Old 10-03-2006, 03:57 PM   #5 (permalink)
jadsim


Here is the new ComboFix log. The ewido and Panda logs are in my previous post, between the ComboFix and HijackThis logs.

Cingle - 06-10-03 15:45:02.84 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Cingle\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


2006-10-02 20:50 45,525 --a------ C:\WINDOWS\system32\ddxsiaox.dll
2006-09-30 23:34 45,525 --a------ C:\WINDOWS\system32\kgrsiwej.dll
2006-09-30 18:49 1,094,605 ---hs---- C:\WINDOWS\system32\nmllm.ini2
2006-09-30 18:19 86,068 --a------ C:\WINDOWS\system32\natibgtk.dll
2006-09-30 18:19 45,525 --a------ C:\WINDOWS\system32\reoqkche.dll
2006-09-30 15:17 <DIR> d-------- C:\WINDOWS\McAfee.com


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-03 08:52 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-02 21:12 -------- d-------- C:\Program Files\QuickTime
2006-10-02 21:11 -------- d-------- C:\Program Files\Norton Internet Security
2006-10-02 21:08 -------- d-------- C:\Program Files\Internet Explorer
2006-10-02 21:06 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-02 21:06 -------- d-------- C:\Program Files\DISC
2006-10-02 21:05 -------- d-a------ C:\Program Files\Common Files\LightScribe
2006-10-02 20:50 1098143 ---hs---- C:\WINDOWS\system32\nmllm.bak2
2006-10-02 20:50 -------- d-------- C:\Program Files\Common Files
2006-10-01 12:27 -------- d-------- C:\Program Files\CleanUp!
2006-10-01 11:44 -------- d-------- C:\Program Files\Virtools Web Player 3.5
2006-09-30 18:58 -------- d-------- C:\Program Files\VSToolbar
2006-09-28 17:08 -------- d-------- C:\Program Files\Common Files\Designer
2006-09-28 17:07 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-28 17:06 -------- d-------- C:\Program Files\Microsoft Office
2006-09-28 17:06 -------- d-------- C:\Program Files\microsoft frontpage
2006-09-28 17:06 -------- d-------- C:\Documents and Settings\Cingle\Application Data\Microsoft Web Folders
2006-09-28 16:59 -------- d-------- C:\Program Files\Common Files\System
2006-09-09 13:42 -------- d-------- C:\Documents and Settings\Cingle\Application Data\Adobe
2006-09-07 20:45 -------- d-------- C:\Program Files\TruePoker
2006-08-28 20:05 -------- d-------- C:\Program Files\Disney Interactive
2006-08-26 14:12 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-26 14:05 -------- d-------- C:\Program Files\Creative
2006-08-23 20:41 -------- d-------- C:\Program Files\PCPitstop
2006-08-21 06:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 03:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 03:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-14 09:40 -------- d-------- C:\Documents and Settings\Cingle\Application Data\AdobeUM
2006-08-08 20:21 -------- d-------- C:\Documents and Settings\Cingle\Application Data\muvee Technologies
2006-07-27 07:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 02:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-20 16:33 136 --a------ C:\Documents and Settings\Cingle\Application Data\wklnhst.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"HPBootOp"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"PCDrProfiler"=""
"HPHUPD08"="c:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPwuSchd2.exe"
"DiscUpdateManager"="C:\\Program Files\\DISC\\DiscUpdateMgr.exe"
"DISCover"="C:\\Program Files\\DISC\\DISCover.exe"
"AlwaysReady Power Message APP"="ARPWRMSG.EXE"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mllmn

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061001-114455-263
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/bej...ploader_v6.cab
backup-20061001-114454-750
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
backup-20061001-114453-237
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
backup-20061001-114453-568
O15 - Trusted IP range: http://85.12.25.95
backup-20061001-114453-369
O15 - Trusted IP range: http://85.12.25.90
backup-20061001-114453-915
O15 - Trusted IP range: http://82.98.235.58
backup-20061001-114453-279
O15 - Trusted IP range: http://62.4.84.53
backup-20061001-114453-946
O15 - Trusted IP range: http://59.148.220.121
backup-20061001-114453-127
O4 - HKLM\..\Run: [NI.USYP_0001_N85M2606] "C:\WINDOWS\Downloaded Program Files\USYP_0001_N85M2606NetInstaller.exe" -nag
backup-20061001-114453-166
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
backup-20060913-221045-407
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\system32\mllmn.dll
backup-20060913-220941-447
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - C:\WINDOWS\system32\mllmn.dll
backup-20060911-202233-220
O15 - Trusted Zone: http://www.winantivirus.com
backup-20060911-202233-898
O15 - Trusted Zone: http://www.winantiviruspro.com
backup-20060911-202233-721
O15 - Trusted Zone: http://download.cdn.winsoftware.com
backup-20060911-202233-988
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
backup-20060911-202233-971
O15 - Trusted Zone: http://*.systemdoctor.com
backup-20060911-202233-585
O15 - Trusted Zone: http://scanner.sysprotect.com

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1144627571.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - Cingle.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Warranty Reminder 11 Months.job
C:\WINDOWS\tasks\WebReg HP psc 1200 Series.job
C:\WINDOWS\tasks\XoftSpy.job

Completion time: 03/10/2006 15:49:33.25
ComboFix.txt