Computer help needed, possible virus, trojan or other malware...

Nathan_F

Second Unit
Joined
Feb 6, 2001
Messages
274
Location
Fishers, IN
Real Name
Nathan
I am having a problem with my home machine where the process called "System" in task manager is suddenly using 20% (occasionally 50%) of the CPU. This is causing hiccups during gaming. I assumed this was a virus of some sort, but have not had luck detecting it. I use AVG for anti-virus, and run an update and scan every day. I use Sygate for firewall, and Adaware and Spybot as the final pieces of my "security" suite. Reading some other posts here, I have also run/done the following:

Microsoft Malware Removal Tool: nothing found
Ewido: 2 viruses found and removed
SpywareBlaster: nothing
Microsoft Defender: 1 item found and deleted
Java Runtime Engine: latest build installed and old items in the cache were deleted

I have also posted my HijackThis logs to the tomcoyote forums, but have not heard anything back yet. Seems there is a bit of a backlog over there.

Any thoughts?

Thanks,
Nathan
 

KeithAP

Screenwriter
Joined
Feb 4, 1999
Messages
1,236
Location
Sacramento
Real Name
Keith
You seem to have all the standard bases covered. You might try using the programs you mentioned in safe mode to run their scans if they allow for that.

You could also try some of the other virus companies' products, such as Panda, Kaspersky and Nod32. They all allow you to download and use their programs for 30 days, so you can easily try out their products.

Of course, there is always the dreaded OS reinstall. :)

-Keith
 

Paul_Sjordal

Supporting Actor
Joined
May 29, 2003
Messages
831
It might not be a virus. There are lots of legitimate processes that might list as "system" in your process list. You could have a driver flaking out or need to reinstall an application.

PS -- when was the last time you did the old tabula rasa routine on your hard drive?
 

Nathan_F

I didn't mention above, but all scans above were in safe mode.

I have tried housecall, but it just closes IE at some point.

I have not ever reimaged.. don't want to have to, I can't imagine the carnage.

Any idea "why" some legitimate process would kick off every 4 seconds and consume 20% of the CPU?
 

Paul_Sjordal

Nope, but if that's the case, tabula rasa (wiping the HD and reinstalling everything) might clear it up.
 

Mike Fassler

Supporting Actor
Joined
Jan 17, 2004
Messages
523

I guess I have to ask how long you've been using the PC with this install of Windows? It is totally possible, if it's been a while, that something may have gotten corrupted or something. I'd also recommend that if you really must use IE, install SpywareBlaster and/or, since you have Adaware installed, use the Ad-Watch function that will prevent, if not totally stop, any spyware etc. from being installed in the first place. Also, when those programs you used removed the viruses you said they found, they could have removed something legit too, or maybe something in the registry is messed up.
 

Nathan_F

I've been running this install of Windows for 2 years now, since the computer was new. I have never had to re-install an OS, and the prospect scares me to death. Digging up all the disks for software and/or downloading other tools... trying to match up ID keys... latest drivers for everything... it took me 2 months to get this machine running after I received it because of the botched job that the vendor performed putting it together. Then if I do all that, and reinstall Windows... I still run the risk that the data that I will be restoring is part of the corruption, and have to just lose that data.
 

Kimmo Jaskari

Screenwriter
Joined
Feb 27, 2000
Messages
1,528
You could also burn a bootable CD (preferably on some other machine) and use that to run the virus and malware scans. Safe mode is better than nothing, but to be truly sure that no nasty bug manages to hide one should always boot from some other medium. A CD is good because it's easy and because once burned, nothing else can infect it.

Making a boot CD isn't hard and it is something every Windows user might benefit from having lying around in case of troubles. http://www.ubcd4win.com/ is one option (one must also have a Windows XP disc, preferably with SP2 integrated.)
 

Nathan_F

Mike-- If my disk version is SP1, and I have SP2, can I still do the repair option?

Kimmo-- same question.. except change repair to boot disk... unfortunately I do not have another machine with XP Home installed either. If I were to create a boot disk, it would have to be from the (possibly) corrupt machine.

I'm still hoping someone over at tomcoyote sees something in my Hijack log that miraculously cures the problem. I also have several other tools that I have downloaded (see Keith's post above), that I am trying to get installed and run to maybe catch the issue.

Thanks again for everyone's help!
 

Kimmo Jaskari

You can copy the contents from the XP CD to the hard drive and then do a process called slipstreaming of the SP2. Essentially, you add SP2 to the XP files on the hard drive and then have an XP with SP2 integrated. That can then be burned back to a CD (with some tinkering to make it bootable) or used to create the boot CD I mention above. The process is described on the web page.

Creating the boot CD on the possibly infected machine is not the best idea. You might conceivably wind up with a CD that can infect any machine you boot it from. :) You might be better off downloading the Linux-based Ultimate Boot CD from http://www.ultimatebootcd.com and burning that ISO file directly. It includes among other things several virus scanners.
 

Nathan_F

Okay guys.. strangest thing.. I had downloaded and was ready to try Panda and PC-cillin, but they wouldn't install without uninstalling AVG. So I uninstall AVG and.. no more 20% System process every 5 seconds.
 

Paul_Sjordal

Strange. I had performance problems when I was using McAfee, and switching to AVG cleared it up.

PS -- you're overdue for a reinstall. Do a web search on "unattended install" and "slipstream" for instructions on burning a new install disk that will make this process a little easier for you.
 

Nathan_F

Paul,
I will definitely check that out... although I'm more of an "if it ain't broke, don't fix it" kind of guy, I understand that reinstalling Windows is more of a maintenance thing.. yet it still scares the crap out of me. :) When I was still thinking that I needed to do the repair or reinstall, I had a full page of programs that needed to be reloaded. It was quite a daunting list...

All-- I haven't tried reinstalling AVG yet to see if the problem persists with it running. If it does, thoughts on other free antivirus software?

Thanks,
Nathan
 

Kimmo Jaskari

I wouldn't recommend that a non-technical user do a reinstall just to do a reinstall. An enthusiast who knows what he/she has installed, where all the install media is, the serial number info for those etc. and who has no doubts about his/her ability to back up the important data can do it with no worries, but if the system isn't so badly bogged down with Windows cruft that it is still performing passably, then by all means keep using it.

I think it's a bit of a myth that an average user would need to reinstall every six months or something. What you do need to do is have an updated antivirus, a firewall of some kind, possibly antispyware software especially if you use IE and finally and most importantly, get all security patches from Microsoft as they come out.

Further, running a defrag program (a third-party one like PerfectDisk or Diskeeper is the ideal choice as they can be set to run unattended at night or when you're not using the machine, but the built-in feature-free one in Windows will do the job if you use it regularly) can help a lot with keeping the system responsive.

One also should take care never to fill up a disk on a machine that is in heavy use. Keeping a 20% margin of empty space on the disk will also help with keeping the system responsive and far less prone to disk fragmentation in the first place.

I think the whole "reinstall Windows frequently" craze started among enthusiasts who keep installing and uninstalling programs and filling their disks to capacity on a regular basis; with use like that, a Windows install will definitely age pretty gracelessly. For the average user who just uses the machine and bothers to do a bare minimum of maintenance the situation isn't nearly so dire, usually.
 

Don Giro

Supporting Actor
Joined
Jan 22, 2004
Messages
862
Location
New Jersey
Real Name
Don
Nathan,

If I were you, I would wait until hearing back from the folks at tomcoyote before doing anything drastic. If you're not getting any response from them, there are several other great forums you could try: CastleCops and SpywareInfo.

Two techs at SpywareInfo recently helped me solve a "context menu" headscratcher that saved me from having to re-install ANYTHING. I've since signed on as a "Helper Trainee" at SpywareInfo, and spend a good bit of free time studying HijackThis logs.

Try posting the log here, maybe one of us can point out the problem...
 

Nathan_F

Kimmo-- not exactly a novice user, but not a pure enthusiast either. I've helped build machines and am comfortable navigating the insides of a case, and also have done a lot to clean up Windows installs, help others remove malware, etc.. still have no desire to do a re-install of Windows :) Also, I do defrag regularly and keep the OS drive at least 30% free.

Don, Rommel: Log is below

Logfile of HijackThis v1.99.1
Scan saved at 10:18:34 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.monarchcomputer.com/search/small_search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.monarchcomputer.com/search/main.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [SchedulingAgent] mstinit.exe /firstlogon
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.monarchcomputer.com/search/main.php
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {18CD2FD8-81CE-44C3-99E1-0822E1C7116C} (EARTPatch8X Class) - http://files.ea.com/downloads/rtpatch/v4/EARTP8X.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/...npseatools.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\system32\ImapiRox.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
 
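A log like the one above is what the helpers at tomcoyote, CastleCops and SpywareInfo read by hand, entry by entry. As an added example (not code from this thread, from HijackThis, or from any of those forums), here is a small Python triage script that parses entries in HijackThis v1.99 format and applies the first-pass checks a reviewer makes: a Run key or service whose binary sits in a user-writable folder such as Temp, a filename one character away from a core Windows binary (svch0st.exe), a core binary outside its home directory, an unqualified command that Windows resolves via PATH, a service whose file is missing or whose vendor is unknown, and the IE start/search URLs, which always need a human decision. The embedded sample log is constructed: most of its entries are copied from the log posted above, and the svch0st.exe, system32\explorer.exe and helpersvc entries are invented purely to exercise the checks, not findings about that machine. The severity labels and the list of user-writable folders are this example's own assumptions.

```python
"""Triage helper for HijackThis v1.99-style logs (illustrative, heuristic).

Handles R0/R1, O2, O4, O20 and O23 entries. A hit is a reason to look
closer, not a verdict: legitimate software does sometimes trip these rules.
"""
import re
from typing import List, NamedTuple
from urllib.parse import urlparse


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "review" (labels are this example's choice)
    kind: str      # HijackThis entry type, e.g. "O4"
    detail: str


ENTRY_RE = re.compile(r"^(?P<kind>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
# Program part of a Run-key command: a quoted path, or an unquoted path that
# ends in a program extension (it may contain spaces, as in "Program Files").
IMAGE_RE = re.compile(r'^(?:"([^"]+)"|(.*?\.(?:exe|dll|com|scr|cpl|bat))(?=\s|$))', re.I)

# Core Windows binaries and the directory name each must live in.
EXPECTED_DIR = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "windows",
}
# Assumed list of folders an unprivileged user, or a drive-by download, can write to on XP.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\",
                 "\\documents and settings\\", "\\recycler\\", "%temp%")

# Constructed sample: the first block copies entries from the log posted in this
# thread; the last three are invented to exercise the checks.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.monarchcomputer.com/search/small_search.html
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe
O4 - HKLM\..\Run: [Shell] C:\WINDOWS\system32\explorer.exe
O23 - Service: Helper (helpersvc) - Unknown owner - C:\WINDOWS\system32\helpersvc.exe (file missing)
"""


def image_from_command(cmd: str) -> str:
    """Return the program a Run-key command launches; for rundll32, the DLL it loads."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    image = (m.group(1) or m.group(2)) if m else cmd.split(" ", 1)[0]
    rest = cmd[m.end():] if m else cmd[len(image):]
    if image.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        image = rest.strip().split(",", 1)[0].strip('"')
    return image


def check_image(kind: str, image: str) -> List[Finding]:
    """Apply the path heuristics to one executable or DLL path."""
    out: List[Finding] = []
    lower = image.lower()
    directory, _, name = lower.rpartition("\\")
    if not directory:
        out.append(Finding("review", kind, f"unqualified '{name}' is resolved via PATH; confirm where it really lives"))
    if any(marker in lower for marker in USER_WRITABLE):
        out.append(Finding("high", kind, f"{image} runs from a user-writable folder"))
    if name in EXPECTED_DIR and directory and not directory.endswith("\\" + EXPECTED_DIR[name]):
        out.append(Finding("high", kind, f"{name} outside its home directory: {image}"))
    for real in EXPECTED_DIR:  # same length, exactly one character swapped (svch0st, lsas5)
        if len(name) == len(real) and name != real and sum(a != b for a, b in zip(name, real)) == 1:
            out.append(Finding("high", kind, f"{name} is one character away from {real}: {image}"))
    return out


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines and the "Running processes" block
        kind, body = m.group("kind"), m.group("body")
        if kind.startswith("R"):  # IE start/search page and proxy settings
            setting, _, value = body.partition(" = ")
            host = urlparse(value).netloc or value
            findings.append(Finding("review", kind, f"{setting.rpartition(',')[2]} -> {host}"))
        elif kind == "O4":  # Run keys: "[name] command"
            cmd = body.split("] ", 1)[1] if "] " in body else body
            findings += check_image(kind, image_from_command(cmd))
        elif kind in ("O2", "O20"):  # BHOs and Winlogon notify DLLs: "... - path"
            findings += check_image(kind, body.rpartition(" - ")[2])
        elif kind == "O23":  # services: "Service: name - owner - path"
            parts = body.rsplit(" - ", 2)
            if len(parts) < 3:
                continue
            owner, path = parts[1], parts[2]
            if path.endswith("(file missing)"):
                findings.append(Finding("high", kind, f"service binary missing: {path}"))
                path = path[: -len("(file missing)")].strip()
            if owner == "Unknown owner":
                findings.append(Finding("medium", kind, f"service with unknown owner: {path}"))
            findings += check_image(kind, path)
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG)):
        print(f"{f.severity:6} {f.kind:4} {f.detail}")
```

Run as-is it reports only the three invented entries as high or medium and leaves the copied entries at "review" (the IE search bar host and the unqualified CTHELPER.EXE). Applied to the full log posted above, these rules produce nothing above "review" either: every O2, O20 and O23 entry resolves to a vendor path, and the only review items are the IE URL settings and the Run entries given as bare filenames (mstinit.exe, CTHELPER.EXE, nwiz.exe and the odd "1" under Yahoo! Pager). That matches where the thread ends up, with the periodic System-process load disappearing when the antivirus was uninstalled rather than when anything malicious was removed.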
