Any ideas on what's going with my buddy's computer (virus, etc...?)

[Booty]

He's running XP Home. When he starts his system, for one, it takes *forever* to boot... once it's in Windows, well, it doesn't quite get there... he gets his background and nothing else, no shortcuts, no taskbar, etc... anyway, when you check the running processes, explorer.exe has the cpu pinned at like 95-99%. At one point it did the whole NT Authority system shutdown thing, so I immediately went out and grabbed the blaster removal tool and ran it in safe mode (which, by the way, boots fine). Well, it didn't find blaster, so I rebooted from CD and scanned with Norton 2004, which also came up clean. I went back into safe mode and installed/scanned with ad-aware, which found some junk, but nothing out of the ordinary (I've yet to run across a PC without some adware). I used msconfig to disable a bunch of startup crap, but that didn't seem to do anything. So, at this point, I'm not sure what to do next. Here's a list of his running processes when we're at the semi-booted stage:

explorer.exe
fast.exe - this one looks unfamiliar...?
scvhost.exe ( 6 of these )
alg.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
taskmgr.exe
smss.exe
system
system idle process (duh )

Any of these look like something someone recognizes?

 

[Booty]

Oh btw, if I leave it sit long enough now it'll bluescreen on me... I'm going to follow that and see where it leads me. Don't know why he'd have hardware/driver issues all the sudden, but I'm gonna check it out...

 

[johnjkr1]

If it works ok in safe mode, its probably not hardware related....maybe its time for a format?

 

[amdskip]

I've seen a virus that attaches itself to the svchost process and takes like all of the cpu cycles. It was on an older machine and there was nothing important there so just ended up formatting it.

 

[Hubris]

sVChost is fine, but if you see sCVhost, then you've got gaobot. It's clever by looking like svchost, but it switches the two letters. Look closely at all the instances, and kill any sCVhost running. Also, if you do see a SCV one, open up Services and look for config loader. Also look for config loader in the registry under run and run services. That's where Gaobot hides, and sometimes Norton doesn't find it.

Best thing to do if it starts in Safe Mode is to do Safe Mode with networking and update Norton, then run a full system scan. Course, that won't work if you can't get into normal mode cause you can't install Norton in Safe Mode (Unless you can with the later version, I dunno).

But definitely look for the scvhost.

 

[goshawk066]

one thing you could try is hook the drive up as a slave to a good computer (working fine) and run a scan on the drive that way with the updated version of norton. just because its on the cd doesnt mean that its updated.

if it works fine in safemode then you might want to try removine applications and possibly try reinstalling hardware. Did you add/change something recently?

Might also want to check network traffic to see if it is trying to use explorer.exe to flood network traffic which can lockup the machine.

 

[PopPop77]

Originally posted by: Hubris
sVChost is fine, but if you see sCVhost, then you've got gaobot. It's clever by looking like svchost, but it switches the two letters. Look closely at all the instances, and kill any sCVhost running. Also, if you do see a SCV one, open up Services and look for config loader. Also look for config loader in the registry under run and run services. That's where Gaobot hides, and sometimes Norton doesn't find it.

Best thing to do if it starts in Safe Mode is to do Safe Mode with networking and update Norton, then run a full system scan. Course, that won't work if you can't get into normal mode cause you can't install Norton in Safe Mode (Unless you can with the later version, I dunno).

But definitely look for the scvhost.

Thank You for posting about this Virus! I was trying to get a friends computer going and this is the second virus he had on it and thanks to this forum I found it. Had me stumped for a day. Couldn't load any new virus programs and the old virus program was out of date. Thanks again

 

[OZEE]

Originally posted by: PopPop77

Originally posted by: Hubris
the old virus program was out of date. Thanks again

hmmm -- imagine that...

I worked on a computer the other day that was full of viruses and hijacks... They were running Norton AV -- Dated 1999 and NEVER updated. After I got it cleaned up, I installed AVG.

And when you can't get an AV to install or when a computer is really bad - I always use housecall - it's free and always up-to-date. It's always a good starting point for a case like yours.