
One cpu of a Pentium D dual core pegs at 100% - Malware?

25 replies to this topic

#1 Whatsup22
Posted 11 August 2009 - 12:15 AM

Dell XPS with Pentium D dual core processor.

For the last year I have a recurring problem. For unknown reasons, cpu 0, can hit 100%, while cpu1 usage bounces around as "normal". While overall cpu usage may be say 53%, with cpu0 pegged at 100%, the computer just crawls. I have been unable to identify the source of the problem.

SAS, MBAM, AAW, SS&D and F-secure (branded by my ISP as Shaw-secure) have found various problems and corrected them, but the 100% cpu issue persists. Just when I think it's gone, it's back. Not sure what's triggering it.

When this issue happens and I display processes in task manager, there is often no correlation between total of processes cpu usage and what's being reporting as total cpu usage (and as seen on the performance tab graphs). I think this suggests malware ... but I can't find it if it's there.

I did produce a hijackthis log via Anvir while I was experiencing the problem and will post it if needed. I also have some .pdf screen captures of task manager while the problem is occurring if they are of use.

Other interesting (or not) things I'm currently noticing ...
  • outlook.exe often doesn't stop when the outlook gui is closed (this is something new)
  • the font on the task bar looks like "safe mode" fonts but I'm not in safe mode (I've seen this before from time to time)
  • once in safe mode, it's hard to get the computer to reboot normally. I often have to choose "last settings known to be good" (or whatever the exact wording) to get it to reboot normally. (I've had this problem for quite some time).

Help ! Jay


#2 garmanma
Posted 11 August 2009 - 07:36 PM

Welcome to BC

Update mbam and run a FULL scan
Please post the results
------------------------------------------

Then run ATF and SAS



ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

Mark

#3 Whatsup22
Posted 12 August 2009 - 01:09 AM

Thanks Mark !

Ran updated MBAM, ATF and SAS as requested. MBAM and SAS logs follow.

Still had problems getting it to reboot into normal mode. It reboots into something that looks like normal mode (screen background looks normal for example), but only some processes start and F-Secure (Shaw Secure) won't run. Using the "reboot using last known good settings" (sorry, I've forgotten the exact wording), I manage to get a normal boot.

SAS found 4 tracking cookies which it deleted.



Malwarebytes' Anti-Malware 1.40
Database version: 2608
Windows 5.1.2600 Service Pack 3

8/11/2009 10:31:49 PM
mbam-log-2009-08-11 (22-31-49).txt

Scan type: Full Scan (C:\|)
Objects scanned: 178440
Time elapsed: 46 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/11/2009 at 11:32 PM

Application Version : 4.27.1002

Core Rules Database Version : 4051
Trace Rules Database Version: 1991

Scan type : Complete Scan
Total Scan Time : 00:45:39

Memory items scanned : 242
Memory threats detected : 0
Registry items scanned : 6451
Registry threats detected : 0
File items scanned : 72699
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\J. Wear\Cookies\j._wear@advertising[1].txt
C:\Documents and Settings\J. Wear\Cookies\j._wear@doubleclick[1].txt
C:\Documents and Settings\J. Wear\Cookies\j._wear@atdmt[2].txt
C:\Documents and Settings\J. Wear\Cookies\j._wear@247realmedia[2].txt

#4 DaChew
Posted 12 August 2009 - 01:37 AM

Let's get a good look at what's running on that computer.

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

copy and paste into a reply
Chewy

#5 Whatsup22
Posted 12 August 2009 - 02:03 AM

Here's the Process Explorer log. Note that at the moment, my system is behaving itself (cpu usage negligible). I have a recent hijackthis log (via AnVir) taken while the problem was occurring yesterday if that's of any use.

I see Outlook.exe continues to run even though I exited the application several minutes ago.

Many thanks.


Process PID CPU Description Company Name
System Idle Process 0 98.48
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 652 Windows NT Session Manager Microsoft Corporation
csrss.exe 720 Client Server Runtime Process Microsoft Corporation
winlogon.exe 744 Windows NT Logon Application Microsoft Corporation
services.exe 788 0.76 Services and Controller app Microsoft Corporation
svchost.exe 1016 Generic Host Process for Win32 Services Microsoft Corporation
CTxfispi.exe 2236 SPI (Creative X-Fi Module) Creative Technology Ltd
ehmsas.exe 2448 Media Center Media Status Aggregator Service Microsoft Corporation
unsecapp.exe 3796 WMI Microsoft Corporation
wmiprvse.exe 3828 WMI Microsoft Corporation
svchost.exe 1096 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1204 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1252 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1304 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1444 Generic Host Process for Win32 Services Microsoft Corporation
AAWService.exe 1512 Ad-Aware Service Application Lavasoft
spoolsv.exe 1600 Spooler SubSystem App Microsoft Corporation
svchost.exe 2008 Generic Host Process for Win32 Services Microsoft Corporation
a2service.exe 128 a-squared Service Emsi Software GmbH
cisvc.exe 196 Content Index service Microsoft Corporation
cidaemon.exe 3508 Indexing Service filter daemon Microsoft Corporation
CTSVCCDA.EXE 204 Creative Service for CDROM Access Creative Technology Ltd
fsgk32st.exe 260 F-Secure Anti-Virus Scanning Service F-Secure Corporation
fsgk32.exe 276 Gatekeeper Handler II F-Secure Corporation
fssm32.exe 512 F-Secure Scanner Manager F-Secure Corporation
FSMA32.EXE 272 F-Secure Management Agent F-Secure Corporation
FSMB32.EXE 428 F-Secure Message Broker F-Secure Corporation
FCH32.EXE 548 F-Secure Configuration Handler F-Secure Corporation
FAMEH32.EXE 920 F-Secure Alert and Management Extension Handler F-Secure Corporation
fsqh.exe 1660 F-Secure Quarantine Handler F-Secure Corporation
fspc.exe 1820 F-Secure Parental Control F-Secure Corporation
fsav32.exe 5032 FSAV Handler F-Secure Corporation
jqs.exe 476 Java™ Quick Starter Service Sun Microsystems, Inc.
nvsvc32.exe 540 NVIDIA Driver Helper Service, Version 77.74 NVIDIA Corporation
sprtsvc.exe 552 SupportSoft Agent Service SupportSoft, Inc.
svchost.exe 608 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 692 Generic Host Process for Win32 Services Microsoft Corporation
searchindexer.exe 2232 Microsoft Windows Search Indexer Microsoft Corporation
searchfilterhost.exe 4508 Microsoft Windows Search Filter Host Microsoft Corporation
searchprotocolhost.exe 5144 Microsoft Windows Search Protocol Host Microsoft Corporation
fsdfwd.exe 4080 F-Secure Internet Shield daemon F-Secure Corporation
fsaua.exe 640 F-Secure Automatic Update Agent F-Secure Corporation
fsorsp.exe 1012 F-Secure ORSP Service F-Secure Corporation
ehSched.exe 1184 Media Center Scheduler Service Microsoft Corporation
lxcjcoms.exe 1364 Printer Communication System
alg.exe 2776 Application Layer Gateway Service Microsoft Corporation
dllhost.exe 3496 COM Surrogate Microsoft Corporation
lsass.exe 800 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 1876 0.76 Windows Explorer Microsoft Corporation
DLLML.exe 848 DLL Module Loader Creative Technology Ltd.
VolPanel.exe 1744 VolPanel.exe Creative Technology Ltd
lxcjmon.exe 1644 Lexmark Device Monitor Lexmark International, Inc.
itype.exe 2096 IType.exe Microsoft Corporation
point32.exe 2128 Point32.exe Microsoft Corporation
ezprint.exe 2148 Lexmark Fast Pics Application Lexmark International Inc.
ehtray.exe 2292 Media Center Tray Applet Microsoft Corporation
DVDLauncher.exe 2344 CyberLink PowerCinema Resident Program CyberLink Corp.
tfswctrl.exe 2428 Drive Letter Access Component Sonic Solutions
Ctxfihlp.exe 2456 CTXfiHlp MFC Application Creative Technology Ltd
CtHelper.exe 2472 CtHelper Application Creative Technology Ltd
CTDVDDET.exe 2492 CTDVDDET Creative Technology Ltd
FSM32.EXE 2540 F-Secure Settings and Statistics F-Secure Corporation
fsguidll.exe 3096 F-Secure GUI component F-Secure Corporation
RTDCPL.EXE 2608 Realtek AC97 Audio Control Panel Realtek Semiconductor Corp.
AAWTray.exe 2728 Ad-Aware Tray Application Lavasoft
sprtcmd.exe 2812 SupportSoft, Inc.
jusched.exe 2892 Java™ Platform SE binary Sun Microsystems, Inc.
ctfmon.exe 3032 CTF Loader Microsoft Corporation
WindowsSearch.exe 3092 Windows Search System Tray Microsoft Corporation
OUTLOOK.EXE 2652 Microsoft Office Outlook Microsoft Corporation
iexplore.exe 2248 Internet Explorer Microsoft Corporation
iexplore.exe 4868 Internet Explorer Microsoft Corporation
iexplore.exe 424 Internet Explorer Microsoft Corporation
procexp.exe 5720 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
fsus.exe 224 F-Secure Automatic Update Agent - Run Upstreamer F-Secure Corporation
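
As an added example (not code from this thread), the script below parses a Process Explorer "File > Save" text dump in the layout shown above and checks whether idle time, the Interrupts/DPCs pseudo-processes and the listed processes add up to 100%. Task Manager does not show interrupt and DPC time as a process, which is the usual reason its process list does not sum to the reported total; Process Explorer lists them, so any large remainder that is still unaccounted for after counting them is what would merit a closer look. The sample log embedded in the block is constructed, not the poster's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Each row looks like:  <name> <pid | n/a> [<cpu %>] [<description> <company>]
# The CPU column is blank for processes that used no CPU in the sample interval.
ROW_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<pid>\d+|n/a)(?:\s+(?P<cpu>\d+\.\d+))?(?:\s+(?P<rest>.*))?$"
)

KERNEL_PSEUDO = ("Interrupts", "DPCs")   # pseudo-processes Task Manager does not list
IDLE = "System Idle Process"


@dataclass
class Row:
    name: str
    pid: Optional[int]   # None for the n/a pseudo-processes
    cpu: float           # per-process CPU %, 0.0 when the column is blank
    rest: str            # description and company, left unsplit


def parse_procexp(text: str) -> List[Row]:
    """Parse a Process Explorer text dump into rows, skipping the header and blanks."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Process PID CPU"):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # tolerate a wrapped or garbled line rather than abort
        pid = None if m["pid"] == "n/a" else int(m["pid"])
        cpu = float(m["cpu"]) if m["cpu"] else 0.0
        rows.append(Row(m["name"], pid, cpu, m["rest"] or ""))
    return rows


def cpu_accounting(rows: List[Row]) -> dict:
    """Split 100% CPU into idle, kernel pseudo-processes, listed processes and remainder."""
    idle = sum(r.cpu for r in rows if r.name == IDLE)
    kernel = sum(r.cpu for r in rows if r.name in KERNEL_PSEUDO)
    procs = sum(r.cpu for r in rows if r.name != IDLE and r.name not in KERNEL_PSEUDO)
    return {
        "idle": round(idle, 2),
        "kernel": round(kernel, 2),
        "processes": round(procs, 2),
        "unaccounted": round(100.0 - idle - kernel - procs, 2),
    }


def top_consumers(rows: List[Row], limit: int = 3):
    """Return the busiest non-idle entries as (name, pid, cpu), highest first."""
    busy = [r for r in rows if r.cpu > 0 and r.name != IDLE]
    return [(r.name, r.pid, r.cpu) for r in sorted(busy, key=lambda r: -r.cpu)[:limit]]


# Constructed sample in the same layout as the log above (not the poster's data).
SAMPLE = """\
Process PID CPU Description Company Name
System Idle Process 0 55.30
Interrupts n/a 30.10 Hardware Interrupts
DPCs n/a 4.60 Deferred Procedure Calls
System 4
svchost.exe 1016 Generic Host Process for Win32 Services Microsoft Corporation
wmplayer.exe 3100 7.00 Windows Media Player Microsoft Corporation
explorer.exe 1876 0.76 Windows Explorer Microsoft Corporation
"""

if __name__ == "__main__":
    sample_rows = parse_procexp(SAMPLE)
    print(cpu_accounting(sample_rows))
    print(top_consumers(sample_rows))
```

In the constructed sample most of the load sits in Interrupts, which points at a driver or hardware issue rather than at any process in the list.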

#6 DaChew
Posted 12 August 2009 - 02:21 AM

A lot of those Dells only came with 512 megs of ram
Chewy

#7 Whatsup22
Posted 12 August 2009 - 02:32 AM

I have 1 MB of RAM currently.

I can see the computer being slow, and both CPUs at high utilization if there were many processes running, but in my troubleshooting, I've actually stopped many of them, including F-Secure, and have stopped many of the services ... with no improvement. CPU0 would still be pegged at 100% while CPU1 was hardly being used. Is this normal behavior?

Thanks.

#8 DaChew
Posted 12 August 2009 - 02:50 AM

http://www.alexnolan.net/software/sysspec.htm

Use this tool to post a spec log


Use File/save to csv
Chewy

#9 Whatsup22
Posted 12 August 2009 - 09:20 AM

Here's the systemspec log ...

Windows: Microsoft Windows XP Professional 5.1.2600 Service Pack 3
Internet Explorer: 8.0.6001.18702
Memory (RAM): 1022 MB
CPU Info: Intel® Pentium® D CPU 3.00GHz
CPU Speed: 2936.1 MHz
Sound card: SB X-Fi Audio [DCE0]
Display Adapters: NVIDIA GeForce 6800 | NetMeeting driver | RDPDD Chained DD
Monitors: 1
Screen Resolution: 1680 X 1050 - 32 bit
Network: Network Present
Network Adapters: NVIDIA nForce Networking Controller #2 - Packet Scheduler Miniport
CD / DVD Drives: D: SONY DVD-ROM DDU1615 | E: HL-DT-STDVD+-RW GWA4164B
COM Ports: COM1
LPT Ports: NOT Present
Mouse: 5 Button Wheel Mouse Present
Hard Disks: C: 232.8GB
Hard Disks - Free: C: 199.0GB
USB Controllers: 2 host controllers.
Firewire (1394): 1 host controllers.
PCMCIA (Laptops): Not Installed
Manufacturer: Dell Inc.
Product Make: Dell DXG051
AC Power Status: OnLine
BIOS Info: AT/AT COMPATIBLE | 07/26/06 | DELL - 9
Time Zone: Mountain Standard Time
Battery: No Battery
Motherboard: Dell Inc. 0UH741
Modem: Not detected

#10 DaChew
Posted 12 August 2009 - 09:41 AM

I was hoping for more info on the cpu than that

http://www.intel.com/support/processors/to...b/CS-014921.htm
Chewy

#11 Whatsup22
Posted 12 August 2009 - 08:14 PM

Here you go...

Intel® Processor Identification Utility
Version: 4.10.20090310
Time Stamp: 2009/08/13 01:10:09
Number of processors in system: 1
Current processor: #1
Active cores per processor: 2
Disabled cores per processor: 0
Processor Name: Intel® Pentium® D CPU 930 3.00GHz
Type: 0
Family: F
Model: 6
Stepping: 2
Revision: F
Maximum CPUID Level: 6
L1 Instruction Cache: 2 x 12 Kµops
L1 Data Cache: 2 x 16 KB
L2 Cache: 2 x 2 MB
Packaging: LGA775
Enhanced Intel SpeedStep® Technology: No
MMX™: Yes
Intel® SSE: Yes
Intel® SSE2: Yes
Intel® SSE3: Yes
Intel® SSE4: No
Enhanced Halt State: No
Execute Disable Bit: Yes
Intel® Hyper-Threading Technology: No
Intel® 64 Architecture: Yes
Intel® Virtualization Technology: Yes
Expected Processor Frequency: 3.0 GHz
Reported Processor Frequency: 3.0 GHz
Expected System Bus Frequency: 800 MHz
Reported System Bus Frequency: 800 MHz
*************************************************************

#12 DaChew
Posted 12 August 2009 - 09:02 PM

My best guess is there is some damage to the OS/windows shell from past infections?

Please perform this online scan: Kaspersky Webscan
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Chewy

#13 Whatsup22
Posted 12 August 2009 - 11:10 PM

I was able to replicate the problem earlier tonight. I had a couple of streaming video windows open for quite a while and things were fine. Started up Media Player and played a .wmv file. Almost instantly, cpu0 went to 100%, cpu1 bounced between 5-10% utilization and things practically stopped. I was eventually able to shut down the streaming video windows and cpu0 utilization began to drop.

This is one example. The problem occurs at times when streaming video and/or Media Player are not active as well.

Some type of damage to the Windows shell could explain the challenges I have getting a normal reboot after being in safe mode, and the few other anomalies I'm seeing such as the Taskbar font.

I'll post the log asap.

Many thanks !

#14 DaChew
Posted 12 August 2009 - 11:18 PM

The problem with your video file playback is common, utilizing a single threaded player and improperly configured codecs, and compounded by a myriad of improperly encoded avi/mpeg4/h264/mkv files


Then you have to consider the driver and configuration for that video card which should be offloading cpu cycles to the video chipset better
Chewy

#15 Whatsup22
Posted 12 August 2009 - 11:52 PM

I'm getting the following error after downloading the various program files and database updates.

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Key is expired]



