TechSpot

so slow .... no go .... oh woe

By 2kg4u
Jul 4, 2007
  1. Now that Howard has helped me get rid of the nasties on my laptop (thanks Howard), I turn to my old desktop. Something is sucking up my CPU memory. I started with 256 Mb of RAM (don't laugh, I am old and slow so I figure my computer should be too) and at system idle the system was running at 40% to 50% CPU memory. Open up even a small program and it immediately ran up to 100%. I swapped the RAM out for 2 x 1Gb chips, thinking that would solve the problem, but the CPU usage did not improve. Still 40% at idle, and immediately up to 100% when I open anything. By the way, the CPU memory usage runs at 0% to 1% at idle in safe mode.

    XP SP2
    Pentium 4 1.8 Ghz
    2 Gb RAM

    Oh yeah, what ever is slowing down my system is also affecting my internet connection. I am plugged directly into a 100 Mbs router and when I ran that online virus detector (house call) it kept telling me I have an extremely slow internet connection. I know its not a problem with the service because our other computers have good connentions.

    I ran Howard's full virus/spyware/malware preliminary removal routine.

    - AVG antiroot detected no problems

    - AVG anti spyware detected no problems, so there was no report to attach

    - ComboFix and HJT logs are attached

    Any and all help would be much appreciated.

    Roy
     
  2. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Good thing you followed the instructions. Your system is definitely infected.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Security Center

    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    O23 - Service: Security Center (wscsvc) - Unknown owner - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe (file missing)

    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.

    C:\WINDOWS\system32\edccdbf_r.dll
    C:\WINDOWS\C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\C:

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT and ComboFix logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. tomrca

    tomrca TS Rookie Posts: 1,000

    hi 2kg4u.
    you need to rename 'hijackthis v_2.exe', to 'analysethis v_2.exe', or similar. the reason being that there are some bugs that are able to hide from it under its original name.
     
  4. momok

    momok TS Rookie Posts: 2,265

    Ah yes good point tomrca. Thanks for reminding us on that.
    2kg4u: Please rename your executable file as suggested.

    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    followed instructions - now what?

    Thanks momok (and tomrca).

    - SECURITY CENTER service observed and disabled
    - 023 - Service: Security Center (WSCSVC) etc.... HJT run, not observed
    - C:\WINDOWS\system32\edccdbf_r.dll .... observed and deleted
    - C:\WINDOWS\C:\WINDOWS\System32\svchost.exe ... did not observe C:\ directory in the c:\WINDOWS directory .... found svchost in C:\WINDOWS\system32\svchost.exe and did not touch it
    - C:\WINDOWS\C: ... did not observe C:\ directory in the C:\WINDOWS directory
    - HJT renamed to "AnalyzeTHis"

    Fresh ComboFix and HJT logs are attached. I am still experencing the high CPU usage issue.

    Roy

    Roy
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs appear to be clean. Could you provide some details on which processes takes up the most CPU usage in your task manager? Press ctrl+alt+del to bring it up.

    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    list of processes using CPU memory

    iexplore.exe 35232
    svchost.exe 17668
    explorer.exe 16220
    spoolsv.exe 5188
    taskmgr 4068
    svchost.exe 3972
    svchost.exe 3916
    services.exe 3912
    csrss.exe 3552
    alg.exe 3360
    svchost.exe 3360
    svchost.exe 3252
    wdfmgr.exe 1596
    HPZipm12.exe 1568
    guard.exe 1344
    avgemc.exe 1120
    winlogin.exe 1008
    lsass.exe 960
    avgupsvc.exe 584
    smss.exe 372
    avgamsvr.exe 328
    System 216
    System Idle Process 16

    23 processes running, CPU usage running at 50% when I am not typing, running up to 85% when I type.

    Roy
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I'm sorry if I wasn't explicit enough earlier. I wanted to know which few processes took up the most percentage resources (it's the CPU colomn in the processes tab).

    May I also suggest that you read this thread here on how to speed up your system.

    Let me know the results. Thanks.

    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    running processes

    With 2 IE windows open (this one and the tutorial on slow computers you suggested) as well as the task manager open:
    system idle process 78
    explorer.exe 17
    taskmgr.exe 5
    CPU usage 22%

    When I open a 3rd IE window, IEXPLORE.EXE jumps up to 78 and the CPU usage is at 100% until the home page fully loads, after which CPU usage drops back to the 22% to 25% range. This takes up to 30 seconds.

    In comparison, I have my son's laptop next to me, and with the same applications open:
    system idle process 99
    taskmgr.exe 1
    CPU usage 1%

    When I open a 3rd IE window (on my son's puter), IEXPLORER.EXE goes to 2 or 3 % for only a second or so, and then immediately goes back to 0%. The highest the CPU usage jumps to is 35%, but only for a second, then right back to 1%.

    All the above is at idle. When I am typing this response on my puter, IEXPLORE.EXE goes to 30% and CPU usage goes to 52%. In comparison, when I type on my son's puter IEXPLORE.EXE doesn't get above 2, and CPU usage stays around 4 to 5%.

    I had already read the thread on speeding up your system. I have done the following:
    - SSD
    - lavasoft AA
    - deleted a ton of programs and files
    - defrag'd
    - added RAM
    - stopped all start-up programs
    - used crap cleaner many times

    I also read a good article on disabling unnecessary windows services, and followed those instructions.

    I want my puter to run better, but I am also approaching this as a learning experience and trying to find out as much on my own as I can. Your help is invaluable and very much appreciated, and I don't want to waste the time you give me by not learning something in the process.

    Roy
     
  10. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    tried FreeRam XP Pro

    There was one thing in that thread you suggested I read that I had not tried, and that was to install FreeRam XP Pro. I just installed and ran it. FreeRam is open on my screen, and telling me my puter is using 10% of its RAM. At the same time, I have task manager open, and it shows (at idle):

    Sytem Idle Process 42
    explorere.exe 29
    FreeRam XP Pro 15
    taskmgr.exe 8
    svchost 6
    CPU usage 59%

    I am sending this response from my son's laptop so as to give that status on my puter at idle.

    Roy
     
  11. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I'm not a big fan of freeram XP pro, but if you like it by all means keep it.
    I checked your hijackThis log and your IE doesn't seem to have much plugins or ActiveX objects to load.

    Does the spike occur only when you open IE? Or does it occur when you visit a new page or at other intervals?

    Perhaps you could try a different browser, like FireFox or Opera.

    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    spike not related to IE

    The spike occurs whenever I load up any program, not just IE. I get the same problem if I load MS word, FreeRam XP Pro, or any other program. The CPU usage is high just sitting at idle with no applications open.

    I am not a fan of FreeRam XP pro either, I only loaded it because it was mentioned in the thread you suggested I follow. It hasn't done anything to fix my problem, so I uninstalled it.

    I'm starting to think this is not a malware problem, but a conflict in one or more of my Windows processes. I know it doesn't happen in safe mode, so I have been thinking about starting there, and keep rebooting while adding back one process at a time until the problem comes back. At least that will tell me which process is causing the problem. This might take me a week or so to complete, but I can't think of anything else. Can you?

    Roy
     
  13. momok

    momok TS Rookie Posts: 2,265

    Hi,

    That actually sounds like a good idea. I'd like you to try something just before doing that.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.

    I'm checking to see if anything else can be removed from startup, or if anything fishy appears.

    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    autoruns scan results

    Momok,

    That's a cool program. Can it be used to remove start up stuff by unckecking the boxes? I see a couple of things that look suspicious (to me) but please tell me what you see.

    Autoruns scan results are attached.

    Roy
     

    Attached Files:

  15. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Run autoruns and uncheck this entry:
    catchme

    Exit the program.

    Search for all instances of "winlogin.exe" on your system and let me know the results.

    Please post a fresh HijackThis, AVG antispyware and ComboFix log in your next reply.

    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  16. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    catchme unchecked in autoruns

    no instances of winlogin.exe found .... was there supposed to be?

    AVG anti-spy found no issues, therefore, no report

    combofix and HJT logs attached

    Just for the heck of it, I used autoruns to uncheck all non-micorsoft processes, and rebooted. It did not improve the CPU usage. Does unckecking a process in autoruns disable it? Does it require a reboot once it is unchecked to disable it? I am asking because it might be a good tool to selectively disable processes until I find the culprit.

    Roy

    Edited by Moderator: No need for a double post if there are no replies between your current post and the last post, unless bumping the thread. In that case, please wait at least 24 hours before doing so. Otherwise, simply use the "Edit post" button instead.

    BTW I unchecked all the non-microsoft processes after the combofix and HJT logs were done, and reversed what I did after I saw the results. In other words, the processes were still all checked (except catchme) when the logs were recorded.

    Roy
     
  17. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE
    Next turn on "Show all files and folders, including hidden and system". See how HERE

    1. Navigate in Windows Explorer and delete the following files and folders in bold.

      C:\WINDOWS\sbconfig.dat
      C:\WINDOWS\system32\test.bat
      C:\WINDOWS\system32\wuaucsvr.exe

      C:\DOCUMEments and settings\All users\Application Data\winsyscfg

      I have some concerns regarding these two folders.
      C:\Program Files\WideStep Software
      C:\Program Files\APV

      Please let me know if you created/installed them, and what are their contents. WideStep software produces keyloggers, and we should be very concerned if you did not install this.

    2. Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  18. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    As Per Your Instructions

    C:\WINDOWS\sbconfig.dat - DELETED
    C:\WINDOWS\system32\test.bat - DELETED
    C:\WINDOWS\system32\wuaucsvr.exe - DELETED
    C:\DOCUMEments and settings\All users\Application Data\winsyscfg - DELETED
    I have some concerns regarding these two folders.
    C:\Program Files\WideStep Software - THIS IS A KEYSTROKE MONITOR I INSTALLED AND THEN REMOVED ON THE SAME DAY
    C:\Program Files\APV - AUTOSTART AND PROCESS VIEWER DOWNLOADED FROM TECHSPOT SO I CAN SEE WHAT PROCESSES ARE RUNNING

    Please let me know if you created/installed them, and what are their contents. WideStep software produces keyloggers, and we should be very concerned if you did not install this.


    NO ISSUES FOUND WITH AVG ANTISPYWARE THEREFORE NO REPORT, COMBOFIX AND HJT LOGS ATTACHED.

    ROY
     
  19. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean, however..

    You are running an outdated version of HijackThis.
    You can obtain the latest version from the link in my signature. You have also not renamed your Hijackthis executable file to Analyze.exe. Some malware are known to hide from it.

    Post a new HijackThis log for me to double check once more. Then you should be ready to go.

    PS. Your CapsLock Key seems to be jammed. You need to fix that too.


    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  20. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    HJT log

    Momok,

    HJT updated, log attatched.

    Roy
     
  21. tomrca

    tomrca TS Rookie Posts: 1,000

    looks as clean as a whistle to me. but i see no fiirewall ???
     
  22. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean now.

    1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)
      You may also delete the C:\VundoFix Backups folder and its contents.

    2. Turn off system restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    3. After that turn system restore back on.
      This would have created a new safe and clean restore point for your system.

    4. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend you to read this article.
      This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  23. 2kg4u

    2kg4u TS Rookie Topic Starter Posts: 46

    squeaky clean

    Thanks for all your help Momok. My computer is so clean now you could eat off it. Unfortunately, nothing has changed to improve my problem as stated in my first posting. Something is eating up my CPU % usage. At idle it sits at 25% to 30%, and opening any applications at all drives it right up to 100%. This does not happen in safe mode, which leads me to the conclusion it is software related.

    Since this appears to not be a malware issue, should I move this problem to the Windows OS forum?

    Roy
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    2kg4u , after reading all this information, I'd like to pass on a couple of things:

    1. Close all active Windows or programs you have running- as if you were ready to shut down- but don't> right click on the Taskbar> Task Manager> CPU column> is anything using more than 1-2 CPU, with the exception of System Idle, System and taskmgr? If so, you need to ID that process(s).

    2. If you are running in Normal Mode, you should have your anti-virus program starting up when you boot. If you have a laptop, you may also need the touch pad process.

    3. May I suggest you either use Firefox with tabbed browsing or IE7 with tabs instead of launching your browser each time you want another Window?

    I don't mean to interfere with the cleanup help you're getting-just to pass on these tips.
     
  25. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Bobbye: no you are not interfering with the clean up =)

    May I suggest that you read this thread here on how to speed up your system.

    Let us know how it goes.

    PS. I'm going overseas for now, will be back on the 23rd.

    Regards,
    Your friendly momok =)

    This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...