Computer Hope

Software => Computer viruses and spyware => Topic started by: Dues12 on June 26, 2009, 11:56:38 AM

Title: CPU running at 100% with no applications open
Post by: Dues12 on June 26, 2009, 11:56:38 AM
When I start up my Laptop I see the power indicator light flashing, but it doesn't stay lit. 
Once I actually login to my user account, it jumps to 100% and stays there.
I also get a notification upon login that I have no Firewall running...I've gone in and turned Windows Firewall on, and rebooted, but still get the same notification upon my next login.

If I boot from (not sure if it's HDD, or IDD) and then start Windows in Safe Mode, I do not get this problem, which leads me to believe it is a Virus.

I have:
Gateway 7330GZ, Pentium 4
Windows XP Home Edition, Version 2002, Service Pack 3, 3.06GHz, 3.06GHz, 480 MB of Ram (taken from my "System" screen)

My AVG hasn't caught anything, and I have it set to run every night and usually try my best to keep my CPU clean...I've run HJT numerous times in the past, and am familiar with the results - here's the recent HJT log, nothing seems to be new...I haven't made any changes to my system...last thing I recall doing before this problem came up was just running Windows Clean Up! followed by a Defrag of my C & D Drives.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:50 PM, on 6/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ssstars.scr
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\taskmgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sportingnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://secure.webroot.com/keycodes/alreadyregistered.asp?kc=SSDCRETLAAAANSLHUPPQ&lang=en
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\twext.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30FEDFBF-391B-45F7-8AFF-796E8A532869} (PCRHTML3.HTML1) - http://www.pcrecruiter.net/pcrimg/PCRHTML.CAB
O16 - DPF: {4F1F4A2E-F7D0-402E-BBFB-04AC32A6755F} (PCRMANF.FILEM) - http://www.pcrecruiter.net/pcrimg/pcrfilem.cab
O16 - DPF: {8FAC20B4-0B1D-4BAC-BCE0-59DA519DEE67} (PCRALM.ALARM1) - http://www.pcrecruiter.net/pcrimg/PCRALM.CAB
O16 - DPF: {F8E159B1-2433-478A-B82E-9CCC87A7FAFB} (PCRRTF4.RTF4) - http://www.pcrecruiter.net/pcrimg/MS.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 6440 bytes

Thank you in advance for any assistance.  If there's anything missing let me know and I can get it and post it tonight; I'm at work now and my Laptop is at home.

Josh

*Also, if I posted this in the wrong thread, I apologize and please let me know where to move it to.
Title: Re: CPU running at 100% with no applications open
Post by: harry 48 on June 26, 2009, 04:13:29 PM
Go to Task Manager, Processes, and take a photo of everything that's there so an expert can see it.

http://www.screencapturer.com/

Go to the above download and this will take a photo (maybe 2), save to docs and post here, use the 3rd right at the top; it will take what you want. harry
Title: Re: CPU running at 100% with no applications open
Post by: Quantos on June 26, 2009, 04:46:10 PM
Quote
go to task manager , proccess , and take a photo of everything thats there so an expert can see it


Make sure that you get all of the processes, if you can't fit them all in one image scroll down and take a second.  Also make sure that you enable 'Show Processes For All Users'.


Title: Re: CPU running at 100% with no applications open
Post by: harry 48 on June 27, 2009, 02:12:50 PM
Quantos, when you open Task Manager it opens at Processes; where do you enable "Show Processes For All Users"?

Quote
Also make sure that you enable 'Show Processes For All Users'
Title: Re: CPU running at 100% with no applications open
Post by: Dues12 on June 29, 2009, 09:05:10 AM
Thanks, Quantos and harry 48; hectic weekend so I didn't get a chance to jump online and work on this...
I'll take the screen shot(s) tonight when I get home from work and will post.
Title: Re: CPU running at 100% with no applications open
Post by: Dues12 on July 02, 2009, 05:43:05 PM
I've attached the two shots taken with Screencapture.
As indicated, I took these shots with 'Show Processes For All Users' enabled.
(harry, at the bottom right of the task manager processes screen, you can check a box to 'Show Processes For All Users')

I'm not sure if this will be helpful also, but in case it is, I have also attached the last HJT Log I'd saved before this problem started - I haven't compared the two HJT Logs yet as this thought just occurred to me.

Thank you in advance for the assistance.

[attachment deleted by admin]
Title: Re: CPU running at 100% with no applications open
Post by: geek hoodlum on July 02, 2009, 09:55:25 PM
Hi Dues12,

Have you tried SAS and MBAM?
Title: Re: CPU running at 100% with no applications open
Post by: Dues12 on July 03, 2009, 07:56:16 AM
Quote
Hi Dues12,

Have you tried SAS and MBAM?

Randy,
I am not familiar with either program, but can look into downloading and running them today.
I'm also starting to move the few files I do have on my hard drive to an external hard drive so I'm ready to do a destructive system restore if need be to fix my problem...but first let me try the programs you'd mentioned.
Thank you.


Title: Re: CPU running at 100% with no applications open
Post by: Dues12 on July 03, 2009, 08:03:03 AM
Forgive my ignorance here, but I'm assuming I cannot run all the virus/etc scans when my computer is started in safe mode, and instead I need to run the virus/etc scans in normal mode (which will take forever...) - is this correct?

*Also,
I just compared the two HJT Logs I have, I noticed a few inconsistencies, some of which can be explained...others though...here are all the inconsistencies found:

Processes that were running on 6/25, but not on 6/5:

C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ssstars.scr
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE


Reg Entries not found on 6/25, but found on 6/5:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page =
http://go.microsoft.com/fwlink/?LinkId=54843
(This was an old entry I had removed)

O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2
Studios\Startup Delayer\Startup Launcher GUI.exe"
(I'd decided since I wasn't starting up more than a couple of programs now, I no longer needed to run SUD)

O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
(Didn't look like I needed this - I don't use excel much - so I removed it)
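The manual comparison above can be scripted. The following Python is an added example, not code from the thread: it parses two constructed, abbreviated HijackThis logs (a few lines modelled on the 6/5 and 6/25 logs the poster compared, not the full logs) and reports which running processes and which R/F/O entries appeared or disappeared between them.

```python
import re

# Constructed, abbreviated HJT logs modelled on the poster's 6/5 and 6/25 logs.
LOG_OLD = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:00 PM, on 6/5/2009

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [StartupDelayer] "C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
"""
LOG_NEW = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:50 PM, on 6/25/2009

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# HJT keyed entries start with a section code such as R0, F2, O4 or O23.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - ")

def parse_hjt(text):
    """Return (running processes, keyed entries) from one HJT log."""
    procs, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False           # a blank line ends the process list
        elif in_procs:
            procs.add(line.lower())    # Windows paths are case-insensitive
        elif ENTRY_RE.match(line):
            entries.add(line)
    return procs, entries

def diff_hjt(old_text, new_text):
    """List what appeared in and disappeared from the newer log."""
    old_procs, old_entries = parse_hjt(old_text)
    new_procs, new_entries = parse_hjt(new_text)
    return {
        "processes_added": sorted(new_procs - old_procs),
        "processes_removed": sorted(old_procs - new_procs),
        "entries_added": sorted(new_entries - old_entries),
        "entries_removed": sorted(old_entries - new_entries),
    }
```

Run `diff_hjt(LOG_OLD, LOG_NEW)` on the full saved logs to get the same four lists the poster compiled by hand.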
Title: Re: CPU running at 100% with no applications open
Post by: evilfantasy on July 04, 2009, 12:21:44 PM
If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM) (http://www.malwarebytes.org/mbam-download.php)

Alternate MBAM download link (http://www.besttechie.net/tools/mbam-setup.exe)

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

----------

Download DDS from |HERE| (http://www.techsupportforum.com/sectools/sUBs/dds) or |HERE| (http://download.bleepingcomputer.com/sUBs/dds.scr) or |HERE| (http://www.forospyware.com/sUBs/dds) and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall tries to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
Title: Re: CPU running at 100% with no applications open
Post by: Dues12 on July 06, 2009, 01:58:44 PM
Thank you to everyone for your comments and help.
I'm pleased to announce my issue has been resolved.
After installing, updating, and running a couple of Anti-Spyware programs I was able to remove 8 traces of a Trojan Horse - progdav or something like that - and my CPU is now back to running as it should.
Thank you!!!!

Josh
Title: Re: CPU running at 100% with no applications open
Post by: evilfantasy on July 06, 2009, 02:03:53 PM
Lack of symptoms doesn't always mean all of the malware is gone. Without posting the logs we can't know if everything was actually removed or not.
Title: Re: CPU running at 100% with no applications open
Post by: Dues12 on July 08, 2009, 09:23:25 AM
Quote
Lack of symptoms doesn't always mean all of the malware is gone. Without posting the logs we can't know if everything was actually removed or not.

Good point; thank you, evilfantasy.
What logs in specific should I post?
I'm pretty sure it was Spysweeper out of the 3 I ran that located the traces and removed them...

Let me know and I should be able to post any needed logs tonight after work.

Thank you,
Josh
Title: Re: CPU running at 100% with no applications open
Post by: evilfantasy on July 08, 2009, 10:47:37 AM
If you already have Malwarebytes be sure to update it before running the scan!

Download Malwarebytes' Anti-Malware (MBAM) (http://www.malwarebytes.org/mbam-download.php)

Alternate MBAM download link (http://www.besttechie.net/tools/mbam-setup.exe)

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

----------

Download DDS from |HERE| (http://www.techsupportforum.com/sectools/sUBs/dds) or |HERE| (http://download.bleepingcomputer.com/sUBs/dds.scr) or |HERE| (http://www.forospyware.com/sUBs/dds) and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall tries to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.