Status
Not open for further replies.
1 - 5 of 5 Posts

·
Registered
Joined
·
3 Posts
Discussion Starter #1 (Edited)
Hello all,

Below is a post of my HijackThis log taken this morning. If anyone has any suggestions as to what may be causing the problem, I would appreciate the feedback. I have only posted this here, by the way. The computer in question is running Windows XP Professional and is part of a domain; however, it is normally logged on locally.

THE PROBLEM:
Over the last week or so, the computer will periodically, and quite suddenly, start using 100% CPU. The Task Manager does not show any particular culprit, and it tends to be whatever process one would expect to be in use that is hogging the CPU at that time. For example, if you open an Internet Explorer window, it may take two minutes to open and iexplore will be using between 50 - 100% CPU as it tries to open the window.

There is a definite trend to the problem also. If I leave the computer on (but doing nothing) overnight, it will always, thus far anyway, work well for the first 1 - 3 hours the next day. The problem will then abruptly appear and remain for the rest of the day. If the computer is turned off overnight, it will sometimes work fine for 1 - 3 hours as above, although the problem will sometimes be there as soon as you log in.

Oddly, browsing shares on the computer through the network is quite fast. No other computers in the domain appear affected.

WHAT HAS BEEN DONE SO FAR:
I have killed every non-essential process I can think of and nothing appears to help, although as stated above, no one process appears to be obviously causing the problem.

I have also performed a system restore to a point about two weeks ago, which was before the problem developed. This did not help and was reversed. I have uninstalled almost every application bar essential apps, MS Office and a photo processing app, which did not help either. I have installed and subsequently removed Windows Defender which picked up nothing. AVG has always been installed and up to date, although was reinstalled the other day. A full scan in safe mode last night with up to date definitions (two days ago) found no viruses. Spybot found and cleaned a few things a week ago. A full up to date Spybot scan in safe mode last night found nothing.

Here is a post of the Hijack This log, taken a couple of hours ago:

Logfile of HijackThis v1.99.1
Scan saved at 1:59:59 p.m., on 22/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\avgagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Map Drives Script.cmd
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0C89E27C-DD69-44BB-A32E-4D093E859FB2} (strprint.trprints) - https://mcp.microsoft.com/mcp/tools/MCPTranscriptPrint.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175729893126
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SmartNewtown.local
O17 - HKLM\Software\..\Telephony: DomainName = SmartNewtown.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5090D86-7121-46F4-8A80-7C7318DEB426}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SmartNewtown.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = SmartNewtown.local
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)

Please note that Windows Defender has been uninstalled, so I'm not sure why the MsMpEng.exe is still listed in the log.

The Map Drives Script.cmd (O4) is legitimate, and simply maps a drive to a share resource on another computer.

I'm starting to suspect it could be hardware, as the pattern could indicate a problem only after the processor heats up. If anyone can see anything in the HiJack This log that indicates a problem, please let me know.

Thanks loads for your help in advance.
 

·
Registered
Joined
·
3,025 Posts
Hi SnootWagg,

There is nothing showing in your logs..

If you want to get rid of that service then..

Click Start->Run - type SERVICES.MSC & then click on the OK button
  • Locate the service - Windows Defender
  • Double-click on it to open the Properties dialog.
  • Under the General tab:
  • Stop the service by using the Stop button.
  • Change the Startup type to Disabled & then click on the OK button
  • Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service
  • In the popup box that appears, type in "WinDefend". Make sure to include the quotes, then click on the OK button and allow reboot.
------------------------------------------

Please put your computer through an online scan at Panda by following the below instructions:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" * The download of the 8 MB Panda's ActiveX control will take place *
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Reply back with the log from the Online scan
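
An added example, not part of the original posts and not HijackThis's own code: it triages the O23 "(file missing)" service entries from the log above by cross-checking each one against the "Running processes" section. It assumes the last parenthesised group in an O23 label is the service key (the reply above types "WinDefend"), and the function names and verdict strings are hypothetical.

```python
import ntpath
import re

# Excerpt copied from the HijackThis log in the first post (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\avgagent.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Remote Support Service (AvgAgent) (avgagent) - Unknown owner - avgagent.exe (file missing)
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
"""

# Label and owner match lazily, so a " - " inside the path stays in the path.
O23_RE = re.compile(r"^O23 - Service: (?P<label>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
KEY_RE = re.compile(r"\(([^()]*)\)\s*$")  # assumption: last (...) group is the service key
MISSING = "(file missing)"

def running_basenames(log_text):
    """Lower-cased image names from the 'Running processes:' section."""
    names, in_section = set(), False
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line == "Running processes:":
            in_section = True
        elif in_section and not line:
            break  # a blank line ends the section
        elif in_section:
            names.add(ntpath.basename(line).lower())
    return names

def parse_o23(line):
    """Split one O23 line into key, owner, path and the file-missing flag."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    key, path = KEY_RE.search(m["label"]), m["path"]
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)].rstrip()
    return {"key": key.group(1) if key else m["label"], "owner": m["owner"],
            "path": path, "file_missing": missing}

def triage_missing_services(log_text):
    """Flag '(file missing)' services; one whose image is running is not orphaned."""
    running = running_basenames(log_text)
    flagged = [e for e in map(parse_o23, log_text.splitlines()) if e and e["file_missing"]]
    for e in flagged:
        alive = ntpath.basename(e["path"]).lower() in running
        e["verdict"] = "running-path-unresolved" if alive else "orphaned-registration"
    return flagged
```

On this excerpt the WinDefend entry comes back as an orphaned registration, while avgagent is flagged as missing only because its image path is a bare file name; the same executable appears under Running processes as C:\WINDOWS\avgagent.exe.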
 

·
Registered
Joined
·
3 Posts
Discussion Starter #4
Thanks for the reply forhockey,

As there was no malware present (that could be detected anyway) I've reinstalled the OS and things have gone back to normal, so I guess it must have been software and probably Windows itself as there was virtually nothing else left installed.

All good now and a happy PC again.

cheers,

Snootwagg.
 

·
Registered
Joined
·
3,025 Posts
Hi SnootWagg,

Thanks for getting back to me. Sometimes it is just best to start over. Now would be a good time to run Windows Update, and install some anti-spyware measures.


Microsoft Updates

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

Malware Prevention Tools

These programs configure your computer to prevent known malware-related changes. You can have more than one of these at a time and they take up minimal resources.

  • SpywareBlaster - Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items. Check regularly for updates.
  • IE-Spyad - Here is an installation guide -> http://www.techsupportforum.com/content/Security/Articles/63.html
  • MVPS Hosts File - extract and double-click the mvps.bat file. This will replace your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements, preventing your computer from connecting to those sites.
  • McAfee SiteAdvisor - helps to warn you before you interact with a dangerous Web site. Works with both IE and Firefox.
  • SpywareGuard - real-time protection that detects and blocks spyware before it can execute.

Alternative Web Browsers

Using an alternative browser can help prevent malware from being installed without your knowledge, but may not work on all websites.

Firewalls

If you do not have a firewall, here are a few free ones available for personal use:

Understanding and Using Firewalls



Informational Reading

Please take a look at these well written articles:

 