I had a similarly hard-to-find malware problem. Not DPC but constant attempts to use IE to connect to various internet sites that Zone Alarm (my firewall) blocked.
I tried Zone Alarm AV, AVG Anti-Spyware, AVG Anti-Rootkit, Ad-Aware, and Spybot S&D. Nothing. Finally PC Tools Spyware Doctor - the trial version - detected a rootkit called core.sys and other related Registry entries that were the cause of my problem.
Try Spyware Doctor. It worked for me.
How are you identifying the problem?
Mark,
Have been following your accounts of problems with Deferred Procedure Calls. How are you identifying these as the problem with CPU usage?
I used Process Explorer from
I used Process Explorer from www.sysinternals.com.
Stopping the problem
I know I'm late to the topic - but my laptop had the same symptoms as yours until I turned off automatic updates. Now I just manually check once a week - and my laptop has stopped the miserable 'pauses'.
Interesting
A couple of people have suggested the same thing, but when I killed off the update processes the DPC rate didn't drop. Unless there's something else involved in updating, that would seem to indicate that automatic updates aren't the cause.
RE: Could malware...
I dumped Zone Alarm a long time ago because it was eating up machine cycles on my w2k box -- and I'm NAT'd, so it wasn't Internet traffic that was nailing me, but I do run a small test network. I think ZA was overreacting to LAN traffic.
From ZA I went to Comodo's Personal Firewall -- a superior product, but it was much too "chatty", always asking for permission to allow this or that. I grew weary of the constant interruptions.
I left AVG long ago -- they just weren't scoring well enough in independent testing. I went to NOD32 for my AV solutions and Sysinternal's Rootkit Revealer, combined with Rootkit Unhooker. I dropped Spybot S&D when they went to their new version, which tries to use the host file to blacklist sites. A lame move; it crippled all my browsers. Instead I ran Spyware Blaster and Winpatrol -- S&D only protects Micro$oft's browser, btw, and I don't use Micro$oft. I stayed with the newest Ad-Aware.
Notice that I've been speaking in past tense. All that has been removed. I'm now using ESET's Security Suite. It covers all those bases, and more. I was impressed with their NOD32 and upgraded to ESS. They have excellent tech support, provided by folks with English as a first language. I dropped half a dozen programs for a single solution, and reduced the number of running processes, improving performance while improving protection. That's a win-win in my book.
network problems (NDIS)
You probably found the issues affecting your computer by now. I just fixed a similar problem on my PC. It came packaged with a host of viruses (W32.blackbird.exe & Win32.agent??? amongst them). These kept my anti virus (PC-cillin) programme busy while it apparently installed a number of hidden files on my PC. These included nethlpr.exe, aiqpbter.chm, NDIS, ndisaluo.sys and ntio922.sys. I don't run windows from my C-drive, but nethlpr.exe was installed there and did run under XP. Spybot and a number of other programmes did not pick them up and a normal XP search didn't find them either. After a number of days of searching for a suitable programme, I found PREVXCSI. This found the 5 files mentioned earlier. I kept WIN98SE on my system, so rebooted in safe mode in 98SE and the files (except NDIS) were visible here. I deleted them, rebooted in XP and there was no activity unless I initiated it. I found nethlpr.exe by running cmd.exe netstat -b, which shows you the initiating process of active connections. I also had a lot of sync_??? processes running when it was infected. All gone now. It appears that static.reverse.ltdomains.com was the culprit and I have the feeling it was generating spam from my machine, but I'm not sure. How can I kill the compromised NDIS driver/protocol without harming my machine?
Thanks, Willem