04-30-2007, 05:27 PM   #9
TheBruce1
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: Help!! CPU running slow, yellow triangle w/ exclamation pt and constant pop-ups

Hello again

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.
--------------------------------------------------------------------------------------------

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding.

---------------------------------------------------------------------------------------------
Please download the Suspicious File Packer http://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of bad files into the Suspicious File Packer window:

C:\WINDOWS\system32\mmhgssdc.exe
C:\WINDOWS\system32\ceofmyyt.exe
C:\WINDOWS\system32\jwrvpfsk.exe
C:\WINDOWS\system32\vgqvkxjj.exe
C:\WINDOWS\system32\ctgidxii.exe
C:\WINDOWS\system32\gdgawoss.exe
C:\WINDOWS\system32\nfwjbqfj.exe
C:\WINDOWS\retadpu2000340.exe
C:\WINDOWS\system32\iwkhtqfn.exe
C:\WINDOWS\system32\jbwwgvfq.exe
C:\WINDOWS\system32\glcpyjca.exe
C:\WINDOWS\system32\uxeynipk.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ddcyy.dll
c:\windows\fonts\pcreg.dll
C:\WINDOWS\system32\rsnujvrb.exe


Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.
---------------------------------------------------------------------------------------------

I see you have Ewido anti-spyware 4.0 installed. Ewido has recently been purchased by Grisoft, makers of AVG Antivirus, and the program is now known as AVG Anti-Spyware. It is essentially the same program with a new paintjob; Ewido currently can still be updated to the newest definitions, but this support will likely not last forever. I recommend you uninstall Ewido 4.0, restart your system, then download and install AVG Anti-Spyware. Update its definitions as directed below, and run a scan where I have it placed in this fix.

--------------------------------------------------------------------------------------------------

Downloads

Download AVG Anti-Spyware from HERE
  • Install AVG Anti-Spyware
  • Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.


Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click smitfraudfix.exe to start the tool.
Select option #1 - Search by typing 1 and press "Enter"
and a text file will appear which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!
-------------------------------------------------------------------------------------------------

Spywareguard

Please disable Spywareguard, as it may hinder the removal of some entries. You can re-enable it after you're clean.
  • Right click the running icon of Spywareguard located in the system tray
  • Go to Menu > File > Exit and confirm the programs close.

-------------------------------------------------------------------------------------------------------
Run Combofix

Go to <<Start>> then <<Run>> then paste in the single line command then click OK

"%userprofile%\desktop\combofix.exe" /v pmkjj ddcyy jwrvpfsk uxeynipk jkhhg user_32 WER8274 MSIXU

When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

-------------------------------------------------------------------------------------------------------------
Safe mode

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

-------------------------------------------------------------------------------------------------------------

Safe Mode scans & fixes


Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (If they still exist, make sure you do not miss any)

O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {0CD71CA8-C5A8-4C77-9CB0-106EC6AD70B1} - C:\WINDOWS\system32\ddcyy.dll
O2 - BHO: PsapiAnalyzer Object - {125399A6-E13D-42CE-A021-7F9069A79440} - c:\windows\fonts\pcreg.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2dace2d-f27f-4591-97be-10c379cef2e6} - C:\WINDOWS\system32\lprcmd.dll (file missing)
O2 - BHO: (no name) - {C3F16958-9601-43E3-AC3C-6E89762079Ec} - C:\WINDOWS\system32\lbymhjxa.dll (file missing)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\qbyprbfn.dll (file missing)
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uxeynipk.dll",realset
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll
O20 - Winlogon Notify: lprcmd - lprcmd.dll (file missing)
O20 - Winlogon Notify: pcreg - c:\windows\fonts\pcreg.dll


Please remember to close all other windows, including browsers then click Fix checked.

----------------------------------------------------------------------------------------------------------------------

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\rsnujvrb.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\system32\idleserv.exe
C:\WINDOWS\system32\glcpyjca.exe
C:\WINDOWS\system32\jbwwgvfq.exe
C:\WINDOWS\system32\iwkhtqfn.exe
C:\WINDOWS\retadpu2000340.exe
C:\WINDOWS\system32\nfwjbqfj.exe
C:\WINDOWS\system32\gdgawoss.exe
C:\WINDOWS\system32\ctgidxii.exe
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak2
C:\WINDOWS\system32\vgqvkxjj.exe
C:\WINDOWS\system32\jwrvpfsk.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\sysrlb32.exe
C:\WINDOWS\system32\ceofmyyt.exe
C:\WINDOWS\system32\mmhgssdc.exe
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\SUSP.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\7search.dll
C:\WINDOWS\764.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\voiceip.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\1.exe
C:\WINDOWS\checkip.dat
C:\WINDOWS\b122.exe
c:\windows\fonts\pcreg.dll


-----------------------------------------------------------------------------------------------------------------------

Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).
Close AVG Anti-Spyware and Reboot in Normal Mode.

-------------------------------------------------------------------------------------------------------------------------

Reboot into normal mode

-------------------------------------------------------------------------------------------------------------------------
Online Scan

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report into your next reply.

-----------------------------------------------------------------------------------------------------------------------------
Free Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm

Please install One of the above as it will give you greater protection than Windows Firewall.

---------------------------------------------------------------------------------------------------------------------------------

Please run Deckard System Scanner again.

------------------------------------------------------------------------------------------------------------------------------
Logs Required
C:\Combofix.txt
C:\rapport.txt
Avg scan report
Panda scan report
C:\Deckard\System Scanner\main.txt


Let me know how your system is behaving, thanks.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
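
A defender's way of working through a HijackThis fix list like the one in this reply, added here as an illustration; it is not part of the original post and is not a tool from any of the programs the post names. It parses the O2/O4/O16/O20 lines quoted above (other HJT sections are not modelled), uses HJT's own "(no file)" / "(file missing)" markers to separate dead registry entries from entries that still load a file on disk, and then checks those live files against the Suspicious File Packer list so that a copy of each is preserved for analysis before any step deletes it. All input is constructed from the lists in the post; the assumed helper names (`parse_hjt`, `live_paths`, `unsubmitted_live_paths`) and the `Entry` record are this example's own.

```python
# Added example (not from the post): parse the HijackThis entries quoted above,
# split orphaned registry entries from those still loading a file on disk, and
# check those files against the Suspicious File Packer (SFP) list.
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the post: the entries the helper asked to be fixed in HJT.
HJT_LINES = r"""
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {0CD71CA8-C5A8-4C77-9CB0-106EC6AD70B1} - C:\WINDOWS\system32\ddcyy.dll
O2 - BHO: PsapiAnalyzer Object - {125399A6-E13D-42CE-A021-7F9069A79440} - c:\windows\fonts\pcreg.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2dace2d-f27f-4591-97be-10c379cef2e6} - C:\WINDOWS\system32\lprcmd.dll (file missing)
O2 - BHO: (no name) - {C3F16958-9601-43E3-AC3C-6E89762079Ec} - C:\WINDOWS\system32\lbymhjxa.dll (file missing)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\qbyprbfn.dll (file missing)
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\uxeynipk.dll",realset
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll
O20 - Winlogon Notify: lprcmd - lprcmd.dll (file missing)
O20 - Winlogon Notify: pcreg - c:\windows\fonts\pcreg.dll
"""
# Constructed from the post: the files the helper asked to be packed with SFP.
SFP_FILES = r"""
C:\WINDOWS\system32\mmhgssdc.exe
C:\WINDOWS\system32\ceofmyyt.exe
C:\WINDOWS\system32\jwrvpfsk.exe
C:\WINDOWS\system32\vgqvkxjj.exe
C:\WINDOWS\system32\ctgidxii.exe
C:\WINDOWS\system32\gdgawoss.exe
C:\WINDOWS\system32\nfwjbqfj.exe
C:\WINDOWS\retadpu2000340.exe
C:\WINDOWS\system32\iwkhtqfn.exe
C:\WINDOWS\system32\jbwwgvfq.exe
C:\WINDOWS\system32\glcpyjca.exe
C:\WINDOWS\system32\uxeynipk.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ddcyy.dll
c:\windows\fonts\pcreg.dll
C:\WINDOWS\system32\rsnujvrb.exe
"""
_RULES = [  # (pattern, kind); each pattern captures what the entry loads as "target"
    (re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"), "BHO"),
    (re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"), "Run"),
    (re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]{36})\} \((?P<name>.*?)\) - (?P<target>\S+)$"), "DPF"),
    (re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$"), "Winlogon Notify"),
    (re.compile(r"^O20 - AppInit_DLLs:\s*(?P<target>.*)$"), "AppInit_DLLs"),
]
_PATH = re.compile(r'"([^"]+)"|([A-Za-z]:\\[^\s",]+)')  # quoted or bare drive path

@dataclass
class Entry:
    section: str          # O2, O4, O16, O20
    kind: str             # BHO, Run, DPF, Winlogon Notify, AppInit_DLLs
    name: str
    clsid: Optional[str]
    path: Optional[str]   # file the entry still references, if any
    orphan: bool          # registry entry whose file HJT reports as gone

def _classify(target: str):
    """Return (path, orphan) for the part of an HJT line after its last ' - '."""
    t = target.strip()
    if t == "(no file)" or t.endswith("(file missing)"):
        return None, True
    m = _PATH.search(t)
    return ((m.group(1) or m.group(2)) if m else None), False

def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        for rx, kind in _RULES:
            m = rx.match(line)
            if not m:
                continue
            g = m.groupdict()
            if "key" in g:  # O4: name the entry after its Run key
                kind = g["key"].rsplit("\\", 1)[-1]
            path, orphan = _classify(g["target"])
            entries.append(Entry(line.split(" ", 1)[0], kind, g.get("name", ""),
                                 g.get("clsid"), path, orphan))
            break
    return entries

def live_paths(entries: List[Entry]) -> List[str]:
    """Files an autostart entry still references, lower-cased for comparison."""
    return sorted({e.path.lower() for e in entries if e.path})

def unsubmitted_live_paths(entries: List[Entry], sfp_text: str) -> List[str]:
    """Live targets missing from the SFP list, i.e. no copy is preserved before deletion."""
    packed = {p.strip().lower() for p in sfp_text.splitlines() if p.strip()}
    return [p for p in live_paths(entries) if p not in packed]

if __name__ == "__main__":
    ents = parse_hjt(HJT_LINES)
    print(f"{len(ents)} entries, {sum(e.orphan for e in ents)} orphaned, live files: {live_paths(ents)}")
    for p in unsubmitted_live_paths(ents, SFP_FILES):
        print("referenced by an autostart entry but not in the SFP list:", p)
```

Run against the post's own lists, the parser finds 24 entries, 16 of them orphaned (dead BHO and Winlogon Notify keys that Fix checked simply removes), and four DLLs that are still loaded at startup: ddcyy.dll, pcreg.dll, uxeynipk.dll and msnhlp32.dll. The cross-check reports msnhlp32.dll as the one live BHO that is on the HJT fix list but not on the SFP submission list, which is exactly the kind of gap to close before the Safe Mode deletions run, since the sample is gone once the fix is applied.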