100 % CPU usage! All the time

tinker

New Member
ComboFix 11-03-05.01 - p 08/03/2011 23:01:30.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.511.342 [GMT 5.5:30]
Running from: c:\documents and settings\p\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\p\Desktop\CFScript.txt
AV: Net Protector 2010 *Disabled/Updated* {5AE99E99-35D6-47B8-87C2-D8A82C07FB43}
.
FILE ::
"c:\windows\system32\drivers\ivdhhva.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system\MFC42D.DLL
c:\windows\system\MSVCRTD.DLL
.
.
((((((((((((((((((((((((( Files Created from 2011-02-08 to 2011-03-08 )))))))))))))))))))))))))))))))
.
.
2011-03-08 17:14 . 2011-03-08 17:15 -------- d-----r- C:\32788R22FWJFW
2011-03-01 06:09 . 2011-03-01 06:09 -------- d-----r- C:\MSOCache
2011-02-23 16:03 . 2011-03-07 19:47 -------- d-----r- C:\Program Files
2011-02-23 16:00 . 2011-02-23 10:50 -------- d-----w- C:\Documents and Settings
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-05 16:19 . 2011-03-05 16:19 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
.
[-] 2008-10-21 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
[-] 2008-04-14 . 9DD07AF82244867CA36681EA2D29CE79 . 1614848 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-03-08_16.41.48 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-08 17:29 . 2011-03-08 17:29 16384 c:\windows\Temp\Perflib_Perfdata_564.dat
+ 2011-03-08 09:00 . 2011-03-08 16:49 53248 c:\windows\Installer\{BF6F1CCB-4666-412B-810E-B6002BC01E33}\ARPPRODUCTICON.exe
- 2011-03-08 09:00 . 2011-03-08 09:00 53248 c:\windows\Installer\{BF6F1CCB-4666-412B-810E-B6002BC01E33}\ARPPRODUCTICON.exe
+ 2011-03-08 09:00 . 2011-03-08 16:49 204800 c:\windows\Installer\{BF6F1CCB-4666-412B-810E-B6002BC01E33}\BSNL_3G.exe_B9F38B60FD474B8A8B1CC66C5BF0015B.exe
- 2011-03-08 09:00 . 2011-03-08 09:00 204800 c:\windows\Installer\{BF6F1CCB-4666-412B-810E-B6002BC01E33}\BSNL_3G.exe_B9F38B60FD474B8A8B1CC66C5BF0015B.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 65024]
"Rscmpt"="c:\windows\system32\Rscmpt.exe" [2002-08-22 481792]
"Zero-V Virus Shield"="c:\progra~1\NETPRO~1\EMAIL SCAN\EMAILSCN.EXE" [2011-03-01 141352]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-04-09 200704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-03-28 4616192]
"nwiz"="nwiz.exe" [2003-03-28 323584]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-10 40048]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2011-03-05 30192]
"MCtlSuc"="c:\program files\BSNL 3G Data Card\BSNL 3G\Resource\MCtlSuc.exe" [2010-01-13 91136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NPLogon]
2010-09-20 17:37 45056 ----a-w- c:\windows\system32\NPLOGON.DLL
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\UGS\\NX 7.0\\UGII\\ugraf.exe"=
"c:\\WINDOWS\\system32\\CNAB4RPK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
.
R2 NPVProt;NPAV Antivirus Protection;c:\documents and settings\p\NPProt.exe [23/02/2011 4:43 PM 45056]
R2 UG Nx 7.0;UG Nx 7.0;c:\program files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe [20/07/2009 8:20 AM 1372160]
R2 ZVONLINE;ZVONLINE;c:\program files\Net Protector 2010\ZVScan\ZVOnline.sys [10/05/2010 6:01 PM 18176]
R2 ZVRegMon;Zero-V Registry Monitoring;c:\program files\Net Protector 2010\ZVRegMon\ZVRegMon.exe [16/07/2010 7:26 PM 73728]
R3 u302bus;HSPADataCard WMC Bus Driver (WDM);c:\windows\system32\drivers\u302bus.sys [30/07/2010 9:23 AM 119112]
R3 u302mdfl;HSPADataCard Modem Filter;c:\windows\system32\drivers\u302mdfl.sys [30/07/2010 9:23 AM 14920]
R3 u302mdm;HSPADataCard Modem Driver;c:\windows\system32\drivers\u302mdm.sys [30/07/2010 9:23 AM 135880]
R3 u302mgmt;HSPADataCard USB Device Management Drivers (WDM);c:\windows\system32\drivers\u302mgmt.sys [30/07/2010 9:23 AM 129992]
S0 jtjqite;jtjqite;c:\windows\system32\drivers\ivdhhva.sys --> c:\windows\system32\drivers\ivdhhva.sys [?]
S2 UG Nx-7.0;UG Nx-7.0;c:\program files\UGS\NX 7.0\UGFLEXLM\lmgrd.exe [20/07/2009 8:20 AM 1372160]
S2 ZeroVProtect;Zero-V AntiVirus Protection;c:\program files\Net Protector 2010\ZVScan\ZVMonNt.exe [01/06/2010 11:39 AM 208896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [05/03/2011 9:48 PM 30192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.bsnllive.in/
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\p\Application Data\Mozilla\Firefox\Profiles\e3t5u5nz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: [email protected] - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-08 23:06
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(548)
c:\windows\system32\NPlogon.dll
.
Completion time: 2011-03-08 23:08:11
ComboFix-quarantined-files.txt 2011-03-08 17:38
ComboFix2.txt 2011-03-08 16:45
.
Pre-Run: 14,038,716,416 bytes free
Post-Run: 14,036,504,576 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 03885969762E1B6D178CC21866B98D50
 

tinker

New Member
The pc seems ok.
The CPU usage seems stable around 19 to 35% if I leave it on its own without touching anything.
As soon as I touch the mouse it shoots to 100%.
Typing is fine as before, no signs of lagging.
 

tinker

New Member
There is this file Rscmpt.exe in Task Manager/Processes. This file is the most volatile. It fluctuates from 22% to anywhere up to 95% or so.
 

tinker

New Member
When I open CAD software, the CPU runs at 100% even though I leave it alone.
The file Rscmpt.exe in Task Manager/Processes runs at 99%.
 

tinker

New Member
There used to be a file uploading process in the Taskbar/Applications, seems like it has disappeared.

For John,
I can never forget the way you have helped me. Your invested time in my problem and the consistent follow-up is something I am seeing for the first time. You are one of the most outstanding moderators I have ever come across on the internet. No wonder the tag says Super Moderator. I am sincerely thankful to you :):):)
 

johnb35

Administrator
Staff member
It looks like we still have 2 issues.

1. Rscmpt.exe is still taking up your cpu usage.
2. The entry in combofix is still there that needs to be removed.

Look in device manager and tell me what is listed under display adapters.

If you are running CAD software then I think you aren't running the proper card. Or you have bad drivers installed.

Let's perform the combofix script again.

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
Driver::
jtjqite

Service::
jtjqite

File::
c:\windows\system32\drivers\ivdhhva.sys

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


CFScript-1.gif


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
 
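The entry John wants removed is a boot-start service whose driver file is missing on disk (the `S0 jtjqite ... ivdhhva.sys [?]` line in the log). The following is an added example, not part of this thread or of ComboFix: a PowerShell check that lists every registered driver whose image path does not resolve to an existing file, so such orphaned or hidden entries stand out. It assumes PowerShell 3 or later on a current Windows build and uses the standard `Win32_SystemDriver` CIM class; the function names are mine.

```powershell
# Added example: find registered kernel/file-system drivers whose image file is
# missing, the pattern seen in the log (S0 jtjqite -> ivdhhva.sys [?]).
function Resolve-DriverImagePath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Normalise the NT-style prefixes the registry commonly stores.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-OrphanedDrivers {
    # Win32_SystemDriver covers both running and stopped driver services,
    # including boot-start (S0-style) entries that never loaded.
    Get-CimInstance -ClassName Win32_SystemDriver |
        ForEach-Object {
            $resolved = Resolve-DriverImagePath $_.PathName
            # Report only entries that point at a file that does not exist.
            if ($resolved -and -not (Test-Path -LiteralPath $resolved)) {
                [pscustomobject]@{
                    Name      = $_.Name
                    StartMode = $_.StartMode
                    State     = $_.State
                    ImagePath = $resolved
                }
            }
        }
}

# Run from an elevated prompt so every service key is readable.
Get-OrphanedDrivers | Format-Table -AutoSize
```

An orphaned entry is not proof of malware (uninstallers leave them too), but a random-looking name with a boot-start mode and no file is worth the kind of follow-up this thread does.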

tinker

New Member
Under Device manager- Display Adapters > GeForce4 MX440 with AGP8X

Performing combofix advice.

John, it's 10 am here and I think it's probably the end of the day for you there. Just in case you are leaving, I can come back at your starting time (night at my place).
 

tinker

New Member
When I tried combofix today as you suggested, the program did not work. My antivirus must have stopped it.
When I bring the combofix icon to the desktop, it disappears in 2 secs.
When I run the combofix program, a message appears saying "Not a valid Win32 application" and after that a second window saying "Process cannot be executed".

I tried running it with the antivirus closed, but it still failed.
Can't figure out what to do.
The CPU is back to 100% :(
 

tinker

New Member
I have a hunch that my antivirus is messing things up, because I was not able to connect to the internet for almost half an hour. It was only after I closed it that I got connected properly.

I am using a 3G internet USB device.
 

johnb35

Administrator
Staff member
Please post an uninstall list using hijackthis. Open hijackthis, click on open misc tools section, click on open uninstall manager, click on save list and save it to your desktop. Then copy and paste the log back here.

Please delete the existing combofix file from your desktop. Uninstall your current antivirus program, we will install a better one after we get your system cleaned up. Please download a new combofix file from here and save it to your desktop.

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then run the procedure I last mentioned and post the new log.
 