PC Review



CPU running at 100%

 
 
the K
Guest
Posts: n/a
 
      9th Jan 2009
My CPU sometimes runs at 100% even after closing all programs. I've run both
ESET virus scanner and Windows Defender and neither found any spyware or
viruses. Looking at the Process Monitor application, there are a lot of read file
and registry transactions generated by Winlogon.exe and lsass.exe. The
Winlogon entries look suspicious because they are accessing files with names
like tmghlmrb.dat and jaccaqad.dat. However, I checked the file's properties
and it looks like a legit file from Microsoft.

Can anyone diagnose this problem?
 
 
 
 
 
Gerry
Guest
Posts: n/a
 
      9th Jan 2009

The problem could well be malware. An anti-virus programme will not
detect malware and Windows Defender is not a strong player.

I suggest you download and run Spybot S & D (freeware version). There
is a freeware version buried in this link:
http://www.safer-networking.org/en/spybotsd/index.html

This programme is getting good results - Malwarebytes' Anti-Malware
1.32 - freeware (if you upgrade you pay).
http://www.download.com/Malwarebytes...-10804572.html

Run Malwarebytes' in safe mode and turn off ESET before you do to avoid
a conflict. Disregard the invitation on the web site regarding the
Registry Optimiser - a Registry Optimiser is not a helpful utility.

Process Monitor is not so easy to use as it provides so much data.
Another utility to monitor CPU activity is Process Explorer.
Download Process Explorer (freeware).
For further information about Process Explorer see here:
http://www.microsoft.com/technet/sys...sExplorer.mspx



--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Randem
Guest
Posts: n/a
 
      10th Jan 2009
Check in Task Manager in Processes then sort on CPU by clicking on CPU
heading twice to see what processes are taking up CPU cycles. If you have
Windows Search 4.0 it will hog CPU cycles and I would uninstall it.

Report back on your CPU cycle load numbers...

--
Randem Systems
Your Installation Specialist
The Top Inno Setup Script Generator
http://www.randem.com/innoscript.html



 
Patrick Keenan
Guest
Posts: n/a
 
      10th Jan 2009

"the K" <(E-Mail Removed)> wrote in message
news:74EEEE1A-8CC0-40C4-87E6-(E-Mail Removed)...
> My CPU sometimes runs at 100% even after closing all programs. I've run both
> ESET virus scanner and Windows Defender and neither found any spyware or
> viruses. Looking at the Process Monitor application, there are a lot of read file
> and registry transactions generated by Winlogon.exe and lsass.exe. The
> Winlogon entries look suspicious because they are accessing files with names
> like tmghlmrb.dat and jaccaqad.dat. However, I checked the file's properties
> and it looks like a legit file from Microsoft.


Not to me they don't. They look completely bogus. Generated, random
names like that are a giveaway.

> Can anyone diagnose this problem?


Yes. Your system is infected.

Attach the drive to another system and scan with up-to-date antivirus, after
locating and deleting the contents of all temp and temporary internet files
folders. Create a folder for tools, and download HijackThis to it.

Once the scan is done, move the drive back, do not connect to the network.
Run HijackThis, and remove undesired entries and files. This does require
some knowledge. Once that's done, reconnect to the network and run
HijackThis again. Some malware requires a network connection to launch,
and so it's harder to detect when there isn't one.

Run msconfig and carefully examine the startup entries. This will give you
strong clues as to where the malware launchers are located.

You will also need to uninstall and reinstall your antivirus program,
because it's been compromised. You may want to switch to something else
for a while.

HTH
-pk
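
As an added illustration of the point in the post above (not code from the thread or from any tool it mentions): a triage pass over a Process Monitor CSV export that flags file names shaped like `tmghlmrb.dat` and `jaccaqad.dat`. The sample rows, the `C:\EXAMPLE` directory and the two scoring rules are assumptions made here; a hit is a lead to investigate, not a verdict.

```python
import csv
import io
import ntpath
import re
from collections import defaultdict

# Constructed sample in Process Monitor's CSV export layout. Only the two
# .dat names come from the thread; directories and other rows are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"06:21:01","winlogon.exe","612","ReadFile","C:\EXAMPLE\tmghlmrb.dat","SUCCESS",""
"06:21:01","winlogon.exe","612","ReadFile","C:\EXAMPLE\jaccaqad.dat","SUCCESS",""
"06:21:02","winlogon.exe","612","RegQueryValue","HKLM\EXAMPLE\Settings","SUCCESS",""
"06:21:03","explorer.exe","1480","ReadFile","C:\EXAMPLE\ntuser.dat","SUCCESS",""
"06:21:04","lsass.exe","668","CreateFile","C:\EXAMPLE\desktop.ini","SUCCESS",""
'''


def name_signals(path):
    """Reasons a file name looks machine-generated; empty list means none."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    if len(stem) < 6 or not stem.isalpha():
        return []  # heuristic only applies to longer, purely alphabetic names
    reasons = []
    # Longest run of non-vowels ('y' counted as a vowel); 4+ is rare in words.
    run = max((len(m) for m in re.findall(r"[^aeiouy]+", stem)), default=0)
    if run >= 4:
        reasons.append("consonant-run")
    if any(a == "q" and b != "u" for a, b in zip(stem, stem[1:] + " ")):
        reasons.append("q-without-u")
    return reasons


def flag_rows(csv_text):
    """Map process name -> {file name: reasons} for flagged file accesses."""
    hits = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"].startswith("Reg"):
            continue  # registry paths are key names, not files
        reasons = name_signals(row["Path"])
        if reasons:
            hits[row["Process Name"]][ntpath.basename(row["Path"])] = reasons
    return dict(hits)


if __name__ == "__main__":
    for proc, names in flag_rows(SAMPLE_CSV).items():
        print(proc, names)
```

Short vowel-less abbreviations in legitimate file names can trip the consonant-run rule, which is why names under six letters are skipped.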


 
 
Gerry
Guest
Posts: n/a
 
      10th Jan 2009
K

An addendum. In Google the file names you mention appear nowhere other
than your post. Whilst this is not conclusive it strongly suggests they
are part of a malware infestation.

This thread is being carried by a web site "www.pcreview.co.uk/forums".
Certain words, which appear in the original, are highlighted in blue
e.g. "safe mode" and link to another page. These are unauthorised
alterations to my post and in no way do I wish to be associated with
what is said in the links.

The links I included in my post which were included in the original are:
http://www.safer-networking.org/en/spybotsd/index.html
http://www.download.com/Malwarebytes...-10804572.html
http://www.microsoft.com/technet/sys...sExplorer.mspx

To read a correct copy of my post you should read what is posted on:
microsoft.public.windowsxp.general


--



Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~

 
Gerry
Guest
Posts: n/a
 
      10th Jan 2009
Randem

The posts to this thread are appearing in a modified form on this site:
http://www.pcreview.co.uk/forums/thread-3711882.php
http://www.pcreview.co.uk/copyright.php

I have looked for a way to complain about unauthorised alterations but
it would seem you need to register to do so.


--



Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Gerry
Guest
Posts: n/a
 
      10th Jan 2009
Patrick

The posts to this thread are appearing in a modified form on this site:
http://www.pcreview.co.uk/forums/thread-3711882.php
http://www.pcreview.co.uk/copyright.php

I have looked for a way to complain about unauthorised alterations but
it would seem you need to register to do so.


--



Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
