Security Basics mailing list archives

RE: Possible worm infection or something else?


From: "Osvaldo Casagrande" <ocasagrande () diviserv com>
Date: Tue, 2 Dec 2003 08:26:16 -0300

Hi, I had the same problem on a server and we solved it by deleting and
re-creating the Removable Storage database.
The problem was a service binding to svchost services. Microsoft has a
tool that shows which services are running in each instance of svchost.


Osvaldo Casagrande
Services Manager
DiviServ SA
ocasagrande () diviserv com
Asuncion - Paraguay
595-21-613828/9
DiviServ SA - Keeping your IT working 7x24 
DiviServ SA - Microsoft Gold Partner for Support and Services 
Protected by Symantec Antivirus 



-----Original Message-----
From: Kris Wingard [mailto:krisw () csrinc com]
Sent: Monday, December 01, 2003 1:31 PM
To: Giancarlo Ballestracci - IT & Technical Support
Cc: security-basics () securityfocus com; focus-virus () securityfocus com
Subject: RE: Possible worm infection or something else?


I would have to agree that you are having a driver conflict if it is ok
in safe mode.  Have you tried selective startup to troubleshoot from
that angle?

-----Original Message-----
From: Firefly Digital Media [mailto:brian () fireflydigitalmedia com] 
Sent: Friday, November 28, 2003 6:48 PM
To: Giancarlo Ballestracci - IT & Technical Support
Cc: security-basics () securityfocus com; focus-virus () securityfocus com
Subject: RE: Possible worm infection or something else?

I had the same problem with an XP machine, it ended up being junky
drivers. (HP junk) Is your system in question a Hewlett Packard?

Brian

-----Original Message-----
From: Giancarlo Ballestracci - IT & Technical Support
[mailto:giancarlo.ballestracci () progenit it]
Sent: Friday, November 28, 2003 3:41 AM
To: security-basics () securityfocus com; focus-virus () securityfocus com
Subject: Possible worm infection or something else?
Importance: High


Hi The Group,
I hope someone can give me some good advice about this problem. I have a
notebook with multiboot startup (2 Win2k, 1 WinXP). On the first
partition's Win2k, svchost.exe takes 100% of the CPU's resources. The
system is regularly patched (SP4 and all the latest hotfixes), and the
personal firewall and antivirus clients are updated. Scans with Symantec
and Trend Micro have found nothing. I've tried to shut down all the
services possible, without good results. I've also removed the last six
applications installed: nothing happened. Only in safe mode (clear...)
does the CPU work fine. Is it possible that a (new) worm is sleeping
inside the client? Initially, I thought about the Blaster worm... I've
also checked the system registry, but there is nothing strange in the
RUN key of LOCAL MACHINE.

Can anybody enlighten me?

Thanks in advance

Giancarlo
IT Manager
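
The first reply in this thread mentions a Microsoft tool that shows which services run in each svchost instance, without naming it. The PowerShell script below is an added example, not part of the thread or any poster's code; it builds the same mapping with standard CIM classes and adds CPU time and an image-path check so a busy or misplaced svchost.exe stands out. The expected paths assume a default Windows install under `%SystemRoot%`.

```powershell
# Added example (not from the thread): list every svchost.exe instance with
# the services it hosts, its accumulated CPU time, and whether its image
# path is one of the locations Windows normally uses.
# Run elevated; without elevation ExecutablePath can come back empty.

# Build a lookup: host process ID -> names of the running services inside it.
$svcByPid = @{}
foreach ($s in Get-CimInstance -ClassName Win32_Service -Filter "State='Running'") {
    $key = [int]$s.ProcessId
    if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
    $svcByPid[$key] += $s.Name
}

# Assumption: default install layout. SysWOW64 holds the 32-bit copy on
# 64-bit Windows and is also a legitimate location.
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

$report = foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter "Name='svchost.exe'") {
    $procId = [int]$p.ProcessId
    $gp = Get-Process -Id $procId -ErrorAction SilentlyContinue

    [pscustomobject]@{
        PID         = $procId
        # Total processor seconds since the process started.
        CpuSeconds  = if ($gp -and $gp.CPU) { [math]::Round($gp.CPU, 1) } else { $null }
        # A genuine service host is launched with "-k <group>".
        CommandLine = $p.CommandLine
        Path        = $p.ExecutablePath
        PathOk      = ($expectedPaths -contains $p.ExecutablePath)
        # An empty list means no registered service claims this process.
        Services    = ($svcByPid[$procId] -join ', ')
    }
}

# Busiest instance first; the Services column is the list of candidates to
# stop one at a time when isolating the one that is consuming the CPU.
$report | Sort-Object -Property CpuSeconds -Descending |
    Format-Table -AutoSize -Wrap
```

An instance with `PathOk` false or an empty `Services` column deserves a closer look before assuming a driver or service fault.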

