#1
100% cpu usage. Please help
Hello guys. I am having such a hard time trying to clean up my computer. I know I have let this go way too far. I'm not sure if it's even worth trying to fix this or if I should format and start from scratch. Anyways, my system is running really slow, and when I check my CPU usage history, it flies to 100% and stays there. I think I narrowed it down to a mstasks2.exe by trial and error by ending processes, and when I kill this it goes back to normal.

I have tried everything on the sticky to try to repair my computer and get it back to normal. I used msconfig and unchecked the mstasks2.exe from the startup, but if it isn't used for anything I would like to get rid of it. I have used Ad-aware, Trojan Remover, Trojan Hunter, SW Shredder, everything I can find on this forum and others. The thing is I cannot run Housecall to check for other viruses because my stupid IE likes to crash after 2 mins of use, so I switched over to Firefox to try to run it and it needs a Java plug-in that doesn't want to install because of a nice shell.dll error. Soooo I then d/l AVG anti virus and tried to install that and got the same stupid error.

Well, as you can probably tell, I'm a bit of a noob when it comes to this and I know now that I should have been more careful. I also know I should have stayed on top of the Windows updates and actually doing a virus scan once in a while. Any help or suggestions would be greatly appreciated. Thank you in advance.

Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 9:15:37 PM, on 6/9/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System\user32.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mark.MARK-IGX5LZDRCR\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F1 - win.ini: run=C:\WINDOWS\system32\services\exploit.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\mark.MARK-IGX5LZDRCR\Application Data\sysyt\sysyt32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [xufgb] C:\WINDOWS\xufgb.exe
O4 - HKLM\..\Run: [kelreskdtkyio] C:\WINDOWS\System32\lvuqcvcx.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - HKCU\..\Run: [Hcon] C:\Documents and Settings\mark.MARK-IGX5LZDRCR\Application Data\eeah.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe
O9 - Extra button: Add to Web list (HKLM)
O9 - Extra 'Tools' menuitem: &Popup XP - Add to Web list (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - URL
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!URL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - URL
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - URL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - URL
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - URL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - URL
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - URL
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - URL
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - URL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL
#2
Alright, I gave IE another shot and it let me run a full Housecall scan, found 11 viruses :gack:

Anyways, I still would like to clean up my reg files, not sure if you guys need to see a fresh log or not. Also I do not know how I messed up my shell.dll file...... When trying to install AVG it's still giving me an error and won't install. "File Error Can not find SHELL.DLL" is the exact error.

Thanks again to anyone that replies.

Luckyme
#3
Hi luckyme6969,

Yes, an updated log would be a good idea. Your last log showed at least two dialers and possibly other malware.

Tom
__________________
HijackThis, Ad-aware, Spybot Search & Destroy, SpywareBlaster, SpywareGuard, Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
#4
Hi Tom Myboy
Since the last log I have done a Norton scan and a Housecall scan. Anyways, here's the new log. Thanks for taking a look, Tom Myboy.

Logfile of HijackThis v1.97.7
Scan saved at 2:17:55 AM, on 6/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mark.MARK-IGX5LZDRCR\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\mark.MARK-IGX5LZDRCR\Application Data\sysyt\sysyt32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [xufgb] C:\WINDOWS\xufgb.exe
O4 - HKLM\..\Run: [kelreskdtkyio] C:\WINDOWS\System32\lvuqcvcx.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - HKCU\..\Run: [Hcon] C:\Documents and Settings\mark.MARK-IGX5LZDRCR\Application Data\eeah.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O9 - Extra button: Add to Web list (HKLM)
O9 - Extra 'Tools' menuitem: &Popup XP - Add to Web list (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - URL
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!URL
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - URL
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - URL
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - URL
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - URL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - URL
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - URL
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - URL
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - URL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL
#5
Please move or extract HijackThis to a permanent folder such as C:\HJT as it makes important backups of what we fix.

Open Task Manager and end the following processes if running:

user32.exe
xufgb.exe
lvuqcvcx.exe
Sync.exe
wnscptr.exe

Run HijackThis, place a checkmark next to the following items. Close ALL other windows and browsers except HijackThis. Click "fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\mark.MARK-IGX5LZDRCR\Application Data\sysyt\sysyt32.dll (file missing)
O4 - HKLM\..\Run: [xufgb] C:\WINDOWS\xufgb.exe
O4 - HKLM\..\Run: [kelreskdtkyio] C:\WINDOWS\System32\lvuqcvcx.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe
O4 - HKCU\..\Run: [WNSI] C:\WINDOWS\System32\wnscptr.exe
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://cashsearch.biz/legal/x.chm::/load.exe
O16 - DPF: {841A9192-5690-11D4-A258-0040954A01BE} - http://dialxs.nl/install/dialxs.ocx
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

Any idea what this is? If not, can you right click the file and tell me its properties and version info?

O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe

Show hidden files: How to Show hidden files and folders.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Boot into Safe Mode. Here's instructions:
http://service1.symantec.com/SUPPOR...01052409420406/

Delete the following files:

C:\WINDOWS\System\user32.exe
C:\WINDOWS\xufgb.exe
C:\WINDOWS\System32\lvuqcvcx.exe
C:\WINDOWS\System32\wnscptr.exe

Delete the following folders:

C:\PROGRA~1\CLOCKS~1\

Reboot normally and update Windows and Internet Explorer. Download each critical update one by one, rebooting when necessary. Repeat this until you get the message "no critical updates available".
http://v4.windowsupdate.microsoft.com/

Consider installing Spywareblaster and Spywareguard (links below).

Post an updated log.

Tom
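The structural checks behind several of the lines picked out in post #5, as an added example that is not part of the original thread or of HijackThis itself: it splits a flattened log like the ones pasted above into entries and flags a hijacked `Shell=` value, a `win.ini` `run=` program, a BHO whose DLL is missing, and an O16 entry loaded through `ms-its:`. The function names and the sample string are assumptions made for the example; O4 autostart entries are parsed but left to manual review, since nothing in their format separates good from bad.

```python
import re

# Constructed sample: entries copied from the logs in this thread and joined
# into one flattened line, the way the forum rendered them.
SAMPLE = " ".join([
    r"Running processes: C:\WINDOWS\explorer.exe",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank",
    r"F0 - system.ini: Shell=explorer.exe C:\WINDOWS\System\user32.exe",
    r"F1 - win.ini: run=C:\WINDOWS\system32\services\exploit.exe",
    r"O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings"
    r"\mark.MARK-IGX5LZDRCR\Application Data\sysyt\sysyt32.dll (file missing)",
    r"O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup",
    r"O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!URL",
    r"O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL",
])

CODE = r"(?:[RFN]\d|O\d{1,2})"  # HijackThis section codes such as R1, F0, O4, O16

def parse(log_text):
    """Split a (possibly flattened) log into (code, body) entries; header text is skipped."""
    entries = []
    for piece in re.split(r"\s+(?=" + CODE + r" - )", log_text.strip()):
        m = re.match(r"(" + CODE + r") - (.*)", piece, re.S)
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries

def triage(log_text):
    """Return (code, reason, body) for entries that show a structural warning sign."""
    findings = []
    for code, body in parse(log_text):
        low, reason = body.lower(), None
        if code in ("F0", "F2") and "shell=" in low:
            if low.split("shell=", 1)[1].strip() != "explorer.exe":
                reason = "Shell= starts something besides explorer.exe"
        elif code in ("F1", "F3") and re.search(r"\b(run|load)=\S", low):
            reason = "program started through win.ini run=/load="
        elif code == "O2" and low.endswith("(file missing)"):
            reason = "BHO still registered but its DLL is gone"
        elif code == "O16" and "ms-its:" in low:
            reason = "ActiveX code base uses the ms-its: handler, not a plain URL"
        if reason:
            findings.append((code, reason, body))
    return findings

if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE):
        print(f"{code:<4}{reason}\n    {body}")
```
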
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > 100% cpu usage. Please help