High CPU Usage no apps running hangs on shutdown

A lot of detail here, hopefully everything you could possibly want to know. I hope you can help me solve this problem. I have no idea if this is a virus or malware problem.

Running Windows XP Professional SP2, using Boot Camp on a MacBook Pro with dual Intel 2.33 GHz processor, 2 GB RAM.

This problem occurred suddenly two days ago. System restore to dates last week does not resolve this.

As soon as I've booted up and started Windows, with no apps running, I had 52 services running and CPU usage 85% and above. RAM doesn't seem to be tied up. Apps are very slow or unresponsive. Trying to run more than one app. pretty much brings things to a standstill. Services with most CPU usage are System, explorer.exe and svchost. When I try to shut down, I consistently get "Ending program, please wait...explorer.exe. Once it ends that program, my desktop goes away, leaving wallpaper. system just hangs there forever. Only once have I been able to get the machine to actually shut itself down, by ending explorer.exe service and then clicking shut down in the task manager. Have not been able to repeat this success. Every other shutdown the past two days has been by brute force (holding power button down).

Uninstalled AVG antivirus thinking it was the problem. Installed Avanta. No improvement.

I followed Malware removal instructions from this forum. First changed msconfig to normal startup mode (I'd been using msconfig to eliminate some unwanted stuff from starting up; thanks for the lesson on this). Eliminated some unwanted startups using services.msc.

Ran CCleaner, SuperAntiSpyware, SpyBot, Malwarebytes, combofix and MGtools in normal mode following your instructions. All but one turned up nothing. One of the scans I believe found one problem and eliminated it. I believe it deleted bszip.dll. Attaching logs. While running MGTools I got an error message - registered JIT debugger is not availaable. error code: 0x2(2). I cancelled the debugger request.

I also looked at my Advanced System Information Error log, which showed no errors until the morning this CPU high usage and hang on shutdown began occuring. This error log has several entries for "application hanging" from when I tried to use Eudora and it locked up. The application hanging entries that don't specify what application all say Fault bucket 767637487.

I had not defragged first because I knew my drive wasn't too fragmented, but did go ahead and defrag last night, just grasping at straws.

Also ran a couple of these scans later in Safe Mode to see if that would help. Nothing.

 

Attaching one more log here.

 

Thanks! sorry about forgetting the ComboFix log. attaching now. I ran MGtool and attached a log, but it was cut and pasted from within the program because the instructions were a little confusing ("only attach this log from MGtools.exe. DO NOT attach any logs seen in the MGtools folder). I thought this meant I should not attach that zip file. Attaching here.

Thanks for taking a look! I've spent two full days now trying to sort this out.

Dave


Your problems may not be malware but we need all the proper logs to know.

Please attach the ComboFix requested log.

Then please download MGtool.exe from the link given in the READ & RUN ME and follow the procedure for running it. Then attach the log that is requested which is C:\MGlogs.zip Do not create your own log from what you see on the screen! Attach what we ask for.[/QUOTE]

 

So sorry for the hiccups.

1. I am certain I uninstalled AVG, yet there it was. So I uninstalled and double-checked after rebooting that it is gone.

2. Triple-checked I am running in Normal Mode now.

3. Viewpoint is removed.

4. Updated java

5. MGtools: I never got any error messages similar to those listed on the Using MGtools page, however, I did get some errors which I think are preventing a good scan. I tried running the scan several times, and each time I got a slightly different error. With each error I clicked cancel in order to debug. And in every case I then got "Registered JIT debugger is not available. error code 0x2(2). Please check computer settings. cordbg.exe !a 0xe34" At this point I had to cancel the debug request and MGtools seemed to resume scanning but only for a split second and then seemed to be finished (or aborted?).

I am attaching a file with screen shots of all but the first error msg I got (didn't think to snap that one). Still, I am also attaching the log, but suspect it won't be useful.

6. Before taking all the above steps, I ran PC PitStop Exterminate (leaving no stone unturned here). It found 1 moderate threat (prockill) and 2 minor tracking cookies (DoubleClick and HitBox). I went ahead and removed them. Did not solve my problem, clearly.

7. Since that operation, when attempting to shut down Windows XP, instead of that "ending program...explorer.exe" I had been consistently getting, I am now getting a variety of other services that Windows is ending: cftmon.exe, MCI Command hand.... Then after uninstalling AVG, on shutdown Windows was having to end rundll32.exe. Just this once, Windows actually then shut down and restarted on its own. After updating Java, when I next shut down Windows had to end MCI command hand...

8. GMER log attached.

9. Earlier today i looked at performance while in Safe Mode and my CPU usage was fluctuating between 0 and 1%. Tried again tonight after doing all the above, and CPU usage was briefly at 45%, but then settled at 2% and under. three versions of svchost.exe running. It did shut down beautifully from Safe Mode just now.

10. I am forever in your debt, whether you manage to lead me out of the forest or not. Thanks for trying. I hope I got everything right this time!

Dave

 

Whew! Here is a progress report. I have stopped midstream because following running of GetRunKey.bat, ShowNew.bat and attempting sfc/scannow I had to restart my laptop (I attempted to open Eudora to copy your regedit commands into NotePad, and Eudora hung). I could not kill Eudora. In task manager I had 2 instances of it under applications and no matter how many times I clicked on end process they continued to run. Finally got the machine to shut down by using task manager to shut down. The processes it then took its time ending were: ctfmon, explorer.exe, and connections tray (which I haven't seen ending before). On restart my ATI Control Panel failed to initialize ("no driver installed or not working properly"). My performance has gone from slow to glacial, without the graphics driver. So I figure maybe I should not proceed with the remaining steps (to clean up some junk), until you advise me.

During GetRunKey.bat I don't believe there were any error messages. There may have been a few "cannot find file" messages in the window (nothing that popped up in a separate error dialogue box) for some files it was looking for. Are these significant? Do I need to jot these down and give you a list? Log attached.

During ShowNew.bat, I did keep a list during shownew.bat: could not find (but again, these messages just showed in the terminal window, not as special error messages in separate dialog box):

beep.sys
ctf.mon
explorer.exe
svchost.exe
winlogon.exe

It did ask for the Windows XP CD during sfc/scannow. It spent quite awhile verifying files or some such thing while the CD was in. Then in the terminal window it said: "sfcscannow is not recognized as an internal or external command, operable program or batch file."

Finally, and this could be significant, so please read patiently: I wanted to answer your question about irw.exe and brightness.exe. So I did some googling. It looks like brightness might relate to my power settings (source not necessarily authoritative): "Brightness.exe is also a part of power management schemes. Deleting these programs will cause him to not be able to run his battery conservatively, thus greatly reducing his battery longevity."

But here is the kicker! In looking for info. about IRW I found some indications it might be related to a Trojan -
http://www.suggestafix.com/lofiversion/index.php/t28747.html
and
At incodesolutions.com under threats:
Known to RemoveIT Pro as dangerous.

but others that it might have to do with Boot Camp or the Apple Remote control that came with my laptop. http://209.85.141.104/search?q=cach...rw.exe&hl=en&ct=clnk&cd=1&gl=us&client=safari

However, please look at this thread: http://www.sharkyforums.com/archive/index.php/t-298784.html

The above thread seems to be on track. I found it by googling irw.exe, but it is spot on. Especially see the last entry. Guess what? I do have a Windows update waiting to be installed, but since I don’t seem to be having normal shutdowns, it remains pending. It's been there for a day or more. I am not 100% certain it was there when this problem started. I think I may have gotten the "Windows updates available" message on the day that I started having problems, AFTER the problem started, and i clicked to download it. But I have noticed it has not installed.

From the above thread, which is about 100% CPU usage on start up:
"I've seen this the last few days, and primarily on laptops. I'm willing to bet that you also have Windows updates showing ready to be installed. If you look in Task Manager the service is probably one of the generic Windows SVCHOST.EXE, and if you use a process identifier, you will likely find that it is something to do with the Windows updates.

Kill the process so you can work, but when you are done, reboot so the service starts again, then do an "Install updates and shut down" to install the updates. This will resolve the issue...at least until another screwed up MS update comes along."

So, here I am. I will not continue with your cleanup and regedit instructions until you advise as to next steps, considering all the above.

BTW, in answer to your question about Compuserve - I have been keeping it as a backup so I can use dialup to get on the internet in a pinch. Probably about ready to kick it. It is only showing up now in my start programs because you made me ;-) stop using msconfig to disable it from starting up. For the same reason, realplayer and WinDVD are starting up. I haven't had a chance to try disabling these via their programs, except RealPlayer, for which I cannot find a way to disable autostart from within that program! Maddening. there ought to be a law.

To add insult to injury my laptop no longer recognizes my thumb drive when I plug it into a USB port (so I have to reboot every time I want to transfer logs onto the thumb drive so I can upload them over here on my PowerMac that, thank god, is running fine). I'm sure I disabled some service I shouldn't have in services.msc. But haven't been able to figure out which one. And Bill Gates is a billionaire why???

Thank you!

 

I don't see the attachments on the previous message, so I am attaching them here.

 

To access the commands you want me to paste into notepad I had to either copy them out of the email from your post or copy them from this forum website. My system is running so poorly I could not get this forum to even open on it, and I was reluctant to cut and paste from the forum on my PowerMac because I felt it safest to paste directly into notepad (which of course is not on my powermac. You've indicated a low tolerance for creativity, here. Just trying to stay on your good side!

 

Based on what I found when investigating the IRW.exe question you asked, I did the following: rebooted my PowerBook and let it boot in the Mac OS. Authorized the Mac software updates it was indicating. Rebooted in Mac OS. Then rebooted in Windows and my problem was gone. CPU usage down to minimal levels after startup.

So, as you suspected, not malware. Thank you for so patiently trying to help me through this. It is amazing you give your time to help those of us without propellers on our heads. Much appreciated.