# 100 % CPU usage! All the time



## tinker

This old PC of mine has been creating a lot of issues for me.

It's a P4, 512 DDR1 RAM, 80 GB HD.

I see the CPU usage is always 100% even when no programs are running. I have original antivirus software, and I have checked for spyware etc.; it's clean. Even then I am facing this problem.

Can these situations lead to 100% CPU usage all the time?

1] Bad sectors in HD
2] Low RAM
3] 5-year-old CPU

You know how frustrating the situation can get when you see the words you are typing appear on the screen after 2 secs.
I feel like ripping off the CPU and flinging it out of the window. Probably then I can RIP.


----------



## johnb35

If you have the original antivirus software that came with the computer, then it's most likely out of date.  Please do the following so we can see what's running on your system.

 Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*
 
then click *Finish*.
If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically, which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware.

If for some reason Malwarebytes will not install or run, please download and run Rkill.scr, Rkill.exe, or Rkill.com but *DO NOT* reboot the system, and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it overpowers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.


----------



## tinker

Can you take control of my pc right now? through net meeting or something like that.


----------



## voyagerfan99

tinker said:


> Can you take control of my pc right now? through net meeting or something like that.



Why don't you just do it? It's not hard.


----------



## johnb35

tinker said:


> Can you take control of my pc right now? through net meeting or something like that.



Only as a last resort.  The procedure I asked you to do is really simple, as voyagerfan has said.


----------



## tinker

johnb35 said:


> Only as a last resort.  The procedure I asked you to do is really simple, as voyagerfan has said.



Going through the procedure.

Completed Malwarebytes installation... going ahead.


----------



## tinker

Process got hung.


----------



## tinker

I think Malwarebytes got back to running and scanning.


----------



## johnb35

tinker said:


> process got hung.



You can't post images from your hard drive, they must be saved to a file hosting site first. 

Open task manager, click on the processes tab, find the process that is using up your cpu and let us know what it is.


----------



## tinker

johnb35 said:


> You can't post images from your hard drive, they must be saved to a file hosting site first.
> 
> Open task manager, click on the processes tab, find the process that is using up your cpu and let us know what it is.



Trying to upload the image of Task Manager (CPU usage and file running) on file hosting sites.

photobucket = too slow
easy share = complicated
istock = in process, but I don't know if it will give an error on using the link on a forum. It did give me an error earlier.

Malwarebytes still scanning after 25 mins (37366 objects scanned, zero infected, still progressing).


----------



## tinker




----------



## tinker

deleted this image.


----------



## johnb35

That doesn't help me when the Processes tab isn't the one showing.  Click on the Processes tab and then do another screenshot.  End Malwarebytes first and any unnecessary programs.


----------



## tinker




----------



## johnb35

You have the process rscmpt.exe using up 91 percent of the CPU.  That process is related to your Nvidia graphics card.  What video card do you have?

Also looks like you have a process active that is malware: Process1.exe.

Boot to safe mode and run malwarebytes.


----------



## tinker




----------



## johnb35

Good, it looks like it's gonna complete.  When it's done, finish the process that I posted and post the malwarebytes log along with the hijackthis log.


----------



## tinker




----------



## tinker

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5981

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

08/03/2011 1:10:21 AM
mbam-log-2011-03-08 (01-10-13).txt

Scan type: Quick scan
Objects scanned: 138372
Time elapsed: 50 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiviruspro_2010.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSA.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMSS32.EXE (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SVCHOSTS.EXE (Security.Hijack) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*) Good: ("%1" %*) -> No action taken.
HKEY_CLASSES_ROOT\batfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*) Good: ("%1" %*) -> No action taken.
HKEY_CLASSES_ROOT\comfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*) Good: ("%1" %*) -> No action taken.
HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*) Good: ("%1" %*) -> No action taken.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" /S) Good: ("%1" /S) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## johnb35

Did you click on the remove selected button to delete the infections?


----------



## tinker

Starting with the HijackThis installer process now.


----------



## tinker

Starting with the HijackThis process now.


----------



## tinker

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:18:45 AM, on 08/03/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\p\NPProt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
C:\Program Files\Net Protector 2010\zvscan\ZVMonNT.exe
C:\Program Files\Net Protector 2010\ZVRegMon\ZVRegMon.exe
C:\Program Files\UGS\NX 7.0\UGFLEXLM\ugslmd.exe
C:\WINDOWS\system32\Rscmpt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NETPRO~1\EMAIL SCAN\EMAILSCN.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BSNL 3G Data Card\Resource\MCtlSuc.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BSNL 3G Data Card\BSNL 3G.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\mspaint.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bsnllive.in/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\Run: [Zero-V Virus Shield] "C:\PROGRA~1\NETPRO~1\EMAIL SCAN\EMAILSCN.EXE"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MCtlSuc] C:\Program Files\BSNL 3G Data Card\Resource\MCtlSuc.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB8537D3-ACAD-475E-BE79-E9868379D71D}: NameServer = 218.248.240.134 218.248.240.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: NPLogon - NPlogon.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NPAV Antivirus Protection (NPVProt) - Biz Secure Labs Pvt Ltd. - C:\Documents and Settings\p\NPProt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UG Nx 7.0 - Macrovision Corporation - C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
O23 - Service: UG Nx-7.0 - Macrovision Corporation - C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
O23 - Service: Zero-V AntiVirus Protection (ZeroVProtect) - Biz Secure Labs Pvt Ltd. - C:\Program Files\Net Protector 2010\zvscan\ZVMonNT.exe
O23 - Service: Zero-V Registry Monitoring (ZVRegMon) - Message Labs Pvt Ltd. - C:\Program Files\Net Protector 2010\ZVRegMon\ZVRegMon.exe

--
End of file - 5944 bytes


----------



## tinker

Not yet clicked on the Remove Selected button. I am trying to post replies, but it's taking too much time. I had to click Back 3 times by now. I don't know if this gets posted.

I have completed the HijackThis scan and am trying to post the log.


----------



## tinker

Oh! It was already posted.
See the outcomes of a slow PC.


----------



## johnb35

You needed to click on Remove Selected before running hijackthis.  Rerun malwarebytes if you have to and click on Remove Selected when it's done scanning.  Then post a fresh hijackthis log.


----------



## tinker

Oops!

on it


----------



## tinker

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5981

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

08/03/2011 1:27:52 AM
mbam-log-2011-03-08 (01-27-52).txt

Scan type: Quick scan
Objects scanned: 138372
Time elapsed: 50 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antiviruspro_2010.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSA.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMSS32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SVCHOSTS.EXE (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\batfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\comfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\piffile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" /S) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

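Added example, not code from the thread or from Malwarebytes: a small Python parser for the 1.x log layout posted above. It answers johnb35's question mechanically (which findings still say "No action taken" versus "Quarantined and deleted"), checks that the pasted log is complete by comparing the summary counts with the lines listed, and pulls out the Broken.OpenCommand redirections. The sample is a cut-down copy of the two logs above with its counts adjusted to the lines kept; the list of "remediated" action phrases is an assumption.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and check remediation."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: a cut-down copy of the first log in the thread, summary
# counts adjusted to the lines kept. Every action is "No action taken".
LOG_BEFORE = r"""Malwarebytes' Anti-Malware 1.50.1.1100

Scan type: Quick scan
Objects scanned: 138372

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe (Security.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SVCHOSTS.EXE (Security.Hijack) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\PROGRA~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*) Good: ("%1" %*) -> No action taken.
"""
# The second log in the thread is the same scan after "Remove Selected".
LOG_AFTER = LOG_BEFORE.replace("No action taken.", "Quarantined and deleted successfully.")

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Finding line: key (detection) -> [Bad: (x) Good: (y) -> ] action.
FINDING_RE = re.compile(r"^(?P<key>.+?) \((?P<detection>[^()]+)\) -> "
                        r"(?:Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> )?"
                        r"(?P<action>.+?)\.?$")
# Action wording that means MBAM changed something (assumption: taken from
# 1.x logs; extend if your logs use other phrases).
REMEDIATED_PREFIXES = ("Quarantined and deleted", "Delete on reboot")


@dataclass
class Finding:
    section: str
    key: str
    detection: str
    action: str
    bad: str = ""   # only present on "Registry Data Items" lines
    good: str = ""

    def remediated(self) -> bool:
        return self.action.startswith(REMEDIATED_PREFIXES)


@dataclass
class MbamReport:
    scan_type: str = ""
    objects_scanned: int = 0
    summary: Dict[str, int] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)


def parse_mbam_log(text: str) -> MbamReport:
    """One pass: scan facts and summary counts, then each 'X Infected:' section."""
    report, section = MbamReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scan type:"):
            report.scan_type = line.split(":", 1)[1].strip()
        elif line.startswith("Objects scanned:"):
            report.objects_scanned = int(line.split(":", 1)[1])
        elif (m := SUMMARY_RE.match(line)):
            report.summary[m["section"]] = int(m["count"])
        elif (m := HEADER_RE.match(line)):
            section = m["section"]
        elif section and not line.startswith("(") and (m := FINDING_RE.match(line)):
            report.findings.append(Finding(section, m["key"], m["detection"],
                                           m["action"], m["bad"] or "", m["good"] or ""))
    return report


def unremediated(report: MbamReport) -> List[Finding]:
    """Findings listed but not touched; such a log is only a 'before' picture."""
    return [f for f in report.findings if not f.remediated()]


def summary_mismatches(report: MbamReport) -> Dict[str, Tuple[int, int]]:
    """{section: (claimed, listed)} where the counts differ: usually a partial paste."""
    listed: Dict[str, int] = {}
    for f in report.findings:
        listed[f.section] = listed.get(f.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in report.summary.items()
            if n != listed.get(s, 0)}


def hijacked_open_commands(report: MbamReport) -> Dict[str, str]:
    """Broken.OpenCommand findings: file-type open commands with another
    executable wedged in front of "%1", mapped to the command that was there."""
    return {f.key: f.bad for f in report.findings
            if f.detection == "Broken.OpenCommand" and f.bad}
```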

----------



## tinker

This is the log file after clicking *Remove Selected*.


----------



## johnb35

Now post a new fresh hijackthis log.


----------



## tinker

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:30:19 AM, on 08/03/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\p\NPProt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
C:\Program Files\Net Protector 2010\zvscan\ZVMonNT.exe
C:\Program Files\Net Protector 2010\ZVRegMon\ZVRegMon.exe
C:\Program Files\UGS\NX 7.0\UGFLEXLM\ugslmd.exe
C:\WINDOWS\system32\Rscmpt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\NETPRO~1\EMAIL SCAN\EMAILSCN.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BSNL 3G Data Card\Resource\MCtlSuc.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BSNL 3G Data Card\BSNL 3G.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\NETPRO~1\ZVScan\OSFPopup.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bsnllive.in/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\Run: [Zero-V Virus Shield] "C:\PROGRA~1\NETPRO~1\EMAIL SCAN\EMAILSCN.EXE"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MCtlSuc] C:\Program Files\BSNL 3G Data Card\Resource\MCtlSuc.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB8537D3-ACAD-475E-BE79-E9868379D71D}: NameServer = 218.248.240.134 218.248.240.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: NPLogon - NPlogon.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NPAV Antivirus Protection (NPVProt) - Biz Secure Labs Pvt Ltd. - C:\Documents and Settings\p\NPProt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UG Nx 7.0 - Macrovision Corporation - C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
O23 - Service: UG Nx-7.0 - Macrovision Corporation - C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
O23 - Service: Zero-V AntiVirus Protection (ZeroVProtect) - Biz Secure Labs Pvt Ltd. - C:\Program Files\Net Protector 2010\zvscan\ZVMonNT.exe
O23 - Service: Zero-V Registry Monitoring (ZVRegMon) - Message Labs Pvt Ltd. - C:\Program Files\Net Protector 2010\ZVRegMon\ZVRegMon.exe

--
End of file - 6083 bytes

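Added example, not part of the thread or of HijackThis: a Python parser for the log layout above plus a diff of the first log against the fresh one, which is the comparison johnb35 makes by eye after each step. The samples are a few lines copied from the two logs above; the helper names are mine.

```python
"""Parse HijackThis 2.x logs into structured records and diff two of them."""
import re
from typing import Dict, List, Tuple

# Constructed samples: a handful of lines from the two HijackThis logs posted
# above (first scan, then the rescan after Malwarebytes' "Remove Selected").
HJT_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:18:45 AM, on 08/03/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\Rscmpt.exe
C:\Documents and Settings\p\NPProt.exe
C:\WINDOWS\system32\mspaint.exe

O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O20 - Winlogon Notify: NPLogon - NPlogon.dll (file missing)
O23 - Service: NPAV Antivirus Protection (NPVProt) - Biz Secure Labs Pvt Ltd. - C:\Documents and Settings\p\NPProt.exe

--
End of file - 5944 bytes
"""
HJT_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:30:19 AM, on 08/03/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\Rscmpt.exe
C:\Documents and Settings\p\NPProt.exe
C:\WINDOWS\system32\NOTEPAD.EXE

O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O20 - Winlogon Notify: NPLogon - NPlogon.dll (file missing)
O23 - Service: NPAV Antivirus Protection (NPVProt) - Biz Secure Labs Pvt Ltd. - C:\Documents and Settings\p\NPProt.exe

--
End of file - 6083 bytes
"""

Entry = Tuple[str, str]  # (section code such as "O4", rest of the line)
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt_log(text: str) -> Tuple[List[str], List[str], List[Entry]]:
    """Split a log into its preamble lines, the 'Running processes' list and
    the R/O entries. A blank line ends the process list; '--' ends the entries."""
    preamble, processes, entries = [], [], []
    state = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if state == "preamble":
            if line == "Running processes:":
                state = "processes"
            elif line:
                preamble.append(line)
        elif state == "processes":
            if not line:
                state = "entries"
            else:
                processes.append(line)
        elif state == "entries":
            if line == "--":
                break
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m["code"], m["body"]))
    return preamble, processes, entries


def diff_hjt(before: str, after: str) -> Dict[str, List]:
    """Additions and removals between two logs (order-insensitive)."""
    _, procs_b, ent_b = parse_hjt_log(before)
    _, procs_a, ent_a = parse_hjt_log(after)
    return {
        "processes_started": sorted(set(procs_a) - set(procs_b)),
        "processes_gone": sorted(set(procs_b) - set(procs_a)),
        "entries_added": sorted(set(ent_a) - set(ent_b)),
        "entries_removed": sorted(set(ent_b) - set(ent_a)),
    }


def autorun_entries_for(entries: List[Entry], image_name: str) -> List[str]:
    """O4 (autostart) entries whose command mentions image_name, e.g. to tie
    the Rscmpt.exe seen at 91% CPU in Task Manager back to its Run key."""
    needle = image_name.lower()
    return [body for code, body in entries if code == "O4" and needle in body.lower()]


def missing_file_entries(entries: List[Entry]) -> List[Entry]:
    """Entries HijackThis tagged '(file missing)': a load point whose target it
    could not find, worth checking by hand (the O20 NPLogon line above)."""
    return [(c, b) for c, b in entries if b.endswith("(file missing)")]
```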

----------



## tinker

_I did not rescan the PC with Malwarebytes. I just clicked Remove Selected, then ran the HijackThis program and posted the log._

_Do you still insist that I rescan with Malwarebytes, which took more than an hour to scan? I can again go through that if needed. What's your opinion?_

*Hmm... there seems to be a lag in posting replies. I missed one of your posts and that's why I asked the above query.*


----------



## johnb35

You do not need to rerun malwarebytes.

Please do the following so we can run a deeper scan of your system.  

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## tinker

Cannot execute combofix.exe.


----------



## tinker

I have my OS firewall on. Shall I turn it off?


----------



## johnb35

No, this just means you are still badly infected.  Please download and run the following, then run combofix again.

http://download.bleepingcomputer.com/grinler/iExplore.exe

Download this file to your desktop and run it.  It will take a minute or two to run and it will produce a log when it's done.  Please copy and paste the log back here and then try running combofix again.

You will have to redownload combofix.


----------



## tinker

This log file is located at C:\rkill.log. 
Please post this only if requested to by the person helping you. 
Otherwise you can close this log when you wish. 

Rkill was run on 08/03/2011 at  1:57:05. 
Operating System: Microsoft Windows XP 


Processes terminated by Rkill or while it was running: 

C:\Documents and Settings\p\NPProt.exe


Rkill completed on 08/03/2011 at  1:58:14.


----------



## tinker

Cannot run Combofix. Same error


----------



## tinker

Is the file NPProt.exe from Net Protector, since Net Protector is my antivirus software?

Did my antivirus stop or terminate the Rkill process?


----------



## johnb35

tinker said:


> Cannot run Combofix. Same error



You need to redownload combofix.  The first one you downloaded is already corrupted.


----------



## tinker

John, if you don't mind, can I come back tomorrow? It's 2:00 am here and I am finding it hard to keep my eyes open.


----------



## tinker

Downloading combofix.


----------



## johnb35

I will be at work this time tomorrow, so if at all possible can you come back in like 6 or 7 hours?


----------



## tinker

johnb35 said:


> I will be at work this time tomorrow, so if at all possible can you come back in like 6 or 7 hours?



Got the same error again after downloading combofix.

7 hours from now, I will be back.

John, thanks for helping me out. You are the best :good:

Have a great day ahead.

signing off....zzzzzzzzzzzz


----------



## tinker

johnb35 said:


> I will be at work this time tomorrow, so if at all possible can you come back in like 6 or 7 hours?



There is a power cut at my home, so I am replying through a cyber cafe. Anyway, the cyber cafe won't help unless I go back home to my PC.


----------



## tinker

Back.

Problem reduced a bit.
CPU usage is down to 16% to 22% but overshoots immediately.
When I move the mouse, the CPU shoots to 100%. When I type fast it shoots to 100%.
My antivirus detects another antivirus and prompts me if it can disable it. I have clicked No till now and am waiting for your further guidance.


----------



## tinker




----------



## johnb35

Have you downloaded and ran combofix yet?  If not, please do so now as I have to leave for work in an hour and a half.


----------



## tinker

on it immediately


----------



## tinker

It's probably working.

Combofix prompted me to disable Net Protector; I have exited Net Protector and then clicked OK on the prompt window by combofix.


----------



## tinker

here is the prompt.


----------



## tinker

After I clicked on the OK prompt of combofix, nothing's happening.
Does it make a log somewhere?


----------



## johnb35

I don't need you to post every little detail.  All I need you to post is the log that it creates afterwards along with a fresh hijackthis log.  Copy and paste the whole log that combofix produces and post it back here.


----------



## johnb35

tinker said:


> After I clicked on the OK prompt of combofix, nothing's happening.
> Does it make a log somewhere?



Combofix may take some time to run if your machine is heavily infected.


----------



## tinker

Last time I missed one of your replies.

My graphics card is a 128 Mb Nvidia. I don't remember details.


----------



## DaveSi677

Just wondering, but did you go check to see what is installed in your Control Panel?  See if you do have another antivirus running...

It's obvious something is corrupted, but I was just being curious about the issue.


----------



## tinker

ComboFix 11-03-05.01 - p 08/03/2011  22:03:53.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.511.343 [GMT 5.5:30]
Running from: c:\documents and settings\p\My Documents\Downloads\ComboFix.exe
AV: Net Protector 2010 *Disabled/Updated* {5AE99E99-35D6-47B8-87C2-D8A82C07FB43}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Net Protector\Npbkp\e6d35f3aa51a65eb35c1f2340154a25e_54016.npb
c:\windows\system\MFC42D.DLL
c:\windows\system\MSVCRTD.DLL
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-08 to 2011-03-08  )))))))))))))))))))))))))))))))
.
.
2011-03-01 06:09 . 2011-03-01 06:09	--------	d-----r-	C:\MSOCache
2011-02-23 16:03 . 2011-03-07 19:47	--------	d-----r-	C:\Program Files
2011-02-23 16:00 . 2011-02-23 10:50	--------	d-----w-	C:\Documents and Settings
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-05 16:19 . 2011-03-05 16:19	119808	------w-	c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
.
[-] 2008-10-21 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"Rscmpt"="c:\windows\system32\Rscmpt.exe" [2002-08-22 481792]
"Zero-V Virus Shield"="c:\progra~1\NETPRO~1\EMAIL SCAN\EMAILSCN.EXE" [2011-03-01 141352]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-03-28 4616192]
"nwiz"="nwiz.exe" [2003-03-28 323584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-10 40048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-03-05 30192]
"MCtlSuc"="c:\program files\BSNL 3G Data Card\BSNL 3G\Resource\MCtlSuc.exe" [2010-01-13 91136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NPLogon]
2010-09-20 17:37	45056	----a-w-	c:\windows\system32\NPLOGON.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UGS\\NX 7.0\\UGII\\ugraf.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R2 NPVProt;NPAV Antivirus Protection;c:\documents and settings\p\NPProt.exe [23/02/2011 4:43 PM 45056]
R2 UG Nx-7.0;UG Nx-7.0;c:\program files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe [20/07/2009 8:20 AM 1372160]
R2 UG Nx 7.0;UG Nx 7.0;c:\program files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe [20/07/2009 8:20 AM 1372160]
R2 ZVONLINE;ZVONLINE;c:\progra~1\NETPRO~1\zvscan\ZVONLINE.SYS [10/05/2010 6:01 PM 18176]
R2 ZVRegMon;Zero-V Registry Monitoring;c:\program files\Net Protector 2010\ZVRegMon\ZVRegMon.exe [16/07/2010 7:26 PM 73728]
R3 u302bus;HSPADataCard WMC Bus Driver (WDM);c:\windows\system32\drivers\u302bus.sys [30/07/2010 9:23 AM 119112]
R3 u302mdfl;HSPADataCard Modem Filter;c:\windows\system32\drivers\u302mdfl.sys [30/07/2010 9:23 AM 14920]
R3 u302mdm;HSPADataCard Modem Driver;c:\windows\system32\drivers\u302mdm.sys [30/07/2010 9:23 AM 135880]
R3 u302mgmt;HSPADataCard USB Device Management Drivers (WDM);c:\windows\system32\drivers\u302mgmt.sys [30/07/2010 9:23 AM 129992]
S0 jtjqite;jtjqite;c:\windows\system32\drivers\ivdhhva.sys --> c:\windows\system32\drivers\ivdhhva.sys [?]
S2 ZeroVProtect;Zero-V AntiVirus Protection;c:\program files\Net Protector 2010\ZVScan\ZVMonNt.exe [01/06/2010 11:39 AM 208896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/03/2011 9:48 PM 30192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.bsnllive.in/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\p\Application Data\Mozilla\Firefox\Profiles\e3t5u5nz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
------- File Associations -------
.
batfile=c:\progra~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*
comfile=c:\progra~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*
exefile=c:\progra~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*
piffile=c:\progra~1\NETPRO~1\ZVScan\ExecScan.exe "%1" %*
scrfile=c:\progra~1\NETPRO~1\ZVScan\ExecScan.exe "%1" /S
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-08 22:11
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\NPlogon.dll
.
- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\UGS\NX 7.0\UGFLEXLM\ugslmd.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\CNAB4RPK.EXE
c:\windows\SOUNDMAN.EXE
.
**************************************************************************
.
Completion time: 2011-03-08  22:15:43 - machine was rebooted
ComboFix-quarantined-files.txt  2011-03-08 16:45
.
Pre-Run: 14,021,447,680 bytes free
Post-Run: 14,084,980,736 bytes free
.
- - End Of File - - BFE3098628CCE22FFDDD7379C5A330F5


----------



## tinker

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:16:24 PM, on 08/03/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\p\NPProt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
C:\Program Files\Net Protector 2010\ZVRegMon\ZVRegMon.exe
C:\Program Files\UGS\NX 7.0\UGFLEXLM\ugslmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rscmpt.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BSNL 3G Data Card\BSNL 3G\Resource\MCtlSuc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bsnllive.in/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Rscmpt] C:\WINDOWS\system32\Rscmpt.exe
O4 - HKLM\..\Run: [Zero-V Virus Shield] "C:\PROGRA~1\NETPRO~1\EMAIL SCAN\EMAILSCN.EXE"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [MCtlSuc] C:\Program Files\BSNL 3G Data Card\BSNL 3G\Resource\MCtlSuc.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: NPLogon - NPlogon.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NPAV Antivirus Protection (NPVProt) - Biz Secure Labs Pvt Ltd. - C:\Documents and Settings\p\NPProt.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: UG Nx 7.0 - Macrovision Corporation - C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
O23 - Service: UG Nx-7.0 - Macrovision Corporation - C:\Program Files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe
O23 - Service: Zero-V AntiVirus Protection (ZeroVProtect) - Biz Secure Labs Pvt Ltd. - C:\Program Files\Net Protector 2010\zvscan\ZVMonNT.exe
O23 - Service: Zero-V Registry Monitoring (ZVRegMon) - Message Labs Pvt Ltd. - C:\Program Files\Net Protector 2010\ZVRegMon\ZVRegMon.exe

--
End of file - 5747 bytes


----------



## tinker

DaveSi677 said:


> just out wondering but did you go check to see what is install in your control panel?  See if you do have another antivirus running...
> 
> Its obvious something is corrupted but I was just being curious about the issue



Yes. The only antivirus installed is Net Protector.

I was so confident about not having a virus or something, thinking that I had an original antivirus running. Now that thinking is blown out of my mind.

Antivirus software too has quality. Not all of it is good enough.

*I hope you know I installed Malwarebytes and HijackThis after John started helping me out. That is the only second (antivirus) installed. Before that it was only Net Protector.*


----------



## johnb35

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

```
Driver::
jtjqite

File::
c:\windows\system32\drivers\ivdhhva.sys
```

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Rerun hijackthis and place checks next to the following entries.

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O20 - Winlogon Notify: NPLogon - NPlogon.dll (file missing)

Then click on fix checked at the bottom.

Reboot your system and let me know if you are still having issues.


----------



## tinker

ComboFix 11-03-05.01 - p 08/03/2011  23:01:30.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.511.342 [GMT 5.5:30]
Running from: c:\documents and settings\p\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\p\Desktop\CFScript.txt
AV: Net Protector 2010 *Disabled/Updated* {5AE99E99-35D6-47B8-87C2-D8A82C07FB43}
.
FILE ::
"c:\windows\system32\drivers\ivdhhva.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system\MFC42D.DLL
c:\windows\system\MSVCRTD.DLL
.
.
(((((((((((((((((((((((((   Files Created from 2011-02-08 to 2011-03-08  )))))))))))))))))))))))))))))))
.
.
2011-03-08 17:14 . 2011-03-08 17:15	--------	d-----r-	C:\32788R22FWJFW
2011-03-01 06:09 . 2011-03-01 06:09	--------	d-----r-	C:\MSOCache
2011-02-23 16:03 . 2011-03-07 19:47	--------	d-----r-	C:\Program Files
2011-02-23 16:00 . 2011-02-23 10:50	--------	d-----w-	C:\Documents and Settings
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-05 16:19 . 2011-03-05 16:19	119808	------w-	c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
.
[-] 2008-10-21 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
.
(((((((((((((((((((((((((((((   SnapShot@2011-03-08_16.41.48   )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-08 17:29 . 2011-03-08 17:29	16384              c:\windows\Temp\Perflib_Perfdata_564.dat
+ 2011-03-08 09:00 . 2011-03-08 16:49	53248              c:\windows\Installer\{BF6F1CCB-4666-412B-810E-B6002BC01E33}\ARPPRODUCTICON.exe
- 2011-03-08 09:00 . 2011-03-08 09:00	53248              c:\windows\Installer\{BF6F1CCB-4666-412B-810E-B6002BC01E33}\ARPPRODUCTICON.exe
+ 2011-03-08 09:00 . 2011-03-08 16:49	204800              c:\windows\Installer\{BF6F1CCB-4666-412B-810E-B6002BC01E33}\BSNL_3G.exe_B9F38B60FD474B8A8B1CC66C5BF0015B.exe
- 2011-03-08 09:00 . 2011-03-08 09:00	204800              c:\windows\Installer\{BF6F1CCB-4666-412B-810E-B6002BC01E33}\BSNL_3G.exe_B9F38B60FD474B8A8B1CC66C5BF0015B.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"Rscmpt"="c:\windows\system32\Rscmpt.exe" [2002-08-22 481792]
"Zero-V Virus Shield"="c:\progra~1\NETPRO~1\EMAIL SCAN\EMAILSCN.EXE" [2011-03-01 141352]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-03-28 4616192]
"nwiz"="nwiz.exe" [2003-03-28 323584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-10 40048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-03-05 30192]
"MCtlSuc"="c:\program files\BSNL 3G Data Card\BSNL 3G\Resource\MCtlSuc.exe" [2010-01-13 91136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NPLogon]
2010-09-20 17:37	45056	----a-w-	c:\windows\system32\NPLOGON.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UGS\\NX 7.0\\UGII\\ugraf.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R2 NPVProt;NPAV Antivirus Protection;c:\documents and settings\p\NPProt.exe [23/02/2011 4:43 PM 45056]
R2 UG Nx 7.0;UG Nx 7.0;c:\program files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe [20/07/2009 8:20 AM 1372160]
R2 ZVONLINE;ZVONLINE;c:\program files\Net Protector 2010\ZVScan\ZVOnline.sys [10/05/2010 6:01 PM 18176]
R2 ZVRegMon;Zero-V Registry Monitoring;c:\program files\Net Protector 2010\ZVRegMon\ZVRegMon.exe [16/07/2010 7:26 PM 73728]
R3 u302bus;HSPADataCard WMC Bus Driver (WDM);c:\windows\system32\drivers\u302bus.sys [30/07/2010 9:23 AM 119112]
R3 u302mdfl;HSPADataCard Modem Filter;c:\windows\system32\drivers\u302mdfl.sys [30/07/2010 9:23 AM 14920]
R3 u302mdm;HSPADataCard Modem Driver;c:\windows\system32\drivers\u302mdm.sys [30/07/2010 9:23 AM 135880]
R3 u302mgmt;HSPADataCard USB Device Management Drivers (WDM);c:\windows\system32\drivers\u302mgmt.sys [30/07/2010 9:23 AM 129992]
S0 jtjqite;jtjqite;c:\windows\system32\drivers\ivdhhva.sys --> c:\windows\system32\drivers\ivdhhva.sys [?]
S2 UG Nx-7.0;UG Nx-7.0;c:\program files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe [20/07/2009 8:20 AM 1372160]
S2 ZeroVProtect;Zero-V AntiVirus Protection;c:\program files\Net Protector 2010\ZVScan\ZVMonNt.exe [01/06/2010 11:39 AM 208896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/03/2011 9:48 PM 30192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.bsnllive.in/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\p\Application Data\Mozilla\Firefox\Profiles\e3t5u5nz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-08 23:06
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\NPlogon.dll
.
Completion time: 2011-03-08  23:08:11
ComboFix-quarantined-files.txt  2011-03-08 17:38
ComboFix2.txt  2011-03-08 16:45
.
Pre-Run: 14,038,716,416 bytes free
Post-Run: 14,036,504,576 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 03885969762E1B6D178CC21866B98D50


----------



## tinker

The PC seems OK.
The CPU usage seems stable around 19 to 35% if I leave it on its own without touching anything.
As soon as I touch the mouse it shoots to 100%.
Typing is fine as before, no signs of lagging.


----------



## tinker

There is this file Rscmpt.exe in Task Manager/Processes. This file is the most volatile. It fluctuates from 22% to anywhere up to 95% or so.


----------



## tinker

John,
    I think you have solved this problem.


----------



## tinker

When I open a CAD software, the CPU runs at 100% even though I leave it alone.
The file Rscmpt.exe in Task Manager/Processes runs at 99%.


----------



## tinker

There used to be a file uploading process in the Taskbar/Applications; it seems like it has disappeared.

For John,
I can never forget the way you have helped me. The time you invested in my problem and the consistent follow-up is something I am seeing for the first time. You are one of the most outstanding moderators I have ever come across on the internet. No wonder the tag says *Super Moderator*. I am sincerely thankful to you.


----------



## Metal Man 2

:good:


----------



## johnb35

It looks like we still have 2 issues.

1.  Rscmpt.exe is still taking up your cpu usage.
2.  The entry in combofix is still there that needs to be removed. 

Look in Device Manager and tell me what is listed under Display adapters.

If you are running CAD software then I think you aren't running the proper card, or you have bad drivers installed.

Let's perform the ComboFix script again.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

```
Driver::
jtjqite

Service::
jtjqite

File::
c:\windows\system32\drivers\ivdhhva.sys
```

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!







ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.


----------
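Both CFScript posts above target the same line in the ComboFix log, `S0 jtjqite;jtjqite;c:\windows\system32\drivers\ivdhhva.sys --> c:\windows\system32\drivers\ivdhhva.sys [?]`: a boot-start driver service with a random-looking name whose binary ComboFix cannot find on disk. As an added editorial example (not code from this thread, from ComboFix, or from the helper), the Python below parses the service lines ComboFix prints under "Reg Loading Points", flags the objective signs a helper looks for (binary not found, boot-start driver with no timestamp or size, service binary under a user profile) plus one labelled heuristic (driver file name unrelated to the service name), and generates a CFScript in the Driver::/Service::/File:: form the posts use. The five sample lines are copied from the log above; the user-profile directory list, the three-character prefix rule and the choice of what goes into the script are this example's own assumptions.

```python
"""Triage of the service entries ComboFix prints under "Reg Loading Points".

Added editorial example; not a tool from this thread or from ComboFix.
It parses lines of the form
    R2 name;display;path [dd/mm/yyyy h:mm AM size]
    S0 name;display;path --> path [?]
flags the warning signs a malware-removal helper looks for, and emits a
CFScript in the Driver::/Service::/File:: form used in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: five service lines copied in the shape ComboFix prints.
SAMPLE_LINES = r"""R2 NPVProt;NPAV Antivirus Protection;c:\documents and settings\p\NPProt.exe [23/02/2011 4:43 PM 45056]
R2 UG Nx 7.0;UG Nx 7.0;c:\program files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe [20/07/2009 8:20 AM 1372160]
R3 u302bus;HSPADataCard WMC Bus Driver (WDM);c:\windows\system32\drivers\u302bus.sys [30/07/2010 9:23 AM 119112]
S0 jtjqite;jtjqite;c:\windows\system32\drivers\ivdhhva.sys --> c:\windows\system32\drivers\ivdhhva.sys [?]
S2 ZeroVProtect;Zero-V AntiVirus Protection;c:\program files\Net Protector 2010\ZVScan\ZVMonNt.exe [01/06/2010 11:39 AM 208896]
"""

SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
STAMP_RE = re.compile(r"^(?P<path>.+?) \[\d{2}/\d{2}/\d{4} [\d:]+ [AP]M (?P<size>\d+)\]$")

# Directories a Windows service binary is not expected to run from (assumption).
USER_PROFILE_DIRS = ("\\documents and settings\\", "\\users\\")


@dataclass
class ServiceEntry:
    start: str           # R2/S0/... start type as printed by ComboFix
    name: str            # registry service name
    display: str         # display name
    path: str            # binary path
    size: Optional[int]  # file size; None when ComboFix could not stat the file
    file_found: bool     # False when the line ends in "[?]"


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Return a ServiceEntry for one ComboFix service line, or None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m["rest"]
    if rest.endswith("[?]"):
        # "path --> path [?]" is how ComboFix reports a binary it cannot find.
        path = rest.split(" --> ")[0].strip()
        return ServiceEntry(m["start"], m["name"], m["display"], path, None, False)
    s = STAMP_RE.match(rest)
    if s is None:
        return ServiceEntry(m["start"], m["name"], m["display"], rest.strip(), None, True)
    return ServiceEntry(m["start"], m["name"], m["display"], s["path"], int(s["size"]), True)


def _basename_stem(path: str) -> str:
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def suspicious_reasons(e: ServiceEntry) -> List[str]:
    """Objective warning signs, plus one labelled heuristic."""
    reasons: List[str] = []
    if not e.file_found:
        reasons.append("binary not found on disk ([?])")
    if e.start == "S0" and e.size is None:
        reasons.append("boot-start driver with no timestamp or size")
    if any(d in e.path.lower() for d in USER_PROFILE_DIRS):
        reasons.append("binary lives under a user profile directory")
    # Heuristic (assumption): a legitimate driver's file name usually shares a
    # prefix with its service name (u302bus -> u302bus.sys); jtjqite -> ivdhhva.sys does not.
    if e.path.lower().endswith(".sys") and _basename_stem(e.path)[:3] != e.name.lower()[:3]:
        reasons.append("driver file name unrelated to service name (heuristic)")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged service name to its reasons; clean entries are omitted."""
    out: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_service_line(line)
        if e is None:
            continue
        r = suspicious_reasons(e)
        if r:
            out[e.name] = r
    return out


def build_cfscript(entries: List[ServiceEntry]) -> str:
    """CFScript text (Driver::/Service::/File:: sections, as in the thread) that
    removes every entry whose binary ComboFix could not find."""
    targets = [e for e in entries if not e.file_found]
    names = "\n".join(e.name for e in targets)
    files = "\n".join(e.path for e in targets)
    return f"Driver::\n{names}\n\nService::\n{names}\n\nFile::\n{files}\n"


if __name__ == "__main__":
    parsed = [e for e in map(parse_service_line, SAMPLE_LINES.splitlines()) if e]
    for name, why in triage(SAMPLE_LINES).items():
        print(f"{name}: {'; '.join(why)}")
    print(build_cfscript(parsed))
```

Run as a script it prints the flagged entries and the generated CFScript. NPVProt is flagged only because its binary sits under the user's profile, which is unusual for a service but not proof of anything; jtjqite collects all three driver-related flags. A helper still verifies every flagged entry by hand before writing it into a script that ComboFix will act on.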



## tinker

Under Device Manager > Display adapters: GeForce4 MX440 with AGP8X

Performing the ComboFix advice.

John, it's 10 am here, and I think it's probably the end of the day for you there. Just in case you are leaving, I can come back at your starting time (night at my place).


----------



## tinker

When I tried ComboFix today as you suggested, the program did not work. My antivirus must have stopped it.
When I bring the ComboFix icon to the desktop, it disappears in 2 secs.
When I run the ComboFix program a message appears saying "Not a valid Win32 application", and after that a second window saying "Process cannot be executed".

I tried running it with the antivirus closed, but it still failed.
Can't figure out what to do.
The CPU is back to 100%.


----------



## tinker

Double post due to the internet getting disconnected.


----------



## tinker

I have a hunch that my antivirus is messing things up, because I was not able to connect to the internet for almost half an hour. It was only after I closed it that I got connected properly.

I am using a 3g internet usb device.


----------



## johnb35

Please post an uninstall list using HijackThis. Open HijackThis, click on Open Misc Tools Section, click on Open Uninstall Manager, click on Save List and save it to your desktop. Then copy and paste the log back here.

Please delete the existing combofix file from your desktop.  Uninstall your current antivirus program, we will install a better one after we get your system cleaned up.   Please download a new combofix file from here and save it to your desktop.

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then run the procedure I last mentioned and post the new log.


----------



## johnb35

Are you still with me or did you give up?


----------

