
Possible Spyware CPU running at 100%

Discussion in 'Malware and Virus Removal Archive' started by Master Green, 2007/07/23.

  1. 2007/07/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I hope its icon is a command window with a gear on it?
     
  2. 2007/07/28
    Master Green

    Master Green Inactive Thread Starter

    Joined:
    2002/12/03
    Messages:
    709
    Likes Received:
    2
    Noahdfear,

    Yes it is...It does indeed have a gear design on the icon...
     

  4. 2007/07/28
    noahdfear
    Double click it and post the contents of the log that opens.

    Can you now access yahoo by typing www.yahoo.com (or clicking that link) or do you have to use the numbers?
     
  5. 2007/07/28
    Master Green
    Noahdfear,
    I access yahoo by typing www.yahoo.com, which has not been the problem; it's been accessing the yahoo mail that keeps saying "this page cannot be displayed"... Here is the log:

    Volume in drive C is PRESARIO
    Volume Serial Number is 64CE-D752

    Directory of C:\WINDOWS\I386

    2003-08-16 01:26 734 HOSTS
    1 File(s) 734 bytes

    Directory of C:\WINDOWS\system32\drivers\etc

    2007-07-28 16:02 27 hosts
    1 File(s) 27 bytes
     
  6. 2007/07/28
    noahdfear
    Thanks :)

    Please download HostsXpert, saving it to the desktop.
    1. Unzip HostsXpert.zip
    2. Double click on HostsXpert.exe
    3. Then click on "Restore Original Hosts" to restore your Hosts file to its default condition.
    4. Click on Make Hosts Read Only to secure it against further infection.
    5. Close program when complete.

    Ok. Previously you had reported not being able to get to yahoo, but after trying it using numbers you could. Just wanted to make sure you could get there normally now.

    Can you get to http://mail.yahoo.com/
    Can you login to the account?
     
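    An added example, not from the thread and not part of HostsXpert, that does the hosts-file check discussed above in code: it classifies each entry as a redirect (a name pointed at a non-loopback address) or a blackhole (a non-default name pointed at loopback), and confirms that a bare localhost line with CRLF is the 27 bytes shown in the dir listing. The sample hosts content, the 10.0.0.5 address and the update.example-av.test name are constructed for the example.

```python
import ipaddress

# Constructed sample: the one-line XP default followed by two hijack-style lines.
SAMPLE_HOSTS = (
    "127.0.0.1       localhost\r\n"               # 25 chars + CRLF = 27 bytes
    "10.0.0.5        mail.yahoo.com\r\n"          # webmail host redirected to a LAN box
    "127.0.0.1       update.example-av.test\r\n"  # a (constructed) update server blackholed
)

DEFAULT_NAMES = {"localhost"}   # the only name a default XP hosts file maps


def parse_hosts(text):
    """Return (ip, [names]) tuples; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries


def audit_hosts(text):
    """Flag entries a default hosts file should not contain.

    'redirected': traffic for the name goes to some other address.
    'blackholed': a non-default name resolves to loopback (e.g. an AV update site).
    'unparseable-address': the first field is not an IP address at all.
    """
    findings = []
    for ip, names in parse_hosts(text):
        try:
            loopback = ipaddress.ip_address(ip).is_loopback
        except ValueError:
            findings.append(("unparseable-address", ip, names))
            continue
        for name in names:
            if not loopback:
                findings.append(("redirected", ip, [name]))
            elif name not in DEFAULT_NAMES:
                findings.append(("blackholed", ip, [name]))
    return findings


def is_default_hosts(text):
    """True when nothing beyond localhost -> loopback is mapped."""
    return not audit_hosts(text)
```

    On a live machine the file to feed in is %SystemRoot%\system32\drivers\etc\hosts; a clean result there is why the thread moves on to the CPU question.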
  7. 2007/07/28
    Master Green
    Noahdfear,
    In all honesty I don't recall ever saying I could not access Yahoo because they had that as their home page, and whether I typed it in or used the ip address you furnished, access was always good...Getting into the mail was the problem since day one...I just tried it again, access to the yahoo page was good but the mail issue remains even after trying to sign in...

    I followed your instructions for the HostsXpert download and all went very well...

    While awaiting further instructions previous to your last posts, I ran:
    (1) Spybot = found 4 and removed all 4.
    (2) SpyHunter = found 5 and removed all 5.
    (3) Adaware2007 = found none.
     
  8. 2007/07/28
    Master Green
    Noahdfear,
    After all that, which was impressive, the CPU still runs at 100% with AVG installed; I have to end tasks in taskmanager to get the CPU down...I also cannot run defrag, I get the same error message...
     
  9. 2007/07/28
    noahdfear
    Look back to post #11
    http://www.windowsbbs.com/showpost.php?p=356155&postcount=11

    Get Process Explorer, open and without clicking on any entries, click File>Save As and put the log on the desktop. Post the contents here. Do that while CPU usage is at 100%

    What method are you trying for defrag?
     
  10. 2007/07/28
    Master Green
    Noahdfear,
    Here is the Process Explorer log:

    Process PID CPU Description Company Name
    System Idle Process 0 13.64
    Interrupts n/a 1.52 Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4
    smss.exe 416 Windows NT Session Manager Microsoft Corporation
    csrss.exe 480 3.03 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 508 Windows NT Logon Application Microsoft Corporation
    services.exe 552 1.52 Services and Controller app Microsoft Corporation
    svchost.exe 724 7.58 Generic Host Process for Win32 Services Microsoft Corporation
    wmiprvse.exe 1156 WMI Microsoft Corporation
    svchost.exe 780 Generic Host Process for Win32 Services Microsoft Corporation
    wuauclt.exe 600 Windows Update Automatic Updates Microsoft Corporation
    wuauclt.exe 1644 Windows Update Automatic Updates Microsoft Corporation
    svchost.exe 912 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 980 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 1264 Spooler SubSystem App Microsoft Corporation
    aawservice.exe 1888 Ad-Aware 2007 Service Lavasoft AB
    alg.exe 1904 Application Layer Gateway Service Microsoft Corporation
    avgamsvr.exe 1920 AVG Alert Manager GRISOFT, s.r.o.
    avgupsvc.exe 1940 AVG Update Service GRISOFT, s.r.o.
    avgemc.exe 1992 1.52 AVG E-Mail Scanner GRISOFT, s.r.o.
    lsass.exe 564 LSA Shell (Export Version) Microsoft Corporation
    explorer.exe 1148 7.58 Windows Explorer Microsoft Corporation
    kbd.exe 1444 KBD EXE Hewlett-Packard Company
    sgtray.exe 1464 Sonic Update Manager Sonic Solutions
    ALCXMNTR.EXE 1552 Realtek AC97 Audio - Event Monitor Realtek Semiconductor Corp.
    jusched.exe 1576 Java(TM) Platform SE binary Sun Microsystems, Inc.
    avgcc.exe 1612 53.03 AVG Control Center GRISOFT, s.r.o.
    msmsgs.exe 1660 Messenger Microsoft Corporation
    sgmain.exe 1744 SpywareGuard
    sgbhp.exe 1860 SG Browser Hijacking Protection
    WkCalRem.exe 1764 Microsoft® Works Calendar Reminder Service Microsoft® Corporation
    procexp.exe 1428 10.61 Sysinternals Process Explorer Sysinternals
     
  11. 2007/07/28
    Master Green
    Noahdfear,
    Method used for defrag is:
    Start - programs - accessories - system tools - disk defragmenter
     
  12. 2007/07/28
    noahdfear
    Check the properties of that defrag shortcut. It should be pointed at:
    %SystemRoot%\System32\dfrg.msc
     
  13. 2007/07/28
    Master Green
    Noahdfear,

    It says: MMC cannot open the file C:\WINDOWS\system32\dfrg.msc
     
  14. 2007/07/28
    noahdfear
    That Process Explorer log doesn't contain the info I was hoping for. Please open Process Explorer again and click on the first entry, System Idle process. Then click a few others. You will see the cpu column populate. Again click on System Idle Process, then File>Save As and post that log.
     
  15. 2007/07/28
    noahdfear
    Click Start>Run and type (or copy/paste) the following commands, one at a time, hitting enter after each.

    regsvr32 /u msxml3.dll
    regsvr32 msxml3.dll


    Reboot and see if defrag works.
     
  16. 2007/07/29
    noahdfear
    And a few more things .............

    Suggest you remove these scheduled tasks, either by browsing to the tasks folder or via Start>All Programs>Accessories>System Tools>Scheduled Tasks.

    C:\WINDOWS\tasks\Easy Internet Sign-up.job
    C:\WINDOWS\tasks\McDefragTask.job
    C:\WINDOWS\tasks\McQcTask.job

    Let's make sure the yahoo mail problem is machine specific and not a problem on Yahoo's end. Use your computer rather than the one you're working on to try accessing the account via www.mail.yahoo.com
     
  17. 2007/07/29
    Master Green
    Noahdfear,

    The start -run trick did not work...

    Here is the Process Explorer log you requested: Note: when I clicked on a few it showed the following entry under TCP/IP: your-xb2x7i77gn "Listening ".

    Process PID CPU Description Company Name
    System Idle Process 0
    Interrupts n/a Hardware Interrupts
    DPCs n/a Deferred Procedure Calls
    System 4 1.54
    smss.exe 416 Windows NT Session Manager Microsoft Corporation
    csrss.exe 480 Client Server Runtime Process Microsoft Corporation
    winlogon.exe 504 Windows NT Logon Application Microsoft Corporation
    services.exe 548 1.54 Services and Controller app Microsoft Corporation
    svchost.exe 720 3.08 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 776 Generic Host Process for Win32 Services Microsoft Corporation
    wuauclt.exe 1444 Windows Update Automatic Updates Microsoft Corporation
    svchost.exe 908 Generic Host Process for Win32 Services Microsoft Corporation
    svchost.exe 984 Generic Host Process for Win32 Services Microsoft Corporation
    spoolsv.exe 1256 Spooler SubSystem App Microsoft Corporation
    aawservice.exe 1892 Ad-Aware 2007 Service Lavasoft AB
    alg.exe 1904 Application Layer Gateway Service Microsoft Corporation
    avgamsvr.exe 1920 AVG Alert Manager GRISOFT, s.r.o.
    avgupsvc.exe 1944 AVG Update Service GRISOFT, s.r.o.
    avgemc.exe 1972 3.08 AVG E-Mail Scanner GRISOFT, s.r.o.
    lsass.exe 560 LSA Shell (Export Version) Microsoft Corporation
    explorer.exe 1156 16.92 Windows Explorer Microsoft Corporation
    kbd.exe 1452 KBD EXE Hewlett-Packard Company
    ALCXMNTR.EXE 1556 Realtek AC97 Audio - Event Monitor Realtek Semiconductor Corp.
    jusched.exe 1584 Java(TM) Platform SE binary Sun Microsystems, Inc.
    avgcc.exe 1604 72.31 AVG Control Center GRISOFT, s.r.o.
    msmsgs.exe 1644 Messenger Microsoft Corporation
    sgmain.exe 1732 SpywareGuard
    sgbhp.exe 1844 SG Browser Hijacking Protection
    WkCalRem.exe 1760 Microsoft® Works Calendar Reminder Service Microsoft® Corporation
    procexp.exe 2212 1.54 Sysinternals Process Explorer Sysinternals
     
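    An added example, not from the thread and not a Sysinternals tool, that parses the Process Explorer "File > Save As" text posted above and ranks the CPU consumers. The rows are space separated with multi-word process names and an optional CPU column, so the parser locates the PID token first. The sample is a subset of rows copied from the second log in the thread.

```python
from typing import NamedTuple, Optional

# Rows copied from the second Process Explorer log posted in this thread.
SAMPLE_LOG = """Process PID CPU Description Company Name
System Idle Process 0
Interrupts n/a Hardware Interrupts
System 4 1.54
svchost.exe 720 3.08 Generic Host Process for Win32 Services Microsoft Corporation
avgemc.exe 1972 3.08 AVG E-Mail Scanner GRISOFT, s.r.o.
explorer.exe 1156 16.92 Windows Explorer Microsoft Corporation
avgcc.exe 1604 72.31 AVG Control Center GRISOFT, s.r.o.
procexp.exe 2212 1.54 Sysinternals Process Explorer Sysinternals
"""


class Proc(NamedTuple):
    name: str
    pid: Optional[int]     # None for pseudo-rows (Interrupts, DPCs) whose PID is n/a
    cpu: Optional[float]   # None when the CPU column was empty in the snapshot
    info: str              # description and company, kept as one string


def _is_pid(tok):
    return tok == "n/a" or tok.isdigit()


def parse_procexp(text):
    """The PID is the first integer-or-n/a token; everything before it is the
    name, the token after it is the CPU only if it parses as a number."""
    procs = []
    for line in text.splitlines()[1:]:            # skip the column header
        toks = line.split()
        i = next((k for k, t in enumerate(toks) if _is_pid(t)), None)
        if i is None:
            continue                              # blank line or non-process row
        pid = None if toks[i] == "n/a" else int(toks[i])
        cpu, rest = None, toks[i + 1:]
        if rest:
            try:
                cpu = float(rest[0])
                rest = rest[1:]
            except ValueError:
                pass                              # column empty: rest is description
        procs.append(Proc(" ".join(toks[:i]), pid, cpu, " ".join(rest)))
    return procs


def top_consumers(text, n=3):
    """Real processes with a sampled CPU value, busiest first. PID 0 (Idle)
    and the n/a pseudo-rows are excluded so the list shows actual programs."""
    real = [p for p in parse_procexp(text) if p.pid and p.cpu is not None]
    return sorted(real, key=lambda p: p.cpu, reverse=True)[:n]
```

    Run over the full log above it puts avgcc.exe (the AVG Control Center) at the top, which is the entry the thread's CPU question turns on.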
  18. 2007/07/29
    Master Green
    Noahdfear,
    I went to start - run - cmd and typed in netstat -a
    and there were 26 entries, 12 TCP and 14 UDP, showing "your-xb2x7j77gn" as listening...To the best of my knowledge this is definitely abnormal and possibly the culprit behind the CPU issue...I even suspect that this computer has its own uninvited guardian angel ???
     
  19. 2007/07/29
    Master Green
    Noahdfear,

    I used a non-infected computer to access www.yahoo.mail.com and had no problems, was able to bring up the page (because I do not know the email address or password to that account I could not sign in)...
     
  20. 2007/07/29
    Master Green
    Noahdfear,
    When I checked thru google on "your-xb2x7j77gn" I came across info that recommended running Smitfraudfix.exe...I did and wanted to post the log here for your expertise:

    SmitFraudFix v2.207

    Scan done at 9:56:51.01, 2007-07-29
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System "=" "


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.1.1
    DNS Server Search Order: 192.168.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E054D29-422E-409C-9137-EDD2F6750A30}: DhcpNameServer=192.168.1.1 192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E054D29-422E-409C-9137-EDD2F6750A30}: DhcpNameServer=192.168.1.1 192.168.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{7E054D29-422E-409C-9137-EDD2F6750A30}: DhcpNameServer=192.168.1.1 192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1 192.168.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  21. 2007/07/29
    noahdfear
    SmitfraudFix was not necessary. your-xb2x7j77gn is the name of that computer. It is normal to see it associated with the tcp entries. The netstat results are normal as well. You should have several that show as established in addition to the listening.

    The second process explorer log didn't look any different, and I think you might have posted the same log. If you created the second log as instructed, unless you gave it a different name upon saving, it would be named System Idle Process.txt ........ I should have clarified that, sorry.

    When doing the regsvr commands, you should have gotten a message after each one, the first being the dll was successfully unregistered, the second being that the dll was successfully registered. Did you get those messages? Please try each of the following commands from the run line and let me know the results.

    compmgmt.msc
    devmgmt.msc
    diskmgmt.msc
    eventvwr.msc
    services.msc


    Download ATF Cleaner by Atribune and save it to your Desktop.
    Double click ATF-Cleaner.exe to run the program.
    Click 'Select All' then click 'Empty Selected'
    When done, click exit and reboot.

    Attempt to open mail.yahoo.com
     