SVCHOST.EXE = 98%CPU

  • Foxy
  • Guru
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

*sigh* this came out of the blue, it's slowed down the comp majorly... and it's a brand new installation/format of Windows 2k Pro..
this came out of the blue today and now it slows down majorly, too much to even shut down anything.
it can't be spyware.. well.. I hope not, unless PHP/MySQL/SETI provide spyware, which they don't. Pretty much all I have installed on the comp..

also noticed it's taken three times longer to start up.. and yes I checked startup for "suspicious stuff"


also safe mode is slow... >-<

feels like 1 GHz running at 10 MHz :/
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Where does the svchost.exe program that's running reside? Several viruses/trojans use that, but put it elsewhere, like this relatively new one for example:

http://securityresponse.symantec.com/av ... pcspy.html

Notice how it set that one up in %ProgramFiles%\System
  • Foxy
  • Guru
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

this is odd, I took out the ethernet plug, and boom, it's fast.. put it in.. extra extra extra slow :/
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Yeah -- you have a connection going on that's probably a backdoor trojan or something connecting to an external server. Time to break out the old spyware tools.
  • Foxy
  • Guru
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

ATNO/TW wrote:
Yeah -- you have a connection going on that's probably a backdoor trojan or something connecting to an external server. Time to break out the old spyware tools.


0 spyware - Ad aware PRO SE

0 Spybot -

grr.. :/


perhaps take a lookie at my loggie?
Logfile of HijackThis v1.98.2
Scan saved at 5:58:42 PM, on 10/7/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynuctrl.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynuftp.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynuimap.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynupop3.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynuprxy.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynurly.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynusmtp.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynuweb.exe
C:\WINNT\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dynu Systems\Enterprise Server\esconfig.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\gkniko.exe
C:\WINNT\System32\Nisuxm.exe
C:\WINNT\System32\command32.exe
C:\WINNT\System32\gplmgrseyd.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [VC5Player] "C:\Program Files\HHVcdV5Sys\VC5Play.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dynu Enterprise Server Manager] C:\Program Files\Dynu Systems\Enterprise Server\esconfig.exe -hide
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Compliant] gkniko.exe
O4 - HKLM\..\Run: [Norton Personal Firewall] Nisuxm.exe
O4 - HKLM\..\Run: [candy] command32.exe
O4 - HKLM\..\Run: [WindowsRegKey update] gplmgrseyd.exe
O4 - HKLM\..\RunServices: [Windows Compliant] gkniko.exe
O4 - HKLM\..\RunServices: [Norton Personal Firewall] Nisuxm.exe
O4 - HKLM\..\RunServices: [candy] command32.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] gplmgrseyd.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Windows Compliant] gkniko.exe
O4 - HKCU\..\Run: [WindowsRegKey update] gplmgrseyd.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Quote:

I don't know about this Norton, I never installed any Norton-related programs.. and this Dynu was an ftp program.. that won't uninstall..
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

I was just going to ask about Dynu. So you are saying you aren't using it anymore? At first glance it's almost looking like you're running a web server.

If you are no longer using it, kill those tasks using JrzyCrim's taskill method in this thread:
http://www.ozzu.com/mswindows-forum/highjackthis-and-spyware-removal-resources-and-tips-t31034.html

Then try uninstalling it.

These are the tasks you want to end:

C:\Program Files\Dynu Systems\Enterprise Server\dynuctrl.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynuftp.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynuimap.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynupop3.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynuprxy.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynurly.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynusmtp.exe
C:\Program Files\Dynu Systems\Enterprise Server\dynuweb.exe

C:\mysql\bin\mysqld-nt.exe

C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\Abyss Web Server\abyssws.exe
(both instances)

I would also suggest disabling SETI while you are working through this.

If it still won't let you uninstall -- try uninstalling in safe mode.


I'm thinking that is your culprit.
  • Foxy
  • Guru
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

k, I think I fixed it. Although nothing picked it up, no anti-virus protection program, spyware programs, nothing...

thank god the firewall I installed detected it (gkniko.exe) trying to contact "t4yl0r.zapto.org", which is crazy suspicious to me, I think it's a sort of worm that got through my NAT..
also, I blocked command32.exe, the gg.......exe program... everything except my web server, MySQL, good open source ftp,

oh, I booted in safe mode, and deleted dyn...

is it safe to delete this gkniko.exe? can't find it on the net. so.. I'm changing it to gkniko.exe.bak and seeing if it tries to access... sites.. and.. slow comp...

ok it was those programs! grr... gkniko showed up.. 10 times in msconfig... and gp....exe.... also was a bad file.. yup.. it's a bad bad bad program.. I'm thinking it's a worm. * Hm. should I report this to my anti-virus ppl? or.. something :/
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Probably safe. Let's do it the right way though. Give me a few minutes to check a couple things.
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Well, zapto.org looks like a legit Dynamic DNS service, but the subdomain "t4yl0r" (taylor in plain English) -- looks like somebody found an open port on your system and was trying to take advantage of it. Give me a couple more minutes, but now that you uninstalled Dynu, post a fresh log so I can see what changed -- I want to check a couple more things before we clean up the rest.
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Looks like you picked up the Gaobot worm. Let me see your current log and we'll clean up the remainder. I need to know also are you networked? This worm spreads through network shares and other computers may be infected.

Here's additional info on the worm if you want to read up on it. There's a couple dozen variants, most of which Symantec lists as category two.

http://uk.trendmicro-europe.com/enterpr ... XQ&VSect=T
  • Foxy
  • Guru
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

ATNO/TW wrote:
Looks like you picked up the Gaobot worm. Let me see your current log and we'll clean up the remainder. I need to know also are you networked? This worm spreads through network shares and other computers may be infected.

Here's additional info on the worm if you want to read up on it. There's a couple dozen variants, most of which Symantec lists as category two.

http://uk.trendmicro-europe.com/enterpr ... XQ&VSect=T


Uh, the rest of the network are Apple computers. One is Windows 2k, but it has a firewall prior to this. and well, it doesn't "share"

is Ago new? since no program could pick it up.
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

No not new -- some variants are though.

As soon as you post your log, I'll tell you what else to do to get rid of the rest.
  • Foxy
  • Guru
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

Logfile of HijackThis v1.98.2
Scan saved at 7:27:45 PM, on 10/7/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\command32.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [candy] command32.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Windows Compliant] gkniko.exe
O4 - HKLM\..\RunServices: [Norton Personal Firewall] Nisuxm.exe
O4 - HKLM\..\RunServices: [candy] command32.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] gplmgrseyd.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm


----

ok, yeah, I checked my router logs.

and I had.. a 2hr DoS attack last nite and "Unkown commands" it reported. psh..

seems it got access... somehow..
--
"Sygate Had detected a Application HiJack trying to contact t4yl0r.zapto.org " Nixusm.exe, Gkinko.exe, command32.exe
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Kill this task:
C:\WINNT\System32\command32.exe

Then delete it from System32

Check and Fix the following

O4 - HKLM\..\Run: [candy] command32.exe
O4 - HKLM\..\RunServices: [Windows Compliant] gkniko.exe
O4 - HKLM\..\RunServices: [candy] command32.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] gplmgrseyd.exe


That should get you back to normal.

Afterwards repost the new log just to make sure.

//edit -- yeah -- given what I saw here, not surprised at all to read about your DoS in your logs.
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Also -- just to be on the safe side afterwards, run regedit and look for the following keys. Make sure they don't exist. If they do, delete them:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Win Command = "command32.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Win Command = "command32.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Win Command = "command32.exe"
  • Foxy
  • Guru
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

is command32.exe "command" inside system32?
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

NO.

Make sure you have Explorer set to view hidden files and uncheck the option to hide common file extensions.

You need to find command32.exe (not command) and it will probably be hidden (and probably read only).
  • Foxy
  • Guru
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

ATNO/TW wrote:
NO.

Make sure you have Explorer set to view hidden files and uncheck the option to hide common file extensions.

You need to find command32.exe (not command) and it will probably be hidden (and probably read only).


yeah.. I tried to find it, it couldn't be found ...
and not in registry keys..


anyways here's the log



Logfile of HijackThis v1.98.2
Scan saved at 7:56:31 PM, on 10/7/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINNT\Explorer.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Program Files\Abyss Web Server\abyssws.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Norton Personal Firewall] Nisuxm.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
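As an added illustration (not code from the thread, nor part of HijackThis), a small Python triage script that parses the O4 autostart lines of a HijackThis log and flags the kind of entries the moderator singled out: bare executable names (no path, so Windows resolves them from System32 or the search path) that are registered under the Win9x-era RunServices key or repeated under several autostart keys. The embedded log excerpts are constructed from the first and final logs in this thread; compared against the first log, the final one still carries the leftover RunServices entry for Nisuxm.exe.

```python
import re
from collections import defaultdict

# Constructed excerpts of the O4 (autostart) lines from the thread's first and final logs.
FIRST_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Compliant] gkniko.exe
O4 - HKLM\..\Run: [Norton Personal Firewall] Nisuxm.exe
O4 - HKLM\..\Run: [candy] command32.exe
O4 - HKLM\..\RunServices: [Windows Compliant] gkniko.exe
O4 - HKLM\..\RunServices: [Norton Personal Firewall] Nisuxm.exe
O4 - HKLM\..\RunServices: [candy] command32.exe
O4 - HKCU\..\Run: [Windows Compliant] gkniko.exe
"""
FINAL_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\RunServices: [Norton Personal Firewall] Nisuxm.exe
O4 - HKCU\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe
"""

# O4 - <hive>\..\<key>: [<entry name>] <command line>
O4_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def parse_o4(log):
    """Yield (hive, key, name, executable) per O4 line; the executable is the
    command up to and including the first '.exe', surrounding quotes removed."""
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, cmd = m.groups()
        end = cmd.lower().find(".exe")
        exe = cmd[: end + 4].strip('"') if end != -1 else cmd.split()[0]
        yield hive, key, name, exe

def suspicious_autoruns(log):
    """Bare executable names (no directory, so resolved via the search path)
    that sit under the Win9x-era RunServices key or recur under several keys."""
    keys_by_exe = defaultdict(set)
    for hive, key, _name, exe in parse_o4(log):
        if "\\" not in exe:
            keys_by_exe[exe].add((hive, key))
    return sorted((exe for exe, keys in keys_by_exe.items()
                   if any(k == "RunServices" for _h, k in keys) or len(keys) > 1),
                  key=str.lower)

def still_present(before, after):
    """Suspects from the first log that survive into the follow-up log."""
    return sorted(set(suspicious_autoruns(before)) & set(suspicious_autoruns(after)),
                  key=str.lower)
```

Entries with a full path (the Sygate, Abyss and QuickTime lines) are left alone, and mobsync.exe stays unflagged because it appears once and only under Run.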
  • ATNO/TW
  • Super Moderator
  • Posts: 23455
  • Loc: Woodbridge VA

Post 3+ Months Ago

Looks like you got it nice and tidy sweetie. (what a difference between that and your first log post, eh?*lol) Cheers!
  • Foxy
  • Guru
  • Posts: 1038
  • Loc: places..

Post 3+ Months Ago

ATNO/TW wrote:
Looks like you got it nice and tidy sweetie. (what a difference between that and your first log post, eh?*lol) Cheers!

thanks! :D
strangely, my ftp server now works for the first time :|

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.