OT: Do I have a virus or what?

smashguy37 wrote on 4/11/2008, 11:04 AM
This past weekend I dealt with the amvo.exe virus which managed to slip in while updating a firewall (I won't get in to it). I managed to get rid of it. Today is the first day I've really been on my computer because I've been busy with an awards show all week and I was preparing a project in DVDA and listening to some music on VLC media player and I noticed everything was really slow. My task manager showed 100% CPU usage and I did some poking around and I assumed it was this svchost.exe virus (the one that pretends to be svchost.exe, I know it's a legit Windows function).

I used SpySweeper and it detected nothing, but if I boot up my computer and do nothing but open up task manager first thing, my CPU usage shows 100% for a second, then drops to roughly 50% just sitting idle. If I'm doing some things like running Spyware stuff, it jumps around within seconds from the 90s, then 60s, then 80s, to 100, etc. I did a search and found a problem with this Windows Update thing and I downloaded Process Explorer and none of the svchost.exe's are really showing 100% usage or anything.

Here is a shot when my computer is completely idle, having been freshly booted up:
http://s5.photobucket.com/albums/y157/smashguy37/?action=view&current=taskmanager.jpg

At one point in the day I even got a blue screen of death indicating something about a memory dump while I was installing some more virus scanners. I have a basic image file of an early state of my computer saved on an external hard drive, but I'm not sure if I should just use the image file and go through the joy of re-installing everything or what. At this point it looks like my only option.

Any ideas?

By the way I'm running a 3GHz Pentium D with 2 gigs of RAM.

Comments

johnmeyer wrote on 4/11/2008, 12:14 PM
I don't see anything abnormal in your tasks.

There are various things I've read over the years about processes launched by the legitimate svchost.exe causing 100% CPU usage. Do a Google on "svchost cpu task manager" and you'll get this:

svchost problems

The blue screen, however, is abnormal for sure. I am sure that you are aware that virus scanners can cause your computer to slow to a crawl, so I would recommend temporarily disabling or uninstalling all the anti-virus and anti-spyware software you've installed. 90% of the time on client computers I "restore," this is the culprit.

Of course, some viruses are very resilient. If you know the date/time of your virus infection, you should do a search of your entire computer for all files modified or created at this time (make sure to enable searching for ALL files, which may require a registry hack, and also look for hidden files). This is how I track all virus infections on client computers. Most all the dirty work done by viruses happens within ten minutes of initial infection and installation.

You can usually use the date/times of the prefetch files, the files in the temp folder, and the creation dates of folders in the program folder to pretty much nail what went on.

Once you know the exact date/time of the infection, look in the WINDOWS\SYSTEM32 folder. What you will often find are files in the SYSTEM32 folder, dated within minutes of the infection, that are still hanging around doing bad things, even after your anti-virus software has supposedly eliminated things. These can be very difficult to deal with, because you also have to search in the registry for references to these files, and also for registry keys associated with these files that can be used to regenerate the virus.

While everyone has their own "workflow," I strongly recommend that everyone get rid of ALL anti-virus software (and anti-spyware software). Partition your hard drive so that only Windows and programs are on the C: drive, and all other files, including temp folder files and Internet temp files, are placed on some other drive. Then, do an image backup on a regular (every-few-days) basis of the C: drive. If something gets hosed, you can restore the image in about five minutes, and all your data is still intact. Up until six months ago, I had never had a virus, but I finally did get one. I was back up and running, totally virus free, in less than ten minutes, much less time than trying to run the virus removal tools.

I also recommend turning off ALL automatic updates. I haven't updated this computer in almost five years, and only updated some of my other computers because some piece of software I really needed refused to install without the updates.

All the automatic updating violates one of the most basic and oft-repeated rules:

If it ain't broke, don't fix it.
John_Cline wrote on 4/11/2008, 12:20 PM
"while I was installing some

Running more than one virus scanner is just asking for trouble. I had one client that was running AVG, McAfee and Zone Alarm's virus scanners and she couldn't figure out why her machine kept crashing.
smashguy37 wrote on 4/11/2008, 12:36 PM
I would shut my usual scanner down and try a new one. Some scanners pick up things other ones don't and I was trying to nail this thing, I wasn't running them all at once. I'm well aware of how they slow down systems, but my machine is normally quite speedy and I have no problems with it. SpySweeper has caught a couple of viruses since I've been using it.

I'm really not sure the exact time it hit, but I don't want to go into WINDOWS/system32 and start deleting things. I have come across that page you posted, but everything I've found on the net so far has got me nowhere. My computer seems to be running normally now, but I don't know how it'll react when I start running a couple of larger programs. I'll try to check this weekend.

Though my task manager looks normal, does the CPU usage seem quite high for my computer just sitting idle? The numbers don't seem to add up.
riredale wrote on 4/12/2008, 9:49 AM
This won't help you now, but I would strongly suggest that you begin a regimen of partition imaging on a periodic basis. I say this based on my own experience of sometimes getting myself into a hole I just simply couldn't get out of, whether it was a virus or some weird interaction between programs that I could not resolve. In such a situation I made a final image of the sick system, went back to a known good image, and then transferred over to the new image the current data from the sick image. In other words I was able to bring the old image up to the present by copying a couple of items such as the "Documents and Settings" folder.

Since I am a tinkerer I seem to get myself in such a situation about every 6 months. After backtracking and updating, everything is fine again.

I'd recommend Acronis for the imaging function, but there are other equally-suitable utilities out there.
smashguy37 wrote on 5/16/2008, 3:04 PM
I'm still having this problem. I recently moved and have been without the net for about 2 weeks. I can turn on my computer, have nothing running and have task manager and this Task Info 2003 program showing 53% CPU usage, which is a lot for sitting idle. It still bounces around a lot too, jumping from 100, to 60, 50, etc. back and forth.

My computer seems to be running at a fine speed, but it also seems to get unnecessarily hot from sitting idle, but I'm not sure if my computer working harder by sitting idle is putting off more heat. I need a new PSU anyway, but still. Process Explorer seems to show proper CPU usage, but I'm still at a loss as to why Task Manager and Task Info 2003 show high levels.

There doesn't seem to be any sort of rogue process either that is eating up CPU. I have an image file of an early state of my computer, but I'm not in the mood (whoever is?) to go through re-installations of all my software, so I just want to see if there is anything else I can try. Thanks.
johnmeyer wrote on 5/16/2008, 3:46 PM
In addition to what I recommended doing in my earlier post last month, you should fire up MSCONFIG and turn off ALL startup programs. You can also turn off all non-Microsoft startup processes, but I'd do that after you see the effect of turning off the startup programs. After you've made the changes, you have to re-boot to see the effect. If things are better, great. If they are worse, you can simply re-run MSCONFIG and re-enable whatever you've turned off.
smashguy37 wrote on 5/16/2008, 4:46 PM
Sorry John, I must've missed that part of your last post.

Thanks a lot though, I turned off all my startups and now I'm back down to regular CPU usage levels, which is awesome. Question though, one of my startup items was something I was unsure of -- it's a svchost, but it says it's located somewhere in my Documents in some sort of Temp folder (i.e. C:\DOCME~1\ETC~1\LOCALS~1\Temp\svhcost.exe)

Does that sound like a legit Windows function, or something disguising itself? I'll run some tests later on, but thanks a million.
John_Cline wrote on 5/16/2008, 4:55 PM
SVCHOST.EXE is a legitimate Windows service, but NOT when running from a temp folder. Highly suspicious!
johnmeyer wrote on 5/16/2008, 7:22 PM
I second what John said. Nothing should be running from your TEMP folder. If you have any anti-virus software, have it scan that one file. I think there may also be online sites where you can submit individual files for scrutiny (or, if you have a Yahoo account, just email it to yourself as an attachment and then have Yahoo scan it for you).
MarkWWW wrote on 5/17/2008, 4:53 AM
C:\DOCME~1\ETC~1\LOCALS~1\Temp\svhcost.exe is definitely a wrong 'un on at least two obvious counts.

1. Nothing that is a normal part of a Windows installation would be running from a directory called "temp".

2. The filename SVHCOST is attempting to disguise whatever this actually is as a legitimate part of Windows called SVCHOST (a host program for services - typically you will have a number of legitimate instances of this running on your system). It relies on you not noticing that the letters V, H and C in the filename are in the wrong order.

Mark
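A small check, added here and not part of the thread, that encodes Mark's two tests (a system binary name loaded from an untrusted location, and a letter-transposed lookalike name) against a constructed listing modelled on the paths in this thread. The set of known system binaries and the trusted directories are assumptions for a default XP install, not anything the thread states.

```python
"""Flag startup/process paths that imitate Windows system binaries."""
import ntpath

# Assumption: a short list of well-known hosts; a real check would use a fuller list.
KNOWN_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
# Assumption: directories these binaries are legitimately loaded from on a default install.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows"}


def osa_distance(a, b):
    """Optimal string alignment distance: single edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # svhcost vs svchost: the c/h swap is one transposition, not two substitutions
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(path):
    """Return a reason string if the path looks suspicious, else None."""
    directory, name = ntpath.split(path.lower())
    if name in KNOWN_SYSTEM_BINARIES:
        # Mark's first test: the real name, but not from where Windows keeps it
        return None if directory in TRUSTED_DIRS else "system binary name outside a trusted directory"
    for known in KNOWN_SYSTEM_BINARIES:
        # Mark's second test: one transposition/edit away from a system binary name
        if osa_distance(name, known) == 1:
            return "lookalike of " + known
    return None


# Constructed listing: one genuine entry, the two Temp-folder variants from the thread, one unrelated program.
SAMPLE_ENTRIES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\DOCME~1\ETC~1\LOCALS~1\Temp\svchost.exe",
    r"C:\DOCME~1\ETC~1\LOCALS~1\Temp\svhcost.exe",
    r"C:\Program Files\VideoLAN\VLC\vlc.exe",
]


def findings(entries=SAMPLE_ENTRIES):
    """Return (path, reason) for every entry that trips one of the checks."""
    return [(e, classify(e)) for e in entries if classify(e) is not None]
```

A path-based check like this is only a first filter; the file's publisher signature and its on-disk hash are what settle whether it is the genuine binary.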
smashguy37 wrote on 5/17/2008, 8:27 AM
Of course. It was actually labelled "svchost.exe" and not "svhcost.exe", that was just a typo on my part. I've done many searches, but I can't seem to find this file. I downloaded a program to remove entries from my startup list (since I had 90% of them unchecked and unused), and it gave me an address for this svchost, but nothing happens in my Explorer when I enter it.

I use Spy Sweeper and CCleaner and they can't find it. I'm not sure if it's going to cause any problems still, if it's still on my system, but everything seems to be 100% now.
John_Cline wrote on 5/17/2008, 9:54 AM
In the menu bar in Windows Explorer, go to "Tools" > "Folder Options" > "View" and make sure "Show Hidden Files and Folders" is checked and "Hide Protected Operating System Files" is not checked.
smashguy37 wrote on 5/17/2008, 1:01 PM
The "Hide Protected Operating System Files" option did the trick, thanks. I located it but Windows wouldn't let me delete it, so I booted up in safe mode and removed it and it seems to be gone for good.