подозрение на вирус.. svchost

подозрение на вирус.. svchost

foxbat

Старожил

Сообщения: 402
Благодарности: 8

Добрый час. Ситуация такая:
На серванте (2х2 камня) под winsvr 2003, с недавних пор наблюдается такая проблема:
svchost.exe постоянно грузит проц на 25 процентов, памяти жрёт до 1.8 Гб (!), бывает меньше...
После перезагрузки проблема исчезает на некоторое время.

Process explorer указывает что проблема в службе C:\WINDOWS\system32\svchost.exe -k DcomLaunch (запуск серверных процессов DCOM).
А именно в потоке 3948, стартовый адрес !MulDiv+0x120.

Process monitor показал следующее по этому потоку:

Код:

10:07:02,2279568,"svchost.exe","684","RegQueryValue","HKLM\SOFTWARE\Microsoft\m1133","NAME NOT FOUND","Length: 144","3948"
10:07:02,2279639,"svchost.exe","684","RegCloseKey","HKLM\SOFTWARE\Microsoft","SUCCESS","","3948"
10:07:02,2279785,"svchost.exe","684","CreateFile","C:\","SUCCESS","Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened","3948"
10:07:02,2279933,"svchost.exe","684","QueryNameInformationFile","C:\","SUCCESS","Name: \","3948"
10:07:02,2280019,"svchost.exe","684","QueryInformationVolume","C:\","SUCCESS","VolumeCreationTime: 09.04.2008 17:06:11, VolumeSerialNumber: A47D-2982, SupportsObjects: True, VolumeLabel: SYSTEM","3948"
10:07:02,2280093,"svchost.exe","684","CloseFile","C:\","SUCCESS","","3948"
10:07:02,2280335,"svchost.exe","684","RegQueryValue","HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial","NAME NOT FOUND","Length: 144","3948"
10:07:02,2280419,"svchost.exe","684","QueryStandardInformationFile","C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat","SUCCESS","AllocationSize: 32В 768, EndOfFile: 32В 768, NumberOfLinks: 1, DeletePending: False, Directory: False","3948"
10:07:02,2280499,"svchost.exe","684","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings","NAME NOT FOUND","","3948"
10:07:02,2280739,"svchost.exe","684","RegOpenKey","HKU\S-1-5-18","SUCCESS","","3948"
10:07:02,2280869,"svchost.exe","684","RegCloseKey","HKU\.DEFAULT","SUCCESS","","3948"
10:07:02,2280967,"svchost.exe","684","QueryStandardInformationFile","C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat","SUCCESS","AllocationSize: 32В 768, EndOfFile: 32В 768, NumberOfLinks: 1, DeletePending: False, Directory: False","3948"
10:07:02,2281039,"svchost.exe","684","QueryStandardInformationFile","C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat","SUCCESS","AllocationSize: 32В 768, EndOfFile: 32В 768, NumberOfLinks: 1, DeletePending: False, Directory: False","3948"
10:07:02,2281098,"svchost.exe","684","QueryStandardInformationFile","C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat","SUCCESS","AllocationSize: 32В 768, EndOfFile: 32В 768, NumberOfLinks: 1, DeletePending: False, Directory: False","3948"
10:07:02,2281210,"svchost.exe","684","RegCreateKey","HKLM\Software\Microsoft\DownloadManager","SUCCESS","","3948"
10:07:02,2281351,"svchost.exe","684","RegQueryValue","HKLM\SOFTWARE\Microsoft\DownloadManager\CacheOk","NAME NOT FOUND","Length: 144","3948"
10:07:02,2281429,"svchost.exe","684","RegCloseKey","HKLM\SOFTWARE\Microsoft\DownloadManager","SUCCESS","","3948"
10:07:02,2282417,"svchost.exe","684","QueryOpen","C:\WINDOWS\Temp","SUCCESS","CreationTime: 09.04.2008 17:06:19, LastAccessTime: 27.06.2010 10:01:11, LastWriteTime: 27.06.2010 10:01:11, ChangeTime: 27.06.2010 10:01:11, AllocationSize: 0, EndOfFile: 0, FileAttributes: DNCI","3948"
10:07:02,2282577,"svchost.exe","684","RegOpenKey","HKLM\Software\Microsoft","SUCCESS","","3948"
10:07:02,2282712,"svchost.exe","684","RegQueryValue","HKLM\SOFTWARE\Microsoft\m1131","NAME NOT FOUND","Length: 144","3948"
10:07:02,2282786,"svchost.exe","684","RegCloseKey","HKLM\SOFTWARE\Microsoft","SUCCESS","","3948"
10:07:02,2282854,"svchost.exe","684","RegOpenKey","HKLM\Software\Microsoft","SUCCESS","","3948"
10:07:02,2282967,"svchost.exe","684","RegQueryValue","HKLM\SOFTWARE\Microsoft\m1132","NAME NOT FOUND","Length: 144","3948"
10:07:02,2283038,"svchost.exe","684","RegCloseKey","HKLM\SOFTWARE\Microsoft","SUCCESS","","3948"
10:07:02,2283105,"svchost.exe","684","RegOpenKey","HKLM\Software\Microsoft","SUCCESS","","3948"
10:07:02,2283218,"svchost.exe","684","RegQueryValue","HKLM\SOFTWARE\Microsoft\m1133","NAME NOT FOUND","Length: 144","3948"
10:07:02,2283288,"svchost.exe","684","RegCloseKey","HKLM\SOFTWARE\Microsoft","SUCCESS","","3948"
10:07:02,2283429,"svchost.exe","684","CreateFile","C:\","SUCCESS","Desired Access: Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: None, AllocationSize: n/a, OpenResult: Opened","3948"
10:07:02,2283574,"svchost.exe","684","QueryNameInformationFile","C:\","SUCCESS","Name: \","3948"
10:07:02,2283659,"svchost.exe","684","QueryInformationVolume","C:\","SUCCESS","VolumeCreationTime: 09.04.2008 17:06:11, VolumeSerialNumber: A47D-2982, SupportsObjects: True, VolumeLabel: SYSTEM","3948"
10:07:02,2283729,"svchost.exe","684","CloseFile","C:\","SUCCESS","","3948"
10:07:02,2283963,"svchost.exe","684","RegQueryValue","HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial","NAME NOT FOUND","Length: 144","3948"
10:07:02,2284047,"svchost.exe","684","QueryStandardInformationFile","C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat","SUCCESS","AllocationSize: 32В 768, EndOfFile: 32В 768, NumberOfLinks: 1, DeletePending: False, Directory: False","3948"
10:07:02,2284127,"svchost.exe","684","RegOpenKey","HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings","NAME NOT FOUND","","3948"
10:07:02,2284364,"svchost.exe","684","RegOpenKey","HKU\S-1-5-18","SUCCESS","","3948"
10:07:02,2284494,"svchost.exe","684","RegCloseKey","HKU\.DEFAULT","SUCCESS","","3948"

Проверялся NOD32 (2.7 версии) ничего не нашёл. Куда дальше копать не знаю, идеи кончились. Как то это выглядит что что то пытается с инетом соединиться, у меня файр стоит. Автообновление отключено. Может кто чего скажет по этой проблеме ?
По сетевой активности (tcpview) вот этот проц:
Код:
svchost.exe 684 UDP server:1274 *:*

что значит *:* ? на все адреса на все порты ??

Отправлено: 12:42, 27-06-2010

icotonev

Старожил

Сообщения: 288
Благодарности: 90

Профиль | Отправить PM | Цитировать

foxbat, Опять же - извините за неудобства....!

Отправлено: 14:06, 28-06-2010 | #11

Для отключения данного рекламного блока вам необходимо зарегистрироваться или войти с учетной записью социальной сети.

Если же вы забыли свой пароль на форуме, то воспользуйтесь данной ссылкой для восстановления пароля.

Drongo

Будем жить, Маэстро...

Сообщения: 6694
Благодарности: 1393

Профиль | Сайт | Отправить PM | Цитировать

Цитата foxbat:

я уже сам поправил это дело »

Если не сложно, напишите, как вы исправили это дело, от ошибок не застрахован никто, мало ли? Вдруг придётся кому-то рекомендовать восстановление. Хотелось бы знать как это исправить.

Спасибо.

-------
Правильная постановка вопроса свидетельствует о некотором знакомстве с делом.
3нание бывает двух видов. Мы сами знаем предмет — или же знаем, где найти о нём сведения.
[Quick Killer 3.0 Final [OSZone.net]] | [Quick Killer 3.0 Final [SafeZone.cc]] | [Парсер логов Gmer] | [Парсер логов AVZ]

http://tools.oszone.net/Drongo/Userbar/SafeZone_cc.gif

Отправлено: 16:14, 28-06-2010 | #12