Mystery running processes

Doug

Here is a little background first.

I have a PC running XP pro, with 256 meg ram it runs through a router to a
DSL connection. It is part of a workgroup which accesses SABRE travel host.
All updates have been done via Windows update. About a week ago, it began
running VERRRRRY slow. I checked the antivirus software and it was way out
of date, so I installed a fresh copy of Norton AV pro 2004. Ran all
liveupdates and scanned drive. No virus found. Ran ADAWARE SE. Found a bunch
of things, cleaned them and rebooted. No change. Then I tried SpyBot S&D
thinking maybe ADAWARE missed something. I had heard of this happening.
Found a few items, but nothing big, and no change.

So......................... I do a Ctrl/Alt/Del and look at running
Processes. I see that there are two files running up a HUGE CPU count (up
and down up to 92, and back down to 2) Memory usage is very high as well
sometimes up to 120meg!!!! These files are called FAXINFO.exe, and
SVCMSVC.exe. I try to delete (end) the running process, and it goes away for
a second, then pops right back up!?!?.

I look for the files doing a search within XP, and see they are in the
Prefetch folder. (I do a little research to see what this is, and find out
it is a type of Cache) I clean out the folder per MS KB article, and reboot
thinking this will fix it. NO LUCK!!! In fact they are there again as a
running process.

Do a search on the drive again, and the only place these files are found are
in this Prefetch folder. WHAT ARE THEY??? I still cannot end the process for
more than 2 seconds before it pops up again.

Now, last night I noticed something even more odd. When they are both on the
running process list (FAXINFO.exe, and SVCMSVC.exe) only one of them really
is eating up the CPU and Memory usage. but I still can't stop it from
running.

Is this a virus? Spyware? I have no clue why they are running in the
background when I can't even find an associated program with those exe
commands.

HELP!!!!! I really don't want to wipe the drive clean and start from
scratch.



*************Oh yea, I am curious also. If I identify this issue as a virus
or spyware, and run a system restore, back say 6 months or so, will it delete
it and fix those issues? Or no? In fact just as a general question,
and not just for this issue, but across the board????****************


Thanks! I am pulling what is left of my hair out.

Doug douggeri @ Hot mail. c o m
 
Wesley Vogel

Neither file is an XP file.

The only thing I could find on faxinfo.exe was this...

C:\WINDOWS\addins\faxinfo.exe

Nothing found on SVCMSVC.exe.

This may indicate that they are spyware or virii.

If they keep reappearing in the Prefetch folder, they do, indeed exist on
your machine.

HOW TO: Search For Hidden Or System Files In Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;302347
 
Doug

I did a search for both files (have to check on hidden files though) and it
only came up in prefetch dir. I agree, if it shows up there it's gotta be
somewhere else on the drive. Hmmmmmmm....

I looked in my work PC in the folder you saw FAXINFO @ but there was no such
file??

Anyone know about this/these files?? Also how about the restore question?
Just curious if it will get rid of viruses, or not help in those situations.

Thanks
 
Wesley Vogel

Doug,

Are faxinfo.exe & SVCMSVC.exe still showing up in Task Manager?

If so...

Download, install, run, update and run again; one or all. They are all
good, FREE utilities. Make sure you update every program, even if you
just downloaded it. You must have the latest updates. Without updates,
you have a gun without ammo. You also need to use more than one
anti scumware program. One program will *not* catch everything.

1) CWShredder ver. 1.59 direct download:
http://www.merijn.org/files/cwshredder.zip

1a) CWShredder ver. 2.0 direct download:
http://www.aumha.org/downloads/cwshredder.zip

2) SpywareBlaster
[[SpywareBlaster doesn't scan and clean for spyware - it prevents it from
ever being installed.
The most important step you can take is to secure your system. And
SpywareBlaster is the most powerful protection program available.]]
http://www.javacoolsoftware.com/spywareblaster.html

3) Spybot S & D (More for the advanced user)
http://www.safer-networking.org/index.php?lang=en&page=download

4) HijackThis (some other stuff that may be of interest also)
http://www.spywareinfo.com/~merijn/downloads.html

4a) HijackThis (direct download)
http://aumha.org/downloads/hijackthis.zip

5) Bazooka Adware and Spyware Scanner v1.13
http://www.kephyr.com/spywarescanner/index.html?source=appvisit

6) ToolbarCop
http://www.mvps.org/sramesh2k/toolbarcop.htm

7) Ad-aware SE Personal
http://www.lavasoft.de/support/download/

=====

HijackThis log tutorial
http://www.spywareinfo.com/~merijn/htlogtutorial.html

HijackThis Log Tutorial
http://www.aumha.org/a/hjttutor.htm

How to use HijackThis to remove Browser Hijackers & Spyware
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#warning

How To Install Spybot Search and Destroy & a brief tutorial
http://tomcoyote.com/SPYBOT/index1.php

HOW TO: Reconfigure Ad-aware for a Full Scan
http://forum.aumha.org/viewtopic.php?t=5877
 
Doug

Well, after a SH&#LOAD of time spent trying to track this down, I believe I
found it. Here are the steps I took and what I found. In case anyone comes
up with similar problems.



On the suggestion of another board I did the steps contained in
http://aumha.org/a/quickfix.php



Cwshredder found two violators and removed them one was cws.jksearch and
the other was cws.hiddenDll Figuring this might have been it, I rebooted
but it was still slow. Hmmmmmmmmm Tried ADAWARE, it found a few new ones
it called it “malware” virumonde ?? So…… DELETE!



Then viruscan both Norton and PANDA online. None found. So last thing to
try, on the suggestion of Steve @FZ1OA.com , I booted again in SAFE MODE,
and I looked into the registry and did a “find” on FAXINFO.EXE, as well as
the other culprit SVCMSVC.EXE they were BOTH found in the
HKEY_LocalMachine\software\microsoft\windows\currentversion\run area.



One has the value attached to it C:\windows\tasks\faxinfo.exe and the other
has a value of c:\windows\driver cache\svcmsvc.exe



I looked to both areas that the string was pointing to, and there was
nothing there even CLOSE to those keys or targets. SO……..I deleted them.
(hold breath) Wrote down how to get em back of course. :)



Did a reboot, and whaddya know?! It seems to be gone. Having done so many
steps I am not 100% sure what the ultimate fix was, but Thanks to everyone
that helped!



Some of these viruses are pesky bastards!



Doug




Wesley Vogel said:
--
Hope this helps. Let us know.
Wes

In
Doug said:
I did a search after "showing hidden files" as well.
No luck.

Any ideas??
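
An added example, not part of the original thread: a Python sketch of the check that finally located the entries, run over saved output of `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"`. The value names, the ExampleTray line, the odd-folder list and the simulated disk are assumptions made for illustration; only the two file paths come from the post.

```python
import ntpath
import os
import re

# Constructed sample of saved `reg query` output for the HKLM Run key. The
# faxinfo and svcmsvc data strings are the ones quoted in the post; the value
# names and the ExampleTray line are made up for illustration.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    faxinfo    REG_SZ    C:\windows\tasks\faxinfo.exe
    svcmsvc    REG_SZ    c:\windows\driver cache\svcmsvc.exe
'''

# Assumption: folders named in the thread that should not hold autostart programs.
ODD_DIRS = (r"\windows\tasks", r"\windows\driver cache", r"\windows\addins")
ENTRY = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
EXE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)

def target_path(command):
    """Pull the program path out of a Run value, quoted or not, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE.match(command)  # unquoted paths may contain spaces ("driver cache")
    return m.group(1) if m else command.split(" ", 1)[0]

def parse_run_values(text):
    """Return (value name, program path) for every value line in the output."""
    return [(m["name"], target_path(m["data"]))
            for m in map(ENTRY.match, text.splitlines()) if m]

def review(text, exists=os.path.exists):
    """Flag autostart values that deserve a closer look, with the reasons."""
    findings = []
    for name, path in parse_run_values(text):
        reasons = []
        if ntpath.normcase(ntpath.dirname(path)).endswith(ODD_DIRS):
            reasons.append("starts from a folder that normally holds no programs")
        if not exists(path):
            reasons.append("target not visible on disk (hidden or already removed)")
        if reasons:
            findings.append((name, path, reasons))
    return findings

if __name__ == "__main__":
    # Simulated disk for the sample: only files under Program Files "exist".
    on_disk = lambda p: p.lower().startswith("c:\\program files")
    for name, path, reasons in review(SAMPLE, exists=on_disk):
        print(f"{name}: {path}\n  - " + "\n  - ".join(reasons))
```

On a live machine, call `review()` with the default `exists` so the target check uses the real file system.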
 
Wesley Vogel

Doug,

Glad you got it sorted out and that you let us know.

Keep having fun! :)

--
Hope this helps. Let us know.
Wes

 
