Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Not sure of infection type, but ntoskrnl.exe+0x17a9a maxes out CPU


  • Please log in to reply

#1
dannygirl15

dannygirl15

    New Member

  • Member
  • Pip
  • 2 posts
OS: Windows 2000 Professional SP4
Intel Pentium 4 CPU
776,260 KB RAM

For the past 5 days, the "System" process in the Task Manager has spiked up to 80%-90%+ every few seconds, thus maxing out the CPU at 100% for minutes at a time. I began to notice this first when trying to use Firefox, which I installed a couple of weeks ago because IE had been running so painfully slow, especially when attempting to log in to my Hotmail account. Now both Firefox and IE seem to affect the System CPU usage tremendously, although the CPU will max out even when neither are running. This computer (as well as another) is hooked up to a server.

Through Process Explorer, I can see that ntoskrnl.exe+0x17a9a is responsible for the entire CPU spike.

I followed the Malware and Spyware Cleaning Guide. Although I was not able to run SysRestorePoint (not allowed by a security policy), I was able to follow the other steps. I have pasted the RootRepeal log below. (note - after running, I received an error message: DeviceIoControl Error! Error Code=0x0). I was not able to run OTL - received error message: System Restore Interface not Present. When running Malwarebyte's Anti-Malware, 0 malicious files were found. I would like to run OTL, so if there is something I can do to avoid that error message, please let me know.

Any suggestions would be helpful as I have not been able to find a solution to my problem in any forums that I have searched. Let me know any add'l info you need.

Thank you in advance.


ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/12/11 13:10
Program Version: Version 1.3.5.0
Windows Version: Windows 2000 SP4
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINNT\System32\Drivers\dump_atapi.sys
Address: 0xAF85D000 Size: 90112 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINNT\System32\Drivers\dump_WMILIB.SYS
Address: 0xEBA4D000 Size: 4096 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINNT\system32\drivers\rootrepeal.sys
Address: 0xAEDAD000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
ServiceTable Hooked [0x8055c000]!

#: 016 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x82926fa0

#: 035 Function Name: NtCreateKey
Status: Hooked by "<unknown>" at address 0x82903020

#: 041 Function Name: NtCreateProcess
Status: Hooked by "<unknown>" at address 0x8284c420

#: 046 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8284c2a0

#: 053 Function Name: NtDeleteKey
Status: Hooked by "<unknown>" at address 0x8284c620

#: 055 Function Name: NtDeleteValueKey
Status: Hooked by "<unknown>" at address 0x8284c4a0

#: 158 Function Name: NtQueueApcThread
Status: Hooked by "<unknown>" at address 0x82926020

#: 164 Function Name: NtReadVirtualMemory
Status: Hooked by "<unknown>" at address 0x82926ea0

#: 186 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8284c120

#: 196 Function Name: NtSetInformationKey
Status: Hooked by "<unknown>" at address 0x8284c5a0

#: 198 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8284c320

#: 199 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8284c1a0

#: 215 Function Name: NtSetValueKey
Status: Hooked by "<unknown>" at address 0x8284c520

#: 221 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8284c0a0

#: 224 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8284c3a0

#: 225 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8284c220

#: 240 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x82926f20

==EOF==
  • 0

Advertisements







Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP