cmd.exe - cpu usage 70% - 90%

First of all, happy holidays to everyone!

Now to the matter at hand. The situation is this: at least a couple of times a day the computer starts slowing down heavily and becomes practically unusable, and Task Manager shows that "cmd.exe" is using roughly between 70% and 90%. So after digging around a bit, here is what I managed to find:
At some point a file 001.bat appears in the temp directory, with the following contents:
:l1
del "C:\WINDOWS\system32\rundll32.exe"
if EXIST "C:\WINDOWS\system32\rundll32.exe" goto l1
del %0
So as I understand it, cmd.exe executes these commands, and since Windows does not allow the "rundll32.exe" file to be deleted, it repeats these steps endlessly, which is what produces that CPU usage. Deleting 001.bat or killing cmd.exe helps, but only for that one time. The AVG antivirus finds nothing, Ad-aware likewise; most interestingly, after googling I found only a few forums where this problem is mentioned, but no solution was found on any of them. If you have any thoughts, please share.

http://www.biteplius.lt/klubai/2forum.showPosts/336884.461-=(271781286
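As an added example (not code from the thread), the Python scanner below checks .bat files for the pattern the first post describes: a label, a delete of a file under system32, a goto that jumps back to the label while the file still exists, and a final `del %0`. The sample scripts and their names are constructed; the first only mirrors the structure of the script quoted in the post, the second is a benign cleanup script that the scanner must not flag.

```python
import re
from pathlib import Path
from typing import Dict, List

# Constructed samples (not files from the thread): the first mirrors the
# structure of the dropped script described in the post, the second is a
# benign cleanup script that a scanner must not flag.
SAMPLE_SCRIPTS = {
    "001.bat": (
        ":l1\n"
        'del "C:\\WINDOWS\\system32\\rundll32.exe"\n'
        'if EXIST "C:\\WINDOWS\\system32\\rundll32.exe" goto l1\n'
        "del %0\n"
    ),
    "cleanup.bat": (
        "@echo off\n"
        'del "%TEMP%\\build.log"\n'
        "echo done\n"
    ),
}

LABEL_RE = re.compile(r"^\s*:(\w+)\s*$")
GOTO_RE = re.compile(r"\bgoto\s+:?(\w+)", re.IGNORECASE)
DEL_RE = re.compile(r"^\s*(?:del|erase)\s+(.+)$", re.IGNORECASE)
SELF_DEL_RE = re.compile(r'^\s*(?:del|erase)\s+"?%0"?\s*$', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def analyze_batch(text: str) -> Dict[str, bool]:
    """Return which traits of the deletion-retry loop a batch script shows."""
    label_line = {}             # label name -> line index where it is defined
    backward_jump = False
    deletes_system32 = False
    self_delete = False
    for idx, line in enumerate(text.splitlines()):
        m = LABEL_RE.match(line)
        if m:
            label_line.setdefault(m.group(1).lower(), idx)
            continue
        if SELF_DEL_RE.match(line):
            self_delete = True
            continue
        m = DEL_RE.match(line)
        if m and SYSTEM32_RE.search(m.group(1)):
            deletes_system32 = True
        for target in GOTO_RE.findall(line):
            # A goto whose label was defined on an earlier line is a loop;
            # combined with a delete that keeps failing it never terminates.
            if label_line.get(target.lower(), idx) < idx:
                backward_jump = True
    traits = {
        "retry_loop": backward_jump and deletes_system32,
        "deletes_system32": deletes_system32,
        "self_delete": self_delete,
    }
    traits["suspicious"] = traits["retry_loop"] or (deletes_system32 and self_delete)
    return traits


def scan_scripts(scripts: Dict[str, str]) -> List[str]:
    """Names of the scripts in a name -> contents mapping that look suspicious."""
    return sorted(name for name, body in scripts.items()
                  if analyze_batch(body)["suspicious"])


def scan_directory(directory: str) -> List[str]:
    """Same check over the .bat files found in a real directory (e.g. %TEMP%)."""
    scripts = {p.name: p.read_text(errors="replace")
               for p in Path(directory).glob("*.bat")}
    return scan_scripts(scripts)


if __name__ == "__main__":
    for name in scan_scripts(SAMPLE_SCRIPTS):
        print(f"{name}: {analyze_batch(SAMPLE_SCRIPTS[name])}")
```

The check is deliberately structural rather than a string match on one file name: it looks at the backward jump and at what the loop keeps trying to delete, so a renamed copy with a different target under system32 is still flagged, while an ordinary script that deletes a temp file and exits is not.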

First post - HijackThis log - here …

Logfile of HijackThis v1.99.1
Scan saved at 13:11:43, on 2006.12.26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
D:_camper\stuff\programs\winamp\winamp.exe
D:_camper\stuff\programs\uTorrent\utorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:_camper\stuff\programs\Opera\Opera.exe
C:\Documents and Settings\camper\Desktop\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM…\Run: [IntelliPoint] “C:\Program Files\Microsoft IntelliPoint\point32.exe”
O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033
O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [AtiTrayTools] “C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe”
O4 - HKCU…\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

Looks like RunDll32 is the one that is infected. What is its size? …

Size 32.5 KB

Upload your rundll32.exe to http://www.virustotal.com/en/indexf.html

"no virus found" with all the antiviruses.

Make a log when the mess starts…

The antivirus protection is no good. Scan online. Something is sitting in the computer and creating that 001.bat …

Well, here we go: after a few days without lag (it apparently took a Christmas break) the same symptoms appeared again today. I'm posting the HijackThis log right away:

Logfile of HijackThis v1.99.1
Scan saved at 17:46:14, on 2006.12.28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
D:_camper\stuff\programs\Opera\Opera.exe
D:_camper\stuff\programs\uTorrent\utorrent.exe
D:_camper\stuff\programs\winamp\winamp.exe
C:\Documents and Settings\camper\Desktop\Filemon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\camper\Desktop[ desktop stuff ]\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM…\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM…\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM…\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM…\Run: [IntelliPoint] “C:\Program Files\Microsoft IntelliPoint\point32.exe”
O4 - HKLM…\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM…\Run: [DAEMON Tools] “C:\Program Files\DAEMON Tools\daemon.exe” -lang 1033
O4 - HKLM…\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM…\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM…\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM…\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKCU…\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU…\Run: [AtiTrayTools] “C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe”
O4 - HKCU…\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab

O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

By the way, I took criminal's advice and traced the 001.bat file with File Monitor. From the logs I can see that 001.bat creates and launches rundll32.exe, then svchost.exe takes over the process, opens and reads data from 001.bat several times, and finally cmd.exe takes over the work and executes the lines contained in 001.bat.

So could you post the contents of that bat file …

I wrote it in the first post; the contents are as follows:

:l1
del "C:\WINDOWS\system32\rundll32.exe"
if EXIST "C:\WINDOWS\system32\rundll32.exe" goto l1
del %0

Isn't it placed in Scheduled Tasks? There's nothing in the log anyway …

[quote]RTR wrote:
By the way, I took criminal's advice and traced the 001.bat file with File Monitor. From the logs I can see that 001.bat creates and launches rundll32.exe, then svchost.exe takes over the process, opens and reads data from 001.bat several times, and finally cmd.exe takes over the work and executes the lines contained in 001.bat.
[/quote]

Check which PID numbers are shown next to those rundll32.exe and svchost.exe. Then, with the "tasklist /svc" command, you will find out which services are hiding inside those exe files. That way you can disable those services one at a time and find the culprit.
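As an added example, not code from the thread, here is a Python parser for the `tasklist /svc` output the reply refers to. It maps each PID to the services it hosts (including the wrapped continuation lines that `tasklist /svc` prints for long lists), finds which process hosts a given service, and sorts Task Manager PIDs into three cases: hosting services, listed but with no services, and not listed at all. The sample table is constructed; PID 996 and its service list reuse the values reported later in the thread, the other PIDs and rows are made up.

```python
import re
from typing import Dict, List, NamedTuple


class Task(NamedTuple):
    image: str
    pid: int
    services: List[str]


# Constructed sample (not output from the thread) in the layout that
# `tasklist /svc` prints on Windows XP: a header, one row per process, and
# service lists that wrap onto indented continuation lines. The svchost.exe
# row reuses PID 996 and the service list reported in the thread.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       548 N/A
services.exe                   684 Eventlog, PlugPlay
svchost.exe                    996 AudioSrv, CryptSvc, Dhcp, dmserver,
                                   EventSystem, lanmanserver, lanmanworkstation,
                                   Netman, Nla, RasMan, Schedule, SENS,
                                   SharedAccess, ShellHWDetection, srservice,
                                   TapiSrv, Themes, winmgmt, wscsvc, WZCSVC
explorer.exe                  1240 N/A
"""

ROW_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svc>.*)$")


def _split_services(fragment: str) -> List[str]:
    items = [s.strip() for s in fragment.split(",")]
    return [s for s in items if s and s != "N/A"]


def parse_tasklist_svc(text: str) -> Dict[int, Task]:
    """Parse `tasklist /svc` output into a PID -> Task mapping."""
    tasks: Dict[int, Task] = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        if line[0].isspace():
            # Indented line: the previous row's service list continues here.
            if current is not None:
                current.services.extend(_split_services(line))
            continue
        m = ROW_RE.match(line)
        if m is None:
            continue
        current = Task(m["image"], int(m["pid"]), _split_services(m["svc"]))
        tasks[current.pid] = current
    return tasks


def services_for_pid(tasks: Dict[int, Task], pid: int) -> List[str]:
    return tasks[pid].services if pid in tasks else []


def pids_hosting(tasks: Dict[int, Task], service: str) -> List[int]:
    """PIDs of every host process that contains the named service."""
    wanted = service.lower()
    return sorted(t.pid for t in tasks.values()
                  if wanted in (s.lower() for s in t.services))


def classify_pids(tasks: Dict[int, Task], observed: List[int]) -> Dict[str, List[int]]:
    """Sort Task Manager PIDs into: hosting services, listed without services,
    and absent from the tasklist snapshot (process gone or restarted)."""
    result: Dict[str, List[int]] = {"hosts_services": [], "no_services": [], "not_listed": []}
    for pid in sorted(observed):
        if pid not in tasks:
            result["not_listed"].append(pid)
        elif tasks[pid].services:
            result["hosts_services"].append(pid)
        else:
            result["no_services"].append(pid)
    return result


if __name__ == "__main__":
    table = parse_tasklist_svc(SAMPLE_TASKLIST)
    print("svchost 996 hosts:", ", ".join(services_for_pid(table, 996)))
    print("hosts of wscsvc:", pids_hosting(table, "wscsvc"))
    print(classify_pids(table, [3128, 996, 3044, 1240]))
```

The three-way split matters for a case like this one: a PID that `tasklist /svc` does not list at all was not alive when the snapshot was taken (the cmd.exe and rundll32.exe instances here come and go), whereas a PID listed with N/A is simply a process that hosts no service, so the per-service narrowing the reply suggests only applies to the svchost.exe rows.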

I have the same thing with cmd.exe, but only when I'm downloading with C++

Well, that thought had occurred to me too, but no, there's nothing there.

Next to rundll32.exe it shows 3128; "tasklist /svc" shows nothing with that PID. Next to svchost it is 996, which is "AudioSrv, CryptSvc, Dhcp, dmserver, EventSystem, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, SENS, SharedAccess, ShellHWDetection, srservice, TapiSrv, Themes, winmgmt, wscsvc, WZCSVC". And finally next to cmd.exe it is 3044, and nothing is shown for that PID either.

And how are you getting on with Windows Update? Somehow it's not visible from the log …

All the updates are in (as many as M$ autoupdate gave).

Now, while searching for info, an idea came up. What if I deleted my rundll32.exe and expanded it from the Windows CD, or is rundll32.exe not involved here at all?

[quote]RTR wrote:
Next to rundll32.exe it shows 3128; "tasklist /svc" shows nothing with that PID. Next to svchost it is 996, which is "AudioSrv, CryptSvc, Dhcp, dmserver, EventSystem, lanmanserver, lanmanworkstation, Netman, Nla, RasMan, Schedule, SENS, SharedAccess, ShellHWDetection, srservice, TapiSrv, Themes, winmgmt, wscsvc, WZCSVC". And finally next to cmd.exe it is 3044, and nothing is shown for that PID either.
[/quote]

There it is, the nasty thing: wscsvc. How to get rid of it is described here: http://www.viruslist.com/en/viruses/encyclopedia?virusid=133793