
Suspect my computer has been hijacked


  • This topic is locked
4 replies to this topic

#1 tyl604


Posted 10 March 2009 - 12:04 PM

First post; joined today.

Running Windows XP on a T2698 Emachines with 1.43 gig of RAM and 250 gig hard drive with only 64 gig used. As long as I have the Ativa thumbdrive working so I can connect wirelessly to my wireless router for internet, the CPU always runs 100% use. When I remove the Ativa thumbdrive, CPU goes down to say 15% - but of course I cannot access the internet. From PC Magazine I installed Process Explorer (technet.microsoft.com/en-us/sysinternals/bb896653.aspx) so I could inspect a more informative Task Manager.

I have found that System takes about 65% of the CPU and of this Ativacui.exe takes 25% of the system. Process Explorer warned me to look for things running from a temp file and I found under Ativacui.exe two instances of ~DF4547.tmp running from C:\Documents and Settings\Owner\Local Settings\Temp\~DF4547.tmp.

As a novice I wonder if this (~DF4547.tmp) could indicate a hijacking which uses up my CPU. I also notice under the CPU breakdown that the total processes do not add to 65% by looking at everything under Systems; looks like something which uses a lot of the 65% is hidden.

Can anyone tell me if I correctly identified a hijacker as ~DF4547.tmp and, if so, how to get rid of it? Or can anyone help otherwise. I have run TrendMicro's free housecall several times and it finds nothing.

Thanks.


#2 SLIX


Posted 10 March 2009 - 12:13 PM

Hi

If you think you are infected with something then it's best to post in the Am I Infected? What Should I do? forum.
For further instructions please follow this link. http://www.bleepingcomputer.com/forums/t/182397/am-i-infected-what-do-i-do-how-do-i-get-help-who-is-helping-me/
Steve

#3 dc3


Posted 10 March 2009 - 12:23 PM

I did a quick google for DF4547.tmp, there were three references, and all three were in regards to HJT Logs. You may want to start a HJT Log.

Please read the information and follow the instructions at the page that the link below will take you to.

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/



#4 Stang777


Posted 10 March 2009 - 03:24 PM

> Can anyone tell me if I correctly identified a hijacker as ~DF4547.tmp and, if so, how to get rid of it? Or can anyone help otherwise. I have run TrendMicro's free housecall several times and it finds nothing.
>
> Thanks.


Hi, does that ~DF4547.tmp show as actually running in your task manager? If not, do you run ZoneAlarm? If you run ZA and that file is not running in task manager then it is totally harmless and a file with a name similar to that is created every time you boot your computer and ZA loads up. I have several instances of temp files that start with ~DF, they all have different numbers after the ~DF but they all have four numbers after the ~DF with an extension of .tmp and are located at C:\Documents and Settings\Owner\Local Settings\Temp\.

Edited by Stang777, 10 March 2009 - 03:34 PM.


#5 boopme


Posted 10 March 2009 - 05:13 PM

Hi I see you have your log here, http://www.bleepingcomputer.com/forums/t/210080/cpu-running-at-100;-could-i-have-a-virus/

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Post in this thread when you haven't received an answer in five days.".

To avoid confusion, I am closing this topic.