100% CPU usage & Internet disconnection

Bobathan · #1 03-29-2007, 11:19 PM

Ever since I got a RangeBooster G WUA-2340 wireless USB adapter, problems have been occurring with my Internet connection. The connection would be fine for a period of time, until the "System" process (6 letters, uppercase S, lowercase everything else) starts consuming all of my CPU. This continues for a minute, after which my wireless adapter just shuts off and the internet disconnects. Yes, I know this might only seem like a nuisance, but it might be hiding a much more serious problem, like a virus. I did several scans of my PC using AVG and Spybot, but none of the threats detected were got rid of the problem.

- I use XP Home Edition.
- I don't have Windows XP SP2.
- I only use AVG and Spybot.

Anyone know what is wrong? Thanks in advance.

Monty007 · #2 03-31-2007, 05:53 AM

Hi you have to start from the beginning, waht happens when you remove the Range booster? (you need a couple of days to see waht happens) Does it make any difference?
I think it might be some thing else.

Bobathan · #3 03-31-2007, 11:18 AM

If I remove the wireless, the internet obviously disconnects, and the CPU returns to normal.

Neil.A · #4 03-31-2007, 12:36 PM

Sounds like you have a process running in the background.
It has the symptoms of a trojan.
First off, download Adaware personal from here. Run the program and update the definitions. (may take a while if the puter is running its head off).
Then boot into safe mode (keep tapping the f8 key on start up and select safe mode)
Then do a FULL system scan (should take about 20 mins)
Follow the instructions and delete anything it finds, then close Adaware.
Then go to:
Start (button)
Run
In the box Type in msconfig
OK
A box will pop up, go to startup tab
Hopefully you will see a load of box's in there all ticked.
These are all processes that are loaded when you turn on the machine.
99% of them you dont want.
leave the ones related to antivirus and possibly your broadband modem.
untick the rest. (you can always go back in and tick them again if something you need doesn't load)
Restart the puter.
You will then get a box pop up moaning about using the selective startup, tick the box botton left and nob it off.
See if that works.

Bobathan · #5 04-01-2007, 05:38 PM

No, it doesn't work. The virus is still in my system.

It might be worth noting that my system uses a huge amount of memory, even at its bare minimum:

Bobathan · #6 04-02-2007, 09:55 PM

Could it be a USB trojan? I didn't have this problem when I used a wireless card.

Oggie02 · #7 04-03-2007, 01:40 PM

Have you had any viruses in the past? Have you suspected a trojan recently? (Any warnings or notifications that you have just let go?)

It seems simple but I've noticed a lot of people leave viruses thinking they are nothing and I know one or two friends who have had problems.

Bobathan · #8 04-03-2007, 05:57 PM

I didn't let go of any warnings. It probably didn't get picked up by my antivirus.

oddjob · #9 04-04-2007, 02:53 AM

Hi Bobathan

To see if there is anything clearly bad running on your system do this.

Make sure you have exposed all Hidden Files & Folders.

To enable the viewing of Hidden files follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Put a checkmark in the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
9. Press the Apply button and then the OK button and close My Computer.

***********************

Download Ewido/AVG Anti Spyware from here ….

http://www.ewido.net/en/

It has a fully working 30 day trial period.

Install it and update it to the latest definitions.

Do NOT use it yet.

Now boot to safe mode. Here’s a “how to” if you’re not sure ..

http://service1.symantec.com/SUPPORT...01052409420406

When in safe mode run a full system scan with AVGAS and let it fix what it wants to.

REMEMBER TO SAVE THE SCAN REPORT and also remember where you saved it.

Reboot to normal mode and use the computer as you would usually do.

[FOOTNOTE > this is a good program to use as an “on demand” scanner even after the trial period is over. Keep it updated and use it to scan your computer from time to time].

*******************

If this doesn’t succeed in fixing the problem download a self-extracting copy of HijackThis from here …….

http://downloads.malwareremoval.com/hijackthis_sfx.exe

Save it to your Desktop.

Double-click on the file hijackthis_sfx.exe file and it will self-extract into its own folder ……

C:\Program Files\HijackThis

Go to this folder and run the hijackthis.exe file.

From the menu click on "Do a system scan and save a logfile".

Copy and paste both the AVG AS scan report and the HJT logfile to this thread. More specific removal instructions will follow.

OJ

Bobathan · #10 04-04-2007, 07:55 PM

No, the problem is still here.

--------------

Logfile of HijackThis v1.99.1
Scan saved at 5:51:52 PM, on 4/4/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\AVG\AVGFRE~1\avgamsvr.exe
D:\AVG\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
D:\AVG\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\lamqhicv.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG7_CC] D:\AVG\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\AVG\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Rkaa] C:\Program Files\F??nts\m?config.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office 2000\Office\OSA9.EXE
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ???T?[?` - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/game...lugin10USA.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winygm32 - winygm32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\AVG\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\AVG\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\AVG\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:28:40 PM 4/4/2007

+ Scan result:

C:\WINDOWS\Downloaded Program Files\ATPartners.inf -> Downloader.Rameh.c : Cleaned with backup (quarantined).

(The rest are all tracking cookies, and they were cleaned. It made my post too long.)

::Report end

oddjob · #11 04-05-2007, 04:57 AM

I suggest you print this out to help you follow the advice.

Firstly, you not only don't have SP2, as you stated in your first post, you don't have ANY service packs. Your machine is going to be a magnet for malware without them.

However, do NOT install SP2 as your machine is infected. You must only install SP2 on to a clean machine.

First you MUST install SP1a from here ....

http://www.microsoft.com/windowsxp/d...1/default.mspx

**************

Go to Add/Remove Programs and uninstall this one IF it is on the list ...

F??nts

**************

Open your task manager by pressing the ctrl+alt+delete keys together.

Click on the processes tab.

Find this Process IF present ....

m?config.exe

Click on it once, to highlight it, then on "end process".

Close task manager.

**************

Open HJT again ... put tick/check marks next to these entries IF they are still in the log ...

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\System32\lamqhicv.dll (file missing)

O4 - HKCU\..\Run: [Rkaa] C:\Program Files\F??nts\m?config.exe

Close ALL open browser windows - including this one - before clicking on "Fix Checked" at the foot of the HJT window.

**************

Find these named in BOLD and delete them IF they are still present ....

C:\WINDOWS\System32\lamqhicv.dll ... file

C:\Program Files\F??nts ... whole folder

**************

Then update AVG AS, rescan your machine and let it fix what it wants.

Make sure you empty any "quarantine" folder of AVG AS and any other protection programs you have.

**************

Finally download ComboFix from here ....

http://download.bleepingcomputer.com...a/ComboFix.exe

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.

When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply include that ComboFix log, a fresh HJT log and an update on how your system is operating now.

OJ

user001 · #12 04-11-2007, 03:18 PM

If you do a search on the internet for this system file, you will see this is EXTREMELY common. If you have scanned your system for infections, etc., you will find it to be clean.

The problem is MICROSOFT's insistence on forcing Microsoft Update. Not to be confused with "Windows" Update. The difference is the former gathers information for both Windows operating system AND Office products, and then attempts to download the necessary patches, updates, etc.

That's the PROBLEM! Somewhere during this process the svchost that controls updates is damaged. This results in CPU utilization approaching 100%. For many (including me) it ALSO disables your internet connection.

As a TEMPORARY measure to deal with this. I did the following. MIND YOU THIS IS A TEMPORARY FIX IF THE HOTFIX BELOW DOES NOT WORK!

1) Under Administrative Tools -->SERVICES:
I DISABLED Automatic Update Service
2) Under Control Panel -->SYSTEM ICON:
I DISABLED Automatic Updates

Your firewall and/or antivirus will undoubtedly complain about this. Ignore it for now.

POSSIBLE FIX (worked for me)
After searching all of Google, I found a few references to Microsoft hotfixes for this issue.

http://support.microsoft.com/kb/927891

The above hotfix pertains to an "installation error" that effects the svchost.exe process. Download the appropriate fix for YOUR VERSION of Windows and reboot. Then re-enable automatic updates. All is running fine again on my machine. Your mileage may vary.

Hope this helps.

user001

DaveC2003 · #13 04-12-2007, 03:24 AM

To sort out the 100% CPU usage you are having:

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

When you are sure you are clean turn it back on and create a restore point.(later)

Restart to safe mode.

How to start your computer in safe mode
http://service1.symantec.com/SUPPORT...01052409420406

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Now find and delete
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe from folder
C:\WINDOWS\assembly\temp\mainiis.exe
C:\WINDOWS\Web\Ers_src.htm

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Hope this helps.

DaveC2003 · #14 04-12-2007, 05:16 AM

TRY THIS INSTEAD OF MY FIRST ENTRY!!!!!!!!!

1) turn off automatic updates, reboot, then manually go to windows
updates and install the updates, turn on automatic updates, reboot.

or (as in my case)

2) Perform these steps:

1. Click Start->Run, type "services.msc" (without quotation marks) in the
open box and click OK.
2. Double click the service "Automatic Updates".
3. Click on the Log On tab, please ensure the option "Local System account"
is selected and the option "Allow service to interact with desktop" is
unchecked.

4. Check if this service has been enabled on the listed Hardware Profile. If
not, please click the Enable button to enable it.
5. Click on the tab "General "; make sure the "Startup Type" is "Automatic".
Then please click the button "Start" under "Service Status" to start the
service.
6. Repeat the above steps with the other service: Background Intelligent
Transfer Service (BITS)

Step 4: Re-register Windows Update components and Clear the corrupted
Windows Update temp folder

1. Click on Start and then click Run,
2. In the open field type "REGSVR32 WUAPI.DLL" (without quotation marks) and
press Enter.
3. When you receive the "DllRegisterServer in WUAPI.DLL succeeded" message,
click OK.
4. Please repeat these steps for each of the following commands:

REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL

After the above steps are finished. Sicne temporary folder of Windows Update
may be corrupted. We can refer to the following steps to rename this folder
that

1. Click Start, Run, type: cmd and press Enter. Please run the following
command in the opened window.

net stop WuAuServ
(note, you might need to reboot before the net stop command will work)

2. Click Start, Run, type: %windir% and press Enter.
3. In the opened folder, rename the folder SoftwareDistribution to SDold.
4. Click Start, Run, type: cmd and press Enter. Please run the following
command in the opened window.

net start WuAuServ

Hope this helps,

Bobathan · #15 04-21-2007, 03:54 PM

Nothing has worked.
I can't update since my XP key is pirated.
No hidden processes were found.