 Post subject: SVCHOST at 99% cpu after spyware removed
PostPosted: Wed Nov 30, 2005 3:41 pm 
Hero Member
Spy Sheriff was cleaned up by Spy Sweeper.

SVCHOST has taken over my computer. I have been able to kill the process thru Process Explorer from sysinternals. Then I get my pc back until reboot.

I cannot see who the offending pgm or service is that has launched a copy of SVCHOST for itself.

Does anybody know how to track down this last step ?

Thanks


PostPosted: Wed Nov 30, 2005 4:00 pm 
Administrator
Get Spybot Search and Destroy and look at all your startup keys. You gotta run the PC in safe mode (if you can now) and run full scans of spyware and AV to kill anything remaining. Also find any folders and files, including your temp files, that were related to the problem and nuke them.



PostPosted: Wed Nov 30, 2005 7:54 pm 
Hero Member
NECROSIS wrote:
Get Spybot Search and Destroy and look at all your startup keys. You gotta run the PC in safe mode (if you can now) and run full scans of spyware and AV to kill anything remaining. Also find any folders and files, including your temp files, that were related to the problem and nuke them.


Nothing sees this thing but me. I still cannot get into safe mode.

If I could disable the service I could be fine until the holidays and rebuild it better.


PostPosted: Wed Nov 30, 2005 8:03 pm 
Administrator
Are you not able to get the safe mode menu? Or after you get the menu you cannot get it to start?

You could put in your Windows CD and do a Windows repair...



PostPosted: Wed Nov 30, 2005 9:42 pm 
Hero Member
Bingo - I was thinking the same thing. To answer your question, it never sees the F8 key, which is why I tried two keyboards; I have been known to spill green tea on them and it could have been shorted out.

I will try to find a WIN2K CD, boot from it and then either repair or run a virus scan. I don't think I will be able to affect the service, which is being used and is a valid service; it just got itself hijacked.

After that I think there is enough time invested here that I might as well just get a tiny drive and put XP on it; that's much better as far as security, I was told. Are you inclined to agree? I wonder if the Windows anti-virus product works in Win2K? I have read it fixes a few things too.


PostPosted: Thu Dec 01, 2005 1:45 am 
Full Member
Open up a DOS box and type the following:

tasklist /svc


try to find the svchost.exe associated with the one you see in the task manager which is sucking up your CPU. You'll probably need to add the PID column to the display.

Maybe this will help you narrow down what the problem is ..


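The `tasklist /svc` approach from the post above, worked through as an added example that is not part of this thread: a small Python script that parses `tasklist /svc` output and maps the PID that Process Explorer or Task Manager shows pegged back to the list of services that particular svchost.exe instance hosts, so the suspect service can be narrowed down before anything is disabled. The sample output embedded below is constructed to mimic the `tasklist /svc` format of Windows XP (image name, PID, comma-separated service list, with long lists wrapping onto indented continuation lines); the PIDs and service groupings are made up for illustration.

```python
"""Map a busy svchost.exe PID back to the services it hosts.

Input is the text printed by `tasklist /svc`. Added example; the sample
below is constructed, not captured from a real machine.
"""
import re
from collections import OrderedDict

# Constructed sample of `tasklist /svc` output (PIDs/services made up).
SAMPLE_TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       404 N/A
services.exe                   632 Eventlog, PlugPlay
svchost.exe                    820 RpcSs
svchost.exe                    896 AudioSrv, CryptSvc, Dhcp, dmserver, ERSvc,
                                   EventSystem, helpsvc, lanmanserver,
                                   Schedule, seclogon, SENS, wuauserv
svchost.exe                    948 Dnscache
explorer.exe                  1408 N/A
"""

# A process row: image name (may contain spaces), a numeric PID, then the
# service list or "N/A". Header and "=====" lines have no numeric PID and
# therefore never match.
_ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")
# A wrapped continuation of the previous row's service list: indented text.
_CONT = re.compile(r"^\s+(?P<services>\S.*)$")


def _split_services(field):
    """Turn 'A, B, C,' into ['A', 'B', 'C']; 'N/A' means no services."""
    field = field.strip()
    if field == "N/A":
        return []
    return [s.strip() for s in field.split(",") if s.strip()]


def parse_tasklist_svc(text):
    """Return an ordered {pid: (image_name, [service, ...])} mapping."""
    procs = OrderedDict()
    current = None
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            pid = int(m.group("pid"))
            procs[pid] = (m.group("image"), _split_services(m.group("services")))
            current = pid
            continue
        m = _CONT.match(line)
        if m and current is not None:
            # Fold the wrapped service names into the row that started them.
            procs[current][1].extend(_split_services(m.group("services")))
    return procs


def hosts_of_service(procs, service):
    """PIDs of every process hosting `service` (names compared case-insensitively,
    as Windows service names are)."""
    wanted = service.lower()
    return [pid for pid, (_, svcs) in procs.items()
            if wanted in (s.lower() for s in svcs)]


def describe_pid(procs, pid):
    """One-line summary for the PID that is eating the CPU."""
    if pid not in procs:
        return "PID %d not present in tasklist output" % pid
    image, svcs = procs[pid]
    if not svcs:
        return "PID %d is %s and hosts no services" % (pid, image)
    return "PID %d is %s hosting %d service(s): %s" % (
        pid, image, len(svcs), ", ".join(svcs))


if __name__ == "__main__":
    # Replace SAMPLE_TASKLIST_SVC with the real output, e.g.
    #   tasklist /svc > svc.txt   and   parse_tasklist_svc(open("svc.txt").read())
    table = parse_tasklist_svc(SAMPLE_TASKLIST_SVC)
    for pid, (image, _) in table.items():
        if image.lower() == "svchost.exe":
            print(describe_pid(table, pid))
```

An svchost instance that hosts a single service (the 820 row in the constructed sample) points straight at that service; one hosting a dozen still has to be narrowed further, for instance by stopping services one at a time in the Services console and watching whether the CPU drops.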
PostPosted: Thu Dec 01, 2005 4:18 am 
Hero Member
OK here is the dealio guys.

Don't get this one, there is no fix :)

Name: RpcxSs Trojan. It humps Svchost, which is legitimate. The Remote Procedure Call (RPC) Extension Service in Win2K is vulnerable; however, the previous fix from Microsoft does not stop it. You cannot start in safe mode either, and none of 6 spyware/viri tools could even recognize it.

Hell HijackThis never even saw the same service I could see in SERVICES.

Fuggetabout it. I exported the Registry entry and then DELETED it.

Now if I really need copy/paste or add/remove programs I will put it back in then rip it out again.

This should break a few other things but allow me to continue limping along doing oracle work on my twin 21's without saving 1Terabyte of data and reinstalling the world.

And I seriously doubt QUAKE IV relies on RPC DCOM copy paste etc.

LOL!!!


PostPosted: Thu Dec 01, 2005 1:29 pm 
Hero Member
This is just a friendly reminder: before you wipe your hard drive, remember to back up your data.

Not backing up your wife's files is like Goose ejecting before the canopy was clear. So make a second backup of her stuff. :D



PostPosted: Thu Dec 01, 2005 5:17 pm 
Hero Member
Commander Keen wrote:
This is just a friendly reminder: before you wipe your hard drive, remember to back up your data.

Not backing up your wife's files is like Goose ejecting before the canopy was clear. So make a second backup of her stuff. :D


Actually Keen, she inherited my old machine when I built my first gamer 12 months ago. What I need to do and correct me if I am wrong is the following:

1) Get a DVD burner not just a player
2) Burn tons of pics and movies of my family onto DVD backups instead of CD's
3) Clear all of that off of my machine
4) Put in a small cheap Disk drive on my ailing machine
5) Install xp and crank it up with patches installs and anti-viri
6) Harvest data from infected disk to existing big 2nd disk
7) Totally format infected disk ( then boot=small, 2nd=big&clean, 3rd=big&full)

Her machine:

1) Backup her data to DVD ( not much here, need her in the driver seat )
2) Format and start over; it's years old and bloated.


One thing that will make this tough is that since putting in my 54WG wireless router/firewall the Windows machines can no longer see each other. I spent half a day trying to get them to do so. I set up workgroups, I loaded NetBIOS drivers, I opened up the firewall. I have no idea why Windows machines on the same network cannot simply connect.

Any ideas ?


PostPosted: Thu Dec 01, 2005 5:25 pm 
Hero Member
What OS are they? Did you enable file and print sharing on both of them (and restrict it to those two machines)? Do you have at least one shared folder on each of those boxes?

My old Win98SE box and my shiny new XP one are on good speaking terms, using the Linksys wireless & VoIP router and USB adapter I bought so I could switch to Vonage.


PostPosted: Thu Dec 01, 2005 5:39 pm 
Hero Member
The annoying thing is they were sharing the files and printer before the hub/router/firewall upgrade. I have tried everything with the darn config and it does not help, but my buddy who recommended it has no problem; I am sure he runs a domain, whereas I do not.

The error is always 'Network name not found' so they can ping each other but cannot share.


PostPosted: Thu Dec 01, 2005 7:38 pm 
Hero Member
I wish I had a place to upload a large ISO image; I'd introduce you to Bart PE.

Microsoft has a "Preinstallation Environment" or PE that is in its own right an OS. One pioneering dude created a bootable CD-ROM loaded with utilities that could help you clean up your disk without having to do all of that.

I could snail mail one to you I guess, but talking you through making one is almost as tough if not tougher than talking you through loading Linux.

It's just that tough, every time I update my Bart PE image I have to relearn it all over again.

Basically what you get is a CD that boots up to a Start menu like program and allows you to run programs like SpyBOT S&D and Adaware against your hard drive without the Malware being in memory.

Once you get as jacked up as it sounds you are, you are right, you will need a way to boot clean and then cleanse the drive. Bart PE would do that from one CD-ROM.

Here are some links if you want to try and figure it out...

http://www.ubcd4win.com << easier of the 2 but no SpybotS&D

http://www.nu2.nu/pebuilder << the original but tougher

http://www.bootcd.us/BartPE_Plugins_Repository.php << get spybot S&D and more here (hard to follow)

bart PE tutorial

direct link to spybot plugin

Keep in mind you can add the plugin to the "Ultimate Boot CD" too, but these instructions explain how to add it to Bart's CD.



PostPosted: Thu Dec 01, 2005 7:44 pm 
Hero Member
Late breaking news...

Microsoft has a free online tuneup service that's worth a shot...

http://safety.live.com

...let it install and scan on your PC you may get lucky.



PostPosted: Thu Dec 01, 2005 7:47 pm 
Hero Member
Commander Keen wrote:
Late breaking news...

Microsoft has a free online tuneup service that's worth a shot...

http://safety.live.com

...let it install and scan on your PC you may get lucky.


Cool, I am gonna try that one!


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group
twilightBB Style by Daniel St. Jules of Gamexe.net