Malware Causing Processor To Run At 100%

I seem to have a virus or malware infection that is proving resistant to all attempts to remove it, and would welcome any advice on what it might be.
When booted in Normal Mode the processor load shows in Task Manager as 100% at all times, making it almost impossible to use the laptop. The system is running XP with Service Pack 2. I have checked all the possible hardware problems I can think of (all normal in Device Manager) and even fitted an additional 1GB of RAM (it now has 1.25GB; this made no difference).
When booted in Safe Mode the system runs at a normal processor load, e.g. 5-20% with no programs open, and functions normally. Therefore I'm thinking that the virus/malware only loads under a Normal Mode boot.
I have tried running the following to clean it (I have run all of these in both Normal Mode and Safe Mode):
AVG Antivirus 8.0.
Windows Defender.
MalwareBytes Anti-Malware.
Spybot 1.6.
I have also run the usual clean-ups: Disk Cleanup, CCleaner, and Defrag.
The hard disk is only about 60% full, so this is not the problem. Chkdsk ran and found no problems either.
All of these have found various things, but none has removed the cause of the above problem.
I have also tried reverting to Last Known Good Configuration (no difference) and doing a System Restore to the earliest possible date; however, the earliest date it offered was a month ago and the problem predates that.
I have now run a HijackThis scan and am posting the log below in the hope that someone can offer me some advice, as I'm really out of ideas. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:39, on 07/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\dslagent.exe
C:\Program Files\Icons\SetIcon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Belkin\F5D7011\Belkinwcui.exe
C:\Program Files\Belkin\F5D7011\ChkDev.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm428YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.co.uk/downloads/BU..._2/axofupld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7855 bytes
 
There is a trace of spyware in that HJT list. But more importantly, can you tell us the processes that are hogging all the resources, please?
 
While it could be a virus or malware, from the information you provided I cannot see that this is the case. You may wish to try something like SuperAntiSpyware. Run it from Safe Mode.

Have you tried msconfig from the Run menu to disable all non-essential applications? This should help in identifying resource hogs.

It looks like you are actually running 2 antivirus apps at the same time, i.e. AVG and McAfee; this is asking for trouble.

You are also running Spybot, Windows Defender and Ad-Aware together!

You should only run one anti-virus and one anti-spyware application in one session.

EDIT: Must learn to type quicker :D
 
Thanks, I will try SuperAntiSpyware too.
I only have one antivirus running on here (AVG); McAfee could be a trace of an older program that has been uninstalled?
I was not aware that it was a problem to install more than one anti-spyware program (as opposed to anti-virus).
According to Task Manager, the biggest resource users at idle (no other programs open) are:
services.exe
taskmgr.exe
explorer.exe
chkdev.exe
svchost.exe
seticon.exe

Does this throw any light?
 
What percentages?

And fix this to stop McAfee starting:

O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
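The two checks the replies above make by eye (a Run entry for a product that is no longer running, and more than one antivirus vendor registered to start) can be done mechanically against the log text. The script below is an added example for this thread, not part of the original post and not HijackThis code; SAMPLE_LOG is a constructed excerpt modelled on the poster's log, and AV_VENDORS is an illustrative vendor list, not an exhaustive one. A flagged entry is a lead to confirm in Add/Remove Programs, not proof of malware.

```python
"""Offline triage of a HijackThis (HJT) log.

Added example for the thread above; not part of the original post and not
HijackThis code.  It lists O4 startup entries whose executable does not appear
among the processes HJT saw running (a stale entry left by an uninstalled
product, such as the McAfee line), the antivirus vendors registered to start,
and entries HJT itself marks as "(no file)".  SAMPLE_LOG is a constructed
excerpt modelled on the poster's log; AV_VENDORS is an illustrative list.
"""
import re

AV_VENDORS = ("avg", "mcafee", "symantec", "norton", "kaspersky", "avast")

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - ")
# Run-key entries look like: O4 - HKLM\..\Run: [Name] command
O4_RUN_RE = re.compile(r"^O4 - (?P<key>HK\S*?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Startup-folder entries look like: O4 - Global Startup: Name.lnk = path
O4_LNK_RE = re.compile(r"^O4 - Global Startup: (?P<name>.*?) = (?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Icons\SetIcon.exe

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\SetIcon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


def parse_log(text):
    """Return (set of running-process basenames, list of (section, line))."""
    running, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:                       # blank line ends the process list
                in_procs = False
            else:
                running.add(line.rsplit("\\", 1)[-1].lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("sec"), line))
    return running, entries


def exe_name(cmd):
    """Lower-cased basename of the first .exe in a command string, or None."""
    m = EXE_RE.search(cmd)
    return m.group("path").rsplit("\\", 1)[-1].lower() if m else None


def stale_startup_entries(text):
    """(name, exe) for O4 entries whose executable is not in the running list."""
    running, entries = parse_log(text)
    stale = []
    for sec, line in entries:
        if sec != "O4":
            continue
        m = O4_RUN_RE.match(line) or O4_LNK_RE.match(line)
        if not m:
            continue
        exe = exe_name(m.group("cmd"))
        if exe and exe not in running:
            stale.append((m.group("name"), exe))
    return stale


def av_vendors(text):
    """Antivirus vendors named in O4 startup entries or O23 services."""
    _, entries = parse_log(text)
    found = set()
    for sec, line in entries:
        if sec in ("O4", "O23"):
            found.update(v for v in AV_VENDORS if v in line.lower())
    return found


def no_file_entries(text):
    """Entries HijackThis marks as pointing at a file that no longer exists."""
    _, entries = parse_log(text)
    return [line for _, line in entries if line.endswith("- (no file)")]


if __name__ == "__main__":
    for name, exe in stale_startup_entries(SAMPLE_LOG):
        print("startup entry [%s] -> %s is not running" % (name, exe))
    print("AV vendors registered to start:", sorted(av_vendors(SAMPLE_LOG)))
    for line in no_file_entries(SAMPLE_LOG):
        print("missing file:", line)
```

On the constructed excerpt the McAfee VirusScan entry is reported alongside IgfxTray and the Adobe speed launcher, because all three point at executables absent from the running list; only the McAfee one has no matching installed product in the poster's description, which is why the reply singles it out. Not-running is a prompt to check, not a verdict: many legitimate Run entries exit after doing their job.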
 
I was not aware that it was a problem to install more than one anti-spyware prog (as opposed to anti-virus).
There's nothing wrong with running an anti-spyware scan with more than one anti-spyware program, as long as it is just a scan which you initiate, i.e. you do not have more than one running at start-up.

By running more than one there is a chance of conflict with other anti-spyware apps, due to the fact that when you install most anti-spyware programs they usually install and enable real-time monitoring. Therefore running two or more real-time anti-spyware monitors at the same time could cause a conflict.

Correction to my original post: you may in fact be running 4 anti-spyware programs; AVG 8 also has an anti-spyware component which is probably running automatically!
 
Sorry, typical percentages are:

taskmgr.exe 13.
services.exe 9-46.
explorer.exe 3.
svchost.exe 7.
chkdev.exe 9.
seticon.exe 1-20.

As you can see, two of them are not stable but spike high regularly (services.exe and seticon.exe).
 
So there isn't any one app that's hogging 100% then?

What CPU is it?

Disable 'seticon.exe' in msconfig and see if that helps matters. It's a non-essential process anyway.
 
Would recommend running Process Explorer (http://live.sysinternals.com/procexp.exe). From there you should see services.exe in the process tree display, along with each svchost process running under it, indented (and usually coloured pink). Find the one that is using the most CPU and right-click / Properties. The Services tab will show you which services are running in that host, so it can tell you which are likely to be responsible. It may not be anything untoward, to be honest, which might explain why you haven't picked anything up scanning. It could just be a service that is causing the problem for some reason.
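The same svchost-to-services mapping that Process Explorer's Services tab gives can be read from the built-in `tasklist /svc` command, whose output wraps long service lists onto indented continuation lines. The script below is an added example for this thread, not from the original post or from Sysinternals: it parses that format and picks out the svchost instance with the highest CPU figure. SAMPLE_TASKLIST is a constructed excerpt in the `tasklist /svc` layout and SAMPLE_CPU is a constructed {pid: percent} table of the kind read off Task Manager with the PID column enabled; neither is real data from the laptop in the thread.

```python
"""Map a CPU-hungry svchost.exe back to the services it hosts.

Added example for the thread above; not from the original post or from
Sysinternals.  Parses `tasklist /svc` output (including its wrapped
continuation lines) and reports the svchost.exe instance with the highest
CPU figure together with the services it hosts.  SAMPLE_TASKLIST and
SAMPLE_CPU are constructed samples, not real data from the poster's machine.
"""
import re

SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       560 N/A
services.exe                   688 Eventlog, PlugPlay
svchost.exe                    876 DcomLaunch, TermService
svchost.exe                    956 RpcSs
svchost.exe                   1044 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver,
                                   lanmanworkstation, Netman, Nla, RasMan,
                                   Schedule, seclogon, SENS, SharedAccess,
                                   ShellHWDetection, srservice, TapiSrv, Themes,
                                   TrkWks, W32Time, winmgmt, wscsvc, wuauserv,
                                   WZCSVC
svchost.exe                   1100 Dnscache
svchost.exe                   1160 LmHosts, RemoteRegistry, SSDPSRV, WebClient
"""

# Percent CPU per PID at idle (constructed sample).  PID 0 is the idle
# process: its figure is the unused share of the CPU, not work being done.
SAMPLE_CPU = {0: 12, 4: 0, 560: 0, 688: 46, 876: 1, 956: 0, 1044: 38, 1100: 0, 1160: 3}

# A row is: image name (may contain spaces), PID, then the service list.
ROW_RE = re.compile(r"^(?P<img>\S.*?)\s+(?P<pid>\d+)\s+(?P<svc>.*)$")


def _services(field):
    """Split an 'A, B, C,' field into names; 'N/A' means no services."""
    return [s.strip() for s in field.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Return {pid: (image name, [service names])} from `tasklist /svc` output."""
    procs, last_pid = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("Image Name") or raw.startswith("="):
            continue                               # header and separator rows
        if raw[0].isspace():                       # wrapped continuation of last row
            if last_pid is not None:
                procs[last_pid][1].extend(_services(raw))
            continue
        m = ROW_RE.match(raw)
        if not m:
            continue
        last_pid = int(m.group("pid"))
        procs[last_pid] = (m.group("img"), _services(m.group("svc")))
    return procs


def hottest_svchost(tasklist_text, cpu_by_pid):
    """(pid, services) of the svchost.exe instance burning the most CPU, or None."""
    procs = parse_tasklist_svc(tasklist_text)
    candidates = [(cpu, pid) for pid, cpu in cpu_by_pid.items()
                  if procs.get(pid, ("", []))[0].lower() == "svchost.exe"]
    if not candidates:
        return None
    cpu, pid = max(candidates)
    return pid, procs[pid][1]


if __name__ == "__main__":
    hit = hottest_svchost(SAMPLE_TASKLIST, SAMPLE_CPU)
    if hit:
        pid, services = hit
        print("svchost.exe PID %d hosts: %s" % (pid, ", ".join(services)))
```

Once the hot svchost is known, the usual next step on XP is to stop its hosted services one at a time with `net stop <service name>` while watching the CPU figure; the service whose stop makes the load drop is the one to investigate. Note that services.exe itself is not an svchost host and is deliberately excluded from the candidates, as is the idle process.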
 
No, it doesn't seem to be one app in particular, though services.exe and seticon.exe account for most of the overload!
The processor is a Celeron 2.4 Ghz, 1.25GB of RAM.
Am disabling seticon and a couple of other minor things at startup, will report back.
 
Sorry, still running at 100% processor capacity. I also switched off AVG, as one of its services seemed to be using 20-30% of the processor power.
Could this actually be a faulty processor? But if so, surely it wouldn't run OK in Safe Mode, so it's got to be software-related?
 
How did you switch off AVG? If you only exited it from the taskbar icon you will probably still have 5 AVG components running; check in Task Manager / Processes for avg*. If they are there, right-click and End Process on each.

Have you tried disabling all non-essential applications, either via msconfig or perhaps using Spybot's start-up options, making sure to disable all but one anti-spyware?
 
Have killed 4 AVG programs as you described and CPU usage has settled back to around 24-28% (figure bottom left of the Task Manager window). But what I don't understand is that System Idle Process is now appearing as using 75% of CPU power! How can that be?
Chkdev.exe and taskmgr.exe still account for about 10% each.
I don't understand how AVG can be the problem; it was already on the machine when I got it, and I reinstalled it last week as it wouldn't update. But according to the person who gave me this machine, it has been running increasingly slowly for about a year.
Not sure what else I can kill without possible harm to the system programs.
The original problem was there with only AVG installed; I put all the other spyware programs on in a vain attempt to fix it.
 
OK, will try that. Sorry, which program is SSD?
Cancel that... Spybot Search and Destroy.
OK, I'm on the case.
 