A Unique Glitch Found...Possible Virus

Welcome to Majorgeeks!

Are you saying that the CPU usage remains at 100% or does it jump to 100% and go down?

Have you installed or updated anything on the PC within the time frame of where this began. Even doing something like installing Windows updates etc? Do you have any programs (including Windows) set to do automatic updates in the background that could have installed something without you know it?

Did you install, update, or change an antivirus or security application (like a firewall) recently?

Do you by any chance use McAfee or worse Norton/Symantec?

Did you try a temporary disable of your firewall to see what happens?

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis
​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
  • Bitdefender
  • Panda Scan
  • HijackThis

.

 

I need to see the logs from the READ & RUN ME as requested. Otherwise you are leaving me in the dark and I cannot help you.

What I was requesting was "with the firewall disabled" what is your CPU usage?
The way you answered, it just sounds like you toggle the firewall on and off and then retested which is not what I requested.

If you updated your OS while infected, that could be the root of you problems as updating Windows with infections does not normally work very well.

You must not run multiple antivirus applications (step 3 of the READ ME).

My point about Norton and McAfee is that their security suites can often bring a CPU to its knees. You could try uninstalling them. But as I said at the beginning, without the requested logs, I'm only guessing. Post the logs or all I can say is you have no malware and to try the Software Forum.

 

I see multiple obvious issues! For example the below processes are all malware.
c:\windows\system32\dllcache\win32\winlogon.exe
c:\windows\system32\dllcache\win32\services.exe
c:\windows\system32\dllcache\win32\winlogon.exe
c:\windows\system32\dllcache\win32\csrss.exe

After we fix the above, if your problems with IE not working do not clear up, uninstall IE 7 and go back to IE 6. IE 7 is a beta and should not be used by any one but true beta testers or very experienced users.

We need to fix a few rogue services related to the above malware. One or more of these services may not be found during the procedure. Since your log did not show all of the typical bad services, I'm going to include a fix for them anyway just incase it shows up later.

We need to get these three services removed:
O23 - Service: NTBOOTMGR (NTBOOT) - Unknown owner - C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe

Here is the procedure to remove these bad services! (You probably will not find the first one - just continue).

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to NTBOOTMGR... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Now repeat the above stop and disable for the following services:
NTLOAD
NTSVCMGR

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

NTBOOT

Now repeat the Delete NT Service steps for:
NTLOAD
NTSVCMGR

If you receive any error messages just ignore them and continue.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Some items below (like processes and services) may not be seen anymore since the above should have fixed them. Just ignore if not found and continue.
Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P}
O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH}
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\windows\system32\dllcache\win32 <--- the whole folder
C:\WINDOWS\SYSTEM\DRIVER\ntuser.exe <--- probably does not exist

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now we need to Reset Web Settings:

1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

If you want to work with Compaq tech support that's fine. Then work with them.

If you want to work here in this forum then please follow my instructions and do not work anywhere else since it only confuses the situation. You still have malware and you have not done what I requested.