Possible infection causing CPU to constantly max out

Status
Not open for further replies.

Gazington

First off, I'm new around here so a big 'hello' to you all.

Secondly, apologies if after reading this the experts amongst you feel this should be in another part of the forum - I thought I'd start with poss malware / virus infection etc. and go from there.

My problem - since last Friday my CPU seems to constantly hit 100% no matter what process(es) I'm using.

I noticed the problem started after upgrading to the latest iTunes update. First off my sound kept skipping and my mouse pointer became sluggish and I thought it was merely an iTunes problem. So, I uninstalled and rolled back to a previous version. However, the same problem was apparent. Then I began to notice all other apps were becoming sluggish and finally my system freezes for several seconds at a time as the CPU hits max. This is why I think I may have malware / virus probs - iTunes update was probably a coincidence.

So, I've followed the Sticky Thread info on malware, i.e. ran spyware, virus software etc. and nothing seems to have changed. I've attached logs so if anyone would be so kind as to cast their eye over them I'd be very, very grateful!

Cheers,

G
 
First you need to go here and follow the directions exactly.

After you have completed all of the steps, you need to post your hardware specs: OS, Processor, Ram, HDD, etc....
 
Cheers Maximus. Looks like I need to perform one or two more steps (namely Trend online scan, AVG Anti-Spyware and SS&D).

Have already run rootkit and nothing to report. Nothing on Ad-Aware. Nothing on either Norton (which I've now removed as it was annoyingly slow and I've been meaning to do so for a while) and nothing on AVG Anti-Virus which I installed today.

Also, I'm running Windows XP SP2 on an HP Pavilion t340.uk Desktop using a 2.6GHz processor and 512MB RAM.

Will post back once other processes have been completed.

G
 
Hi Gazington and welcome to techspot. =)

It appears that you hadn't attached your AVG Anti spyware log. Please do so in your next reply.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

AlcxMonitor

Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

ALCXMNTR.EXE

After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm813XXUS
O15 - Trusted Zone: http://www.bomis.com
O15 - Trusted Zone: http://www.xfm.co.uk
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} - http://67.19.107.18/DGTx.CAB

Close HJT.


Navigate in Windows Explorer and delete the following files and folders in bold.

C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\TWUNK_16.EXE
C:\WINDOWS\system32\TWUNK_32.EXE
C:\WINDOWS\system32\TWAIN_32.DLL
C:\found.001

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Many, many thanks for the advice Momok! Very much appreciated.

Ok, so I've actioned everything now from the link Maximus supplied and have also performed the actions Momok suggested. The system is a little better but still very, very sluggish.

I have attached updated HJT, Combofix and AVG Anti-Spyware logs as requested. One thing I've noted in the AVG log is the items detected are shown as having 'No action' taken against them whereas the app settings are per the instructions on Maximus' link, i.e. set to Quarantine? Not sure if that is relevant or as expected per the log? After running AVG the Aware.RogueSuspect element is listed as Quarantined and the tracking cookies are listed as deleted.

One other point, which is a sidetrack of sorts, is several items are listed on the HJT log relating to software which I've removed? These are:

-Evidence Eliminator
-Epson Printer
-Daemon Tools
-iTunes
-Windows Defender
-Speedtouch Modem
-Symantec

If you've any advice on how to ditch this lot too I'll be singing your praises for ever! I was surprised to see Symantec, for example, as I used the Norton removal utility suggested elsewhere on the forum.

Anyway, many thanks in advance for any help you can provide. Will check back in the a.m.

G
 
Hi,

Regarding your AVG log displays for 'No Action Taken', please run AVG again and quarantine the files.
Pictorial instructions HERE.


You may wish to copy and paste these instructions on notepad for easier reference later.

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > run and type services.msc. Press the enter key.
Search for the following services. Double click to select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

UTLLSTCK.exe
SpeedTouch USB Diagnostics
Symantec NetDriver Monitor
Windows Defender


Open your task manager by pressing holding ctrl, alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

UrlLstCk.exe
Dragdiag.exe
SNDMon.exe
MSASCui.exe


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

Close HJT.

Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


Regards,
Your friendly momok =)

This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
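As an added example (not code from the thread, from HijackThis, or from momok's instructions), here is a small Python triage script that applies the same kind of checks momok applied by hand in the two instruction posts above: O2/O3 entries marked "(no file)" are orphaned registrations, O4 Run entries that give a bare executable name with no path need to be tracked down before you trust them, O16 DPF (ActiveX) entries with no recorded URL or a raw-IP download URL deserve a look, and O15 Trusted Zone sites get relaxed IE security. The flag rules are my own, not HijackThis's; the sample log is constructed from the entries quoted in this thread plus one benign full-path Run entry to show that not everything is flagged.

```python
import re

# Added example: light-weight triage of HijackThis log lines.
# The rules below are assumptions by the author of this example,
# modelled on what was fixed in this thread, not HijackThis's own logic.

ORPHAN = "(no file)"
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt_line(line):
    """Split 'O4 - rest' into (section, rest); None if not an HJT entry."""
    m = re.match(r"^([RFO]\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    return m.group(1), m.group(2)


def triage_entry(line):
    """Return the reasons an entry deserves a second look (empty list = nothing noted)."""
    parsed = parse_hjt_line(line)
    if parsed is None:
        return []
    section, rest = parsed
    reasons = []

    # O2 BHO / O3 toolbar whose registered file no longer exists.
    if section in ("O2", "O3") and ORPHAN in rest:
        reasons.append("orphaned BHO/toolbar: registered but its file is gone")

    if section == "O4":
        if rest.endswith("= ?"):
            reasons.append("startup shortcut whose target could not be resolved")
        else:
            m = re.match(r".*?\[(.*?)\]\s+(.*)$", rest)
            if m:
                cmd = m.group(2).strip().strip('"')
                # A bare file name (ALCXMNTR.EXE) gives no clue which folder it loads from.
                if "\\" not in cmd:
                    reasons.append("Run entry has no path: find which folder the executable really loads from")

    # Downloads or context-menu links that point at a raw IP rather than a host name.
    if IP_URL.search(rest):
        reasons.append("URL uses a raw IP address instead of a host name")

    # ActiveX download entry with no URL recorded at all.
    if section == "O16" and not re.search(r"https?://", rest):
        reasons.append("ActiveX (DPF) entry with no download URL recorded")

    # Sites in the IE Trusted Zone run with relaxed security settings.
    if section == "O15":
        reasons.append("site in IE Trusted Zone gets relaxed security settings; confirm it is wanted")

    return reasons


def triage_log(text):
    """Map each flagged log line to its list of reasons."""
    out = {}
    for line in text.splitlines():
        reasons = triage_entry(line)
        if reasons:
            out[line.strip()] = reasons
    return out


# Constructed sample: the entries quoted in this thread plus one benign line.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O3 - Toolbar: (no name) - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm813XXUS
O15 - Trusted Zone: http://www.bomis.com
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) -
O16 - DPF: {F09BFD07-20B5-46D8-A6D5-BE4EF22F1F4D} - http://67.19.107.18/DGTx.CAB
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
"""

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG).items():
        print(entry)
        for r in reasons:
            print("   ->", r)
```

The O8 mywebsearch line is deliberately left unflagged by these rules: a script like this narrows the list for a human, it does not replace the judgement momok applied to each line.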
 
Hi Momok.

Many thanks again for the advice! I'm very impressed with how helpful people are on this forum.

One thing:

Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

I've looked and I can't see this attachment? Now, it might just be me after only 5 hours sleep being a touch unfocused! If not, would you be able to up it so I can perform your suggested actions?

Re: the AVG log - my mistake. I did have actions set to Quarantine but saved the report prior to performing the actions! Very daft. I'll run a new log and attach once you up the Combo-Do.txt file.

Cheers,

G
 
Hi,

I'm sorry about that. I vaguely remember attaching it, though I might really have forgotten. Here it is.

Regards,
Your friendly momok =)

This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Why not take a look in Task Manager and actually see which process is hogging the CPU? Sort the process list by CPU usage and the hogs will nicely climb to the top.
 
Ok, first things first.....

Momok - have followed your instructions to the tee and have posted the resulting log files. Will await your reply!

CCT - many thanks for this info! I shall have a good read and see where it takes me.

Nodsu - many thanks also for taking time out to provide advice. However, I was aware of this little tip and as mentioned above it was initially iTunes which seemed to be messing with the CPU then, even when uninstalled, all other programmes (when used) appeared to be maxing out at 100%.

Anyway, cheers for all responses!

G
 
Hi,

Your system logs appear to be void of infection and the undesired programs/software you specified. However, I noted a suspicious new entry in your combofix rootkit scan.

Please run AVG Anti Rootkit via Step 11 of the instructions HERE. Let me know the results of the scan.

Post a fresh ComboFix log in your next reply. Thanks.


Regards,
Your friendly momok =)

This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hey momok,

Have now run Anti-Rootkit again and the results came back clean, which is good news.

Have also attached an up-to-date Combofix log.

Will await your reply.

Thanks in advance,

G
 
Hi,

Your logs look clean now.

Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

You may also delete the C:\VundoFix Backups folder and its contents.

Turn off system restore (XP/ME only). Learn how to do that HERE.
This will remove all the remaining nasties from your old restore points.

After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly momok =)

This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
By definition, several processes cannot use 100% of CPU each. If you launch Notepad and the calculator, they can't both be at 100%, can they? Not to mention that at any moment in time you are running dozens of processes anyway and your CPU should be maxed out even when you do absolutely nothing at all.
 
Many thanks for all your help, guys. Things are a lot better. Still not 100% but I can at least use my PC again.

Btw, I was originally unable to use the Trend Micro online scan but I thought I'd give it another go today.

It seemed to be going great guns but, unfortunately, it hung after the scan appeared to finish. However, it did highlight several spyware / grayware items which I was about to jot down when iexplorer shut down! These items were not picked up by Norton (prior to the uninstall of said piece of junk) nor by AVG on any of the scans I performed.

I'm going to try the online scan again so I can hopefully at least ascertain the info and will post back here.

G
 
Well, Trend Micro ran to a point and then hung again. Very annoying. So, I tried Panda's online system scan and it brought up 9 items. I've attached the log. Any ideas?

Thanks as always!

G
 
Hi,

I would advise you to run the online scan again and fix the first 5 entries. The log is not detailed enough and does not provide which files or values in the registry are infected so I can't instruct you exactly which to remove.

With regards to the following however, they are actually legit files, not infections, though most likely rarely used. Fixing them is entirely up to your choice.

These two are related to a software bundle from HP:
C:\hp\bin\KillIt.exe
C:\hp\bin\Terminator.exe

Part of the backweb utility which according to McAfee:
This is neither a virus or trojan. ProcKill-BU is a potentially unwanted program. This is a command-line utility to terminate applications. Such utilities have been known to be misused; bundled with trojans for malicious purposes.

These two are part of the files we used in helping you fix your infection previously. Retaining them is again up to your choice.
C:\WINDOWS\nircmd.exe
C:\WINDOWS\system32\Process.exe


Regards,
Your friendly momok =)

This thread is for the use of Gazington only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Well it's taken me a while to get back to this but I think I have found the answer! Having run various anti-virus scans etc. (and, by the way, a couple of nasties were found including one Trojan) my system was still dragging badly and especially on audio / video files or system hogs like Photoshop (which I need for work).

Blindly typing into search engines led me to the following site which contained info about the Primary IDE's Direct Memory Access (DMA) possibly being set from Ultra DMA Mode 5 to PIO as a result of any one of a number of system related things (more info within the link):

http://winhlp.com/WxDMA.htm

And, guess what? On checking out my Primary IDE's DMA.... VOILA! It was set to a default of PIO! Having followed the advice given in the above link I removed the MasterIdDataChecksum from the relevant key and rebooted and now my system is running like a dream!

It's only been 24 hours so it's still early days. However, I know that in the short term at least, I have a solution.

No idea if the Mods have this remedy stickied anywhere else on this Forum but it certainly saved me from going out of my mind and I would recommend it is added maybe to an existing (relevant, i.e. non-Spyware) thread?

Anyway, I just wanted to let you guys know about this. I also wanted to say a BIG thank you to all those who have helped me along the way. I'll be a frequent visitor here for tips and system advice as the anti-virus info and system tune-up threads are excellent.

Keep up the good work.

G
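As an added example, not from the thread or from the winhlp page it links, here is a Python script that does the check Gazington describes: it walks the per-channel driver subkeys of the IDE ATA/ATAPI controller class, reports which of them carry a MasterIdDataChecksum (and its sibling SlaveIdDataChecksum, which the thread does not mention), and clears them only when run with --remove. It assumes the device class GUID {4D36E96A-E325-11CE-BFC1-08002BE10318}, which is Windows' documented class for IDE ATA/ATAPI controllers (the post itself only says "the relevant key"), and Python's winreg module, so it only runs on Windows and needs an administrator account. A reboot is still required afterwards, exactly as in the post.

```python
import sys

# Added example: locate (and optionally clear) the checksum values Windows XP
# writes after repeated transfer errors, which pin an IDE channel in PIO mode.
# Assumed: the IDE ATA/ATAPI controller device class GUID below (a documented
# Windows class GUID); SlaveIdDataChecksum is the second-device counterpart.
IDE_CLASS_KEY = (r"SYSTEM\CurrentControlSet\Control\Class"
                 r"\{4D36E96A-E325-11CE-BFC1-08002BE10318}")
CHECKSUM_VALUES = ("MasterIdDataChecksum", "SlaveIdDataChecksum")


def checksum_values_to_clear(value_names):
    """Pure decision logic: which of the known checksum values are present."""
    present = set(value_names)
    return [v for v in CHECKSUM_VALUES if v in present]


def enumerate_values(key):
    """List value names under an open registry key (winreg raises OSError at the end)."""
    import winreg
    names = []
    i = 0
    while True:
        try:
            name, _data, _kind = winreg.EnumValue(key, i)
        except OSError:
            break
        names.append(name)
        i += 1
    return names


def scan_ide_channels(remove=False):
    """Return {subkey: [values found]} for each channel carrying a checksum value.

    With remove=True the values are deleted so that Windows re-detects the
    transfer mode (DMA rather than PIO) at the next reboot."""
    import winreg
    findings = {}
    access = winreg.KEY_READ | (winreg.KEY_SET_VALUE if remove else 0)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IDE_CLASS_KEY) as cls:
        i = 0
        while True:
            try:
                sub = winreg.EnumKey(cls, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(cls, sub, 0, access) as chan:
                    hits = checksum_values_to_clear(enumerate_values(chan))
                    if hits:
                        findings[sub] = hits
                        if remove:
                            for v in hits:
                                winreg.DeleteValue(chan, v)
            except OSError:
                # Non-channel subkeys such as "Properties" may refuse access; skip them.
                continue
    return findings


if __name__ == "__main__":
    do_remove = "--remove" in sys.argv[1:]
    found = scan_ide_channels(remove=do_remove)
    if not found:
        print("No checksum values found: the PIO fallback is not caused by this key.")
    for sub, values in found.items():
        action = "cleared" if do_remove else "found"
        print(f"{sub}: {action} {', '.join(values)}")
    if found and do_remove:
        print("Reboot so Windows re-detects the transfer mode.")
```

Run it once without --remove to see which channel subkey (0000, 0001, ...) holds the value before changing anything; if the channel drops back to PIO again after a clean reboot, the drive or cable is still producing the errors that made Windows downgrade it, and clearing the value only treats the symptom.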
 
Glad that your system is fine again.
I have moved this to the CPUs, Chipsets and Mobos section.

Regards,
Your friendly momok =)
 