I have a huge problem. My computer is practically unusable because I have two winmgmt.exe processes running that take up almost 100% of my CPU all the time. It’s almost as bad in safe mode, only slightly better. I ran Avast through BART; it came up with a couple of infected files that I was able to delete. It also showed the pagefile.sys infected, which I deleted, but it still keeps coming back on subsequent scans. I also used the registry cleaner, which wasn’t able to do much. If I boot into Windows, it literally takes hours for me to open dialog boxes, etc. A couple of weeks ago, my computer was running fine, except for the odd spontaneous reboot every once in a while.
I’m looking for any suggestions on how to attack this!
Please post a hijackthis log: http://www.bleepingcomputer.com/tutorials/tutorial42.html#HowToUse
ComboFix could be useful too: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
Double click combofix.exe & follow the prompts. When finished, it will produce a log for you. Post that log in your next reply please.
Do you know what Avast already deleted?
It only took two hours, but here is my HijackThis log. The only thing I can see that looks odd, other than the WinMgmt.exe, is the SpyDoctor (Antivirus). I’m trying to run ComboFix, but it will probably take a couple more hours at this rate. Do you think I should boot into a DOS prompt and delete the SpyDoctor program? I know I should have written down what I was deleting using Avast, but they weren’t system files, so I didn’t think to. They were just a couple of NetMeeting-type programs.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:34:17 PM, on 4/12/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Boot mode: Safe mode
Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\csrss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\Spyware Doctor\svcntaux.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Spyware Doctor\swdsvc.exe
H:\HiJackThis_v2.exe
F:\Program Files\Spyware Doctor\update.exe
See attached and next post (wouldn’t all fit)
Here is the rest of the log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - F:\Program Files\NetZero\SearchEnh1.dll
F2 - REG:system.ini: UserInit=F:\WINNT\system32\Userinit.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - F:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - F:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - F:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - F:\Program Files\NetZero\Toolbar.dll
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NeroCheck] F:\WINNT\system32\NeroCheck.exe
O4 - HKLM..\Run: [CloneCDElbyCDFL] "F:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM..\Run: [Omnipage] F:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM..\Run: [AdaptecDirectCD] "F:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM..\Run: [EM_EXEC] F:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [WinVNC] "F:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM..\Run: [vptray] F:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM..\Run: [DAEMON Tools] "F:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU..\Run: [Tray Temperature] F:\Program Files\AWS\WeatherBug\WeatherBug.exe 1
O4 - HKCU..\Run: [Skype] "F:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU..\Run: [NetZero_uoltray] F:\Program Files\NetZero\exec.exe regrun
O4 - HKUS.DEFAULT..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - res://f:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Yahoo! Search - file:///F:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///F:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - F:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - F:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1139697347796
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINNT\System32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ccXgui - [XC]D-Ice - F:\Program Files\ccxgui\ccXservice.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - F:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - F:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - F:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - F:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - F:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - F:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - F:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - F:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - F:\Program Files\ORL\VNC\WinVNC.exe
End of file - 9895 bytes
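The replies that follow pick this log apart entry by entry (the doubled WinMgmt.exe, the "(file missing)" buttons, the F2 UserInit line, the O4 startup items). As an added example, not code from the thread or from HijackThis itself, the Python below parses that log format and answers those questions over a handful of lines copied from the posted log; the windir value passed to userinit_in_system32 is an assumption supplied by the caller.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis log in this thread (straight quotes).
SAMPLE_LOG = r"""Running processes:
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\WINNT\System32\WBEM\WinMgmt.exe
F:\Program Files\Spyware Doctor\swdsvc.exe
F2 - REG:system.ini: UserInit=F:\WINNT\system32\Userinit.exe
O4 - HKLM..\Run: [WinVNC] "F:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
O23 - Service: VNC Server (winvnc) - AT&T Research Labs Cambridge - F:\Program Files\ORL\VNC\WinVNC.exe
"""
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")

def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ENTRY_RE.match(line)
        if m:                                  # e.g. "O4 - HKLM..\Run: ..."
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:                         # bare image paths under that header
            processes.append(line)
    return {"processes": processes, "entries": entries}

def duplicate_processes(parsed):
    """Image paths listed more than once, such as the two WinMgmt.exe instances."""
    counts = Counter(p.lower() for p in parsed["processes"])
    return {p: n for p, n in counts.items() if n > 1}

def missing_file_entries(parsed):
    """Entries whose target HijackThis could not find on disk (stale or orphaned)."""
    return [(c, b) for c, b in parsed["entries"] if "(file missing)" in b]

def userinit_in_system32(parsed, windir):
    """True when the F2 UserInit value points at <windir>\\system32\\userinit.exe."""
    expected = windir.rstrip("\\").lower() + "\\system32\\userinit.exe"
    for code, body in parsed["entries"]:
        if code == "F2" and "UserInit=" in body:
            return body.split("UserInit=", 1)[1].strip().lower() == expected
    return None  # no F2 UserInit line present

def autorun_commands(parsed):
    """Name -> command line for O4 Run entries, the startup list worth reviewing."""
    out = {}
    for code, body in parsed["entries"]:
        m = re.search(r"\[([^\]]+)\]\s*(.*)$", body) if code == "O4" else None
        if m:
            out[m.group(1)] = m.group(2)
    return out
```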
What happens if you kill the WinMgmt.exe processes using the Task Manager, or start your PC in safe mode and create the log there?
Safe mode= http://www.computerhope.com/issues/chsafe.htm (only use the “F8” method!)
Hi Karien,
I’d like to see these fixed. It is Spyware:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzer*.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzer*.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzer*.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzer*.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzer*.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzer*.net/s/search?r=minisearch
O3 - Toolbar: Zer*Bar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - F:\Program Files\NetZero\Toolbar.dll
polonus
Why do you think it’s spyware? It is the NetZero Toolbar, as far as I can see.
Can you double check your log and make sure nothing got lost when you split it up. It seems like we should see some Symantec programs, WinVNC, etc in the running processes, so maybe other things are missing as well.
I also wonder if you have WinVNC loading at startup on purpose?
I’m not sure why two instances of WinMgmt.exe are running, but it would be worth at least checking this in relation to high CPU usage:
http://support.microsoft.com/kb/830075
RESOLUTION: To resolve this issue, change the WMI logging level to "errors only". To do so, follow these steps:
1. Click Start, click Run, type wmimgmt.msc, and then click OK.
2. Right-click WMI Control (Local), and then click Properties.
3. Click the Logging tab, and then click Errors only under Logging level.
4. Click OK.
I would also vote in favor of fixing this line at some point (though I doubt it’s the cause of the high CPU problem):
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
There’s a little info here: http://www.castlecops.com/atxlist-1173.html
Hi raman,
Ok, some do not consider NetZero toolbar as adware, some see it differently. It is not a spyware infestation as such. So if you want to keep it on, it is up to you.
polonus
Hi Karien :
There is no indication in the HijackThis log you posted that you have Avast Antivirus, but it does show you have Symantec Antivirus and the antispyware program called "Spyware Doctor". It also shows you have the adware-producing "Weatherbug". Symantec Antivirus is most easily removed from a computer by using the info at http://uts.cc.utexas.edu/~lee99/NoNav/NoNav.pdf.
A HijackThis scan run in "Safe" Mode is almost useless; it does NOT show all or almost all of the "Running Processes".
F2 - REG:system.ini: UserInit=F:\WINNT\system32\Userinit.exe
This one definitely needs deleting.
Before deletion of any malware undetected by avast, ensure you send a sample to avast to help improve detection.
Send the sample to virus@avast.com zipped and password protected with password in email body and undetected malware in the subject. Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest.
Why? Maybe it’s a bug in the (HijackThis) beta…
Hi Karien,
It would be interesting to see when you go to the old DOS prompt and enter the command chkdsk, and post the readouts for that at a few subsequent moments. Just to see what the hardware gives away. If the OS is cleansed and the problem remains, then we’ll think in that direction.
First things first, so download StartDreck from http://www.niksoft.at/download/startdreck.htm. Fire up this nice German proggie (406.585 bytes, md5: cf15b20807e52446503ab2742e5acf55) and post the findings here. Download Crap Scanner also from here: http://www.niksoft.at/download/crap.htm, but do not fire it yet.
polonus
Scanning the file at Virus Total could answer this question.
Karien, if you find your way back to this thread, please upload F:\WINNT\system32\Userinit.exe for analysis:
http://www.virustotal.com/en/indexf.html
Use the Browse button at the top of the web page to navigate to the file and click Send.
Also, what version of VNC are you running?
No, it is the line in the HJT log that needs to be deleted, as it is a hijack point and references win.ini, which is not used or required in XP. The file is probably OK, as it is legitimate and in the right place. So it is just the entry that needs deleting. But a full look at the registry key may disclose a subfile being started using the legitimate file.
Wow! Lots of questions. I’ll try to fill in the gaps. Since I posted, I’ve deleted any antivirus software off my system (Symantec & SpyDoctor). The HijackThis log was run in safe mode, since that was the only way I could get programs to run. I also deleted NetZero, as I also saw those processes running. The computer is still running at 100% according to the Task Manager, but I can actually boot into normal W2K mode and run programs without too much difficulty. I don’t have Avast Antivirus installed, as I came upon it after my computer came to a grinding halt. I ran it from the BART CD at boot (as described in my post). I pasted the whole HijackThis log in the two posts; nothing got left out. My WinVNC version is old: 3.3.3 R9. I’m going to uninstall it, since I rarely use it, and it could be a security risk.
Update: When I went to Add/Remove Programs, my computer slowed to a crawl, so I rebooted, only to blue screen, and now Windows says I should try repairing it. I’ve tried repairing it with the disk, but it doesn’t work. It says it needs an emergency disk, which I don’t have. All I have is the install disk. I thought I was doing better, but I seem to have gone from really bad to even worse. I didn’t think that was possible.
My WinVNC version is old: 3.3.3 R9. I’m going to uninstall it, since I rarely use it, and it could be a security risk.
Good idea. If you can boot this computer at all now, uninstall WinVNC and then open HijackThis again. Click Do A System Scan Only and, when the scan is finished, place a check next to these lines:
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4021/ftp.coupons.com/v3123/cpbrkpie.cab
F2 - REG:system.ini: UserInit=F:\WINNT\system32\Userinit.exe
Click the button labelled Fix Checked. Reboot.
If you are able to run HijackThis in normal mode, please do so now and post a fresh log.