Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

CPU goes to 100% when online


  • Please log in to reply

#1
TTerry

TTerry

    New Member

  • Member
  • Pip
  • 6 posts
Hi all,

Whenever I connect to the internet via my DSL connection on SBC, my services.exe goes balistic. Within 2 minutes of a connection, one or more of my services seems to kick in an hog my CPU. It takes all the CPU usage that is left. If there are no other services or software running, it consumes 100% of my CPU usage and seems to be in an endless loop. I have disconnected the DSL after the problem started, but the problem doesn't stop. Once it kicks in, the only method of stopping it is to reboot. If I boot up with my DSL disconnected, I can compute for days with no problems. But as soon as I connect to the internet, I'm done within 2 minutes.

If I need to send emails, I have to compose them offline, go online and quickly send. In fact, this message was composed entirely offline and cut & pasted within 2 minutes to this forum.

I have surfed the web (at the library) for hours. Thousands seem to have the same problem, but no one has the cure. So before I resort to the ultimate committment, I hope you have the answer.

Here are my observations:

1) It only occurs when connected to the internet. Internet browser does not have to be active for the problem to occur.

2) I disabled all non Microsoft services, rebooted and connected to the internet and the problem still occurred.

3) I researched all my running Microsoft services (online at the library) and the all are legitimate. There are no services that seem odd or have an unknown name or author.

4) I have scanned my computer with up to the minute definitions of Panda, McAffee, AVG and Norton AntiVirus. I installed Norton System Works and ran the complete system check up. No viruses, worms, trojans, etc. were found by any of the software programs. However, NSW did stop what it called a worm from transmitting information. Here is the actual message:

Norton Internet Worm Protection has detected and blocked an intrusion attempt.

Intrusion: Portscan.
Intruder: 192.168.0.1
Risk Level: Mediua
Protocol: UDP
Attacked IP: MAIN(92.168.1.64
Attacked Port: 1053.

Based upon this alert, I suspect I may have become a zombie and someone is wating for a signal from my computer saying I'm online and that person(s) has the capability to do dirty deeds such as send out spam using my IP address. Norton blocked it, but does not recognize whatever program is using the CPU in the 1st place.

5) I have run several malware programs including Ad-Aware, XoftSpy, Microsoft AntiSpyware, TrendMicro AntiSpyware, Norton System Works, and SpyWare Blaster. They all seemed to find some threats, but once deleted, the problem still remained.

6) I have run Registry Cleaner & Registry Mechanic to eliminate any old registry items from software that I know I have deleted. But there is still some that I don't recognize and wonder if they are needed because of other software.

7) When I disabled the DHCP Client sevice so it would not start up, the problem stopped. However, I could not connect to the internet. Same was true when I disabled the DNS Client. So that made me think that maybe the threat had lodged itself in the DSL software. I unistalled the software, reinstalled it and whammo....no change. The problem is still there.

I am so frustrated that I'm to the point of reformatting my 80 gig hard drive. Which of course, means reinstalling all my software (much of which I acquired online and don't have the original software) and hoping all my data is readable. You are my last resort.

Here is my HiJack This report:

Logfile of HijackThis v1.99.1
Scan saved at 4:16:58 PM, on 5/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\NoteTab Light\NoteTab.exe
C:\Documents and Settings\Dad\Desktop\Desktop\Virus & Malware Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bioperformanceproducts.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program
Files\Yahoo!\Common\ycomp5_1_6_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program
files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton
SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton
SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security
Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe"
-l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP
InSight\SBC\IPMon32.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID
{05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program
files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program
files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program
Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program
Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
http://files.member....s/sbc/yinst.cab
O16 - DPF: {3F7E91A0-E33C-11d5-8736-00010260CD82} (JavaSonics) -
http://www.javasonic...onicsPlugin.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
http://tools.ebayimg...l_v1-0-3-36.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.micros...b?1125790244844
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) -
http://cdn.digitalci....1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) -
http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) -
http://download.game...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) -
http://download.game...inematycoon.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
http://download.game...aploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) -
http://fdl.msn.com/z...s/heartbeat.cab
O20 - Winlogon Notify: avldr - C:\WINDOWS\
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. -
C:\WINDOWS\system32\LEXBCES.EXE

I suspect this is an entry in my registry. Again, I sure hope you can find the answer.

Thanks in advance

TTerry

Edited by TTerry, 14 May 2006 - 04:03 PM.

  • 0

Advertisements


#2
TTerry

TTerry

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi all,

I know you're all super busy helping as many as you can. But I posted here on May 14th and alas no reply. I am desperate. Please respond. I don't want to resort to the ultimate refomat.

Thanks

TTerry
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP