
WinXP: CPU usage suddenly 100%, hijackthis log


  • This topic is locked
6 replies to this topic

#1 samak

  • Members
  • 61 posts

Posted 02 January 2010 - 05:13 PM

I am using windows xp. Suddenly, the CPU usage is close to 100% and extremely slow. I already updated and did a scan using malwarebytes and superantispyware. I also ran CCleaner and also scanned the registry. Usually these steps fix all problems, but now these programs did not find any problem, so I do not know why the computer is very slow suddenly.

I just ran hijackthis and got the following logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:06 PM, on 1/2/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://caculator/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3146 bytes


Do you have any ideas what the problem could be and how to fix it? Do I have a virus?

Thanks!

Edit: Moved topic from XP to the more appropriate forum. ~ Animal

Edited by samak, 02 January 2010 - 05:42 PM.



#2 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 11 January 2010 - 12:21 AM

Hello,

My name is Syler and I will be helping you to solve your malware issues. If you have since resolved your issues, I would appreciate it if you
would let me know so I can close this topic; if you still need help, please let me know what issues you are still having in your next reply.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and
we are trying our best to keep up.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window. If you do, click No.
  • Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  • Click on the Scan button and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push the Save button and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log
Thanks



#3 samak

  • Topic Starter
  • Members
  • 61 posts

Posted 15 January 2010 - 09:50 PM

Thank you. To clarify the problem, I found that whenever I ran "superantispyware" the CPU usage would go to 100% and it would take a very long time for the program to open, or sometimes it would never open. Now the problem went away; I think I fixed it by uninstalling "superantispyware" and downloading and installing it again. But could a bad rootkit have already infected my computer and still be there without me knowing it?


I will do what you said and post the log here.

#4 samak

  • Topic Starter
  • Members
  • 61 posts

Posted 15 January 2010 - 10:06 PM

OK, got the log file pasted below. Does everything seem fine?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-15 22:03:34
Windows 5.1.2600 Service Pack 2
Running: 7mhe7oqf.exe; Driver: C:\DOCUME~1\HOME~1.LAY\LOCALS~1\Temp\uftdapob.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF84470D0]
SSDT sptd.sys ZwEnumerateKey [0xF844CFB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF844D340]
SSDT sptd.sys ZwOpenKey [0xF84470B0]
SSDT sptd.sys ZwQueryKey [0xF844D418]
SSDT sptd.sys ZwQueryValueKey [0xF844D298]
SSDT sptd.sys ZwSetValueKey [0xF844D4AA]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 823641E8
Device \FileSystem\Fastfat \FatCdrom 81D9C790

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBPDO-0 821C91E8
Device \Driver\usbuhci \Device\USBPDO-1 821C91E8

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\PCI_NTPNP3104 \Device\00000049 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 823D51E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 823D51E8
Device \Driver\Cdrom \Device\CdRom0 821B31E8
Device \Driver\Cdrom \Device\CdRom1 821B31E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 823651E8
Device \Driver\atapi \Device\Ide\IdePort0 823651E8
Device \Driver\atapi \Device\Ide\IdePort1 823651E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 823651E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 81E5F1E8
Device \Driver\NetBT \Device\NetbiosSmb 81E5F1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BA59BC0B-0419-4780-B782-0D9F4A2A64AC} 81E5F1E8

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\usbuhci \Device\USBFDO-0 821C91E8
Device \Driver\usbuhci \Device\USBFDO-1 821C91E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81DDF790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81DDF790
Device \Driver\Ftdisk \Device\FtControl 823D51E8
Device \Driver\a96b8git \Device\Scsi\a96b8git1Port2Path0Target0Lun0 821901E8
Device \Driver\a96b8git \Device\Scsi\a96b8git1 821901E8
Device \FileSystem\Fastfat \Fat 81D9C790

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 820AA4C0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0x39 0x24 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x15 0xC1 0xB3 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2F 0xBF 0x52 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0x39 0x24 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x15 0xC1 0xB3 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2F 0xBF 0x52 0x65 ...

---- EOF - GMER 1.0.15 ----

Edited by samak, 15 January 2010 - 10:06 PM.


#5 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 16 January 2010 - 04:01 AM

Yes, that log looks fine. No other problems then?

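As an added example that is not part of this thread (it is neither samak's nor syler's code), here is how a responder can triage the kernel findings in the GMER log above instead of eyeballing them: it parses the System and Devices sections, attributes each SSDT hook and attached device to its driver image, uses the log's own sptd\Cfg...@p0 registry value to tie sptd.sys to DAEMON Tools, and reports anything not in an allowlist the analyst supplies. The allowlist contents and the single extra `unknown.sys` hook line are assumptions constructed for the demonstration; every other sample line is copied from the posted log.

```python
"""Triage the kernel findings in a GMER log against an analyst allowlist.

Added example, not code from this thread. Sample lines are copied from the
log in post #4 plus one CONSTRUCTED hook line marked below.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the posted GMER log (System, Devices and Registry sections).
POSTED_EXCERPT = r"""
---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF84470D0]
SSDT sptd.sys ZwEnumerateKey [0xF844CFB2]
SSDT sptd.sys ZwOpenKey [0xF84470B0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Driver\PCI_NTPNP3104 \Device\00000049 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 823D51E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\

---- EOF - GMER 1.0.15 ----
"""
# CONSTRUCTED, not in the posted log: a hook by a driver nobody can explain.
CONSTRUCTED_HOOK = r"SSDT \SystemRoot\System32\Drivers\unknown.sys ZwOpenProcess [0xF8A10000]"
SAMPLE_LOG = POSTED_EXCERPT + CONSTRUCTED_HOOK + "\n"

# Analyst-supplied allowlist (an assumption of this example). The log's own
# sptd\Cfg...@p0 value ties sptd.sys to DAEMON Tools; the AVG and Microsoft
# labels are version-info strings GMER read from the files and are only hints.
KNOWN_MODULES = {
    "sptd.sys": "SPTD layer installed by DAEMON Tools",
    "avgtdix.sys": "AVG network filter driver",
    "fltmgr.sys": "Windows Filter Manager",
}


@dataclass
class Finding:
    kind: str             # "SSDT", "AttachedDevice" or "Device"
    target: str           # hooked syscall, or the device object involved
    module: str           # driver image basename, lower-cased
    detail: str = ""      # hook address or GMER's version-info description
    verdict: str = ""     # "known" / "UNATTRIBUTED", set by triage()
    attribution: str = ""


SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]")
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)(?:\s+\((?P<desc>.*)\))?\s*$")
DEVICE_RE = re.compile(r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<owner>\S+)\s*$")
REG_P0_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\CurrentControlSet\\Services\\(?P<svc>[^\\]+)\\\S*@p0\s+(?P<path>.+?)\s*$")
HEX_ADDR = re.compile(r"[0-9A-Fa-f]{8}")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text: str) -> tuple[list[Finding], dict[str, str]]:
    """Return (findings, service_paths); service_paths maps a service name to
    the install path GMER dumped from that service's Cfg@p0 value."""
    findings: list[Finding] = []
    service_paths: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            findings.append(Finding("SSDT", m["func"], basename(m["module"]), m["addr"]))
        elif m := ATTACHED_RE.match(line):
            findings.append(Finding("AttachedDevice", m["device"], basename(m["module"]), m["desc"] or ""))
        elif m := DEVICE_RE.match(line):
            # Device lines normally end in an object address; when GMER prints a
            # module name there instead (sptd.sys in this log) attribute it too.
            if not HEX_ADDR.fullmatch(m["owner"]):
                findings.append(Finding("Device", m["device"], basename(m["owner"])))
        elif m := REG_P0_RE.match(line):
            service_paths[m["svc"].lower()] = m["path"]
    return findings, service_paths


def triage(text: str, allowlist: dict[str, str]) -> list[Finding]:
    findings, service_paths = parse_gmer(text)
    for f in findings:
        service = f.module.rsplit(".", 1)[0]   # sptd.sys -> service 'sptd'
        if f.module in allowlist:
            f.verdict = "known"
            f.attribution = allowlist[f.module]
            if service in service_paths:
                f.attribution += f"; service '{service}' config points at {service_paths[service]}"
        else:
            f.verdict = "UNATTRIBUTED"
            f.attribution = "no known owner: hash and signature-check the file on disk"
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, KNOWN_MODULES)
    for f in results:
        print(f"{f.verdict:12} {f.kind:14} {f.module:12} {f.target:32} {f.attribution}")
    print(summarize(results))
```

Run as-is it prints one row per hook or attached device and a count per verdict. For the lines taken from the posted log the result matches syler's reading: every SSDT hook and the `\Device\00000049` object belong to the SPTD layer DAEMON Tools installs, and the attached devices belong to AVG and Filter Manager. The allowlist is the important part: the vendor string GMER prints comes from the driver's version resource, which any file can carry, so a module you cannot tie to software you knowingly installed is reported and checked on disk (hash, Authenticode signature) before it is trusted.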


#6 samak

  • Topic Starter
  • Members
  • 61 posts

Posted 16 January 2010 - 10:41 AM

Great! No other problems.

Thanks!

#7 syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 17 January 2010 - 07:49 AM

OK, I will close this topic then.

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
