re: High CPU by system process freezes system Sunday, August 10, 2008 at 6:02 am Windows XP Annoyances Discussion Forum Posted by Rincewind (9 messages posted) Regedit looking for MchInjdrv.sys reveals HLM\System\Controlset001\Enum\Root\Legacy_Mchinjdrv The associated fields and keys suggest (to my ignorant eyes) seems to suggest that it is loaded as a service Also present under current control set\ I loaded up UBCD4WIN got it to search the C drive for mchinjdrv and it found nothing. (Previously I had found a reference to it in a-squared anti-malware which I then uninstalled) To try to short cut things a bit, I hit it with a registry cleaner (RegCure) - loads of errors. (Dont know if it matters but while RegCure was running the normal system freeze did not occur There were periods of high system usage but the system did not freeze.) Then a reboot with boot logging enabled (to see if mchinjdrv.sys is still loaded). It is. Log at the end. Another check via UBCD4WIN to see if it is there. Seems clear and it is not. its not in system32\drivers\ (which is where bootlog says it comes from) nor anywhere else on C: So presumably an earlier driver/file is creating it and instructing windows to load it. Sounds highly suspicious but how do I progress further to finding out the problem? Anyway, I had a go with RootKitRevealer which produced a whole bunch of stuff none of which seemed obviously an issue. I can post the log if it is of interest. Rootkit revealer showed a bunch of stuff as follows I'll get rid of all the temp stuff and temporary internet stuff and try again HKLM\SECURITY\Policy\Secrets\SAC* 9/18/2007 03:59 0 bytes Key name contains embedded nulls (*) HKLM\SECURITY\Policy\Secrets\SAI* 9/18/2007 03:59 0 bytes Key name contains embedded nulls (*) HKLM\SOFTWARE\TrendMicro\PC-cillin\15\ScanInfo\LastScanFile 8/10/2008 16:10 60 bytes Windows API length not consistent with raw hive data. C:\Documents and Settings\New User\Local Settings\Temp\14.tmp 8/10/2008 16:36 0 bytes Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\fb_1728.lck 8/10/2008 16:35 256.00 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\Rar$DI01.200 8/10/2008 16:14 0 bytes Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\Rar$DI01.200\autoruns.chm 8/10/2008 16:14 47.34 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\Rar$DI14.028 8/10/2008 16:12 0 bytes Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\Rar$DI14.028\RootkitRevealer.chm 12/7/2005 14:19 99.77 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\Rar$EX05.083 8/10/2008 16:15 0 bytes Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\Rar$EX05.083\autoruns.chm 8/10/2008 16:15 47.34 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\Rar$EX05.083\autoruns.exe 8/10/2008 16:15 630.54 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\Rar$EX05.083\autorunsc.exe 8/10/2008 16:15 528.04 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\Rar$EX05.083\Eula.txt 8/10/2008 16:15 6.84 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\~DF9C38.tmp 8/10/2008 16:14 16.00 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\~DF9C4A.tmp 8/10/2008 16:14 512 bytes Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\~DFC6DB.tmp 8/10/2008 16:12 16.00 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temp\~DFC6ED.tmp 8/10/2008 16:12 512 bytes Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temporary Internet Files\Content.IE5\8LG105ZL\eBayISAPI[5].htm 8/10/2008 16:07 34.59 KB Visible in Windows API, but not in MFT or directory index. C:\Documents and Settings\New User\Local Settings\Temporary Internet Files\Content.IE5\8LG105ZL\version[4].txt 8/10/2008 16:36 3 bytes Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temporary Internet Files\Content.IE5\C5UJJ7FN\CA0589WR.HTM 8/10/2008 16:12 788 bytes Visible in Windows API, but not in MFT or directory index. C:\Documents and Settings\New User\Local Settings\Temporary Internet Files\Content.IE5\C5UJJ7FN\eBayISAPI[8].htm 8/10/2008 16:31 34.59 KB Hidden from Windows API. C:\Documents and Settings\New User\Local Settings\Temporary Internet Files\Content.IE5\C5UJJ7FN\version[4].txt 8/10/2008 16:07 3 bytes Visible in Windows API, but not in MFT or directory index. C:\Documents and Settings\New User\Local Settings\Temporary Internet Files\Content.IE5\U00AJUWD\CA4RWD6N.HTM 10/8/2008 09:39 1.15 KB Visible in Windows API, but not in MFT or directory index. C:\Documents and Settings\New User\Local Settings\Temporary Internet Files\Content.IE5\U00AJUWD\CAS963S5.HTM 8/10/2008 16:14 1.15 KB Hidden from Windows API. C:\Documents and Settings\New User\Recent\AutoRuns.txt.lnk 8/10/2008 16:23 285 bytes Hidden from Windows API. C:\Documents and Settings\New User\Recent\NEW VOLUME (F).lnk 8/10/2008 16:23 189 bytes Hidden from Windows API. C:\System Volume Information\_restore{AB398F2E-04D3-4338-80FB-8F06075A6CB0}\RP23\A0013282.exe 8/10/2008 15:39 940.00 KB Hidden from Windows API. C:\System Volume Information\_restore{AB398F2E-04D3-4338-80FB-8F06075A6CB0}\RP23\A0013283.exe 7/10/2007 19:14 191.26 KB Hidden from Windows API. C:\System Volume Information\_restore{AB398F2E-04D3-4338-80FB-8F06075A6CB0}\RP23\A0013284.dll 6/13/2007 16:25 220.50 KB Hidden from Windows API. C:\System Volume Information\_restore{AB398F2E-04D3-4338-80FB-8F06075A6CB0}\RP23\A0013285.dll 7/10/2007 19:14 1.40 MB Hidden from Windows API. C:\System Volume Information\_restore{AB398F2E-04D3-4338-80FB-8F06075A6CB0}\RP23\A0013286.ini 3/1/2006 22:21 256 bytes Hidden from Windows API. C:\System Volume Information\_restore{AB398F2E-04D3-4338-80FB-8F06075A6CB0}\RP23\A0013287.dll 7/10/2007 19:14 209.26 KB Hidden from Windows API. C:\System Volume Information\_restore{AB398F2E-04D3-4338-80FB-8F06075A6CB0}\RP23\A0013288.dll 6/25/2007 15:24 314.00 KB Hidden from Windows API. C:\System Volume Information\_restore{AB398F2E-04D3-4338-80FB-8F06075A6CB0}\RP23\A0013289.ini 8/10/2008 15:39 162 bytes Hidden from Windows API. C:\System Volume Information\_restore{AB398F2E-04D3-4338-80FB-8F06075A6CB0}\RP23\A0013290.old 8/10/2008 16:23 433 bytes Hidden from Windows API. C:\WINDOWS\Prefetch\AUTORUNS.EXE-2E809734.pf 8/10/2008 16:15 32.24 KB Hidden from Windows API. C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 10/8/2008 18:08 64.00 KB Visible in Windows API, but not in MFT or directory index. Again, while these processes were running, the typical symptoms of three peaks of 100% system usage repeated every minute were not visible. Typically system usage was 30%, process 10% and idle 50% What next? TFAI R Uses statistics as others use lamp posts - for support rather than illumination Written in response to: re: High CPU by system process freezes system (Spexx: Sunday, August 10, 2008 at 2:05 am) There are presently no replies to this message. All messages in this thread [show all] High CPU by system process freezes system (Rincewind: Wed, Jul 30, 2008, 11:54 pm) re: High CPU by system process freezes system (Spexx: Thu, Jul 31, 2008, 4:03 am) re: High CPU by system process freezes system (Rincewind: Thu, Jul 31, 2008, 5:35 am) re: High CPU by system process freezes system (Spexx: Thu, Jul 31, 2008, 5:53 am) re: High CPU by system process freezes system (Rincewind: Fri, Aug 1, 2008, 1:11 am) re: High CPU by system process freezes system (Spexx: Fri, Aug 1, 2008, 4:38 am) re: High CPU by system process freezes system (Spexx: Fri, Aug 1, 2008, 8:34 am) re: High CPU by system process freezes system (Rincewind: Sun, Aug 3, 2008, 1:36 pm) re: High CPU by system process freezes system (beebs: Mon, Aug 4, 2008, 12:00 pm) re: High CPU by system process freezes system (Rincewind: Sat, Aug 9, 2008, 6:32 pm) re: High CPU by system process freezes system (Rincewind: Sat, Aug 9, 2008, 7:55 pm) re: High CPU by system process freezes system (Rincewind: Sat, Aug 9, 2008, 10:59 pm) re: High CPU by system process freezes system (Spexx: Sun, Aug 10, 2008, 2:05 am) re: High CPU by system process freezes system (Rincewind: Sun, Aug 10, 2008, 6:02 am) re: High CPU by system process freezes system (Spexx: Sun, Aug 10, 2008, 6:05 am) re: High CPU by system process freezes system (Rincewind: Sun, Aug 10, 2008, 10:55 am) re: High CPU by system process freezes system (Spexx: Sun, Aug 10, 2008, 11:06 pm) re: High CPU by system process freezes system (Rincewindwiz: Mon, Aug 11, 2008, 2:37 pm) re: High CPU by system process freezes system (Spexx: Mon, Aug 11, 2008, 2:49 pm) re: High CPU by system process freezes system (Rincewindwiz: Wed, Aug 13, 2008, 3:59 am) re: High CPU by system process freezes system (Spexx: Wed, Aug 13, 2008, 8:07 am) re: High CPU by system process freezes system (Rincewindwiz: Wed, Aug 13, 2008, 10:27 am) re: High CPU by system process freezes system (Rincewindwiz: Wed, Aug 13, 2008, 11:30 am) re: High CPU by system process freezes system (Spexx: Wed, Aug 13, 2008, 11:53 am) re: High CPU by system process freezes system (Rincewindwiz: Wed, Aug 13, 2008, 1:07 pm) re: High CPU by system process freezes system (Spexx: Wed, Aug 13, 2008, 1:32 pm) re: High CPU by system process freezes system (Rincewindwiz: Wed, Aug 13, 2008, 1:23 pm) re: High CPU by system process freezes system (Spexx: Wed, Aug 13, 2008, 1:43 pm) Reply or follow-up to this message Search this forum Start a new thread on a different subject Report abuse of the forum Return to the Windows XP Discussion Forum