Posted 26 June 2011 - 02:46 PM
I've got something screwy going on with my home WinXP box, and I'm hoping someone here can point me in the direction of a solution to the problem.
I'm running XP Home, Service Pack 2, on a machine with (according to the properties tag) 960MB RAM. I've been running Avast antivirus, and allowing it to update definitions automatically. At the time this incident happened, the most recent update it had acquired was from yesterday morning.
There was a power outage at my house yesterday morning, lasting for ~2 minutes. I powered the system back on after that, and everything appeared to be working; I mention this merely for completeness of information.
The first symptom of my problem occured yesterday afternoon. I heard the little 'ding' sound made by a download finishing, during a time where I had no downloads running, and within a few minutes of this, my system seemed to grind to a halt. Anything I already had running would continue to work, but I couldn't open anything new, including the windows task manager, nor could I get new pages to load in the copy of Firefox I was running. I was planning to visit my parents' house at that point, so I powered the system down and took it with me. I had to manually power the system down (done via the on/off switch just above the power cable socket); the attempt to shut the system down fell victim to the same halt as everything else.
For the record, I may have had Spider Solitare up when I heard the ding, and I had know that I had Firefox up with multiple tabs - one to a deep archive page (~200-250 pages deep) of the website 'notalwaysright.com', a page from the Internet Archive Wayback Machine - circa May 2007 - for a site called Phylomortis.com, a Youtube page, and several pages either from the website EquestriaDaily.com or from Google Docs with fanfiction linked from said site. I had previously had some deviantart pages linked from said site up as well, but do not recall any of those being up at the time the problem began. Finally, I may have had a tab open to the website rpgmaker.net. The notalwaysright and wayback machine pages had been up for several days at that point, and I regularly visit rpgmaker.net and have as yet had no problems I can trace back to it.
In my own home network, this machine is plugged via Cat5 ethernet cable directly into the router/modem. At my parents' house, it connects to their wireless network using a linksys wireless adaptor. I mention this because of the change in behavior evident in shifting between the two; I do not know that it is connected in any way to my problems, but wish to include it for completeness while describing the issue.
After arriving at my parents' house, I reconnected the cables and powered the machine back on. After the desktop came up, within a few minutes I received a message from Avast saying it had detected a threat. The exact message was:
avast! Network Shield has blocked a harmful site.
Object: 220.127.116.11/?9sb5S6BP7DgMBIMkZpMDMcolZy8e06D9Zieov4KAEW7 (Personal note: The actual object extended beyond the range of the message block.)
It should be noted that the original symptom, system slowdown, is probably also connected to this - after finally managing to get the task manager up (by restarting the system and popping it as soon as I could), I noted a copy of svchost.exe, listed as being owned by SYSTEM, that eventually hit 50% of the system's CPU usage, and ranged from thereabouts to a high of 99% CPU usage. I manually killed this copy of svchost with the task manager - the WinXP style for the taskbar and window borders briefly changed to the style I recall from Win98 before reverting to normal. It didn't seem to help; another copy of svchost ended up spawning and doing the same thing.
I ended up running a system scan after that, using Avast's quickscan option. During the scan, the Network Shield came up with that same message. That, in fact, is the problem I'm having - the scan did discover a few things, and I duly had them moved to the chest, then scheduled a boot scan and restarted the system, telling Avast to move anything suspicious into the chest. As by this point it was getting late, I went to bed. I was woken up at a few minutes after 11 by the same 'threat has been detected' message blaring over my speakers, with the same message popping up. A full system scan revealed no apparent malware (no files listed as infected), but that same message kept popping up at 3-7 minute intervals between repititions. Exact same message - I'd done a screenshot of one of the early ones, and was able to compare against each new repitition. Eventually I got tired of fighting it and powered the system back off.
Before I powered off the system, I did trigger task manager, and recorded the following list of processes running on it:
svchost.exe (multiple copies, variously owned by three things: Network Service, System, and Local Service)
System Idle Process
wuauclt.exe (owned by SYSTEM)
wuauclt.exe (owned by Owner)
I tried to track down a few of those that I didn't recognize via google search. I believe (but do not know) that my system may also have some kind of redirector on it, as the first one I tried, ViewpointService.exe, brought up a page of google links, but clicking on the link shown for bleepingcomputer.com ended up redirecting to another page. I did end up going to the bleepingcomputer.com website directly, and attempting to look over some of those, but of those I looked at, the only one I can recall that the site thought might be malware was jusched.exe, which it recommended removing from the system startup. I'm currently working on trying to figure out how to do this. I'm uncertain as to whether or not it will help - I did kill that process via the task manager, only to have the Avast message continue to pop up. I'm not sure that's the real problem here anyway; the copy I have is in the directory marked as 'Valid, but unneccessary', and there is not a copy in either the Windows directory or the System32 directory marked as target locations for the malware versions.
I'm currently sitting at work, with my home box up in place of my work devbox so I can type this on a good system (my work laptop). I've physically removed the Linksys Wireless card from the box, and ensured that there was no ethernet cable plugged into my home machine, so as to ensure that I didn't spread whatever it is that's causing the problem. I don't have speakers here, so it's possible I've missed something, but I don't recall having seen the avast message pop up while I've been here. (Going on almost two hours now.) While it's possible that my system has simply finally fought off whatever the problem was, I find it more likely that either the unknown problem process, or else Avast's attempts to block the process, require an active network connection.
Does anyone have any suggestions as to what my problem might be, or advice on where I can check to more clearly determine this? I would be very appreciative of either such.