Tons of "Memory Processes" reported by Microsoft AntiSpyware

I have recently been infected by some extremely clever virus that managed to get past two server computers screening the network for viruses using two different pieces of anti-virus software and also Grisoft's AVG on the client computer (recently as in 10 hours ago, at about 1:00 in the morning on July 8, 2005).  It stayed around long enough to send a copy of itself to everyone who was in my MS Outlook's e-mail account by replying to all of them with a copy of itself inside it.  After a scan using all of the above, it was removed; I think.  However, something worrisome happened this morning when I was running Microsoft's AntiSpyware program.  It said that 1400 something memory processes were scanned.  This does not, to me, sound like a feasible number, especially considering that all the services, processes, and drivers that are running put together only total to around 300.  I did notice while the scan was going that when it was reporting the name of the processes, it would put [PID <insert number here> processname] up on display.  What does PID mean in this case?  Is this number reported by MS's AntiSpyware just some way of deep scanning that I am unfamiliar with, or is something still really wrong?
ragnarok416Asked:
blue_zeeCommented:

You should immediately use these spyware/malware scanners:

First of all, download NOW this Winsock fix (FREE):
http://downloads.subratam.org/WinsockFix.zip
If you lose internet access after the cleanup, run this tool.
This is a precautionary tool only.

After that, download the fully functional trial version of Spy Sweeper:
http://www.webroot.com/downloads/?WRSID=595f27d74dd2795a56af83b763c321e1
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').

Download Ad-Aware (FREE) from here:
http://lavasoft.element5.com/support/download/
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').

Also excellent is SpyBot Search & Destroy (FREE) available here:
http://www.spychecker.com/download/download_spybot.html
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').
You should also apply the 'immunize' function, since it blocks roughly 2000 known 'bad' runs/apis/apps.

Even if Ad-Aware and SpyBot S&D are similar, they do clean different things. You should have both of them and use REGULARLY.

You can also install 'preventive' software that will help you control these nasties:

SpywareBlaster (FREE):
http://www.javacoolsoftware.com/spywareblaster.html
Prevents the installation of Active-X based spyware, malware, dialers, etc
Currently protects you against 3500+ nasties.
Advantage: no system resources used!!!
Just download, install and UPDATE.

All of them extremely useful but you must keep them UPDATED.

Suggestion: Make sure you can see all files and folders and run Ad-aware and Spybot S&D in Safe Mode.

These will cover the most common nasties around.

Zee
blue_zeeCommented:

PID = Process Identifier
The Process ID, which is a number that uniquely identifies one specific process (this number is valid only during the lifetime of that process). The PID of a newly launched process can be determined via the Run command. Similarly, the PID of a window can be determined with WinGet. The Process command itself can also be used to discover a PID.

These may help you understand it:

http://windows.about.com/od/tipsarchive/l/bltip685.htm
http://www.beyondlogic.org/solutions/processutil/processutil.htm

Zee
ragnarok416Author Commented:
Well, I ran all of those antispyware things, and got nothing, surprisingly.  Thanks for the info blue_zee, that was informative.  I ran pulist.exe, and it came up with this:

C:\Program Files\Resource Kit>pulist
Process           PID  User
Idle              0
System            4
smss.exe          716  NT AUTHORITY\SYSTEM
csrss.exe         796  NT AUTHORITY\SYSTEM
winlogon.exe      828  NT AUTHORITY\SYSTEM
services.exe      872  NT AUTHORITY\SYSTEM
lsass.exe         884  NT AUTHORITY\SYSTEM
svchost.exe       1036 NT AUTHORITY\SYSTEM
svchost.exe       1112
svchost.exe       1152 NT AUTHORITY\SYSTEM
svchost.exe       1196
svchost.exe       1316
spoolsv.exe       1564 NT AUTHORITY\SYSTEM
ati2evxx.exe      1908 NT AUTHORITY\SYSTEM
avgamsvr.exe      1928 NT AUTHORITY\SYSTEM
avgupsvc.exe      2004 NT AUTHORITY\SYSTEM
HPConfig.exe      188  NT AUTHORITY\SYSTEM
HPWirelessMgr.exe 244  NT AUTHORITY\SYSTEM
alg.exe           676
explorer.exe      1844 HOME\matt
carpserv.exe      504  HOME\matt
ONETOUCH.EXE      1068 HOME\matt
SynTPLpr.exe      1284 HOME\matt
SynTPEnh.exe      1300 HOME\matt
CM20.EXE          1336 HOME\matt
avgcc.exe         1380 HOME\matt
avgemc.exe        1396 HOME\matt
gcasServ.exe      1412 HOME\matt
qttask.exe        1432 HOME\matt
iTunesHelper.exe  1468 HOME\matt
iPodService.exe   1688 NT AUTHORITY\SYSTEM
gcasDtServ.exe    1784 HOME\matt
iexplore.exe      2196 HOME\matt
wuauclt.exe       2748 HOME\matt
iexplore.exe      3632 HOME\matt
rundll32.exe      3364 HOME\matt
iexplore.exe      1460 HOME\matt
OUTLOOK.EXE       3424 HOME\matt
WINWORD.EXE       1948 HOME\matt
calc.exe          1996 HOME\matt
GIANTAntiSpywareMain.exe 2604 HOME\matt
cmd.exe           2220 HOME\matt
pulist.exe        2968 HOME\matt

I don't see anything suspicious, and I sure don't see 1400 processes.  Is Microsoft's Anti-Spyware just being weird?
r-kCommented:
"Is Microsoft's Anti-Spyware just being weird?"

Possibly. If you run a scan again does it still show that many processes? (normal number should be 50 or 60)
ragnarok416Author Commented:
Yeah, it's still showing a bunch of them (1820 to be exact).  What in the world, that makes no sense.  What it does when it scans is it says "Scanning Process: PID <whatever #>: C:\<whatever path name>" but the weird thing is that it will scan one PID (say PID 1320) and then act like there's about fifty .dll's under that one PID.  That's not possible, is it?
r-kCommented:
Actually, that is possible, though very strange. Multiple services can be hosted by one copy of svchost, for example.

To verify this, from a command prompt, run:

 tasklist /svc

and see what it shows.

I am assuming you have Win/XP
blue_zeeCommented:

Process Explorer may also be useful:

http://www.sysinternals.com/Utilities/ProcessExplorer.html

Zee
ragnarok416Author Commented:
Well, nothing out of the ordinary with the tasklist /svc thing, although it's a handy thing to know, so thanks for the help.  And you too Zee, I've been needing a free process monitor for a while now.  But I'm still not seeing 1944 processes (that's what it's up to now -.- it keeps growing).  I captured a video file to show what the MS Antispyware is showing... it's really weird, but I'm beginning to think there's something to it because in the 30 minutes that it has been since I captured that video, it has grown again from 1800 to 1900 :S  This is worrisome.  Here's a link to a temp ftp site I set up real quick to provide a link to the file.  The .txt file is an export from that handy lil Process Explorer thing.

ftp://tempfixingcomp.homeip.net
Login: Anonymous

ragnarok416Author Commented:
Greeeaaaatttt, now a network computer has the same symptoms -.- *upgrades point value to 900* I'm now scanning all the rest of the computers on the network to see what else has this.  Cutting off access to my server from everything except my router so it doesn't get infected, I'd really be peeved about that
ragnarok416Author Commented:
Excuse me, 500, typo lol.
ragnarok416Author Commented:
Oh my gosh.  I just checked all my network computers; they're all doing the same thing.  I just called one of the people that got a blank e-mail from me that I didn't send; his is doing the same.  I have no idea what is happening, but it's getting a bit scary.
blue_zeeCommented:

Better run some online virus scanners, at least 2 of these:

Panda ActiveScan
http://www.pandasoftware.com/activescan 

Bitdefender
http://www.bitdefender.com/scan/Msie/index.php 

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp 

Symantec Security Check
http://security.symantec.com/sscv6/ 

Pc-Cillin (Trend Micro Housecall)
http://housecall.antivirus.com/housecall/start_pcc.asp 

PcPitstop
http://pcpitstop.com/antivirus/default.asp 

RAV
http://www.ravantivirus.com/scan/ 

Zee


ragnarok416Author Commented:
Just finished right then running all of them.  I found about 2 things that were apparently inert, but nothing that made the process number when scanning with MS AntiSpyware grow any smaller.  Perhaps it is a brand new virus?  Hopefully it's the software being dumb...
r-kCommented:
I am inclined to think it's some bug (or new feature) in the MS antispyware. As far as I can tell, those dll's are all legit. You might want to do a spot check of a few of those dll's. By that I mean you should locate them on disk with Windows Explorer, and check their last modified date. If they have recent dates that should be a red flag.

Also, make sure you have the latest version of MS Antispyware. Mine is v1.0.614.

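The spot check r-k describes, done with a script instead of by hand in Explorer, as an added example that is not part of the thread. It stats each module path a scanner listed and flags anything modified within a cutoff, and it also flags a module that is no longer on disk at all, since a DLL that was seen in memory but has vanished from disk deserves a look of its own. The two stand-in "DLLs" and their timestamps are constructed in a temp directory so the check runs offline on any OS; on a real machine you would feed it the paths from the scanner log or from Process Explorer's export. One caveat a practitioner should keep in mind: the same os.utime call the fixture uses to forge an old date is available to malware, so an old modification time is weak evidence of innocence, while a recent one is only a prompt to look closer.

```python
"""Flag recently modified (or missing) modules from a scanner's DLL list.

Added example, not from the original thread.  The fixture below is
constructed: two empty files stand in for DLLs, with timestamps set by
hand so the check can be run offline.
"""
import os
import tempfile
import time

DAY = 86400  # seconds


def recently_modified(paths, max_age_days=7, now=None):
    """Return [(path, mtime)] for every path modified within max_age_days.

    A path that does not exist is returned with mtime None: a module that
    a scanner saw loaded but that is gone from disk is its own red flag.
    `now` may be passed in to make the check reproducible.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    flagged = []
    for p in paths:
        try:
            mtime = os.stat(p).st_mtime
        except FileNotFoundError:
            flagged.append((p, None))
            continue
        if mtime >= cutoff:
            flagged.append((p, mtime))
    return flagged


def make_fixture():
    """Write two stand-in DLLs into a fresh temp dir and return
    (dir, old_path, new_path).  kernel32.dll gets an install-age
    timestamp (400 days); suspect.dll is 'touched' one day ago.
    Both names are placeholders, not real files from the poster's box."""
    d = tempfile.mkdtemp(prefix="dllcheck-")
    old = os.path.join(d, "kernel32.dll")
    new = os.path.join(d, "suspect.dll")
    for p in (old, new):
        open(p, "wb").close()
    now = time.time()
    os.utime(old, (now - 400 * DAY, now - 400 * DAY))  # forged: looks old
    os.utime(new, (now - 1 * DAY, now - 1 * DAY))      # recent
    return d, old, new


def demo():
    """Build the fixture, add one path that does not exist, and return
    the basenames the check flags (in input order)."""
    d, old, new = make_fixture()
    missing = os.path.join(d, "gone.dll")
    hits = recently_modified([old, new, missing], max_age_days=7)
    return [os.path.basename(p) for p, _ in hits]


if __name__ == "__main__":
    for name in demo():
        print("FLAG", name)
```

Run against a real listing, replace the fixture paths with the full paths the scanner printed; keep the seven-day window or widen it to whatever your last patch cycle was, otherwise Windows Update's own replacements will show up as hits.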
ragnarok416Author Commented:
Well, I sincerely hope it is, but I've got one more piece of info that is disturbing...

I thought that I had finished all of the scans, but I was wrong on one of them, the Panda Software one was still running.  And it still is.  It's presently on file 324000 something.  I reloaded Windows on this laptop two days ago, and installed MS Office, AVG Free edition, Microsoft AntiSpyware, and a mouse driver on it.  Where in the world did three hundred thousand files come from?  Also, if I do select all in the root of C and do properties, I get thirty thousand something files--a much more feasible number.  All hidden and system files are visible.  What the heck.  The Panda software thing is roughly (I have to estimate since it's a bar) 35% done.  Does that mean there are 925000 files on my computer?  Argh, this is way over my head; I hope it's just software eccentricities.
r-kCommented:
Here's a couple of suggestions: (after Panda is done)

(1) Run diagnostics on your disk (Right click on disk, Properties -> Tools -> Error checking)

(2) Download and run RootkitRevealer from:

 http://www.sysinternals.com/Utilities/RootkitRevealer.html

and use that to scan your disk. It will show any hidden files that may be missed by normal means.
rossfingalCommented:
Try running "Ewido" (free) from:
http://www.ewido.net/en/download/
Note: This is for Windows 2000 and Windows XP ONLY! Ewido does not work with any other versions of Windows.

Please download, install, update and scan your system with the free version of Ewido trojan scanner:

   1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
   2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
       This will be fixed in a moment.
   3. From the main ewido screen, click on update in the left menu, then click the Start update button.
   4. After the update finishes (the status bar at the bottom will display "Update successful"),
       click on the Scanner button in the left menu, then click on the Start button.
       This scan can take quite a while to run, so time to go get a drink and a snack....
   5. If ewido finds anything, it will pop up a notification.
       You can select "clean" and check the boxes "Perform action with all infections" and
       "Create encrypted backup" before clicking on OK.
   6. When the scan finishes, click on "Save Report". This will create a text file.

Check out this file to see if anything is "hiding".

RF
ragnarok416Author Commented:
Well, since I had just recently reloaded my laptop, I decided to perform an experiment.  I reformatted and reinstalled it, and then I isolated it from the network by unplugging everything from my main router (except my laptop) and disabling the wireless function on it.  I then connected directly to it, fired up the newly loaded windows XP and went directly to Microsoft's site and downloaded their Anti Spyware program.  I then ran the "deep scan" and it gave me 800 and something "processes scanned."  So, it looks like it's some quirk or new feature or different terminology than I'm used to, or something.  But I don't think that it's a problem.  At least I don't think it could be, considering my test.  Thanks everyone for their help!  It looks like r-k was the most right in this case, but I'll split the points with blue zee since he answered my PID question.  Thanks everyone!
r-kCommented:
Thanks for the feedback and points.

I think I can put your mind further at ease. I was troubled by this discrepancy, so decided to try all the options in the MS anti-spyware. Turns out that if I do a scan with the default options, it does a quick scan and just shows the 60 or so processes as before, but if I go into the "Scan Options" and select "Full System Scan", the number of memory processes suddenly jumps to 2000+. Looking at the display, it would seem that in this case the program not only scans programs in memory, but also scans (from disk) any dll that is linked to each program, counting each as a separate "process".

This is no doubt what you are seeing. Definitely an odd way to count "memory processes", but there you have it.

As an aside, it incorrectly reported one of my screensavers as being a "Back Attack Trojan". It's a screen saver for which I have the source code, and which I compiled myself, so I know for 100% that MS anti-spyware is wrong in this case. Definitely an aggressive scanner from MS. May return false positives sometimes...
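Two points in this thread are worth seeing in working code: r-k's earlier suggestion that `tasklist /svc` shows how one svchost.exe PID hosts many services, and his closing explanation that the "Full System Scan" counts every DLL linked to each process as a separate "memory process". The script below is an added example, not from the thread or from Microsoft. It parses the column layout both `tasklist /svc` and `tasklist /m` print on Windows XP (Image Name, PID, then a comma-separated third column that wraps onto indented continuation lines), groups services per svchost PID, and then reproduces the inflated count by adding, for every process, one for the process plus one for each module it has loaded. Both listings are constructed samples: the PIDs are borrowed from the pulist output posted above, but the service and module names are illustrative and trimmed, not captured from the poster's machine.

```python
"""Parse `tasklist /svc` and `tasklist /m` output and reproduce the
"memory processes" count that MS AntiSpyware's full scan reports.

Added example, not from the original thread.  TASKLIST_SVC and
TASKLIST_M are constructed samples in the real XP tasklist layout.
"""
import re

# Constructed, trimmed `tasklist /svc` sample (PIDs from the pulist post).
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       716 N/A
svchost.exe                   1036 DcomLaunch, TermService
svchost.exe                   1112 RpcSs
svchost.exe                   1152 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                   ERSvc, EventSystem, helpsvc, lanmanserver,
                                   lanmanworkstation, Netman, Nla, Schedule,
                                   seclogon, SENS, SharedAccess, ShellHWDetection,
                                   srservice, Themes, TrkWks, W32Time, winmgmt,
                                   wscsvc, wuauserv, WZCSVC
svchost.exe                   1196 Dnscache
svchost.exe                   1316 LmHosts, RemoteRegistry, SSDPSRV, WebClient
explorer.exe                  1844 N/A
"""

# Constructed, trimmed `tasklist /m` sample (module lists are illustrative).
TASKLIST_M = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       716 ntdll.dll
csrss.exe                      796 ntdll.dll, CSRSRV.dll, basesrv.dll,
                                   winsrv.dll, GDI32.dll, KERNEL32.dll,
                                   USER32.dll
explorer.exe                  1844 ntdll.dll, kernel32.dll, msvcrt.dll,
                                   ADVAPI32.dll, RPCRT4.dll, GDI32.dll,
                                   USER32.dll, SHLWAPI.dll, SHELL32.dll,
                                   ole32.dll, OLEAUT32.dll, BROWSEUI.dll,
                                   SHDOCVW.dll, comctl32.dll, UxTheme.dll
"""

# image name (may contain spaces), PID, rest of the line
ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<rest>.*)$")


def _split_items(s):
    """Split a comma list, dropping blanks and tasklist's 'N/A' marker."""
    return [x.strip() for x in s.split(",") if x.strip() and x.strip() != "N/A"]


def parse_tasklist(text):
    """Return {pid: (image, [items])} from tasklist /svc or /m output.

    Skips the header and '====' separator and folds the indented
    continuation lines back onto the row they belong to.
    """
    rows, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line.startswith(" "):                 # wrapped third column
            if current is not None:
                rows[current][1].extend(_split_items(line))
            continue
        m = ROW.match(line)
        if m:
            current = int(m.group("pid"))
            rows[current] = (m.group("image"), _split_items(m.group("rest")))
    return rows


def services_by_svchost(svc_rows):
    """PID -> list of services, for every svchost.exe instance only."""
    return {pid: svcs for pid, (image, svcs) in svc_rows.items()
            if image.lower() == "svchost.exe"}


def count_like_antispyware(mod_rows):
    """One for each process plus one per DLL it has mapped, so a DLL
    shared by N processes is counted N times (the rule r-k inferred)."""
    return sum(1 + len(mods) for _, mods in mod_rows.values())


def count_distinct_modules(mod_rows):
    """How many different DLL files those entries actually are."""
    return len({m.lower() for _, mods in mod_rows.values() for m in mods})


if __name__ == "__main__":
    for pid, svcs in services_by_svchost(parse_tasklist(TASKLIST_SVC)).items():
        print(f"svchost.exe PID {pid}: {len(svcs)} services")
    mods = parse_tasklist(TASKLIST_M)
    print(len(mods), "processes ->", count_like_antispyware(mods),
          '"memory processes" over', count_distinct_modules(mods), "distinct DLLs")
```

With the five-process sample the scanner-style count is already 28 entries over 18 distinct DLLs; with the forty-odd processes in the pulist output above, each mapping several dozen modules, the same arithmetic lands in the 1000 to 2000 range the poster saw, and the number drifts upward as Internet Explorer windows and Outlook load more libraries, which also explains why it "kept growing" between scans.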
blue_zeeCommented:

Thank you!

Zee