How likely is it for malicious spyware/viruses to hide itself from the system resources?

About a minute ago my computer virtually ground to a halt, which for a P4 with 1 GB of RAM, with over 4 GB of recently defragged HD space left, is pretty unusual. I solved it by ending the process that had eaten up the most memory (explorer.exe). But this highlights a worry I’ve had lately.

I hear a lot of HD read type sound coming from the computer lately. I could be mistaken and it could be a less than perfect fan, but I worry that there is the possibility that some process is running that is causing constant hard-disk activity.

Yet when I ctrl-alt-del and look at the processor usage it is lower than 5% and not much is happening.

So how likely is it for malicious unwanted programs to be doing some resource intensive task and hiding this fact from the system’s sensors?

Possible, but not really likely. The explanation is probably that the indexing service is scanning the drive to make searches faster. Go to start, run, type in “services.msc” and press enter. Find the indexing service in the window that pops up, and click the Stop button and see if the HDD accesses stop.

You got hamster problems too? :smack:
I tell ya Lobs I’m getting sick and tired of this bullshit with the spyware and whatever else has been finding its way onto my computer. I have to clean the hard drive up constantly otherwise it simply shuts down. I’m not up on my tech knowledge anymore so I’m not even sure what to do about it. What really freaks me out is when it’ll be online and yet I’ve either shut it down or never started it in the first place. I can pick up my extension phone in the other room and when I turn it on it squelches and squeals like the PC is running. But it’ll be shut down. WTF is that all about? Am I about to have the Feds kick my door in or what? :eek:

Have you tried Spybot or Ad-Aware? They work great for me but perhaps someone with a bit more knowledge of computers will come along to help.

You might be the victim of a code hook. The site I’ve linked to has instructions on how to create them. AFAIK, there’s no reliable software out there that will let you remove them. They’ve not caught on with a lot of spyware folks, yet.

Several viruses disguise their name as “explorer.exe.” (See this list – anything with an X is bad). It’s not hiding, just using a name that looks like a legitimate process. A HijackThis log would show what it might be.
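The name-versus-path check that the post above describes, as an added example that is not part of the original thread: it flags a process whose image name matches a Windows system binary but runs from an unexpected folder, or whose name is one character away from a system binary. The process list is constructed sample data, and the `C:\Windows` install location is an assumption.

```python
import ntpath

# Assumption: Windows is installed in C:\Windows (compared case-insensitively).
EXPECTED_DIRS = {
    "explorer.exe": r"c:\windows",
    "svchost.exe": r"c:\windows\system32",
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alikes such as 'expl0rer.exe'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_process(image_path):
    """Return None if the image path looks normal, else a short reason string."""
    folder, name = ntpath.split(ntpath.normpath(image_path).lower())
    if name in EXPECTED_DIRS:
        if folder != EXPECTED_DIRS[name]:
            return f"{name} running from {folder}, expected {EXPECTED_DIRS[name]}"
        return None
    for real in EXPECTED_DIRS:
        if edit_distance(name, real) == 1:
            return f"{name} is one character away from {real}"
    return None

def audit(processes):
    """processes: iterable of (pid, image_path). Returns [(pid, reason), ...]."""
    checked = ((pid, check_process(path)) for pid, path in processes)
    return [(pid, why) for pid, why in checked if why]

# Constructed sample process list (not taken from the thread).
SAMPLE = [
    (1480, r"C:\WINDOWS\Explorer.EXE"),           # the real shell
    (2212, r"C:\WINDOWS\system32\explorer.exe"),  # right name, wrong folder
    (2304, r"C:\WINDOWS\expl0rer.exe"),           # look-alike name
    (900, r"C:\WINDOWS\system32\svchost.exe"),    # legitimate service host
]

if __name__ == "__main__":
    for pid, reason in audit(SAMPLE):
        print(pid, reason)
```

A match is a reason to inspect the file, not proof of infection.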

It would probably be worth your while to go to and see if their online virus scanner finds anything.

I am a cynical bastard so I suspected their scanner would find things no matter what. I am running it now and it is finding things. If I go to the directories where it finds these ‘viruses’ sure enough the mentioned file is there, but these are directories I have visited recently and those files look waaaay out of place… almost as if they have been put there recently.

Is this scanner ‘planting evidence’ so that I am compelled to pay for its full version?

P.S. I did Ad-Aware and Spybot. They found literally nothing (which is weird because Ad-Aware usually finds a few tracking cookies).

If you’re that worried, then check with the folks at Shields Up! and see what their free scans say about your machine. Or do yourself a favor and download the best anti-virus program I’ve ever seen. It also happens to be free.

Every single file is listed as ‘non cleanable’ and the reason given at the end is ‘the file is in use’. This adds to my suspicion as there are quite simple procedures in place for removing files that are in use.

I’ll try that. (my last post was typed before I saw your post)

I have listed the files the housecall scanner found and am going to reboot into DOS (if possible) or safe mode (if not) and delete the files. I will then check the offending directories for said files and run housecall again (to see if it ‘finds’ the same files again).

After that I will run Tuckerfan’s suggestion.

FWIW, I don’t run virus protection software because my experience with it is that it is more trouble than it is worth. I do, however, visit the online scanner at Trend Micro every other month or so and I have gotten a clean bill of health every time so I have no reason to believe they plant anything. I’ve been there maybe five or six times.

Like I said I would, I have run the housecall link again, after deleting the files in safe mode. So far it’s not found any viruses and it’s got further than before.
So it turns out my suspicions were wrong. I apologise to those concerned. As I said I am a cynical bastard, and so I assume foul play every time, where corporations are involved.

Well, Housecall finished with zero viruses.

Again I apologize for doubting the person who first suggested the link. I may add it to my favourites.

Lobsang, how did you delete the files? I’m trying to do it now. I’m running Windows XP.

It says it is in use because…it is! The application is running and you are trying to delete it, can’t happen that way. Start in safe mode then delete.

I wish it was that easy bongmaster. If it was, they wouldn’t make removal tools for these things. I’ve been trying to get rid of these things for a few hours now. No luck.

I know. But I also know that there are mechanisms for removing files that are in use. I know I can’t do it manually. But AV software is supposed to be able to. As a last resort it does this by marking the files for removal on reboot.

x-ray vision, you have to reboot in safe mode…


Type ‘msconfig’ and OK.

On the ‘BOOT.INI’ tab select the ‘/SAFEBOOT’ check box.


When you’ve finished with safe mode, follow the above procedure, but uncheck the box.

Do that. Housecall is one of the most useful tools available to detect viruses on a computer – and it is not a scam. Trend Micro is doing it as a public service – well, they also want you to buy their regular software, of course.