We help IT Professionals succeed at work.

Windows "system idle process" virus?

hdokes asked
Medium Priority
Last Modified: 2013-12-04
I recently had a huge attack of virus's on every windows machine 15 in my facility.  The symptoms were mass port scans our to the internet of which I could view with tcpdump in real time.  After finally getting a handle on all machines I find my primary workstation sending bursts of info on non conventional ports to the other machines (which are locked down) on the internal network.  Further investigation shows that these bursts are tied to the "System idle process" PID.  I have never been aware of this process doing anything other than just giving visual feedback to the viewer that the CPU is not being used.  

Is anyone aware of a virus that attaches to or replaces the "System Idle Process" file and if so... can you point me to further information regarding what it is, how it may have come in, and how to insure it's total removal?

I have run both virus scans using NOC32 and SuperAntiSpyware and neither have identified any exploit.  I am using a program called Process and Port Analyzer which associates the transmitting port with the PID which is clearly showing the "System Idle Process" PID (0) as sending on these unconventional ports.  The ports are incrementing in ascending order from the source side as the previous request sits in a wait state due to no response from the destination and keys in on ports 123, 137, 138, and 445 at the destination side.  

If this is not a virus... can someone tell me if this is normal activity to go out and interrogate other machines while the CPU is idle?

Watch Question

Is it possible to see the payload of the packets?  I'm not familiar with Process and Port Analyzer, but you may want to try Wireshark to see what's in the packets.

Here is some info on the ports you listed.  I'm not exactly sure why it would be scanning the other machines for these though.

System service name: Eventlog
Collapse this tableExpand this table
Application protocol      Protocol      Ports
RPC/named pipes (NP)      TCP      139
RPC/NP      TCP      445
RPC/NP      UDP      137
RPC/NP      UDP      138

Port 123 is NTP.

You may want to try some other virus/spyware scanners to make sure your computer is clean.  Here are some I use:


Hard to remove viruses sometimes require to scan the the hard drive as a secondary drive on a clean machine.  I've also used http://trinityhome.org/Home/index.php?wpid=1&front_id=12 with great success.

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts
When your application is not able to get the PID, it's showing 0. PID 0 doesn't actually exist, and is the PID that is shown in the PID column when looking at processes simply to show that it has no associated PID.

More commonly, people get their ports backwards. It's normal for some windows flavors to increment the source port for each new outgoing connection. This traffic looks to me like normal windows network traffic.

My recommendation is to get a better analyzer that matches up the PIDs correctly, or simply run netstat from a command prompt on your worksation.

netstat /banv
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.