CPU usage high...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by roemer7, Aug 22, 2006.

  1. roemer7

    roemer7 Private E-2

    I am guessing when I say this is a Malware problem. (After all, aren't most problems?)

    This weekend my pc began running slowly. I opened Task Manager and found that the CPU Usage was almost always @ 100%. I looked at the processes and found that there were several rundll32 processes running. Once I killed these, the usage dropped to normal. But if I open any program the rundll32 shows up again and slows the computer down.

    I have run AdAware and Spybot. Still happening. I tried a system restore, but it wasn't allowed (can't restore).

    Where should I go from here?

    Thanks for your time.

    Respectfully,
    Roemer7
     
    Last edited: Aug 22, 2006
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi, your best option to rule out malware is to run the below guide and attach the logs requested, then one of our malware guys will give them a look and post some more tailored removal instructions if they find this high CPU usage is due to malware.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis

    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. roemer7

    roemer7 Private E-2

    CPU usage high...(HJT log)

    I posted previously that my CPU usage was showing 100% nearly all the time. I looked under the task manager and saw 4-5 rundll32's running and using all the CPU. (They would run all day if I let them.) Once I ended the processes, all is OK...until I open a program and its rundll32 slows everything down again.

    That said, I ran through all the previous steps before posting my HJT log. While running CounterSpy (I only have SP1 with XP) I didn't run the thorough scan, just the quick scan. Most all other scans found something; I will attach these.

    The problem still exists even after reboot in normal mode. Anything you can do for me will be of great help. HJT and other scan logs attached.

    Respectfully,
    Roemer7
     

    Attached Files:

  4. roemer7

    roemer7 Private E-2

    Re: CPU usage high...(HJT log)

    Here are the others...

    Roemer7
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: CPU usage high...(HJT log)

    Please do not start multiple threads for the same problem! You must remain in one thread for a problem. Also please do not post the same requests for help in multiple forums. I'm merging you back to your original thread in the malware forum.

    Why did you have CounterSpy ignore what it found? You should have allowed it to fix problems. Run it again and fix the problems this time.

    Do you know what the below is:
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\QicSetup.exe"


    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Then uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 5
    J2SE Runtime Environment 5.0 Update 6


    Now click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Ps2numif8 ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press "OK":

    Ps2numif8

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [rztyhvnA] C:\WINDOWS\rztyhvnA.exe
    O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\FNTS~1\notepad.exe" -vt yazr
    O4 - HKCU\..\Run: [Lmdobxqx] C:\Documents and Settings\Owner\My Documents\??crosoft\m?dtc.exe
    O23 - Service: Ps2numif8- - Hewlett-Packard Company - (no file)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\rztyhvnA.exe
    C:\Program Files\FNTS~1\notepad.exe
    C:\Documents and Settings\Owner\My Documents\??crosoft\m?dtc.exe
    C:\WINDOWS\3d.exe
    C:\WINDOWS\3d_sexvilla_v25_install.exe
    C:\WINDOWS\system32\wtssvcc.exe
    C:\WINDOWS\system32\setup.exe.tmp
    C:\Program Files\Windows <--- delete the whole folder
    c:\windows\system32\rundll32 <--- only delete this exact file if found. DO NOT delete rundll32.exe.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Aug 23, 2006
  6. roemer7

    roemer7 Private E-2

    I did not find rundll32 in the system32 folder.
    I could not open properties for internet explorer. Right clicking and selecting "properties" would not open "properties".
    The cpu usage is still sky high with several rundll32's still running.
    I can't open "add or remove programs" in the control panel either.
    Roemer7
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I repeat some things from my previous message!


    You must answer questions and you must also run CounterSpy again and fix problems and attach a new log.

    Use Step 3 to Reset Web Settings!

    What happens when you try to run Add/Remove Programs?
     
  8. roemer7

    roemer7 Private E-2

    I apologize, but I neglected to write that I did run Counterspy before the last HJT log and elected to fix what it found.

    The "Insight" file you questioned about is my local service provider.

    When I try to open "add or remove programs" my CPU usage shoots to 100% and hovers there for as long as I let it. Then when I look at the Task Manager, I see one, sometimes two or three, rundll32's running and using all the CPU.
    When using step 3 to reset Web Settings, I get the same thing as "add or remove programs", the CPU usage goes to 100% and the computer slows to a halt.
    (I have also discovered that when I try to open the "System" icon in control panel, the same thing happens.)

    In all three cases, maybe more, the file looks like it is trying to load, but the CPU usage hits 100% and nothing happens. (I've let it sit and try to open for several minutes.)

    Roemer7
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using Add/Remove Programs to uninstall those items after booting in safe mode.

    Also while in safe mode, see if you can Reset Web Settings.

    These problems are more than likely not malware.

    You could check out what is said in the below link as this is sometimes an issue:

    http://www.bleepingcomputer.com/startups/rundll32.exe_nview.dll_nViewLoadHook-3824.html

    You could fix the O4 line referring to this in your HJT log and see if it helps. The line below is what I'm referring to:

    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
     
    Last edited: Aug 25, 2006
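The triage that chaslang does by eye in posts 5 and 9 (flagging O4 autorun entries with garbled paths, executables dropped straight into C:\WINDOWS, a "notepad.exe" living outside system32, rundll32 hosting a DLL, and an O23 service with no backing file) can be expressed as a small parser over HijackThis-style lines. This is an added example, not code from the thread or from HijackThis; the sample log is constructed from lines quoted above and the heuristics are my own assumptions about what merits review.

```python
import re

# Constructed sample: HijackThis-style lines quoted in the thread above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [rztyhvnA] C:\WINDOWS\rztyhvnA.exe
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\FNTS~1\notepad.exe" -vt yazr
O4 - HKCU\..\Run: [Lmdobxqx] C:\Documents and Settings\Owner\My Documents\??crosoft\m?dtc.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O23 - Service: Ps2numif8- - Hewlett-Packard Company - (no file)
"""

O4_RE = re.compile(r'^O4 - (\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<svc>.+?) - (?P<vendor>.+?) - (?P<path>.+)$')
# Names of Windows binaries that malware likes to borrow (assumed list).
SYSTEM_BINARIES = {"notepad.exe", "rundll32.exe", "svchost.exe", "explorer.exe"}

def executable_of(cmd):
    """Return the executable path from an autorun command, quoted or bare."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r'(?i)(.*?\.exe)\b', cmd)   # bare paths may contain spaces
    return m.group(1) if m else cmd.split(' ', 1)[0]

def triage_line(line):
    """Classify one HJT line as ok / review / suspicious / skip with a reason."""
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m.group('cmd'))
        base = exe.rsplit('\\', 1)[-1].lower()
        folder = exe.rsplit('\\', 1)[0].lower() if '\\' in exe else ''
        if '?' in exe or any(ord(c) > 127 for c in exe):
            return 'suspicious', 'non-printable or wildcard characters in path'
        if base in SYSTEM_BINARIES and '\\' in exe and not folder.endswith('system32'):
            return 'suspicious', f'{base} impersonated outside system32'
        if folder == 'c:\\windows':
            return 'suspicious', 'executable dropped directly in C:\\WINDOWS'
        if base == 'rundll32.exe':
            return 'review', 'rundll32 hosting a DLL; confirm the DLL is expected'
        return 'ok', 'no heuristic matched'
    m = O23_RE.match(line)
    if m:
        if m.group('path').strip() == '(no file)':
            return 'suspicious', 'orphaned service with no backing file'
        return 'ok', 'service has a backing file'
    return 'skip', 'line type not handled'

def triage(log):
    """Return (line, verdict, reason) for every non-empty line of the log."""
    return [(l, *triage_line(l)) for l in log.splitlines() if l.strip()]
```

Run `triage(SAMPLE_LOG)` to get a verdict per line; the realsched entry comes back ok, the NVIEW rundll32 hook is marked for review (matching post 9), and the other four are flagged.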
