cpu usage 100%

  • david17
  • Proficient
  • Joined: Nov 18, 2005
  • Posts: 301
  • Loc: princeton, nj

Post March 13th, 2006, 12:29 pm

Hi guys, my CPU usage in Task Manager is going up to 100 percent. I ran Ewido and my antivirus, but it didn't help. Here is my log:


Logfile of HijackThis v1.99.1
Scan saved at 2:25:44 PM, on 3/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\viwhlph.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\System32\wdc1n.dll
O4 - HKLM\..\Run: [SA] C:\Program Files\Logitech\QuickCam\SA3.EXE
O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -s C:/WINDOWS/sys.reg
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0EC4C9E3-EC6A-11CF-8E3B-444553540000} (WaveTab Control) - http://www.riffinteractive.com/setup/RiffLick.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\System32\wdc1n.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

Any help will be greatly appreciated. Thanks.
david :)
  • pramitroy
  • Guru
  • Joined: May 19, 2005
  • Posts: 1283

Post March 13th, 2006, 1:06 pm

Hi David,
here is what you have to do:

1. Run HijackThis and check the following items, but don't click Fix yet

Quote:
C:\WINDOWS\System32\viwhlph.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\System32\wdc1n.dll

O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -s C:/WINDOWS/sys.reg

O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\System32\wdc1n.dll

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe


2. Now close all open windows and applications and press 'Fix checked'

3. You may wish to restart, and then you can take another log and post it here to verify whether it is clean.

Post March 13th, 2006, 3:05 pm

This is a common and very annoying Aurora related problem.

http://www.bleepingcomputer.com/forums/topic34408.html

That has a pretty good tutorial for removing it. The file will change its name randomly, making it annoying to remove.
  • david17

Post March 13th, 2006, 3:21 pm

Thank you guys. I remember manually deleting "nail.exe" from c:\, but now it has moved to c:\windows. I will try once again tonight; thank you both.
david.

Post March 13th, 2006, 4:01 pm

Keep us posted, because this is a finicky one.
  • david17

Post March 13th, 2006, 9:03 pm

OK, I ran Spybot and re-ran Adaware, this time with the VX2 Cleaner snap-in installed. It found 609 critical objects, and the VX2 cleaner found 1 virus. However, my PC is still at 100 percent in Task Manager/Performance; it happens for about 10 minutes after loading Windows. Here is my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:53:20 PM, on 03/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\dgfgql.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\xzuaxuzA.exe
C:\WINDOWS\System32\klsx9e.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\Documents and Settings\Your Name Here\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webfile.com/
R3 - Default URLSearchHook is missing
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\System32\wdc1n.dll
O4 - HKLM\..\Run: [SA] C:\Program Files\Logitech\QuickCam\SA3.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F74D336E-CCB1-4644-B2DD-0C7A7B46165A}: NameServer = 192.168.1.1
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\System32\wdc1n.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe


Thanks all for your help.
david.

Post March 13th, 2006, 9:20 pm

I noticed several questionable items in your HiJack log. What I would do is make sure that Spybot and Adaware are updated, and scan from within Safe Mode to make sure they're finding everything. Here's the entries I know are bad:

C:\WINDOWS\System32\dgfgql.exe (Spyware)
C:\WINDOWS\SYSC00.exe (Trojan!)
C:\WINDOWS\xzuaxuzA.exe (Spyware)
C:\WINDOWS\System32\klsx9e.exe (Spyware)
C:\WINDOWS\etb\pokapoka79.exe (Adware)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webfile.com/ (Trying to overwrite your start page)

What virus software do you have? I would recommend getting at least the free version of Avast, and immediately do the boot scan after the install-initiated restart.

These files may not necessarily contribute to the 100% CPU usage. There is some junk on your machine however. I would make sure that you have good virus software that is up to date, and that your spyware programs are fully up to date before scanning. Make use of Spybot's Immunization feature.
  • david17

Post March 13th, 2006, 9:22 pm

C:\WINDOWS\System32\dgfgql.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\xzuaxuzA.exe
C:\WINDOWS\System32\klsx9e.exe
C:\WINDOWS\etb\pokapoka79.exe
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\System32\wdc1n.dll


I think I'm gonna have to use KillBox to remove these lines...

Post March 13th, 2006, 9:26 pm

If you have trouble deleting an entry because it is "in use" then you can do it from dos with the "del" and "rmdir" commands. This tutorial should help:

http://xona.com/2004/08/19.html
  • david17

Post March 13th, 2006, 9:34 pm

Good tip, didn't think about it. I'll give it a try...
  • david17

Post March 13th, 2006, 9:58 pm

That's a great link Rick, thanks.
But before doing that, either by command prompt, safe mode or KillBox, I need to know what to delete... I'll do some research on those files like zuaxzu and others to see if they are indeed malicious. Thanks again.
  • david17

Post March 13th, 2006, 9:59 pm

One more question: can you delete a hidden file in the command prompt, or do you have to do
attrib -h "filename" and then delete it?
  • Alkatr0z
  • Mastermind
  • Joined: Feb 08, 2004
  • Posts: 1881
  • Loc: Adelaide, Australia

Post March 14th, 2006, 12:25 am

You should be able to delete it whether it is hidden or not. If necessary you should use attrib -r -s -h "filename"
That attrib will take off the read-only, system and hidden flags, so it will remove them all at once rather than doing it one at a time if it has all three.

Is your computer still going up to 100%? If so have you checked in Task Manager to see what is causing it? Or using Process Explorer from http://www.sysinternals.com?

Parts of your log appear missing; unless something is setting a hook, you should have a lot more startup items than are being listed in the log.

pokapoka79 is definitely bad and I would bet that the rest are as well.
To identify what they are you can submit them to this website that analyzes them for you while you wait:
http://www.virustotal.com/flash/index_en.html
Blog I started with a friend. All In Tech blog
http://www.allintech.info
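The replies above (pramitroy's fix list, the 9:20 pm post naming the bad files, and the note about pokapoka79 and the missing startup items) all apply the same handful of rules to the log by eye: an executable running from C:\WINDOWS that is not a known Windows binary, a system.ini Shell= line with anything after Explorer.exe, a Run key doing a silent REGEDIT -s import, an O10 LSP break, an O15 Trusted Zone addition, an O18 text/html filter, and an O23 service with no owner. The script below is an added example that does that triage mechanically and cross-references the DLL backing both the O2 and O18 entries; it is not a tool anyone in this thread posted. The allowlist of Windows binaries is an assumption, and SAMPLE_LOG is a constructed excerpt of the first log above, not a fresh scan.

```python
"""Triage a HijackThis v1.99 log with the rules the replies in this thread applied by hand.
Added example, not from the thread; the allowlist and rules are assumptions, not exhaustive."""
import re
from pathlib import PureWindowsPath

# Assumption: core Windows XP binaries expected under %WINDIR%. Anything else
# running from the Windows directory gets flagged, which is how viwhlph.exe,
# dgfgql.exe, SYSC00.exe and pokapoka79.exe stood out in the logs above.
KNOWN_WINDOWS_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "regedit.exe",
}

# Constructed sample: an excerpt of the first log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\viwhlph.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\System32\wdc1n.dll
O4 - HKLM\..\Run: [SA] C:\Program Files\Logitech\QuickCam\SA3.EXE
O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -s C:/WINDOWS/sys.reg
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O18 - Filter: text/html - {BA576CDE-9949-4473-A8F7-6C17C2A7E600} - C:\WINDOWS\System32\wdc1n.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")  # e.g. "O23 - Service: ..."


def suspicious_windows_path(path: str) -> bool:
    """True for a file anywhere under <drive>:\\WINDOWS whose name is not allowlisted."""
    p = PureWindowsPath(path.strip().strip('"'))
    parts = [s.lower() for s in p.parts]
    if not p.anchor or len(parts) < 3 or parts[1] != "windows":
        return False
    return p.name.lower() not in KNOWN_WINDOWS_BINARIES


def triage(log_text: str) -> list:
    """Return (log line, reason) pairs for the entries a helper would tell you to fix."""
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        if line.startswith("Running processes:"):
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m is None:
            if in_processes and suspicious_windows_path(line):
                findings.append((line, "unknown binary running from the Windows directory"))
            continue
        in_processes = False
        kind, rest = m.groups()
        if kind == "F2" and "Shell=" in rest:
            # Shell= must be exactly Explorer.exe; anything appended (Nail.exe) runs at every logon.
            if rest.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append((line, "logon shell hijacked"))
        elif kind == "O2" and suspicious_windows_path(rest.rsplit(" - ", 1)[-1]):
            findings.append((line, "BHO loading an unknown DLL from the Windows directory"))
        elif kind == "O4":
            cmd = rest.split("] ", 1)[-1]
            if re.search(r"\bregedit(\.exe)?\s+-s\b", cmd, re.I):
                findings.append((line, "silent .reg import at every logon"))
            elif suspicious_windows_path(cmd):
                findings.append((line, "Run key starting an unknown Windows-directory binary"))
        elif kind == "O10":
            findings.append((line, "broken Winsock LSP chain"))
        elif kind == "O15":
            findings.append((line, "site added to the IE Trusted Zone"))
        elif kind == "O18" and rest.startswith("Filter: text/html"):
            findings.append((line, "MIME filter hooked into every HTML page"))
        elif kind == "O23" and "Unknown owner" in rest:
            findings.append((line, "service with no vendor"))
    return findings


def shared_modules(findings: list) -> dict:
    """Files backing more than one flagged O2/O18/O23 entry: one DLL, several hooks."""
    counts = {}
    for line, _ in findings:
        if line.split(" - ", 1)[0] in {"O2", "O18", "O23"}:
            name = PureWindowsPath(line.rsplit(" - ", 1)[-1]).name.lower()
            counts[name] = counts.get(name, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"[{why}] {entry}")
    print("shared modules:", shared_modules(triage(SAMPLE_LOG)))
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. The allowlist is deliberately short: a wrong name in the right directory is the usual trick here, so "not on the list" means "go look it up" (the VirusTotal link above), not "delete"; and a legitimate name in the wrong directory would still need the directory check the function does on `parts[1]`. The `shared_modules` step is the part worth automating: wdc1n.dll shows up as both the O2 BHO and the O18 text/html filter, so fixing one line without the other just lets the remaining hook reinstall it.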
  • Alkatr0z

Post March 14th, 2006, 12:29 am

You should also fix the following:
Quote:
O2 - BHO: Yvakt Class - {0DEADE31-9A37-48B2-921A-7825EA93D32A} - C:\WINDOWS\System32\wdc1n.dll
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
  • david17

Post March 14th, 2006, 8:06 am

I tried deleting files like pokapoka79.exe, owinragg.exe,
zuaxuza.exe in the command prompt, but I get "access denied". When I do attrib pokapoka79.exe,
on the next line it says:
A c:\windows\etb\pokapoka79.exe

I believe that stands for "archive"; maybe if I unarchive it I will be able to delete them all one by one, but I forgot how....

Here is my new HJT log, before I ran Adaware in safe mode with all the updates:

Logfile of HijackThis v1.99.1
Scan saved at 9:52:44 AM, on 03/14/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\xzuaxuzA.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\klsx9e.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\System32\owinrrag.exe
C:\WINDOWS\etb\pokapoka79.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Your Name Here\Desktop\New Folder\HijackThis.exe

O4 - HKLM\..\Run: [SA] C:\Program Files\Logitech\QuickCam\SA3.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{F74D336E-CCB1-4644-B2DD-0C7A7B46165A}: NameServer = 192.168.1.1
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe



Thanks guys..
  • Total Posts in this topic: 41 posts