Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Basics: RE: Possible worm infection or something else?

RE: Possible worm infection or something else?

From: Osvaldo Casagrande <ocasagrande_at_diviserv.com>
Date: Tue, 2 Dec 2003 08:26:16 -0300

Hi, I had the same problem on a server and we solve deleting and
re-creating Removable Storage database.
The problem was a services binding to svchost services. Microsoft has a
tool that shows what service are running at each instance of svchost

Osvaldo Casagrande
Gerente de Servicios
DiviServ SA
ocasagrande_at_diviserv.com
Asuncion - Paraguay
595-21-613828/9
DiviServ SA - Keeping your IT working 7x24
DiviServ SA - Microsoft Gold Partner for Support and Services
Protected by Symantec Antivirus

-----Mensaje original-----
De: Kris Wingard [mailto:krisw_at_csrinc.com]
Enviado el: Lunes, 01 de Diciembre de 2003 01:31 p.m.
Para: Giancarlo Ballestracci - IT & Technical Support
CC: security-basics_at_securityfocus.com; focus-virus_at_securityfocus.com
Asunto: RE: Possible worm infection or something else?

I would have to agree that you are having a driver conflict if it is ok
in safe mode. Have you tried selective startup to troubleshoot from
that angle?

-----Original Message-----
From: Firefly Digital Media [mailto:brian_at_fireflydigitalmedia.com]
Sent: Friday, November 28, 2003 6:48 PM
To: Giancarlo Ballestracci - IT & Technical Support
Cc: security-basics_at_securityfocus.com; focus-virus_at_securityfocus.com
Subject: RE: Possible worm infection or something else?

I had the same problem with an XP machine, it ended up being junky
drivers. (HP junk) Is your system in question a Hewlett Packard?

Brian

-----Original Message-----
From: Giancarlo Ballestracci - IT & Technical Support
[mailto:giancarlo.ballestracci_at_progenit.it]
Sent: Friday, November 28, 2003 3:41 AM
To: security-basics_at_securityfocus.com; focus-virus_at_securityfocus.com
Subject: Possible worm infection or something else?
Importance: High

Hi The Group,
I hope someone get me a good advice about this problem. I have a
notebook with multiboot startup (2 Win2k, 1 WinXP). On the first
partition Win2k, svchost.exe take the 100% of CPU's resources. The
system is regularly patched (SP4 and all the latest Hot Fixes), personal
firewall and Antivirus clients updated. Scans with Symantec and Trend
Micro have nothing found. I've tried to shut down all the services
possible, without good result. I've also removed the last six
applications installed on: nothing happen. Only in safe mode (clear...),
the CPU work fine. It's possible that a (new) worm sleep inside the
client? Initially, I have thought about a Blaster Worm... I've checked
also the system registry, but nothing strange in on RUN key of LOCAL
MACHINE.

Anybody can light me?

Thanks in advance

Giancarlo
IT Manager

------------------------------------------------------------------------ 

---
------------------------------------------------------------------------
----
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
------------------------------------------------------------------------
---
------------------------------------------------------------------------
----
---------------------------------------------------------------------------
----------------------------------------------------------------------------
Received on Dec 02 2003
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos