Virus Troubles

Symptoms

1. Some windows inexplicably close soon after I open them.  For example, in Microsoft FrontPage, if I select a table and try to open the "table properties" window, it closes almost immediately.  When I try to install some software to try to understand or combat this problem, the installation program closes!  (More about that later.)

2. The network light blinks like crazy, and web access is very sluggish.  Some task in my computer seems to be sending and/or receiving a lot of data, but no window is open.  Users of other computers in my home network ask me to stop downloading stuff, and they don't believe me when I say I'm not downloading anything.

Additional keywords, to help people find this page: window closes on its own, excessive network traffic

What I've already tried

1. Ad-aware

2. Blocking advertising with a custom "HOSTS" file

Next steps

1. Google for Unwanted Network Traffic.  Found discussions.hardwarecentral.com/showthread.php?t=173453, which recommended running

netstat -o

in a DOS window to find active connections.  The thread identified Winsvcup.exe, Winupsvc.exe (misspelled as Winupsvx.exe), and Mswinup.exe as the evil virus-infested files.  Well, not on my computer.  But the netstat command was very useful.  It works on a Windows XP system.  Normally, I see one or two active connections, like this:

C:\Documents and Settings\Graeme>netstat -o

Active Connections

Proto Local Address Foreign Address State PID
TCP Graeme:1035 74.125.19.103:http CLOSE_WAIT 336
TCP Graeme:1235 63.236.73.177:http ESTABLISHED 1316

But when the virus-caused nonstop network traffic cranked up, I saw hundreds -- I mean it! -- hundreds of connections to servers with names like mail.sun.com.  It seemed my virus was sending spam to lots of people.  (Sorry, everyone!)  The best thing is that the PID column told me which task was causing the problem.  I used the TASKKILL command to kill it.  (Type TASKKILL /? to get syntax info.)  The network traffic stopped instantly, and netstat -o showed the active network connections gradually dwindling to nothing.

I purchased the "pro" version of Ad-aware, which comes with a feature called "process watch" that showed me the offending task was the SVCHOST program in the windows\system32 folder.  I googled for that and found some information including the warning: NEVER DELETE SVCHOST.EXE!  It's a vital part of the operating system, and so you should let virus protection software deal with any problems infecting this file!
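Doing by script what the netstat -o listing above lets you do by eye: group the connections by PID and flag the process that fans out to many remote hosts or talks SMTP from a desktop.  This is an added example, not something from the original page; the netstat text it parses is constructed in the Windows XP layout shown above, and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample in the layout netstat -o prints on Windows XP.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    Graeme:1035            74.125.19.103:http     CLOSE_WAIT      336
  TCP    Graeme:1235            63.236.73.177:http     ESTABLISHED     1316
  TCP    Graeme:2001            mail.example.net:smtp  SYN_SENT        1044
  TCP    Graeme:2002            mx1.example.org:smtp   ESTABLISHED     1044
  TCP    Graeme:2003            mx.example.com:smtp    ESTABLISHED     1044
  TCP    Graeme:2004            mail.example.edu:smtp  SYN_SENT        1044
"""

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples from netstat -o output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows have exactly five fields, start with a protocol and end with a PID.
        if len(parts) == 5 and parts[0] in ("TCP", "UDP") and parts[4].isdigit():
            rows.append((parts[0], parts[1], parts[2], parts[3], int(parts[4])))
    return rows

def connections_per_pid(rows):
    """Map each PID to the remote hosts and remote ports it is talking to."""
    by_pid = defaultdict(lambda: {"hosts": set(), "ports": set()})
    for _proto, _local, foreign, _state, pid in rows:
        host, _, port = foreign.rpartition(":")   # "mail.example.net:smtp"
        by_pid[pid]["hosts"].add(host)
        by_pid[pid]["ports"].add(port)
    return by_pid

def suspicious_pids(text, max_hosts=3, mail_ports=("smtp", "25")):
    """PIDs with more than max_hosts distinct peers, or any outbound SMTP (assumed thresholds)."""
    flagged = {}
    for pid, info in connections_per_pid(parse_netstat(text)).items():
        reasons = []
        if len(info["hosts"]) > max_hosts:
            reasons.append("fan-out to %d hosts" % len(info["hosts"]))
        if info["ports"] & set(mail_ports):
            reasons.append("outbound SMTP")
        if reasons:
            flagged[pid] = reasons
    return flagged

if __name__ == "__main__":
    for pid, why in suspicious_pids(SAMPLE_NETSTAT).items():
        print("PID %d: %s" % (pid, ", ".join(why)))
```

On a real machine, feed it the saved output of netstat -o and look the flagged PID up with Ad-aware's process watch or Task Manager before reaching for TASKKILL.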

2. Google for "Startup Manager".  I got this idea from one of the websites I saw while researching item 1, above.  I found software called Startup Manager on sourceforge.net.  I wanted to temporarily disable everything that I either didn't recognize or didn't want.  At first, I couldn't uncheck anything without getting an error message that said simply "unable to remove this program".  Then I selected System Settings, then selected the Startup Manager Key radiobutton.  After that I was able to uncheck programs, but it deleted them instead of just unchecking them.

Then I went into "Add / Delete Programs" (from Start > Settings > Control Panel) and removed all software I didn't know or want.  Rebooted (much faster) but, alas, the virus was still there.

3. Google for Network Traffic Monitor.  Found free software, nicely described, called networktrafficmonitor.zip, which told me what I already knew: a lot of sending and receiving was going on!

Then I found World of Knowledge presents Network Monitoring, which listed Wireshark, a free but feature-rich network sniffer.  Due to my virus closing windows at random, I needed to reboot in safe mode to install it.  First I tried clicking Capture, Interfaces, then I clicked Start next to the wireless interface for my computer.  Even though the network light was blinking like crazy, nothing was captured.  After a while I stopped the trace, and a window popped up that suggested (among other things) that I try unchecking "promiscuous" mode.  I discovered it will capture lots of packets if I follow this exact procedure: Click Capture, Interfaces, then click Options next to the adapter I use, uncheck "promiscuous", then click Start.  Good.  Now I know the procedure.

I rebooted, and started the trace going.  Then I went about my business until the network activity started.  I immediately stopped the trace, killed the offending task, and then looked at the first few packets.  The first suspicious activity was to server mail.uikkl.info.  When I searched for uikkl I found only a Russian site, which said something Google translated as

Scvhost is only "ingot", the basis for launch services. As for the pizza boy. Naturally, he can not be contaminated (verneee may, but is a separate song).

I take the "pizza boy" comment to mean that it would be a mistake to blame the svchost program for the problem, or even to suspect it of being infected because svchost is only the standard delivery mechanism for Windows services, and it's the nasty work svchost is being asked to do that is the real problem.

4. Install AVG.  This is a free virus protector.  I read on one of the other websites that it's best to run virus protection and spyware software in "safe mode" to give it the best chance of eradicating the nastyware.  With windows closing at random I needed to boot in safe mode anyway.  I ran AVG and it found and eliminated 14 threats, including

Trojan Horse Backdoor.Generic7.USL

which infects the svchost program!  After that, the problem was solved.

5. Go to windowsupdate.microsoft.com to get the latest security patches.  There were almost 100 of them -- I guess it had been a while.  I installed all the updates, including Internet Explorer version 7.  I like the new tabs.

More information

Do you know what a "DOS window" is?  If your operating system is Windows XP then click Start, Run, then type CMD, and press enter.

What is a radiobutton?  It's a little circle that gets a black dot in it when you click it.  This is a term (like "dialing" a phone) that refers to ancient technology.  It comes from AM car radios of the 1950s and 1960s that had mechanical buttons for selecting the radio stations.  Only one of the buttons can be pressed at a time.

Do you know how to boot in "safe mode"?  Shut down completely, then start up.  A screen of hardware information (the BIOS level, manufacturer, etc.) will display, and then it will go black.  At that exact moment, press F8.  You will see some prompts asking you which operating system to boot, etc.  Choose using the keyboard up and down arrows, and then select with the Enter key.  If you see "Safe mode with networking", pick that choice.

--Graeme