Pegged CPU

Mike McCall

New client Zotac minipc Win 8.1. Signed them up for the residential monitoring, managed AV, patch management, and web protection package. Device wouldn't pass the vulnerability scan. Couldn't connect to the database. I tried pinging update.microsoft.com and a couple others required for updates, and couldn't reach them. Then I ran tracert and it stopped at the same place you see below. Then an AV scan found a virus and quarantined it. System dog slow, so I check Task Manager and find that the CPU is pegged at 100%. The main culprit is Windows Module Installer Worker. Apparently, TiWorker has been causing quite a few problems on 8.1 boxes. I tried stopping the service, but it continually restarted. I checked and both it and Windows Update services were set to manual start. Ran sfc /scannow in safe mode as administrator, but got a message saying that it was unable to run, but no indication why. Finally, in safe mode I set both Windows Module Installer Worker and Windows Update services to disabled to spare the CPU while I research this issue further.

Disabling those two services dropped the CPU usage to about 30%, but it remains steady with little fluctuation. Processes fluctuate, but total usage remains consistent. On the left in the screen capture below is the most recent tracert alongside Task Manager. I tried running System Restore in both normal and safe modes to no avail. I've run several scans for rootkits or other malware and found nothing after the managed AV found the virus (don't remember which one) and removed it. Uninstalled/reinstalled the monitoring agent, no change.

My thinking at this point is that either there's malware that I've yet to find, or there are corrupted files. I'm leaning toward the latter at this point. If I'm unable to work this out, I might suggest the client upgrade to 10 thinking it would correct whatever potentially corrupted files there are, as well as any software incompatibilities. So, what am I missing in this?

[Attachment: upload_2015-10-9_8-34-56.png (screen capture of tracert and Task Manager)]
 
Thanks! Yeah, done that and no change. One of the troubleshooters did find that there were some corrupted files and corrected them, but no change in things. I've been remoted into this thing until after midnight last night, and again all morning and am just not making any headway. So, at this point I've imaged her drive onto her backup drive, and will recommend she upgrade to 10 hoping that straightens things out. She has Frontier as her ISP and her DSL modem acts as both her DHCP and DNS server. I've changed her DNS server to the ones at OpenDNS, but that made no difference either. Ugh. If upgrading to 10 fixes things that's good for her (and me too in a sense), but I still won't know what went sideways or how to fix it...unless 10 is the fix.
 
I'm seeing multiple instances of wermgr.exe, which is a Windows Error Reporting process. I know that generally if I've left things alone the system would finish updating itself and stop running flat out. But this has been 4 days now. I'd hate to see her system get cooked.

[Attachment: upload_2015-10-9_11-58-59.png (screen capture)]
 
Device wouldn't pass the vulnerability scan. Couldn't connect to the database. I tried pinging update.microsoft.com and a couple others required for updates, and couldn't reach them.
Almost always a symptom of infection. I see you found one, but are there more? Can you do a reliable rootkit check remotely?

... and will recommend she upgrade to 10 hoping that straightens things out.
Risky strategy, upgrading a system that has problems. I might try it on the bench, away from client's eyes, where I can restore the image and start over, if necessary. What are you going to do if the upgrade borks and you can't remote in? If there is a rootkit infection, an upgrade failure is very possible.
 
Good points, Nick. It was the managed AV on a new install (Bitdefender) that caught the initial infection. I also ran scans using Kaspersky and RogueKiller; both came up empty. There absolutely could still be something on there. If so, I haven't found it yet. The client lives next door, so logistics aren't an issue. I can easily bring the device into the shop and deal with it there. I've already imaged the drive, understanding I may have imaged a virus as well.

Part of what makes me lean toward a problem with TiWorker are the number of complaints of this very issue related to it and Win 8.1. Unfortunately, none of the fixes have had any effect. It certainly could be a remaining virus, or it could be some corrupted files damaged by the virus. Either way, I agree with you that the best approach is to bring it into the shop (along with her external drive) and make sure I've done everything I possibly can to ensure a clean install first. It's not like I've never been wrong or anything.
 
For giggles, try running my utility (ORT: www.oakslabs.com). It kills all processes running under the current user. If the CPU drops back to normal, you know that it is one of the processes in the ORT log (that's probably creating multiple threads). Otherwise, you know it's system/driver/crafty malware related.
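Before killing anything on a pegged box like this one, it helps to snapshot which processes are actually burning CPU, who owns them, and where their images load from. The script below is an added triage example, not ORT and not code from anyone in this thread; it assumes an elevated PowerShell 3.0+ session on the affected machine, and $LogPath is a placeholder.

```powershell
# Added triage example: record every process with owner, CPU time and image path,
# then call out the names mentioned in this thread (TiWorker, wermgr) for review.
# Assumes an elevated session; $LogPath is a placeholder, not a path from the thread.
$LogPath = "$env:USERPROFILE\Desktop\cpu-triage.csv"

$snapshot = Get-CimInstance Win32_Process | ForEach-Object {
    # GetOwner fails for some SYSTEM processes; treat that as unknown rather than aborting
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID        = $_.ProcessId
        Name       = $_.Name
        Owner      = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { 'SYSTEM/unknown' }
        # Kernel/user times are in 100 ns ticks; convert to seconds of CPU consumed so far
        CpuSeconds = [math]::Round(($_.KernelModeTime + $_.UserModeTime) / 1e7, 1)
        Threads    = $_.ThreadCount
        Path       = $_.ExecutablePath
    }
}

# Full snapshot, heaviest consumers first, saved for offline comparison across runs
$snapshot | Sort-Object CpuSeconds -Descending |
    Export-Csv -NoTypeInformation -Path $LogPath

# The processes named in the thread: how many, who runs them, how busy they are
$snapshot | Where-Object { $_.Name -in 'TiWorker.exe', 'wermgr.exe', 'TrustedInstaller.exe' } |
    Format-Table PID, Name, Owner, CpuSeconds, Threads, Path -AutoSize

# Several wermgr.exe instances at once is worth a look
$wermgr = @($snapshot | Where-Object { $_.Name -eq 'wermgr.exe' })
if ($wermgr.Count -gt 1) { "wermgr.exe instances running: $($wermgr.Count)" }

# Windows servicing binaries live under the system root; anything with a known
# system name loading from elsewhere deserves a hash check before it is trusted
$snapshot | Where-Object { $_.Path -and $_.Path -notlike "$env:SystemRoot\*" } |
    Format-Table PID, Name, Owner, Path -AutoSize
```

Run it once before and once after stopping a suspect process; if total CPU falls but the CSV shows the same image reappearing under the user's account, that is the process to pull for analysis.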
 
I would be willing to try it, but Kaspersky says:

The requested URL cannot be provided
Object URL: http://www.oakslabs.com/ORT.exe
Reason: object is infected by Trojan.Win32.Diztakun.aaes

I turned off my AV long enough to download and run it on one of my own machines, and it certainly does kill nearly everything. However, I'm not able to send it while remoting so it's an in-house tool only. One that gets flagged and fought by everything it encounters, including the OS itself. Will it reveal a hidden virus on her machine? It may. Unfortunately, when my AV reinitialized it immediately flagged and deleted ORT so I have to start all over again. I guess I'll have to treat it as a highly dangerous combination of Hydrochloric Acid, Nitroglycerin, and Nuclear Waste. ;)
 
Yes, every AV product known to man likes to flag ORT as malicious. I have an explanation and a workaround in the Sea Turtle thread: https://www.technibble.com/forums/threads/the-ort-thread-aka-sea-turtle-thread.64451/#post-501976. Changing the file extension to a text file for transport purposes might also do the trick.
 
LOL! I had visions of you having a three-hour drive in the early hours of the morning to rescue it!

Naw, if that were the case I would have had it in the shop from the very beginning. Part of the problem is she has a roommate who likes to hang out in seedy places. As I was speaking with her yesterday on the phone about the issue I could hear him complaining that the web filtering was blocking his access to porn. Fortunately, I think she trusts me.
 
So, if I change it to a .txt file, can I paste it into Powershell and run it from there?

No.... If you download the file, you can change the extension to .txt, you can then move it to the other PC, turn off the AV/AM, and then change the file extension back to .exe. It would avoid having the client AV or router eat ORT.
 
Thought that would be too easy. I just saw that it seems to open a Powershell window and had a temporary case of wishful thinking.
 
Well, ORT does use PowerShell to create a restore point..... but alas, I can't keep the AVs away. It's like a dog and a raw steak.....
 