
Possible Spyware CPU running at 100%

Discussion in 'Malware and Virus Removal Archive' started by Master Green, 2007/07/23.

  1. 2007/07/23
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Hi,
    This may be slightly lengthy but I will do my best to trim what I can that won't be essential in solving the problem(s)...I am trying to assist a friend who basically has had no protection on their Windows XP computer (approx 3 to 4 yrs old) with the exception of Virus Protection...The owner before calling me did a system restore back to day one, in doing that a few other problems were inherited, one of them being it took approx 15 hrs while trying to remove infections, to reinstall 40 Microsoft Updates...Anyways, here's what I have done:
    (1) Downloaded AVG (because theirs had expired)= found one trojan.
    (2) Downloaded Spyware Blaster.
    (3) Downloaded Spyware Guard.
    (4) Ran XCleaner = found 10 & removed all.
    (5) Downloaded AdawareSE(2007) = found 80 and removed them.
    (6) Ran ATF Cleaner = freed up 206,293 MB of space.
    (7) Ran SFC = no problems.
    (8) Downloaded Spybot = found 47 and removed them all.
    (9) Downloaded AVG Anti-Spyware = found 451 and removed them all.
    (10) Downloaded AVG = found none.
    (11) Downloaded Spy Hunter = found 7 and removed them.
    Note: From the start to now, the CPU kept running at 100%.
    (12) TaskManager = end process for several which lowered the CPU; something would raise it back up...To the best of my knowledge, this is an indication of something running, most likely spyware, etc...
    (13) Process Explorer = could not find or pick out anything that appeared suspicious.
    (14) Found and removed more temps, temp internet and cookies.
    (15) Checked and unchecked programs in startup (msconfig).
    (16) Checked Add/Remove and after finding nothing suspicious, I uninstalled Norton and McAfee.
    Note: One of the tricks to removing multiple infections is to keep re-running the scans but despite the reduction each one was presenting after it was done the CPU kept running and at times would fluctuate to lower percentages but climb and hold steady at 100%.
    (17) Downloaded VundoFix = found nothing
    (18) Downloaded Rootkit Revealer = found 4 discrepancies (but I could not decipher them).

    I am exhausted and would appreciate any assistance and/or suggestions. Please note I am able to access the Internet still but the CPU problem is causing the computer to run slow and at certain times very slow...I have had to uninstall and reinstall some of the above because of the CPU issue...
     
  2. 2007/07/23
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    Use HijackThis & post a log here in this thread. And also post those rootkit discrepancies.
     

  4. 2007/07/24
    Master Green

    Hi,
    Okay I will do but won't be able to do so till this afternoon...I also wanted to mention that I checked inside the tower and there was a considerable amount of dust around the CPU, power supply and fan...It also did not make a difference after I cleaned it out...Thanks
     
  5. 2007/07/24
    Master Green

    Hi,
    While I can't post a HijackLog till this afternoon, I wanted to add two more things I inadvertently forgot to add:
    (1) This particular computer does not have the SP2, it may have at one point and I'm guessing it was removed when the system restore was done ? It has been to my understanding not to reinstall it when there are pending infections.
    (2) Also, one of the scans that were done "Trojan Vundo" was found and that is why I ran the Vundofix...
    (3) The owner of the computer (plus myself), cannot access their yahoo mail account, "this page cannot be displayed" keeps coming up after clicking on "mail" and even when trying to "sign in"...Not sure what's up there other than I suspect some type of corrupt file as the cause...
     
  6. 2007/07/24
    Master Green

    Logfile of HijackThis v1.99.1
    Scan saved at 11:58:29 AM, on 7/24/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1184528203343
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     
  7. 2007/07/24
    Master Green

    Hi,
    When I went to save the previous HijackThis log to the C: drive I noticed it was saved to temp file so I am re-submitting it...

    Logfile of HijackThis v1.99.1
    Scan saved at 12:04:42 PM, on 7/24/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1184528203343
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
     
  8. 2007/07/24
    TonyT

    Nothing unusual in the logs, what about that rootkit stuff?
    Also, try booting into safe mode & see how the cpu % goes.
     
  9. 2007/07/24
    Master Green

    Hi,
    I tried saving the log from the rootkit scan but for some reason it disappeared, will try it again later...I also will try the safe mode suggestion and post back later...What should I consider if all is well while in safe mode with the CPU and if all is not well ??? Thanks for your assistance.
     
  10. 2007/07/24
    TonyT

    Last edited: 2007/07/24
  11. 2007/07/24
    Master Green

    Hi,
    I booted the computer to safe mode and the CPU started at 50% and worked its way down to 0%...I am going to uninstall the printer and camera thing the owner has and see if by chance they are playing a part in this issue and post back soon...
     
  12. 2007/07/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Master Green :)

    Just wanted to point out something.

    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    You have run HijackThis from a temp folder, without unzipping it first as well. With the number of logs you've posted in the past, you should know better. ;)

    Download and save Process Explorer.

    http://www.microsoft.com/technet/sysinternals/Utilities/ProcessExplorer.mspx

    Extract and run it to see if you can home in on whatever is using CPU cycles. Once you find it, click to select the process. Then click View from the menu, make sure Show Lower Pane is checked, point to Lower Pane view and select DLLs. Wait for the lower pane to populate, then click File>Save As. Save the text file to the desktop and post it please.
     
  13. 2007/07/24
    Master Green

    Hi TonyT
    Attn: Noahdfear

    I agree I should know better, what happened is when I saved it first to the C: drive it appeared to have done the same thing so I re-did it but this time to my documents and once again it happened...I realized my mistake afterwards and for that I apologize...In the mean time I have uninstalled the following:
    (1) hp photosmart
    (2) photo record
    (3) lexmark
    (4) photo stitch
    (5) power shot WIA Driver
    (6) coupon.com
    (7) comcast photo show deluxe
    (8) spam subtract
    (9) bounce out
    (10) magic ball
    (11) raw image converter
    (12) canon remote capture
    (13) zoom browser
    (14) hp image zone
    (15) hp deskjet pre-loaded drivers
    (16) photo smart 140,240,7200,7600,7700,7900 series
    Note: The CPU is now running normal and even though that might be good news I still have the problem of trying to figure out why I keep getting "page cannot be displayed" page problem every time I click on yahoo mail ???
     
  14. 2007/07/24
    Master Green

    Hi,
    Just a little update...I have uninstalled the following in addition to the previous uninstalled programs:
    (1) python
    (2) zone.com (games)
    (3) hp photo & imaging - hp devices
    (4) hp psc - office jet 3.0
    (5) pc doctor (after this was uninstalled the cpu stopped starting at 100% and working its way down to 0%)..
    (6) text twist deluxe

    It appears we have solved the CPU problem but now I need help or advice on the yahoo mail situation...
     
  15. 2007/07/24
    noahdfear

    Glad you got the cpu issue worked out. :)

    RE: the Yahoo mail issue.

    First, close Internet Explorer, then open Internet options in the Control Panel. Clear all Temporary Internet Files, including offline content, then delete the cookies.

    If the problem persists, check to see that you can access Yahoo Mail from IE. If so, check the properties of the Yahoo Mail shortcut. What is the Target value?
     
  16. 2007/07/25
    Master Green

    Attn:Noahdfear

    My thoughts are entertaining the possibility of a corrupted file because I have cleared what is all the recommended items by using the manual methods along with ATF Cleaner and still unable to access yahoo mail...

    Their default browser is Internet Explorer, Home page is set to Yahoo web site and when I type in www.yahoo.com I get the same page and the same problem...I have tried signing in and logging in and still get "page cannot be displayed"...Getting in and checking accounts, preferences, etc is not an option at this point because of the access issue...

    I am able to access other web sites so the winsock and other connection issues can be safely ruled out and that is one reason I felt there was a possibility of a corrupt file that may or may not be related to Outlook Express that resulted from the infections and system restore that rolled everything back to day one...Thoughts I am only pondering at this time...
     
  17. 2007/07/25
    noahdfear

    I don't see any HOSTS file entries in the HJT log, so check IE's restricted zone to see if yahoo is being blocked.
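
An added example, not part of the original posts: a small Python parser for the HijackThis log format shown in this thread that reports the two things the helpers read off the log, namely whether it contains any O1 (HOSTS file) entries and whether HijackThis.exe was launched from a temp or zip-extraction folder. `THREAD_LOG` is a shortened excerpt of the log posted above; `CONSTRUCTED_LOG`, its `example.test` hostnames, and all function names are assumptions made for the illustration.

```python
import re

# HijackThis section codes: R0-R3, F0-F3, N1-N4, O1-O2x, then " - " and the entry body.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*)$")
# O1 entries have the form "Hosts: <ip> <hostname>".
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)", re.IGNORECASE)

# Shortened excerpt of the log posted in this thread.
THREAD_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:04:42 PM, on 7/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5,1,1,0.dll
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
"""

# Constructed for contrast (not from the thread): a log that does carry O1 entries.
CONSTRUCTED_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\HJT\HijackThis.exe

O1 - Hosts: 127.0.0.1 mail.example.test
O1 - Hosts: 127.0.0.1 www.example.test
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
"""


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        entry = ENTRY_RE.match(line)
        if in_processes and line and not entry:
            processes.append(line)
            continue
        in_processes = False  # a blank line or the first entry ends the process list
        if entry:
            entries.append((entry.group(1), entry.group(2)))
    return {"processes": processes, "entries": entries}


def hosts_entries(parsed, domain=None):
    """Return (ip, hostname) pairs from O1 lines, optionally limited to one domain."""
    found = []
    for code, body in parsed["entries"]:
        m = HOSTS_RE.match(body) if code == "O1" else None
        if not m:
            continue
        ip, host = m.group(1), m.group(2).lower()
        if domain is None or host == domain or host.endswith("." + domain):
            found.append((ip, host))
    return found


def scanner_run_from_temp(parsed):
    """Return the HijackThis.exe path if it ran from a Temp folder, else None."""
    for path in parsed["processes"]:
        p = path.lower()
        if p.endswith("\\hijackthis.exe") and "\\temp\\" in p:
            return path
    return None


if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("constructed", CONSTRUCTED_LOG)):
        parsed = parse_hjt(log)
        print(name, "O1 entries:", hosts_entries(parsed))
        print(name, "run from temp:", scanner_run_from_temp(parsed))
```
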
     
  18. 2007/07/25
    Master Green

    Hi Noahdfear,

    I checked the CPU and it's running around 10% which is good news, then I did as you suggested with the cookies and offline, etc and that unfortunately did not make a difference...Nothing was listed in the restricted zone...

    When I checked the target value, this is what was listed:
    penURL http://mail.yahoo.com/?redir+ymmapi9

    I then clicked on find target and it now has:
    C:/WINDOWS/system32/rundll32.exe C:pROG

    The mystery remains...
     
  19. 2007/07/25
    TonyT

    Uninstall or reinstall that Yahoo Companion. Myself, I never ever use those yahoo or google toolbars & search tools, I just search via the engines' main pages. You could have a corrupted directory (e.g. index.dat files) in Cookies, History &/or Temp Internet Files. Try deleting the entire directories completely. They get regenerated next time IE is run. To do this you have to log on in the built-in Admin account & delete the dirs of the user accounts in:

    %UserProfile%\Local Settings\Temporary Internet Files
    %UserProfile%\Cookies
    %UserProfile%\Local Settings\History
     
  20. 2007/07/25
    noahdfear

    What you originally saw in the target field was part of the correct string, it just wasn't all visible, and now all you see is the first part of it. The following would be the proper string, and if you click in the target section then use the arrow keys to move the cursor position, you should see it all.

    Code:
    C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yahoo!\Common\ymmapi.dll,OpenURL http://mail.yahoo.com/?redir+ymmapi9
    Give Tony's recommendation a shot, and if that doesn't help, set Windows to show hidden files and folders, then do a search of the entire drive for HOSTS. Let us know what all paths are found.

    You might also want to run DelDomains.inf

    http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click and select Save Target As, then save it to the desktop. Right click the file and select Install. Reboot.
     
  21. 2007/07/25
    Master Green

    Hi,
    Thank you TonyT and Noahdfear for that info, will see what I can do...In the mean time, I have tried to ping www.yahoo.com and got "not recognized as internal or external command" for a reply...

    I also ran Process Explorer again, and in one of the svchost listings, I right clicked on it and saw under the tab TCP/IP the following listed: your-xb2x7 and to the right under state, it said "Listening"...I could not find any info on it so I clicked on remove...It appears to have caused no additional problems nor did it help any...

    In addition to all these headaches, AVG is causing the CPU to run at 100% again...When I click on end process (in task mgr), the CPU runs low...But whatever is going on, accessing the Internet is not always possible...
     
