Solved Hidden 50% CPU use + Internet connects but no function

Status
Not open for further replies.

WanderDragon

I seem to be having an odd issue I'm not finding any information on. Likely I just don't know where to look, but so far nothing has resembled any of what I'm dealing with beyond the MyWebSearch malware aspect. All communication is currently through a laptop I also have.

Task Manager claims CPU in use approximately 50% or so, mild increases and decreases but it averages to a lovely half. The difficulty I am having is while it claims usage, it also does NOT indicate any running process that is drawing the power. I've checked several times over the course of a week. So far I have run a fully updated Microsoft Security Essentials scan, SDFix, CHKDSK, pagefile reset/defrag, and the entire 8-step guide for viruses/spyware/malware. Have somewhat regularly used Advanced WindowsCare as well, but not in the duration of this issue. Due to the lack of internet success Malwarebytes could not be updated beyond the install file updated last at 4/29/2010 I believe. Still blasted over 40 items, most of which were mywebsearch. I am including the following logs: hijackthis, gmer, DDS/Attach, mbam (both a quick and a full scan found something, a third scan was clean, quick log attached, can only attach 5 files).

To the internet problems, likely tied to the malware as I believe it took place around a similar time. I have no problems whatsoever connecting to the Wireless LAN or to the internet. The problem is specifically I am almost totally unable to transfer any data through said connection. Occasionally it will slow down and I get reasonable data transfer rates, other times bad rates. Generally it has all been growing slowly worse over the past few weeks. Have had no transfer windows long enough to even get 5 MB for almost two days. Appeared to have a pattern of doing better on initial startup...or as long as something was transferring....or late at night. All possible patterns have been disproved by randomness and it is likely just perception. Been completely locked up since yesterday now with no change.

Last time I had a strange problem I actually needed assistance with, I stumped Tier II tech support. That had been an issue with City of Heroes and not my computer though, if I recall it right.

Help is greatly appreciated. Have enough problems right now without fighting with my computer.
 

Attachments: Attach.txt (17.7 KB), DDS.txt (18.6 KB), gmer.log (3.7 KB), hijackthis.log (10.1 KB), mbam-log-2010-06-13 (02-52-01).txt (4.7 KB)

You're running two AV programs, Norton and MSE. One of them has to go.
If Norton, use Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039

Then...


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
I appear to have left it lacking clarity. I do not have functional internet access on my desktop to download updates. I get, if I'm lucky, speeds as blazing fast as 0.6 kB/s. I am currently trying to let ComboFix try to run its updates and get the Recovery Console, but it could be a few hours if I don't get any speed spikes, of course only if it manages to work at all. I'll just let it run and hope the connection cooperates.

Also, in addition to the despised Norton needing removal, it is a 2001 version, partially uninstalled. I never thought much of it until recently as nothing was making it cranky. It has been gradually showing its age in recent months and complaining about things like Google Desktop. My system was less than a year ago completely upgraded from a hardware stance, with all data transferred to a new 500GB HDD via Acronis. I know I should have spent time to clean up the software spaghetti that is my computing habits over the past ten years, but with a combo of not having all the disks together at any single point or lacking time, it never happened.

Yes, I'm sure I'm giving you professional, knowledgeable, well-experienced tech guys some serious groans, but at least you get another unique situation to add to your belts. Oh, and as long as it is clear to a layman that has fiddled with msconfig (startup tab only) without crashing the system, I think I can handle relatively complex instructions as needed with proper step-by-step. I haven't even plugged my external HDDs back in yet. I'll deal with those later. x.x;

(Quick update: Two hours after trying to let combofix do its thing, it stopped the crawling progress at 18% while trying to download from download.microsoft.com while trying to get Recovery Console. Will run without updates one time for now. I have to accept total block on internet at this point. Still potential to put a Cat5 to the router, but have a feeling that won't do anything useful. ...help... :( )

(Another quick update: Combofix log attached. Un-updated run one time through.)
 

Attachments: combofix.txt (32.7 KB)

Did you have a chance to run Norton Removal Tool?

======================================================================

Unless you installed Viewpoint Manager knowledgeably...
Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
Uninstall any of the following programs associated with Viewpoint:
* Viewpoint Manager
* Viewpoint Media Player
* Viewpoint Toolbar
This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

====================================================================

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\system32\ezsidmv.dat
c:\documents and settings\Slade D'ravnos\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
c:\windows\Alcmtr.exe
c:\docume~1\SLADED~1\LOCALS~1\Temp\lredbooo.sys
c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
c:\windows\Tasks\Symantec NetDetect.job


Folder::
c:\documents and settings\All Users\Application Data\Viewpoint


Driver::
Viewpoint Manager Service
lredbooo


Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Slade D'ravnos^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]


RegLockDel::

SecCenter::
{B5510F6F-87E1-47F7-A411-360BC453007C}


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
Norton uninstalled smoothly via Add/Remove Programs. I had this braindead habit for a while years ago to just delete files willy nilly when I wanted to get rid of a program. I don't know why this made sense at the time. Never tried Add/Remove Programs method because it didn't occur to me with most programs having their own uninstall included.

Viewpoint is gone too. Never opened it at all, just saw this random update window pop up one day and didn't know what the heck it was from because I'd never heard of Viewpoint before.

ComboFix ran smoothly. Txt was above 200 KB so I broke it in half to get the file uploaded.
 

Attachments: combofix1.txt (186.6 KB), combofix2.txt (182 KB)

You must run Norton Removal Tool: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039 as I suggested to remove all Norton's leftovers. Add\Remove, in the case of damn Norton, is not enough.

How is the computer doing at the moment?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav
CREATERESTOREPOINT



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Ran the Norton tool and far as I know, it ran fine. No indication other than a reboot.

Computer is still indicating the CPU usage without a process claiming it. Internet has not improved either. Whatever the heck is wrong, it seems to be untouched just yet, but at least each step gets me closer to solving the problem. Maybe I'm the lucky holder of a botnet file or something. x.x

Ran OTL as requested. Files were plenty small enough to simply attach.
 

Attachments: OTL.Txt (99.8 KB), Extras.Txt (44.3 KB)

Update your Java version here: http://www.java.com/en/download/installed.jsp
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

=====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - [2004/10/15 16:24:42 | 000,206,048 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
    DRV - [2004/10/15 16:24:18 | 000,266,432 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys -- (SYMTDI)
    DRV - [2004/10/15 16:24:16 | 000,025,824 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys -- (SYMREDRV)
    DRV - [2003/05/27 12:00:34 | 000,073,496 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Symantec\SYMEVENT.SYS -- (SymEvent)
    O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {724D43A0-0D85-11D4-9908-00400523E39A} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O16 - DPF: {00000161-0000-0010-8000-00AA00389B71} http://codecs.microsoft.com/codecs/i386/msaudio.cab (Reg Error: Value error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O16 - DPF: Yahoo! Chat http://cs5.chat.sc5.yahoo.com/c381/chat.cab (Reg Error: Key error.)
    [2004/07/13 19:08:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Slade D'ravnos\Application Data\Kontiki
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "139:TCP" =-
    "445:TCP" =-
    "137:UDP" =-
    "138:UDP" =-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" =-
    "2869:TCP" =-
    "139:TCP" =-
    "445:TCP" =-
    "137:UDP" =-
    "138:UDP" =-
    
    :Files
    C:\Program Files\Common Files\Symantec Shared
    C:\WINDOWS\SYSTEM32\DRIVERS\symtdi.sys
    C:\WINDOWS\SYSTEM32\DRIVERS\symredrv.sys
    C:\Program Files\Symantec
    
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [resethosts]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Java updated.

OTL fix and quick scan completed.

CPU usage and internet problems unchanged. Can only imagine how slow things would be if I didn't have a dual core.
 

Attachments: 06172010_073749.log (15.7 KB), OTL.Txt (95.5 KB)

Download Process Explorer: http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
Unzip ProcessExplorer.zip, and double click on procexp.exe to run the program.
Click on View > Select Columns.
In addition to the already pre-selected options, make sure the Command Line is selected, and press OK.
Go File>Save As, and save the report as Procexp.txt.
Attach the file to your next reply.

===========================================================

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Bah...internet was working with hiccups for less than three minutes. At least it actually worked briefly but not long enough to manage a Kaspersky scan. The only reason I've been getting anything done is specifically because I have been transferring files back and forth via USB flash drive. No internet-required tools are available until the internet problem is fixed for the foreseeable future.

Ran process explorer. From what I can tell, the primary draw appears to be in Interrupts. Specifically hardware interrupts. I do not know what this means but the log is attached. I left all start-up booting programs running for this. Been turning them off after boot to give as much over to cleaning programs as I can. Not running any scans beyond requested and not changing any program settings until this is all resolved.
 

Attachments: Procexp.TXT (6.3 KB)

Yeah, I think, we're dealing here with two issues.
1. There was definitely some infection, which should be pretty much clear by now. We'll finish cleaning procedure in couple more steps and then...

2. Hardware Interrupts high CPU usage is most likely related to some hardware issues.
I'm not a hardware guy, but from what I gather, it can be almost anything, hard drive, hard drive controller, or even motherboard. When we're done here, I'll ask you to create new topic at hardware forum here.

For now, since you have internet issues...using another computer and USB stick...

Please download AVP Tool by Kaspersky.

  • Save it to your desktop.
  • Reboot your computer in SafeMode.
    • You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    • Use your up arrow key to highlight SafeMode then hit Enter.
  • Double click the setup file to start installation.
  • It will by default install it to your desktop folder.
  • After installation, black window may open for a few moments. It's normal.
  • When program opens, make sure following boxes are checked:
    • Hidden startup objects
    • Startup Objects
    • Disk Boot Sectors
    • My Computer
    • Any internal, or external drives
  • After that click on Recommended (next to "Security level"), then Settings, then Additional tab and make sure, Deep scan under "Rootkit scan" is checked. Click OK.
  • Click on Start scan green button.
  • It will automatically neutralize any objects found.
  • If some objects are left un-neutralized then click the button that says Neutralize all.
  • If it says it cannot be neutralized then choose the delete option when prompted.
  • After that is done click on the reports button at the bottom and save it to a file; name it VRT.
  • Save the file to your desktop and just post only the detected Virus\malware in the report. It will be at the very top under Detected.
Note: This tool will self uninstall when you close it so please save the log before closing it.
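As an added example that is not part of this thread, the PowerShell snippet below samples the standard Windows performance counters for interrupt and DPC time: that is the kernel-side load Process Explorer lists as "Interrupts" and Task Manager attributes to no process. The 20% share used to flag a driver/hardware problem is an assumption, not a figure from the thread.

```powershell
# Added example (not from the thread): sample kernel-side CPU counters that the
# per-process view does not attribute to any process. High "% Interrupt Time"
# or "% DPC Time" with low per-process usage points at a driver or hardware
# problem rather than at a user-mode process. Counter names are the standard
# Windows performance counters.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Processor(_Total)\% Interrupt Time',
    '\Processor(_Total)\% DPC Time'
)

# Ten one-second samples; raise MaxSamples for a longer observation window.
$samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 10

# Collect each counter's values across the window, keyed by counter name.
# PowerShell hashtables are case-insensitive, so the lower-cased counter
# path returned by Get-Counter still matches the lookups below.
$values = @{}
foreach ($set in $samples) {
    foreach ($s in $set.CounterSamples) {
        $name = ($s.Path -split '\\')[-1]
        if (-not $values.ContainsKey($name)) { $values[$name] = @() }
        $values[$name] += $s.CookedValue
    }
}

# Print the average of each counter over the window.
foreach ($name in $values.Keys) {
    $mean = ($values[$name] | Measure-Object -Average).Average
    '{0,-20} {1,6:N1} %' -f $name, $mean
}

# Heuristic (assumption): if interrupt + DPC time is more than a fifth of the
# total CPU time, the "hidden" load lives in the kernel or a driver.
$kernel = ($values['% Interrupt Time'] | Measure-Object -Average).Average +
          ($values['% DPC Time'] | Measure-Object -Average).Average
$total  = ($values['% Processor Time'] | Measure-Object -Average).Average
if ($total -gt 0 -and ($kernel / $total) -gt 0.2) {
    'Most CPU time is in interrupts/DPCs: check drivers (NIC, storage) and hardware.'
} else {
    'Interrupt/DPC share is low: look at per-process usage instead.'
}
```

Run it while the unexplained CPU load is present; a persistently high interrupt or DPC share points at the same driver or hardware layer the thread ends up suspecting.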
 
Ran the tool without a problem. Perhaps I missed the right spot to look, but I could not find what seemed to be a log like you mentioned. I did however copy and paste the text of the log. Only two items were deleted. No other problems detected by the Kaspersky scan.

And I really hope my hardware is working and it's just a driver problem that needs updating. The whole damn computer is new. Oldest thing is a Wireless-N card about a year old. Would be my luck if something broke.
 

Attachments: VRT.txt (618 bytes)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================


Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please, let me know, how is your computer doing.
 
Well this message is being posted with my desktop so the internet is functioning much better now. Which is to say it actually works now. o.O;

Had a BSOD yesterday. Not sure why, but I believe it was more likely due to stupidity with the Spring Engine's SpringLobby (http://springrts.com/) and some mod issues. Updated my WDA-552 wireless card driver as well, now version 1.60.

Going to give some time and see if it was just a driver issue causing the hardware interrupts, but so far it is looking much improved. As the CPU usage was sometimes variable, a couple days should show if I just had a driver issue or not. Internet was still quirky, though improved, after the cleaning and post-driver update appears full strength.

Thank you for all the help!
 