explorer.exe taking CPU usage to 100%

Discussion in 'adware, spyware & hijack cleaning' started by Ha3el, Mar 9, 2004.

Thread Status:
Not open for further replies.
  1. Ha3el

    Ha3el Registered Member

    Joined: Mar 9, 2004
    Posts: 6
    Location: Sheffield
    Hi, I am having this problem as of last few days. As soon as I start up, my CPU usage shoots up to 100% and it's explorer.exe using it. This obviously causes system to be sooo slow that I can't do anything and several things either fail to load at all or it crashes before I can get to something. Also whenever I put mouse over taskbar timer appears so I can't get thru start menu, only way I can get to anything is thru items saved on desktop (if 'puter don't crash first!). However it seems to run OK if in Safe Mode.

    I have tried several diff progs to find viruses/spyware etc. which may be causing it but nothing has helped and I'm really frustrated! I have run Norton AV 2004, Spybot S&D, Spykiller, PC Doctor Oncall, Webroot Spysweeper, HijackThis, and have also scanned computer online at housecall.antivirus.com. I have even tried uninstalling ZoneLabs Zone Alarm after reading that some people had similar sorts of probs caused by that, but not helped.

    I have also tried a Symantec removal tool for MyDoom virus in case that was the cause (disabling system restore first). This seemed to solve the prob, restoring my taskbar and systray icons etc. but then Task Manager shows that it's the MyDoom fix using all CPU instead. When restart problem is back to beginning again. After running another tool it said I didn't have MyDoom virus, but strange that it had this effect?

    When running HijackThis (v1.97.7) my logfile showed some things that shouldn't be there. I deleted all the O2s and O10s as instructed by a post on another forum but this has not worked and am still having the prob.

    The info I found was here: www.computercops.biz/modules.php?name=Forums&file=viewtopic&p=91900 which instructs you among other things to check in C:\windows\system32 to find whether you have msg118.dll or msguard.dll and provides a link to something called 118kill if they are present. Unfortunately this obviously isn't the cause of my probs as these files are not in my sys32.

    Are there any other avenues anyone could suggest?

    Here is logfile which was run while computer in normal mode.

    Logfile of HijackThis v1.97.7
    Scan saved at 09:50:25, on 09/03/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Documents and Settings\Administrator\Desktop\FxMydoom.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\System32\dumprep.exe
    C:\WINDOWS\System32\dwwin.exe
    C:\Documents and settings\Administrator\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38017.2502777778
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FDD5D4C-D747-422F-BC1A-2417E6C2A010}: NameServer = 192.168.0.1

    Please please please help before I go insane!
    :'( o_O

    Thanx,
    Hazel
     
  2. Shadowwar

    Shadowwar Spyware Expert

    Joined: Feb 26, 2004
    Posts: 305
    OK, it's strange that the FxMydoom is still running. Can you Ctrl+Alt+Del and end it in Task Manager? Reboot and post a new HijackThis log.
    You did download this directly from Symantec, correct?
     
  3. Ha3el

    Hi, thanks for reply. I couldn't end process as wouldn't let me and was running at 99%. I have restarted now and here is my new log:


    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38017.2502777778
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6FDD5D4C-D747-422F-BC1A-2417E6C2A010}: NameServer = 192.168.0.1
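
Comparing the two scans posted above by hand is error-prone, so here is an added example (not part of the original thread, and not HijackThis's own code) that parses two HijackThis logs and reports which running processes and registry entries disappeared or appeared between them. The sample logs are constructed in the thread's format, and the O2 CLSID and DLL path in them are placeholders.

```python
import re

# A HijackThis entry is "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [x] path".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_hjt(text):
    """Return (running process paths, [(code, detail), ...]) from one log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
        elif entries and line and entries[-1][1].endswith(("-", "=")):
            # Forum software hard-wrapped the entry; rejoin the continuation.
            entries[-1] = (entries[-1][0], entries[-1][1] + " " + line)
    return processes, entries

def diff_logs(before, after):
    """What disappeared or appeared between two scans of the same machine."""
    (p1, e1), (p2, e2) = parse_hjt(before), parse_hjt(after)
    # Windows paths are case-insensitive, so compare on the lowercased path.
    k1, k2 = {p.lower(): p for p in p1}, {p.lower(): p for p in p2}
    return {
        "procs_gone": sorted(k1[k] for k in k1.keys() - k2.keys()),
        "procs_new": sorted(k2[k] for k in k2.keys() - k1.keys()),
        "entries_gone": sorted(set(e1) - set(e2)),
        "entries_new": sorted(set(e2) - set(e1)),
    }

# Constructed sample logs; the O2 CLSID and DLL path are placeholders.
BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\FxMydoom.exe
C:\Documents and settings\Administrator\Desktop\HijackThis.exe

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\example\placeholder.dll
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""
AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""

if __name__ == "__main__":
    for key, items in diff_logs(BEFORE, AFTER).items():
        print(key, items)
```

Keeping a saved log from before any entry is fixed makes this comparison possible later, which answers the "which ones did you remove?" question without relying on memory.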
     
  4. Shadowwar

    Also, O10's should not be fixed with HijackThis. Which ones did you remove? Can you restore them?
    How is it running now?

    Recommend uninstalling SpyKiller and going with Spybot or Adaware. They are much better and have free versions available.
     
  5. Ha3el

    I didn't actually need to remove O10s as there weren't any there. I deleted 2 or 3 O2s (no name...etc) and made sure that there weren't any O10s as someone else had said to delete O2s and O10s.

    It's still running bad, same as to start with - explorer.exe taking all CPU and I'm starting to think I may have to format, I've exhausted Google!

    I already have Spybot and it found nothing. I've had an earlier version of Adaware in past and didn't find it as efficient as Spysweeper (Webroot). But ANYTHING is worth trying so I have downloaded it, but all it has found is cookies.
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002
    Posts: 13,332
    Location: Netherlands
    Hi Hazel,

    Can you please restore all the O2's you fixed?
    You at least booted one Norton and one Yahoo BHO.

    Then copy and paste the command in bold into your IE address bar and post the result.

    javascript:navigator.userAgent

    Regards,

    Pieter
     
  7. Ha3el

    I'm not sure how to restore these, although they made no mention of NAV or Yahoo. They were just O2 - BHO: (no name){and then loads letters etc}.

    I am about to uninstall everything that runs on startup which includes NAV and Yahoo msgr so do I still need to restore the O2s??

    Also I deleted an O3 - search hook is missing (summat like that!) should this be restored too?

    I've tried the javascript:navigator.userAgent anyway and all I got was blank screen with: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) what is it for?

    Thanks,
    Hazel
     
  8. Pieter_Arntz

    Not what I feared.

    It is hard to tell what you broke. I also notice you are using SpyKiller, which is known to have the occasional false positive.

    Click Start > Run > type or copy & paste sfc /scannow > OK
    Windows will check for missing, corrupted or outdated system files and prompt you if any need to be replaced.

    Keep us posted,

    Pieter
     
  9. Ha3el

    I tried the scannow, prompted me to input XP CD and wanted to reinstall/restore but I have read several posts on net where ppl with same prob have tried to restore and it's not worked.

    I decided just to format C: instead (if in doubt - give up!!) as was too much hassle and need 'puter running. Anyway problem solved, my baby's all fixed now! :D

    Many thanks to both of you for your help
    Hazel
     