TechSpot

Possible infection causing CPU to constantly max out

By Gazington
Jun 18, 2007
  1. First off, I'm new around here so a big 'hello' to you all.

    Secondly, apologies if after reading this the experts amongst you feel this should be in another part of the forum - I thought I'd start with poss malware / virus infection etc. and go from there.

    My problem - since last Friday my CPU seems to constantly hit 100% no matter what process(es) I'm using.

    I noticed the problem started after upgrading to the latest iTunes update. First off my sound kept skipping and my mouse pointer became sluggish and I thought it was merely an iTunes problem. So, I uninstalled and rolled back to a previous version. However, the same problem was apparent. Then I began to notice all other apps were becoming sluggish and finally my system freezes for several seconds at a time as the CPU hits max. This is why I think I may have malware / virus probs - iTunes update was probably a coincidence.

    So, I've followed the Sticky Thread info on malware, i.e. ran spyware, virus software etc. and nothing seems to have changed. I've attached logs so if anyone would be so kind as to cast their eye over them I'd be very, very grateful!

    Cheers,

    G
     
  2. maXimus4444

    maXimus4444 TS Rookie Posts: 118

    First you need to go here and follow the directions exactly.

    After you have completed all of the steps, you need to post your hardware specs: OS, Processor, Ram, HDD, etc....
     
  3. Gazington

    Gazington TS Rookie Topic Starter

    Cheers Maximus. Looks like I need to perform one or two more steps (namely Trend online scan, AVG Anti-Spyware and SS&D).

    Have already run rootkit and nothing to report. Nothing on Ad-Aware. Nothing on either Norton (which I've now removed as it was annoyingly slow and I've been meaning to do so for a while) and nothing on AVG Anti-Virus which I installed today.

    Also, I'm running Windows XP SP2 on an HP Pavilion t340.uk Desktop using a 2.6GHz processor and 512MB RAM.

    Will post back once other processes have been completed.

    G
     
  4. momok

    momok TS Rookie Posts: 2,272

    Hi Gazington and welcome to techspot. =)

    It appears that you hadn't attached your AVG Anti spyware log. Please do so in your next reply.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    AlcxMonitor

    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

    ALCXMNTR.EXE

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)

    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm813XXUS
    O15 - Trusted Zone: http://www.bomis.com
    O15 - Trusted Zone: http://www.xfm.co.uk
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
    O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} - http://67.19.107.18/DGTx.CAB

    Close HJT.


    Navigate in Windows Explorer and delete the following files and folders:

    C:\WINDOWS\ALCXMNTR.EXE
    C:\WINDOWS\system32\TWUNK_16.EXE
    C:\WINDOWS\system32\TWUNK_32.EXE
    C:\WINDOWS\system32\TWAIN_32.DLL
    C:\found.001

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Gazington

    Gazington TS Rookie Topic Starter

    Many, many thanks for the advice Momok! Very much appreciated.

    Ok, so I've actioned everything now from the link Maximus supplied and have also performed the actions Momok suggested. The system is a little better but still very, very sluggish.

    I have attached updated HJT, Combofix and AVG Anti-Spyware logs as requested. One thing I've noted in the AVG log is the items detected are shown as having 'No action' taken against them whereas the app settings are per the instructions on Maximus' link, i.e. set to Quarantine? Not sure if that is relevant or as expected per the log? After running AVG the Aware.RogueSuspect element is listed as Quarantined and the tracking cookies are listed as deleted.

    One other point, which is a sidetrack of sorts, is several items are listed on the HJT log relating to software which I've removed? These are:

    -Evidence Eliminator
    -Epson Printer
    -Daemon Tools
    -iTunes
    -Windows Defender
    -Speedtouch Modem
    -Symantec

    If you've any advice on how to ditch this lot too I'll be singing your praises for ever! I was surprised to see Symantec, for example, as I used the Norton removal utility suggested elsewhere on the forum.

    Anyway, many thanks in advance for any help you can provide. Will check back in the a.m.

    G
     
  6. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Regarding your AVG log displaying 'No Action Taken', please run AVG again and quarantine the files.
    Pictorial instructions HERE.


    You may wish to copy and paste these instructions on notepad for easier reference later.

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    UTLLSTCK.exe
    SpeedTouch USB Diagnostics
    Symantec NetDriver Monitor
    Windows Defender


    Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

    UrlLstCk.exe
    Dragdiag.exe
    SNDMon.exe
    MSASCui.exe


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

    Close HJT.

    Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
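    The two sets of instructions momok gives above (stop and disable named services, end named processes, fix HijackThis O4 lines, delete files) all act on autorun locations and services. The script below is an added example, not from the thread or from momok, that audits those same locations read-only on a Windows machine: it walks the Run/RunOnce keys (the registry keys behind HijackThis O4 entries) and the installed services, resolves each command line to its executable, and reports entries whose file no longer exists (orphans, like the "(no file)" BHO and Toolbar lines in the earlier post) and entries whose binary carries no valid Authenticode signature. The helper names are this example's own; the registry paths are the standard Windows ones. It changes nothing; deciding what to remove stays a manual step.

```powershell
# Added example, not from the thread: read-only audit of Run/RunOnce entries and
# services. Reports ORPHAN entries (target file missing) and unsigned binaries.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties the registry provider adds to every Get-ItemProperty result; not autorun values
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-CommandPath {
    param([string]$Command)
    # Extract the executable from a Run value or service command line, e.g.
    #   "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon   (quoted)
    #   ALCXMNTR.EXE                                                  (bare name)
    # A bare name is looked up in %WINDIR%, %WINDIR%\system32 and then PATH.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -lt 0) { $end = $cmd.Length }
        $exe = $cmd.Substring(1, $end - 1)
    } else {
        # Unquoted: first whitespace-delimited token. An unquoted path that itself
        # contains spaces will show up as ORPHAN; check such entries by hand.
        $exe = ($cmd -split '\s+')[0]
    }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        return (Resolve-Path -LiteralPath $exe).Path
    }
    foreach ($dir in @($env:WINDIR, "$env:WINDIR\system32") + ($env:PATH -split ';')) {
        if (-not $dir) { continue }
        $candidate = Join-Path $dir $exe
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $null
}

function Get-SignerStatus {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "signed: $($sig.SignerCertificate.Subject)" }
    return "UNSIGNED ($($sig.Status))"
}

Write-Host "== Run / RunOnce entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }
        $path = Resolve-CommandPath ([string]$p.Value)
        if ($null -eq $path) {
            Write-Host ("ORPHAN   {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
        } else {
            Write-Host ("present  {0}\{1} -> {2} [{3}]" -f $key, $p.Name, $path, (Get-SignerStatus $path))
        }
    }
}

Write-Host ""
Write-Host "== Services whose binary is missing or unsigned =="
Get-WmiObject -Class Win32_Service | ForEach-Object {
    $path = Resolve-CommandPath ([string]$_.PathName)
    if ($null -eq $path) {
        Write-Host ("ORPHAN   {0} ({1}) = {2}" -f $_.Name, $_.DisplayName, $_.PathName)
        return
    }
    $status = Get-SignerStatus $path
    if ($status -like 'UNSIGNED*') {
        Write-Host ("{0} ({1}) state={2} start={3} -> {4} [{5}]" -f `
            $_.Name, $_.DisplayName, $_.State, $_.StartMode, $path, $status)
    }
}
```

    Run it from an elevated Windows PowerShell so that HKLM and every service's command line are readable. One caveat when reading the output: on older Windows and PowerShell versions, Microsoft's own system binaries are signed through catalog files rather than embedded signatures, so "UNSIGNED (NotSigned)" on a file under system32 is not by itself suspicious; an orphaned entry, or an unsigned binary in an odd location such as the Windows root directory, is what merits a closer look.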
     
  7. Gazington

    Gazington TS Rookie Topic Starter

    Hi Momok.

    Many thanks again for the advice! I'm very impressed with how helpful people are on this forum.

    One thing:

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

    I've looked and I can't see this attachment? Now, it might just be me after only 5 hours sleep being a touch unfocused! If not, would you be able to up it so I can perform your suggested actions?

    Re: the AVG log - my mistake. I did have actions set to Quarantine but saved the report prior to performing the actions! Very daft. I'll run a new log and attach once you up the Combo-Do.txt file.

    Cheers,

    G
     
  8. momok

    momok TS Rookie Posts: 2,272

    Hi,

    I'm sorry about that. I vaguely remember attaching it, though I might really have forgotten. Here it is.

    Regards,
    Your friendly momok =)

    This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. Gazington

    Gazington TS Rookie Topic Starter

    Many thanks, Momok! I'll get to work and post back here with the logs later.

    G
     
  10. CCT

    CCT TS Evangelist Posts: 3,556

  11. Nodsu

    Nodsu TS Rookie Posts: 9,431

    Why not take a look in Task Manager and actually see which process is hogging the CPU? Sort the process list by CPU usage and the hogs will nicely climb to the top.
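    The check Nodsu describes can be done from Windows PowerShell as well, with the benefit that the hog's binary path and signer appear next to its CPU figure. The script below is an added example, not from the thread or from Nodsu. It takes two snapshots a few seconds apart so that each process's share of CPU over that interval (what Task Manager's CPU column shows) is reported rather than the total processor time it has accumulated since it started; the function name and column names are this example's own.

```powershell
# Added example, not from the thread: Task Manager's "sort by CPU" check from
# PowerShell, with the binary path and Authenticode signer next to each hog.
# Run elevated to see the paths of other users' processes.

function Get-CpuHogs {
    param([int]$Top = 10, [int]$SampleSeconds = 5)

    $cores = [Environment]::ProcessorCount
    $first = @{}
    # Process.CPU is the seconds of processor time consumed so far ($null if access is denied)
    Get-Process | ForEach-Object { $first[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $SampleSeconds

    $rows = foreach ($proc in Get-Process) {
        if (-not $first.ContainsKey($proc.Id)) { continue }      # started during the interval
        $before = $first[$proc.Id]
        if ($null -eq $before -or $null -eq $proc.CPU) { continue }  # e.g. System, protected processes
        # Seconds of CPU consumed in the interval, as a percentage of all cores
        $pct = [math]::Round(100 * ($proc.CPU - $before) / ($SampleSeconds * $cores), 1)
        $path = try { $proc.Path } catch { $null }
        $signer = 'n/a'
        if ($path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
            else { $signer = "UNSIGNED ($($sig.Status))" }
        }
        New-Object PSObject -Property @{
            Id = $proc.Id; Name = $proc.ProcessName; CpuPercent = $pct
            Path = $path; Signer = $signer
        }
    }
    $rows | Sort-Object CpuPercent -Descending |
        Select-Object -First $Top Id, Name, CpuPercent, Path, Signer
}

Get-CpuHogs | Format-Table -AutoSize
```

    If the top entry is a host process such as svchost.exe, the figure alone does not say which service inside it is busy; Task Manager's Services tab (or `tasklist /svc` at a command prompt) maps a PID to the services it hosts. A hog that shows an empty path even in an elevated shell is worth noting too, because the few processes that behave that way are a short, well-known list (System, and protected system processes).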
     
     
  12. Gazington

    Gazington TS Rookie Topic Starter

    Ok, first things first.....

    Momok - have followed your instructions to the tee and have posted the resulting log files. Will await your reply!

    CCT - many thanks for this info! I shall have a good read and see where it takes me.

    Nodsu - many thanks also for taking time out to provide advice. However, I was aware of this little tip and as mentioned above it was initially iTunes which seemed to be messing with the CPU then, even when uninstalled, all other programmes (when used) appeared to be maxing out at 100%.

    Anyway, cheers for all responses!

    G
     
  13. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your system logs appear to be void of infection and the undesired programs/software you specified. However, I noted a suspicious new entry in your combofix rootkit scan.

    Please run AVG Anti Rootkit via Step 11 of the instructions HERE. Let me know the results of the scan.

    Post a fresh ComboFix log in your next reply. Thanks.


    Regards,
    Your friendly momok =)

    This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. Gazington

    Gazington TS Rookie Topic Starter

    Hey momok,

    Have now run Anti-Rootkit again and the results came back clean, which is good news.

    Have also attached an up-to-date Combofix log.

    Will await your reply.

    Thanks in advance,

    G
     
  15. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    You may also delete the C:\VundoFix Backups folder and its contents.

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. Nodsu

    Nodsu TS Rookie Posts: 9,431

    By definition, several processes cannot use 100% of CPU each. If you launch Notepad and the calculator, they can't both be at 100%, can they? Not to mention that at any moment in time you are running dozens of processes anyway and your CPU should be maxed out even when you do absolutely nothing at all.
     
  17. Gazington

    Gazington TS Rookie Topic Starter

    Many thanks for all your help, guys. Things are a lot better. Still not 100% but I can at least use my PC again.

    Btw, I was originally unable to use the Trend Micro online scan but I thought I'd give it another go today.

    It seemed to be going great guns but, unfortunately, it hung after the scan appeared to finish. However, it did highlight several spyware / grayware items which I was about to jot down when iexplorer shut down! These items were not picked up by Norton (prior to the uninstall of said piece of junk) nor by AVG on any of the scans I performed.

    I'm going to try the online scan again so I can hopefully at least ascertain the info and will post back here.

    G
     
  18. momok

    momok TS Rookie Posts: 2,272

    Let us know the results then.

    Regards,
    Your friendly momok =)
     
  19. Gazington

    Gazington TS Rookie Topic Starter

    Well, Trend Micro ran to a point and then hung again. Very annoying. So, I tried Panda's online system scan and it brought up 9 items. I've attached the log. Any ideas?

    Thanks as always!

    G
     
  20. momok

    momok TS Rookie Posts: 2,272

    Hi,

    I would advise you to run the online scan again and fix the first 5 entries. The log is not detailed enough and does not provide which files or values in the registry are infected so I can't instruct you exactly which to remove.

    With regards to the following however, they are actually legit files, not infections, though most likely rarely used. Fixing them is entirely up to your choice.

    These two are related to a software bundle from HP:
    C:\hp\bin\KillIt.exe
    C:\hp\bin\Terminator.exe

    Part of the backweb utility which according to McAfee:
    These two are part of the files we used in helping you fix your infection previously. Retaining them is again up to your choice.
    C:\WINDOWS\nircmd.exe
    C:\WINDOWS\system32\Process.exe


    Regards,
    Your friendly momok =)

    This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  21. Gazington

    Gazington TS Rookie Topic Starter

    Well it's taken me a while to get back to this but I think I have found the answer! Having run various anti-virus scans etc. (and, by the way, a couple of nasties were found including one Trojan) my system was still dragging badly and especially on audio / video files or system hogs like Photoshop (which I need for work).

    Blindly typing into search engines led me to the following site which contained info about the Primary IDE's Direct Memory Access (DMA) possibly being set from Ultra DMA Mode 5 to PIO as a result of any one of a number of system related things (more info within the link):

    http://winhlp.com/WxDMA.htm

    And, guess what? On checking out my Primary IDE's DMA.... VOILA! It was set to a default of PIO! Having followed the advice given in the above link I removed the MasterIdDataChecksum from the relevant key and rebooted and now my system is running like a dream!

    It's only been 24 hours so it's still early days. However, I know that in the short term at least, I have a solution.

    No idea if the Mods have this remedy stickied anywhere else on this Forum but it certainly saved me from going out of my mind and I would recommend it is added maybe to an existing (relevant, i.e. non-Spyware) thread?

    Anyway, I just wanted to let you guys know about this. I also wanted to say a BIG thank you to all those who have helped me along the way. I'll be a frequent visitor here for tips and system advice as the anti-virus info and system tune-up threads are excellent.

    Keep up the good work.

    G
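    The DMA-to-PIO fallback Gazington found lives in the per-channel registry entries of the IDE controller class. The script below is an added example, not from the thread or from the winhlp.com page, that reads those entries and offers a dry-run of the value removal he describes. The class GUID is the standard Windows device class for IDE ATA/ATAPI controllers (the "hdc" class) and the value names are the ones the atapi driver keeps per channel; the function names are this example's own. On a machine with only AHCI/SATA storage the class key may hold no channel subkeys at all, and changing anything needs an elevated PowerShell.

```powershell
# Added example, not from the thread: read-only view of the IDE channel timing
# values behind the PIO/DMA fallback, plus a ShouldProcess-aware remover for the
# cached *IdDataChecksum values (use -WhatIf to see what would be deleted).

# Standard Windows device class GUID for IDE ATA/ATAPI controllers
$hdcClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E96A-E325-11CE-BFC1-08002BE10318}'

function Format-Mode([object]$Value) {
    # Timing-mode DWORDs are easier to compare against the winhlp table in hex
    if ($null -eq $Value) { return $null }
    return ('0x{0:X}' -f [int]$Value)
}

function Get-IdeChannelTiming {
    $rows = foreach ($sub in Get-ChildItem -Path $hdcClass -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $sub.PSPath
        # The controller's own subkey carries no timing values; only channel subkeys do
        if ($null -eq $p.MasterDeviceTimingMode -and $null -eq $p.MasterDeviceTimingModeAllowed) { continue }
        New-Object PSObject -Property @{
            Key                   = $sub.PSChildName
            Channel               = $p.DriverDesc            # e.g. "Primary IDE Channel"
            MasterMode            = Format-Mode $p.MasterDeviceTimingMode
            MasterAllowed         = Format-Mode $p.MasterDeviceTimingModeAllowed
            SlaveMode             = Format-Mode $p.SlaveDeviceTimingMode
            SlaveAllowed          = Format-Mode $p.SlaveDeviceTimingModeAllowed
            MasterChecksumPresent = ($null -ne $p.MasterIdDataChecksum)
            SlaveChecksumPresent  = ($null -ne $p.SlaveIdDataChecksum)
        }
    }
    $rows | Select-Object Key, Channel, MasterMode, MasterAllowed, SlaveMode, SlaveAllowed,
                          MasterChecksumPresent, SlaveChecksumPresent
}

function Remove-IdeChecksum {
    # The step from the thread: delete the cached *IdDataChecksum values so the
    # driver re-reads the drive's identify data, and re-selects a mode, at next boot.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$ChannelKey)
    $path = Join-Path $hdcClass $ChannelKey
    foreach ($name in 'MasterIdDataChecksum', 'SlaveIdDataChecksum') {
        $exists = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $exists) { continue }
        if ($PSCmdlet.ShouldProcess("$path : $name", 'Remove registry value')) {
            Remove-ItemProperty -Path $path -Name $name
        }
    }
}

Get-IdeChannelTiming | Format-Table -AutoSize
# Dry run of the fix for the channel stored under subkey 0001:
#   Remove-IdeChecksum -ChannelKey '0001' -WhatIf
```

    The place to confirm the symptom before and after is Device Manager: IDE ATA/ATAPI controllers, the channel's Properties, Advanced Settings tab, where "Current Transfer Mode" reads either PIO Mode or an Ultra DMA mode. Because the fallback is triggered by repeated transfer errors, a channel that keeps dropping back to PIO after the fix points at a cable, drive or controller problem rather than at software.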
     
  22. momok

    momok TS Rookie Posts: 2,272

    Glad that your system is fine again.
    I have moved this to the CPUs, Chipsets and Mobos section.

    Regards,
    Your friendly momok =)
     
Topic Status:
Not open for further replies.

