Suddenly Very Slow Response

Marvin L. Zinn

I have a new problem with an HP Pavilion running XP
home which I no doubt caused somehow.

Here is what I did:

I was trying to write a folder to a CD. The first
step the program takes when I select the folder and
"Send to Drive D" (or something like that) is
apparently to copy the files into a buffer area from
which I select "Write to CD". In this buffer area, I
noted some files which I really did not want to
include, so I began to delete them. When I came to a
file labeled "lbrdll.doc" (not sure the exact name) I
noticed that in spite of the ".doc" suffix, it had a
command prompt icon. Since this was a folder containing
mail downloads, I considered it could be a virus and
tried to delete it. It would not delete, so I went to
properties to try to find out why. Somewhere in
properties/advanced I did something that made the CD-RW
window close, and everything on the computer became
extremely slow.

Next I powered down the computer (after being
unable to do anything else for about ten minutes). It
came up very slow, but I waited perhaps an hour until I
could get into the original folder where this file
resided and did a virus check on the entire folder with
McAfee, just updated last night. No virus was found,
and I deleted the file from there with no problem.

I restarted again, and response is still very slow,
but improves over time to perhaps 25% of normal speed.
Task manager shows normal cpu usage (0-10% most of the
time, but sometimes spiking to 100%), system idle runs
about 30-70%, and during startup the only significant
task time is for svchost.exe. BOTH TIMES I RESTARTED,
XP FOUND IT NECESSARY TO INCREASE THE PAGEFILE SIZE.
The first time it went to about 1340MB, and the second
time to 943MB.

There have been other errors and symptoms which
unfortunately I did not write down. Basically after the
system has been up for 30 minutes or so, everything
seems almost normal, only slower.

I hope someone can give me some direction to
getting my computer back to normal without losing any
recent work.

Thanx,


Marvin L. Zinn
(e-mail address removed)
Using Virtual Access
Windows 2000 build 2600
 
Marvin L. Zinn

Yoe,

> Do you have any Virtual hard drives?
> With most CD Writer programs they come with Virtual hard drive software built in.

I don't think so. Nothing shows up in My Computer
but the two physical drives, each of which has multiple
partitions. There is also the HP Recovery disc, but I
think that physically resides on the C: drive.

> If so did you copy those files to the Virtual hard
> drive by accident instead of the CDR
> directly?

I just used the "Send to" command. This seems to
copy the files to some sort of buffer, and from there
it goes to the CD upon command. But that area (where I
normally view the files that were ready to be copied)
is blank. However, it was full of long files when the
problem developed and I had to power down, so I am
thinking they may still be there taking up space, but
invisible to the file system. A defrag might take care
of that.

> Is your hard drive maxed out now?

All partitions are less than half full except for
the HP recovery partition which cannot be resized by
Partition Magic. I have several GIGS free on each
partition.

> Check this article for the svchost.exe.
> Microsoft Knowledge Base Article - 250320

This tells me to do the following:

1. Click Start on the Windows taskbar, and then
click Run.
2. In the Open box, type CMD, and then press ENTER.
3. Type Tasklist /SVC, and then press ENTER.

The result is an error message:

Windows cannot find 'Tasklist' . . . .

Search also found nothing on the C: drive with
that string.

I am going to do a defrag, then see whether I can
find TASKLIST on the Microsoft web site somewhere that
I might be able to download.

Thanks for your ideas.

marvin
Marvin L. Zinn
(e-mail address removed)
Using Virtual Access
Windows 2000 build 2600
 
Guest

Hi

From what you tell, it is sure that the file mentioned was a virus. You should definitely do a thorough check on your system, perhaps by using some of the online scanning tools.

And you should go to folder options and untick the "hide known file extensions" options. That way you would see that some files have double extensions like dfsfs.doc.pif. Easier to recognize virii that way.

No idea if your current problems are related to this virus at all.

Teemu
 
Marvin L. Zinn

Teemu,

> And you should go to folder options and untick the "hide known file extensions" options. That way you would see that some files have double extensions like dfsfs.doc.pif. Easier to recognize virii that way.

That is what was so puzzling. I am NOT hiding file extensions,
and I did NOT open the file, only went to properties and clicked the
"Advanced" button. I agree it acted like some sort of virus, but a
strange one indeed, and one not detected by the latest McAfee DAT file.

Now I have basically a stable to repeatable pattern. It is still
very slow, and I get a lot of errors on startup pertaining to svchost.exe.
Otherwise everything seems to work.

I plan to go to HP tech support next, and if that fails I'll have to
decide whether to restore from a previous date, or pay Microsoft $35.

marvin
Marvin L. Zinn
(e-mail address removed)
Using Virtual Access
Windows 2000 build 2600
 
Marvin L. Zinn

My computer is now fixed. Following is a summary of all
that transpired. It was a good education for me to know
that a virus can actually be activated by attempting to
delete the attachment that contains it!

------------------------------------------------------

Virus experience - When everything I could think of to
do was not enough:

Preparation: I have always been judicious about
protecting my computer against virus attacks. I keep my
McAfee anti-virus program up to date and run full scans
periodically. Every couple weeks and as soon as a known
problem is reported I apply any available security
patches. I use Mail-Washer to delete suspicious mail
prior to downloading. Instead of Microsoft products, I
collect mail and news with Virtual Access, which stores
attachments in an isolated folder which I then review
and delete anything suspicious prior to opening. I felt
very secure about these actions until last week.

Deleting a file may not help: Last week I discovered a
file with a name something like "lbrdll.doc" in my mail
download folder that looked very suspicious. (Folder
view is set to NOT hide suffixes.) Since this
appeared as a doc file, I was tempted to open it to see
what it was, but noticed it had a Command Prompt icon!
Therefore I chose to delete this file. But it would not
delete! So I opened properties to see if I could figure
out what might be done to get rid of it (short of
opening DOS). As soon as I clicked on the Advanced tab,
the screen flashed blank and every action on the
computer became extremely slow. A restart took about an
hour, and did nothing to correct the problem. I found
another instance of the same file, and this one deleted
successfully, but the deletion gave me the same
indications as for the first. Looking more deeply, I
discovered that there were multiple svchost services
running all the time, and occasionally SMSSxx.exe
taking up to 99% of the CPU time. I ran my McAfee
Anti-virus program again, it detected nothing!

Second attack: In my discussion with "HP Instant
Support", I had to do a lot of things unrelated to the
problem in order to convince them that I was willing to
follow directions. One of these things was to increase
the pagefile size. At the same time they had me turn
off anti-virus. This was in an attempt to make the
computer run faster on startup. After I did this, the
problem got much worse, but I discovered later this was
not related to the pagefile size, but rather to another
virus that I got into my computer while I was using
this service! (The fifth person I spoke with was
leading in the right direction, but recommended removal
of the virus "Backdoor.egghead". There were no traces
of that virus in my computer.) I cannot say for sure
that this new virus came from the HP chat, which I
think uses ICQ, but I had done nothing else on the
internet during that time. It could have come in
through a security flaw in IE unrelated to the site I
was using to contact HP.

Comparing Anti-virus programs: When I reactivated
McAfee, it detected the second virus as "exploit-code
base", and offered no repair. It still failed to detect
the first virus. Later, a free trial of Norton
(www.sarc.com) found "W32.torvil.B@mm" seen in
WINDOWS/SYSTEM32 as multiple versions of "SMSSxx",
"SPOOLxx", and a corrupted Svhost, and the second virus
"trojan.sefex" buried in several files in the folder
containing the Control Panel programs. (Apparently
Norton would not continue past a certain number of
corrupted files, as it got only to about 20%, but later
completed the scan after the viruses were removed.)
Then I ran another on-line scanner by Trend Micro which
detected only the first virus, which it called
"torvil.c". Its solution was to delete the files. I
allowed Trend Micro to do this, after which no .exe
program would open on the computer, even after two
restarts.

How it got fixed: Back to HP (this time using the $40
paid telephone service - very good). It had been their
recommendation to run the Norton scan that led to
discovery of the second virus. I was prepared to format
and reload the operating system with the HP restore
function. I had good backups, so I was not worried
about losing anything but my time. I had restarted
twice, and could find no simple way to recover the
deleted files. But while waiting for HP to call me
back, I ran another web-based free-trial virus tool,
eAnthology's "Stop-Sign". It detected several viruses
and some spy-ware which I did not record, stopping at
one and demanding a restart to continue. Although it
did not specifically tell me it would repair the
problem, a short time later I discovered everything was
working and the files I had deleted from
WINDOWS/SYSTEM32 were now restored without the viruses!
Note: Stop-Sign is not supposed to cure any virus
without a paid subscription which I did not have.

Summary:

McAfee (only anti-virus on board)
Virus #1 - No detection. Virus #2 detected
as exploit-code-base.

Norton
Virus #1 - Detected as Trojan.Sefex. Virus #2
detected as W32.Torvil.B@mm

Trend Micro
Virus #1 - Not recorded. Virus #2 detected as
Torvil.C; manually deleted infected files.

eAnthology
I did not record the names, but several
viruses were detected and it seems to have restored all
previously deleted files and removed all traces of
these two viruses without request. It still reports two
viruses which McAfee, Norton, and Trend Micro do not
report. If this program did not restore those files,
then I don't know what did.

Marvin L. Zinn
(e-mail address removed)
Using Virtual Access
Windows 2000 build 2600
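
Added example (not part of the original thread or written by any poster): a small check for a mail-attachment folder that flags the two disguises discussed above, a document extension followed by a launchable one such as dfsfs.doc.pif, and a file named .doc whose content begins with an executable header. The extension lists and sample files are constructed assumptions for illustration.

```python
import os
import tempfile

# Extensions Windows will execute or launch. Explorer does not display
# .pif and .lnk even when "hide extensions for known file types" is off.
LAUNCHABLE = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".lnk"}
DOCUMENT = {".doc", ".txt", ".pdf", ".jpg", ".xls", ".zip"}


def classify(name, head):
    """Return a list of reasons the attachment looks disguised."""
    reasons = []
    # Work from the real on-disk name, ignoring trailing dots and spaces.
    stem, last = os.path.splitext(name.lower().rstrip(". "))
    inner = os.path.splitext(stem)[1]
    if last in LAUNCHABLE and inner in DOCUMENT:
        reasons.append("double extension %s%s" % (inner, last))
    if last in DOCUMENT and head[:2] == b"MZ":
        reasons.append("named %s but content is a DOS/Windows executable" % last)
    return reasons


def scan(folder):
    """Map file name -> reasons for every suspicious file in folder."""
    findings = {}
    for entry in sorted(os.listdir(folder)):
        path = os.path.join(folder, entry)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                reasons = classify(entry, fh.read(2))  # header bytes only
            if reasons:
                findings[entry] = reasons
    return findings


def demo():
    """Build a constructed attachment folder and scan it."""
    samples = {
        "dfsfs.doc.pif": b"\x00constructed",       # name quoted in the thread
        "report.doc": b"MZ\x90\x00constructed",    # executable header, .doc name
        "notes.doc": b"\xd0\xcf\x11\xe0constructed",  # OLE header of a real .doc
        "setup.exe": b"MZ\x90\x00constructed",     # honest executable, not flagged
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, data in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return scan(folder)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

The scan only reads the first two bytes of each file and never opens or launches anything, so it can be pointed at a download folder before any attachment is touched in Explorer.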
 
