Unexplained CPU Usage...Malware??

Welcome to Major Geeks!

There is no unexplained CPU useage in your snapshow. System Idle Process is not a process! It it the amount of free time your CPU has. Thus your CPU was free (not doing anything) 98% of the time.

Your problem may not be malware related, however, if you want to check your PC for malware, follow the below instructions.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis​

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • CounterSpy - only for Windows XP, 2K, & NT users
  • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • runkeys.txt - the log from GetRunKey.bat
  • newfiles.txt - the log from ShowNew.bat
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

So if it is only temporary when running particular applications (especially a scanning tool), then it is not a problem either. However, Task Manager is really not a very good tool to show what is running on your PC. There are many, many things it will not show especially when it comes to malware. A tool like Process Explorer is much better and will show everything except rootkit like processes.

You need to attach all the other logs so that we can determine you malware status.

 

I have seen this happen on many PCs when it wasn't malware related. Sometimes it is related to the software/processes running on the PC. I'm not saying that is your case. Just that it is possible that it is not malware. We will know when you finish with the READ & RUN ME.

Yes the scans can take quite awhile to run. It is best that you not be doing anything else (especially surfing) while running the scans. It will slow them down tremendously and it could interfere with fixing problems. Thus if you have the scans running and you are using the PC to connect here, you should not be doing that.

 

You forgot to attach the requested log from AVG Antispyware. Please attach it.

Did you put the below items in your hosts file? Why are they necessary?
O1 - Hosts: 82.96.43.2 www.imperialconflict.com
O1 - Hosts: 82.96.43.2 imperialconflict.com

Do you recognize the below to be something valid and that you installed?
O2 - BHO: ThunderIEHelper - {0005A87D-D626-4B3A-84F9-1D9571695F55} - C:\WINDOWS\system32\xunleibho_v14.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder\ComDlls\XunLeiBHO_007.dll
O8 - Extra context menu item: &ʹÓÃѸÀ×ÏÂÔØ - C:\Program Files\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &ʹÓÃѸÀ×ÏÂÔØÈ«²¿Á´½Ó - C:\Program Files\Thunder\Program\GetAllUrl.htm
O9 - Extra button: ???¡¥??¨¤¡Á5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???¡¥??¨¤¡Á5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder\Thunder.exe

Why do you have the below running? Do you have a remote control for the DVD player in your PC? Is it used in a Home Theater system?
WINREMOTE"="\"C:\\Program Files\\Common\\Bin\\WinRemote.exe\""
"Home Theater SchSvr"="\"C:\\Program Files\\Common Files\\InterVideo\\SchSvr\\SchSvr.exe\""


Why do two of the below need to be run at startup?
"DAEMON Tools-1033"="\"C:\\My Gaming Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"DAEMON Tools"="\"C:\\My Gaming Files\\DAEMON Tools\\daemon.exe\" -lang 1033"

Do you know what the below file is for?
C:\WINDOWS\system32\dskdrull.ini

You did not do step 2 of the READ ME. Please do it now so that hidden & system files can be seen and also so that file extensions can be viewed.

 

Do you want to remove those entries from Startup? We can fix them with HJT!

Probably due to using MSconfig to disable it and then maybe doing another install or a tweak which causes the program to reinstate the startup. This is another of about 10 reasons you should not use MSconfig to control startups as we state in the READ ME. If you don't need this, why are they here. Do you want to have HJT fix them so they no longer load? My procedure below will remove one of them, but you can remove both if it is not needed. Some people have experienced problems using Daemon Tools.

Load the file into wordpad. What kind of info do you see in it? Does anything look familiar.

No!

Potentially some software that you are loading. Does it happen in safe mode?

It did not find anything but LogMeIn which I assume you use.


Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now reboot in normal mode

Now locate the below files and delete them if found:
C:\WINDOWS\IFinst27.exe
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\buyurl0501.dat
C:\WINDOWS\Downloaded Program Files\HGStart9USA.exe

Now attach the below new logs and tell me how the above steps went.

1. GetRunKey
2. ShowNew
3. HJT

Make sure you tell me how things are working now!