WinXP/TFTP/CPU overload

Status
Not open for further replies.

neogeek

Technical User
Mar 20, 2004
14
US
Over the past 36 hours, I've been dealing with a problem which seemed to point to the MSBLAST or Welchia Worm. CPU usage shoots up to 100% after my Firewall issues the following Alert: "TFTP App v5.1.2600.0 located in C:\WINDOWS\system32\ has tried to access the Internet"; the CPU usage surge (and subsequent slowdown) occurs as soon as the Alert appears and my "Yes" or "No" has no effect on its behavior. If I stay offline, I'm fine; if I go online, this can take anywhere from 2 to 45 minutes to happen.

I've performed searches of all processes running, done "Find" in my Registry and done a "File Search" in Windows for any indications of infection and found nothing anywhere. I have both scvhost.exe and dllhost.exe where they should be: in my System32 Folder and not in System32\Wins Folder (which would indicate infection, I gather); in fact, my Wins Folder is empty. Nonetheless, I've downloaded the MS XP patches for DCOM/RPC Exploit and WebDAV Exploit. All this has happened since I ran the SFC utility to try to correct a desktop problem I was having; before doing that, I'd never seen a TFTP Alert. I believe this doesn't make sense but it's what has happened. One added curiosity: I've located an scvhost.exe and dllhost.exe in C:\WINDOWS\lastGood.Tmp\system32 and haven't been able to find anything written on this.

I have McAfee VirusScan and am always updated, have run a full manual Scan, have an active Firewall as well as Ad-Aware and Spybot S&D. This system is a Dell Dimension 8100 P4 1.3 GHz w/ 640 RDRAM.

PS. Since starting this thread, I've received a TFTP request twice and since the first one, my performance has slowed to half and I have a scvhost.exe (SYSTEM) running up to 99% of my CPU resources.

Any ideas?
 
If the file that is using 99% resources is scvhost.exe and not svchost.exe then you certainly have a virus installed.

is a good example, but there are several more that use the name scvhost.exe.

I would recommend using a couple of good Online scanners such as the ones suggested in smah's faq FAQ760-3862.

I personally prefer the Trendo micro one.

Greg Palmer
Free Software for Administrators
 
Greg:

Thank you so much for your quick response and profuse apologies for my typo: All running processes in Windows Task Manager read "svchost.exe" (and NOT scvhost.) Nonetheless, I'm going to try Trendo.

John. (neogeek)

PS. And apologies to anyone else I've misled by my typo.
 
UPDATE:

I have just finished running an online System Scan for viruses with Trend Micro One and all partitions/drives are clean!

Here's some old info that I didn't think was relative but perhaps....

Until 6 weeks ago, I had been running WinXP with a BIOS version designed for pre-XP Systems. As a result, I suffered from System instability after about 9 trouble free months. I didn't know about the BIOS/WinXP conflict and discovered it by looking in my Events Viewer. I saw that I was experiencing an ACPI problem that was accumulating instability to the point that I would finally notice it.
Upon becoming aware of this, I updated my Dell BIOS from A06 to XP2; this should have been done before I did the original clean install upgrade from WinMe to WinXP but everything seemed fine until I started having my desktop icons occasionally blink out momentarily when I'd click on one of them. This led me to try running the SFC utility. The rest is documented in my original post at the top of this thread.

WHEW! Sorry for the verbosity; just trying to be thorough. Thanx for any help!

John.
 
Absolutely fascinating at nibbleguru!

I may have solved my problem and thanx very very much to Greg. Although I never found any evidence, I certainly did have all the symptoms so I followed all the advice, instructions and links to possible solutions I could. I went to Microsoft and downloaded every critical/security update I could find (including old ones I assumed I had: eg. KB823980), did the online Scan with Trend Micro (said I was clean as did my updated McAfee), downloaded and ran McAfee Stinger and Norton FixBlast. I've been online for 3 1/2 hours now and there's no sign of the "Trivial File Transfer Protocol" Alert that signaled CPU 100% Usage episode onsets.

I can only assume it was most likely a virus that I couldn't I.D. or a WinXP glitch that one of the myriad of downloads addressed. I'll hold some of my breath for a couple of days and then....celebrate? I'm still concerned that something maybe not even new could get in. And I'd still love to learn what truly happened. Am I being unrealistic? Should I just be glad to be out of the woods? Well, I am BUT...."enquiring minds want to know" as they say.

I'll report back with a confirmation. Is there anything I can do to be of service? Should I be more detailed in all the steps I took/followed?

Again, thank you all so very much.
John.
 
I've just returned from being out of town and I want to thank everyone so very very much for all the help I got. My little P4 is running like a top! These tips and links will certainly enable me to know what to do in any similar situations in the future as well as help others who haven't had the opportunity that being a member affords.

And I know the answer to my question of "What can I do?" It's time to support.
 