View Full Version : Processor going mad??



chad_bridge
01-22-2003, 09:39 AM
When I leave my computer, about 10 mins after, the hard drive and obviously the processor go mad; it only happens after about 10 mins of being idle. Can someone please help me terminate this problem?

I have Windows XP Professional, 600 MHz Pentium 3 processor, 120 GB Maxtor HDD.

thanks

chad

Oh yeah, and I downloaded that x-box thing from theneoproject.com; whether that has anything to do with it I don't know. But I can't find the un-installer for this program.

Budfred
01-22-2003, 10:24 AM
What do you mean when you say it goes "mad"? Without knowing what it is actually doing, it will be very difficult to give you any ideas.

That said, have you checked in Add/Remove programs to see if you can remove that program you mentioned? If it isn't there, there are uninstallers you can download that do a good job of clearing stuff like that out. You can check downloads at www.pcworld.com for a long list of uninstallers.

Budfred

chad_bridge
01-22-2003, 10:43 AM
What I mean by mad is the HDD light on the front of the case flashes rapidly and I can hear it roaring the same as when it's loading an application.

Rick
01-22-2003, 11:02 AM
Check your Index service settings and the other services you are running under XP.
By default it should run only after the system has been idle for XX amount of time.
In your case that may be 10 min.

Also check for Virus / Malware / Trojan

mjc
01-22-2003, 11:16 AM
Get HijackThis (http://www.spywareinfo.com/~merijn/) and run it, post the log from it, then go to the Config button, Misc Tools and post a Startuplist log, too.

chad_bridge
01-22-2003, 12:29 PM
As you requested, here is the first log.

Logfile of HijackThis v1.91.2
Scan saved at 17:26:54, on 22/01/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.google.co.uk/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=http://www.google.co.uk/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.bbc.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.google.co.uk/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=England Vs. Turkey - 02/04/03
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [WinsysRsr] C:\Program Files\Wsr\WinsysRsr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /1
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37595.3749652778
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O18 - Protocol: df2 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df23chat - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df3 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df4 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5 - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: df5demo - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)
O18 - Protocol: ofpjoin - {219A97F3-D661-4766-B658-646A771AE49E} - (no file)

chad_bridge
01-22-2003, 12:31 PM
And here is the startup list.log

StartupList report, 22/01/2003, 17:27:20
StartupList version: 1.51
Started from : C:\Documents and Settings\Chad\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Wsr\WinsysRsr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Washer\washer.exe
C:\PROGRA~1\INCRED~1\bin\INCMAIL.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\KaZaA Lite\kazaa.exe
C:\Program Files\KaZaA Lite\Speed Up.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chad\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SystemTray = SysTray.Exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
WinsysRsr = C:\Program Files\Wsr\WinsysRsr.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Once

washindex = C:\Program Files\Washer\washidx.exe "Chad"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run ServicesOnce

washindex = C:\Program Files\CCWasher\washidx.exe "Chad"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

NoAds = "C:\Program Files\NoAds\NoAds.exe"
IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
Washer = C:\Program Files\Washer\washer.exe /1

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Once

washindex = C:\Program Files\Washer\washidx.exe "Chad"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run ServicesOnce

washindex = C:\Program Files\CCWasher\washidx.exe

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\SYSTEM32\MACROMED\DIRECTOR\SWDIR.DLL
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[blueyonder Game Launcher Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\launcher.ocx
CODEBASE = http://www.bygames.com/activex/launcher.ocx

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe

[{8AD9C840-044E-11D1-B3E9-00805F499D93}]

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37595.3749652778

[{CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA}]

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SWFLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MSNChat45.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: \??\C:\DOCUME~1\Chad\LOCALS~1\Temp\_iu14D2N.tmp||\??\C:\DOCUME~1\Chad\LOCALS~1\Temp\_iu14D2N.tmp


--------------------------------------------------
End of report, 6,346 bytes
Report generated in 0.560 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
___________________________________

Thanks and I hope you can help me,

chad

mjc
01-22-2003, 02:08 PM
The suspicious things I found are:

O4 - HKLM\..\Run: [WinsysRsr] C:\Program Files\Wsr\WinsysRsr.exe (can't find anything on this one, so you may want to check it out; in any case it is running from startup)

O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - ht..tp://www.bygames.com/activex/launcher.ocx (blueyonder has been known to cause some problems, also it may not be something you actually intended)

Symantec NetDetect.job (it looks like your Norton may also be trying to scan everything when you are idle...check your background scan settings, and make sure it isn't trying to do a full scan in the background)
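
The manual pass over the log described in the post above, sketched as an added example (not part of the thread or of HijackThis): it parses the posted log format and lists the O4 autorun and O16 download entries that are not on a reviewer's allowlist. `KNOWN_DIRS` and `KNOWN_HOSTS` are assumed, reviewer-maintained lists; an entry in the queue is unrecognised, not confirmed malicious.

```python
import re
from urllib.parse import urlparse

# Excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinsysRsr] C:\Program Files\Wsr\WinsysRsr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {1F996EAE-3D97-4862-AA0E-27F257C089DE} (blueyonder Game Launcher Control) - http://www.bygames.com/activex/launcher.ocx
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumption: lists the reviewer maintains of install paths and hosts already recognised.
KNOWN_DIRS = ("\\symantec shared\\", "\\norton antivirus\\", "\\quicktime\\")
KNOWN_HOSTS = {"download.macromedia.com", "www.apple.com"}

LINE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
O4 = re.compile(r"^(?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16 = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>.*)\))? -\s*(?P<url>\S*)$")
EXE = re.compile(r'"?(.+?\.exe)', re.I)  # executable path, quoted or not, without arguments

def parse(log):
    """Split a HijackThis log into (section code, remainder) pairs."""
    return [m.groups() for m in map(LINE.match, log.splitlines()) if m]

def review_queue(log):
    """Return O4/O16 entries the reviewer has not recognised yet; not a verdict."""
    queue = []
    for code, rest in parse(log):
        if code == "O4" and (m := O4.match(rest)):
            exe = EXE.match(m["cmd"])
            path = exe.group(1) if exe else m["cmd"]
            if not any(d in path.lower() for d in KNOWN_DIRS):
                queue.append(("O4", m["name"], path))
        elif code == "O16" and (m := O16.match(rest)):
            host = urlparse(m["url"]).hostname or ""
            if host not in KNOWN_HOSTS:  # an empty codebase is also queued
                queue.append(("O16", m["name"] or m["clsid"], host or "(no codebase)"))
    return queue

if __name__ == "__main__":
    for item in review_queue(SAMPLE_LOG):
        print(item)
```
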

chad_bridge
01-22-2003, 02:10 PM
Thanks for being so helpful, I noticed something that might help.

I pressed ctrl-alt-del on my PC and went to the Processes tab, and noticed that there were 4 SVCHOST.EXE running at the same time: one with the username LOCAL SERVICE, another with NETWORK SERVICE, and the other two are SYSTEM. And one of them has a mem usage of 10,464k.

thanks for all the help in the posts above.

chad