Status: Not open for further replies.
1 - 20 of 36 Posts

· Registered · 19 Posts
Discussion Starter · #1 ·
My resource meter changes from very low to normal high every few seconds. It eventually goes to low of like 10-15% and issues a warning that a fatal exception could occur. I try to delete a running program as it suggests but am not able to do that. System freezes and I have to shut off computer manually. I cannot get the start-shutdown function to work.

This all happens within a few minutes to at the most a half hour after I have turned the computer on. Got any ideas as to what I might be able to do to fix this?

It's just the System Resource that gets so low.

Sincerely, David Tampien
 

· Registered · 21,875 Posts
Sounds like the symptoms of a trojan virus. Do a full scan with the latest virus defs and also download AdAware, update it and run it.
 

· Registered · 19 Posts
Discussion Starter · #3 ·
Thank you for the advice. It is in fact after just getting rid of a Trojan. I have run my AVG antivirus several times and it says I'm clean. I did download and buy Ad-Aware and it found 303 files of spyware or whatever else it finds. I have deleted all those files. Now the computer is lasting longer between lockups but even as I type this my meter is in the red zone and now yellow.

So I'm guessing there is still more damage that the trojan did that I can't yet find. Also now full-page pop-ups fly right past my Pop-Up Stopper. So that's something new too, but probably connected to the same problem.

Got any more ideas?

David Tampien
 

· Trusted Advisor · 86,202 Posts · First Name - Frank
Tampien:

Install and run Spybot - Search & Destroy. It works in conjunction with Ad-aware and will find spyware that Ad-aware doesn't find, and vice versa. Delete everything in red that it finds.

Go into the MSCONFIG startup tab and see how many programs you have checked and running in the background. Many of them can be unchecked and disabled. This will increase system resources and will eliminate some computer problems.
 

· Registered · 19 Posts
Discussion Starter · #5 ·
Okay, now I've run Spybot, Ad-Aware and Trojan Remover and limited what is on the startup menu. In the process I must have done something else because now my browser (IE) only opens a small (2" x 3") window and has to be maximized to see. It looks like a header only. And still the problem continues. It did start with the presence of the Trojan horse.

Any more things I can do?

Thanks for all the help.

Sincerely, David Tampien
 

· Registered · 19 Posts
Discussion Starter · #8 ·
My error. I tried again and found that I could drag it open with the corner. So that part is okay but I still have the System Resource that jumps high and low.

Thanks for your help.

David T.
 

· Registered · 867 Posts
Download Hijack This

Unzip it into a permanent folder. Do not leave it in or put it in a TEMP folder, as this will not let it make backups in case something goes wrong.

Then click HijackThis.exe

Click Scan

The Scan Button changes to a Save Log button.

Click the Save Log button to create a file named Hijackthis.log.

A dialog box will pop up. Use it to select the location where you will save the log. (I save mine to desktop so it is easy to find)

Close the program.

Open the Log in Notepad.

Highlight the entire contents.

Copy and paste the contents of the HijackThis log into your post.

Wait for help! DO NOT FIX ANYTHING WITHOUT SOMEONE HELPING!

IF you get an error saying msvbvm60.dll is missing,
Download and run the MS visual basic 6.0 runtime files
 

· Registered · 19 Posts
Discussion Starter · #10 ·
Logfile of HijackThis v1.97.7
Scan saved at 1:45:56 PM, on 3/21/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\ptsnoop.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\SIBER SYSTEMS\AI ROBOFORM\ROBOTASKBARICON.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PROFESSIONAL\POPUPSTOPPERPROFESSIONAL.EXE
C:\PROGRAM FILES\EFAX MESSENGER PLUS\DLLCMD32.EXE
C:\WINDOWS\RSRCMTR.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\OPYR8LUF\HIJACKTHIS[1].EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.donobi.com/news/portal.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qosi.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Quicksilver Online Service, Inc.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = about:blank
R3 - Default URLSearchHook is missing
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\ROBOFORM.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER PROFESSIONAL\POPUPSTOPPERPROFESSIONAL.EXE"
O4 - Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: RoboForm (HKLM)
O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
O9 - Extra button: Fill Forms (HKLM)
O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
O9 - Extra button: Save (HKLM)
O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.qosi.net
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.2116435185
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {40289096-9F72-4A04-BCB3-E434ECDCEE33} (AppDLCtrl Class) - http://download.howudodat.com/chatterbox/download/beta/appdl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/319da5df71489d303b17/netzip/RdxIE601.cab
O16 - DPF: {9C4A08D4-0F64-4D51-9422-B01EA9E217F0} (WebDeployer2.ctlLoader) - http://voicecafe.optecs.net/installables/WebDeployer2.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {79BB2CA8-6079-462B-B68A-C7AAA588FD8A} (WebDeployerUtil.ctlUtil) - http://voicecafe.optecs.net/installables/WebDeployerUtil.CAB
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {944868EA-9796-4A1C-B1BE-7C21AF553DDD} (Global Communicator Setup) - http://www.pmsistuff.com/gc/gcsetup.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/SmileyCentralInitialSetup1.0.0.6.cab
O16 - DPF: {F5692A44-3746-4CAE-BAEB-10FB33E38DD4} (VMSwitcher Class) - http://www.seeyouagainsoftware.com/shared/cands.cab
O16 - DPF: {1DF36010-E276-11D4-A7C0-00C04F0453DD} (Stamps.com Secure Postal Account Registration) - https://secure.stamps.com/download/us/registration/2_0_0_755/sdcregie.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://download.yahoo.com/dl/bookmarks/ybconvfav030408.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
 
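The log above is in the format HijackThis writes: a section code (R0, R1, O4, O8, O16 and so on), a separator, and the registry value, autorun command or download URL it found. As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script that parses lines of that shape and flags the kinds of entries that get looked at first when a log like this is reviewed: IE search settings reset to about:blank, a missing URLSearchHook, O4 autorun entries whose command is a bare filename with no path, O8 context-menu items that run a script from a Temp folder, and O16 ActiveX downloads served from a raw IP address or registered with no description. The flagging rules are this example's own heuristics, and the sample lines are copied from the posted log; a flag means "identify this", not "this is malicious".

```python
"""Triage of HijackThis-style log lines (added example, not part of the thread
or of the HijackThis tool). Parses R/O section lines and flags entries that a
reviewer would want to identify before deciding what to fix."""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/319da5df71489d303b17/netzip/RdxIE601.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundleware.com/activeX/DS3/DS3.cab
"""

# "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] command"
LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
# O4 body: "<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 body: "DPF: {CLSID} (optional description) - <url>"
O16_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$"
)


def command_image(cmd):
    """Return the executable part of an autorun command line (quotes and arguments stripped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_ip_host(url):
    """True when the URL's host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage_line(line):
    """Return (code, reason, line) when the line deserves a look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    if code in ("R0", "R1") and body.rstrip().lower().endswith("= about:blank"):
        return (code, "IE search setting points to about:blank; confirm the search provider was not cleared by a hijacker", line)
    if code == "R3" and "missing" in body:
        return (code, "default URLSearchHook is missing; HijackThis can restore the default", line)
    if code == "O4":
        o4 = O4_RE.match(body)
        if o4 and "\\" not in command_image(o4.group("cmd")):
            return (code, "autorun entry is a bare filename with no path; find which file on the search path actually runs", line)
    if code == "O8" and re.search(r"\\temp\\", body, re.IGNORECASE):
        return (code, "context-menu item runs a script from a Temp folder, which legitimate add-ons seldom do", line)
    if code == "O16":
        o16 = O16_RE.match(body)
        if o16 and is_ip_host(o16.group("url")):
            return (code, "ActiveX control downloaded from a bare IP address rather than a named vendor host", line)
        if o16 and o16.group("desc") is None:
            return (code, "ActiveX control registered with no description; identify the CLSID before trusting it", line)
    return None


def triage(log_text):
    """Run triage_line over every line of a log and collect the hits in order."""
    return [hit for hit in (triage_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```

Run against the sample, the Flash control and the AVG autorun entry pass silently while the two about:blank settings, the missing hook, the two path-less O4 entries, the Temp-folder O8 item and the two O16 downloads are listed with a reason each. The point of the heuristics is to shorten the list a helper has to look up by hand, not to replace that lookup.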

· Registered · 556 Posts
Here's another one>

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.

This is going to connect to your system and activate pop-ups all the time, it is easily dragging your resources down,

Run Hijack, check it, then click fix,

This is your choice but I think it will help,
start / settings / control panel / add-remove-programs

In the list of programs, find WebSavings and/or ebates money maker, highlight it, then select 'remove'
-------

If it still remains, you'll have to dig it out>
Start / Run / Regedit <type

Navigate to this key by clicking the +sign for each successive folder, finally highlighting 'Run':

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In the right pane, look for 'WebSavingsfromEbates' , right click, select DELETE,

Also:
Locate this folder and delete
C:\Program Files\WebSavingsfromEbates

:)
 

· Registered · 19 Posts
Discussion Starter · #14 ·
I can find websavings in the add/remove file but when I try to remove it, it says can't find. Also in the HKEY and following I open the Run file but websavings is not there. What am I not doing correctly?

I tried to follow your instructions but when I typed in :
Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0 a window opened and said to type in a correct name. Then I don't know what to do.

I am a novice when it comes to getting deeper into the computer.
 

· Registered · 4,733 Posts
Run HJT again and put a check in the entry for

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

Click the fix button in HJT and have it fix/remove the entry. This should also remove the entry from your registry so you don't have to use regedit.

REBOOT

Go to add/remove programs and you should now be able to remove it since the file is not in use.

IF you still can't remove it, then boot into Safe Mode and remove it from there. To get into Safe Mode, at start up tap the F8 key about 3-4 times a second. You should get a black screen with 5-6 menu options. Safe Mode is usually #3.
 

· Registered · 556 Posts
Hi Tampien,
Let me explain this better than I did before. You don't have to type > >

Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

anywhere, or into anything. You have to remove it from your Hijack This log; by doing that, the Hijack program will remove it from your system (the registry) automatically. Which also means you won't have to do the 'regedit' I suggested, as Nighthawk points out it's the same thing as using 'Hijack'.

Even though you removed 'Real Player' you still should remove its entries in the Hijack This log.

1. Open your 'Hijack This' program, run it again, now look at the entries it has listed. Locate these in the list

O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


You will see a box to the left of all entries, put a check in both of the above using your mouse. After they have been checked, click the FIX button, and they will be deleted from your registry.

After you fix the above, run Hijack again, and check to make sure they have been removed, post back any more concerns you have,

:)
 

· Registered · 19 Posts
Discussion Starter · #17 ·
Ok, now I got it. I found the address in the HJT and deleted it. But even after reboot I can't remove it from Program remove. It pops up a window that says can't find file.

I'm concerned about safe mode. Is it possible to get into safe mode and then not be able to get out of it?

Also recently, since the trojan, I've been getting this full window pop up that my Pop Up Stopper doesn't catch. It is:
http://www.educationprovider.com/?affil=1918-popup
 

· Registered · 556 Posts
Tampien,

Don't worry about 'safe mode', it's a very safe place to be and you exit it the same way you would in normal windows, just click on start / shutdown , go in to it and follow Nighthawk's advice, I guarantee you will not have any complications because of it,

One thing, it will look like normal windows but without the high quality display, but everything else will work the same way . . . one other thing, when you go back to normal windows some of your desktop icons may be rearranged .....totally normal,

---------------

While you're at this, do a search for these files on your system, and it's best to do this also while in safe mode;

Click start / find / find all files and folders
Now type in these one at a time, if you find them .....DELETE them,

WebSavingsfromEbates.exe
WebSavingsfromEbates1.exe
websearch.exe
couponsandoffers.exe

-------------

Also find this folder>

WebSavingsfromEbates

Double click on 'My Computer' , the desktop icon,
then double click on C: ,
then double click ' Program Files'

Now look for a folder named WebSavingsfromEbates, when you find it, delete it

If you see these folders>
websearch
couponsandoffers

delete them too, actually they should be inside the other one, but check for them,

Remember to 'EMPTY' your recycle bin before you exit the safe mode,

:)
 
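The search-and-delete steps above are done by hand through the Find dialog and My Computer. As an added example, not code from this thread, the following Python script does the same sweep over a directory tree: it matches the file and folder names listed in the post case-insensitively (the file system in question does not distinguish case), reports what it finds in a dry run, and removes the matches only when asked to. The sample tree it builds in a temporary directory is constructed for the demonstration, with one unrelated file (the AVG executable named in the log) left in place to show that only watch-list names are touched.

```python
"""Case-insensitive sweep for named files and folders (added example, not from
the thread). Dry run by default; deletion only with delete=True."""
import os
import shutil
import tempfile

# Names from the post above, lower-cased so matching ignores case.
WATCH_FILES = {
    "websavingsfromebates.exe",
    "websavingsfromebates1.exe",
    "websearch.exe",
    "couponsandoffers.exe",
}
WATCH_DIRS = {"websavingsfromebates", "websearch", "couponsandoffers"}


def sweep(root, delete=False):
    """Walk `root` bottom-up and return sorted, slash-separated relative paths of
    every file or folder whose name is on the watch list. With delete=True the
    matches are removed; children are removed before their parent folders."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, topdown=False):
        for name in filenames:
            if name.lower() in WATCH_FILES:
                path = os.path.join(dirpath, name)
                found.append(os.path.relpath(path, root).replace(os.sep, "/"))
                if delete:
                    os.remove(path)
        for name in dirnames:
            if name.lower() in WATCH_DIRS:
                path = os.path.join(dirpath, name)
                found.append(os.path.relpath(path, root).replace(os.sep, "/"))
                if delete:
                    shutil.rmtree(path)
    return sorted(found)


def build_sample_tree():
    """Constructed sample layout mimicking the folders named in the thread."""
    root = tempfile.mkdtemp(prefix="sweep_demo_")
    sample_files = [
        ("Program Files", "WebSavingsfromEbates", "WebSavingsFromEbates.exe"),
        ("Program Files", "WebSavingsfromEbates", "websearch", "websearch.exe"),
        ("WINDOWS", "SYSTEM", "couponsandoffers.EXE"),
        ("Program Files", "GRISOFT", "AVG6", "avgcc32.exe"),  # unrelated, must survive
    ]
    for parts in sample_files:
        full = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"")
    return root


def demo():
    """Dry run, then delete, then re-check; returns (dry_hits, hits_after, avg_kept)."""
    root = build_sample_tree()
    try:
        dry = sweep(root)
        sweep(root, delete=True)
        after = sweep(root)
        avg_kept = os.path.exists(
            os.path.join(root, "Program Files", "GRISOFT", "AVG6", "avgcc32.exe")
        )
    finally:
        shutil.rmtree(root)
    return dry, after, avg_kept


if __name__ == "__main__":
    dry, after, avg_kept = demo()
    print("would remove:", *dry, sep="\n  ")
    print("remaining after delete:", after, "| unrelated file kept:", avg_kept)
```

The dry run lists the two WebSavings folders, the two executables inside them and the coupons file under WINDOWS\SYSTEM, five entries in all; after the deleting pass a second sweep finds nothing and the AVG file is still there. Walking bottom-up matters for the delete pass: a watched file inside a watched folder is handled before the folder itself is removed.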

· Registered · 19 Posts
Discussion Starter · #19 ·
I am so appreciating all your help. However, after doing all the things you told me to do my system resource still is erratic. When I first boot up and set the meter in the task bar so I can read it, it has lots of space. But no matter what I'm doing or even not doing anything on the computer soon the meter reads yellow or red and a message pops up that says 90% of the system resource is being used. Close some programs. But even closing any of the few programs running doesn't change anything.

So I'm still in a quandary. Any more ideas? I'd be glad to call someone to talk about it. I am on fiber optics so can use phone and computer at the same time.

This all started when the trojan appeared and even though it has been removed the problems left behind are real.

Sincerely, David Tampien
 

· Registered · 4,733 Posts
There are a few versions of the Cool Web Search parasite that evade showing up in HJT. Just to be sure download and run the CWShredder program that can be found at

http://www.spywareinfo.com/~merijn/files/cwshredder.zip
http://spychecker.com/program/coolwebshredder.html
http://www.majorgeeks.com/download4086.html
http://www.sherrylynn.us/CWShredder.exe

I am including several sites because merijn's site has been under a denial of service attack and I don't know if it has ended or not. Merijn is the writer and creator of HJT, CWShredder and several other anti-spyware programs. It just shows you how far these lowlifes at Cool Web Search will go to keep their crap from being detected and removed.

If it turns out that you are clean, there is no harm in running CWShredder. It's like running your antivirus program and coming up clean. :)
 