vista 32 - something causing cpu to run at 100%


weewun

Creating a new post for my HJT logs as the previous one has been moved to the 'finished' thread. I have had some serious problems with Vista to do with some form of virus.

Main thread: http://www.techist.com/forums/f9/black-screen-instead-desktop-after-virus-vista-32-a-225130/

Now when in Vista something is causing the CPU usage to be stuck at 100% even when I have nothing running.

HJT log:

----------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:14:34, on 08/02/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\RegCure\RegCure.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\msconfig.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
F:\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Gamasutra - The Art & Business of Making Games
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Bing
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] F:\power iso\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [P17RunE] RunDll32 P17RunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\program files\windows live\messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [smss32.exe] C:\Windows\system32\smss32.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~3.0_0\bin\ssv.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: app_dll.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LogMeIn Hamachi 2.0 Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe

--
End of file - 4495 bytes
 
Yes, but I couldn't see what was using it all. I'm back in Vista just now and Firefox is currently at the top of the CPU column, hopping about between 60-80 (assuming that's %). I am assuming this is because I set its process's priority to high so I could actually use the internet :( The next item on the list is just 'System' going between 5-20 and everything else is hopping about....
 
Hmmm, well give it some time before the thread has more posters; maybe one of them could help you with the HJT log.
 
You keep on getting reinfected somehow. Your PC is hosed once again.

You need to run ComboFix again and post its log, and then do the same with Malwarebytes.
 
Ok, I ran ComboFix again from within Vista and it said that rootkit activity has been detected and it is disabling it:
c:\windows\system32\run_dll.dll

It then started scanning and halfway through I got a BSOD; when it rebooted I was back to the black screen and no desktop. Through Task Manager I managed to run it again and then get back into Vista normally. It was very late last night so I left it running again overnight to see if anything happened, and I assume it got another BSOD because when I looked at it this morning it was just the desktop with the "Windows has recovered from an unexpected shutdown" message. I'm in work at the moment so will run it again along with Malwarebytes and post their logs. Does that .dll file mean anything to you?

Cheers
 
Ok, I just ran the GMER rootkit finder thing. It looks like wmpscfgs.exe is something bad here?

Here is the log:

GMER 1.0.15.15281 - GMER - Rootkit Detector and Remover
Rootkit scan 2010-02-09 22:59:57
Windows 6.0.6002 Service Pack 2
Running: xsmmlbyr.exe; Driver: C:\Users\ian\AppData\Local\Temp\uxldypog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F607000, 0x205494, 0xE8000020]
.text bridge.sys 8FECA462 334 Bytes [8B, FF, 55, 8B, EC, 81, EC, ...]
.text bridge.sys 8FECA5B1 184 Bytes [FF, 15, 68, A1, ED, 8F, 53, ...]
? C:\Windows\system32\drivers\rootrepeal.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[852] ole32.dll!CoCreateInstance 761F9EA6 5 Bytes JMP 00CA000A
.text F:\downloads\xsmmlbyr.exe[5140] ntdll.dll!NtQuerySystemInformation 77484F94 5 Bytes JMP 10001524 C:\Windows\system32\app_dll.dll
.text C:\Program Files\WinRAR\WinRAR.exe[5216] ntdll.dll!NtQuerySystemInformation 77484F94 5 Bytes JMP 10001524 C:\Windows\system32\app_dll.dll
.text C:\Users\ian\AppData\Local\Temp\Rar$EX00.743\RootRepeal.exe[5368] ntdll.dll!NtQuerySystemInformation 77484F94 5 Bytes JMP 10001524 C:\Windows\system32\app_dll.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5528] ntdll.dll!NtQuerySystemInformation 77484F94 5 Bytes JMP 002F1524 C:\Windows\system32\app_dll.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\wmpscfgs.exe (*** hidden *** ) 2376

---- Services - GMER 1.0.15 ----

Service C:\Program (*** hidden *** ) [MANUAL] Steam Client Service <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
 
Disable System Restore first.

Go here and delete the file C:\Program Files\Internet Explorer\wmpscfgs.exe

Then go here and delete the reg entry:

HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run, delete the %ProgramFiles%\Internet Explorer\wmpscfgs.exe entry. If you don't see it there, do a Find in the registry for wmpscfgs.exe and delete it.

And look here too: %%ProfileFolder%%\local settings\temp\wmpscfgs.exe, and delete it.

Then follow this

Here is what you can do to get rid of it. Don't bother about scanning, as scanners can't fully fix your problem and will end up corrupting your applications.
  • Boot in safe mode. The reason for this is that in safe mode there are not many processes running. You need this setup in step 9 below as this virus is a nasty one.
  • Open up Windows Explorer and go to Tools -> Folder Options.
    a. Make sure the following is TICKED -> Show hidden files and folders
    b. Make sure the following is UNTICKED -> Hide extensions for known file types
  • Go to the following directories (this is for Vista Home Premium):
    C:\Program Files\Internet Explorer
    C:\Users\user\AppData\Local\Temp
    And you will see there a file called wmpscfgs.exe. Delete them.
  • Open up your Task Manager, make sure 'show all processes' is ticked and look for the same process. If it is running, kill it.
Starting from this part, the steps need more technical experience. If you are not comfortable doing the steps below, look for someone who can help you.
  • Open up regedit and go to: HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
  • Look for the Adobe_reader entry with data “%ProgramFiles%\Internet Explorer\wmpscfgs.exe“. Delete it. For me, from this point, almost all of the things written on the net currently don't have the steps below, and that's the reason why this virus keeps coming back.
  • Hopefully you don't have many applications under “HKLM -> Software -> Microsoft -> Windows -> CurrentVersion -> Run”, because you have to visit each one of them literally, as this virus hijacks almost every application in the Run list above.
  • Basically it renames the old exe file from, say, “mcagent.exe” to “mcagent .exe”, with a space between the filename and the “.exe” extension. It will then create a copy of itself with the same filename as your executable file so that when someone executes your file, the virus will be executed first, then your file. It will do this for every app you have in your Run list. Thus if you go to the location of, say, the McAfee mcagent.exe application you will see two to three files with almost the same filename:
    • mcagent.exe -> which is a 39 KB file, very recently created, and which is the virus that keeps adding back that wmpscfgs.exe file.
    • mcagent .exe -> the original mcagent file, renamed.
    • mcagent.exe.delme<some random number> -> delete this one as well. I don't see this occurring every time, but I have seen some apps with this file in them, very recently created.
  • You first need to kill the corresponding process of the infected file if it is running in Task Manager, manually remove the existing .exe file which is around 39 KB only, and rename your old executable file back to its former filename. Repeat this for every application you have in your Run list above. The only thing that I saw this virus didn't infect was the Windows Defender application. The rest in my Run list were screwed. Uninstalling and reinstalling them doesn't help either, as the former Trojan exe file will be retained in the application directory. This is the reason why Microsoft Security Essentials was complaining that your startup executable files are viruses.
  • Once you have verified that each application in your Run list has been restored, to be fully sure that you don't have any such files lingering in your system, do a drive search for any file that has 39 KB size and has just been recently created, and examine each one carefully to see if they are just copies of your original executable file. Follow step 7 for each occurrence of it. So far, I only saw this virus attach itself to executable files.
  • If you want to be 100% sure, the next thing you need to do is double-check every process running in your Task Manager to see if they are legit. Some processes, especially those started by System, won't be able to take you to their process file; that's ok, but for most of them if you right-click on them you should see an option called “Open File Location”. Then follow step 7 above.
After this is completed, run GMER again to see if it detects it again. Let me know how it goes or if you have any questions.
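A small scanner for the rename pattern described in this post, added here as an example and not code from the thread or from any of the tools mentioned: it walks a directory tree, pairs each "name .exe" with the same-named dropper (None if it was already deleted) and any "name.exe.delme<n>" leftovers, and lists the cleanup steps from the post as a plan without executing anything. The sample tree it builds (msnmsgr, mcagent, an untouched MSASCui.exe) is constructed for the demo and the file sizes are only there to mirror the ~39 KB detail above.

```python
import os
import re
import tempfile
from collections import namedtuple

# The pattern described above: the real "name.exe" is renamed to "name .exe"
# (space before the extension), a small dropper takes over the real name, and
# sometimes a "name.exe.delme<n>" file is left next to them.
RENAMED_ORIGINAL = re.compile(r"^(?P<stem>.+) \.exe$", re.IGNORECASE)

# impostor is None if the dropper was already deleted; leftovers are delme files
Hijack = namedtuple("Hijack", "directory original impostor leftovers")

def scan_tree(root):
    """Walk root and report every directory that shows the rename pattern."""
    findings = []
    for directory, _dirs, files in os.walk(root):
        lower = {n.lower(): n for n in files}
        for name in files:
            m = RENAMED_ORIGINAL.match(name)
            if not m:
                continue
            stem = m.group("stem").lower()
            impostor = lower.get(stem + ".exe")
            leftovers = sorted(n for n in files if n.lower().startswith(stem + ".exe.delme"))
            findings.append(Hijack(directory, name, impostor, leftovers))
    return sorted(findings, key=lambda h: (h.directory, h.original))

def restore_plan(h):
    """The post's cleanup as (action, src, dst) tuples; nothing is executed here."""
    d = h.directory
    plan = [("delete", os.path.join(d, n), None) for n in ([h.impostor] if h.impostor else []) + h.leftovers]
    plan.append(("rename", os.path.join(d, h.original), os.path.join(d, h.original[:-5] + ".exe")))
    return plan

def build_fixture():
    """Constructed sample tree (not from the thread) reproducing the pattern."""
    root = tempfile.mkdtemp(prefix="hijack_demo_")
    layout = {"Messenger/msnmsgr.exe": 39 * 1024,        # impostor, ~39 KB as described
              "Messenger/msnmsgr .exe": 200 * 1024,      # renamed original
              "McAfee/mcagent.exe": 39 * 1024,
              "McAfee/mcagent .exe": 500 * 1024,
              "McAfee/mcagent.exe.delme4821": 39 * 1024,
              "Defender/MSASCui.exe": 1024}              # untouched application
    for rel, size in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\0" * size)
    return root
```

Run `scan_tree` against a real Program Files tree only after killing the processes involved, as the post says, and review the plan before acting on it, since a legitimate file whose name happens to end in " .exe" would be reported the same way.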
 
Ok, I followed your steps and found the entries where you said they would be. I also did a search in the registry for any reference to 'wmpscfgs'. After that I searched for ' .exe' and found that MSN Messenger had been altered as you described (with a new .exe and the original renamed), and also Malwarebytes. I went into the folders of these applications and removed all of the fake .exe files and renamed the proper ones. I rebooted out of safe mode and ran GMER again, which did not find the wmpscfgs process.

However, I looked in 'c:\program files\internet explorer' and the wmpscfgs.exe had returned (swiftly deleted). When trying to open regedit it gives me the message "registry editing has been disabled by your administrator", which it did before, but I assumed this would be fixed if I had managed to completely remove the virus. (I have a .vbs file I can run to re-enable the registry, which worked in safe mode but does not work outside of it for some reason.)

About to reboot again to see if the wmpscfgs.exe is in my Internet Explorer folder again.
 