Cpu running 100%, causing freeze-up

garebo

Vendor
May 29, 2002
3,428
CA
Win XP Pro exec w/ SP1 installed, don't trust SP2 yet.
P4 3.0
mobo - IBM
1 gig RAM
Home-built system w/ same Win XP Pro running daily for yrs.

Computer keeps locking up. Task mgr shows explorer running at 90% and more, computer at 100%. I have Norton AV 2005 up to date daily, Ad-Aware, HijackThis, Spybot, Stinger, CWShredder and more. I have run them all a few times and I did an online scan at Computer Associates, which found some viruses that Norton didn't, deleted them, still have the problem. Norton says all is well.

Running out of options here, have honestly run all these progs a few times. Computer just freezes, have to reboot, never seen this before. Sometimes task mgr shows 2 explorers. I haven't re-installed XP over XP, have had the same XP install for maybe 3 or 4 yrs now. I admit that I am a great BitTorrent fan, honestly don't do the porn thing, healthy male here with weird attitude as I don't like degrading stuff on net, only like normal stuff, lol. Only pointing this out so you know I don't visit porn sites is all, not a rant. But, again, I do the BitTorrent thing.

I did put the info from Computer Associates into a WordPad file but now it's empty, like twilight zone- doo doo doo doo. Sure, I could have deleted it, so let's say I did. From memory, Computer Associates found a few infected Java files, can't remember more as I had it in a file, but there were about 6 infected files, all removed by Comp Associates online scan. Other online scans wouldn't work.

Any help I can get will be greatly appreciated.
Thanks.

Good advice + great people = tek-tips
 
ok first things first

switch off system restore before starting any virus removal
run the online scan again
make sure your AV software is fully updated and then run a full system scan.
Download and run hijack this, post the log file contents here.
 
OK, yes, I forgot all about system restore!
I have already run HijackThis and everything else, but I forgot about system restore.
Will do it all again and post hijack results.
Thanks


Good advice + great people = tek-tips
 
Trying to do things the right way but I can't. I can only get on net so long and I freeze up.
Computer Associates no longer works, freezes up, system restore is off.
So I can't follow by the rules, sorry. Trying since 2 pm to do things right, it's now 6:45.
Here is contents of HijackThis. I will save this post and then come back and comment as I don't know how long I have.


Logfile of HijackThis v1.99.0
Scan saved at 6:38:47 PM, on 22/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\0 GARY\hijack this1.99 f a\HijackThis v1.99.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
O23 - Service: AutoComplete Service - Acesoft - C:\Program Files\Internet Sweeper Pro\autocomp.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NsEngine - Unknown - C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown - C:\Program Files\Photodex\CompuPicPro\ScsiAccess.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Good advice + great people = tek-tips
 
There was a complaint here recently about this causing issues: C:\Program Files\NovaStor\NovaBACKUP\NbkCtrl.exe
 
Again, sorry I can't do things by the book.
However, when Computer Associates was running, it went past the place where it originally found viruses, so they may be gone, however I still freeze up of course.
Now for HijackThis, most of the stuff there should be there:

For the first part, under c:\
Symantec, Microsoft Intelli, Nova, Logitech, GoBack, Norton,
CompuPic, SoundMAX, ZoneLabs, all are good.
The second part where the numbers start:
R0 to O2 to O4 inclusive look good to me.
O16 mcupdate - suspicious to me
next 2 under O16, Trend Micro and IBM are good
same with next 2 under O16 - that's me trying to get an online scan to no avail.
last O16 - Live365 is inet radio - good
the first 4 under O23 look ok to me
the next one under O23, gearsec - looks suspicious to me
all the rest look ok to me, SoundMAX is my sound, Sony is my Sony MiniDisc player s/ware

Some of the running processes at the very top are of concern to me but I don't know enough to be sure.

Thanks very much
I'm still on, but any time now I won't be.





Good advice + great people = tek-tips
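The section-by-section read-through in the post above can be done mechanically. As an added example (not part of the thread and not HijackThis's own code), this Python script parses a HijackThis-style log and cross-references the running processes against the O4 autorun and O23 service entries. The function names and the sample log are constructed for illustration, and an "Unknown" vendor is treated as a prompt for a manual look, not a verdict.

```python
import re

# Constructed sample in HijackThis 1.99 layout, using entries from this thread's log.
# The O16 line is run together with the next entry on purpose, as pasted logs often are.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: NsEngine - Unknown - C:\Program Files\NovaStor\NovaBACKUP\NSENGINE.exe
"""

ENTRY_START = re.compile(r"(?<![\w\\])(?=(?:[RFN][0-4]|O\d{1,2}) - )")  # zero-width entry boundary
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)

def parse(text):
    """Return (running_processes, entries); each entry is (section_code, body)."""
    procs, entries = [], []
    for line in map(str.strip, text.splitlines()):
        if re.match(r"[A-Za-z]:\\", line):  # a bare path is a running-process line
            procs.append(line)
            continue
        for chunk in filter(None, map(str.strip, ENTRY_START.split(line))):
            code, sep, body = chunk.partition(" - ")
            if sep and re.fullmatch(r"[RFNO]\d{1,2}", code):
                entries.append((code, body))
    return procs, entries

def triage(text):
    """Cross-reference running processes with O4 (autorun) and O23 (service) entries."""
    procs, entries = parse(text)
    running = {p.lower() for p in procs}
    launched, unknown_vendor = {}, []
    for code, body in entries:
        if code in ("O4", "O23"):
            m = EXE_PATH.search(body)
            if m:
                launched[m.group(0).lower()] = f"{code} - {body}"
            if code == "O23" and " - Unknown - " in body:
                unknown_vendor.append(body)
    return {
        "no_autostart_entry": [p for p in procs if p.lower() not in launched],
        "unknown_vendor": unknown_vendor,
        "autostart_not_running": [s for path, s in launched.items() if path not in running],
    }
```

Core Windows processes such as Explorer.EXE normally land in `no_autostart_entry`, so that list is a starting point for lookup rather than a list of findings. Entries written with 8.3 short paths (for example `C:\PROGRA~1\...`) will not match the long-form process paths and need resolving by hand.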
 
Using everything shows "safe".
Latest version of HJT is 1.99.1

mcupdate is part of McAfee application.
gearsec.exe is a process relating to Gear CD/DVD Burning Software.

Are you sure your backup program isn't trying to do a backup?
Have you tried using System Restore or GoBack to reset to a time before you started having problems?

[cheers] & all the best.
 
I have been turning my NovaStor backup software off the last week as I suspected it might be that, so it's not that.
GoBack disabled itself due to too much traffic.
I have disabled system restore as you need to do that when using HijackThis and other progs, when you delete something it could come back on if you keep system restore on. It likely would have been the same as GoBack anyway, too much stuff going on and they turn themselves off.

Further, I use msconfig and have only the very minimum there on startup.


Good advice + great people = tek-tips
 
By the way, does NeroCheck need to be running in startup?
That is the only one listing I would question, all the others need to be there.
Something is running all the time once I trigger it by going on the net myself.


Good advice + great people = tek-tips
 
Thanks, guys, for the help and info.

Bcastner, er, Bill, I didn't see your post til now.

I have disabled NovaBACKUP for now as far as scheduled bkups and will do manuals from NovaBACKUP for a while.
There is a new free one that I want to install anyway.
It's just that NovaBACKUP is supposed to be a very good program, darn!!

I now seem to be able to come and go as I please, a good sign. I have run all my AV, spyware, trojan, etc progs, all at least 3 times each, maybe about 8 hours of work. So maybe I am good to go, don't know yet, don't even know why I am suddenly ok, if I am indeed ok, will find out though. Could be because someone here reminded me to turn off system restore. I guess I didn't think of it because I usually have it off anyway, in favor of GoBack 4, which is superior, imho. But I did have it on so maybe that's the answer.

At least I am backed up to the max, it's a darn good feeling but it doesn't beat the sinking feeling of having to re-install all my apps and progs I have on this baby. You tend to get protective of your install.

Thanks for the help guys. At this point I seem to be ok, hope it stays that way.




Good advice + great people = tek-tips
 
Still ok, but I am going to have to make some changes in how I keep my computer clean to avoid this down the road.

Also, I'm not quite out of the woods yet, antispyware progs tell me I have nothing on my computer and AV says all is well, other progs say that too.

However, Norton AV keeps having to inform me of a Trojan Horse and tells me it has quarantined it. However, it keeps coming back as #2, #3.
The file is in c:\docs & settings\admin\local settings\temp
and it's called arc0001.tmp. When Norton quarantines it then it comes back later as arc0002, now it's at arc0003.

So I still have work to do here.








Good advice + great people = tek-tips
 
Problem started all over again!!

Good advice + great people = tek-tips
 
You should yank your master drive out, put it as a slave in another PC, and run the online scanners as well as Ad-Aware, etc. on it as stated above. You have trojans that keep reinfecting the system and may be hiding themselves when Windows is running. When it's a slave, Windows isn't running, the scanners have a better chance to find the nasties.

Also, I would manually delete everything in \documents and settings\your profile\local settings\temp and all the temp internet files under \documents and settings\your profile\local settings\temporary internet files\content.ie5

And as Bill has stated before, sometimes the trojans/etc burrow so deep into Windows there's no choice but to reload from scratch after backing up data. Make a Ghost image of your fresh install, and use it for a quick restore in case it ever happens again.
 
Well, I have found out that what I have, or hopefully had, was the download.trojan.
I didn't pay enough attention to what Norton had been telling me. You know that red and white small screen that pops up. Tells you you have a virus. You click on it and get another screen just the same, and then another one.
I thought they were the same, they weren't and that is how I missed the actual name.
I went to the NAV site and got the info and it turns out it's supposed to be easy to get rid of this. I did all I was supposed to do, to the letter, so we'll see.
The weird thing is that Norton doesn't catch this on a full, complete virus scan, it only catches it as I am in Windows and lets me know then. Even when I went into safe mode and did a full scan Norton said all was fine. Yet I went into the temp file where I knew this file would be and there it was. But it could be that the file only gets "hot" at a certain time or point and isn't "hot" all the time, something like that, don't quite have the terminology down, or the actual mode, but something like that.

Anyway, because of this my computer is the cleanest it's been in years and running real well in between bouts with this trojan! Hope it's gone for good this time. Will leave system restore off for a while to make sure.


Good advice + great people = tek-tips
 
Problem came back a few days after my last post, so I still have it.
I am working away and all of a sudden my computer freezes up. I go to task mgr and find that explorer is running over 90% and CPU running at 100% full time.
I can reboot and I can also log off as admin and go back in as admin and all will be well until the next attack.
Other than that I see no other symptoms or problems, but this is bad enough, makes me worry that someone is getting personal info or trying to do so, and I worry system will totally crash. I have done backups and move stuff off C drive right away.

Any help would be appreciated.
I will run scans again if someone wants me to but I feel like it's a total waste, I have run every scan that exists pretty much. Even got Trojan Remover and a bunch of other progs. No progs have found anything except the usual junk that Ad-Aware and other similar progs find. Haven't found any trojans or virus at all.

Thanks


Good advice + great people = tek-tips
 
I had this same problem on a Windows 2000 Advanced Server machine... turned out that my machine had been breached and that someone was running a warez ftp server from my system..

Your best option at this point? Backup needed work, and reformat and reinstall..

Computer/Network Technician
CCNA
 
Starting to sound like an option over here.
I have Norton AV up to date and it catches nothing.
I try to run online scans from the major co's and most don't work but when they do they always find something and give it a name. This is the 3rd time now and now Trend Micro is saying I have W32.Arnger. Looked that up and it's not too bad of a prob and should be able to get rid of it.
Last time it was something else and I got rid of it only to have my prob still be here anyway.

These are the ways to get most of these viruses
chat - I don't
porn sites - I don't
warez - guilty
email - possible but I do have attachments blocked and supposed to be protected by up to date Norton 2005 Pro.
No use not being honest here!!

So it's likely the one source and it fits with your info, Lloydsev!






Good advice + great people = tek-tips
 
Update

I ran RAV antivirus online scan and it worked. Many others didn't so I was surprised. RAV picked up a few different trojans and fixed things up for me as well, so now it's a wait and see.

I'm posting this as I know for sure there are tons of people out there with the same prob, all you have to do is search here on this forum and you will find a few, and a Google search shows a lot more, not that they will find their way here on their own, but these posts tend to show up in Google as well, so one hand washes the other.

In my case RAV seems to have done more for me than:
Norton AV - up to date
A dozen anti-trojan, spyware, etc progs such as Ad-Aware, Spybot, HijackThis, Stinger, etc, etc. I have run them all. I posted my "hijack this" on a site that specializes in this and it was clean.
A half-dozen online scanning sites that wouldn't work.

And yes, I have system restore turned off until I get this problem fixed or re-install XP Pro. I just hate to do that as I have been running it for years and I like to see how long I can run on the same install, lol.


Good advice + great people = tek-tips
 