Recently, something has been slowing my PC (Vista OS) on my laptop. I scanned with NOD32, Spybot (Search & Destroy) & a-squared only to find minor stuff (like adware). In the taskbar, the CPU usage jumps to 50% or even 90-100% sometimes. Please! I would appreciate any help that can assist the problem to a solution. Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:50 PM, on 7/27/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRAM FILES\A-SQUARED FREE\A2FREE.EXE
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7967F963-1A1F-475C-96F5-80B90D8CB39C} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B414E1CA-3227-4DBD-8499-C01F9930FBF2} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-21-658057386-4236903089-2978409280-1000\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User 'Default user')
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix: 
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-US/wlscctrl2.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - AppInit_DLLs: avgrsstx.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll,C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O22 - SharedTaskScheduler: Ave's FolderBg - {73526E5A-FD53-4BE7-B5E2-D3C89D7413DC} - (no file)
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7120 bytes

The same thing happens to me now! Not so much CPU usage though, but it just goes so slow. Games don't seem to work either, if I try to play TF2 on Vista it lags so much, even with every non-system process closed... Yet when I try on XP with WLM, WMP etc open it works perfect :|

Oh, and no, I'm not an XP fanboy... I actually like Vista better but I'm forced not to use it anymore...

  fokuz said:
Okay, got it open (real time monitor), but I don't know what area I am specifically looking for.

If u can show me a sshot or something, I'll post my sshot. Thanks again.

Uhm, basically you can sort by CPU usage, and see what process is using how much processing power.

  Relativity_17 said:
Uhm, basically you can sort by CPU usage, and see what process is using how much processing power.

Sorry for the late response, I checked it out & googled the file that juices my CPU usage.

It's the file called "LSASS.exe". I found out it's actual malware. Now...

I need to know what's the BEST APP to remove this dangerous thing so it doesn't return.

I would try:

Ad-Aware 2008 http://lavasoft.com/

Spybot Search & Destroy: http://safer-networking.org/

Windows Defender (Some may say this should be first but I have found a lot of stuff to sneak by it.)

Also, do you have anti virus?

For that I recommend Avast AntiVir: http://www.free-av.com/

  fokuz said:
Sorry for the late response, I checked it out & googled the file that juices my CPU usage.

It's the file called "LSASS.exe". I found out it's actual malware. Now...

I need to know what's the BEST APP to remove this dangerous thing so it doesn't return.

Ok, stop, take a deep breath, pause and think, because lsass is a legitimate Windows process. Do you have just one, or multiple ones? Do you get any error popups? Have you rushed out to download something to get rid of it already? If you haven't, don't. It's not necessary, and can do way more harm than good.

Open Task Manager, right-click on the LSASS process and hit Open File Location. Where is the executable kept?

Can you post a screenshot? lsass.exe is a very key Windows component, responsible for the creation and management of securable objects, as well as security-related logs.

Unless you have multiple instances of it running, or an instance running in the user context, you're probably just seeing the normal Windows one. Just look at the image path to see if it is coming from \windows\system32 as expected.
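The check described in the replies above (image path, instance count, user context), as an added example that is not part of the original thread. The CSV snapshot format, the `check_lsass` name and the sample rows are constructed for illustration and are not the output of any real tool.

```python
import csv
import io
import ntpath

# Constructed process snapshot (name,pid,path,user); not the output of a real tool.
SAMPLE = r"""name,pid,path,user
lsass.exe,612,C:\Windows\System32\lsass.exe,NT AUTHORITY\SYSTEM
lsass.exe,4120,C:\Users\user1\AppData\Roaming\lsass.exe,LAPTOP\user1
explorer.exe,2044,C:\Windows\explorer.exe,LAPTOP\user1
"""

SYSTEM_USER = r"nt authority\system"


def check_lsass(snapshot_csv, system_root=r"C:\Windows"):
    """Apply the thread's three checks to every process named lsass.exe."""
    expected_dir = ntpath.normcase(ntpath.join(system_root, "System32"))
    rows = [r for r in csv.DictReader(io.StringIO(snapshot_csv))
            if r["name"].strip().lower() == "lsass.exe"]
    flagged = {}
    for row in rows:
        reasons = []
        # Compare directories case-insensitively, after resolving ".." segments.
        image_dir = ntpath.normcase(ntpath.normpath(ntpath.dirname(row["path"])))
        if image_dir != expected_dir:
            reasons.append("image path outside System32")
        if row["user"].strip().lower() != SYSTEM_USER:
            reasons.append("running in a user context")
        if reasons:
            flagged[int(row["pid"])] = reasons
    # More than one instance is itself a signal, even if one copy looks normal.
    return {"count": len(rows), "multiple": len(rows) > 1, "flagged": flagged}


if __name__ == "__main__":
    print(check_lsass(SAMPLE))
```
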

So it seems you're running 3 security software, so I would get rid of all and go with NOD, and get rid of Spy Sweeper as that hogs memory, and AOL Instant Messenger is crap (use Trillian instead). Running more than 1 antivirus/firewall at a time is a bad idea, only use 1. McAfee is crap and Kaspersky has problems, but NOD seems the best, and I would not use Ad-Aware as it installs a useless service that needs to be running. For antimalware apps I would use Malwarebytes Anti-Malware and Spyware Doctor Starter Edition and AVG Anti-Spyware and SUPERAntiSpyware, and they are all free. Leave Windows Defender alone as it serves its purpose.

  soldier1st said:
So it seems you're running 3 security software, so I would get rid of all and go with NOD, and get rid of Spy Sweeper as that hogs memory, and AOL Instant Messenger is crap (use Trillian instead). Running more than 1 antivirus/firewall at a time is a bad idea, only use 1. McAfee is crap and Kaspersky has problems, but NOD seems the best, and I would not use Ad-Aware as it installs a useless service that needs to be running. For antimalware apps I would use Malwarebytes Anti-Malware and Spyware Doctor Starter Edition and AVG Anti-Spyware and SUPERAntiSpyware, and they are all free. Leave Windows Defender alone as it serves its purpose.

+1

Use ONLY ONE antivirus / security software at a time. As these scan all files that are executed, they will try to scan it at the same time. Also, check what gadgets you are running in the sidebar; some 3rd party gadgets are poorly programmed, and tend to use A LOT of memory and CPU power.

But first off, please uninstall all AV / IE-security / antispyware / antimalware applications properly, and then install one of your own choice.

By the way;

Lsass.exe - It generates the process responsible for authenticating users for the Winlogon service. This process is performed by using authentication packages such as the default Msgina.dll. If authentication is successful, Lsass generates the user's access token, which is used to launch the initial shell. Other processes that the user initiates inherit this token.

Edited by morphen
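One way to pull the overlapping security products and leftover entries out of a HijackThis log like the one posted at the top of the thread, as an added example that is not part of the original posts. The `triage` function and the keyword table are assumptions built from vendor names visible in that log; the sample lines are an excerpt of it.

```python
import re

# Excerpt of the HijackThis log posted above (O4 autoruns and O23 services).
LOG = r"""O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

# Assumption: keyword table built from product names that appear in the log above.
SECURITY_PRODUCTS = {
    "Kaspersky": "kaspersky",
    "ESET NOD32": "eset",
    "a-squared": "a-squared",
    "McAfee": "mcafee",
    "Webroot Spy Sweeper": "webroot",
}
ENTRY = re.compile(r"^(O4|O23) - (.+)$")
ORPHAN = re.compile(r"\((?:file missing|no file)\)\s*$")


def triage(log_text):
    """Return (active security products, orphaned entries) from O4/O23 lines."""
    active, orphans = set(), []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        body = m.group(2)
        if ORPHAN.search(body):
            orphans.append(body)  # registry entry whose target file is gone
            continue
        for product, keyword in SECURITY_PRODUCTS.items():
            if re.search(r"\b" + re.escape(keyword) + r"\b", body, re.I):
                active.add(product)
    return sorted(active), orphans


if __name__ == "__main__":
    products, leftovers = triage(LOG)
    print("Active security products:", products)
    print("Orphaned entries:", leftovers)
```
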
  fokuz said:
I FOUND THE SOURCE... it's... Conhook.l Trojan\Virus. Every time my program removes it, it returns!!!

It's what's been chewing & freezing my memory for a WHILE!

Please, someone tell me how to FULLY get rid of this God awful thing!

Ahh, well, still, use only ONE IE-security/AV program.

And, backup and reinstall ;) best solution, and it's time saving :p

Trying to remove spyware/trojans that just don't want to go isn't worth it when a backup - reinstall only sets you back 1-3 hours ;)

I use ESET Smart Security - low footprint and seems to be very good at detecting stuff. I used Norton once and friggin hell, it took me like 30 minutes to train it not to think a proper file was having a go. NOD32 is the best (well, I upgraded to Smart Security for the firewall section) as far as I'm concerned. Tried Kaspersky on an XP machine once and for me it didn't work at all, wouldn't even load. Best thing is maybe read reviews etc., but the highest detection rate vs lowest resource usage will be the best.

Also, Windows Defender, I've seen on the internet, can be a resource hog, and if you've got a good AV and firewall then disable it, first through startup, then in the management console. Waste of time.
