Virus Issue

Discussion in 'OT Technology' started by METALLlC BLUE, Nov 21, 2004.

  1. deezil

    deezil Guest

  2. I'm running Win XP, and I was downloading some software over the last few days for popup blockers, and I downloaded Yahoo Blocker, Google Blocker, and then ran AdAware 6 [which I've since removed to get Ad Aware SE].

    Anyway, I'm having very high CPU usage, and High Memory Usage in the Windows Task Manager. I keep closing dostask.exe because it keeps using nearly 90-100% of the CPU, and it keeps maxing out my memory which is 1/2 Gig.

    When I start the machine, the system runs fine, but then it begins to climb. I close it, and it climbs again, and then repeat.

    I also did a search for dostask.exe and found this file: DOSTASK.EXE-25D34F68.pf located in the F:\Windows\Prefetch folder. Any help is appreciated.

    Important Note: F:\ is my main drive.

    Can anyone tell me what I should do? :(
     
  3. I have installed Spywareblaster, Spybot, AVG, McAfee, HijackThis, Ad Aware SE, and I have also installed Firefox. I also deleted the file which the dostask.exe file was located in, however I also see the file showing up here in the "Hijack" program.

    Problem: The dostask.exe program keeps starting every time my system begins and continues to hammer my system resources including CPU and memory. However, after running all of the software programs listed in the sticky - it no longer starts up again after I end the process.

    The location of dostask.exe now is: F:\WINDOWS\System32\1033\dostask.exe - when I look in msconfig it says the location is: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    When I go to the location to find the file I do not find dostask.exe
     
  4. I ran Hijack This.

    Here is the log. If anyone would be so kind as to tell me what I can and can't delete that may help too. The dostask.exe issue is obviously the most important. I've placed the dostask.exe entry in bold and red.

    Log from Hijack This:

    Logfile of HijackThis v1.98.2
    Scan saved at 5:31:42 PM, on 11/21/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    F:\WINDOWS\System32\smss.exe
    F:\WINDOWS\System32\winlogon.exe
    F:\WINDOWS\system32\services.exe
    F:\WINDOWS\system32\lsass.exe
    F:\WINDOWS\system32\svchost.exe
    F:\WINDOWS\System32\svchost.exe
    F:\Program Files\Sygate\SPF\smc.exe
    F:\WINDOWS\Explorer.EXE
    F:\WINDOWS\system32\spoolsv.exe
    F:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    F:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
    f:\program files\mcafee.com\agent\mcagent.exe
    F:\WINDOWS\System32\RUNDLL32.EXE
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    F:\WINDOWS\system32\tbctray.exe
    F:\WINDOWS\System32\ctfmon.exe
    F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    F:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    F:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    f:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    F:\WINDOWS\System32\svchost.exe
    f:\PROGRA~1\mcafee.com\vso\mcshield.exe
    F:\Program Files\Mozilla Firefox\firefox.exe
    F:\WINDOWS\System32\taskmgr.exe
    F:\Program Files\Outlook Express\msimn.exe
    F:\Documents and Settings\Michael\My Documents\Mike & Sue's Personal Files\MB58SC\Programs For Extraction\HijackThis.exe
    F:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
    O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - F:\Program Files\Kontiki\bin\bh309190.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - f:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [TraySantaCruz] F:\WINDOWS\system32\tbctray.exe
    O4 - HKLM\..\Run: [McRegWiz] F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [*dostask] F:\WINDOWS\system32\1033\dostask.exe
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [WinTools] F:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O8 - Extra context menu item: &Google Search - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://F:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Linked Ima&ges - F:\Program Files\IEimage\IEimage.htm
    O8 - Extra context menu item: Similar Pages - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://F:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
    O9 - Extra button: Linked Images - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - F:\Program Files\IEimage\IEimage.htm
    O9 - Extra 'Tools' menuitem: Linked Ima&ges - {D8980DE8-9D4C-4fb0-8FB4-95B1FA4125AD} - F:\Program Files\IEimage\IEimage.htm
    O9 - Extra button: Support - {9F3EA673-973B-4151-A04D-014A62C2BA46} - http://www.comcastsupport.com (file missing) (HKCU)
    O9 - Extra button: ComcastHSI - {D980738F-A97A-4427-A0A4-DE6837437F82} - http://www.comcast.net (file missing) (HKCU)
    O9 - Extra button: Help - {FF50BD80-103C-4B6D-97D0-A5E0047445D1} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
     
  5. deezil

    deezil Guest

    :dunno: It might just be a time for reformat and reinstall. I can't find anything on google with this. It must be a new virus variant, and with AVG installed, it should find it. I don't know how you have AVG and McAfee running at the same time, but, whateva. You might want to go to the registry key that points to dostask.exe and delete it as well.
     
  6. Shaggy007

    Shaggy007 New Member

    Joined:
    Oct 22, 2003
    Messages:
    901
    Likes Received:
    0
    Location:
    In the Springtime of my youth
    Have you tried removing the reg entry and deleting the file yet?
     
  7. I haven't. I was concerned that it would cause problems. However, whenever I close the program in Task Manager it doesn't cause any problems.
     
  8. P07r0457

    P07r0457 New Member

    Joined:
    Sep 20, 2004
    Messages:
    28,491
    Likes Received:
    0
    Location:
    Southern Oregon
    You can remove anything in [HKLM or HKCU]/Microsoft/Windows/CurrentVersion/Run without problems. At most, you'll lose some features that program provided. For example, antivirus programs put an entry there to start. So do all the crappy programs you want gone, like Quicktime Startup. Viri also place entries there.

    I would end-task the program and then remove the entry. Then reboot and delete the file.
     
  9. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    You have WAY overkill in the anti Spyware/Virus etc. Basically there is NOTHING in that HijackThis log that is really needed.... They are all toys, spyware/virus protection and addons. A few good programs BEFORE you have a problem are a lot better than many programs after it's too late.

    The problem is that if you do remove all the items listed the good things are going to go away and the bad ones are just going to come right back. With a few of the 'GOOD' things gone you're going to run into issues. (I would not suggest you delete all the lines - your antivirus will not be happy - but you do not need them to run the computer...)

    So in my opinion you need to either

    Reformat/start over
    OR
    Go through the programs and remove the stuff you do not need. You have McAfee and AVG both (get rid of McAfee), you have Spybot and Adaware, etc. (OK, they can live together OK). TeaTimer in my opinion is horrible - SP2 set up correctly will do all you need. C-Dilla RTS Service (cdantsrv.exe) is an antipiracy program you do not really want wasting your resources (not that I am advocating piracy but you should not have to waste your CPU clicks guarding against you playing a copy of a CD). This program most likely came with the Comcast install which you really don't need either. (XP has its own PPPoE client).

    If you choose the second route, delete all the redundant and useless junk then post a new HijackThis log (and to make our lives a little easier please close all programs before running).

    By the way jollyogre virii is not a word, plural of virus is viruses.
     
  10. P07r0457

    P07r0457 New Member

    :rofl: You're wrong bro.
     
  11. xheliox

    xheliox It's Good To Be King

    Joined:
    Nov 10, 2003
    Messages:
    120
    Likes Received:
    0
    Location:
    Altamonte Springs, FL
  12. Good advice, especially what my research led me to do. I removed the lines individually as well as the programs individually. All is well now.
     
  13. Can you tell me which files I can delete from my recent Hijackthis log? I'm not looking to remove all of them - I can just check off which ones I do and don't need. Let me know.
     
  14. P07r0457

    P07r0457 New Member

    Remove in favor of a better AV, such as AVG:

    O4 - HKLM\..\Run: [VSOCheckTask] "f:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] f:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] F:\PROGRA~1\mcafee.com\agent\McUpdate.exe

    remove because it's pointless:
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    remove unless you use nView (part of the nVidia Driver) I remove it to save ram and speed:
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit


    Remove:
    O4 - HKLM\..\Run: [TraySantaCruz] F:\WINDOWS\system32\tbctray.exe
    O4 - HKLM\..\Run: [McRegWiz] F:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
    O4 - HKLM\..\Run: [*dostask] F:\WINDOWS\system32\1033\dostask.exe
    O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [WinTools] F:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

    I don't like teatimer, so I remove it:
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe



    Leave:
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] F:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [SmcService] F:\PROGRA~1\Sygate\SPF\smc.exe -startgui
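
The O4 autorun lines sorted by hand in this thread can also be triaged mechanically. The following is an added example, not part of any post above: it parses a few lines copied from the posted HijackThis log and applies three review heuristics that are assumptions chosen for illustration (`Autorun`, `image_of`, `parse_o4` and `triage` are hypothetical names).

```python
import re
from typing import NamedTuple

# A few O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VirusScan Online] "f:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [*dostask] F:\WINDOWS\system32\1033\dostask.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^\s*O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+?)\s*$")

class Autorun(NamedTuple):
    hive: str
    key: str
    name: str
    command: str
    image: str  # program the command launches (best effort)

def image_of(command: str) -> str:
    """Pull the program path out of a Run value's command line."""
    if command.startswith('"'):                      # quoted path
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)  # unquoted, may hold spaces
    return m.group(1) if m else command.split()[0]

def parse_o4(log: str) -> list[Autorun]:
    found = (O4_RE.match(line) for line in log.splitlines())
    return [Autorun(*m.groups(), image_of(m.group(4))) for m in found if m]

def triage(e: Autorun) -> list[str]:
    """Reasons to look closer (assumed heuristics, not HijackThis verdicts)."""
    reasons = []
    if not e.name[0].isalnum():
        reasons.append("value name starts with a symbol")
    if re.search(r"\\system32\\\d+\\[^\\]+$", e.image, re.IGNORECASE):
        reasons.append("program in a numeric system32 subfolder")
    if "\\" not in e.image:
        reasons.append("no directory given, resolved via search path")
    return reasons

if __name__ == "__main__":
    for e in parse_o4(SAMPLE_LOG):
        print(f"{e.hive} [{e.name}] {e.image} -> {triage(e) or 'no flags'}")
```

A flag here only marks an entry for manual review; entries with no flags still need the kind of per-program judgement given in the post above.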
     

  15. Thanks for your help. This was good. :)
     
