Wolf in Sheep's Clothing
June 27, 2011 3:02 PM

My PC is running slow. So I went to ProcessLibrary.com to check the programs running in task manager. I've also got Malwarebytes and AVG Anti-Virus running. But these programs aren't impenetrable. Consequently, I've learned there are many legitimate programs that have double identities.

One, for example, is svchost.exe. In one case, it is a legitimate Windows file that is the Generic Host Process for Win32 Services. But it also has nine other identities, all of which are spyware, malware, whatever. But of course, I don't know which is which.

How do I delete malicious programs with the same name as Windows essential programs without crashing my computer or making it otherwise inoperable?
posted by CollectiveMind to Computers & Internet (14 answers total) 10 users marked this as a favorite
The problem with svchost is that it is, as the name implies, a host for a service. There may well legitimately be multiple copies of it running to host various services. However, some of those copies may host malicious services. I could be wrong but I think any services that svchost can run will have to show up in the service control panel under windows.

IOW, it's not that other programs are also named svchost, it's that svchost is running both good things and bad. At least in Win7, you can click on "open file location" and that will tell you if it's actual Windows SVCHOST running or some differently-pathed lookalike.
posted by KathrynT at 3:18 PM on June 27, 2011 [1 favorite]

What KathrynT said -- you CAN have more than one svchost.exe running. I like KT's idea of opening the file location to determine where it's hiding out.
posted by Heretical at 3:21 PM on June 27, 2011

Chances are really good that you will have multiple instances of svchost.exe running legitimately.

Do a full scan with Malwarebytes.

Do a full scan with AVG.

Download CCleaner. CCleaner is your friend. On the front page of CCleaner run "Analyze" and then "Run Cleaner". After that go to the Registry page, run "Scan for Issues" and clean up anything it finds. Go to the Tools page, then the Startup page, and see what programs are starting with Windows. Research which ones you can turn off and turn them off.

Then Defrag your computer.

Those programs won't find everything that could be wrong, but they will find 99.9999% of them.
posted by Benny Andajetz at 3:22 PM on June 27, 2011 [2 favorites]

Also check out Deezil's profile for a great set of tools and instructions for malware removal.
posted by samsara at 4:07 PM on June 27, 2011

Run msconfig (start -> run -> msconfig). Uncheck everything on the "Startup" tab. Close msconfig. Reboot.
posted by blue_beetle at 4:17 PM on June 27, 2011

You did not give any specs on your system: age, CPU, memory. Although Deezil's list is pretty comprehensive, maxing out the memory will give you the biggest bang for the buck.
posted by sammyo at 4:28 PM on June 27, 2011

...also, rather than open individual processes in Task Manager, choose View => Select Columns => Image Path Name

Review for anything that looks suspicious or randomly named.
posted by nicktf at 4:29 PM on June 27, 2011

You'll find a lot of good tips at the Black Viper website. He suggests a whole bunch of services you can disable, and other things that will generally improve performance.
posted by tumid dahlia at 5:43 PM on June 27, 2011

The freeware Process Explorer will help you investigate which svchost.exe process has loaded questionable .dll files, which is a good clue to what kinds of malware may be compromising your system.
posted by paulsc at 6:21 PM on June 27, 2011
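The checks KathrynT, nicktf and paulsc describe (where each svchost.exe actually lives, which services it hosts, and whether it has loaded DLLs from odd places) can be done in one pass from PowerShell. This is an added example written for this thread, not code from any of the posters or from Sysinternals; it assumes a Windows system where the real svchost.exe lives under %SystemRoot%\System32 or SysWOW64, and it only reports, it removes nothing.

```powershell
# Added example (not from the thread): audit every svchost.exe instance.
# For each process named svchost.exe it reports
#   * the image path and whether it is in the directory Windows keeps the real one in
#   * the Authenticode signature status of that image
#   * the services the Service Control Manager says run inside that PID
#   * loaded modules that are NOT under %SystemRoot% (the clue paulsc mentions)
# Run from an elevated prompt so Path and Modules are readable for every process.

$systemRoot  = $env:SystemRoot
$trustedDirs = @("$systemRoot\System32", "$systemRoot\SysWOW64")

# Map hosting PID -> service names. Keys are cast to [int] because Win32_Service
# reports ProcessId as UInt32 and Get-Process reports Id as Int32; a hashtable
# treats those as different keys unless they are normalised.
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $hostPid = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($hostPid)) { $servicesByPid[$hostPid] = @() }
    $servicesByPid[$hostPid] += $_.Name
}

$report = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    $path         = $proc.Path
    $inTrustedDir = $false
    $sigStatus    = 'Unknown'
    if ($path) {
        $dir          = Split-Path -Path $path -Parent
        $inTrustedDir = $trustedDirs -contains $dir      # -contains is case-insensitive
        $sigStatus    = (Get-AuthenticodeSignature -FilePath $path).Status
    }

    # Modules loaded from outside the Windows directory deserve a second look.
    $foreignModules = @()
    try {
        $foreignModules = @($proc.Modules |
            Where-Object { $_.FileName -and -not $_.FileName.StartsWith($systemRoot, 'OrdinalIgnoreCase') } |
            Select-Object -ExpandProperty FileName)
    } catch { }   # access denied on protected processes when not elevated

    [PSCustomObject]@{
        PID            = $proc.Id
        Path           = $path
        InTrustedDir   = $inTrustedDir
        Signature      = $sigStatus
        Services       = ($servicesByPid[[int]$proc.Id] -join ', ')
        ForeignModules = ($foreignModules -join ', ')
        Suspicious     = (-not $inTrustedDir) -or ($sigStatus -ne 'Valid') -or ($foreignModules.Count -gt 0)
    }
}

# Suspicious rows first: wrong directory, unsigned/invalid image, or non-Windows DLLs loaded.
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

A legitimate instance shows a System32 path, a Valid signature and a recognisable list of services; an instance with no hosted services, a path elsewhere, or DLLs from a user profile or temp directory is the one to investigate further with Process Explorer rather than to kill on sight, since terminating a real svchost takes its services down with it.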

Do you think that your computer is running slow because it is infected? I propose that it is running slow because of the various software packages that you have installed. The combination of AVG and MalwareBytes should be good enough to find at least something out of the ordinary. Most Malware (all?) is not perfect in its behaviour; there is always another symptom besides just running slow. As mentioned above, things like svchost aren't bad programs but can be utilized by bad programs. If you want to add another layer of security, use Firefox with the Noscript extension (But beware: every single web page will then require you to make a decision if it's safe.).
If you really think that your security software is missing an especially stealthy program, get a virus scanner that boots from its own CD or USB stick. This way the malicious code can't be running to hide things from the virus scanner. The AntiVir Rescue Disk is one possible solution that gets updated at least once a day.
posted by mmkhd at 6:59 PM on June 27, 2011 [3 favorites]

I'm not an expert, but have found that all the time I've spent trying to track down viruses has ultimately kept me from the final solution of wiping the drive and reinstalling Windows. I end up doing it every 6 months. Just did it and I'm back to normal.

One note: I find that Zone Alarm firewall slowed my computer down excessively. Got rid of it. YMMV.

I use Acronis Backup Home. When I reinstalled Windows last time, I carefully installed the programs I wanted before putting any documents on my computer, then made a bootable archive of my operating system and programs. So if my computer gets slow, I just back up my docs on an external drive and use Acronis to reinstall my OS with my programs. Oh yeah, I made a partition on my hard disk that's just a little bigger than the OS, and keep the Acronis file on that. Works pretty sweet.

Acronis isn't the most intuitive program in the world but it seems to work pretty well.
posted by sully75 at 8:14 PM on June 27, 2011

Response by poster: Thanks, all.
posted by CollectiveMind at 8:48 PM on June 27, 2011

(You don't need to defrag your computer unless your disk got near to full)
posted by devnull at 12:10 AM on June 28, 2011

Not exactly. Defragging is helpful to do bi-weekly if working with lots of small files. The reason why is due to how fragmentation causes the drive head to skip around the platter in order to fully read larger files. This can over time work the drive a lot harder and shorten its life, on top of slowing read times down. However, fragmentation usually is only responsible for moderate slowing.

What you'll want to run to help get to the bottom of the slowness is a Sysinternals program called Process Monitor. This application is similar to the one linked above by paulsc, and can be used to troubleshoot excessive I/O. At the top of this program are 3 selector buttons for registry, file, and process I/O. Monitor each of those independently to see if there's a particular application or process that stands out.

Some questions:
- Do you have a security suite installed? Many of these suites are overkill, and the ones packaged with internet providers are notoriously bad. Try removing if installed.
- How much physical memory does your PC have? (right-click My Computer - Properties)
- How much memory is "committed" to applications? (CTRL+SHIFT+ESC - Commit Charge)
- Have you checked for rootkits? GMER and TDSSKiller are good starts.
posted by samsara at 5:40 AM on June 28, 2011
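samsara's memory questions and blue_beetle's msconfig step can both be answered without clicking through dialogs. The script below is an added example for this thread, not anyone's posted code; it assumes a Windows host with WMI available and reads only, so nothing is disabled by running it.

```powershell
# Added example (not from the thread): physical memory, commit charge, the
# heaviest processes, and everything registered to start with Windows.
$os = Get-CimInstance Win32_OperatingSystem     # memory figures are reported in KB

$totalMB  = [math]::Round($os.TotalVisibleMemorySize / 1KB)
$freeMB   = [math]::Round($os.FreePhysicalMemory / 1KB)
# Commit charge = virtual memory currently promised to processes (RAM- or pagefile-backed),
# the figure Task Manager shows as "Commit Charge".
$commitMB = [math]::Round(($os.TotalVirtualMemorySize - $os.FreeVirtualMemory) / 1KB)
$limitMB  = [math]::Round($os.TotalVirtualMemorySize / 1KB)

"Physical memory : $totalMB MB total, $freeMB MB free"
"Commit charge   : $commitMB MB of $limitMB MB limit"
if ($commitMB -gt $totalMB) {
    "Commit charge exceeds physical RAM: the machine is paging, which is what a 'slow PC' usually feels like."
}

# Top ten processes by private (committed) bytes: the usual culprits for paging.
Get-Process |
    Sort-Object PrivateMemorySize64 -Descending |
    Select-Object -First 10 Name, Id, @{ n = 'PrivateMB'; e = { [math]::Round($_.PrivateMemorySize64 / 1MB) } } |
    Format-Table -AutoSize

# Startup entries as msconfig's Startup tab sees them (Run keys and Startup folders),
# listed so you can research each one before turning anything off.
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Format-Table -AutoSize -Wrap
```

If the commit charge sits above the physical total most of the day, sammyo's advice to add RAM applies before any malware hunt; if one process dominates the private-bytes list, that is where Process Monitor's I/O view should be pointed first.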
