unknown processes spiking my cpu to 100%, and other stuff

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by joed, Jan 17, 2005.

  1. joed

    joed Private E-2

    Hi. I've followed all of your preliminary steps for getting rid of spyware (download apps, run safemode, etc). This did manage to get rid of a lot of stuff that I didn't know was on my computer (thanks). However, it didn't solve the problem that led me to start this clean-up; a handful of processes are constantly running my cpu at 100%. These are the processes and their approximate amount of cpu usage (with just this one browser window and AIM running):

    System: 03-13
    SERVICES.EXE: 31-61
    LSASS.EXE: 10-21
    syscont.exe: 25-42
    TBPS.exe: 00-03

    I use firefox as my browser. firefox.exe is running between 00 and 05.

    This tbps thing is in my pr...

    holy crap, this waccccccky thing just happened:

    I got a random popup window titled: "Messenger Service." Inside the window reads: "Message from TRUNDLE to 160.39.32.107 on 1/17/2005 3:18:46 PM. Threat Found!Threat: W32.Randex in syscont.exe" There's a click box that says "OK" on it. I just clicked the X in the corner to close it.

    As I opened My Computer to check something in my program files, this download manager thing I have never seen before popped up, installed what it was calling a 'skin,' and suddenly my "My Computer" window had this mountain scenery on the top.

    Like I said earlier, I use firefox as my browser. However, when somebody occasionally sends me a link and i forget to copy/paste into firefox, windows opens the link with IE. My IE has had this mountain background thing on the top for a while now (I see it whenever this link situation occurs). I guess some of your spyware countering programs got rid of part of the toolbar trojan but not enough to keep it from reinstalling itself...

    So, back to the TBPS.exe thing, I have a program folder called "Toolbar" that, even after running all the counter-spyware programs, will not go away. When I try to delete the folder, it tells me: "Cannot delete common.dll: There has been a sharing violation. The source or destination file may be in use."


    One last thing: This computer was given to me by my roommate. It has (an almost-definitely cracked) copy of Trend Micro's PC-cillin. When I ran the cleaning program stinger.exe it found a ton of bad files in this app's "QUARANTINE" folder. I don't use the program because it seems pretty outdated (2000) and since it's cracked I can't update it, so this quarantine folder is just sitting in the program folder.


    Thank you very very much in advance for your help. You guys have a great site here.

    Sincerely,
    Joe
     
  2. joed

    joed Private E-2

    A couple of additions/corrections:

    First thing: The "Toolbar" program folder has the TBPS.exe in it. This is why I'm associating this folder with the process in my task manager.

    Second thing: When stinger.exe found all the bad files in pc-cillin's quarantine folder, it read "can not repair" after each item, as opposed to "deleted" for files it found elsewhere.

    Third thing: The mountain background toolbar has never showed up on my "My Computer" window before, only on Internet Explorer windows. This just happened for the first time while I was writing the last post.

    Thanks again.
     
  3. joed

    joed Private E-2

    I have been getting the pop-up "Message from TRUNDLE to 160.39.32.107 on 1/17/2005 3:18:46 PM. Threat Found!Threat: W32.Randex in syscont.exe" about once every 15 minutes. The TRUNDLE part changes sometimes to another name, but otherwise it's the same.

    JAYLAMBO is another of the names.
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Joed,

    If you are certain that you've exhausted the Tutorial's options ( including the Online Scans), then go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.


    There are only a few of us who offer advice in this forum and I’ve been tied up with work these days, but somebody will try to take a look at your log when they get a chance.

    Best :)
    PP
     
  5. joed

    joed Private E-2

    hi phillie. well, there have been some new, unfortunate developments.

    first, i hadn't/haven't run the online scans. the nature of my problem makes the trend micro java scan seem to not work, though it may just be taking forever because the cpu is maxed out.

    second, the scary new development, is that when i run hijackthis, i get an error message saying that the program has created errors and will close. i first ran it in normal mode with no other programs running when i got the error, so i tried running it in safe mode but i got the same error :( :(

    also, after getting the first error while running hijackthis, i tried opening My Computer and i got a message saying that explorer.exe has generated errors.

    what can i do to get a hjt log? if it helps, the program always generates the error when it's going through the 023 files, the service files. SERVICES.exe is the task that has been eating up most of my cpu. in normal mode it's averaging about 50% of my cpu. in safe mode the task still appears but is at 00.

    in the meantime, i'm going to try to run the trend micro java scan while in safe mode.

    this is freakin me out. thanks for your help, hope i can get through it.

    -joe
     
  6. PhilliePhan

    PhilliePhan Guest

  7. joed

    joed Private E-2

    hey. haven't tried the older version of hjt yet, but i was just wondering something: if i'm using firefox, can i just uninstall internet explorer altogether? just now i got rid of microsoft's java, as per the tutorial, and wondering if i can just ditch the whole god-forsaken thing.

    i'll try out the older hjt asap. getting ready to get some dinner right now though, be back in a couple hours.

    thanks a lot phillie
     
  8. joed

    joed Private E-2

    hey. i've done a bunch of stuff since last time and things have generally improved. at this point i've pretty much done everything you suggest in all of your tutorials, including installing a new AV program to replace the old Trend Micro PC-cillin 2000. However, I got an error uninstalling PC-cillin, so I ended up just deleting all of its program files. Everything except two .dll files deleted. The two .dll's are: PCCNTRES.dll and Tmdshell.dll. any advice on how to get rid of parts of old programs that are just sitting around, such as these?

    however, my cpu is still being maxed in normal mode, despite my having apparently gotten rid of the toolbar problem and a large number of other nasty files. i have managed to get a hjt log, though. here it is. hopefully this will provide the answer to this cpu maxing riddle.

    thanks again very much!!

    -joe
     

    Attached Files:

  9. joed

    joed Private E-2

    hey guys. just waiting for one of you to take a look at my hjt log. thought i'd refresh the post. take your time.

    thanks,
    joe
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi Joe,

    Please look in Add or Remove Programs for the following and Uninstall them if found:
    ToolBar / HuntBar
    WinTools

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure the Viewing of Hidden Files is Enabled as per the tutorial.

    Now scan with HijackThis and Check the Boxes for the following:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50193
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50193
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50193
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)

    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
    O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)

    O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)

    O4 - HKLM\..\Run: [Windows Media] syscont.exe

    O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\RunServices: [Windows Media] syscont.exe
    O4 - HKCU\..\Run: [Windows Media] syscont.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

    O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)

    O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
    O23 - Service: WinTools for IE service - Unknown - C:\Program Files\Common Files\WinTools\WToolsS.exe (file missing)
    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following if they should remain:

    C:\PROGRAM FILES\Toolbar ---> The Folder
    syscont.exe ---> You’ll have to search for this one using Windows Explorer
    C:\Program Files\Common Files\WinTools ---> The Folder


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits.

    Best luck :)
    PP
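    The fix list above is built by hand from the HijackThis log: every entry PhilliePhan checks either points at a file that is already gone ("(file missing)", i.e. a registry reference orphaned by the earlier cleanup), lives under the Toolbar or WinTools folders, or is an O4 autorun that launches a bare executable name such as syscont.exe with no directory, which is why he says it has to be searched for. The script below, an added example and not part of the thread or of HijackThis itself, applies those three rules to HJT-style log lines. The sample lines are copied from the log in this post, except the final "benign service" line, which is constructed; the SUSPECT_DIRS list and the reason labels are this example's own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumption for this example: folders the thread's log tied to the adware.
SUSPECT_DIRS = ("\\toolbar\\", "\\wintools\\")

# Reason codes this script assigns (its own vocabulary, not HijackThis output).
ORPHANED = "orphaned: entry references a file that no longer exists"
SUSPECT_DIR = "path under a known adware folder"
BARE_EXE = "autorun launches a bare executable name (no directory given)"

# Every HJT line starts with a section tag such as R0, O4, O23.
LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 bodies look like:  HKLM\..\Run: [Windows Media] syscont.exe
O4_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Lines copied from the log in this post; the last O23 line is constructed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50193
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll (file missing)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll (file missing)
O4 - HKLM\..\Run: [Windows Media] syscont.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunServices: [Windows Media] syscont.exe
O4 - HKCU\..\Run: [Windows Media] syscont.exe
O23 - Service: WebSeach Toolbar support NT service - Unknown - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)
O23 - Service: Example benign service (constructed) - Unknown - C:\WINDOWS\system32\example.exe
"""


@dataclass
class Finding:
    kind: str    # HJT section tag, e.g. "O4"
    reason: str  # one of the reason codes above
    line: str    # the offending log line


def classify(line: str):
    """Return a Finding for one HJT line, or None if no rule matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # blank line, header text, or not an HJT entry
    kind, body = m.group("kind"), m.group("body")
    low = body.lower()
    if "(file missing)" in low:
        return Finding(kind, ORPHANED, line.strip())
    if any(d in low for d in SUSPECT_DIRS):
        return Finding(kind, SUSPECT_DIR, line.strip())
    if kind == "O4":
        om = O4_RE.match(body)
        # A Run/RunServices value with no backslash names the program only,
        # so the binary could sit anywhere on the search path.
        if om and "\\" not in om.group("cmd"):
            return Finding(kind, BARE_EXE, line.strip())
    return None


def triage(log_text: str):
    """Run classify() over a whole log and keep the flagged lines."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


def summarize(findings):
    """Count findings per reason, handy for a quick 'what kind of mess is this'."""
    return dict(Counter(f.reason for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
    print(summarize(hits))
```

    Run it against a saved hijackthis.txt by reading the file into `triage()`. Orphaned entries are harmless on their own but are exactly the leftovers that let a half-removed toolbar reinstall once any surviving component runs, so they are worth clearing together with the folders, as the instructions above do.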
     
  11. joed

    joed Private E-2

    ok, well... things seem to be good right now. i did everything you said to do without any problems, and my cpu is currently sitting at around 4% as i type this (yay). i've attached my new hjt log.

    i just have a couple of other questions if you wouldn't mind answering before we wrap this thread up:

    - as mentioned earlier, the trend micro folder has been tricky to get rid of in my program files... there is currently only one .dll sitting in it, Tmdshell.dll. whenever i try to delete it or rename it, it says that it can't do it. any suggestions on how to get rid of it?

    - as also mentioned/asked before, can i uninstall internet explorer? i never use it and would be happy to be rid of it, but i'm afraid that it would mess windows up.

    that's it. thanks a ton for your help!

    -joe
     

    Attached Files:

  12. PhilliePhan

    PhilliePhan Guest

    You're Welcome! Happy to help :)

    Your HJT Log looks OK. Let us know if you run into further problems.

    You need to keep Internet Explorer. Too many hassles getting rid of it (May not even be possible the way it is integrated with Windows) + you may need to use it occasionally. Suggest you use FireFox as main browser.

    For the problem DLL, try booting to Safe Mode and removing it with Pocket KillBox

    PP :)
     
  13. efibacchus

    efibacchus Private E-2

    didn't read everything, but sounds like you should change your default browser to firefox, so you don't have to cut and paste links.
     
