#1
Hijack This Log: CPU near to 100% (System Idle Process)
Hi, sounds like my problem is the same as a few other people's. If anyone can help, I'd really appreciate it!
Certain programmes crash on my PC when I perform certain functions. It's as if the CPU gets overloaded (it tends to only happen when I have large programmes open, eg. Skype and RealPlayer). It's been doing it over the last 4 weeks, but used to be fine. Here's the log file from hijack this:

Logfile of HijackThis v1.97.7
Scan saved at 13:29:48, on 04/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Cobian Backup 6\CobBU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cobian Backup 6\cobui.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
D:\Downloads\Tools\procexpnt\procexp.exe
C:\WINDOWS\System32\msiexec.exe
D:\Downloads\Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fattaxi.com/mark/marklinks.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [MAGIXautostart] E:\install\program\setup.exe
O4 - HKLM\..\Run: [Cobian Backup 6] "C:\Program Files\Cobian Backup 6\CobBU.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Break_Reminder] C:\Program Files\Break Reminder\Break Reminder.exe 1
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38159.5711921296
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD54D7A3-3E87-4A28-BDA4-A215D2A2A27E}: NameServer = 62.241.162.200 158.43.240.3

Any ideas?
Thanks
Mark
#2
You posted exactly the same thread yesterday - please give people more time to help you before reposting.
#3
Quote:
Sorry - I reposted it so that the topic title said "Hijack this log" as it suggested in the instructions written by Tom Myboy. I thought it might explain the problem better, and whenever I edited the original message, it kept the same title. Are you able to delete the original message?
Thanks.
#4
Hi Mark,
If you still need help, please post a fresh HijackThis log in this thread.
Tom
#5
Hijack This Log Update
Thanks Tom - here's an update.
I've also got a new problem (don't know if it's related or something completely different). I keep getting emails sent to my own personal email saying that the MyDoom virus has been removed (in an attachment). Reason I'm confused is that the email says it's from noreply@(my email address) and to please reply to postmaster@(my email address). But there is no postmaster@ set up on my email. (Below is part of the message):

Please reply to postmaster@excelerated-performance.co.uk if you feel this message to be in error.
Dangerous Attachment has been Removed. The file "attachment.scr" has been removed because of a virus. It was infected with the "W32/Mydoom.N-mm" virus. File quarantined as: "".

I just delete the emails, but I wouldn't mind fixing this problem too! Below is the Hijack this log, thanks.
Mark

Logfile of HijackThis v1.97.7
Scan saved at 10:08:54, on 12/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Cobian Backup 6\CobBU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cobian Backup 6\cobui.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
D:\Downloads\Tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fattaxi.com/mark/marklinks.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [MAGIXautostart] E:\install\program\setup.exe
O4 - HKLM\..\Run: [Cobian Backup 6] "C:\Program Files\Cobian Backup 6\CobBU.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Break_Reminder] C:\Program Files\Break Reminder\Break Reminder.exe 1
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38159.5711921296
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD54D7A3-3E87-4A28-BDA4-A215D2A2A27E}: NameServer = 62.241.162.200 158.43.240.3
#6
Quote:
I would like you to perform an online virus scan at Trend Micro Housecall
http://housecall.trendmicro.com/
Select all of your drives listed for scanning. Please check "Auto clean" before scanning. If you can, copy and paste the report logs from the scan into your next post. If not, please write down what was found and if anything was or was not deleted. Please include this information into your next post.

Next...
Please update HijackThis, you are using an outdated version. The new version does a better job of detecting malware:
Open HijackThis, click Config > Misc Tools > Check for Update online
Or download a copy of version 1.99 at:
http://www.majorgeeks.com/download3155.html
If you downloaded the newer version, please delete the older version you are using now. Post a fresh log with this new version.
Tom
#7
Hi Tom,
I ran Trend Micro Housecall. It found absolutely nothing, and there was no report as a result. I also updated Hijack this and re-ran (log is below). Finally, just to confirm that this isn't normal - when I do ctrl-alt-del and look under the CPU column, this is where I'm seeing that System Idle Process is usually around 99. Is this normal?
Thanks
Mark

Logfile of HijackThis v1.99.0
Scan saved at 09:36:18, on 13/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Cobian Backup 6\CobBU.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Cobian Backup 6\cobui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
D:\Downloads\Tools\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fattaxi.com/mark/marklinks.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [MAGIXautostart] E:\install\program\setup.exe
O4 - HKLM\..\Run: [Cobian Backup 6] "C:\Program Files\Cobian Backup 6\CobBU.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [Break_Reminder] C:\Program Files\Break Reminder\Break Reminder.exe 1
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DD54D7A3-3E87-4A28-BDA4-A215D2A2A27E}: NameServer = 62.241.162.200 158.43.240.3
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#8
Hi Tom,
Further to my message above - I've received another odd email along similar lines:

Dear user (**my email address in here**)
Your e-mail account has been used to send a huge amount of junk e-mail messages during this week. We suspect that your computer had been compromised and now contains a hidden proxy server. Please follow our instruction in order to keep your computer safe.
Have a nice day,
The excelerated-performance.co.uk team.
***************

Tom - what I don't like about this - is my website is http://www.excelerated-performance.co.uk so these people are claiming to be part of my team?!!! Do you know how I can stop these messages? As well as fix the CPU problem?
Thanks for your help,
Mark
#9
It's great that Mydoom was not found on your computer!
Quote:
That's an excellent sign that your System Idle cpu time is high! If it were the other way around, I would suspect problems! System Idle goes high when there is little processing being done with other programs/processes.
Your final HijackThis log is clean! You may have some processes that take up much of your cpu time, such as MAGIX (it is the music studio, right?) and Cobian Backup 6. I don't know if you need them to start up every time your computer boots?
Tom
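
Added example, not part of the original thread: Python that splits a HijackThis log that has been run together on one line, as the logs in this thread were, back into entries and lists the O4 (registry Run key) autostarts discussed in the post above. The sample entries are copied from the thread's log; the function names and the needs_review heuristic are assumptions of this example, not HijackThis behaviour.

```python
import re

# Constructed sample: entries copied from the thread's log, run together on one
# line the way the forum software flattened them.
SAMPLE = " ".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fattaxi.com/mark/marklinks.htm",
    r"O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r"O4 - HKLM\..\Run: [nwiz] nwiz.exe /install",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [MAGIXautostart] E:\install\program\setup.exe",
    r'O4 - HKLM\..\Run: [Cobian Backup 6] "C:\Program Files\Cobian Backup 6\CobBU.exe"',
    r"O4 - HKCU\..\Run: [Break_Reminder] C:\Program Files\Break Reminder\Break Reminder.exe 1",
    r"O9 - Extra button: Messenger (HKLM)",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{DD54D7A3-3E87-4A28-BDA4-A215D2A2A27E}: NameServer = 62.241.162.200 158.43.240.3",
])

# Section codes HijackThis prefixes to each entry (R0-R3, F0-F3, N1-N4, O1...).
ENTRY_START = re.compile(r"\s+(?=(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - )")
RUN_ENTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")
DRIVE_PATH = re.compile(r"\b([A-Za-z]):\\")

def split_entries(flat_log):
    """Split a whitespace-flattened log back into one string per entry."""
    text = " ".join(flat_log.split())   # undo hard wraps inside an entry
    return ENTRY_START.split(text)

def autostarts(flat_log):
    """Return the O4 (registry Run key) entries as dicts."""
    found = []
    for entry in split_entries(flat_log):
        m = RUN_ENTRY.match(entry)
        if m:
            hive, key, name, command = m.groups()
            found.append({"hive": hive, "key": key, "name": name, "command": command})
    return found

def needs_review(item, system_drive="C"):
    """Heuristic (an assumption of this example, not a HijackThis rule):
    review commands with no absolute path or a target off the system drive."""
    drives = DRIVE_PATH.findall(item["command"])
    if not drives:
        return "no absolute path"
    if any(d.upper() != system_drive for d in drives):
        return "target outside system drive"
    return None

if __name__ == "__main__":
    for item in autostarts(SAMPLE):
        print(f'{item["hive"]} {item["name"]:<16} {needs_review(item) or "ok"}')
```

A review hint here only means the entry deserves a closer look by a person; it says nothing about whether the program is unwanted.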
#10
Thanks for this Tom - that makes me feel a lot better! To be honest - although I'd heard about Mydoom - I'd never realised how bad it is! So, glad about that!
And cheers for explaining the rest. Yes, it is the music studio (MAGIX). I'll stop them starting up when the computer boots as you say. Hopefully that'll sort things out....really appreciate your help,
Cheers
Mark
#11
Quote:
Is Zone Alarm up to date? Have you checked for updates lately? Also, is AVG set up properly to scan your email messages? Are you up to date on AVG updates? I would also delete any suspicious or unneeded mail in your inbox.
Tom
#12
My AVG and Zone Alarm are all up to date - and I'm in the process of deleting unneeded emails.
Do you think that this message that you quoted above is real? It's part of the same message that signs off as "the Excelerated Performance.co.uk Team". Which is clear that they've set it up in an attempt to make it look legitimate. There is no excelerated performance.co.uk team!
Cheers
Mark
#13
Quote:
It seems they might be real, check this out:
http://www.google.com/search?lr=&ie...ce.co.uk%20team
If you feel you have your problems sorted out, let me know.
Tom
#14
Hi Tom,
Thanks again - actually, it looks like I didn't make myself clear in the last message! Excelerated Performance is my company. That's my website you found on google. What I meant was, I have never gone by the name of "The Excelerated Performance.co.uk Team". I don't have a team called that! Which is why I figured they're obviously trying to pose as a legitimate team.
I haven't received any of these messages for the last few days, AND I'm very happy that the programme on my PC doesn't seem to crash anymore! So I think that's all problems solved. I really appreciate your help - you've done a great job! I'll keep everything up to date now to prevent it happening again!
Cheers
Mark