100% Cpu Usage



#1 atmsvcs

atmsvcs

  • Members
  • 3 posts

Posted 03 May 2007 - 10:53 PM

I have similar problem to "lovingtahoe", but my CPU usage goes up to 100% and will then not allow any programs to launch.

When I go in to Task Manager there is an iteration of "svchost.exe" running that is the 100% CPU usage process.

When I kill that process any program will now run normally and the CPU usage is back down to 2-4%.

Just by chance I tried to enable the Windows Firewall (I don't have it enabled as my Router Switch has a hardware firewall in it, and I have several other PCs on the network); it gives me a message that "Firewall/Internet Connection Sharing Service must be enabled" to turn on the Firewall.

I believe the process I killed is related to the ICS. It then tells me that it cannot start this service. I then have to reboot the PC.

I have run Ad-Aware, Search and Destroy, SpywareDetector, and a-Squared to no avail.

When the PC first reboots everything is fine, but after the PC has been up for 3-4 minutes this iteration of "svchost.exe" goes up to 100% CPU usage and then no program can be launched without killing that process in Task Manager.

When the PC first boots up it has a "blue" bar across the top of my screen, so I know something is really screwed up here.

I did some research and found that some describe this as a possible Trojan, but none of the scanners will fix this?

I am ready to fdisk the drive and start over but I found your forum and decided to try to have somebody else help me fix this.

Driving me crazy...

Please advise.

I attached a picture of my Task Manager screen.

Here is my HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:42:11 PM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\FolderShare\FolderShare.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\YTBSDK.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Scott Christiansen\Local Settings\Temp\HijackThis.exe
C:\Documents and Settings\Scott Christiansen\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SystemTraySD] C:\Program Files\SpywareDetector\SDSystemTray.exe -AUTO
O4 - HKLM\..\Run: [SDAutoLiveupdate] C:\Program Files\SpywareDetector\LiveUpdateSD.exe -AUTO
O4 - HKCU\..\Run: [FolderShare] "C:\Program Files\FolderShare\FolderShare.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.xdrive.com/downloads/std_install/setup.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1171388584659
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://main.3lpartners.net/Remote/msrdp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O20 - Winlogon Notify: SDNotify - C:\Program Files\SpywareDetector\SDNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: MSSQL$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe" -sMICROSOFTSMLBIZ (file missing)
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SQLAgent$MICROSOFTSMLBIZ - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)

I read a post titled "How Malware hides and is installed as a service". I know this is what is happening.

It tells you to run "tasklist /SVC" to see the processes that are being loaded by svchost.exe.

When I run that command it will not run and display anything until I go to Task Manager and kill the svchost.exe process that is at 100%.

Then it displays the following:

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Scott Christiansen>tasklist /SVC

Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     544 N/A
csrss.exe                    608 N/A
winlogon.exe                 632 N/A
services.exe                 676 Eventlog, PlugPlay
lsass.exe                    688 PolicyAgent, ProtectedStorage, SamSs
svchost.exe                  844 DcomLaunch, TermService
svchost.exe                  908 RpcSs
svchost.exe                 1044 Dnscache
svchost.exe                 1180 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1456 Spooler
explorer.exe                1680 N/A
avgamsvr.exe                2016 Avg7Alrt
avgcc.exe                    188 N/A
LogMeInSystray.exe           212 N/A
J2GDllCmd.exe                220 N/A
jusched.exe                  208 N/A
SDSystemTray.exe             304 N/A
avgupsvc.exe                 320 Avg7UpdSvc
avgemc.exe                   392 AVGEMS
FolderShare.exe              400 N/A
ramaint.exe                  468 LMIMaint
reader_sl.exe                812 N/A
LogMeIn.exe                  992 LogMeIn
J2GTray.exe                 1084 N/A
qbupdate.exe                1216 N/A
sqlmangr.exe                1256 N/A
WZQKPICK.EXE                1280 N/A
sqlservr.exe                1400 MSSQL$MICROSOFTSMLBIZ
SDService.exe               1660 SDService
alg.exe                     2500 ALG
svchost.exe                 2892 HTTPFilter
wuauclt.exe                 3056 N/A
wscntfy.exe                 3184 N/A
IEXPLORE.EXE                3240 N/A
YTBSDK.exe                  3292 N/A
jucheck.exe                 3520 N/A
taskmgr.exe                 3632 N/A
taskmgr.exe                 3664 N/A
cmd.exe                     1836 N/A
tasklist.exe                 244 N/A
svchost.exe                 2572 EventSystem, helpsvc, SENS, winmgmt
wmiprvse.exe                2792 N/A

C:\Documents and Settings\Scott Christiansen>

This listing is minus the 100% process of course because it won't execute while that process is active.

The listings with (svchost.exe)'s do not look right. I think there are several malwares here.

I do remember now that about a week ago my RegCure reported a message that my registry had been changed and may have listed some changes, but at that time I didn't know what was going on.

Please help...

Edited by atmsvcs, 04 May 2007 - 12:38 AM.
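The `tasklist /SVC` step described in the post above is the right way to map an svchost.exe PID to the services it hosts, which is the one thing Task Manager will not show. The script below is an added example for this page, not part of the original post or of any tool named in it. It parses a `tasklist /SVC` listing (on Windows it runs the real command; elsewhere it uses a constructed sample in the same layout, with two hypothetical rows, PIDs 3900 and 4012, added so that a finding is visible), answers the PID-to-services question, and flags the two classic svchost red flags an analyst checks for: an svchost.exe that hosts no services at all, and an image name one or two characters off from `svchost.exe`.

```python
"""Added example (not from the original post): parse `tasklist /SVC`, map each
svchost.exe PID to its hosted services, and flag svchost look-alikes."""
import re
import subprocess
import sys

# Constructed sample in the layout tasklist /SVC prints. PIDs 3900 and 4012 are
# hypothetical rows added to show what a finding looks like; long service lists
# wrap onto an indented continuation line, as the 1044 row shows.
SAMPLE_TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                  844 DcomLaunch, TermService
svchost.exe                  908 RpcSs
svchost.exe                 1044 Dnscache, LanmanWorkstation, Schedule,
                                 ShellHWDetection
svchost.exe                 1180 LmHosts, RemoteRegistry, SSDPSRV, WebClient
svchost.exe                 2892 HTTPFilter
svchost.exe                 3900 N/A
svch0st.exe                 4012 N/A
explorer.exe                1680 N/A
"""

# image name (may contain spaces), a PID, then the comma-separated service list
ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")


def _split_services(text):
    """'A, B,' -> ['A', 'B']; 'N/A' -> []."""
    text = text.strip()
    if text == "N/A":
        return []
    return [s.strip() for s in text.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return a list of {'image', 'pid', 'services'} dicts, one per process."""
    rows = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Image Name") or line.startswith("="):
            continue
        if line.startswith(" ") and rows:
            # wrapped continuation of the previous row's service list
            rows[-1]["services"].extend(_split_services(line))
            continue
        m = ROW.match(line)
        if not m:
            continue
        rows.append({"image": m["image"].strip(), "pid": int(m["pid"]),
                     "services": _split_services(m["services"])})
    return rows


def services_for_pid(rows, pid):
    """Services hosted by one PID (the question Task Manager cannot answer), or None."""
    for r in rows:
        if r["pid"] == pid:
            return r["services"]
    return None


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to catch look-alike image names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_svchost(rows):
    """Heuristic: a genuine svchost.exe always hosts at least one service, and
    names one or two characters away from svchost.exe (svch0st, scvhost,
    svchosts) are a common disguise. Returns a list of (pid, reason)."""
    findings = []
    for r in rows:
        name = r["image"].lower()
        if name == "svchost.exe":
            if not r["services"]:
                findings.append((r["pid"], "svchost.exe hosting no services"))
        elif _edit_distance(name, "svchost.exe") <= 2:
            findings.append((r["pid"], f"look-alike image name {r['image']}"))
    return findings


def live_tasklist():
    """Run the real command on Windows (same default layout the post shows)."""
    out = subprocess.run(["tasklist", "/SVC"], capture_output=True, text=True,
                         errors="replace", check=True)
    return out.stdout


if __name__ == "__main__":
    text = live_tasklist() if sys.platform == "win32" else SAMPLE_TASKLIST
    rows = parse_tasklist_svc(text)
    for r in rows:
        if r["image"].lower() == "svchost.exe":
            print(f"{r['pid']:>6}  {', '.join(r['services']) or '(none)'}")
    for pid, reason in suspicious_svchost(rows):
        print(f"SUSPICIOUS pid {pid}: {reason}")
```

Two caveats. A process spinning at 100% can starve `tasklist` itself, as the poster saw; `tasklist /SVC /FO CSV` is the sturdier format to capture and parse once you do get a prompt, and it avoids the wrapped continuation lines handled above. And `tasklist` never shows the image path: a real svchost.exe lives in `%SystemRoot%\System32`, so confirm the path of any flagged PID with Process Explorer or `wmic process where name="svchost.exe" get ProcessId,ExecutablePath` before killing anything.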



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 09 May 2007 - 04:16 PM

Hello atmsvcs and welcome to the BC HijackThis forum. I don't see any signs of viruses or malware in the log. It is clean.

It is natural on most Windows operating systems to have anywhere from 3 to 6 (or more) svchost processes running. It depends on the system and the installed software. Depending on what the svchost process is running, terminating it can cause other issues in the operating system.

The HijackThis forum deals exclusively with virus and malware issues. HijackThis cannot analyze performance, hardware or application issues. For other non-malware related issues I would suggest posting to the forum listed below: The techs there specialize in matters pertaining to their field of expertise. When posting to any other forum, do not post a HijackThis log or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

When posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the techs can analyze the issue and make any recommendations for resolving it.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
