
CPU Maxed at 100% all the time.


  • This topic is locked
13 replies to this topic

#1 VicMJ

VicMJ

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Massachusetts, United States
  • Local time:04:15 AM

Posted 29 May 2010 - 05:53 AM

This is a Toshiba laptop with an AMD chip and running Windows 7 home premium. Using the task manager and selecting the "show processes from all users" button on the processes tab I see hundreds of Windows error reports running. None of the programs running in the processes tab of the task manager shows any time but the CPU is at maxed out or at 100 % all the time. This system is so bad that I have to file this report from another PC. Has anyone seen anything like this before? Vic



#2 coxchris

coxchris

  • Members
  • 1,151 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atwater
  • Local time:02:15 AM

Posted 29 May 2010 - 11:30 AM

CPU should not run at 100% constantly unless you are running a very high intense application.

Please download Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx), extract it, and run the application. You don't need to install this program; it runs by itself.

There's a graph in that program that tells what process is bogging down your CPU. Please reply with the name of that process in your next post.

What are some applications you have on your laptop, and what anti-virus do you have on it? I know that Panda Anti-Virus does this.

AA in Computer Networking Technology

BS in Information Technology 

Comptia A+, Project+, L+

Renewable:  N+,S+

CIW Web Design Specialist, JavaScript Specialist,  Database Design Specialist 

LPIC-1, SUSE 


#3 VicMJ

VicMJ
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Massachusetts, United States
  • Local time:04:15 AM

Posted 30 May 2010 - 05:22 PM

Thank you very much for your help. The first thing was boot-up and uninstall Panda Anti Virus. On reboot the same Microsoft updates want to install. They keep the system from going down to restart. I had to force a power off and back on. I then disabled Microsoft updates. The anti virus is Norton Security 2010. Applications that are now running are System Guard, Lime Wire, Synaptics Pointing Device, Vech Web Player, AOL messenger, and Toshiba eco utility. I was able to download and tried to run the app you sent me the link for. The laptop would go off somewhere and become busy. The screen would go black. I have seen this before with the laptop. Sometimes it will come back. You also get messages on the screen that you are out of memory and should close your apps, save your work and restart. I was not able to run Process Explorer but I am still trying. Vic

#4 VicMJ

VicMJ
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Massachusetts, United States
  • Local time:04:15 AM

Posted 30 May 2010 - 07:26 PM

I was just now able to boot-up. I find that I have fewer problems at this point if I stay disconnected from the Internet. I was able to run Process Explorer. When it opened everything looked okay for the first few minutes. Then a Host Process for Windows Services (Svchost.exe) opened and under it opened hundreds of tasks called WerFault.exe. No one program showed a lot of CPU usage but the overall usage went to 100%. After a few more minutes the Process Explorer window I was viewing seemed to close. I quickly did a system selected shutdown. Vic

P. S. System will not do a controlled power off. This is something that is new and I think started last night. I will have to do a forced power off.


P. P. S. System did shut itself down okay. It took a little time for it to do it that was all. I power it back up to be sure and then I let it shut itself down again.

Edited by VicMJ, 30 May 2010 - 11:12 PM.


#5 VicMJ

VicMJ
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Massachusetts, United States
  • Local time:04:15 AM

Posted 31 May 2010 - 01:22 PM

Booted up in Safe Mode Internet. Opened browser and logged onto BleepingComputer.com. Went to the Spy Removal section and downloaded Malwarebytes antivirus setup. Installed it and ran it. It found 37 infected items. I have cut and pasted the log. Vic

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4157

Windows 6.1.7600 (Safe Mode)
Internet Explorer 8.0.7600.16385

5/31/2010 10:12:36 AM
mbam-log-2010-05-31 (10-12-36).txt

Scan type: Full scan (C:\|)
Objects scanned: 260681
Time elapsed: 31 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 14
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 3
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{d34d56e9-b37b-4c37-a854-1ac144592d5c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d34d56e9-b37b-4c37-a854-1ac144592d5c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d34d56e9-b37b-4c37-a854-1ac144592d5c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{beac7dc8-e106-4c6a-931e-5a42e7362883} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[1].exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[2].exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[3].exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[4].exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[5].exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Environment\evapp (Rogue.Antivir2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Environment\evuninst (Rogue.Antivir2010) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\live pc care (Rogue.LivePCCare) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe\debugger (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=211&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=211&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=211&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=211&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
C:\Users\derek\AppData\Roaming\Live PC Care (Rogue.LivePCCare) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Uninstall\AV (Rogue.Antivir2010) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance (Adware.Gamevance) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\derek\AppData\Roaming\Live PC Care\Instructions.ini (Rogue.LivePCCare) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Uninstall\AV\Uninstall.lnk (Rogue.Antivir2010) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\ars.cfg (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gamevancelib32.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Program Files\Gamevance\icon.ico (Adware.Gamevance) -> Quarantined and deleted successfully.
C:\Users\derek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live PC Care.lnk (Rogue.LivePCCare) -> Quarantined and deleted successfully.
C:\Users\derek\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Live PC Care.lnk (Rogue.LivePCCare) -> Quarantined and deleted successfully.
C:\Users\derek\AppData\Roaming\Microsoft\Windows\Start Menu\Live PC Care.lnk (Rogue.LivePCCare) -> Quarantined and deleted successfully.

Edited by VicMJ, 31 May 2010 - 01:27 PM.
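Added example, not part of the original thread or of Malwarebytes: a small parser that groups the detection lines of a log like the one above by the registry mechanism they touch, so autostart and hijack points stand out from plain files. The sample lines are copied from the log above; the function names and mechanism labels are this example's own.

```python
import re
from collections import Counter

# A subset of the detection lines from the Malwarebytes log posted above.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d34d56e9-b37b-4c37-a854-1ac144592d5c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[1].exe (Security.Hijack) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\live pc care (Rogue.LivePCCare) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\URL (Hijack.SearchPage) -> Bad: (http://findgala.com/?&uid=211&q={searchTerms}) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\Gamevance\gvtl.dll (Adware.Gamevance) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[A-Za-z]+\.\w+)\) -> (?P<rest>.+)$")
CHANGE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) ->")

# Registry path fragment -> mechanism label (labels are this example's own names).
MECHANISMS = {"\\image file execution options\\": "ifeo",
              "\\browser helper objects\\": "bho", "\\currentversion\\run\\": "run-key",
              "\\shell\\open\\command\\": "open-command", "\\searchscopes\\": "search-scope"}

def classify(path):
    for needle, label in MECHANISMS.items():
        if needle in path.lower():
            return label
    return "other"  # plain files, folders, CLSID registrations, uninstall keys

def parse_log(text):
    """One dict per detection line; banner, count and empty lines are skipped."""
    section, items = None, []
    for line in map(str.strip, text.splitlines()):
        header, item = SECTION.match(line), ITEM.match(line)
        if header:
            section = header.group("section")
        elif item:
            change = CHANGE.search(item.group("rest"))
            items.append({"section": section, "path": item.group("path"),
                          "name": item.group("name"),
                          "mechanism": classify(item.group("path")),
                          "bad": change.group("bad") if change else None})
    return items

def summarize(items):
    """Count detections per mechanism label."""
    return Counter(i["mechanism"] for i in items)

if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

Entries that land outside the `other` bucket are registry locations that load code or redirect launches, so they are the ones to re-verify after a cleanup.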


#6 coxchris

coxchris

  • Members
  • 1,151 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atwater
  • Local time:02:15 AM

Posted 31 May 2010 - 01:51 PM

What I can see from the information provided:

The applications that worry me (I don't know about the rest of the forum members):

Lime Wire is a Peer to Peer application for file sharing and it requires a constant internet connection to download programs. From your symptoms, it sounds like it may have infected your computer with spyware without your knowledge. This is why I worry about P2P programs.

A process that is normal is Svchost.exe. At startup, Svchost.exe checks the services part of the registry to construct a list of services that it must load.
WerFault is the process that Windows error reports are running. This is how to disable Windows Error reports: http://www.blogsdna.com/6027/how-to-disabl...r-reporting.htm

I would suggest disabling Windows Error Reporting because I think that is what is causing this constant 100% CPU usage, and I would run an anti-virus and spyware scan (for an example of a spyware program, http://www.malwarebytes.org/mbam.php) in safe mode if the CPU is constantly at 100% after disabling Windows Error Reporting.

Safe Mode is basically the default processes in order to run the computer http://www.bleepingcomputer.com/tutorials/...1.html#windows7.

If you have any more questions, please reply back.

Edited by coxchris, 31 May 2010 - 01:53 PM.



#7 coxchris

coxchris

  • Members
  • 1,151 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atwater
  • Local time:02:15 AM

Posted 31 May 2010 - 01:56 PM

Quote: "Booted up in Safe Mode Internet. Opened browser and logged onto BleepingComputer.com. Went to the Spy Removal section and downloaded Malwarebytes antivirus setup. Installed it and ran it. It found 37 infected items. I have cut and pasted the log. Vic"

After running that, is your computer still at 100% usage?



#8 VicMJ

VicMJ
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Massachusetts, United States
  • Local time:04:15 AM

Posted 01 June 2010 - 08:51 AM

After disabling Error Reporting and rerunning Malwarebytes again in Safe Mode I still have the system running at 100% with the same problem. I also found an Uninstall Guide on BleepingComputer for Security Guard, a rogue anti-virus program. When I posted a list of some of the programs running I said one was System Guard--well the program is really Security Guard. I did the procedure but still have Security Guard running on my system. Vic

#9 coxchris

coxchris

  • Members
  • 1,151 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atwater
  • Local time:02:15 AM

Posted 01 June 2010 - 10:02 AM

I am going to redirect you to the AIM forum on here. Please post a new thread named "CPU 100% got Security Guard". Please reference this thread in that post. The Am I Infected forums have more advanced people and they are knowledgeable in running advanced programs.

My suspicion is that a malware attack got into your Restore Points and re-activated your threat. http://www.winhelponline.com/blog/how-to-d...ints-windows-7/ is how to remove the restore points. Spyware likes to hide in them.

You may need to run the rkill program in that guide, probably more than once.

I hope this helps



#10 VicMJ

VicMJ
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Massachusetts, United States
  • Local time:04:15 AM

Posted 01 June 2010 - 01:04 PM

Thank you very much for your help. Vic

#11 coxchris

coxchris

  • Members
  • 1,151 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Atwater
  • Local time:02:15 AM

Posted 01 June 2010 - 02:30 PM

You're welcome :)



#12 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:15 AM

Posted 01 June 2010 - 03:07 PM

If security guard is still running in here then we need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#13 VicMJ

VicMJ
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Massachusetts, United States
  • Local time:04:15 AM

Posted 02 June 2010 - 05:33 PM

I opened a new posting like you told me to but I can't seem to close the posting you asked me to. Vic

#14 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,220 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:05:15 AM

Posted 03 June 2010 - 08:55 AM

VicMJ
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.


There are too many different people in this thread.
To avoid confusion, I am closing this topic. If anyone needs something, PM me or any moderator.



