Inactive CPU usage spikes and game lag

[Benzz]

Ok well this issue just started happening recently, my CPU usage would spike to about 30-100% on some occasions and I can't play any games due to having around 1000 ping. I ran a scan with Avast a few days ago and it found a worm which I got rid of straight away but the lag and spikes won't go away and I can't find any processes that are hogging up the usage, I've also done a few more Avast scans and spybot scans. I hope someone can help, thanks!

 

[Bobbye]

but the lag and spikes won't go away and I can't find any processes that are hogging up the usage,

1. How much installed RAM do you have?
2. Prepare the system for shutdown, but don't shut down yet.
3. Open the Task Manager: Double click on the top frame of the CPU column to sort. 3 processes should show CPU usage and add up to 100%> taskmgr, System and System Idle. Any other process running now over 1-2 in the CPU column needs to be identified
=============================================
Run Eset NOD32 Online AntiVirus scan HEREhttp://www.eset.eu/online-scanner

1. Tick the box next to YES, I accept the Terms of Use.
2. Click Start
3. When asked, allow the Active X control to install
4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
5. Click Start
6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
7. Click Scan
8. Wait for the scan to finish
9. Re-enable your Antivirus software.
10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

===============================================
Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
=====================================
Please disable or uninstall this P2P program while I am helping you: LimeWire 5.4.6

You may have resource and/or malware problems with this: mIRC

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

 

[Benzz]

I have 2 gig ram and I opened up task manager and no other processes were at 1 or 2 other then those 3. other then a few important system files spiking to 1 occasionally. I also uninstalled limewire. Today the spikes and lag stopped for an hr or two, never happened before, but the spikes are happening again. These are the ESET logs:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=75e5b150288d10499144770e295c45db
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-11-09 05:23:40
# local_time=2010-11-09 04:23:40 (+1000, AUS Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7600 NT
# compatibility_mode=769 16775165 100 98 0 225569901 0 0
# compatibility_mode=5893 16776573 100 94 0 40912738 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=9217 16777214 75 70 6359763 11182825 0 0
# scanned=93311
# found=0
# cleaned=0
# scan_time=2273

The are the Combofix logs in next post

 

[Benzz]

ComboFix 10-11-07.A2 - Benji 11/09/2010 16:38:27.1.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1305 [GMT 11:00]
Running from: c:\users\Benji\Documents\Downloads\Programs\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Benji\AppData\Roaming\.#
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf

.
((((((((((((((((((((((((( Files Created from 2010-10-09 to 2010-11-09 )))))))))))))))))))))))))))))))
.

2010-11-09 05:51 . 2010-11-09 05:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-09 04:39 . 2010-11-09 04:39 -------- d-----w- c:\program files\ESET
2010-11-08 11:19 . 2010-11-08 11:19 -------- d-----w- c:\users\Benji\AppData\Roaming\Malwarebytes
2010-11-08 11:19 . 2010-04-29 04:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-08 11:19 . 2010-11-08 11:19 -------- d-----w- c:\programdata\Malwarebytes
2010-11-08 11:19 . 2010-04-29 04:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-08 11:18 . 2010-11-08 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-08 11:12 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-11-08 11:01 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{85DF73D4-2E6C-4219-9256-A1DC84A7ED9B}\mpengine.dll
2010-11-08 10:57 . 2010-08-04 06:18 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-11-08 10:57 . 2010-08-04 06:17 417792 ----a-w- c:\windows\system32\msdri.dll
2010-11-08 10:57 . 2010-08-04 06:15 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-11-08 10:57 . 2010-08-04 06:15 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-11-08 10:57 . 2010-08-21 05:33 530432 ----a-w- c:\windows\system32\comctl32.dll
2010-11-08 10:57 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2010-11-08 10:57 . 2010-08-21 05:36 224256 ----a-w- c:\windows\system32\schannel.dll
2010-11-08 10:57 . 2010-08-21 05:36 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-11-08 10:57 . 2010-08-27 05:46 168448 ----a-w- c:\windows\system32\srvsvc.dll
2010-11-08 10:57 . 2010-08-27 03:31 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-11-08 10:57 . 2010-08-27 03:30 308736 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-11-08 10:57 . 2010-08-27 03:30 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-11-08 10:56 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll
2010-10-12 13:21 . 2010-10-12 13:21 -------- d-----w- c:\program files\Microsoft SQL Server
2010-10-12 13:21 . 2010-10-12 13:21 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-10-12 13:21 . 2010-10-12 13:21 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-10-12 13:19 . 2010-10-12 13:23 -------- d-----w- c:\users\Benji\AppData\Local\Microsoft Help
2010-10-12 13:17 . 2010-10-12 13:21 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0
2010-10-12 13:17 . 2010-10-12 13:21 -------- d-----w- c:\programdata\Microsoft Help
2010-10-12 13:17 . 2010-10-12 13:17 -------- d-----w- c:\program files\Microsoft SDKs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 00:41 . 2010-01-02 04:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-14 17:50 . 2010-05-11 02:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-21 05:32 . 2010-09-15 04:26 316928 ----a-w- c:\windows\system32\spoolsv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-03-04 3179952]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-06 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-11-24 81000]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-24 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 GarenaPEngine;GarenaPEngine;c:\users\Benji\AppData\Local\Temp\ENY887.tmp [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2008-11-08 1343400]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-04 691696]
S1 aswSP;avast! Self Protection; [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-03 176128]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-03 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-03 214016]
S3 Atc002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l260x86.sys [2009-07-13 29184]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
FF - ProfilePath - c:\users\Benji\AppData\Roaming\Mozilla\Firefox\Profiles\rt3imv0i.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\users\Benji\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKCU-Run-PlayNC Launcher - (no file)
HKCU-Run-ProxyCap - c:\progra~1\PROXYL~1\ProxyCap\ProxyCap.exe



[HKEY_LOCAL_MACHINE\system\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\Benji\AppData\Local\Temp\ENY887.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2127609539-2610553817-2303972375-1001_Classes\CLSID\{2d098ab0-0640-4ae7-8126-660c6eebc0d4}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:000000ba
"Therad"=dword:0000001c
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_USERS\S-1-5-21-2127609539-2610553817-2303972375-1001_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"scansk"=hex(0):52,28,05,13,db,f1,d5,9e,1e,81,f5,cc,ce,bb,16,9f,c2,46,ea,2b,ae,
61,cd,3b,fb,63,db,05,6f,de,48,97,9f,98,61,03,4a,33,2a,5e,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-2127609539-2610553817-2303972375-1001_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):0b,2a,e1,f9,a7,57,45,98,9f,3d,cd,ed,fe,6c,95,76,60,0f,c7,f2,7d,
30,9d,ce,c7,86,33,4c,1a,97,b4,79,b8,b1,29,81,6f,44,3f,1b,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-2127609539-2610553817-2303972375-1001_Classes\CLSID\{ec3cca14-9b1c-4e1d-9cae-e1ca9c7a957a}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000024
"Therad"=dword:0000001d

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2010-11-09 16:52:56
ComboFix-quarantined-files.txt 2010-11-09 05:52

Pre-Run: 13,416,325,120 bytes free
Post-Run: 17,252,876,288 bytes free

- - End Of File - - 12EC228FE1C28E740816FFCFAA072E87

 

[Bobbye]

Okay, Eset is clean. What are you using to determine the CPU spike? Do you have the Task Manager set to stay on top of the Window? IF so, you should be able to see what process is currently spiking.

I note you have Direct Show processes loaded. Is it possible that this could occasionally run in the background for video data streams?
I would also ask if the ProxyCap server you run might also have intermittent usage?

Description: ProxyCap enables you to redirect applications through a SOCKS or HTTP proxy server. You can tell ProxyCap which applications will connect to the Internet through a proxy and under what circumstances. This is done through a user friendly interface, without the need to reconfigure any of your Internet clients. ProxyCap provides flexible rule system and allows you to define your own routing rules. You can add a new rule with just a few mouse clicks.

Since you don't show any background processes running when you are prepared for shutdown, see if you can spot the cause of a spike while you are active.

Please run this Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\users\Benji\AppData\Local\Temp\ENY887.tmp

RegLock::
[HKEY_USERS\S-1-5-21-2127609539-2610553817-2303972375-1001_Classes\CLSID\{2d098ab0-0640-4ae7-8126-660c6eebc0d4}]
[HKEY_USERS\S-1-5-21-2127609539-2610553817-2303972375-1001_Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
[HKEY_USERS\S-1-5-21-2127609539-2610553817-2303972375-1001_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
[HKEY_USERS\S-1-5-21-2127609539-2610553817-2303972375-1001_Classes\CLSID\{ec3cca14-9b1c-4e1d-9cae-e1ca9c7a957a}]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]

DDS::
uURLSearchHooks: H - No File

Driver::
GarenaPEngin
aswSP

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Then this to see if there are any bad entries running:

Download the HijackThis Installer and save to the desktop:

1. Double-click on HJTInstall.exe to run the program.
2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
3. Accept the license agreement by clicking the "I Accept" button.
4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
5. Click "Save log" to save the log file and then the log will open in notepad.
6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

 

[Benzz]

Yeah I have the task manager open and even when I'm using program the only thing using a lot of CPU is firefox (When I have it open) and the task manager itself uses about 0.3-0.5 and then there's just about 2-3 other program that I have that occasionally go to 0.1, but then I go into the performance tab and my CPU is at a constant 25-30% (When Firefox is opened) and spikes quite high occasionally and I don't know what the Direct Show or Proxycap thing is I'm sorry, but here is the CFScript,

ComboFix 10-11-07.A2 - Benji 11/13/2010 15:30:47.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1391 [GMT 11:00]
Running from: c:\users\Benji\Documents\Downloads\Programs\ComboFix.exe
Command switches used :: c:\users\Benji\Documents\Downloads\Programs\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Created a new restore point

FILE ::
"c:\users\Benji\AppData\Local\Temp\ENY887.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASWSP
-------\Service_aswSP


((((((((((((((((((((((((( Files Created from 2010-10-13 to 2010-11-13 )))))))))))))))))))))))))))))))
.

2010-11-13 04:36 . 2010-11-13 04:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-13 04:07 . 2010-11-13 04:07 -------- d-----w- c:\programdata\IObit
2010-11-13 04:07 . 2010-11-13 04:07 -------- d-----w- c:\program files\IObit
2010-11-09 16:26 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{08C0E21F-6969-4BB8-9504-79D2FE564D36}\mpengine.dll
2010-11-09 06:04 . 2010-11-09 06:04 -------- d-----w- c:\windows\Sun
2010-11-09 05:57 . 2010-11-09 05:57 0 ----a-r- C:\logwmemory.bin
2010-11-08 11:19 . 2010-11-08 11:19 -------- d-----w- c:\users\Benji\AppData\Roaming\Malwarebytes
2010-11-08 11:19 . 2010-04-29 04:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-08 11:19 . 2010-11-08 11:19 -------- d-----w- c:\programdata\Malwarebytes
2010-11-08 11:19 . 2010-04-29 04:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-08 11:18 . 2010-11-08 11:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-08 11:12 . 2009-10-10 02:57 12800 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-11-08 10:57 . 2010-08-04 06:18 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-11-08 10:57 . 2010-08-04 06:17 417792 ----a-w- c:\windows\system32\msdri.dll
2010-11-08 10:57 . 2010-08-04 06:15 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-11-08 10:57 . 2010-08-04 06:15 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-11-08 10:57 . 2010-08-21 05:33 530432 ----a-w- c:\windows\system32\comctl32.dll
2010-11-08 10:57 . 2010-07-13 05:22 26504 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2010-11-08 10:57 . 2010-08-21 05:36 224256 ----a-w- c:\windows\system32\schannel.dll
2010-11-08 10:57 . 2010-08-21 05:36 738816 ----a-w- c:\windows\system32\wmpmde.dll
2010-11-08 10:57 . 2010-08-27 05:46 168448 ----a-w- c:\windows\system32\srvsvc.dll
2010-11-08 10:57 . 2010-08-27 03:31 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-11-08 10:57 . 2010-08-27 03:30 308736 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-11-08 10:57 . 2010-08-27 03:30 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-11-08 10:56 . 2010-05-05 06:46 363520 ----a-w- c:\windows\system32\StructuredQuery.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-19 00:41 . 2010-01-02 04:13 222080 ------w- c:\windows\system32\MpSigStub.exe
2010-09-14 17:50 . 2010-05-11 02:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-21 05:32 . 2010-09-15 04:26 316928 ----a-w- c:\windows\system32\spoolsv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2010-03-04 3179952]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2010-03-06 2937528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-11-24 98304]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 GarenaPEngine;GarenaPEngine;c:\users\Benji\AppData\Local\Temp\ENY887.tmp [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2008-11-08 1343400]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2010-01-04 691696]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-08-03 176128]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-08-03 6096384]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-08-03 214016]
S3 Atc002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\DRIVERS\l260x86.sys [2009-07-13 29184]

.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\Internet Download Manager\IEGetVL.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
FF - ProfilePath - c:\users\Benji\AppData\Roaming\Mozilla\Firefox\Profiles\rt3imv0i.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\users\Benji\AppData\Roaming\IDM\idmmzcc3\components\idmmzcc.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\windows\system32\Wat\npWatWeb.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
.

[HKEY_LOCAL_MACHINE\system\ControlSet001\services\GarenaPEngine]
"ImagePath"="\??\c:\users\Benji\AppData\Local\Temp\ENY887.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\atieclxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\taskhost.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\IObit\Game Booster\GameBox.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\conhost.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Internet Download Manager\IEMonitor.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sppsvc.exe
.
**************************************************************************
.
Completion time: 2010-11-13 15:41:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-13 04:41
ComboFix2.txt 2010-11-09 05:52

Pre-Run: 9,376,710,656 bytes free
Post-Run: 9,075,507,200 bytes free

- - End Of File - - F36147BCCB876698CD31504AAA88414A

 

[Benzz]

And here is the Hijack log,

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:31:56 PM, on 11/13/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16671)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Game Booster\GameBox.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/isan/default/popcaploader_v6.cab
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 5197 bytes

 

[Bobbye]

Okay- here are my numbers. I have Windows XP Home, using Firefox browser with 6 tabs loaded. Outlook Express is minimized in the Taskbar, Notepad is open:
CPU Usage 2-20 %. Processes running are: System Idle 77-98% taskmgr 02%, Firefox 2%, Notepad 2%. Memory for Firefox is 172,000k, Nod32 AV 57,900k explorer 33,000k.

I do not do any auto updates except for the AV and it's done for the day. Now I'm not having any problem with those numbers. But if I left the TaskManager opened and watched the numbers, it would drive me crazy! So what I'm saying here is unless you can identify a process that is running and should note be running, then I suggest you close the TaskManager.
============================================
Please reopen HijackThis to 'do system scan only.' Check each of the following, if present:

C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

Close all Windows Except HijackThis and click on "Fix All."
=========================================
Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER

.

Click on Start> Run> type in services.msc> double click on each of the following Services and change the startup type to Manual:
Bonjour
iPod
Steam
Exit Services
=========================================
Using the directions here: [B]http://netsquirrel.com/msconfig/msconfig_win7.html[/B] Take the following off of Startup:
NOTE: In Step 4, where the screen shows Normal Startup> uncheck that and check Selective Startup
Uncheck each of the following as directed and continue with directions to stop:
ITUNES Big resource user!
iTunesHelper.exe
Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. It is thought that this task used to be a 3rd party add-on program in the early days of Apple's iPod when its iTunes software was incompatible with many CD-Writers. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
UNCHECK on Startup menu using msconfig. It uses nearly 6MB of memory.

QUICK TIME

1. Use msconfig to UNCHECK any QuickTime entries on Startup> Apply> OK
2. Disable tray icon: Right-click on the icon and select QuickTime Preferences > Browser Plugin. Clear the check box next to "QuickTime system tray icon," and then close the settings box. The icon won't appear anymore.
3. Rename the qttask.exe file:
   Right click on Start> Explore> Programs> QuickTime directory> right click on qttask.exe> rename to qttask.exeold.

Disable QuickTime:

1. Open QuickTime.
2. Click Edit> Preferences> click QuickTime Preferences.
3. Now use the dropdown box to adjust Preferences.
4. You need to disable (usually uncheck) all boxes related to Auto Updates,Tray Icon, other Automatic features, etc.
5. Close the window when you are done.
6. Close QuickTime.

JAVA:

1. UNCHECK all Java entries on the Startup menu: Start> Run> msconfig> enter> Selective Startup Startup tab.
2. Open IE> Tools> Manage add-ons> right click on Java (tm) Plug-In 2 SSV Helper' (jp2ssv.dll> Click on and Disable Java Plugin2 and Java Quick Start.
3. Start> Run> services.msc> right click on JavaQuickStarterService)> Properties> Change Startup Type to Disabled> Stop the Service
4. Stop auto update:. Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Apply> Click YES when asked to confirm> OK
5. Make sure only the current version of Java v6u11 is in Add/Remove Programs in the Control Panel. Uninstall any other versions.

Reboot into Normal Mode.
Note: The first time you reboot after using msconfig to make changes, you will get a nag messsage. Ignire the nag messsage, check 'don't show this message again', Close. Stay in Selective Startup.

 

[Benzz]

Okay before I do those things, my Avast for some reason doesn't open up automatically when I boot (I have to manually do it). But it actually fixed all the problems, It's strange because I was exiting it during the scans and stuff before but the lag didn't stop, but now it has. It's fully updated I don't know why it's causing spikes.

 

[Bobbye]

Make sure Avast is still on the Startup Menu. If it is and still isn't starting automatically, download the Avast setup again and save to your desktop. Then go offline to work> Open IE> File> Check 'Work Offline.'

Uninstall the Avast that is currently on the system, then double click on the new setup and reinstall Avast. Reboot> go back online and update Avast.

 

[Benzz]

Okay all is good, something must of been wrong with Avast, but I have now reinstalled and all is good, really appreciate the help, thanks!

 

[Bobbye]

Okay, good.
Removing all of the tools we used and the files and folders they created

• Uninstall ComboFix and all Backups of the files it deleted
• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

• Download OTCleanIt by OldTimer and save it to your Desktop.
• Double click OTCleanIt.exe.
• Click the CleanUp! button.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

• You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
• Go to Start > All Programs > Accessories > System Tools
• Click "System Restore".
• Choose "Create a Restore Point" on the first screen then click "Next".
• Give the Restore Point a name> click "Create".
  
• Go back and follow the path to > System Tools.
  [*]Choose Disc Cleanup
  [*]Click "OK" to select the partition or drive you want.
  [*]Click the "More Options" Tab.
  [*]Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin

Let me know if you have any more questions.