A Windows XP help forum. PCbanter

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

Go Back   Home » PCbanter forum » Microsoft Windows XP » Performance and Maintainance of XP
Site Map Home Register Authors List Search Today's Posts Mark Forums Read Web Partners

SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)



 
 
Thread Tools Display Modes
  #76  
Old April 18th 04, 02:10 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Fri, 16 Apr 2004 16:19:40 -0400, "Rocket J. Squirrel"

Interesting sig ("Running Windows-based av..."). Could you explain why you
feel that way?


Basically, whichever code runs first has the potential to assert "air
superiority", i.e. is in a position to block other code from running,
monitor its files and threads to detect attempts to kill itself, and
take punitive action, e.g. a "poison-pill" effect.

There are two easy ways for malware to take countermeasures against
antivirus software. The first - which is routine these days - is to
watch for known av process names. It's a little bit like a virus
scanning for antivirus software, and a lot easier for the malware to
do - given there are far more viruses (that the av successfully looks
for) than there are antivirus programs for the malware to look for.

The second is to be self-aware, i.e. to watch the malware's own
startup and integration settings and files. If these vanish, it can
re-assert them, or take revenge. Some malware spawn multiple threads,
which watch each other; when one thread is terminated, the other acts.

For this reason, it's safest to detect the malware while it is not
active. As you don't know where in the HD the malware has patched in
(that's what you are scanning to find out), it's best to run no code
off the HD at all. Then you *know* the malware's inactive and it's
safe to identify it, if not necessary to delete it. You also have
more confidence that a negative result doesn't just mean the malware
has found a way to hide itself via some runtime duck and jive.

Once you know what you are dealing with (and can believe the results),
you can look up reference info on the malware to see whether it's safe
to clean it, or whether particular caveats apply.

Trouble is, there's no maintenance OS for NTFS - the only OS that can
read NTFS without any compatibility FUD is NT, and NT can only run
from the ?infected HD. MS has what could be a maintenance OS (the PE
disk) but it's so tightly held that techs who need it can't get it,
and with such a tiny market, av vendors won't write products to run
from it. Bart's PE builder is an alternative, but once again it's an
uncertain market for av vendors to develop for.

"cquirke (MVP Win9x)" wrote this sig:




-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

Ads
  #77  
Old April 18th 04, 02:10 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Fri, 16 Apr 2004 16:19:40 -0400, "Rocket J. Squirrel"

Interesting sig ("Running Windows-based av..."). Could you explain why you
feel that way?


Basically, whichever code runs first has the potential to assert "air
superiority", i.e. is in a position to block other code from running,
monitor its files and threads to detect attempts to kill itself, and
take punitive action, e.g. a "poison-pill" effect.

There are two easy ways for malware to take countermeasures against
antivirus software. The first - which is routine these days - is to
watch for known av process names. It's a little bit like a virus
scanning for antivirus software, and a lot easier for the malware to
do - given there are far more viruses (that the av successfully looks
for) than there are antivirus programs for the malware to look for.

The second is to be self-aware, i.e. to watch the malware's own
startup and integration settings and files. If these vanish, it can
re-assert them, or take revenge. Some malware spawn multiple threads,
which watch each other; when one thread is terminated, the other acts.

For this reason, it's safest to detect the malware while it is not
active. As you don't know where in the HD the malware has patched in
(that's what you are scanning to find out), it's best to run no code
off the HD at all. Then you *know* the malware's inactive and it's
safe to identify it, if not necessary to delete it. You also have
more confidence that a negative result doesn't just mean the malware
has found a way to hide itself via some runtime duck and jive.

Once you know what you are dealing with (and can believe the results),
you can look up reference info on the malware to see whether it's safe
to clean it, or whether particular caveats apply.

Trouble is, there's no maintenance OS for NTFS - the only OS that can
read NTFS without any compatibility FUD is NT, and NT can only run
from the ?infected HD. MS has what could be a maintenance OS (the PE
disk) but it's so tightly held that techs who need it can't get it,
and with such a tiny market, av vendors won't write products to run
from it. Bart's PE builder is an alternative, but once again it's an
uncertain market for av vendors to develop for.

"cquirke (MVP Win9x)" wrote this sig:




-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

  #78  
Old April 18th 04, 02:10 PM
Rocket J. Squirrel
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

Perhaps you should alert the folks at Symantec (for example.) According to
you, they've completely missed the boat.

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!

Rocky

"cquirke (MVP Win9x)" wrote in message
...
On Fri, 16 Apr 2004 16:19:40 -0400, "Rocket J. Squirrel"

Interesting sig ("Running Windows-based av..."). Could you explain why

you
feel that way?


Basically, whichever code runs first has the potential to assert "air
superiority", i.e. is in a position to block other code from running,
monitor its files and threads to detect attempts to kill itself, and
take punitive action, e.g. a "poison-pill" effect.

There are two easy ways for malware to take countermeasures against
antivirus software. The first - which is routine these days - is to
watch for known av process names. It's a little bit like a virus
scanning for antivirus software, and a lot easier for the malware to
do - given there are far more viruses (that the av successfully looks
for) than there are antivirus programs for the malware to look for.

The second is to be self-aware, i.e. to watch the malware's own
startup and integration settings and files. If these vanish, it can
re-assert them, or take revenge. Some malware spawn multiple threads,
which watch each other; when one thread is terminated, the other acts.

For this reason, it's safest to detect the malware while it is not
active. As you don't know where in the HD the malware has patched in
(that's what you are scanning to find out), it's best to run no code
off the HD at all. Then you *know* the malware's inactive and it's
safe to identify it, if not necessary to delete it. You also have
more confidence that a negative result doesn't just mean the malware
has found a way to hide itself via some runtime duck and jive.

Once you know what you are dealing with (and can believe the results),
you can look up reference info on the malware to see whether it's safe
to clean it, or whether particular caveats apply.

Trouble is, there's no maintenance OS for NTFS - the only OS that can
read NTFS without any compatibility FUD is NT, and NT can only run
from the ?infected HD. MS has what could be a maintenance OS (the PE
disk) but it's so tightly held that techs who need it can't get it,
and with such a tiny market, av vendors won't write products to run
from it. Bart's PE builder is an alternative, but once again it's an
uncertain market for av vendors to develop for.

"cquirke (MVP Win9x)" wrote this sig:




-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -


  #79  
Old April 18th 04, 02:10 PM
Rocket J. Squirrel
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

Perhaps you should alert the folks at Symantec (for example.) According to
you, they've completely missed the boat.

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!

Rocky

"cquirke (MVP Win9x)" wrote in message
...
On Fri, 16 Apr 2004 16:19:40 -0400, "Rocket J. Squirrel"

Interesting sig ("Running Windows-based av..."). Could you explain why

you
feel that way?


Basically, whichever code runs first has the potential to assert "air
superiority", i.e. is in a position to block other code from running,
monitor its files and threads to detect attempts to kill itself, and
take punitive action, e.g. a "poison-pill" effect.

There are two easy ways for malware to take countermeasures against
antivirus software. The first - which is routine these days - is to
watch for known av process names. It's a little bit like a virus
scanning for antivirus software, and a lot easier for the malware to
do - given there are far more viruses (that the av successfully looks
for) than there are antivirus programs for the malware to look for.

The second is to be self-aware, i.e. to watch the malware's own
startup and integration settings and files. If these vanish, it can
re-assert them, or take revenge. Some malware spawn multiple threads,
which watch each other; when one thread is terminated, the other acts.

For this reason, it's safest to detect the malware while it is not
active. As you don't know where in the HD the malware has patched in
(that's what you are scanning to find out), it's best to run no code
off the HD at all. Then you *know* the malware's inactive and it's
safe to identify it, if not necessary to delete it. You also have
more confidence that a negative result doesn't just mean the malware
has found a way to hide itself via some runtime duck and jive.

Once you know what you are dealing with (and can believe the results),
you can look up reference info on the malware to see whether it's safe
to clean it, or whether particular caveats apply.

Trouble is, there's no maintenance OS for NTFS - the only OS that can
read NTFS without any compatibility FUD is NT, and NT can only run
from the ?infected HD. MS has what could be a maintenance OS (the PE
disk) but it's so tightly held that techs who need it can't get it,
and with such a tiny market, av vendors won't write products to run
from it. Bart's PE builder is an alternative, but once again it's an
uncertain market for av vendors to develop for.

"cquirke (MVP Win9x)" wrote this sig:




-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -


  #80  
Old April 20th 04, 01:37 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Sat, 17 Apr 2004 16:58:58 -0400, "Rocket J. Squirrel"

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!


That's what you'd expect a good av to do - *prevent* malware from
going active by detecting and killing it beforehand!

As long as your av is already running at the time the malware tries to
run, the av has the upper hand and should manage the problem fine.

When the av fails to detect the malware - usually because it's a new
variant that doesn't match the known detection tests - the opportunity
to stop the malware cold has been lost. If the malware then goes
active, I would not use the same av that has already failed to detect
the malware to chase after it while it's running.

Instead, I might use the "rescue" facility of that av to tackle it
formally. Most Windows-based av have a "rescue' facility that
basically prepares boot and av diskettes for formal scanning, but
obviously two problems come to mind:

1) Your file system may be incompatible with the rescue disks

Rescue disks tends to be DOS-based, and while a DOS mode diskette from
Win95 SR2 or later can read FAT32, they can't read NTFS

2) You can't really trust av disks prepared within infected OS

Many malware will knock down your resident av, or block the ability to
update it - so you should prepare the diskettes on another, clean PC.

Because of (2), it's often more practical to download and use an
arbitrary free DOS-based av, rather than the "rescue" facility of your
installed av, if the clean PC you use doesn't use the same av.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

  #81  
Old April 20th 04, 01:37 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Sat, 17 Apr 2004 16:58:58 -0400, "Rocket J. Squirrel"

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!


That's what you'd expect a good av to do - *prevent* malware from
going active by detecting and killing it beforehand!

As long as your av is already running at the time the malware tries to
run, the av has the upper hand and should manage the problem fine.

When the av fails to detect the malware - usually because it's a new
variant that doesn't match the known detection tests - the opportunity
to stop the malware cold has been lost. If the malware then goes
active, I would not use the same av that has already failed to detect
the malware to chase after it while it's running.

Instead, I might use the "rescue" facility of that av to tackle it
formally. Most Windows-based av have a "rescue' facility that
basically prepares boot and av diskettes for formal scanning, but
obviously two problems come to mind:

1) Your file system may be incompatible with the rescue disks

Rescue disks tends to be DOS-based, and while a DOS mode diskette from
Win95 SR2 or later can read FAT32, they can't read NTFS

2) You can't really trust av disks prepared within infected OS

Many malware will knock down your resident av, or block the ability to
update it - so you should prepare the diskettes on another, clean PC.

Because of (2), it's often more practical to download and use an
arbitrary free DOS-based av, rather than the "rescue" facility of your
installed av, if the clean PC you use doesn't use the same av.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

  #82  
Old April 20th 04, 01:37 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Sat, 17 Apr 2004 16:58:58 -0400, "Rocket J. Squirrel"

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!


That's what you'd expect a good av to do - *prevent* malware from
going active by detecting and killing it beforehand!

As long as your av is already running at the time the malware tries to
run, the av has the upper hand and should manage the problem fine.

When the av fails to detect the malware - usually because it's a new
variant that doesn't match the known detection tests - the opportunity
to stop the malware cold has been lost. If the malware then goes
active, I would not use the same av that has already failed to detect
the malware to chase after it while it's running.

Instead, I might use the "rescue" facility of that av to tackle it
formally. Most Windows-based av have a "rescue' facility that
basically prepares boot and av diskettes for formal scanning, but
obviously two problems come to mind:

1) Your file system may be incompatible with the rescue disks

Rescue disks tends to be DOS-based, and while a DOS mode diskette from
Win95 SR2 or later can read FAT32, they can't read NTFS

2) You can't really trust av disks prepared within infected OS

Many malware will knock down your resident av, or block the ability to
update it - so you should prepare the diskettes on another, clean PC.

Because of (2), it's often more practical to download and use an
arbitrary free DOS-based av, rather than the "rescue" facility of your
installed av, if the clean PC you use doesn't use the same av.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

  #83  
Old April 20th 04, 01:37 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Sat, 17 Apr 2004 16:58:58 -0400, "Rocket J. Squirrel"

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!


That's what you'd expect a good av to do - *prevent* malware from
going active by detecting and killing it beforehand!

As long as your av is already running at the time the malware tries to
run, the av has the upper hand and should manage the problem fine.

When the av fails to detect the malware - usually because it's a new
variant that doesn't match the known detection tests - the opportunity
to stop the malware cold has been lost. If the malware then goes
active, I would not use the same av that has already failed to detect
the malware to chase after it while it's running.

Instead, I might use the "rescue" facility of that av to tackle it
formally. Most Windows-based av have a "rescue' facility that
basically prepares boot and av diskettes for formal scanning, but
obviously two problems come to mind:

1) Your file system may be incompatible with the rescue disks

Rescue disks tends to be DOS-based, and while a DOS mode diskette from
Win95 SR2 or later can read FAT32, they can't read NTFS

2) You can't really trust av disks prepared within infected OS

Many malware will knock down your resident av, or block the ability to
update it - so you should prepare the diskettes on another, clean PC.

Because of (2), it's often more practical to download and use an
arbitrary free DOS-based av, rather than the "rescue" facility of your
installed av, if the clean PC you use doesn't use the same av.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

  #84  
Old April 20th 04, 01:37 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Sat, 17 Apr 2004 16:58:58 -0400, "Rocket J. Squirrel"

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!


That's what you'd expect a good av to do - *prevent* malware from
going active by detecting and killing it beforehand!

As long as your av is already running at the time the malware tries to
run, the av has the upper hand and should manage the problem fine.

When the av fails to detect the malware - usually because it's a new
variant that doesn't match the known detection tests - the opportunity
to stop the malware cold has been lost. If the malware then goes
active, I would not use the same av that has already failed to detect
the malware to chase after it while it's running.

Instead, I might use the "rescue" facility of that av to tackle it
formally. Most Windows-based av have a "rescue' facility that
basically prepares boot and av diskettes for formal scanning, but
obviously two problems come to mind:

1) Your file system may be incompatible with the rescue disks

Rescue disks tends to be DOS-based, and while a DOS mode diskette from
Win95 SR2 or later can read FAT32, they can't read NTFS

2) You can't really trust av disks prepared within infected OS

Many malware will knock down your resident av, or block the ability to
update it - so you should prepare the diskettes on another, clean PC.

Because of (2), it's often more practical to download and use an
arbitrary free DOS-based av, rather than the "rescue" facility of your
installed av, if the clean PC you use doesn't use the same av.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

  #85  
Old April 20th 04, 01:37 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Sat, 17 Apr 2004 16:58:58 -0400, "Rocket J. Squirrel"

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!


That's what you'd expect a good av to do - *prevent* malware from
going active by detecting and killing it beforehand!

As long as your av is already running at the time the malware tries to
run, the av has the upper hand and should manage the problem fine.

When the av fails to detect the malware - usually because it's a new
variant that doesn't match the known detection tests - the opportunity
to stop the malware cold has been lost. If the malware then goes
active, I would not use the same av that has already failed to detect
the malware to chase after it while it's running.

Instead, I might use the "rescue" facility of that av to tackle it
formally. Most Windows-based av have a "rescue' facility that
basically prepares boot and av diskettes for formal scanning, but
obviously two problems come to mind:

1) Your file system may be incompatible with the rescue disks

Rescue disks tends to be DOS-based, and while a DOS mode diskette from
Win95 SR2 or later can read FAT32, they can't read NTFS

2) You can't really trust av disks prepared within infected OS

Many malware will knock down your resident av, or block the ability to
update it - so you should prepare the diskettes on another, clean PC.

Because of (2), it's often more practical to download and use an
arbitrary free DOS-based av, rather than the "rescue" facility of your
installed av, if the clean PC you use doesn't use the same av.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

  #86  
Old April 20th 04, 01:37 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Sat, 17 Apr 2004 16:58:58 -0400, "Rocket J. Squirrel"

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!


That's what you'd expect a good av to do - *prevent* malware from
going active by detecting and killing it beforehand!

As long as your av is already running at the time the malware tries to
run, the av has the upper hand and should manage the problem fine.

When the av fails to detect the malware - usually because it's a new
variant that doesn't match the known detection tests - the opportunity
to stop the malware cold has been lost. If the malware then goes
active, I would not use the same av that has already failed to detect
the malware to chase after it while it's running.

Instead, I might use the "rescue" facility of that av to tackle it
formally. Most Windows-based av have a "rescue' facility that
basically prepares boot and av diskettes for formal scanning, but
obviously two problems come to mind:

1) Your file system may be incompatible with the rescue disks

Rescue disks tends to be DOS-based, and while a DOS mode diskette from
Win95 SR2 or later can read FAT32, they can't read NTFS

2) You can't really trust av disks prepared within infected OS

Many malware will knock down your resident av, or block the ability to
update it - so you should prepare the diskettes on another, clean PC.

Because of (2), it's often more practical to download and use an
arbitrary free DOS-based av, rather than the "rescue" facility of your
installed av, if the clean PC you use doesn't use the same av.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

  #87  
Old April 20th 04, 01:37 PM
cquirke (MVP Win9x)
external usenet poster
 
Posts: n/a
Default SVCHOST & LSASS hogging CPU, no virus found. I'm completely stuck! (detailed)

On Sat, 17 Apr 2004 16:58:58 -0400, "Rocket J. Squirrel"

I've been using Norton AntiVirus since 1997 and never once has my computer
been infected. Talk about a string of luck!


That's what you'd expect a good av to do - *prevent* malware from
going active by detecting and killing it beforehand!

As long as your av is already running at the time the malware tries to
run, the av has the upper hand and should manage the problem fine.

When the av fails to detect the malware - usually because it's a new
variant that doesn't match the known detection tests - the opportunity
to stop the malware cold has been lost. If the malware then goes
active, I would not use the same av that has already failed to detect
the malware to chase after it while it's running.

Instead, I might use the "rescue" facility of that av to tackle it
formally. Most Windows-based av have a "rescue' facility that
basically prepares boot and av diskettes for formal scanning, but
obviously two problems come to mind:

1) Your file system may be incompatible with the rescue disks

Rescue disks tends to be DOS-based, and while a DOS mode diskette from
Win95 SR2 or later can read FAT32, they can't read NTFS

2) You can't really trust av disks prepared within infected OS

Many malware will knock down your resident av, or block the ability to
update it - so you should prepare the diskettes on another, clean PC.

Because of (2), it's often more practical to download and use an
arbitrary free DOS-based av, rather than the "rescue" facility of your
installed av, if the clean PC you use doesn't use the same av.



-------------------- ----- ---- --- -- - - - -

Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
-------------------- ----- ---- --- -- - - - -

 




Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off






All times are GMT +1. The time now is 02:27 PM.


Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.