Hi everyone,

I am new to this forum bit. My laptop has a process running under task manager that jumps from 95% - 99% constantly. It is "CCSVCHST.EXE". when looking it up says my Norton Antivirus, so I left it alone for a day thinking updates could cause bit of lag. It's been like this a week now, I have researched alot and tried hijack this, not sure if that is the direction I should go or what. I have ran the standard stuff, adware, spubot, antivirus etc all after updates, but I don't think those are the problem. I am not familiar with hijack stuff so looking for advice.

Any advice would be greatful, including telling me to go to the Hijack this forum too if that's what's needed.

Thanks

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can also download and use AnVir TaskManager Free or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

Thanks quietman,

I have not had too much time to mess with it. I did install the avir and try to look at detailed properties on each, then cross reference them with the trend secure or something like that. But when I did a search for them in folders on my comp it came up empty, even looking in the registry folders.

I did forget to mention yest just saw it when I boot up, that Norton has noted that winlogon.exe made 12601916 modifications to my comp. And every time I boot up Norton shows "an intrusion attempt by members.chello.pl was blocked. I am looking at the intrusion attempts in Norton and I see alot from different ip addresses. this can't be good.

Help.

Norton's might need a little help, sounds like something got thru

http://www.bleepingcomputer.com/forums/ind...st&p=876163

I would MBAM from normal mode

and run a full scan with Norton's from safe mode

http://www.malwareremoval.com/tutorials/safemodeboot.php

Hey Chewy,

Thanks for the suggestions. I did what you said and with the malware found 4-5 items like backdoorbots etc. removed them. Ran Norton in safe, but only found 1 tracking cookie that they considered low risk. A friend of mine suggested Trend Micro house calls, ran that and found 30 tracking cookies and removed. House calls at the end trys to upload info i guess to their site but that shows as unable try again? which I do over and over but no sucess.

Your recommendation and Malwareremoval got rid of the huge cpu consumption and computer seems to be clean.

Thank you.
Jussbe1

If malwarebytes comes up clean with another scan you might keep an eye on the computer and be sure and read this link as a closing all clean one

An ounce of prevention

http://www.bleepingcomputer.com/forums/ind...st&p=878943

there are a few infections that come back after a reboot, it's always better to post the MBAM log of the initial cleansing

Here is the original MBAM log, if I remember correctly MBAM showed 4-5 things after scan, maybe some were dups. I did run it at least 2 more times, same with trend micro housecall. Things are smoother now, but something is always running close to cap on CPU, right now it is system idle process around 92, last night starcraft 99, originally why I posted was ccscvhost running max. Makes me think infection moved somewhere else in computer, though it does run better now.


Scan type: Full Scan (C:\|D:\|)
Objects scanned: 194118
Time elapsed: 3 hour(s), 23 minute(s), 38 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Documents and Settings\Brandon\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\AdvRemoteDbg (Adware.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows logon applicationedc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WhoisCL.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon\winlogon.exe (Backdoor.Bot) -> Delete on reboot.

My system idle stays in the high 90's, when I start a video encoding(my other hobby), it goes to 99% for that program

system idle is what's available, the more the better

To elaborate on what DaChew said. System Idle process is used for measuring how much idle time the CPU is having at any particular time (100% minus the sum of all tasks CPU usage). It accounts for processor time when the system is not processing other threads and will display how much CPU resources, as a percentage are 'idle' and available for use. One instance of this process operates per CPU, and runs to occupy the processor when other threads are not running. System Idle process also issues HLT commands which put unused parts of the CPU into a suspend mode, thereby cooling the processor. Normally this process should take up at least 90%+ of processor time on average (this is the value in the CPU column). Thus, in non-technical terms, this figure represents how much CPU time has not been requested by anything else on your system.

Did you reboot the computer after using MBAM? If it encounters a file that is difficult to remove, you need to restart the computer so the malware can be fully removed. Failure to do so will prevent MBAM from removing all the malware. Your log indicates some files will be deleted on reboot. If you have not rebooted, make sure you do this. When done, rescan again with MBAM, click the Logs tab and copy/paste the contents of the new report in your next reply.

IMPORTANT NOTE: One or more of the identified infections was a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Further, in some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

"When should I re-format? How should I reinstall?"
"Help: I Got Hacked. Now What Do I Do?"
"Where to draw the line? When to recommend a format and reinstall?"