CPU 100% used

Discussion in 'Malware Help (A Specialist Will Reply)' started by VipinKrSharma, Oct 27, 2005.

  1. VipinKrSharma

    VipinKrSharma Private E-2

    Hi,

    I have used all steps given at "http://forums.majorgeeks.com/showthread.php?t=35407" but could not solve my problem of 100% CPU usage all the time. I have a HijackThis log; let me know if someone can help me.

    I have attached the HijackThis log with this thread.

    Thanks,
    Vipin
     

  2. VipinKrSharma

    VipinKrSharma Private E-2

    I have done some more R&D with my system. I have noticed that explorer.exe is using 100% all the time, and if I kill it from Task Manager the CPU usage goes down to normal.

    I tried many antivirus tools as suggested by the link I posted in my previous post. Now I cannot even start the system in Safe Mode. In Safe Mode the system shows me a blank screen after logging on to my account (administrator). Looks like my OS is screwed up.

    If I do a reinstall of the OS (Win XP with SP2), will I lose all my data? I don't have any medium to take a backup of my data, which is around 12 GB.

    Please help. Let me know if I can provide some other relevant information to troubleshoot this problem.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should have clicked this Special Removal Procedures link when you were doing the READ & RUN ME. You need to run the procedure it mentions for Virtumonde. That is your main problem. The direct link is Virtumonde aka Trojan Vundo Fix w/ Tool

    You will need to be able to boot in safe mode though! Try using Safe mode with networking and then physically unplug your cable to the internet (this is necessary to keep the malware from having access to the web).

    Let me know if you have any problems trying to run the fix. The lines you need to be concerned with from your log are:

    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\system32\ddcyy.dll
    O20 - Winlogon Notify: ddcyy - C:\WINDOWS\system32\ddcyy.dll

    You have other problems too. We can fix them after you complete the Virtumonde fix.

    If you cannot get this to work, I have another procedure we can use.
     
  4. VipinKrSharma

    VipinKrSharma Private E-2

    Thx a ton chaslang for helping me. I need to go out. I will try your suggestions once I am back and will post my result here.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! We will be around!
     
  6. VipinKrSharma

    VipinKrSharma Private E-2

    Hi chaslang,

    Sorry for the delay. I followed your instructions and it looks like I got rid of ddcyy.dll. But ddcyy.dll was removed even before running killvundo.bat.

    Here are my results for the different tools I used:

    #1 http://www.bitdefender.com
    Result : C:\Windows\system32\ddabx.dll Infected with: Trojan.Downloader.Agent.YF

    #2 http://www.windowsecurity.com/trojanscan/trojanscan.asp
    7 Malware detected
    Result #1 : C:\Document and Settings\Vipin\Local Settings\Temp\nsd.tmp (and 6 other files) were diagnosed with Riskware.RiskTool.Win32.Processor.32

    Result #2 : C:\Windows\system32\ddcyy.dll.vir was diagnosed with Adware.Win32.Virtumonde.q

    #3 Installed a-squared software
    20 files were infected with Trace.TrackingCookie and Riskware.RiskTool.Win32.Processor.20

    #4 http://www.kaspersky.com/downloads/kws/kavwebscan.html
    No Virus Found


    #5 · Physically unplug your cable to the internet (even if you have dial-up, unplug modem)
    · Shut down ALL unrequired applications including browsers
    · Reboot into safe mode (with or without networking, it does not matter at this point)


    #6 Run Ccleaner with the default options to clean out temporary files. Only use the Default Scan on the Windows Tab and select Run Cleaner. Do not run any other options from other tabs.
    Result : 1.55MB removed.

    #7 Run Ad-Aware SE and select the Perform full system scan box and allow it to fix all that it finds
    Result : 4 MRU List and 6 Tracking Cookies(Under Critical Objects category)


    #8 Run Spybot Search & Destroy and allow it to fix all that it finds. Make sure you use the Immunize feature and do not use Teatimer.
    Result : No Virus Found

    #9 Run Microsoft Antispyware and allow it to fix all that it finds
    Result : No Virus Found

    Optional tools to scan with:

    #10 CWShredder – run if you seem to have any CWS type infections. Make sure you select Fix
    Result : No Virus Found

    I have attached hijackthis.log also.

    Please let me know if my system is still infected with any Virus.

    Once again thx a ton for the help.

    -Vipin
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to CWShredder Service ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc Tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    CWShredder Service

    Now exit HJT and do not reboot if it asks you to do so. We will reboot later.

    Why is the below from McAfee still running when you have Symantec antivirus installed?

    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

    Did you uninstall McAfee? If so, it did not uninstall completely. You could use the same procedure as above (for CWShredder Service) to get rid of this McAfee service.

    Also look in Add/Remove programs for the below and uninstall if found:
    MyWay or MyWaySA or MyWay Search Assistant


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\MyWaySA


    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  8. VipinKrSharma

    VipinKrSharma Private E-2

    Hi chaslang,

    I was held up with many issues recently so could not find time to follow your instructions.

    Here are results :

    Task : Deleting CWShredder Service
    Result : The Service you entered is system-critical! It can't be deleted.

    Task : Deleting McAfee Framework Service Service
    Result : Done Successfully.

    Task : Remove myway.
    Result : Done Successfully.

    Task : Removing R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    Result : This entry did not come up in the HijackThis scan.

    I am attaching the HijackThis log, which I ran after following your instructions.

    Please let me know if my system is safe.

    I appreciate your help and time in resolving this problem.

    Thanks,
    Vipin
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean! How are things working?

    If everything is back to normal, it is time to work thru the below:

    How to Protect yourself from malware!


    I will not be around until about 11/15/05 but one of our other capable Malware Fighters can continue to help you if it is necessary.
     
  10. VipinKrSharma

    VipinKrSharma Private E-2

    Thank you very much chaslang. My system is working fine, thanks for all your help. I will follow the link you provided me.

    I hope that if the same problem comes back I can ask for help in this thread itself.
     
