100% CPU usage


Ed Still

My computer is running sluggishly. CPU usage is at 100%
much of the time. This began about 3 weeks ago.

I have scanned my system for viruses (Norton AV is
running all the time, but I also did full system scan),
spy software (using Spybot), and trojans (using
www.trojanscan.com). The operating system is up to date
with patches, etc. I can't find anything like this on
Microsoft Knowledge Base except a recommendation to turn
off Language Automatic Detection in Word, which I did.

Dell support (I have an Inspiron 8200) suggested that I
run error-check and defragment from the safe mode. I did.

Dell also suggested that I empty the startup folder using
msconfig. I think that is supposed to let me turn off
certain items at start-up, but once I disabled everything
and rebooted, I had a computer that would not run much of
anything.

I run Windows Task Manager and can see that System Idle
Process runs a lot at 60-90 CPU (I have no idea what the
unit of measurement is), and msmsgs.exe seems to run a
lot.

Any ideas how I can cleanse my computer of the demon
spirits?
 
Ed,

If System Idle is using 60 - 90% of CPU, consider yourself lucky. That
says that the system is only busy 40 - 10% of the time.

However, if you have a sluggish system, you may still have a problem.

In addition to Spybot S&D, try HijackThis
<http://www.majorgeeks.com/download.php?det=3155>.
1) Install and run HijackThis. Do NOT make any changes immediately.
Save the Log.
2) Have your HJT log interpreted by experts at one or more of the
following forums (and post it here) (note some forums may be out of
service from DoS attacks so try others as necessary):
<http://forums.tomcoyote.org/>
<http://63.247.79.145/~coyote/forums/index.php?act=idx>
<http://www.wilderssecurity.com/index.php?board=17>
<http://forums.net-integration.net/index.php?s=8a1e9d7c1978cff54ca06a3210c7c1b0&showforum=32>
<http://www.spywareinfo.com/forums/index.php?s=68ddc23721b063d5411ece09e5ac93f9&showforum=11>
(The latter may or may not respond for you as I have read reports that
the SWI site is currently under DoS attack). All of these forums
appear to be rather busy right now, so be patient.

You may also benefit from using Process Explorer (free) from
<http://www.sysinternals.com/ntw2k/freeware/procexp.shtml>. PE is
much more useful than Task Manager, with the ability to find out
details about any process running.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
 
Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:43:56 AM, on 2/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\HDD Health\HDDHealth.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\Common Files\efax\HotTray.exe
C:\Program Files\Connected\CBRegCap.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Connected\CBlaunch.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\Rpcnet.exe
C:\Program Files\Common Files\efax\Dllcmd32.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\E-Color\True Internet Color\TICIcon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\IE New Window Maximizer\iemaximizer.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\POPFile\popfileib.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Qualcomm\Eudora\Eudora.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\CONVER~1\dvzeng.exe
C:\DOCUME~1\Ed\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.electionline.org/index.jsp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5F50A50A-0A0F-4F58-8B1C-62BC60F9B05A} - C:\PROGRA~1\NEWZCR~1\NCRSSA~1.DLL
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2K0.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.107-big.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v1] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\HDDHealth.exe -wl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: IE New Window Maximizer.lnk = C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - Startup: Run POPFile.lnk = C:\Program Files\POPFile\popfile.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Startup: Shortcut to hddhealth.exe.lnk = C:\Program Files\HDD Health\hddhealth.exe
O4 - Global Startup: Colorific.lnk = C:\Program Files\E-Color\Colorific\hgcctl95.exe
O4 - Global Startup: eFax.com Tray Menu.lnk = C:\Program Files\Common Files\efax\HotTray.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SonnReg.lnk = C:\Program Files\E-Color\Registration\SonnReg.exe
O4 - Global Startup: True Internet Color Icon.lnk = C:\Program Files\E-Color\True Internet Color\TICIcon.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MT It! - http://www.votelaw.com/cgi/mt.cgi?__mode=reg_bm_js&bm_show=trackback,category,allow_comments,allow_pings,convert_breaks&bm_height=640
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Newz Crawler (HKLM)
O9 - Extra 'Tools' menuitem: Newz Crawler (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://support.fastaccess.com/sdccommon/download/tgrc.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.fastaccess.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/078143512fb677495120/netzip/RdxIE6.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.63-big/GoogleNav.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37863.1600347222
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://www.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {F9345AB4-7CB5-11D7-A914-00A0C96F4D57} (PrjBestView.CtlBestView) - http://www.monitorsdirect.com/pro/pro_tools/CtlBestView.CAB
 
Ed,

What version of Norton AntiVirus are you running? Is it properly
updated?

Looking at your HJT log, I find minor suspicious entries:

C:\WINDOWS\System32\wuauclt.exe is mentioned in
<http://securityresponse.symantec.com/avcenter/venc/data/backdoor.clt.html>.
Is this a clean install of Windows XP, or did you upgrade from Windows
ME?

Please verify for me whether you installed at one time, or can
recognise:
Dataviz Conversions Plus
Newz Crawler

Did you post the log in any of the forums I recommended? If so, which
ones, under what name / article title?

Did you try Process Explorer? If you run it, then look at it when the
system seems to be sluggish and see what processes are using the most
CPU, you may get a clue as to the problem.

Cheers,
Chuck
Paranoia comes from experience - and is not necessarily a bad thing.
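
Added example (not part of the thread, and not HijackThis's own code): a first-pass triage of a posted HijackThis log in Python. It rejoins lines that were wrapped in posting, then lists process paths that use a Windows system file name outside System32 and Run entries with no full path. The wrap column of 58, the short list of system file names and the sample log are assumptions constructed for this illustration; a flagged line is a prompt to look closer, not a verdict.

```python
import re

WRAP = 58  # assumption: hard-wrap column inferred from the log posted in this thread
ITEM = re.compile(r"^[A-Z]\d{1,2} - ")   # R0/R1/O2/O4/O16 ... item prefixes
DRIVE = re.compile(r"^[A-Za-z]:\\")      # start of a running-process path
SYSTEM_NAMES = {"svchost.exe", "wuauclt.exe", "lsass.exe", "winlogon.exe"}

# Constructed sample (not taken from the thread) with the same wrapping damage.
SAMPLE = r"""Running processes:
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Example Suite\Update
Agent\svchost.exe

R1 - HKCU\Software\Microsoft\Internet
Explorer\Main,Search Page =
http://www.examples.test/partner/more/msie/button/search.h
tml
O4 - HKLM\..\Run: [ExampleTray] "C:\Program
Files\Example Suite\tray.exe" /background
O4 - HKLM\..\Run: [ExampleHelper] helper.exe /quiet
"""

def unwrap(text):
    """Rejoin records that were wrapped across lines when the log was posted."""
    records, in_items, prev = [], False, ""
    for line in map(str.strip, text.splitlines()):
        in_items = in_items or bool(ITEM.match(line))
        if line and (ITEM.match(line) or not prev or (not in_items and DRIVE.match(line))):
            records.append(line)
        elif line:
            # Heuristic: a break after '-', before '\' or at the wrap column fell
            # inside a token; any other break replaced a space.
            tight = prev.endswith("-") or line.startswith("\\") or len(prev) == WRAP
            records[-1] += ("" if tight else " ") + line
        prev = line
    return records

def triage(records):
    """Return (reason, record) pairs worth a closer look; not a verdict."""
    findings = []
    for rec in records:
        if DRIVE.match(rec):
            folder, _, name = rec.lower().rpartition("\\")
            if name in SYSTEM_NAMES and folder != r"c:\windows\system32":
                findings.append(("system file name outside System32", rec))
        elif rec.startswith("O4 - ") and "Run: [" in rec:
            cmd = rec.partition("] ")[2].strip('"')
            if cmd and not (DRIVE.match(cmd) or cmd.startswith("%")):
                findings.append(("autorun entry without a full path", rec))
    return findings

if __name__ == "__main__":
    for reason, rec in triage(unwrap(SAMPLE)):
        print(f"{reason}: {rec}")
```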
 
Ed Still said:
Here is my HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 10:43:56 AM, on 2/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

[snip]

Noticed you're running Norton Anti-Virus. I've been having the same
problem with SVC host taking 100% CPU runtime once connected to the
internet, and I JUST RECENTLY SOLVED IT. It was Symantec's internet
connection detector that was taking up my CPU.

I had tried multiple spyware and anti-virus programs that found
nothing. Finally, I tried installing a firewall that prompts before
any application is launched, hidden or not. It's free -- Kerio
Personal Firewall. I launched my ISP connection, and lo and behold a
prompt warned me that a Symantec application was trying to load
immediately after the connection was established. I uninstalled that
Symantec application and now my system runs fine.

Try it, you have nothing to lose by installing a firewall.
 
Hey there!

Here is a tinyurl to a Microsoft website that has a patch for a buffer
overflow execution in rpcss service. Download this and install it and
your issue should be resolved.

http://tinyurl.com/n7ki
 