help! possible virus activity - look at my Task Manager

e-nation, State College, PA
edited August 2005 in Science & Tech
My system resources are recently (like today, or yesterday) being seriously hogged by something. I use Avast! antivirus, and I also ran the "Stinger" scan from McAfee (or wherever that Stinger thing comes from). Neither finds anything. I even did a boot-time scan with Avast. (The Stinger scan was about a week ago. I guess I could stand to do that again as a shot in the dark.)

Take a look at the last file in the list. I investigated it recently when it was trying to access the network via Shareaza. I blocked it with Sygate, of course, but it was determined to gain access: it tried repeatedly, even for a short time after Shareaza shut down. When I googled it I saw that it is associated with a virus (or worm, I forget), but I also saw elsewhere that it is a valid system file. I followed the instructions at Symantec, but I didn't have the entries in my registry, so I thought perhaps I'm not infected.

Anyone care to take a stab at what's going on here? Why all of those svchosts running?

Comments

  • kryyst, Ontario, Canada
    edited August 2005
    I wouldn't worry about that process since it's not hogging any CPU usage. I'd worry about what is using the 100%; show us that process.

    If your system is running well then your CPU usage should be very low, and if you list your processes in order of CPU usage then System Idle should be at the top showing the largest percentage.
  • e-nation, State College, PA
    edited August 2005
    The image above shows every process, as you can see by the number of processes indicated by Task Manager at the bottom and the number of processes shown (if you count them, it's the same number).

    explorer.exe is hogging the most. Actually, I posted a topic in another forum, www.winforums.org (a friendly, helpful forum for tech questions; I usually go there when my problem seems to be a Windows snag). I was having trouble deleting a particular file. Windows claimed this AVI was in use, but although it is in my Shareaza downloads folder, it was not being accessed by any media player, and Shareaza had not been opened, so I ruled out the possibility that Shareaza needed it for an upload. Even if I booted into a different drive and looked at the "slave" drive, it wouldn't let me delete the file (at least the one time that I tried that approach). Finally it worked, as I managed to get in there and delete it as soon as possible upon boot-up.

    But then it happened again. Same folder, same type of file. This time explorer was using 100-200 MB of memory, according to Task Manager, and roughly 90% of CPU. The folder didn't want to close, but I didn't select "End" when I got the pop-up to terminate the non-responsive process; the window finally did close on its own, but everything was still very sluggish.

    Upon a fresh boot into that drive / OS, system response is sluggish. This is unusual. According to what I read about wmiprvse.exe at one site, it is deployed by the W32/Sonebot-B worm. Another site mentioned a trojan, and yet other sites say it's a valid system file unless it's in the root of c:\windows\system32 (its proper place is a sub-folder, c:\windows\system32\wbem\, the same place it resides on my system, so I venture to guess that you are correct in your guess about it not hogging resources according to my screen capture); then it is a valid file.

    What then might be causing explorer.exe to hog the resources, even upon a fresh boot? I don't have any "on startup" scans running, or anything of that nature, but the performance is as if I have a virus scan and a defragmenter running at the same time. It's that unusually slow.

    You can see in the screenshot above that explorer.exe was at 99% CPU usage at that moment. The memory usage above was not that bad when I captured the screen; since this problem occurred, on average it has been more memory usage than what is shown.
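The three checks the thread circles around (what each svchost.exe instance is actually hosting, whether wmiprvse.exe runs from its expected System32\wbem location, and which processes are really burning CPU right now) can be scripted. The block below is an added example, not code from the original posters; it assumes Windows PowerShell 5.1 or later with the CIM cmdlets available (on the Windows XP box in the thread, `tasklist /svc` gives the first listing and Process Explorer the rest).

```powershell
# Added example (not from the original thread): triage the questions raised above.
# Assumes Windows PowerShell 5.1+ (Get-CimInstance, Get-Process). Run as Administrator
# so that the image path of every process is readable.

# 1. Why so many svchost.exe? Each instance hosts a group of services. Map PID -> service names.
$svcByPid = @{}
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 })) {
    $procId = [int]$svc.ProcessId
    if (-not $svcByPid.ContainsKey($procId)) { $svcByPid[$procId] = @() }
    $svcByPid[$procId] += $svc.Name
}

Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $hosted = $svcByPid[[int]$_.Id]
    [pscustomobject]@{
        PID      = $_.Id
        CPUsec   = [math]::Round($_.CPU, 1)
        MemMB    = [math]::Round($_.WorkingSet64 / 1MB, 1)
        # An svchost.exe that hosts no service at all is worth a closer look.
        Services = if ($hosted) { $hosted -join ', ' } else { '(none - investigate)' }
    }
} | Format-Table -AutoSize

# 2. Is wmiprvse.exe running from its legitimate location (System32\wbem)?
$expected = Join-Path $env:SystemRoot 'System32\wbem\wmiprvse.exe'
Get-Process -Name wmiprvse -ErrorAction SilentlyContinue | ForEach-Object {
    $path = $_.Path          # $null when the path cannot be read (insufficient rights)
    $verdict = if ($path -and ($path -ieq $expected)) { 'expected path' }
               elseif (-not $path) { 'path unreadable - rerun elevated' }
               else { 'UNEXPECTED PATH - investigate' }
    '{0,-8} {1,-60} {2}' -f $_.Id, $path, $verdict
}

# 3. Which processes are consuming CPU right now? Get-Process's CPU property is
#    cumulative processor seconds, not a percentage, so sample twice and take the delta.
$first = @{}
Get-Process | ForEach-Object { $first[$_.Id] = $_.CPU }
Start-Sleep -Seconds 2
$cores = [int]$env:NUMBER_OF_PROCESSORS
Get-Process | ForEach-Object {
    if ($first.ContainsKey($_.Id) -and $null -ne $_.CPU -and $null -ne $first[$_.Id]) {
        [pscustomobject]@{
            PID        = $_.Id
            Name       = $_.Name
            # seconds of CPU in a 2 s window, spread over all cores, as a percentage
            CPUPercent = [math]::Round(($_.CPU - $first[$_.Id]) * 100 / (2 * $cores), 1)
        }
    }
} | Sort-Object CPUPercent -Descending | Select-Object -First 5 | Format-Table -AutoSize
```

Section 2 flags only the file location; a binary in the right place can still be a replaced file, so compare its digital signature or hash against a known-good copy before trusting it.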
  • kryyst, Ontario, Canada
    edited August 2005
    Yeah I missed the 99% when I first scanned the list.

    I noticed you have Apache running as well as a mail server and a few other web/mail server services. Is this primarily a web server, or what is this rig for? Also, you are running Symantec's security suite, which is a stupid pig on resources. I'd ditch it and just use its anti-virus, and if you still feel unsafe use ZoneAlarm for a firewall. Even better, ditch Norton AV and use AVG; it's much less of a resource pig.

    However, I don't think any of that is causing this problem. Are you using a modified hosts file at all? At work I've had this happen on many machines: after I put in a killer hosts file they just cripple themselves periodically for some reason, even if they aren't accessing the net. So I strip the hosts file down to the bare minimum and the problem stops.

    You've got a shitload of stuff running, though, that is only needed if you are running a server, and even then much of it is only needed if you are a domain server for a LAN. wmiprvse, for example, should never need to be active on a single machine.

    http://www.neuber.com/taskmanager/process/wmiprvse.exe.html

    It almost looks to me like you are running 2k Server or 2003 Server edition as your OS. You have enough processes running on there for 3 machines to be handling.
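The hosts-file question above is worth checking in two directions: a large blocklist-style hosts file (thousands of names mapped to 127.0.0.1 or 0.0.0.0) explains the slowdowns kryyst describes, while a small number of entries pointing real domains at a remote address, or pointing security-vendor domains at localhost, is a classic hijack. The block below is an added example, not code from either poster; the vendor-domain list in it is a constructed illustration, not an authoritative indicator list.

```powershell
# Added example (not from the original thread): summarize the hosts file and flag
# entries that look like hijacks rather than ad/malware blocking.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Parse "address name [name ...]" lines; strip trailing comments; skip blanks and '#' lines.
$entries = foreach ($line in Get-Content -Path $hostsPath) {
    $text = ($line -split '#', 2)[0].Trim()
    if ($text -eq '') { continue }
    $fields = $text -split '\s+'
    if ($fields.Count -lt 2) { continue }
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        [pscustomobject]@{ Address = $fields[0]; Name = $name.ToLowerInvariant() }
    }
}

$blackholes = @('127.0.0.1', '0.0.0.0', '::1')
"Active host entries: $(@($entries).Count)"
"Mapped to localhost/blackhole: $(@($entries | Where-Object { $_.Address -in $blackholes }).Count)"

# Hijack pattern 1: a real name redirected to some other address (phishing/MITM style).
'--- entries NOT pointing at localhost (review each one) ---'
$entries | Where-Object { $_.Address -notin $blackholes -and $_.Name -ne 'localhost' } |
    Format-Table -AutoSize

# Hijack pattern 2: security-vendor/update domains blackholed so the machine cannot update.
# Constructed example list; extend it with whatever vendors the box actually relies on.
$vendorDomains = @('symantec.com', 'mcafee.com', 'avast.com', 'grisoft.com',
                   'windowsupdate.com', 'microsoft.com')
'--- security/update domains mapped to localhost (likely malicious) ---'
$entries | Where-Object {
    $n = $_.Name
    $_.Address -in $blackholes -and ($vendorDomains | Where-Object { $n -like "*$_" })
} | Format-Table -AutoSize
```

A hosts file with tens of thousands of blackholed names is legitimate but slow on older Windows versions; the two flagged lists are the ones that indicate tampering.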
  • e-nation, State College, PA
    edited August 2005
    Actually, I don't use Norton. I use Avast. I just have that SystemWorks thing on there for the "one-button-scan" cleanup thing. I forgot it was even on here. I should get rid of that. RegScrub is probably better anyway, and I have that.

    For one thing, I have too many hard drives with too many different things going on. This is my "Apache / PHP / MySQL" development machine. I have one with ColdFusion, and one with IIS and MS SQL, etc. I hadn't been using this one for a long time, but I wanted to learn PHP, so I've been using it all the time now. You're probably seeing stuff there that I don't even remember putting on here. You're right, a lot of stuff that I probably don't need... but I'm pretty sure there is no MS server stuff on here at all. Not even IIS. As far as I recall / know, it's only got Apache and MySQL. It did have ColdFusion at one point, but I took that off.

    What do you see that indicates that? What do you recommend I look for (to possibly remove) in Add/Remove Programs?

    Oh, and the weirdest thing is that it is no longer being slow. I did some boot-time scans (with this both as slave and as master), but I don't think it found anything, although the problem seems to have gone away. Weird, huh?

    Scans were Spyware Doctor and Avast Home boot-time. I used to be AVG all the way, but I think Avast actually might be better. It seems to have more user features (can you even do a boot-time scan with AVG?). I recommend any AVG user try Avast and see what you think.