CPU Usage Always High



My CPU Usage load is usually in the 90-100% range. My computer runs ultra-slow, but occasionally when I restart the usage is in the 0-10% range. I think that a virus of sorts is using a high priority hidden process to download spyware to my computer (which is immediately deleted by Norton IS 2005). The suspected culprit is Trojan.StartPage.M. It uses a hidden file (DLL, BAT, or otherwise) to download another DLL with a random name as well as a file called SE. The random DLL and SE are deleted automatically, but I can't find the source DLL despite all my efforts.

Here is my HijackThis log:

Logfile of HijackThis v1.99.0

Scan saved at 12:32:33 AM, on 7/24/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Norton Internet Security\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\System32\cisvc.exe

C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Virtual CD v4\System\vcdsecs.exe

C:\WINNT\system32\SK9910DM.EXE

C:\WINNT\GWMDMMSG.exe

C:\WINNT\System32\hkcmd.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe

C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

C:\WINNT\SM1BG.EXE

C:\Program Files\PhoneTools\CapFax.EXE

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE

C:\Program Files\AutoSizer\AutoSizer.exe

C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe

C:\WINNT\system32\taskmgr.exe

C:\WINNT\system32\cidaemon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe

C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

O2 - BHO: (no name) - {907785E7-927A-42F7-9A76-039EF053CF23} - (no file)

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {D92DF25A-2D44-42E4-8D6B-2ADDA0310B73} - C:\WINNT\system32\alkccah.dll (file missing)

O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)

O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINNT\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe

O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe

O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe

O4 - HKLM\..\Run: [EPSON Stylus C62 Series (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P32 "EPSON Stylus C62 Series (Copy 1)" /O6 "USB002" /M "Stylus C62"

O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"

O4 - HKLM\..\Run: [share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe

O4 - HKLM\..\Run: [sM1BG] C:\WINNT\SM1BG.EXE

O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [WhatPulse] C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE

O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm

O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O12 - Plugin for .png: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin6.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com

O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/cha...v43/yacscom.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1....g/GoogleNav.cab

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://gateway.cf1live.com/eSupport/static...h/weblaunch.cab

O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) -

O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by10fd.bay10.hotmail.msn.com/activex/HMAtchmt.ocx

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O18 - Filter: text/html - {B007D478-9A44-4FB0-B5DB-887F3A58E29F} - C:\WINNT\system32\alkccah.dll

O18 - Filter: text/plain - {B007D478-9A44-4FB0-B5DB-887F3A58E29F} - C:\WINNT\system32\alkccah.dll

O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe

O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe

O23 - Service: Intel® NMS - Intel Corporation - C:\WINNT\System32\NMSSvc.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: system33r - Unknown - C:\Program Files\HHT\bircd.exe (file missing)

O23 - Service: Virtual CD v4 Security service - H+H Software GmbH - C:\Program Files\Virtual CD v4\System\vcdsecs.exe

I have 256MB of RAM. If this is in the wrong forum, please move it. Thank you for any support you may be able to give. :)

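A small triage script for logs in this format, added here as an example; it is not part of the thread and not HijackThis's own code. It splits each `R`/`O` entry into a code and a body and flags the patterns that mark the suspicious lines in the log above: an IE search or start setting resolving to a `res://` resource inside a DLL in a temp folder, browser extensions whose file is missing, `text/html` or `text/plain` protocol filters, autorun entries that load a temp-folder DLL through rundll32 (the Run value the Symantec write-up quoted later in the thread describes), and services with an unknown vendor or missing binary. The sample lines are copied from the posted log, plus one constructed `[sp]` entry written to match that Symantec description.

```python
import re
from dataclasses import dataclass

# HijackThis prints one entry per line: "<code> - <body>", e.g. "O2 - BHO: name - {CLSID} - path".
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# A path component inside a Temp folder, or the %temp% variable used in the Run value.
TEMP_DIR = re.compile(r"\\temp\\|%temp%", re.IGNORECASE)
# HijackThis annotations for entries whose target no longer exists on disk.
ORPHAN = re.compile(r"\((no file|file missing)\)", re.IGNORECASE)
# MIME types whose protocol filter can rewrite every page Internet Explorer renders.
CONTENT_FILTERS = {"text/html", "text/plain"}


@dataclass
class Finding:
    code: str
    line: str
    reason: str


def parse_entry(line):
    """Return (code, body) for a HijackThis entry line, or None for headers and process lists."""
    m = ENTRY.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_entry(code, body):
    """Return a reason string if the entry matches a suspicious pattern, else None."""
    lowered = body.lower()
    if code in ("R0", "R1") and "=" in body:
        value = body.split("=", 1)[1].strip()
        if value.lower().startswith("res://") and TEMP_DIR.search(value):
            return "IE search/start setting resolves to a resource inside a DLL in a temp folder"
    elif code in ("O2", "O3", "O9") and ORPHAN.search(body):
        return "registered browser extension whose file is missing (orphaned or self-deleting component)"
    elif code == "O4" and "rundll32" in lowered and TEMP_DIR.search(body):
        return "autorun entry loads a DLL from a temp folder through rundll32"
    elif code == "O18":
        m = re.match(r"Filter: (\S+)", body)
        if m and m.group(1).lower() in CONTENT_FILTERS:
            return f"protocol filter on {m.group(1)} can rewrite page content before IE shows it"
    elif code == "O23" and (" - Unknown - " in body or ORPHAN.search(body)):
        return "service with an unknown vendor or a missing binary"
    return None


def scan_log(text):
    """Run every entry of a HijackThis log through check_entry and collect the hits."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        reason = check_entry(*parsed)
        if reason:
            findings.append(Finding(parsed[0], raw.strip(), reason))
    return findings


# Constructed sample: entries copied from the log posted above, plus one "[sp]" Run entry
# written to match the Symantec description quoted later in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {907785E7-927A-42F7-9A76-039EF053CF23} - (no file)
O2 - BHO: (no name) - {D92DF25A-2D44-42E4-8D6B-2ADDA0310B73} - C:\WINNT\system32\alkccah.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {B007D478-9A44-4FB0-B5DB-887F3A58E29F} - C:\WINNT\system32\alkccah.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: system33r - Unknown - C:\Program Files\HHT\bircd.exe (file missing)
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

The rules are deliberately narrow: a `(file missing)` BHO or an orphaned `O23` service is not proof of infection on its own, but in this log they line up with the `res://...\Temp\se.dll` search bar and the `alkccah.dll` filters, which is the combination worth acting on. Run it on a saved log with `scan_log(open("hijackthis.log").read())`.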

Every process running is shown in Task Manager; list them all and I can tell you which one it is.

After that, run a search for that file on your computer. Chances are it won't let you delete it...

So end the process and then try it again.

The DLL will always be associated with Windows, so you'll have to get a program that deletes files before Windows boots, meaning that the file is buggered. lol

Then type regedit in the Run command, and look in the software category, looking for all ****, like 180search assistant, and delete all the ****ty folders you don't want.

In order of usage:

iexplore.exe

svchost.exe

CCAPP.EXE

explorer.exe

msnmsgr.exe

NSMdtr.exe

CCPROXY.EXE

ViewMgr_.exe

CCSETMGR.EXE

ISSVC.exe

CCEVTMGR.EXE

gnotify.exe

AutoSizer.exe

taskmgr.exe

csrss.exe

svchost.exe

svchost.exe

svchost.exe

cidaemon.exe

services.exe

lsass.exe

hpgs2wnf.exe

SNDSrvc.exe

svchost.exe

WHATPU~1.EXE

svchost.exe

WkUFind.exe

winlogon.exe

spoolsv.exe

Hpi_monitor.exe

SM1bg.exe

cisvc.exe

hkcmd.exe

tcpsvcs.exe

GWMDMMSG.exe

SK9910DM.EXE

capFax.exe

alg.exe

qttask.exe

NAVAPSVC.EXE

hpgs2wnd.exe

symlcsvc.exe

cisvc.exe

VCDSecS.exe

smss.exe

System

System Idle Process

wdfmgr.exe

Obviously there are some that are not the problem. The tasks that begin with "CC" are Norton AntiVirus/Internet Security 2005. The problem came up before I got it, so I don't think that it is the problem despite its high usage. Again, I think the real problem is with Trojan.StartPage.M, which is a DLL embedded in a Windows process. I'll keep looking for fixes to that and post if I find something that could work.

iexplore.exe:

iexplore.exe is the main executable for Microsoft Internet Explorer. This Microsoft Windows application allows you to surf the web and local intranets. This program is a non-essential process for the running of the system, but should not be terminated unless suspected to be causing problems.

Possible infection of Trojan.Killav.B

svchost.exe:

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.

Possible infection of W32.Welchia.Worm

ccapp.exe:

ccapp.exe is a process belonging to Norton AntiVirus 2003. It is responsible for the auto-protect and email checking facilities, both of which will not function correctly if this service is stopped. This program is important for the stable and secure running of your computer and should not be terminated.

Never has been reported with a virus/worm/trojan.

explorer.exe:

explorer.exe is the Windows Program Manager or Windows Explorer. It manages the Windows Graphical Shell including the Start menu, taskbar, desktop, and File Manager. By removing this process the graphical interface for Windows will disappear.

Possible infection of W32.Mydoom.B@mm

msnmsgr.exe:

msnmsgr.exe is the main executable for MSN Messenger, which is bundled with Windows and Microsoft Office. It provides online chat and file sharing capabilities.

Possible infection of W32.Netsky@mm

nsmdtr.exe:

nsmdtr.exe is a process belonging to Norton Antivirus and assists in protecting your computer from Internet-bound threats such as worms and trojans. This program is important for the stable and secure running of your computer and should not be terminated.

Never has been reported with a virus/worm/trojan.

ccproxy.exe:

ccproxy.exe is a part of the Symantec Internet Security Suite. This process allows you to setup basic Internet sharing, which allows you to share your Internet connection across your home or office. This program is important for the stable and secure running of your computer and should not be terminated.

Never has been reported with a virus/worm/trojan.

viewmgr_.exe:

viewmgr.exe is responsible for managing and updating Viewpoint Media Player’s components. Similar to Flash, Acrobat, Windows, Quicktime, etc., Viewpoint posts updates to its servers and occasionally the Viewpoint Media Player will check to make sure that it's the latest version.

Oddly enough, the reported name for the program is viewmgr.exe and not viewmgr_.exe

ccsetmgr.exe:

ccsetmgr.exe is a process associated with the Symantec Internet Security Suite and is essential to its functioning. This program is important for the stable and secure running of your computer and should not be terminated.

Never has been reported with a virus/worm/trojan.

issvc.exe:

issvc.exe is a part of Norton Internet Security Suite and is a vital process for informing you about the latest Internet-bound security threats. This program is important for the stable and secure running of your computer and should not be terminated.

Never has been reported with a virus/worm/trojan.

ccevtmgr.exe:

ccevtmgr.exe is a part of the Norton Internet Security Suite. This process acts as a logger for the AntiVirus and firewall application installed. This program is important for the stable and secure running of your computer and should not be terminated.

Never has been reported with a virus/worm/trojan.

gnotify.exe:

gnotify.exe is a process belonging to Google Gmail which notifies you of incoming mails and offers an easy access point. This program is a non-essential process for the running of the system, but should not be terminated unless suspected to be causing problems.

Never has been reported with a virus/worm/trojan.

autosizer.exe:

autosizer.exe is a utility that automatically maximizes windows when they're opened.

Never has been reported with a virus/worm/trojan.

taskmgr.exe:

taskmgr.exe is the executable for the Windows Task Manager. It shows you the processes that are currently running on the system. This application is opened by pressing CTRL+ALT+DEL. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

Never has been reported with a virus/worm/trojan.

csrss.exe:

csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

Possible infection of W32.Netsky.AB@mm and W32.Dalbug.Worm

svchost.exe:

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.

Possible infection of W32.Welchia.Worm

svchost.exe:

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.

Possible infection of W32.Welchia.Worm

svchost.exe:

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.

Possible infection of W32.Welchia.Worm

cidaemon.exe:

cidaemon.exe is an indexing service which catalogues files on your computer to enable for faster file searches.

Never has been reported with a virus/worm/trojan.

services.exe:

services.exe is a part of the Microsoft Windows Operating System and manages the operation of starting and stopping services. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program is important for the stable and secure running of your computer and should not be terminated.

Possible infection of W32.Randex.R and W32.Sober.O@mm

lsass.exe:

lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies.

Possible infection of W32.Nimos.Worm, W32.Randex.AR, W32.Mydoom.L@mm, Trojan.Webus.B

hpgs2wnf.exe:

hpgs2wnf.exe is a part of Hewlett Packard's share-to-web, an application which allows for the transferral of images to Internet communities.

Never has been reported with a virus/worm/trojan.

sndsrvc.exe:

sndsrvc.exe is a process associated with the Norton Antivirus from Symantec. This process should not be removed to ensure that your system security is not breached.

Never has been reported with a virus/worm/trojan.

svchost.exe:

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.

Possible infection of W32.Welchia.Worm

whatpulse.exe:

whatpulse.exe is simply to collect statistics about your computer behavior. Some people (Like me) use it to determine how long they've worked on something, like a programming project, a school essay, chatting by all means.

Never has been reported with a virus/worm/trojan.

svchost.exe:

svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs. This program is important for the stable and secure running of your computer and should not be terminated.

Possible infection of W32.Welchia.Worm

wkufind.exe:

wkufind.exe is a process relating to Microsoft Picture-It. This process will attempt to dial the Internet, if not already connected, in order to find an update for this product.

Never has been reported with a virus/worm/trojan.

winlogon.exe:

winlogin.exe is added to the system as a result of the RANDEX.E virus. It is an IRC Trojan horse that gives remote access to your computer using IRC. This program is a registered security risk and should be removed immediately. If found on your system, make sure that you have downloaded the latest update for your antivirus application.

Infection of W32.RANDEX.E

spoolsv.exe:

spoolsv.exe is a Microsoft Windows system executable which handles the printing process to your local printers.

Possible infection of Backdoor.Ciadoor.B

hpi_monitor.exe:

Autodetects when a HP camera is attached to the computer and launches the "HP Photoimaging Software". Available via Start -> Programs

Never has been reported with a virus/worm/trojan.

sm1bg.exe:

sm1bg.exe is a process belonging to the Cypress USB Mass Storage Adapter. It is installed with iTunes, Napster and USB devices.

Never has been reported with a virus/worm/trojan.

cisvc.exe:

cisvc.exe is a process that belongs to the Microsoft Windows Operating System. It is used to monitor the memory usage in CIDAEMON.exe and prevent low memory problems.

Never has been reported with a virus/worm/trojan.

hkcmd.exe:

hkcmd.exe is installed alongside Intel multimedia devices and allows configuration and diagnostic options for these devices.

Never has been reported with a virus/worm/trojan.

tcpsvcs.exe:

tcpsvcs.exe is a part of Microsoft Windows networking components. This essential system process is initiated when the computer uses special TCP/IP networking services such as DHCP, Simple TCP and print services. This program is important for the stable and secure running of your computer and should not be terminated.

Never has been reported with a virus/worm/trojan.

gwmdmmsg.exe:

gwmdmmsg.exe is installed alongside the modem drivers on Gateway and vprMatrix computers. This is a messaging applet, but is not essential to the modem's functioning. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

Never has been reported with a virus/worm/trojan.

sk9910dm.exe:

sk9910dm.exe is installed on mostly Gateway PCs, and allows configuration of the one-touch programmable keys on a Gateway keyboard. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

Never has been reported with a virus/worm/trojan.

capfax.exe:

capfax.exe is a process authored by BVRP Software, which belongs to Capfax, a piece of software which simplifies phone and fax usage from your computer.

Never has been reported with a virus/worm/trojan.

alg.exe:

alg.exe is a part of the Microsoft Windows operating system. It is a core process for Microsoft Windows Internet Connection sharing and Internet connection firewall.

Never has been reported with a virus/worm/trojan.

qttask.exe:

qttask.exe produced by Apple, installs a tray bar icon which links to the Apple QuickTime video streaming tool.

Never has been reported with a virus/worm/trojan.

navapsvc.exe:

navapsvc.exe is a part of the Norton AntiVirus application. It is running in the background and provides auto-protection features to the system. This process should not be removed to ensure that your system security is not breached.

Never has been reported with a virus/worm/trojan.

hpgs2wnd.exe:

hpgs2wnd.exe is the executable corresponding to Hewlett-Packard's share-to-web software. This application allows a user to share photos to a secure Internet site.

Never has been reported with a virus/worm/trojan.

symlcsvc.exe:

symlcsvc.exe is an application which belongs to Norton's Internet Security Suite, and provides additional security features. This program is important for the stable and secure running of your computer and should not be terminated.

Never has been reported with a virus/worm/trojan.

cisvc.exe:

cisvc.exe is a process that belongs to the Microsoft Windows Operating System. It is used to monitor the memory usage in CIDAEMON.exe and prevent low memory problems. This program is an essential system process and should not be removed.

Never has been reported with a virus/worm/trojan.

vcdsecs.exe:

vcdsecs.exe is the Virtual CD security service, I couldn't find any more information about it.

Unknown status of virus/worm/trojan.

smss.exe:

smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

Possible infection of W32.Dalbug.Worm

wdfmgr.exe:

wdfmgr.exe is part of Microsoft Windows Media Player 10 and above. This process decreases compatibility problems whilst the product is in use. This program is a non-essential process for the running of the system, but should not be terminated unless suspected to be causing problems.

Unknown status of virus/worm/trojan.

System:

System is obviously the process which belongs to 'windows', as in Control Panel, etc, etc.

System Idle Process:

System Idle Process doesn't do anything; it's just what the CPU does when it's not doing anything.

-------------------------------------------------------------------------------------------------

This Google research should give you some more information/help about finding the virus. :)

That took me nearly an hour, hope I helped. :p

Also, you say you think that it is Trojan.StartPage.M.

Read here for more information: http://www.symantec.com/avcenter/venc/data...tartpage.m.html

  Symantec said:
Drops the file %Temp%\se.dll.

Note: %Temp% is a variable that refers to the Windows temporary folder. By default, this is C:\Windows\TEMP (Windows 95/98/Me/XP) or C:\WINNT\Temp (Windows NT/2000).

Registers itself as a Browser Helper Object by creating and populating the following registry subkeys:

HKEY_CLASSES_ROOT\CLSID\{2862736E-7B27-418A-A4E8-F13FB2E8C945}

HKEY_CLASSES_ROOT\CLSID\{5607D0D5-3205-45F2-A125-63666696DDA0}

Adds the value:

"CLSID" = "{2862736E-7B27-418A-A4E8-F13FB2E8C945}"

to the registry subkeys:

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html

HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain

to register itself as a protocol filter. This enables the Trojan to modify content displayed in Internet Explorer.

Adds the value:

"sp" = "rundll32 %temp%\se.dll,DllInstall"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it is executed every time Windows starts.

Adds the value:

"Search Bar" = "res://%temp%\se.dll/sp.htm;"

to the registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main

to modify the search settings in Internet Explorer.

Displays a Web page contained in se.dll, when Internet Explorer is started.

  Symantec said:
Disable System Restore (Windows Me/XP).

Update the virus definitions.

Run a full system scan and delete all the files detected as Trojan.StartPage.M.

Delete any values added to the registry.

I recommend you remove these lines:

-------------

-R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\Owner\LOCALS~1\Temp\se.dll/sp.html

-O2 - BHO: (no name) - {907785E7-927A-42F7-9A76-039EF053CF23} - (no file)

-O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)

-O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe

-O2 - BHO: (no name) - {D92DF25A-2D44-42E4-8D6B-2ADDA0310B73} - C:\WINNT\system32\alkccah.dll (file missing)

-------------
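A check for the registry changes the Symantec write-up lists, added here as an example; it is not Symantec's or the thread's own code. It reads a text export made with `reg export` (the `Windows Registry Editor Version 5.00` format, in which backslashes and quotes inside string data are escaped) and reports any of the listed artifacts that are still present: the `sp` Run value that starts the DLL through rundll32, the `text/html` and `text/plain` protocol filters, the two CLSID registrations, and an IE `Search Bar` pointing into a DLL in the temp folder. Both exports below are constructed, with the values taken from the quoted description; the `%temp%` expansion to `C:\DOCUME~1\Owner\LOCALS~1\Temp` is the one visible in the posted log.

```python
import re

# CLSIDs the Symantec description says the Trojan registers for its BHO.
STARTPAGE_CLSIDS = {
    "{2862736E-7B27-418A-A4E8-F13FB2E8C945}",
    "{5607D0D5-3205-45F2-A125-63666696DDA0}",
}
# A DLL living under a Temp folder, or referenced through the %temp% variable.
TEMP_DLL = re.compile(r"(\\temp\\|%temp%\\)[^\\]*\.dll", re.IGNORECASE)
# "name"="data" or @="data"; the name itself may contain escaped quotes.
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    """Undo the .reg escaping of backslashes and quotes inside string data."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Parse a 'Windows Registry Editor Version 5.00' export into {key: {name: data}}.
    String (REG_SZ) data is decoded; other types (hex:, dword:) are kept as raw text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(2) else _unescape(m.group(1))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_startpage_artifacts(keys):
    """Return (key, value name, data, reason) for each listed artifact still present."""
    hits = []
    for key, values in keys.items():
        k = key.lower()
        leaf = k.rsplit("\\", 1)[-1]
        if "\\clsid\\" in k and leaf.upper() in STARTPAGE_CLSIDS:
            hits.append((key, None, None, "CLSID registration of the Trojan's BHO"))
        for name, data in values.items():
            d = data.lower()
            if k.endswith("\\currentversion\\run") and "rundll32" in d and TEMP_DLL.search(data):
                hits.append((key, name, data, "Run value starts a DLL from the temp folder via rundll32"))
            elif "\\protocols\\filter\\" in k and leaf in ("text/html", "text/plain") and name.upper() == "CLSID":
                hits.append((key, name, data, f"MIME filter on {leaf} lets a DLL rewrite page content"))
            elif k.endswith("\\internet explorer\\main") and d.startswith("res://") and TEMP_DLL.search(data):
                hits.append((key, name, data, "IE setting points into a DLL resource in the temp folder"))
    return hits


# Constructed export of a still-infected machine; values follow the quoted Symantec description.
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"sp"="rundll32 C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll,DllInstall"

[HKEY_CLASSES_ROOT\CLSID\{2862736E-7B27-418A-A4E8-F13FB2E8C945}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{2862736E-7B27-418A-A4E8-F13FB2E8C945}\InprocServer32]
@="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]
"CLSID"="{2862736E-7B27-418A-A4E8-F13FB2E8C945}"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.aol.com"
"Search Bar"="res://C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\se.dll/sp.htm;"
"""

# The same locations after removal: only the legitimate Run value and start page remain.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.aol.com"
"""

if __name__ == "__main__":
    for key, name, data, reason in find_startpage_artifacts(parse_reg_export(INFECTED_EXPORT)):
        print(f"{reason}\n    [{key}] {name!r} = {data!r}")
```

To use it on a real machine, export each of the keys the write-up names (for example `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`), concatenate the files, and pass the text to `parse_reg_export`; an empty result from `find_startpage_artifacts` after a reboot is the confirmation that the "Delete any values added to the registry" step actually stuck.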
