
XP Pro (SP2) 100% CPU



jilola
2008-03-01, 06:57
I'm at my wits end.

Laptop, LG LW75 Express, 1 GB 798 MHz RAM, 2 GHz Intel CPU.
XP Professional version 2002 SP2, pretty much up to date on everything.
No conflicts reported by system info.

AVG, Outpost Pro 4, StopZilla.
Outpost spyware scanner disabled because of incompatibility with AVG.


Symptom:

CPU at 100% all the time

Observations:

CPU hits 100% immediately and does not come down
Various processes get 30-90% CPU, but which processes changes.
It seems Outpost, StopZilla and AVG guard are most often in the high percentages, though svchost processes tend to be at 10-20% and sometimes well above 50%.


Experiments:

Booting to:

safe mode gives ca. 6% CPU
safe+network gives ca 6% CPU
Killing processes one by one sometimes brings the CPU to the 8-16% range, but after a reboot the problem recurs.

Disabling Stopzilla/AVG sometimes brings the CPU down, sometimes not. There doesn't seem to be a pattern.

HijackThis log shows the following odd items:


O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll

COMMENT: The file in question belongs to StopZilla, which does not complain during startup integrity testing, so this is probably just a false positive.



O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] E:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

COMMENT: ctfmon.exe seems to have been loaded three times. Sometimes killing this process drops the CPU to normal, sometimes not.


AVG (free) spyware scanner doesn't show anything. There were some trojans before, but not anymore.
StopZilla doesn't detect anything out of the ordinary.
ClamAV 0.92 gives zilch viruses.
Outpost spyware scanner doesn't report anything. (And yes, the AVG and Outpost spyware scanners do not like each other, so the Outpost spyware scan is disabled.)

Spybot reported a disabled Security Center and open port 21 for two users. Known, and Outpost has those closed anyway.

Outpost reports frequent port scans and blocked incoming connects from the ISP net.

Based on the fact that killing different processes after a boot brings things under control, I think there's some bug that doesn't show up on the scanners and reloads itself each boot.

I have no idea what's going on. Obviously someone is knocking at the door, but when isn't someone.
Obviously there's something fishy in my system.

Questions:


How do I identify the beast?
How do I kill it?
Really kill it?
How do I collect a sample for possible countermeasures by some anti-bug outfit or another?


Oh, the Kaspersky online scan fails to download and run. The connection drops at around 450K.
Spybot reports nothing other than the two items mentioned above.
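As an added illustration (this is editorial example code, not code from the thread or from HijackThis), here is a small Python triage script for the O4 and O10 lines quoted above. It collapses the repeated O10 lines into a count per DLL (HijackThis prints one O10 line per Winsock catalog entry the LSP hooks, so a single DLL appears several times) and lists each O4 Run entry with the hive it lives in, which shows the three ctfmon.exe lines as three separate registry registrations (HKCU, the LOCAL SERVICE hive, the NETWORK SERVICE hive). The sample log is constructed from the post's own entries plus one made-up HKLM entry (name "update", path under All Users) to exercise the path check; the flags are my own review hints for deciding what to inspect next, not a malware verdict.

```python
"""Triage the O4 (Run keys) and O10 (Winsock LSP) lines of a HijackThis log.

Added example, not code from the original thread or from HijackThis.
Assumptions: the line formats below match the entries quoted in the post;
the "outside %SystemRoot%" and service-account-hive flags are review hints
of my own, not a verdict on whether an entry is malicious.
"""
import re
from collections import Counter

# Constructed sample: the O10/O4 entries quoted in the post, plus one made-up
# HKLM entry (name "update", path under All Users) to exercise the path flag.
SAMPLE_LOG = r"""
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] E:\Program Files\PeerGuardian2\pg2.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKLM\..\Run: [update] "C:\Documents and Settings\All Users\Application Data\update.exe" /silent
"""

O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+?)\s*$")
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\(?P<sid>S-[\d-]+))\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?\s*$"
)
# First executable-looking token of the command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat|cmd))"?(?:\s|$)', re.I)

SYSTEM_ROOT = "c:\\windows\\"  # assumed install location, as in the posted log
SERVICE_SIDS = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE", "S-1-5-20": "NETWORK SERVICE"}


def parse_hjt(text):
    """Return a list of dicts for the O4 and O10 lines; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O10_RE.match(line)
        if m:
            entries.append({"type": "O10", "path": m.group("path")})
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.match(m.group("cmd"))
            entries.append({
                "type": "O4", "hive": m.group("hive"), "sid": m.group("sid"),
                "key": m.group("key"), "name": m.group("name"), "cmd": m.group("cmd"),
                "path": exe.group("path") if exe else m.group("cmd"), "user": m.group("user"),
            })
    return entries


def count_lsp_files(entries):
    """Collapse repeated O10 lines: one count per LSP DLL, however many catalog entries it hooks."""
    return Counter(e["path"].lower() for e in entries if e["type"] == "O10")


def triage_run_entries(entries):
    """Annotate each O4 entry with review hints (heuristics, not verdicts)."""
    rows = []
    for e in entries:
        if e["type"] != "O4":
            continue
        flags = []
        if not e["path"].lower().startswith(SYSTEM_ROOT):
            flags.append("outside %SystemRoot%")
        if e["sid"] in SERVICE_SIDS:
            flags.append("per-account hive of " + SERVICE_SIDS[e["sid"]])
        rows.append({"name": e["name"], "hive": e["hive"], "path": e["path"], "flags": flags})
    return rows


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for path, n in count_lsp_files(parsed).items():
        print(f"LSP {path}: {n} catalog entries")
    for row in triage_run_entries(parsed):
        print(f"{row['hive']:<16} [{row['name']}] {row['path']}  {'; '.join(row['flags'])}")
```

Run it against a full log pasted into SAMPLE_LOG (or read from a file) and it ignores every line type other than O4 and O10; extend the flag rules to taste, for instance by hashing each flagged path so the file can be submitted to a vendor as a sample.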

jilola
2008-03-06, 04:16
Resolved.

ty.

tashi
2008-03-06, 04:25
Thank you for letting us know. :)

FYI, if you need to return please follow the procedure in this link to produce a complete log:
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Safe surfing.