CPU at 100% all the time -- what's going on?

Ken90630

Golden Member
Mar 6, 2004
1,571
2
81
Hey, All,

I'm trying to help an acquaintance of mine with a problem he's having with his Dell. It's a Dimension 3000 with a Celeron 2.4GHz chip & 512MB of RAM. It's about 3 years old.

He said it has been running unbelievably slow lately, so he asked me to take a look at it. Wow, is he right. It boots up in decent time, but from then on it takes forever to launch an application or open a file. I checked Task Manager, and his CPU is at 100% all the time. :Q It doesn't drop at all.

First thing I did, of course, was run a virus scan (McAfee, with up-to-date def's) & 2 spyware scans (Ad-Aware and SpySweeper, both up to date). Neither scan yielded anything (except some cookies). I've cleaned out his browser cache & Windows Temp folder and deleted all cookies. We also ran a disk de-frag (for a different reason).

I printed out some screen shots of the Processes tab in Task Manager, and as soon as I'm done typing this I'm gonna Google some of them. Prob there is that I know that some malware uses the same file names as legit programs/processes, so I don't know how definitive that's gonna be. :confused:

Also, I find this odd: On the Performance tab within Task Manager, it shows CPU usage at 100%. But on the Process tab, under the CPU column, the processes running don't add up to anywhere near 100%. More like 23%. Is this normal or ??? :confused:

One other thing: His McAfee a-v did find and quarantine a virus a couple weeks ago. It said it could not be cleaned, so he just deleted it from the quarantine folder. Can we assume that took care of it, or ????

Anyone have any ideas here? This guy is a friend of a friend and it'd be nice if I could help him out. And we're hoping to avoid having to do a reformat. Thanks in advance for any ideas/assistance. :)
 

Ken90630

Thanks, but I don't see anything there that'll help with this particular problem. He already has security measures in place (Linksys router, McAfee a-v and firewall, and SpySweeper & Ad-Aware), and I've run all scans. Nothing is coming up, yet CPU usage is at 100% all the time.
 

xtknight

Elite Member
Oct 15, 2004
12,974
0
71
Almost certainly you have a rootkit which hides its CPU usage. Run Blacklight and RootkitRevealer.
 

NotquiteanooB

Senior member
Apr 14, 2005
362
0
71
Is he running anything from BOINC, such as Seti@Home ?? That and other apps from BOINC will have the CPU at 100%. Can you see if it is transmitting data continuously, check modem lights. If it is, you may have a trojan that has turned the PC into a server for spamming.
 

Ken90630

Originally posted by: NotquiteanooB
Is he running anything from BOINC, such as Seti@Home ?? That and other apps from BOINC will have the CPU at 100%. Can you see if it is transmitting data continuously, check modem lights. If it is, you may have a trojan that has turned the PC into a server for spamming.
No, nothing like BOINC or Seti@home. This is just an "average guy" using his PC to surf the Web, do e-mail, & some light word processing & occasional photo work.

Good idea about checking the modem lights. I'll have to go back over to his house and check. Funny thing is, you'd think the McAfee, Ad-Aware or SpySweeper scans would find something if there's a Trojan or other malware on there. But who knows. I think I'm gonna also run a Kaspersky online scan (in Safe Mode) when I go back over there. I'm also gonna disconnect his Web connection & see if that drops the CPU usage. If so, that'll point me in the right direction (I hope).
 

Ken90630

Originally posted by: xtknight
Almost certainly you have a rootkit which hides its CPU usage. Run Blacklight and RootkitRevealer.

Okay, that's something I don't know anything about. :eek: I'll check 'em out.

Thanks. :)
 

NotquiteanooB

Originally posted by: Ken90630
Originally posted by: NotquiteanooB
Is he running anything from BOINC, such as Seti@Home ?? That and other apps from BOINC will have the CPU at 100%. Can you see if it is transmitting data continuously, check modem lights. If it is, you may have a trojan that has turned the PC into a server for spamming.
No, nothing like BOINC or Seti@home. This is just an "average guy" using his PC to surf the Web, do e-mail, & some light word processing & occasional photo work.

Good idea about checking the modem lights. I'll have to go back over to his house and check. Funny thing is, you'd think the McAfee, Ad-Aware or SpySweeper scans would find something if there's a Trojan or other malware on there. But who knows. I think I'm gonna also run a Kaspersky online scan (in Safe Mode) when I go back over there. I'm also gonna disconnect his Web connection & see if that drops the CPU usage. If so, that'll point me in the right direction (I hope).

Some of the more recent trojans and worms can hide themselves very well... Make sure the most recent updates are in the virus and spyware apps.

 

Ken90630

Some of the more recent trojans and worms can hide themselves very well... Make sure the most recent updates are in the virus and spyware apps.
Yeah, I know. I went online and got all the latest updates before I ran the scans. I still wanna try an online scanner or two next time I go over there. I wonder: Can I run an online scanner while in Safe Mode? I've never tried that before.

I just checked out those Blacklight and RootKit Revealer programs that xtknight suggested in his post. I wasn't aware that the bad guys had reached this level of sophistication. This malware stuff is outta control. :|

I may try one or both of those, then reformat if the prob persists. Thanks for the help. :)
 

Ken90630

If anyone cares, I figured out the problem.

There was a process called WksCal.exe running multiple times within Task Manager. Combined, they were using up 100% of the CPU usage all the time.

As soon as I clicked "End Process" on each one, I could see the CPU usage drop a lot. Ending all of them dropped the CPU usage down to like 2%, 4%, etc. I then went into Msconfig and disabled the Works Calendar Reminder from Startup. The machine is now back to normal.

I have no idea what caused that process to be running multiple times or why it would be so CPU-intensive. :confused: Particularly when they don't even use the Works Calendar. And the DSL modem light was not active when the CPU was at 100%, so I don't think the machine had been hijacked as a spam zombie.

I'm obviously happy the prob is resolved, but I'd have better "closure" :D if I knew, definitively, what caused the prob in the first place. Weird ....
 

Ken90630

Originally posted by: NotquiteanooB
Congrats .. and thanks for posting your findings.

No prob. Another thing that threw me in the beginning was that the Processes (in Task Manager) weren't adding up to 100% CPU usage even though the Performance tab was showing 100% usage. I think what was happening was I didn't have the "show processes for all users" box checked, so I wasn't seeing everything that was running. (There are three people who use the machine.) As soon as I checked that box and saw the WksCal.exe process running multiple times, and collectively adding up to 100% CPU usage, I knew I'd found the prob.

Sure glad there wasn't some root kit malware on there. :p That would certainly have been a good suspicion though if there had in fact been hidden processes stealthing their CPU usage. Yikes. :Q
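
The check that resolved this thread (processes from all users, with multiple instances of one image summed together) can be scripted; the following is an added example, not something posted in the thread. It assumes a current Windows with PowerShell 3 or later and an elevated prompt, and uses the standard WMI classes `Win32_Process` and `Win32_PerfFormattedData_PerfProc_Process`.

```powershell
# Added example: per-image CPU totals across ALL logon sessions.
# Run elevated so processes owned by other users are visible.
$cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors

# Map PID -> session ID so each image can be tied to the sessions running it.
$sessionByPid = @{}
Get-CimInstance Win32_Process |
    ForEach-Object { $sessionByPid[[int]$_.ProcessId] = $_.SessionId }

# One sample per process instance; drop the synthetic _Total and Idle rows.
$samples = Get-CimInstance Win32_PerfFormattedData_PerfProc_Process |
    Where-Object { $_.Name -notin '_Total', 'Idle' }

$report = $samples |
    # Instance names look like "WksCal", "WksCal#1", ...; strip the suffix
    # so every copy of the same image lands in one group.
    Group-Object { $_.Name -replace '#\d+$', '' } |
    ForEach-Object {
        # The counter is per core, so divide by core count to match Task Manager.
        $cpu = ($_.Group | Measure-Object PercentProcessorTime -Sum).Sum / $cores
        [pscustomobject]@{
            Image     = $_.Name
            Instances = $_.Count
            Sessions  = ($_.Group |
                ForEach-Object { $sessionByPid[[int]$_.IDProcess] } |
                Sort-Object -Unique) -join ','
            CpuPct    = [math]::Round($cpu, 1)
        }
    } |
    Sort-Object CpuPct -Descending

# Top consumers, then the grand total to compare with the Performance tab.
$report | Select-Object -First 10 | Format-Table -AutoSize
"Sum over all processes: {0:N1}%" -f ($report | Measure-Object CpuPct -Sum).Sum
```

If the printed sum is close to the overall CPU figure, every consumer is accounted for; a large gap that persists when run elevated is the case where the rootkit tools suggested earlier in the thread become relevant.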