Odd Possible Virus

[thegamefreak0134]

On our network, we have a major issue running rampant on the school. None of the admins can figure out what it is, but when it infects (I hate that term) a computer, it effectively slows it down to about 1/4 the speed. The odd thing is that there is no program in the processes window that shows having enough CPU usage to cause such a slow down. It appears to be a computer thing and not a network thing, because it only affects like half of the computers.

This program also is apparently causing the computers to re-start completely randomly. (I mean like, the screen goes black, not windows is shutting down.) I learned this as the one next to me (and about every other computer in the room except this one) did it whilst I was typing this.

We've never had this kind of issue before, and we're all totally stumped. Have any of you seen something like this? What do you recommend for a scanner that might pick it up? (We have sophos, but that is crap apparently...)

Help... Screen Fading...

-thegamefreak

[CompWiz]

hmm, are your space-heater P4's getting too hot and throttling themselves? Perhaps it gets so bad they shut themselves off or somehow it affects the graphics. Throttling would explain the slowdown, but not really the screens going black. Check to see if the cpu heasinks are full of dust.

[Arcane WIzard]

Reboots could be kernal panic (check error logs).

[thegamefreak0134]

I don't think it's a hardware issue of any kind, because that wouldn't explain almost an entire room doing it at the same time... Plus, I'm pretty sure these computers (desktops) don't have an overheat feature of that sort. They are not-very-new dell machines, but they work alright. The network admin is screaming "hardware issue" down our throats, but we've been having virus issues and since we have clean slate (a security program that prevents hard-drive changes of any kind, sort of) installed, the drivers shouldn't be changing at all, which is what I thought caused hardware issues in the first place.

I realize I can't really give you a lot of information, since we are in the dark ourselves. Is there something I can use that will provide a little more info you can work with?

-gamefreak

[Shadow Phoenix]

hijack this?

[Arcane WIzard]

eventvwr.msc /s

See what is has to say.

[thegamefreak0134]

Tried both. The logs in the second (thanks for this tip Arcanine, it will be usefull elsewhere) show the same thing after a reboot, which leads me to believe that clean-slate is restoring the logs as well. Kinda defeats the purpose of a log, but oh well. I'm relatively certain it is a network virus, or something on the server, but I don't have the admin rights to perform such a scan. I say this because it keeps jumping around from machine to machine with no noticeable pattern. I'll see if I can get our admins to do something on their end.

Thanks for the suggestions guys, and if you have any other thoughts please share. This is particularly frustrating...

-gamefreak

[Arcane WIzard]

Disconnect one clean system and see if it still get's infected?

I don't know much about network infections (scan the server?).

Maybe there are unix network daemons that'll scan network traffic for bugs. idk

[thegamefreak0134]

Ha Ha! Found it! there were actually two causes. One was a keylogger (nasty thing I'll figure out how to actually remove later) that can effectively be disabled in the services window since that's how it manifests itself. This was taking up about 98% of the computer's CPU time, causing the major slow-down-age.

The other was none other than our friendly culprit: Windows Automaic Updates. Turns out that by updating to the newest version of clean slate, (security program, remember?) it will allow the updates to stay put. For some reason, the updates were starting up for our users that did not have access to the desktop, and since they effectively hide away in svchost I was not realizing that that was what it was. The keylogger was a bit of a problem though, and I'll have to find a computer that has it again to ask how to make it go away,seeing as how I can't remember the name of the service off the top of my head.

-gamefreak

[leofox]

I don't think it's a hardware issue of any kind, because that wouldn't explain almost an entire room doing it at the same time...

If the entire room is dusty and too hot.... You do the math.

[Patori]

Ha Ha! Found it! there were actually two causes. One was a keylogger (nasty thing I'll figure out how to actually remove later)
-gamefreak

I hate keyloggers.

[Arcane WIzard]

How did you find them?

[benryves]

I've just installed XP Home + SP2 on a laptop, and as soon as I visited Windows Updates and installed the new ActiveX controls to run it, the computer slowed to a complete crawl. Not a "quarter" - as in, applications would never appear to start, as one instance of svchost.exe was constantly running at 99%. The particular problem service was Windows Management Instrumentation, according to Process Explorer. Thank goodness for System Restore, eh?

http://forums.microsoft.com/Genuine/Sho ... tID=732908

It's not a rare problem, it would appear. Very, very odd.

Strangely enough, it only affected that one machine. All the other XP machines are still running perfectly happily.

Are you running IE7 or an older version?

[Arcane WIzard]

People sometimes ask me why I still use SP1.

Original Install Date: 6-12-2005, 23:20:33
System Up Time: 20 Days, 20 Hours, 17 Minutes, 22 Seconds

It's in use 20/7 as a desktop for games, video, music, scripting, design, chatting and downloading, and 24/7 as an apache2 webserver w/ mysql.

It's my laptop.

[benryves]

People sometimes ask me why I still use SP1.

SP2 isn't the issue. I don't have any machines not running SP2, and they all run fine. It's just when I run the web-based Windows Update on the laptop, it installs something that knackers the machine. Without whatever-it-is-that-it's-trying-to-install, it runs perfectly.