HiJackThis log

Right. I was having problems with my computer using RAM when idle, 580 MB to be precise, and someone suggested I should run HJT, so I did... but what does the log mean? :eek:

C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\Program Files\Globe Software\StatBar\StatBar.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Z:\Harry1 stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.halflife2.net/forums
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [mouseElf] C:\Program Files\Genius NetScroll + Series Mouse\mouseElf.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SysInit] wininit32.exe -drivers
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe -drivers
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [SysInit] wininit32.exe -drivers
O4 - HKCU\..\Run: [StatBar] C:\Program Files\Globe Software\StatBar\StatBar.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_7626.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - C:\Program Files\Common Files\Stardock\MCPCore.dll


Thanks :)
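Added here as a worked example (not part of the original post, and not HijackThis code): a short Python script that reads the O4 (autostart) lines from a log like the one above and lists the entries worth checking first. It flags commands given as a bare file name with no drive or directory (Windows then finds the file through its search order rather than from a fixed, known location) and commands registered under more than one autostart key. A flag only means "look at the file on disk", not "this is malware"; legitimate RunDll32 entries get flagged too. The function names are my own, and SAMPLE_LOG is a subset of the O4 lines quoted above.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example, not part of the original thread and not HijackThis code.
It parses the "O4 - ..." lines and flags entries a reviewer should look
at first:

  * the command is a bare file name (no drive, directory or %var%
    prefix), so Windows locates it through its search order instead of
    from a fixed, known location; and
  * the same command is registered under more than one autostart key.

A flag is a prompt to check the file on disk, not a verdict. Function
names are this example's own; SAMPLE_LOG is copied from the log above.
"""
import re
from collections import defaultdict

# Registry form: "O4 - HKLM\..\Run: [Name] command args"
O4_REG = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Startup-folder form: "O4 - Global Startup: Name.lnk = C:\path\prog.exe"
O4_DIR = re.compile(
    r"^O4 - (?P<where>Global Startup|Startup): (?P<name>.*?) = (?P<cmd>.*)$"
)

# A subset of the O4 lines from the log quoted in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SysInit] wininit32.exe -drivers
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [SysInit] wininit32.exe -drivers
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\System32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [SysInit] wininit32.exe -drivers
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""


def parse_o4(log_text):
    """Return one dict per O4 line: location, value name and command string."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG.match(line)
        if m:
            entries.append({"location": m["hive"] + "\\" + m["key"],
                            "name": m["name"], "cmd": m["cmd"].strip()})
            continue
        m = O4_DIR.match(line)
        if m:
            entries.append({"location": m["where"], "name": m["name"],
                            "cmd": m["cmd"].strip()})
    return entries


def executable_of(cmd):
    """Executable part of a command line.

    A quoted path is taken whole; otherwise the first token is used. That
    truncates an unquoted path containing spaces, but it still shows whether
    a drive/directory prefix is present, which is all is_bare_name needs.
    """
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_bare_name(exe):
    """True if the executable carries no drive, directory or %var% prefix."""
    return "\\" not in exe and ":" not in exe and not exe.startswith("%")


def triage(entries):
    """Return (location, name, executable, reasons) for every flagged entry."""
    locations_by_cmd = defaultdict(list)
    for e in entries:
        locations_by_cmd[e["cmd"].lower()].append(e["location"])

    findings = []
    for e in entries:
        exe = executable_of(e["cmd"])
        reasons = []
        if is_bare_name(exe):
            reasons.append("bare file name, located via the search path")
        locs = locations_by_cmd[e["cmd"].lower()]
        if len(locs) > 1:
            reasons.append("same command in %d autostart keys: %s"
                           % (len(locs), ", ".join(locs)))
        if reasons:
            findings.append((e["location"], e["name"], exe, reasons))
    return findings


def report(log_text):
    """One line per flagged entry, for pasting back into a thread like this."""
    lines = []
    for location, name, exe, reasons in triage(parse_o4(log_text)):
        lines.append("%-17s [%s] %s: %s" % (location, name, exe, "; ".join(reasons)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it on the sample and the three SysInit lines come out together because they share one command string across HKLM\Run, HKLM\RunServices and HKCU\Run, while entries that point at a full path (htpatch.exe, the quoted IntelliPoint path, the %systemroot% dumprep line) stay quiet. The next step for anything flagged is to locate the file and check its publisher and size, which this script deliberately does not try to guess.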
 
Where what how?

Already scanned my computer with Adaware, Spybot and AVG
 
I might have overreacted...
C:\WINDOWS\system32\lsass.exe and massive RAM usage are signs of the Sasser worm (lsass.exe is always present though; it's a Windows .exe). You might want to try the removal tool anyway and see what it finds.
OR
It could be some other crap you have loaded ;) like:
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
or C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe (which is running 3 instances)
I don't know what C:\Program Files\Globe Software\StatBar\StatBar.exe is

and... what the hell is "C:\WINDOWS\System32\rundll32.e xe"? I think that's a virus too..

EDIT: rundll32.exe is OK.. but it's the space there that bugs me...
 
rundll32.exe isn't a virus, it's a pretty common file (which runs .dlls, surprisingly D: )
 
hax said:
rundll32.exe isn't a virus, it's a pretty common file (which runs .dlls, surprisingly D: )

but there's stuff like this:
The strange associations of rundll

Anyway.. press CTRL+ALT+DEL and tell us how much memory LSASS.EXE is using..
(and what's taking the most.. to be exact..) -only works if you are using 2000/XP
 
In order of usage:

Firefox.exe 43,232k
explorer.exe 21,176k
svchost.exe 15,660k
msnmgr.exe 14,404k

:eek:

RAM is at 410mb use.
 
ComradeBadger said:
In order of usage:

Firefox.exe 43,232k
explorer.exe 21,176k
svchost.exe 15,660k
msnmgr.exe 14,404k

:eek:

RAM is at 410mb use.

how the hell!?! you must have hundreds of apps running!
 
Nope.. just MSN, mIRC, Kerio, FireFox, ATi CP, Remote Wonder and Xear 3d.

My RAM usage has always been like that.. any idea what causes it?
 
bliink said:
but there's stuff like this:
The strange associations of rundll

Anyway.. press CTRL+ALT+DEL and tell us how much memory LSASS.EXE is using..
(and what's taking the most.. to be exact..) -only works if you are using 2000/XP

Yeah, I had a bit of bother with a virus that was present in the rundll thingy majiggy.. so I know what you're on about.
 
Tinneth said:
Yeah, I had a bit of bother with a virus that was present in the rundll thingy majiggy.. so I know what you're on about.


yeah.. viruii are bastards...
 
bliink said:
yeah.. viruii are bastards...

In fact I had this on about 3 or 4 occasions... I don't know where it comes from but I seem to sort it out every time... :burp:
 
Tinneth said:
In fact I had this on about 3 or 4 occasions... I don't know where it comes from but I seem to sort it out every time... :burp:

I had one that kept getting deployed by a game trainer I had... moral: don't cheat :)
 
bliink said:
I had one that kept getting deployed by a game trainer I had... moral: don't cheat :)

I'll keep that in mind :D I think I downloaded a file and it gave me the virus, but then I made the mistake of downloading it again a couple of weeks later 'cause I forgot about the virus. Silly old me :x
 
Well, looking at the log and the processes you have running, I am not surprised you would get some RAM usage, but not that much. Is that honestly your computer idle? All those apps running? My computer has only 20 processes running when it idles. The best thing to do is go to www.answersthatwork.com, then check each process to see whether it is OK to run in the background or not.

If it's not OK, then there are several ways it can be disabled. One is by going Start->Run->Msconfig. Then go to Startup; anything that should not be running in the background, just uncheck it, save and reset.

If it isn't displayed there, then go Start->Run->Services.msc and look in there. Once you find it, right-click->Stop, then right-click->Properties->Startup Type->Disabled.

Then the final way is in the registry: Start->Run->Regedit->HKEY_LOCAL_MACHINE->SOFTWARE->Microsoft->Windows->CurrentVersion->Run. On the right are all the values for the stuff that is starting up. To stop them, just right-click and delete.

Hopefully by the end of it you will have a lot less processes running.


Just looking at your processes I can tell some stuff should be disabled.

C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe  Really don't need; all it does is check for updates.
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
Just run it when you want to use it.
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe  Do you really need the ATI icon??
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe  Can't you just run this when you want to use the remote?
C:\Program Files\Globe Software\StatBar\StatBar.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\mIRC\mirc.exe  mIRC shouldn't be running when it idles.
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
Z:\Harry1 stuff\HijackThis.exe
 
Yeah, when that was done, mIRC was running, so I wasn't strictly idle.

Anyone know a good method of measuring RAM usage?
 
If you're using Win2k or XP, just press Ctrl+Alt+Delete and then click Task Manager (Performance tab).

If you could give a list of your processes with how much RAM they're using when you consider the comp "idle," that would help. Start up fresh, don't turn anything off or on. Just press Ctrl+Alt+Delete, go to the Processes tab, and press Print Screen. Then go into Paint and paste the image in, crop it to only the processes, and put it up here or host it on ImageShack. That would be immensely helpful.

Also, try snooping around in services.msc (Run->services.msc) and see if there's anything in there that shouldn't be running. I like to use www.blackviper.com as a reference to make sure I don't turn anything sensitive off.
 
There isn't anything running that shouldn't be according to services.msc

I've used regedit to get msconfig running again. Nothing is starting that it shouldn't be.

Doing request :)

Done. RAM used when idle = 315mb
 
Not terribly helpful, Sidey. Well, those processes don't add up to 315, closer to 200.
 
Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

Here's what I do to get as much RAM as possible and keep it that way. I have a logoff script which executes this .reg file, so no matter what piece of spyware or other crap I install wants to start up, I don't let it. Then all that's left is common startup (the Startup folder). I think it's BS that Windows has 3 startup folders, 2 of which are only accessible in the registry, which is why I clear them when I log off. But I usually leave the common startup alone, because you can plainly see what goes in that easily, which is why IT should be used for things you want to start up.

Anyway, from there, msconfig, then I'd disable all non-MS services, except Nvidia users might need a file called nvcpl if they want to access the control panel; not 100% sure on that though.

I would start from here, and put only what you want in common startup so you know EXACTLY what starts up and takes RAM.
 
I've haxed about with help from Snakey^ and now I'm using approx 100mb RAM idle :D
 