u see there are about 10 of these chrome processes and thats when i have opened only 6 tabs in chrome.
and i have done tabbed browsing before but it never was so resource intensive!



i guess theres a virus on my comp that NOD32 cannot detect, can anyone suggest me a better anti-virus ?!
boom2709 is offline  
Old 10-04-2009, 11:33 AM   #5 (permalink)
Overlord v2.0
 
alexanderthegreat's Avatar
 
Join Date: Dec 2006
Location: ICA Headquarters
Posts: 369
Default Re: Task Manager>CPU Usage 100% all the time!

But there is no "Google Chrome" written on the taskbar.
This might be the fabled chrome.exe virus. Disable the autorun feature on all drives using the group policy editor. Try running a full system boot time scan with avast antivirus. Run a Hijackthis scan and post the log here.

If you can, go for an online scan.

One more thing, that "ekrn.exe" may be a malware. The legit version of that file collects and sends info over a network, but some malwares have been caught masquerading as "ekrn.exe". Do run that scan quickly.
__________________
The Only quote worth quoting: "E Loboa!!! What man???
Forum Rules:http://www.thinkdigit.com/forum/announcement.php?f=16&a=1

Disclaimer:No offence meant to ANYONE!

Last edited by alexanderthegreat; 10-04-2009 at 11:43 AM.
alexanderthegreat is offline  
Old 10-04-2009, 12:45 PM   #6 (permalink)
Legen-wait for it-dary!
 
dheeraj_kumar's Avatar
 
Join Date: Dec 2004
Location: Chennai
Posts: 2,471
Default Re: Task Manager>CPU Usage 100% all the time!

^^ Look carefully, Chrome is running.

regsvr.exe, two instances of it, taking up 80% cpu time, thats a virus, mostly.
__________________
If the Start Windows Restart when Windows starts check box is checked Windows Restart will start automatically every time Windows is started. - Actual excerpt from a windows program help file
dheeraj_kumar is offline  
Old 10-04-2009, 12:47 PM   #7 (permalink)
Excessive happiness
 
furious_gamer's Avatar
 
Join Date: Jun 2008
Location: Bangalore
Posts: 2,975
Default Re: Task Manager>CPU Usage 100% all the time!

Quote:
Originally Posted by dheeraj_kumar View Post
^^ Look carefully, Chrome is running.

regsvr.exe, two instances of it, taking up 80% cpu time, thats a virus, mostly.
Confirmed. Virus.. Try installing ur fav AV and do a complete scan. If still the problem persists, get replaced the HDD...
__________________
My First Android phone : Samsung Galaxy SL i9003 - Rooted & Gingerbread XXKPQ
Updated : superteekz_V2 ROM for XXKPQ.

PS Request
furious_gamer is offline  
Old 10-04-2009, 12:51 PM   #8 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

Quote:
Originally Posted by alexanderthegreat View Post
But there is no "Google Chrome" written on the taskbar.
its right there, the green-yellow-red circle saying Digit's Technology..


Quote:
Originally Posted by alexanderthegreat View Post
This might be the fabled chrome.exe virus.
i really dont think so because they appear only when i start chrome and if i terminate any of these chrome.exe processes google chrome window crashes


Quote:
Originally Posted by alexanderthegreat View Post
Disable the autorun feature on all drives using the group policy editor.
can u please explain briefly how im supposed to do that.


Quote:
Originally Posted by alexanderthegreat View Post
If you can, go for an online scan.
which is the best online scan ?
boom2709 is offline  
Old 10-04-2009, 12:58 PM   #9 (permalink)
Call me D_J!
 
Disc_Junkie's Avatar
 
Join Date: Nov 2008
Location: INDIA
Posts: 866
Default Re: Task Manager>CPU Usage 100% all the time!

The best option is to download Noob Killer and do a 8-X Kill. You can try it once, it can clear out all the malware.

Link: http://www.freewarefiles.com/Noob-Ki...ram_42299.html
__________________
ASUS K42JA-VX032D RAWKS !!!!!!:grin:
Disc_Junkie is offline  
Old 10-04-2009, 01:03 PM   #10 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

@Gowt1ham heres the log file that u asked for


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:12 PM, on 4/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\regsvr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\regsvr.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE2B7EB1-2B10-49B5-9B72-0C35D3BCBD6F}: NameServer = 59.144.127.16,59.144.127.17
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4549 bytes

Last edited by boom2709; 10-04-2009 at 01:11 PM. Reason: Automerged Doublepost
boom2709 is offline  
Old 10-04-2009, 01:15 PM   #11 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

thanks for all the help guys, specially
Disc_Junkie
rajkumar_pb
dheeraj_kumar
alexanderthegreat

.. just one last question, im using ESET NOD32 4 and clearly its not good enough so which is the best anti-virus then?

a few of my friends have suggested Avast, how good is it ? and can i use it along side NOD32 and if can run only one then which one should i go for.

Last edited by boom2709; 10-04-2009 at 01:27 PM.
boom2709 is offline  
Old 10-04-2009, 01:22 PM   #12 (permalink)
Excessive happiness
 
furious_gamer's Avatar
 
Join Date: Jun 2008
Location: Bangalore
Posts: 2,975
Default Re: Task Manager>CPU Usage 100% all the time!

^^IMO KIS2009....I am using it currently and not yet faced any threats, it just wipe them off...
__________________
My First Android phone : Samsung Galaxy SL i9003 - Rooted & Gingerbread XXKPQ
Updated : superteekz_V2 ROM for XXKPQ.

PS Request
furious_gamer is offline  
Old 10-04-2009, 01:29 PM   #13 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

@rajkumar is it very resource intensive coz i got a pretty slow computer!
boom2709 is offline  
Old 10-04-2009, 01:32 PM   #14 (permalink)
Excessive happiness
 
furious_gamer's Avatar
 
Join Date: Jun 2008
Location: Bangalore
Posts: 2,975
Default Re: Task Manager>CPU Usage 100% all the time!

^^ All AV's were Resource Hoggers... I find it better than others..But still wait to see what other suggest?
__________________
My First Android phone : Samsung Galaxy SL i9003 - Rooted & Gingerbread XXKPQ
Updated : superteekz_V2 ROM for XXKPQ.

PS Request
furious_gamer is offline  
Old 10-04-2009, 01:37 PM   #15 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

how good do u think are Avast and BitDefender ?

and now that i have ur attention, i have another small problem


when i type msconfig in run and execute it the msconfig window opens fr like a fraction of a second and then just vanishes!

.. is this also because of the same virus ??

Last edited by boom2709; 10-04-2009 at 01:46 PM.
boom2709 is offline  
Old 10-04-2009, 01:52 PM   #16 (permalink)
Excessive happiness
 
furious_gamer's Avatar
 
Join Date: Jun 2008
Location: Bangalore
Posts: 2,975
Default Re: Task Manager>CPU Usage 100% all the time!

IMO Avast isn't that good. Dunno abt BitDefender as i never used it before.

Will u plz tell me some other popular AVs name? I got one in my mind but forgot the name..

And yes, thatz a problem with the virus. I experienced it before. Mine was even worse. When i type msconfig and enter, system gets restarted...
__________________
My First Android phone : Samsung Galaxy SL i9003 - Rooted & Gingerbread XXKPQ
Updated : superteekz_V2 ROM for XXKPQ.

PS Request
furious_gamer is offline  
Old 10-04-2009, 03:03 PM   #17 (permalink)
Call me D_J!
 
Disc_Junkie's Avatar
 
Join Date: Nov 2008
Location: INDIA
Posts: 866
Default Re: Task Manager>CPU Usage 100% all the time!

Avast is good in detecting but poor in deleting the virus. And Bit Defender is not that good.

Download Noob-Killer, it is a small file only used for deleting viruses and malware forcibly. You may find it useful. Once my computer was infected by a boot.com virus, when I downloaded a exe file from dailykeys.com. As soon as it got executed my whole computer was shut down. After I restarted, I could find an Autoplay option when I right-click a drive. I had asked the question in Tech. QnA in this site, they told me delete the autorun.inf from the root of the drives. I searched them but could find them. I could see a folder named 'resycled' where the file was stored but neither the folder could be opened nor could it be deleted. Then I learnt about Noob Killer from a site. I downloaded it....There I could find a lot of options to wipe out the virus...
I tried to manually remove the folder from within there and it worked...
The folder was deleted and my computer was free from the Autorun virus. I could have used the 8-X kill option but I didn't use it coz I knew where the virus was located.

Therefore as you see, Noob-Killer is the best. Otherwise you could block the worm from getting started. Install a firewall such as Comodo or Zone Alarm and block it. I personally suggest Zone Alarm Internet Security Suite because it has also got Integrated Antivirus and Antispyware which are a boon for a firewall......
__________________
ASUS K42JA-VX032D RAWKS !!!!!!:grin:

Last edited by Disc_Junkie; 10-04-2009 at 04:08 PM.
Disc_Junkie is offline  
Old 10-04-2009, 03:14 PM   #18 (permalink)
Overlord v2.0
 
alexanderthegreat's Avatar
 
Join Date: Dec 2006
Location: ICA Headquarters
Posts: 369
Default Re: Task Manager>CPU Usage 100% all the time!

First things first! Your Hijackthis log clearly shows presence of a virus. Your registry editor is disabled.
Your log shows presence of two instances of regsvr.exe. I agree with dheeraj. It appears to be the culprit. What's put me in a right state is that you are able to use the task manager without problems.

Nevertheless, locate the following entries in the log in Hijackthis. Place a check next to them and click on fix checked:-
Quote:
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1 //this one is weird. If you've disabled regedit intentionally, leave it.
To disable autorun in order to prevent spreading of viruses, do this:-
1>Go to Start>Run> type in "gpedit.msc" without the quotes and press enter.
2>Expand Administrative templates by clicking on the little plus/arrow next to it.
3>In the bunch of folders that dropped down, find out "System" and click on it.
4>In the right side pane, find out the entry called Turn off Autoplay and double click it.
5>Check the "Enabled" radio button. Select "All drives" from the drop down list below the radio button. Click on OK.
6>Reboot the PC.

Regarding Bitdefender: I reckon Avast is better than bitdefender. Simply run a full system boot time scan using avast home edition and see if it detects anything. If you DO want to go for an online scan, try: http://www.mcafee.com/freescan.
Also, try Malwarebytes' Antimalware or the noob killer suggested by Disc Junkie.

One more thing, that ekrn.exe appears to be from NOD32.

@Disc_Junkie, OFFTOPIC: Man, you speak of noob killer just like those hair growing/ height increasing/floor cleaning/Impact Tool kit-like ads. . No offence meant, mate!
__________________
The Only quote worth quoting: "E Loboa!!! What man???
Forum Rules:http://www.thinkdigit.com/forum/announcement.php?f=16&a=1

Disclaimer:No offence meant to ANYONE!

Last edited by alexanderthegreat; 10-04-2009 at 04:10 PM.
alexanderthegreat is offline  
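Added example, not part of any post in this thread: a small triage script that applies the checks discussed above to a HijackThis log (an extra program in the Winlogon Shell value, Run entries whose display name does not match the system32 binary they launch, and the DisableRegedit policy). The sample lines are an excerpt of the log posted in #10; the function names and the name-matching heuristic are assumptions made for illustration.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    code: str    # HijackThis section code (F2, O4, O7, ...)
    reason: str  # why the entry deserves a closer look
    line: str    # the log line as posted


# Excerpt of the HijackThis log from post #10 of this thread
# (the space the forum software inserted into "Policies" is removed).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe regsvr.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [Msn Messsenger] C:\WINDOWS\system32\regsvr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
BINARY_RE = re.compile(r'([^\\\s",]+)\.(?:exe|dll|com|scr)\b', re.IGNORECASE)
POLICY_RE = re.compile(r"\b(DisableRegedit|DisableTaskMgr)=1\b")


def _flat(text: str) -> str:
    """Lower-case and keep only letters and digits, for loose comparison."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def name_matches_binary(name: str, cmd: str) -> bool:
    """Heuristic: does the Run value's display name resemble any file it starts?"""
    flat_name = _flat(name)
    tokens = [_flat(t) for t in name.split()]
    for stem in BINARY_RE.findall(cmd):
        stem = _flat(stem)
        if stem and (stem in flat_name or any(t and t in stem for t in tokens)):
            return True
    return False


def triage(log_text: str) -> List[Finding]:
    """Return the log entries that match one of the three checks."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        entry = ENTRY_RE.match(line)
        if not entry:
            continue
        code, body = entry.groups()

        if code == "F2" and "Shell=" in body:
            # The default XP shell value is just Explorer.exe; anything
            # listed after it is started at every logon.
            programs = body.split("Shell=", 1)[1].split()
            extra = [p for p in programs if p.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding(
                    code, "Shell also launches: " + ", ".join(extra), line))

        elif code == "O4":
            run = RUN_RE.match(body)
            if (run and "\\system32\\" in run["cmd"].lower()
                    and not name_matches_binary(run["name"], run["cmd"])):
                findings.append(Finding(
                    code,
                    "Run value '%s' does not match the system32 file it starts"
                    % run["name"],
                    line))

        elif code == "O7":
            policy = POLICY_RE.search(body)
            if policy:
                findings.append(Finding(
                    code, policy.group(1) + " policy is set", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n      %s" % (f.code, f.reason, f.line))
```

A hit is a reason to inspect the file (location, vendor, timestamps), not proof of infection; a legitimately disabled registry editor or an oddly named vendor binary will also be listed.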
Old 10-04-2009, 04:06 PM   #19 (permalink)
Call me D_J!
 
Disc_Junkie's Avatar
 
Join Date: Nov 2008
Location: INDIA
Posts: 866
Default Re: Task Manager>CPU Usage 100% all the time!

Quote:
Originally Posted by alexanderthegreat View Post
@Disc_Junkie, OFFTOPIC: Man, you speak of noob killer just like those hair growing/ height increasing ads. . No offence meant, mate!
lolwut?...........
__________________
ASUS K42JA-VX032D RAWKS !!!!!!:grin:
Disc_Junkie is offline  
Old 11-04-2009, 12:13 AM   #20 (permalink)
Legen-wait for it-dary!
 
dheeraj_kumar's Avatar
 
Join Date: Dec 2004
Location: Chennai
Posts: 2,471
Default Re: Task Manager>CPU Usage 100% all the time!

heh, i agree with alexie. disk junkie recommends noob killer for almost anything!!! last week someone asked for a good washing machine and i thought he was gonna recommend it there too!!!
__________________
If the Start Windows Restart when Windows starts check box is checked Windows Restart will start automatically every time Windows is started. - Actual excerpt from a windows program help file
dheeraj_kumar is offline  
Old 11-04-2009, 01:05 AM   #21 (permalink)
Broken In
 
mad_max's Avatar
 
Join Date: Jul 2008
Posts: 131
Default Re: Task Manager>CPU Usage 100% all the time!

Quote:
Originally Posted by alexanderthegreat View Post
@Disc_Junkie, OFFTOPIC: Man, you speak of noob killer just like those hair growing/ height increasing/floor cleaning/Impact Tool kit-like ads. . No offence meant, mate!
heh once you're hooked on to something its hard to resist promoting it
like i always go kaspersky or mbam when i get a virus related question lol

and for a antivirus,kaspersky 7 FTW,but yea i haven't to this date seen an antivirus which is effective at removing trojans from an infected system.market forces can be an ugly thing*sigh*
mad_max is offline  
Old 11-04-2009, 04:52 PM   #22 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

@Disc_Junkie

is this the right one ?
http://www.freewarefiles.com/Noob-Ki...ram_42299.html


@alexanderthegreat

my computer hangs everytime i click the little plus/arrow next to Administrative templates..





i found another tut on how to get rid of this virus
http://amiworks.co.in/talk/how-to-re...oruninf-virus/

but here too im at a loss coz my msconfig wont run!

Is there any way out for me ?!?!
boom2709 is offline  
Old 11-04-2009, 04:58 PM   #23 (permalink)
Excessive happiness
 
furious_gamer's Avatar
 
Join Date: Jun 2008
Location: Bangalore
Posts: 2,975
Default Re: Task Manager>CPU Usage 100% all the time!

Try KIS7...

Or try Avast and AVG and check whether they detect the virus. If they do so, then try to delete it or heal it. Whatever you want..

Or google hard to find any solution...

You had no options left again?
__________________
My First Android phone : Samsung Galaxy SL i9003 - Rooted & Gingerbread XXKPQ
Updated : superteekz_V2 ROM for XXKPQ.

PS Request
furious_gamer is offline  
Old 11-04-2009, 05:48 PM   #24 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

@alexanderthegreat

as u pointed out, there are two instances of regsvr.exe, would it help if i fixed one of them with hijack-this ??
if so, then which one should it be ?
boom2709 is offline  
Old 11-04-2009, 06:02 PM   #25 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

@Disc_Junkie

i installed the noob killer and ran the 8XKill thing, now im left with only one instance of regsvr.exe but everything else is the same..
my CPU usage is still 100%
msconfig or regedit wont run


Last edited by boom2709; 11-04-2009 at 06:09 PM.
boom2709 is offline  
Old 11-04-2009, 06:27 PM   #26 (permalink)
silentFOX
 
mittyr's Avatar
 
Join Date: Jun 2008
Posts: 113
Default Re: Task Manager>CPU Usage 100% all the time!

@boom2709

Get "Trojan Remover" with full updated pack (Trial version has full options) & do the boot-time scan.

Also, in Control Panel>Scheduled Tasks. Check if any entries are there & delete it before the boot-up.

This should help
mittyr is offline  
Old 11-04-2009, 07:11 PM   #27 (permalink)
S60 rocks
 
rajhot's Avatar
 
Join Date: Aug 2006
Location: bangalore
Posts: 316
Default Re: Task Manager>CPU Usage 100% all the time!

That "regsvr.exe" comes b'coz of virus(mostly thru USB). Try googling for the solution
-----------------------------------------
Posted again:
-----------------------------------------
http://www.file.net/process/regsvr.exe.html
-----------------------------------------
Posted again:
-----------------------------------------
http://techsalsa.com/steps-to-remove-regsvrexe-virus/
__________________
Proud Owner of N82! :cool:

Last edited by rajhot; 11-04-2009 at 07:17 PM. Reason: Automerged Doublepost
rajhot is offline  
Old 11-04-2009, 09:25 PM   #28 (permalink)
Overlord v2.0
 
alexanderthegreat's Avatar
 
Join Date: Dec 2006
Location: ICA Headquarters
Posts: 369
Default Re: Task Manager>CPU Usage 100% all the time!

@boom2709: Try doing what I said in Safe mode. If it still doesn't work or if the safe mode has been assassinated by the virus, proceed with the following:-
Step 1> Try running "msconfig.exe" and not just msconfig. doesn't work? move on!
Step 2> Try running msconfig.exe manually from X:\Windows\pchealth\helpctr\binaries\. Doesn't work? move on!
Step 3> Press [Windows]+R and type in "sfc /scannow" without the quotes. Windows will try to repair all system files and may ask you to enter the Windows CD. Pop it in if it does so. Wait till the PC is repaired. If nothing is repaired, go for an online scan!

One more thing, did you fix those two lines from Hijackthis???
__________________
The Only quote worth quoting: "E Loboa!!! What man???
Forum Rules:http://www.thinkdigit.com/forum/announcement.php?f=16&a=1

Disclaimer:No offence meant to ANYONE!
alexanderthegreat is offline  
Old 12-04-2009, 01:58 AM   #29 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

@rajhot

u wont believe this, my comp has acquired some kinda AI, when ever i open any web page that offers any kinda on-line scan to remove this virus my browser immediately crashes! and it never crashes otherwise and i've tried this with chrome,firefox and IE.

samething happens when i open this link -> Identify regsvr.exe related errors
on this web page -> http://www.file.net/process/regsvr.exe.html
boom2709 is offline  
Old 12-04-2009, 02:24 AM   #30 (permalink)
Tich tor ang tesmur
 
Join Date: Mar 2008
Location: Pune
Posts: 85
Default Re: Task Manager>CPU Usage 100% all the time!

@mittyr

i tried trojan remover, i believe the problem is fixed!

the CPU usage is down
msconfig is working

heres the scan log..


***** THE SYSTEM HAS BEEN RESTARTED *****
4/12/2009 2:20:19 AM: Trojan Remover has been restarted
=======================================================
Deleting the following registry value(s):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[Msn Messsenger] - already deleted
=======================================================
4/12/2009 2:20:19 AM: Trojan Remover closed
************************************************************


***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.7.6.2565. For information, email support@simplysup.com
[Unregistered version]
Scan started at: 2:16:16 AM 12 Apr 2009
Using Database v7291
Operating System: Windows XP Professional (SP3) [Build: 5.1.2600]
File System: NTFS
UserData directory: C:\Documents and Settings\Shantanu\Application Data\Simply Super Software\Trojan Remover\
Database directory: C:\Program Files\Trojan Remover\
Logfile directory: C:\Documents and Settings\Shantanu\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

************************************************************
The following Anti-Malware program(s) are loaded:
ESET NOD32 Antivirus

************************************************************


************************************************************
2:16:16 AM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.

************************************************************
2:16:16 AM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Key value: [Explorer.exe regsvr.exe]
File: Explorer.exe
C:\WINDOWS\Explorer.exe
1033728 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
----------
File: regsvr.exe
C:\WINDOWS\system32\regsvr.exe
-RHS- 1078945 bytes
Created: 4/7/2009 11:53 AM
Modified: 11/27/2008 8:21 PM
Company: [no info]
C:\WINDOWS\system32\regsvr.exe - running process located and terminated
C:\WINDOWS\system32\regsvr.exe - READ-ONLY, HIDDEN and SYSTEM file attributes removed
regsvr.exe - file renamed to: regsvr.exe.vir
----------
This key's "Userinit" value calls the following program(s):
Key value: [C:\WINDOWS\system32\userinit.exe,]
File: C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\userinit.exe
26112 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
Key value: [logonui.exe]
File: logonui.exe
C:\WINDOWS\system32\logonui.exe
514560 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
----------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name: load
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value Name: egui
Value Data: "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
2021400 bytes
Created: 2/6/2009 2:23 PM
Modified: 2/6/2009 2:23 PM
Company: ESET
--------------------
Value Name: NvCplDaemon
Value Data: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
C:\WINDOWS\system32\NvCpl.dll
-R- 3756032 bytes
Created: 4/7/2009 11:49 AM
Modified: 4/23/2004 9:54 AM
Company: NVIDIA Corporation
--------------------
Value Name: UnlockerAssistant
Value Data: "C:\Program Files\Unlocker\UnlockerAssistant.exe"
C:\Program Files\Unlocker\UnlockerAssistant.exe
15872 bytes
Created: 5/2/2008 9:45 AM
Modified: 5/2/2008 9:45 AM
Company: [no info]
--------------------
Value Name: TrojanScanner
Value Data: C:\Program Files\Trojan Remover\Trjscan.exe /boot
C:\Program Files\Trojan Remover\Trjscan.exe
1211784 bytes
Created: 4/12/2009 2:09 AM
Modified: 2/21/2009 6:30 PM
Company: Simply Super Software
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value Name: uTorrent
Value Data: "C:\Program Files\uTorrent\uTorrent.exe"
C:\Program Files\uTorrent\uTorrent.exe
281904 bytes
Created: 4/7/2009 12:20 PM
Modified: 4/9/2009 10:58 AM
Company: BitTorrent, Inc.
--------------------
Value Name: Msn Messsenger
Value Data: C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\regsvr.exe - this registry value has been removed [file not found to scan]
--------------------

************************************************************
2:18:38 AM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

************************************************************
2:18:38 AM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

************************************************************
2:18:38 AM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver: C:\WINDOWS\System32\logon.scr
C:\WINDOWS\System32\logon.scr
220672 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------

************************************************************
2:18:38 AM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----

************************************************************
2:18:38 AM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Key: HidServ
%SystemRoot%\System32\hidserv.dll - file is globally excluded (file cannot be found)
--------------------

************************************************************
2:18:39 AM: Scanning ----- SERVICES REGISTRY KEYS -----
Key: .EsetTrialReset
ImagePath: C:\WINDOWS\system32\regedt32.exe /s C:\WINDOWS\esettrialreset.reg
C:\WINDOWS\system32\regedt32.exe
3584 bytes
Created: 8/23/2001 4:30 PM
Modified: 8/23/2001 4:30 PM
Company: Microsoft Corporation
----------
Key: AN983
ImagePath: system32\DRIVERS\AN983.sys
C:\WINDOWS\system32\DRIVERS\AN983.sys
36224 bytes
Created: 4/7/2009 5:01 PM
Modified: 4/14/2008 3:35 AM
Company: ADMtek Incorporated.
----------
Key: AsIO
ImagePath: system32\drivers\AsIO.sys
C:\WINDOWS\system32\drivers\AsIO.sys
12400 bytes
Created: 4/7/2009 11:52 AM
Modified: 12/17/2007 5:14 PM
Company: [no info]
----------
Key: AtcL002
ImagePath: system32\DRIVERS\l251x86.sys
C:\WINDOWS\system32\DRIVERS\l251x86.sys
30720 bytes
Created: 4/7/2009 11:03 AM
Modified: 10/17/2007 8:12 PM
Company: Atheros Communications, Inc.
----------
Key: d347bus
ImagePath: system32\DRIVERS\d347bus.sys
C:\WINDOWS\system32\DRIVERS\d347bus.sys
155136 bytes
Created: 4/7/2009 12:19 PM
Modified: 8/22/2004 4:31 PM
Company:
----------
Key: d347prt
ImagePath: System32\Drivers\d347prt.sys
C:\WINDOWS\System32\Drivers\d347prt.sys
5248 bytes
Created: 4/7/2009 12:19 PM
Modified: 8/22/2004 4:31 PM
Company:
----------
Key: eamon
ImagePath: system32\DRIVERS\eamon.sys
C:\WINDOWS\system32\DRIVERS\eamon.sys
113448 bytes
Created: 2/6/2009 2:19 PM
Modified: 2/6/2009 2:19 PM
Company: ESET
----------
Key: ehdrv
ImagePath: system32\DRIVERS\ehdrv.sys
C:\WINDOWS\system32\DRIVERS\ehdrv.sys
106208 bytes
Created: 2/6/2009 2:23 PM
Modified: 2/6/2009 2:23 PM
Company: ESET
----------
Key: EhttpSrv
ImagePath: "C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"
C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
20680 bytes
Created: 2/6/2009 2:27 PM
Modified: 2/6/2009 2:27 PM
Company: ESET
----------
Key: ekrn
ImagePath: "C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
727720 bytes
Created: 2/6/2009 2:23 PM
Modified: 2/6/2009 2:23 PM
Company: ESET
----------
Key: epfwtdir
ImagePath: system32\DRIVERS\epfwtdir.sys
C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
93336 bytes
Created: 2/6/2009 2:24 PM
Modified: 2/6/2009 2:24 PM
Company: ESET
----------
Key: MTsensor
ImagePath: system32\DRIVERS\ASACPI.sys
C:\WINDOWS\system32\DRIVERS\ASACPI.sys
5810 bytes
Created: 4/7/2009 11:03 AM
Modified: 8/13/2004 10:56 AM
Company:
----------
Key: nvcap
ImagePath: system32\DRIVERS\nvcap.sys
C:\WINDOWS\system32\DRIVERS\nvcap.sys
120780 bytes
Created: 4/7/2009 11:50 AM
Modified: 4/9/2003 2:17 PM
Company: NVIDIA Corporation
----------
Key: nvTUNEP
ImagePath: system32\DRIVERS\nvtunep.sys
C:\WINDOWS\system32\DRIVERS\nvtunep.sys
20480 bytes
Created: 4/7/2009 11:50 AM
Modified: 4/9/2003 2:17 PM
Company: NVIDIA Corporation
----------
Key: nvtvSND
ImagePath: system32\DRIVERS\nvtvsnd.sys
C:\WINDOWS\system32\DRIVERS\nvtvsnd.sys
20224 bytes
Created: 4/7/2009 11:50 AM
Modified: 4/9/2003 2:17 PM
Company: NVIDIA Corporation
----------
Key: NVXBAR
ImagePath: system32\DRIVERS\NVxbar.sys
C:\WINDOWS\system32\DRIVERS\NVxbar.sys
13070 bytes
Created: 4/7/2009 11:50 AM
Modified: 4/9/2003 2:17 PM
Company: NVIDIA Corporation
----------
Key: sr
ImagePath: \SystemRoot\system32\DRIVERS\sr.sys
C:\WINDOWS\system32\DRIVERS\sr.sys
73472 bytes
Created: 4/7/2009 11:36 AM
Modified: 4/14/2008 4:36 AM
Company: Microsoft Corporation
----------
Key: SwPrv
ImagePath: C:\WINDOWS\system32\dllhost.exe /Processid:{7FF81429-F5E5-4E50-8F94-7DA1CF4CCCA0}
C:\WINDOWS\system32\dllhost.exe
5120 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
----------
Key: UnlockerDriver5
ImagePath: \??\C:\Program Files\Unlocker\UnlockerDriver5.sys
C:\Program Files\Unlocker\UnlockerDriver5.sys
4096 bytes
Created: 5/2/2008 9:45 AM
Modified: 5/2/2008 9:45 AM
Company: [no info]
----------

************************************************************
2:18:43 AM: Scanning -----VXD ENTRIES-----

************************************************************
2:18:43 AM: Scanning ----- WINLOGON\NOTIFY DLLS -----

************************************************************
2:18:43 AM: Scanning ----- CONTEXTMENUHANDLERS -----
Key: ESET Smart Security - Context Menu Shell Extension
CLSID: {B089FE88-FB52-11D3-BDF1-0050DA34150D}
Path: C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
183880 bytes
Created: 2/6/2009 2:28 PM
Modified: 2/6/2009 2:28 PM
Company: ESET
----------

************************************************************
2:18:43 AM: Scanning ----- FOLDER\COLUMNHANDLERS -----

************************************************************
2:18:43 AM: Scanning ----- BROWSER HELPER OBJECTS -----
Key: {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
BHO: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
75128 bytes
Created: 6/11/2008 10:33 PM
Modified: 6/11/2008 10:33 PM
Company: Adobe Systems Incorporated
----------
Key: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}
BHO: C:\Program Files\FlashGet\jccatch.dll
C:\Program Files\FlashGet\jccatch.dll
94308 bytes
Created: 8/6/2007 2:41 PM
Modified: 8/6/2007 2:41 PM
Company: www.flashget.com
----------
Key: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
BHO: C:\Program Files\Java\jre6\bin\ssv.dll
C:\Program Files\Java\jre6\bin\ssv.dll
320920 bytes
Created: 4/7/2009 12:54 PM
Modified: 4/7/2009 12:54 PM
Company: Sun Microsystems, Inc.
----------
Key: {DBC80044-A445-435b-BC74-9C25C1C588A9}
BHO: C:\Program Files\Java\jre6\bin\jp2ssv.dll
C:\Program Files\Java\jre6\bin\jp2ssv.dll
34816 bytes
Created: 4/7/2009 12:54 PM
Modified: 4/7/2009 12:54 PM
Company: Sun Microsystems, Inc.
----------
Key: {F156768E-81EF-470C-9057-481BA8380DBA}
BHO: C:\Program Files\FlashGet\getflash.dll
C:\Program Files\FlashGet\getflash.dll
163840 bytes
Created: 5/18/2007 9:43 PM
Modified: 5/18/2007 9:43 PM
Company: www.flashget.com
----------

************************************************************
2:18:43 AM: Scanning ----- SHELLSERVICEOBJECTS -----

************************************************************
2:18:43 AM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----

************************************************************
2:18:43 AM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

************************************************************
2:18:43 AM: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank or does not exist

************************************************************
2:18:44 AM: Scanning ----- SECURITY PROVIDER DLLS -----

************************************************************
2:18:44 AM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
-HS- 84 bytes
Created: 4/7/2009 4:58 PM
Modified: 4/7/2009 11:39 AM
Company: [no info]
--------------------

************************************************************
2:18:44 AM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for: Shantanu
[C:\Documents and Settings\Shantanu\START MENU\PROGRAMS\STARTUP]
The Startup Group for Shantanu attempts to load the following file(s):
C:\Documents and Settings\Shantanu\START MENU\PROGRAMS\STARTUP\desktop.ini
-HS- 84 bytes
Created: 4/7/2009 11:44 AM
Modified: 4/7/2009 11:39 AM
Company: [no info]
----------

************************************************************
2:18:44 AM: Scanning ----- SCHEDULED TASKS -----
Taskname: GoogleUpdateTaskUserS-1-5-21-1123561945-115176313-1644491937-1003.job
File: C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
133104 bytes
Created: 4/7/2009 1:14 PM
Modified: 4/7/2009 1:14 PM
Company: Google Inc.
Parameters: /c
Next Run Time: Never
Status: The task is currently running
Creator: Shantanu
Comments: Keeps your Google software up to date. If this task is disabled or stopped, your Google software will not be kept up to date, meaning security vulnerabilities that may arise cannot be fixed and features may not work. This task uninstalls itself when there is no Google software using it.
----------

************************************************************
2:18:44 AM: Scanning ----- SHELLICONOVERLAYIDENTIFIERS -----

************************************************************
2:18:44 AM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------
Layered Service Provider entries checks completed
----------
==============================
Restrictive Windows Explorer Policies found in force on this computer:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Value: DisableRegistryTools
All Policy Values listed have been removed or reset
==============================
Windows Explorer Policies checks completed
----------
Desktop Wallpaper: C:\Documents and Settings\Shantanu\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
5760054 bytes
Created: 4/7/2009 12:08 PM
Modified: 4/7/2009 4:02 PM
Company: [no info]
----------
Web Desktop Wallpaper: %USERPROFILE%\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
5760054 bytes
Created: 4/7/2009 12:08 PM
Modified: 4/7/2009 4:02 PM
Company: [no info]
----------
DNS Server information:
Interface: ADMtek AN983 10/100 PCI Adapter
NameServers: 59.144.127.16,59.144.127.17
Checks for rogue DNS NameServers completed
----------
----------
Additional checks completed

************************************************************
2:18:58 AM: Scanning ----- RUNNING PROCESSES -----

C:\WINDOWS\System32\smss.exe
50688 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\csrss.exe
6144 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\winlogon.exe
507904 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\services.exe
108544 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\lsass.exe
13312 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe
14336 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\spoolsv.exe
57856 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe - file already scanned
--------------------
C:\Program Files\Unlocker\UnlockerAssistant.exe - file already scanned
--------------------
C:\Program Files\uTorrent\uTorrent.exe - file already scanned
--------------------
C:\WINDOWS\system32\nvsvc32.exe
-R- 114755 bytes
Created: 4/7/2009 11:49 AM
Modified: 4/23/2004 9:54 AM
Company: NVIDIA Corporation
--------------------
C:\WINDOWS\System32\alg.exe
44544 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------
C:\WINDOWS\System32\svchost.exe - file already scanned
--------------------
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe - file already scanned
--------------------
C:\WINDOWS\system32\svchost.exe - file already scanned
--------------------
C:\WINDOWS\system32\DllHost.exe
5120 bytes
Created: 4/14/2008 10:12 AM
Modified: 4/14/2008 10:12 AM
Company: Microsoft Corporation
--------------------
C:\Documents and Settings\Shantanu\Local Settings\Application Data\Google\Update\GoogleUpdate.exe - file already scanned
--------------------
C:\WINDOWS\explorer.exe - file already scanned
--------------------
C:\Documents and Settings\Shantanu\Application Data\Simply Super Software\Trojan Remover\xurB61.exe
FileSize: 2933624
[This is a Trojan Remover component]
--------------------

************************************************************
2:19:00 AM: Checking HOSTS file
No malicious entries were found in the HOSTS file

************************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKLM\Software\Microsoft\Internet Explorer\Main\"Start Page":
about:blank
HKLM\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKLM\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
HKLM\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKLM\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Start Page":
about:blank
HKCU\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKCU\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir...ie&ar=iesearch

************************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
=== ONE OR MORE FILES WERE RENAMED OR REMOVED ===
Scan completed at: 2:19:00 AM 12 Apr 2009
Total Scan time: 00:02:44
-------------------------------------------------------------------------
One or more files could not be moved or renamed as requested.
They may be in use by Windows, so Trojan Remover needs
to restart the system in order to deal with these files.
4/12/2009 2:19:06 AM: restart commenced
************************************************************




thanks a lot all u guys..
All times are GMT +5.5.