I'm having a problem with the process "System" taking up 100% cpu usage as soon as the computer turns on. This started happening a few days ago and not sure why. I have AVG 8.5 free i think and ran a full scan on it, Ad-Aware and Spybot search and destroy. Here's the log from Hijackthis if anyone can help me find the problem. I wanna say it has something to do with a Virtumonde virus or something. Read it makes a randomly named dll and runs or something. I would like to say it is the file "Rundll32.exe" that keeps poping up but I deleted the actual file and it keeps poping back up... Any ideas on how to fix this problem? Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:59:44 PM, on 3/29/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\libusbd-nt.exe C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\PROGRA~1\AVG\AVG8\avgnsx.exe C:\Program Files\AlienGUIse\wbload.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\System32\MsPMSPSv.exe C:\PROGRA~1\AVG\AVG8\avgemc.exe C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\VTTimer.exe C:\WINDOWS\AGRSMMSG.exe C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe C:\WINDOWS\ALCXMNTR.EXE C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe C:\Program Files\DAEMON Tools\daemon.exe C:\Program Files\Saitek\SD6\Software\ProfilerU.exe C:\Program Files\Saitek\SD6\Software\SaiMfd.exe C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\CursorXP\CursorXP.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe C:\Program Files\InterMute\PopSubtract\PopSub.exe C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe C:\Program Files\Trend Micro\Tmasy\Tmasy.exe C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\AVG\AVG8\aAvgApi.exe C:\Program Files\Mozilla Firefox 2 Beta 1\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost F2 - REG:system.ini: Shell=Explorer.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll O2 - BHO: (no name) - {510fdce3-d15b-4acf-aebf-a07392062d32} - C:\WINDOWS\system32\jigefuwi.dll O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O2 - BHO: AIMSite Class - {D70E6A20-7060-4829-B3D7-B6624A1DE7C6} - C:\Program Files\AIM Toolbar\aimhelper.dll (file missing) O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [DaemonTools_WhenUSaveNow_Installer] C:\Program Files\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt O4 - HKLM\..\Run: [NI.UGES_0002_N108M1607] "C:\Documents and Settings\Owner\Desktop\setup_en.exe" -nag O4 - HKLM\..\Run: [ProfilerU] C:\Program Files\Saitek\SD6\Software\ProfilerU.exe O4 - HKLM\..\Run: [SaiMfd] C:\Program Files\Saitek\SD6\Software\SaiMfd.exe O4 - HKLM\..\Run: [SaiVolume] C:\Program Files\Saitek\CyborgKeyboard\SaiVolume.exe O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe O4 - HKLM\..\Run: [tomevutuwo] Rundll32.exe "C:\WINDOWS\system32\pozogere.dll",s O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [1&1 EasyLogin] C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe O4 - HKUS\S-1-5-19\..\Run: [tomevutuwo] Rundll32.exe "C:\WINDOWS\system32\pozogere.dll",s (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [tomevutuwo] Rundll32.exe "C:\WINDOWS\system32\pozogere.dll",s (User 'NETWORK SERVICE') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe O4 - Startup: IMStart.lnk = C:\Program Files\InterMute\IMStart.exe O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe O4 - Global Startup: Fantastic Flame Agent.lnk = C:\Program Files\Fantastic Flame Screensaver\FantasticFlameAgent.exe O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: *.att.net O15 - Trusted Zone: http://*.att.net O15 - Trusted Zone: *.sbcglobal.net O15 - Trusted Zone: http://*.sbcglobal.net O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\vitasosu.dll c:\windows\system32\yuzeditu.dll O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe O23 - Service: LibUsb-Win32 - Daemon, Version 0.1.10.1 (libusbd) - http://libusb-win32.sourceforge.net - C:\WINDOWS\system32\libusbd-nt.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 10921 bytes also if there are ne programs I really should get rid of let me know ^^ Thanks in advanced for any info and/or help you may provide.
Sorry to double post but I think this is what I caught and wanted to throw this up for anyone with the same probelm.. hope it fixes mine ^^ "Win32/Virut.A infector: polymorphic Names,aliases: Win32/Virut.D (AhnLab-V3), W32/Virut.E (AntiVir), Win32.Virtob.2.Gen (BitDefender), W32.Virut.ci (ClamAV), Win32.Virut.5 (DrWeb), W32/Virut.E (Fortinet), Virus.Win32.Virut.e (F-Secure), Virus.Win32.Virut.d (Ikarus), Virus.Win32.Virut.e (Kaspersky), W32/Virut (McAfee), Virus:Win32/Virut.D (Microsoft), Win32/Virut (NOD32v2), W32/Virutas.G (Panda), W32/Vetor-A (Sophos), W32.Virut.B (Symantec), Win32.Virut.Gen (VirusBuster), Win32.Virut.E (Webwasher-Gateway) Behavior: Parasitic file infector of PE files with .EXE extension. Acts like an IRC bot, communicating on TCP port 65520, it opens channel #virtu on the proxim.ircgalaxy.pl IRC server. Its first step upon running is injecting the process (winlogon.exe), for this reason firewalls will not identify the virus. The virus will infect files on local and shared drives. It does not depend on usage of these files. Infected files are approx. 9kB longer, and will not keep the original timestamp, (the timestamp will change to the time when the virus was written into the file). The virus is activated in the "classical" way: HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\Run Note: the name of the infected file can be variable. It selects a name from the infected files in the folder %SystemRoot%\system32. It doesn't use any stealth or rootkit techniques for hiding infected files. It uses process injection technology, which provides good camouflage. There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus. Remover: Usage: Rmvirut (check and repair all accessible disk drives) Rmvirut C: (check and repair the entire C drive) Rmvirut C: D: (check and repair the C a D drives) Rmvirut C:\Windows (check and repair files in the C:\Windows folder) Rmvirut C:\Windows\explorer.exe (check and repair C:\Windows\explorer.exe) Remover features: - if AVG is installed, it correctly registers itself in the resident shield to avoid collision with it. - If it detects a locked file (unable to open), the remover arranges removal for immediately after booting the computer - when system files are not yet locked. - Files RMVIRUS.DOS and Rmvirus32.nt are part of the remover for repairing before booting Windows 98 or Windows 2000 - You must have administrator privileges to run the remover, the remover tests this at the beginning. - Repaired files are usually different to the originals, but they are working. - Due to the damaged caused to files by virut it's possible to find repaired but corrupted files. They became corrupted by the incorrect writing of the viral code during the process of infection. undetected, corrupted files (possibly still containing part of the viral code) can also be found. this is caused by incorrectly written and non-function viral code present in these files." this is from avgs site and there is the program to supposedly fix it... I'll post if it helps or not once I restart my computer. http://free.avg.com/virus-removal.ndi-67762
