looks as clean as a whistle to me. but i see no fiirewall ???

Hi,

Your logs look clean now.

1. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)
   You may also delete the C:\VundoFix Backups folder and its contents.
   
   
2. Turn off system restore (XP/ME only). Learn how to do that HERE.
   This will remove all the remaining nasties from your old restore points.
   
   
3. After that turn system restore back on.
   This would have created a new safe and clean restore point for your system.
   
   
4. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
   May I recommend you to read this article.
   This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

squeaky clean

Thanks for all your help Momok. My computer is so clean now you could eat off it. Unfortunately, nothing has changed to improve my problem as stated in my first posting. Something is eating up my CPU % usage. At idle it sits at 25% to 30%, and opening any applications at all drives it right up to 100%. This does not happen in safe mode, which leads me to the conclusion it is software related.

Since this appears to not be a malware issue, should I move this problem to the Windows OS forum?

Roy

Hi,

Bobbye: no you are not interfering with the clean up =)

May I suggest that you read this thread here on how to speed up your system.

Let us know how it goes.

PS. I'm going overseas for now, will be back on the 23rd.

Regards,
Your friendly momok =)

This thread is for the use of 2kg4u only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

2kg4u can you show us result of netstat command.
Try Start -> Run. Write 'cmd' here and hit enter. Then in black window

netstat -ano

Try to disconnect peripherals or even network connection and look if cpu load will change.

Regards,
emde

reply to Bobbye and emde

Bobbye / emde,

Thank you for your input. Any and all suggestions are welcome and appreciated. Let me respond:

Bobbye,

At sytem idle with all applications closed except the task manager, the CPU usage runs at 15%:
- system idle 85%
- explorer 11%
- taskmgr 4%

When I use Sysinternal's Process Explorer to see what processes are running beneath explorer and taskmgr, I get the following:

- explorer.exe ........ 6% SHLWAPI.dll ....... 5% stobject.dll
- taskmgr.exe ........... 4% taskmgr.exe+0x5944

The other problem is, whenever I open up any other application, CPU usage immediately jumps up to 100% and stays up there for a minute or more. On my other machines, it only jumps to to around 50% and then drops back down within a second or two. I should also mention that in safe mode, the CPU usage is normal (1% to 2%).

emde,

Disconnecting the network connection dropped the CPU usage to 8% instead of the 15% it was running at with the network connected.

netstat -ano yields the following:

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 Listening 640
TCP 0.0.0.0:445 0.0.0.0:0 Listening 4
TCP 127.0.0.1:1027 0.0.0.0:0 Listening 1164
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *.* 424
UDP 0.0.0.0:4500 *.* 424
UDP 127.0.0.1:123 *0* 712

When I ran the command from the "run" command, the screen came up and went away right away. I had to open a DOS window and enter the netstat -ano command at the command prompt.

Thanks for the help. Let me know if my feedback gives you any ideas.

Roy

Booting into safe mode doesn't load all the drivers and startups, only certain ones.

Since CPU usage is unusually high in normal mode but okay in safe mode, it sounds like a driver or software conflict.

Run HJT and do a system scan. Place a check in the box next to the following entry (if there):

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab

Click the Fix Checked button. Once it's done fixing, close HJT.

Please report if this helps with CPU usage at all.

Regards

fresh HJT

kitty500cat,

Thanks for joining in.

- Ran HJT
- fixed entry you referenced (yes, it was there)
- rebooted
- ran fresh HJT and attached it

I agree with your thought the problem is related to a software issue of some sort. How do I isolate the problem? I wonder if the explore.exe file is corrupt, or if that happens to be the one eating CPU usage only because it is open. In other words, any open application is eating CPU usage, so the high CPU usage on explorer.exe is a symtom, not the problem. Still, in order to rule it out, I have been wondering if I should replace the explorer.exe file. What do you think?

Roy

I almost forgot the most important thing. The CPU usage has not improved. Still 11% explorer.exe and 4% task manager.exe.

When I run Process Monitor, the following 9 lines keep repeating continuously:

7378 1:07:15.3898193 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind SUCCESS Type: REG_MULTI_SZ, Length: 132, Data: \Device\{DE0FFF0F-625E-41E2-821C-885989DB4024}, \Device\NdisWanIp
7379 1:07:15.3938388 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Linkage\Bind SUCCESS Type: REG_MULTI_SZ, Length: 132, Data: \Device\{DE0FFF0F-625E-41E2-821C-885989DB4024}, \Device\NdisWanIp
7387 1:07:15.5072602 AM Explorer.EXE 1340 RegOpenKey HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE0FFF0F-625E-41E2-821C-885989DB4024} SUCCESS Desired Access: Read
7388 1:07:15.5096666 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE0FFF0F-625E-41E2-821C-885989DB4024}\EnableDHCP SUCCESS Type: REG_DWORD, Length: 4, Data: 1
7389 1:07:15.5136968 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE0FFF0F-625E-41E2-821C-885989DB4024}\LeaseObtainedTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1184473772
7392 1:07:15.6255741 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE0FFF0F-625E-41E2-821C-885989DB4024}\LeaseTerminatesTime SUCCESS Type: REG_DWORD, Length: 4, Data: 1184525336
7393 1:07:15.6295721 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE0FFF0F-625E-41E2-821C-885989DB4024}\DhcpServer SUCCESS Type: REG_SZ, Length: 24, Data: 192.168.1.1
7394 1:07:15.6334997 AM Explorer.EXE 1340 RegQueryValue HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE0FFF0F-625E-41E2-821C-885989DB4024}\DhcpServer SUCCESS Type: REG_SZ, Length: 24, Data: 192.168.1.1
7395 1:07:15.7086749 AM Explorer.EXE 1340 RegCloseKey HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DE0FFF0F-625E-41E2-821C-885989DB4024} SUCCESS


What is this process that explorer.exe keeps opening?

It seems to be a problem with your TCP/IP settings. I'm not quite sure what all that stuff from process explorer means though.

In your task manager, terminate the process explorer.exe. Then go to the file menu->new task (run...), and type in iexplore.exe. Press enter.

This will close explorer.exe and open Internet Explorer. See if Internet Explorer takes up so much CPU with explorer.exe not running.

Regards

netstat show that your system is clean from worms. No suspicious connections.
I dunno what's this "UDP 127.0.0.1:123 *0* 712" but still doesn't look suspicious.
I agree with kitty500cat - software or drivers. When you run task manager go to Performance tab and choose Show Kernel Times from View menu. You should see red trend on CPU Usage chart. You can also try with Performance monitor in Administrative Tools from Control Panel.

shut down explorer, open IE

kitty500cat,

- shut down explorer.exe
- task manager shows taskmgr.exe is using 2% (it should have dropped to 0) when everything is sitting idle
- opened IE, sytem usage is at 3%, still all from taskmgr.exe
- open 2nd IE window, usage jumps up to 98% for IEXPLORER.EXE, but once the page loads and everything settles down, it goes back to CPU usage at 3%, all from taskmgr.exe
- shut down IE and restarted explorer.exe, explorer.exe is using 8% and taskmgr.exe is at 3%
- booted into safe mode, CPU usage is 1%, all from taskmgr.exe, CPU usage from explorer.exe is 0%

I'm sorry I'm not smart enough to draw conclusions from all this. I am just trying to provide information to you in a logical manner.

Roy

Sorry, I have to admit I don't know what to do.

Perhaps if you disabled peripherals (printer, webcam, etc.) one at a time, you could find the problem.

If not, I recommend opening a new thread in our Windows OS or our Device Drivers forum.

Regards

moving thread to Windows OS forum

Thanks kitty500cat. I takes a true expert to recognize and admit they don't know what to do next. I admire that.

I opened a new thread in the Windows OS forum.

Roy

Thanks. Sorry I couldn't help.

I hope it works out for you.

Regards