CPU use 50-60 % for explorer.exe

By sanjana8480

Good day to all, friends!

I have Windows 2000 Server with SP4 installed on an IBM xSeries 236 with SQL 2005; the AV is OfficeScan with current updates.
Now I guess it is infected with some virus / Trojan.
When I double-click My Computer it doesn't open, and looking at Task Manager, explorer.exe shows 25% CPU usage; when I double-click My Computer again, explorer.exe goes up to 50-60%. When I kill explorer.exe and run explorer.exe again, CPU comes back down to normal operation, which is 0-2%. I tried running explorer.exe from C:\winnt\explorer.exe, but the result remains the same.
For your reference I am attaching the HijackThis log & processlist.txt.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:19:41 AM, on 4/14/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\IBMHPASV.EXE
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\mmc.exe
C:\WINNT\system32\taskmgr.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1.somedomain.net.ae:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://podgateway.mydomainname.com:808/OfficeScan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - http://podgateway.mydomainname.com:808/OfficeScan/console/ClientInstall/setupini.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://domaingateway.mydomainname.com:808/OfficeScan/console/ClientInstall/RemoveCtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomainname.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{70157781-EBBD-4643-8AF7-A0ABBF5136F9}: NameServer = 192.168.100.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{9B61389F-76B5-4347-9490-E5E1925F3AFD}: NameServer = 192.168.100.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomainname.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{70157781-EBBD-4643-8AF7-A0ABBF5136F9}: NameServer = 192.168.100.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mydomainname.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{70157781-EBBD-4643-8AF7-A0ABBF5136F9}: NameServer = 192.168.100.11
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM Active PCI Alert Service (IBMHPS) - IBM Corporation - C:\WINNT\System32\IBMHPASV.EXE
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

--
End of file - 5120 bytes


Process list saved on 9:20:48 AM, on 4/14/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

[pid] [full path to filename] [file version] [company name]
192 C:\WINNT\System32\smss.exe 5.0.2195.6601 Microsoft Corporation
212 C:\WINNT\system32\winlogon.exe 5.0.2195.6714 Microsoft Corporation
264 C:\WINNT\system32\services.exe 5.0.2195.6700 Microsoft Corporation
276 C:\WINNT\system32\lsass.exe 5.0.2195.6695 Microsoft Corporation
420 C:\WINNT\system32\svchost.exe 5.0.2134.1 Microsoft Corporation
464 C:\WINNT\System32\svchost.exe 5.0.2134.1 Microsoft Corporation
512 C:\WINNT\system32\spoolsv.exe 5.0.2195.6659 Microsoft Corporation
760 C:\WINNT\System32\IBMHPASV.EXE 5.0.0.0 IBM Corporation
776 C:\WINNT\System32\inetsrv\inetinfo.exe 5.0.2195.6620 Microsoft Corporation
792 C:\WINNT\System32\llssrv.exe 5.0.2195.6697 Microsoft Corporation
932 C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe 6.0.0.1250 Trend Micro Inc.
964 C:\WINNT\system32\MSTask.exe 4.71.2195.6704 Microsoft Corporation
1052 C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe 6.0.0.1250 Trend Micro Inc.
1236 C:\WINNT\System32\WBEM\WinMgmt.exe 1.50.1085.100 Microsoft Corporation
1296 C:\WINNT\system32\svchost.exe 5.0.2134.1 Microsoft Corporation
1308 C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe 10.0.5520.0 VERITAS Software Corporation
2220 C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe 6.0.0.1250 Trend Micro Inc.
1960 C:\WINNT\System32\svchost.exe 5.0.2134.1 Microsoft Corporation
2224 C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe 10.0.5520.0 VERITAS Software Corporation
1360 C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe 6.0.0.1250 Trend Micro Inc.
2496 C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe 6.0.0.1250 Trend Micro Inc.
1740 C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe 2000.80.760.0 Microsoft Corporation
900 C:\WINNT\explorer.exe 5.0.3700.6690 Microsoft Corporation
2096 C:\WINNT\system32\mmc.exe 5.0.2195.6601 Microsoft Corporation
1980 C:\WINNT\system32\taskmgr.exe 5.0.2195.6620 Microsoft Corporation
820 C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlservr.exe 2000.80.760.0 Microsoft Corporation
1232 C:\PROGRA~1\MICROS~3\MSSQL\binn\sqlagent.exe 2000.80.760.0 Microsoft Corporation
1264 C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe 9.107.8320.0 Microsoft Corporation
1188 C:\WINNT\System32\msdtc.exe 1999.9.3421.3 Microsoft Corporation
2512 C:\Program Files\Trend Micro\HijackThis\HijackThis.exe 2.0.0.2 Trend Micro Inc.

************************************************************************

Please tell me how I can get rid of this problem.
Your valuable answers are welcome.

Many thanks.

Hmmm.

by seanferd, in reply to "CPU use 50-60 % for explo ..."

http://www.microsoft.com/technet/sysinternals/SystemInformation/ProcessExplorer.mspx
This may give you further insight into the process.

There are further tools if you want to look around your system, such as Autoruns, Filemon, Process Monitor, etc.
http://technet.microsoft.com/en-us/sysinternals/bb545027.aspx

You can look for malware with these:
Rootkit Revealer
http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx
GMER
http://www.gmer.net
MBAM
http://www.malwarebytes.org

You might want to run these in safe mode.

Have you initiated a manual scan of the entire system with your AV?

I wonder if the high CPU usage has anything to do with the broken My Computer shortcut; it may be trying to display as well as Task Manager. If clicking it again doubles this, it is likely trying, unsuccessfully, to display another Explorer window.

If you move Task Manager window aside, is there also a searching flashlight box there?

You may want to run regedit, go to HKCR\CLSID\ and search "my computer". Check the subkeys under the Shell key. Make sure they look right - maybe check against a known good Win2K registry.

See also the reg fixes here for Directory, Drive, and maybe Folder, to give you an idea of what the reg entries should look like. They are for XP, but again, maybe you can compare the entries with another Win2K machine.
http://www.dougknox.com/xp/file_assoc.htm
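A small triage script for a HijackThis log like the one pasted in the question, added here as an example (it is not code from this thread, from HijackThis or from Sysinternals). It assumes the trusted install roots, the temp-directory markers and the corporate OfficeScan domain written into the constants, and runs on a constructed sample log rather than the real one:

```python
import re

# Constructed sample in HijackThis v2 format, modelled on the log in the question; the svch0st, updater and unknown-host lines are invented
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\All Users\tmp\svch0st.exe

O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [updater] C:\WINNT\Temp\updater.exe -silent
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://podgateway.mydomainname.com:808/OfficeScan/console/ClientInstall/WinNTChk.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Unknown Class) - http://cabs.unknown-host.example/x.cab
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""

TRUSTED_ROOTS = ("c:\\winnt\\", "c:\\program files\\")  # assumption: where legitimate binaries live on this server
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")                  # anything autorun from a temp directory deserves a look
TRUSTED_DPF_SUFFIX = ".mydomainname.com"                # assumption: the corporate OfficeScan deployment domain
EXE_RE = re.compile(r"[a-z]:\\.+?\.exe", re.IGNORECASE)  # first drive-letter path ending in .exe
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$", re.MULTILINE)
HOST_RE = re.compile(r"https?://([^/:\s]+)", re.IGNORECASE)

def parse_hjt(text):
    # Processes are the block after "Running processes:" up to the first blank line
    block = text.partition("Running processes:")[2].split("\n\n", 1)[0]
    processes = [l.strip() for l in block.splitlines() if l.strip()]
    entries = ENTRY_RE.findall(text)  # (code, body) pairs, e.g. ("O4", "HKLM\..\Run: ...")
    return processes, entries

def is_suspicious_path(path):
    p = path.lower()
    return any(t in p for t in TEMP_MARKERS) or not p.startswith(TRUSTED_ROOTS)

def triage(text):
    """Return (code, detail) pairs worth a closer look, in log order."""
    processes, entries = parse_hjt(text)
    findings = [("PROC", p) for p in processes if is_suspicious_path(p)]
    for code, body in entries:
        if code in ("O4", "O23"):  # autoruns and services: where does the binary live?
            m = EXE_RE.search(body)
            if m and is_suspicious_path(m.group(0)):
                findings.append((code, m.group(0)))
        elif code == "O16":  # ActiveX downloads: which host served the CAB file?
            m = HOST_RE.search(body)
            if m and not m.group(1).lower().endswith(TRUSTED_DPF_SUFFIX):
                findings.append((code, m.group(1)))
    return findings

if __name__ == "__main__":
    for code, detail in triage(SAMPLE_LOG):
        print(f"{code:5} {detail}")
```

Run against the real log, every entry it flags still needs a human check against a known-good Win2K box; it only narrows where to look first.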
