PC freezes

A couple of days ago, my desktop PC build running Windows 7 developed an unusual problem. Every two or three minutes, it freezes up completely and the mouse pointer will not move at all. Keyboard commands are also nonfunctional. The episodes last around 30 seconds, and then the system frees up again. I have been keeping my task manager running, and each time there’s an episode I check the performance monitor, and I see that the CPU was running at 100% during the episode. This is true even if there is nothing running but the task manager itself. After the episodes, it goes back down to 15% or so.

This is totally nonstandard for my PC. I have an AMD 3.8GHz processor, a terabyte hard drive, and 4GB of RAM. Even when running multiple windows with complicated things going on in each of them, I never, ever have any trouble with resources. I downloaded a utility to do a diagnostic on my processor, and it found no problems. When I look at the list of running processes, I see nothing unusual. Also, the event viewer will not open, even though the service is running. It says, “Event log service is unavailable. Verify that the service is running.” The service and all its dependencies are running.

It occurred to me that it may be a problem with the graphics card, but then why would that tie up the CPU at regular intervals?

So it looks like what’s happening is a periodic burst of frenetic CPU activity which assumes priority over everything else, but I have run out of ideas for catching or identifying it.

Does this seem like a malware thing to you?

What process is eating up CPU?

Select the Processes tab, show all processes, click on %CPU twice to sort by percent descending, then google the process name. If you are unlucky it will be the generic service and hard to decode.

Most likely it’s antivirus. Try turning off AV (temporarily) and see if that helps.

Well, see, that’s why I’m suspicious. The processes that are running when the CPU zooms up to 100% busy are the SAME processes that are running when it is 16% busy. This happens even when I am doing no active thing at all. None of the processes I generally have running are energy hogs at all. I’m actually kind of a fanatic about that; I have nothing pinned to my taskbar and I regularly pare things off the boot list that don’t need to be there (i.e., updater agents etc.).

Windows Process Explorer

Download and install this; it will let you tunnel down and see more detail on what task is eating CPU.

Once you know the task you can google the task name or post it here and we can give more detailed insight

There are a number of possibilities, but my most recent experience of computers doing exactly this was when they were infected with ransomware. The malware chewed up all the resources while it was encrypting the files.

Other possibilities include a failing memory module or disk controller, or assorted driver issues.

Mangetout: If it is ransomware, is there any way to arrest the process before it’s completed?

drachillix: It seems to be Firefox itself. I’m assuming the numbers in the “CPU” column are percentages? Anyway, it goes from a single digit to 70 and above during the episodes. But this is sitting still with no added load on the CPU when it happens.

I downloaded a beta of Malwarebytes Anti-Ransomware, just in case.

I’m going to take a wild guess that this is an advertisement running Flash.

If you’re using Firefox then turn Shockwave Flash off. This was consuming my computer in the manner you described.

Go to the upper far right button that looks like 3 lines. Click on Add-ons. On the left, click on Plugins. Find Shockwave Flash and choose “Ask to Activate”. It will be there if you need it but stay off unless you give it permission.

Reboot your computer. It should be obvious in 5 or 10 minutes if that’s the problem.

I’m not sure - they’re pretty damn aggressive. It sounds like your problem might not be that though.

Actually, Mangetout, you were right. I found a list of known ransomware file formats (I guess these are what your files are renamed to when they’re encrypted) and I went on a deep exploration of the contents of my PC. I didn’t find any of those file formats, but I did find several folders called “Pending Renames” and “Pending Deletes” with literally thousands of numbered files inside of each.

There were also literally hundreds and hundreds of new registry keys, all associated with a certain few words.

I think what has happened is, thanks to your very timely and pertinent advice, I was able to interrupt the process after they had made a comprehensive analysis of my system, thorough cataloguing of my files, and a master list of files to encrypt, but before the actual encryption was done.

I am online now with a completely different OS just to be on the safe side. I had disabled my network adapters while I poked around too. I am experiencing no sudden system freezes at the moment, but what I have to do is figure out how to remove the initial malware.

The Malwarebytes Anti-Ransomware helped right away; it reduced the freeze time to a much shorter period. But of course it’s meant to be a prophylactic rather than a cure after the fact. If anyone here has particular knowledge about dealing with ransomware specifically, I would love to hear what they’ve got to say.

While looking all this up, I saw it emphasized by many sources that this kind of malware is expected to become a prevalent problem.

I wouldn’t be sure of that. You don’t want to blithely assume this and in a year or so find out you were wrong the hard way. This utility may be of assistance. I’m sure there are other similar utilities.

For now, you definitely don’t want to be booting from that drive. Put in a new drive and restore from your last backup. Then hook up the old drive in an external USB caddy and copy over anything still missing.

The best way to get an unpolluted backup of files in the case of ransomware threat is:

Share your documents folder
Connect to that share from another machine. Don’t grant any permissions on the second machine from the first.
Browse the share from the second machine. Copy the files across by ‘pulling’ them from the second machine.
Don’t bring over anything that has executable content, including Office macros and HTML documents (which may contain JavaScript).

This should be safe, because the infected machine can’t write directly to the second machine - so it can’t encrypt the files there.

Or: share the whole disk and use the second machine to image it completely, using DriveImage XML or some such.

The danger of ‘push’ backups from the potentially infected machine is that if the backup process can write there directly, the malware probably can too - so it could encrypt your fallback as well as your live data.
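The ‘pull’ copy described above, written out as an added Python example (not code from this thread): run on the second machine against the mounted share, it copies everything except files with executable content and, going one step beyond the post, also opens zip-based Office files to catch a VBA project hidden behind a macro-free extension. The extension list and the sample share the demo builds are my own assumptions.

```python
import shutil, tempfile, zipfile
from pathlib import Path

# Assumed deny list: scripts, binaries, HTML (may carry JavaScript) and macro-enabled Office.
EXECUTABLE_EXTS = {
    ".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse", ".wsf",
    ".hta", ".msi", ".lnk", ".html", ".htm", ".docm", ".dotm", ".xlsm", ".pptm",
}
OOXML_EXTS = {".docx", ".dotx", ".xlsx", ".xltx", ".pptx", ".potx"}  # zip-based, inspectable

def has_vba_project(path):
    """True if an OOXML file carries vbaProject.bin; an unreadable zip counts as unsafe."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(Path(n).name.lower() == "vbaproject.bin" for n in zf.namelist())
    except zipfile.BadZipFile:
        return True

def is_safe_to_pull(path):
    ext = Path(path).suffix.lower()
    return ext not in EXECUTABLE_EXTS and not (ext in OOXML_EXTS and has_vba_project(path))

def pull_tree(src_root, dst_root):
    """Read-only copy of safe files from the share; returns (copied, skipped) relative paths."""
    src_root, dst_root = Path(src_root), Path(dst_root)
    copied, skipped = [], []
    for p in sorted(src_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src_root).as_posix()
        if is_safe_to_pull(p):
            (dst_root / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dst_root / rel)  # the share is only ever read, never written
            copied.append(rel)
        else:
            skipped.append(rel)
    return copied, skipped

def demo():
    """Constructed sample share covering each case; returns pull_tree's result."""
    share = Path(tempfile.mkdtemp()) / "share"
    (share / "notes").mkdir(parents=True)
    (share / "notes" / "todo.txt").write_text("buy milk")
    (share / "invoice.docm").write_bytes(b"PK")  # macro-enabled by extension
    (share / "page.html").write_text("<p>hello</p>")
    with zipfile.ZipFile(share / "clean.docx", "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    with zipfile.ZipFile(share / "sneaky.docx", "w") as zf:
        zf.writestr("word/vbaProject.bin", b"\x00")  # macros behind a clean extension
    return pull_tree(share, share.parent / "backup")
```

Point it at the mount point of the share on the second machine; the copy never writes back, so even an actively encrypting machine cannot reach the backup side.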

We got hit by Zepto at work recently. Six machines were infected, all of them because users had opened attachments or clicked on links in very plausible looking emails that slipped our filter.

The malware encrypted all and any documents that were saved locally (those were gone for good); it also encrypted the documents on network shares that the users had access to (those we restored from image-based backup, which is immune to interference from the malware because there is no way for the infected machines to write directly to it).

The weird thing was that the malware itself was really fragile. It was only running in memory - just rebooting the machines stopped it (although the damage had been done).

We got some security experts in to help with the clean-up. We did find a couple of Trojans that had been there for longer. We think the Trojans actually skimmed a bunch of mail traffic, and this data was used to construct the plausible-looking emails that carried in the ransomware - because they weren’t just ‘hey, look at this’ - they described their payload as an invoice to the folks in finance; as an order to the folks in sales; as a software update to us in IT, etc.