Cannot access antivirus website, CPU usage spike to 100% when internet


  • This topic is locked

#1
siweling

    New Member

  • Member
  • 1 posts
Hello, I have some problems with my machine.

First, I can't access any antivirus website. Before, I didn't have an internet connection on my machine, so I never tried this out earlier. But today I installed internet, and when I try to open an antivirus website, the website won't open.

Second, when I connect my machine to the internet, my CPU usage just spikes to 100%. This never happened before I installed internet. I have done some research about the cause, and it's maybe caused by malware. I checked the Resource Monitor and found the program that uses almost 97% of my resources. The program is named 7D2C.exe. After I ran ComboFix, the program changed its name to 7899.exe. I have to suspend the program to run my PC in a normal state again; if I end the process, the program runs again by itself.

Also, I have tried to run ComboFix, and here is the log report.

Sorry if my explanation is not clear enough, as I'm not a savvy computer user and English is not my main language.
Thank you kindly for your help. Here is the log report from ComboFix:

ComboFix 13-01-06.01 - User 01/08/2013 14:26:40.2.3 - x86
Microsoft Windows 7 Professional 6.1.7600.3.1252.1.1033.18.3198.2145 [GMT 7:00]
Running from: c:\users\User\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\User\AppData\Roaming\7899.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-08 to 2013-01-08 )))))))))))))))))))))))))))))))
.
.
2013-01-08 07:29 . 2013-01-08 07:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-31 10:04 . 2012-12-31 10:04 -------- d-----w- c:\windows\Derpy and the Elusive Muffin Uninstaller
2012-12-31 10:04 . 2012-12-28 18:07 1135247 ----a-w- c:\windows\Derpy and the Elusive Muffin.scr
2012-12-30 06:48 . 2012-12-30 06:48 -------- d-----w- c:\users\User\AppData\Roaming\Lonely Troops
2012-12-17 06:36 . 2012-12-17 06:36 -------- d-----w- c:\windows\Pinkie Finished Uninstaller
2012-12-17 06:36 . 2012-12-15 22:40 1116157 ----a-w- c:\windows\Pinkie Finished.scr
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-13 04:39 . 2012-06-07 10:01 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IDM Shell Extension]
@="{CDC95B92-E27C-4745-A8C5-64A52A78855D}"
[HKEY_CLASSES_ROOT\CLSID\{CDC95B92-E27C-4745-A8C5-64A52A78855D}]
2012-02-08 00:49 22376 ----a-w- c:\program files\Internet Download Manager\IDMShellExt.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-07-24 3487128]
"Steam"="c:\program files\Steam\Steam.exe" [2013-01-08 1354736]
"MSIDLL"="msivii32.dll" [2012-07-28 180224]
"RGSC"="e:\game\Rockstar Games Social Club\RGSCLauncher.exe" [2008-11-14 305064]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-05 500208]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-21 406992]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"RemoteControl11"="c:\program files\CyberLink\PowerDVD11\PDVD11Serv.exe" [2011-04-20 234792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2012-06-07 198160]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"StartRun"="c:\program files\EVDO USB Modem\StartRun.exe" [2009-07-23 204800]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
.
c:\users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2012-7-3 40136]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-18 272528]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.207\McCHSvc.exe [x]
R3 qcusbser;Mobile Connector USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\cmusbser.sys [x]
R3 SwitchBoard;SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [x]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [x]
S2 {329F96B6-DF1E-4328-BFDA-39EA953C1312};Power Control [2012/06/07 17:06];c:\program files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl [x]
S2 CLHNServiceForPowerDVD;CLHNServiceForPowerDVD;c:\program files\CyberLink\PowerDVD11\Kernel\DMP\CLHNServiceForPowerDVD.exe [x]
S2 CyberLink PowerDVD 11.0 Monitor Service;CyberLink PowerDVD 11.0 Monitor Service;c:\program files\CyberLink\PowerDVD11\Common\MediaServer\CLMSMonitorService.exe [x]
S2 CyberLink PowerDVD 11.0 Service;CyberLink PowerDVD 11.0 Service;c:\program files\CyberLink\PowerDVD11\Common\MediaServer\CLMSServer.exe [x]
S2 IDMWFP;IDMWFP;c:\windows\system32\DRIVERS\idmwfp.sys [x]
S2 ntk_PowerDVD;ntk_PowerDVD;c:\program files\CyberLink\PowerDVD11\Kernel\DMP\ntk_PowerDVD.sys [x]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
.
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-08 c:\windows\Tasks\AutoKMS.job
- c:\windows\AutoKMS.exe [2012-06-07 09:26]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-152147981-2974144520-1009932935-1000Core.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-17 22:50]
.
2013-01-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-152147981-2974144520-1009932935-1000UA.job
- c:\users\User\AppData\Local\Google\Update\GoogleUpdate.exe [2012-07-17 22:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.gamesgofree.com/
mStart Page = hxxp://home.gamesgofree.com/
IE: Download all links with IDM - c:\program files\Internet Download Manager\IEGetAll.htm
IE: Download with IDM - c:\program files\Internet Download Manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~1\Office14\ONBttnIE.dll/105
TCP: Interfaces\{62AA58AF-9CF8-440B-806D-783F5561FFB1}: NameServer = 202.169.224.3,202.169.224.4
FF - ProfilePath - c:\users\User\AppData\Roaming\Mozilla\Firefox\Profiles\cnc3ym8f.default\
FF - prefs.js: Keyword.Enabled - true
FF - prefs.js: browser.startup.homepage - hxxp://home.gamesgofree.com/
FF - prefs.js: keyword.URL - hxxp://home.allgameshome.com/results.php?category=web&s=
FF - prefs.js: network.proxy.http - 202.75.102.18
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.type - 0
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{329F96B6-DF1E-4328-BFDA-39EA953C1312}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-152147981-2974144520-1009932935-1000\Software\SecuROM\License information*]
"datasecu"=hex:b5,e0,17,24,56,55,3f,ab,4a,2f,6e,58,54,28,8f,60,2f,c9,8a,07,0d,
83,bb,f9,4c,56,97,01,bc,39,70,38,c2,d8,27,fe,cc,df,30,1f,6a,ee,65,ba,72,92,\
"rkeysecu"=hex:88,3f,71,43,47,c0,f5,e4,1f,48,73,71,aa,57,75,18
.
[HKEY_USERS\S-1-5-21-152147981-2974144520-1009932935-1000_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):78,a3,c7,f5,34,82,1c,eb,d0,e6,dc,dc,cd,69,11,65,e9,f6,ea,27,de,
e9,a5,f8,08,98,ef,f3,e5,81,b9,b7,c6,d4,3d,12,60,0a,f7,2f,00,00,00,00,00,00,\
.
[HKEY_USERS\S-1-5-21-152147981-2974144520-1009932935-1000_Classes\CLSID\{7fce31d0-91d6-4a5a-9d36-500f37f595a6}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000112
"Therad"=dword:0000000f
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2013-01-08 14:30:41
ComboFix-quarantined-files.txt 2013-01-08 07:30
ComboFix2.txt 2013-01-08 06:59
.
Pre-Run: 85,623,721,984 bytes free
Post-Run: 85,568,393,216 bytes free
.
- - End Of File - - FDA2F46637207B0F1CAC8B1B4C250A17

Edited by siweling, 08 January 2013 - 01:39 AM.

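As an added illustration (not part of this thread, and not a ComboFix feature), the script below parses the "Reg Loading Points" layout shown in the log above and flags the pattern the thread describes: an autorun living in a user profile directory, registered under both the HKCU and HKLM Run keys, with UAC switched off (EnableLUA = 0). The sample excerpt and the finding labels are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section, modelled on the log above.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IDMan"="c:\program files\Internet Download Manager\IDMan.exe" [2012-07-24 3487128]
"MSIDLL"="msivii32.dll" [2012-07-28 180224]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PIg"="c:\users\User\AppData\Roaming\7899.exe" [BU]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')                      # [HKEY_...\Run]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"')    # "Name"="target" [stamp]
UAC_RE = re.compile(r'^"EnableLUA"=\s*(?P<val>\d+)')

def triage_loading_points(log_text):
    """Return (finding, key, name, value) tuples for entries worth a second look."""
    findings, key = [], ''
    seen = defaultdict(set)  # lower-cased target -> Run keys it is registered under
    for line in map(str.strip, log_text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        if key.lower().endswith(r'\policies\system'):
            m = UAC_RE.match(line)
            if m and m.group('val') == '0':   # UAC turned off entirely
                findings.append(('uac-disabled', key, 'EnableLUA', '0'))
            continue
        if not key.lower().endswith(r'\currentversion\run'):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, value = m.group('name'), m.group('value')
        low = value.lower()
        if '\\appdata\\' in low or low.startswith('c:\\users\\'):
            findings.append(('user-profile-autorun', key, name, value))  # user-writable location
        elif '\\' not in value:
            findings.append(('unqualified-path', key, name, value))      # resolved via search order
        seen[low].add(key)
    for target, keys in seen.items():
        if len(keys) > 1:  # same file registered under more than one Run key
            findings.append(('multi-key-persistence', '|'.join(sorted(keys)), '', target))
    return findings
```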

#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there, it is not a good idea to run ComboFix as a first tool unless you know what you are doing.

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    /md5start
    services.*
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    winsock.*
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs

THEN

Download and run Farbar Service Scanner

Tick "All" options.
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

#3
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.