Over Christmas, trusty, aging Compaq 1750NX got into trouble. First darling daughter, home for the holidays, websurfed somewhere evil and infected him with a rootkit. After blowing said rootkit away with TDSSKiller, and a second one with ComboFix, poor old desktop still ran SLOW. In good shape he used to boot up in 45 seconds. Now he was taking two minutes. And everything ran SLOW. The audio stuttered while playing the Windows startup "Ka Ching" sound. Task Manager was showing 80 to 90 percent CPU usage when nothing was running.
I finally tracked it down and fixed it. I ran Process Explorer, a fancier version of Task Manager. Process Explorer showed me that hardware interrupts were sucking up all the CPU time. A quick Google ("hardware interrupt virus") got a lot of hits, from which I learned that Windows was shooting itself in the foot.
The disk drive is supposed to transfer disk data to main memory using "direct memory access" (DMA), whereby blocks of data are moved into memory without CPU work. For nostalgia's sake there is a primitive mode called programmed I/O (PIO), whereby the CPU has to move disk data byte by byte (one move instruction per byte) and the drive interrupts the CPU when each byte is ready to move. PIO was used back in the dawn of computing, and the PIO mode is a historical curiosity. Somehow, the disk driver software had put the disk into PIO mode, slowing the entire computer.
How to fix:
Start Device Manager (Start->Settings->Control Panel->System->Hardware->Device Manager). Click on IDE ATA/ATAPI controllers. Click on "Primary IDE Channel". Click on "Advanced Settings". If "Transfer Mode" shows as "PIO", that's your trouble. The three boxes ought to read "Device Type: Auto Detect", "Transfer Mode: DMA if available", "Current Transfer Mode: Ultra DMA Mode 5".
If the boxes are wrong, you can fix it by forcing Windows to remove and reinstall the driver. Click on the "Driver" tab. Then click "Uninstall". Windows will then ask to reboot. Let it. That's it. All fixed.
You don't need to get into Process Explorer; that was just the aid that tipped me off to what was happening. Just go to Device Manager and inspect the IDE ATA/ATAPI controllers.
This is NOT a virus, it's a bug in Windows.
This blog posts about aviation, automobiles, electronics, programming, politics and such other subjects as catch my interest. The blog is based in northern New Hampshire, USA
Showing posts with label Process Explorer.
Friday, January 3, 2014
Sunday, February 24, 2013
Virus Hunting
Where do you look for virii? Simple: you look in computer memory (RAM). Computer programs of any kind have to be loaded into memory to work at all. Windows uses the name "process" for each piece of programming loaded into RAM. Process Explorer is a freeware program that lists all the processes loaded into memory. It can be downloaded from the web. Just Google for "Process Explorer" to find a site to download it from.
When running, Process Explorer displays a list of all programs loaded in memory, and thus runnable. A typical computer will have about 30 processes loaded. Most of these processes are parts of Windows and are supposed to be there. But if you have a virus, it will show up in Process Explorer.
So how does one tell the harmless and necessary parts of Windows from virii? Just right-click on the process name and Process Explorer will Bing (Microsoft's Google competitor) the internet for information on the program name. Cool. You will get dozens of hits on every process name.
You want to read a number of them. Many of the hits are from websites offering magical Windows Washing programs. I don't trust magical Windows Washers; they can be virii themselves, or they can break your computer. But postings from Microsoft.com, Da Tech Guy, Bleeping Computer, CNET and many others are reliable. Take a preponderance of evidence. If all the posts say it's part of Windows, or all the posts say it's a virus, you know where you are at. If most of the posts are wishy-washy, and the single post that calls it a virus sounds like a rant, then it means no one really knows what it is.
So what do you do when you find a virus lurking in RAM? It only gets into RAM by loading itself off disk at boot time. You have to use Windows Explorer to find it on disk and zap it. In fact, just to make sure it's really gone, I'd empty the trash after deleting the file.
This is hand-to-hand virus fighting. You only need to get into this sort of thing after your anti-virus program[s] have failed to kill it.
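The sorting described above can be turned into a first-pass triage script. The following Python is an added example, not code from the blog or from the Process Explorer authors: it reads a constructed name/PID/path listing of the kind Process Explorer shows and flags two things before any web research starts: names it does not recognise (to be looked up, as the post describes) and familiar Windows names that load from a directory other than the one they belong in. The allow-list of expected process names and directories is an assumption for the example, not a complete inventory of any Windows version.

```python
"""Triage a Windows process listing the way the post describes, in code.

Added example, not code from the blog. Input is a listing of process name,
PID and image path (the columns Process Explorer shows). Two cheap checks:
  1. a name missing from a small allow-list of core Windows processes is
     UNKNOWN and worth researching, exactly as the post suggests;
  2. a familiar Windows name running from the wrong directory is
     SUSPICIOUS, since malware commonly borrows a system name to blend in.
The allow-list and the sample rows are constructed for this example.
"""
import csv
import io
from pathlib import PureWindowsPath

# Core Windows images and the directory each normally runs from
# (constructed, deliberately short; extend it for your own Windows build).
EXPECTED_DIR = {
    "system": None,                       # kernel pseudo-process, no image path
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample listing; one svchost.exe runs from a user's Temp folder.
SAMPLE_LISTING = """\
"Image Name","PID","Path"
"System","4",""
"smss.exe","340","C:\\Windows\\System32\\smss.exe"
"svchost.exe","812","C:\\Windows\\System32\\svchost.exe"
"svchost.exe","2044","C:\\Users\\guest\\AppData\\Local\\Temp\\svchost.exe"
"explorer.exe","1520","C:\\Windows\\explorer.exe"
"procexp.exe","3300","C:\\Tools\\procexp.exe"
"""


def parse_listing(text):
    """Parse the CSV listing into dicts with a lower-cased image name."""
    return [
        {"name": row["Image Name"].lower(), "pid": int(row["PID"]), "path": row["Path"]}
        for row in csv.DictReader(io.StringIO(text))
    ]


def classify(proc):
    """Return OK, UNKNOWN or SUSPICIOUS for one process record."""
    if proc["name"] not in EXPECTED_DIR:
        return "UNKNOWN"
    expected = EXPECTED_DIR[proc["name"]]
    if expected is None:
        return "OK"
    # Compare the directory the image actually loaded from, case-insensitively.
    actual = str(PureWindowsPath(proc["path"]).parent).lower()
    return "OK" if actual == expected else "SUSPICIOUS"


def triage(text):
    """Map PID -> (name, path, verdict) for every row in the listing."""
    return {p["pid"]: (p["name"], p["path"], classify(p)) for p in parse_listing(text)}


if __name__ == "__main__":
    for pid, (name, path, verdict) in sorted(triage(SAMPLE_LISTING).items()):
        print(f"{verdict:10} {pid:>5}  {name:14} {path}")
```

An UNKNOWN verdict is not an accusation; it only marks the names that still need the "preponderance of evidence" research the post describes. SUSPICIOUS is the stronger signal, because a genuine Windows component has no reason to load from a user's Temp folder, and that path is also where the post says to go with Windows Explorer to remove the file.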