Computer help needed, possible virus, trojan or other malware...

Discussion in 'Computers' started by Nathan_F, Sep 23, 2006.

  1. Nathan_F

    I am having a problem with my home machine where the process called "System" in task manager is suddenly using 20% (occasionally 50%) of the CPU. This is causing hiccups during gaming. I assumed this was a virus of some sort, but have not had luck detecting it. I use AVG for anti-virus, and run an update and scan every day. I use Sygate for firewall, and Adaware and Spybot as the final pieces of my "security" suite. Reading some other posts here, I have also run/done the following:

    Microsoft Malware Removal Tool: nothing found
    Ewido: 2 viruses found and removed
    SpywareBlaster: nothing
    Microsoft Defender: 1 item found and deleted
    Java Runtime Environment: latest build installed and old items in the cache were deleted

    I have also posted my Hijack this logs to the tomcoyote forums, but have not heard anything back yet. Seems there is a bit of a backlog over there.

    Any thoughts?

    Thanks,
    Nathan
     
  2. Harold Wazzu

  3. Keith Plucker

    You seem to have all the standard bases covered. You might try using the programs you mentioned in safe mode to run their scans, if they allow for that.

    You could also try some of the other virus companies' products, such as Panda, Kaspersky and NOD32. They all allow you to download and use their programs for 30 days, so you can easily try out their products.

    Of course, there is always the dreaded OS reinstall.

    -Keith
     
  4. Paul_Sjordal

    It might not be a virus. There are lots of legitimate processes that might list as "system" in your process list. You could have a driver flaking out or need to reinstall an application.

    PS -- when was the last time you did the old tabula rasa routine on your hard drive?
     
  5. Nathan_F

    I didn't mention above, but all scans above were in safe mode.

    I have tried housecall, but it just closes IE at some point.

    I have not ever reimaged.. don't want to have to, I can't imagine the carnage.

    Any idea "why" some legitimate process would kick off every 4 seconds and consume 20% of the CPU?
     
  6. Paul_Sjordal

    Nope, but if that's the case, tabula rasa (wiping the HD and reinstalling everything) might clear it up.
     
  7. Mike Fassler


    I guess I have to ask how long you've been using the PC with this install of Windows? It is totally possible, if it's been a while, that something may have gotten corrupted or something. I'd also recommend that if you really must use IE, install SpywareBlaster and/or, since you have Ad-Aware installed, use the Ad-Watch function that will prevent, if not totally stop, any spyware etc. from being installed in the first place. Also, when those programs you used removed the viruses you said they found, they could have removed something legit too, or maybe something in the registry is messed up.
     
  8. Nathan_F

    I've been running this install of Windows for 2 years now, since the computer was new. I have never had to re-install an OS, and the prospect scares me to death. Digging up all the disks for software and/or downloading other tools... trying to match up ID keys... latest drivers for everything... it took me 2 months to get this machine running after I received it because of the botched job that the vendor performed putting it together. Then if I do all that, and reinstall Windows... I still run the risk that the data that I will be restoring is part of the corruption, and have to just lose that data.
     
  9. Mike Fassler

    Well, you could always put your Windows disk in there and try running a repair on the installation, just in case something did get borked; you would be back up in no time.

    Read this awesome article on how to non-destructively repair Windows XP:

    http://www.informationweek.com/share...leID=189400897
     
  10. Kimmo Jaskari

    You could also burn a bootable CD (preferably on some other machine) and use that to run the virus and malware scans. Safe mode is better than nothing, but to be truly sure that no nasty bug manages to hide, one should always boot from some other medium. A CD is good because it's easy and because, once burned, nothing else can infect it.

    Making a boot CD isn't hard, and it is something every Windows user might benefit from having lying around in case of troubles. http://www.ubcd4win.com/ is one option (one must also have a Windows XP disc, preferably with SP2 integrated).
     
  11. Nathan_F

    Mike-- If my disk version is SP1, and I have SP2, can I still do the repair option?

    Kimmo-- same question.. except change repair to boot disk... unfortunately I do not have another machine with XP Home installed either. If I were to create a boot disk, it would have to be from the (possibly) corrupt machine.

    I'm still hoping someone over at tomcoyote sees something in my Hijack log that miraculously cures the problem. I also have several other tools that I have downloaded (see Keith's post above), that I am trying to get installed and run to maybe catch the issue.

    Thanks again for everyone's help!
     
  12. Kimmo Jaskari

    You can copy the contents from the XP CD to the hard drive and then do a process called slipstreaming of the SP2. Essentially, you add SP2 to the XP files on the hard drive and then have an XP with SP2 integrated. That can then be burned back to a CD (with some tinkering to make it bootable) or used to create the boot cd I mention above. The process is described on the web page.

    Creating the boot CD on the possibly infected machine is not the best idea. You might conceivably wind up with a CD that can infect any machine you boot it from. You might be better off downloading the Linux-based Ultimate Boot CD from http://www.ultimatebootcd.com and burning that ISO file directly. It includes, among other things, several virus scanners.
     
  13. Mike Fassler

    Yeah, you would just need to slipstream SP2 and reburn the disc; pretty simple to do. There is also a program called nLite that will help you configure the disc if you want. Do a Google search for nLite and read about it.

    This site shows you how to slipstream the normal way:
    http://www.tech-recipes.com/windows_...n_tips587.html
     
  14. Nathan_F

    Okay guys.. strangest thing.. I had downloaded and was ready to try Panda and P-cillin, but they wouldn't install without uninstalling AVG. So I uninstall AVG and.. no more 20% System process every 5 seconds.
     
  15. Paul_Sjordal

    Strange. I had performance problems when I was using McAfee, and switching to AVG cleared it up.

    PS -- you're overdue for a reinstall. Do a web search on "unattended install" and "slipstream" for instructions on burning a new install disk that will make this process a little easier for you.
     
  16. Nathan_F

    Paul,
    I will definitely check that out... although I'm more of an "if it ain't broke, don't fix it" kind of guy, I understand that reinstalling Windows is more of a maintenance thing.. yet it still scares the crap out of me. When I was still thinking that I needed to do the repair or reinstall, I had a full page of programs that needed reloading. It was quite a daunting list...

    All-- I haven't tried reinstalling AVG yet to see if the problem persists with it running. If it does, thoughts on other free antivirus software?

    Thanks,
    Nathan
     
  17. Kimmo Jaskari

    I wouldn't recommend a non-technical user to do a reinstall just to do a reinstall. An enthusiast who knows what he/she has installed, where all the install media is, the serial number info for those etc and who has no doubts about his/her ability to back up the important data can do it with no worries, but if the system isn't so badly bogged down with windows-cruft that it is still performing passably then by all means keep using it.

    I think it's a bit of a myth that an average user would need to reinstall every six months or something. What you do need to do is have an updated antivirus, a firewall of some kind, possibly antispyware software especially if you use IE and finally and most importantly, get all security patches from Microsoft as they come out.

    Further, running a defrag program (a third-party one like PerfectDisk or Diskeeper is the ideal choice, as they can be set to run unattended at night or when you're not using the machine, but the built-in, feature-free one in Windows will do the job if you use it regularly) can help a lot with keeping the system responsive.

    One also should take care never to fill up a disk on a machine that is in heavy use. Keeping a 20% margin of empty space on the disk will also help with keeping the system responsive and far less prone to disk fragmentation in the first place.

    I think the whole "reinstall Windows frequently" craze started among enthusiasts who keep installing and uninstalling programs and filling their disks to capacity on a regular basis; with use like that, a Windows install will definitely age pretty gracelessly. For the average user who just uses the machine and bothers to do a bare minimum of maintenance the situation isn't nearly so dire, usually.
     
  18. Don Giro

    Nathan,

    If I were you, I would wait until hearing back from the folks at tomcoyote before doing anything drastic. If you're not getting any response from them, there are several other great forums you could try: CastleCops and SpywareInfo.

    Two techs at SpywareInfo recently helped me solve a "context menu" headscratcher that saved me from having to re-install ANYTHING. I've since signed on as a "Helper Trainee" at SpywareInfo, and spend a good bit of free time studying HiJack This logs.

    Try posting the log here, maybe one of us can point out the problem...
     
  19. Rommel_L

    Nathan,

    Post the HiJackThis logfile here. Let me take a look...
     
  20. Nathan_F

    Kimmo-- not exactly a novice user, but not a pure enthusiast either. I've helped build machines and am comfortable navigating the insides of a case, and have also done a lot to clean up Windows installs, help others remove malware, etc.. still have no desire to do a re-install of Windows. Also, I do defrag regularly and keep the OS drive at least 30% free.

    Don, Rommel: Log is below

    Logfile of HijackThis v1.99.1
    Scan saved at 10:18:34 PM, on 9/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Hijack this\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.monarchcomputer.com/search/small_search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.monarchcomputer.com/search/main.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.monarchcomputer.com/search/main.php
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
    O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
    O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
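
As an added example for this thread (not code from HijackThis or from anyone in the discussion), here is a small Python triage script for logs in the format posted above. It splits a log into its running-process list and its R/O sections, then flags the entries a responder reads first: browser defaults pointing at a host the user did not choose, Run entries whose command is not a fully qualified path (so PATH or App Paths decides what actually runs), O16 controls installed from a remote URL, and services whose binary lives in a user-writable directory or has no vendor. The allowlisted host and the "Example Updater" service line are constructed for the demonstration; the other sample lines are shortened from the log above. Every flag is a prompt to look, not a verdict: nothing in this thread's log was found malicious, and the CPU load turned out to come from AVG.

```python
"""Triage a HijackThis v1.99-style log.

Added example for this thread; it is not HijackThis code. The rules are
review prompts, not verdicts: everything they flag still needs a human
to confirm what the file or key actually is.
"""
import re
from collections import defaultdict

# Constructed sample in the log format posted above. Most lines are
# shortened from that log; the "Example Updater" service is invented
# here so the service rule has something to fire on.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Sygate\SPF\smc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.monarchcomputer.com/search/small_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\exupd.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O23_RE = re.compile(r"^Service: (?P<disp>.*) \((?P<name>[^)]+)\) - (?P<vendor>.*?) - (?P<path>.*)$")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)")
# A command is "qualified" when it starts with a drive letter or an
# environment variable; anything else is resolved by PATH/App Paths.
QUALIFIED_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%\w+%\\)')

# Assumption: hosts the user is known to have chosen for home/search pages.
EXPECTED_WEB_HOSTS = {"www.msnbc.msn.com"}
# Directories an unprivileged user (or a drive-by download) can write into.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\users\\")


def parse_hjt(text):
    """Return (running_processes, {section: [entry body, ...]})."""
    processes, entries = [], defaultdict(list)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries[m.group("sec")].append(m.group("body"))
        elif in_procs:
            processes.append(line)
    return processes, dict(entries)


def autorun_target(cmd):
    """The thing that actually runs: the exe, or the DLL for rundll32 lines."""
    tokens = cmd.strip().split()
    if not tokens:
        return ""
    if tokens[0].strip('"').lower().startswith("rundll32") and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def triage(text):
    """Return [(rule, entry body), ...] in log order; entries worth a second look."""
    hits = []
    _, entries = parse_hjt(text)
    for body in entries.get("R0", []) + entries.get("R1", []):
        m = URL_HOST_RE.search(body)
        if m and m.group(1).lower() not in EXPECTED_WEB_HOSTS:
            hits.append(("browser-default-offsite", body))
    for body in entries.get("O4", []):
        m = O4_RE.match(body)
        if m and not QUALIFIED_RE.match(autorun_target(m.group("cmd"))):
            hits.append(("autorun-unqualified-command", body))
    for body in entries.get("O16", []):
        if URL_HOST_RE.search(body):  # ActiveX control fetched from the network
            hits.append(("dpf-remote-install", body))
    for body in entries.get("O23", []):
        m = O23_RE.match(body)
        if not m:
            continue
        path = m.group("path").lower()
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            hits.append(("service-in-user-writable-dir", body))
        elif m.group("vendor").lower() == "unknown owner":
            hits.append(("service-no-vendor", body))
    return hits


if __name__ == "__main__":
    for rule, body in triage(SAMPLE_LOG):
        print(f"[{rule}] {body}")
```

Run against the sample it reports six items: the OEM search page (offsite relative to the assumed allowlist), three Run entries without a full path (CTHELPER.EXE, nwiz.exe and the leftover "1" value), the EA patcher control fetched over HTTP, and the constructed service in a Temp directory. Each is then a manual check (where does CTHELPER.EXE resolve, who signed the service binary), which is exactly the work the HijackThis helpers in the thread were being asked to do by eye.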
     
