Windows "system idle process" virus?

I recently had a huge attack of virus's on every windows machine 15 in my facility.  The symptoms were mass port scans our to the internet of which I could view with tcpdump in real time.  After finally getting a handle on all machines I find my primary workstation sending bursts of info on non conventional ports to the other machines (which are locked down) on the internal network.  Further investigation shows that these bursts are tied to the "System idle process" PID.  I have never been aware of this process doing anything other than just giving visual feedback to the viewer that the CPU is not being used.  

Is anyone aware of a virus that attaches to or replaces the "System Idle Process" file and if so... can you point me to further information regarding what it is, how it may have come in, and how to insure it's total removal?

I have run both virus scans using NOC32 and SuperAntiSpyware and neither have identified any exploit.  I am using a program called Process and Port Analyzer which associates the transmitting port with the PID which is clearly showing the "System Idle Process" PID (0) as sending on these unconventional ports.  The ports are incrementing in ascending order from the source side as the previous request sits in a wait state due to no response from the destination and keys in on ports 123, 137, 138, and 445 at the destination side.  

If this is not a virus... can someone tell me if this is normal activity to go out and interrogate other machines while the CPU is idle?

hdokesAsked:
Who is Participating?
 
amaru21Connect With a Mentor Commented:
Is it possible to see the payload of the packets?  I'm not familiar with Process and Port Analyzer, but you may want to try Wireshark to see what's in the packets.

Here is some info on the ports you listed.  I'm not exactly sure why it would be scanning the other machines for these though.

System service name: Eventlog
Collapse this tableExpand this table
Application protocol      Protocol      Ports
RPC/named pipes (NP)      TCP      139
RPC/NP      TCP      445
RPC/NP      UDP      137
RPC/NP      UDP      138

Port 123 is NTP.

You may want to try some other virus/spyware scanners to make sure your computer is clean.  Here are some I use:

http://bitdefender.com
http://housecall.trendmicro.com
http://malwarebytes.com

Hard to remove viruses sometimes require to scan the the hard drive as a secondary drive on a clean machine.  I've also used http://trinityhome.org/Home/index.php?wpid=1&front_id=12 with great success.
0
 
AdamsConsultingConnect With a Mentor Commented:
When your application is not able to get the PID, it's showing 0. PID 0 doesn't actually exist, and is the PID that is shown in the PID column when looking at processes simply to show that it has no associated PID.

More commonly, people get their ports backwards. It's normal for some windows flavors to increment the source port for each new outgoing connection. This traffic looks to me like normal windows network traffic.

My recommendation is to get a better analyzer that matches up the PIDs correctly, or simply run netstat from a command prompt on your worksation.

netstat /banv
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.