CPU hog?

If RPC is going crazy, did you check to make sure you don't have Blaster? That is the first thing I would check.
 
Yeah that's the prob. When I reformat I install and run virus scan first thing. I am not connected to the internet at all. So I don't see where Blaster would come from.

Sorry Czar, I'm doing my best!!! Thanks for the immense amount of help.
 
Try a few things first. Linear troubleshooting, for one...

Try Safe Mode?
Does it happen here? If yes, then your install is lunching itself.
If not, there is definitely a service starting with your system causing the issue. Drivers rarely cause CPU spikes on new installs.

Try Safe Mode w/Networking?
Does it happen here? If yes, your network card driver is suspect.
If not, then it's not the network ( simply, right? :D )

Try VGA Mode.
VGA mode does not load your display driver, but still loads all the things that Safe Mode does not.

BTW, use F8 when starting up to get to these options.

Also, do us ALL a favor and run the following command at a command prompt - ' net start ' (without the single quotes). Do this after booting normally, not in Safe Mode, etc...

Post the output of the net start command here.
 
I started windows in Safe Mode, and the problem did not occur. It didn't occur in Safe Mode (networking) but it did occur in VGA.

So I ran net start:

These Windows services are started:

ATI HotKey Poller
Automatic Updates
COM+ Event system
Computer Browser
Cryptographic Services
DHCP client
Event log
Fast User Switching Compatibility
Help and support
IPSEC Services
Kerio Personal Firewall 4
Logical Disk Manager
Machine Debug Manager
Network Connections
Network Location Awareness
Plug and Play
Portable Media Serial Number
Print Spooler
Protected Storage
Remote Procedure Call
Remote Registry
Secondary Logon
Security Accounts Manager
Server
Shell Hardware Detection
SoundMAX agent Service
System Event Notification
System Restore Service
Task Scheduler
TCP/IP NetBIOS Helper
Terminal Services
Themes
Upload Manager
WebClient
Win Init
Windows Audio
Windows Management Instrumentation
Windows Time
Wireless Zero Configuration
Workstation
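The `net start` review TheMasterRat asks for above comes down to one question per line of output: is this a service the box is supposed to have? The script below is an added example (not code from the thread or from anyone in it) that does that comparison offline. It takes the posted output as constructed sample input and diffs it against a baseline of stock Windows XP service display names; the baseline itself is an assumption built for the example, and a name outside it is "unknown", not proven malicious, so the remaining step is to map each unknown to software actually installed on the machine.

```python
import re

# Display names of services that ship with a stock Windows XP install.
# Constructed for this example (assumption: the thread's machine is XP, as
# the Fast User Switching and Themes entries suggest). A name missing from
# this set is "unknown", not proven malicious: the analyst still has to map
# each one to software they know they installed.
XP_DEFAULT_SERVICES = {
    "Automatic Updates", "COM+ Event System", "Computer Browser",
    "Cryptographic Services", "DHCP Client", "Event Log",
    "Fast User Switching Compatibility", "Help and Support", "IPSEC Services",
    "Logical Disk Manager", "Network Connections",
    "Network Location Awareness (NLA)", "Plug and Play",
    "Portable Media Serial Number", "Print Spooler", "Protected Storage",
    "Remote Procedure Call (RPC)", "Remote Registry", "Secondary Logon",
    "Security Accounts Manager", "Server", "Shell Hardware Detection",
    "System Event Notification", "System Restore Service", "Task Scheduler",
    "TCP/IP NetBIOS Helper", "Terminal Services", "Themes", "Upload Manager",
    "WebClient", "Windows Audio", "Windows Management Instrumentation",
    "Windows Time", "Wireless Zero Configuration", "Workstation",
}

# Sample input constructed from the `net start` output posted in the thread,
# wrapped in the header and trailer lines the real command prints.
_POSTED = [
    "ATI HotKey Poller", "Automatic Updates", "COM+ Event system",
    "Computer Browser", "Cryptographic Services", "DHCP client", "Event log",
    "Fast User Switching Compatibility", "Help and support", "IPSEC Services",
    "Kerio Personal Firewall 4", "Logical Disk Manager", "Machine Debug Manager",
    "Network Connections", "Network Location Awareness", "Plug and Play",
    "Portable Media Serial Number", "Print Spooler", "Protected Storage",
    "Remote Procedure Call", "Remote Registry", "Secondary Logon",
    "Security Accounts Manager", "Server", "Shell Hardware Detection",
    "SoundMAX agent Service", "System Event Notification",
    "System Restore Service", "Task Scheduler", "TCP/IP NetBIOS Helper",
    "Terminal Services", "Themes", "Upload Manager", "WebClient", "Win Init",
    "Windows Audio", "Windows Management Instrumentation", "Windows Time",
    "Wireless Zero Configuration", "Workstation",
]
SAMPLE_NET_START = ("These Windows services are started:\n\n"
                    + "\n".join("   " + s for s in _POSTED)
                    + "\nThe command completed successfully.\n")


def normalize(name):
    """Case-fold, drop a trailing parenthetical such as '(RPC)' and collapse
    whitespace, so hand-typed output still matches the baseline."""
    name = re.sub(r"\s*\([^)]*\)\s*$", "", name)
    return " ".join(name.split()).casefold()


def parse_net_start(output):
    """Return the service display names from `net start` output, skipping the
    'These Windows services are started:' header, the 'The command completed
    successfully.' trailer and blank lines."""
    names = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith(":") or line.startswith("The command"):
            continue
        names.append(line)
    return names


def unknown_services(output, baseline=XP_DEFAULT_SERVICES):
    """Service names in the output that are not in the baseline, sorted."""
    known = {normalize(n) for n in baseline}
    return sorted(n for n in parse_net_start(output) if normalize(n) not in known)


if __name__ == "__main__":
    for name in unknown_services(SAMPLE_NET_START):
        print("not a stock XP service:", name)
```

Run against the posted output it reports five unknowns. Four of them pair off with things Spinal installed (the ATI display driver, Kerio, the SoundMAX audio driver, and Machine Debug Manager, which Office and Visual Studio add); "Win Init" is the one with no owner, which is exactly the line TheMasterRat singles out in the next post.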
 
Do a scan for a trojan horse. Norton will not find all types of infections; many virus, trojan and worm infections go completely missed by it.
Go to trendmicro.com and do a free scan. Do a Google search for online trojan and worm scanners and scan the system..
 
Originally posted by Spinal

Win Init


I can almost guarantee the above service is your problem.

Whatever virus/trojan/whatever ( I don't care what the scans say ) has camouflaged itself ( so to speak ) as the above service.

If you try to run a ' net stop "win init" ' ( with the double quotes, not the single ones ) at a command prompt, you will likely get access denied.

The above service is NOT a normal Windows XP service, and doesn't match any legitimate 3rd party services that I know of.

Here's what you need to do.

Start --> Run --> REGEDIT

Select HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET

Search for "win init" ( without the quotes ).

It should turn up something in the right half of the window under a value called "DisplayName".

Change the value on the right side called "Start" to 0x4 ( Disabled )

Then restart to normal mode. ( The above will be easier in Safe Mode if the system is too sluggish in normal mode )

Report back with results, but I'm fairly confident that is the problem.

Also, in the same folder as the DisplayName "Win Init", give us the data for the value "ImagePath".

ImagePath is where the file being launched is stored. In this case, part of this value will reference SVCHOST.EXE ( or completely, in the case of it being ANYWHERE other than c:\windows\system32, which is the only legitimate location for svchost.exe )

I'm on MSN Messenger @ v_1jamt at hotmail dot com

Feel free to add me to walk ya through it. It may also be easier that way, since I'm not always around the forums, ya know? :D
 
way to go TheMasterRat :D
could have sworn the system was clean (with the fresh install and all)


http://www.sophos.com/virusinfo/analyses/w32agobotbd.html
W32/Agobot-BD Worm

W32/Agobot-BD is an IRC backdoor Trojan and network worm.

W32/Agobot-BD is capable of spreading to computers on the local network protected by weak passwords.

When first run, W32/Agobot-BD moves itself to the Windows system folder as Filename.exe and creates the following registry entries so that it is run automatically on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Win Init= <SYSTEM>\Filename.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Win Init= <SYSTEM>\Filename.exe

On NT based versions of Windows the worm creates a new service named "Win Init" with the startup property set to automatic, so that the service starts automatically each time Windows is started.

Each time W32/Agobot-BD is run it attempts to connect to a remote IRC server and join a specific channel.

W32/Agobot-BD then runs continuously in the background, allowing a remote intruder to access and control the computer via IRC channels.

W32/Agobot-BD attempts to terminate and disable various security related programs and attempts to prevent its own process from being deleted.


again http://www.esecurityplanet.com/alerts/article.php/3286551

see links for removal instructions

more than likely it's exploiting your password
use something random and long
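Two posts above give the same indicators from different directions: TheMasterRat's registry walk (find the "Win Init" DisplayName under CurrentControlSet, read its Start and ImagePath, and treat an svchost.exe anywhere outside c:\windows\system32 as illegitimate) and the Sophos write-up's Run / RunServices values and "Win Init" service. The script below is an added example, not code from the thread, from TheMasterRat, or from Sophos, that applies both checks to an exported .reg file instead of the live registry, so it can be run on a dump taken from Safe Mode or from a second machine. Assumptions: a default XP install (system root C:\WINDOWS; a W2K box would use C:\WINNT), and a constructed export in which ImagePath is written as a plain string, whereas a real export encodes REG_EXPAND_SZ as hex(2):..., which this small parser does not decode.

```python
import re

# Assumptions for this example: a default XP install, so the only legitimate
# home for svchost.exe is C:\WINDOWS\system32 (a W2K box would use C:\WINNT).
SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM_DIR = SYSTEM_ROOT + r"\system32"
# Persistence name from the Sophos W32/Agobot-BD write-up quoted in the thread.
INDICATOR = "win init"
AUTORUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}
START_MEANING = {2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed .reg export. RpcSs is the legitimate contrast case (real XP
# ImagePath); the Win Init entries model the infection described above, with
# the service pointing at an svchost.exe outside system32 as TheMasterRat
# predicts. Real exports write ImagePath as hex(2):... (REG_EXPAND_SZ); the
# sample keeps plain strings so the small parser below can read it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Win Init"="C:\\WINDOWS\\system32\\Filename.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Win Init"="C:\\WINDOWS\\system32\\Filename.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"DisplayName"="Remote Procedure Call (RPC)"
"ImagePath"="%SystemRoot%\\system32\\svchost -k rpcss"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Win Init]
"DisplayName"="Win Init"
"ImagePath"="C:\\WINDOWS\\svchost.exe"
"Start"=dword:00000002
"""


def parse_reg_export(text):
    """Parse [key] headers plus "name"="string" and "name"=dword:hex lines
    into {key: {value_name: data}}; other value types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.groups()
        if data.startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            keys[current][name] = data[1:-1].replace("\\\\", "\\")  # un-escape \\
        else:
            keys[current][name] = data
    return keys


def executable_of(command):
    """First token of a service/autorun command line, %SystemRoot% expanded."""
    cmd = re.sub(r"%systemroot%", lambda _: SYSTEM_ROOT, command, flags=re.I)
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def split_path(exe):
    """(directory, basename) of a Windows path, both case-folded."""
    directory, _, base = exe.casefold().rpartition("\\")
    return directory, base


def audit_registry(keys):
    """Return (key, reason) findings: the Agobot persistence name in the
    autorun keys or as a service, and any service that launches svchost from
    somewhere other than the system directory."""
    findings = []
    for key, values in keys.items():
        low = key.casefold()
        if low in AUTORUN_KEYS:
            for name, cmd in values.items():
                if name.casefold() == INDICATOR:
                    findings.append((key, f"autorun value '{name}' runs {cmd}"))
        elif "\\services\\" in low:
            display = str(values.get("DisplayName", ""))
            start = START_MEANING.get(values.get("Start"), "unknown")
            if display.casefold() == INDICATOR:
                findings.append((key, f"service '{display}' present, Start={start}"))
            image = values.get("ImagePath")
            if isinstance(image, str):
                directory, base = split_path(executable_of(image))
                if base in ("svchost", "svchost.exe") and directory != SYSTEM_DIR.casefold():
                    findings.append((key, f"svchost launched from {directory}, not {SYSTEM_DIR}"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_registry(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\n    {reason}")
```

On the sample it returns four findings (the two autorun values, the "Win Init" service with Start=Automatic, and its svchost.exe living in C:\WINDOWS rather than system32) and nothing for RpcSs, whose svchost resolves to the system directory once %SystemRoot% is expanded. The Start mapping is the same 2/3/4 TheMasterRat refers to when he says to set the value to 0x4 (Disabled).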
 
Originally posted by Ice Czar
way to go TheMasterRat :D
could have sworn the system was clean (with the fresh install and all)

Thanks. It's my job. Literally.

I've seen these things hide under some very convincing service names.

I didn't bother digging up which virus it was though.

Good research on that Ice.
 
Originally posted by TheMasterRat
Thanks. It's my job. Literally.

as a sysadmin or a whitehat?



a little more (from the last link)

Trend Micro issued an alert for a similar malware, Worm_Agobot.BL, which it reports has both worm and backdoor capabilities.

It exploits certain vulnerabilities to propagate across networks. Like the earlier AGOBOT variants, it takes advantage of the following Windows vulnerabilities:
# Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
# IIS5/WEBDAV Buffer Overflow vulnerability
# RPC Locator vulnerability

For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:
# Microsoft Security Bulletin MS03-026
# Microsoft Security Bulletin MS03-001
# Microsoft Security Bulletin MS03-007

It attempts to log into systems using a list of user names and passwords. This worm then drops a copy of itself in accessed machines.

It also terminates antivirus-related processes and dropped files by other malware. This worm steals CD keys of certain game applications, then sends gathered data to a remote user via mIRC, a chat application. It also has backdoor capabilities and may execute remote commands in the host machine.

must have been getting reinfected after each install
being on a college LAN is like swimming in a cesspool
 
Originally posted by Ice Czar
as a sysadmin or a whitehat?
must have been getting reinfected after each install

Sysadmin, I wish. heh.

I'm unfortunately stuck in call center hell for the time being. I do tech support for MS NT Server and W2K Pro. Not as glamorous as it sounds, as I work for an outsource partner, and not MS.
 
good learning experience

I've noted down that little net start troubleshooting process
something I learned today :D

(I don't moderate this forum :p )

and my apologies to diehrd who was correct ;)
I thought we had ruled that out

Spinal, update all your patches on a fresh install and get behind that firewall before reconnecting to the LAN (also scan your "data" for an infector)

alternately disconnect, clean out the worm and update\scan\firewall

and above all change the passwords\logons
like
$p1nVl@{H}aRdForuM
$r3wY0uHaXor$:p1'veG0TyoUrNum83R
 
Originally posted by Ice Czar
good learning experience

Debatable... I've been here for 4 years now ( since I was 17.. )

It's all the same stuff anymore. Spyware, virus, etc.

It's a rarity to come across anything here that I haven't already seen at least 3x before.
 
well it won't be too long and Longhorn will be out
with a whole new can of worms

anything you might impart regarding Windows 64bit extension?
Issues you've seen or heard about (I know it's not officially supported yet)
 
Originally posted by Ice Czar
well it won't be too long and Longhorn will be out
with a whole new can of worms

anything you might impart regarding Windows 64bit extension?
Issues you've seen or heard about (I know it's not officially supported yet)

That's the other side of the bad....

This site hasn't gotten any new projects since WXP Home...
Thank you India, you rotten W2K Server project-stealing-towel-heads.... ( Not really, but I still hate them. Well, hate the fact that MS was cheap as everyone else and sent the project there, instead of here )....

I haven't even played with Longhorn or the 64-bit side of things.
 
errr...we have quite a few members from India

of course it's always open season on Microsoft :p
 
Originally posted by Ice Czar
errr...we have quite a few members from India

of course it's always open season on Microsoft :p

Hence the disclaimer about not really hating India. ;)

And it's always open season on MS everywhere. I'd still rather be @ MS than where I am now.
 
A big thanks to TheMasterRat, and Ice Czar... Problem solved. God I love the [H].

Thanks again guys. :D
 
Spinal, I know you're on a budget, but maybe you can skip a night of debauchery and get a Hardware Router with a NAT Firewall
(Network Address Translation), you could host a LAN party or something to pay for it.

The point is that it's important to get your security level up a bit
and that would be one useful component, here is my checklist and current security lineup

basic Security Cut and Paste>

Scanners
NOD32 (Widely considered the best AV going, more VB100% awards than any other program)
TDS-3

Execution Protection\Patches
WormGuard
HTAstop (freeware)
DSOstop (freeware)
WSH Anti-Polymorphism Patch (freeware)
AnalogX Script Defender (freeware)

Monitors\firewalls
PortExplorer
Kerio (freeware)
Taskinfo 2003
RegistryProt (freeware)

Filters
SpyBlocker
Proxomitron (freeware)
CookieWall (freeware)

Spyware Removal
AdAware (freeware)
SpyBot Search and Destroy (freeware)
HijackThis (freeware)

Checksum
Filehecker (freeware)
Haxial Hash (freeware)

Local Host Proxy
Naviscope (freeware)
unfortunately I can't find a working link to download from anymore



Security Checklist W2K

(depending on what its role is, that may include)

install Service Pack and hotfixes
close the vulnerable NetBIOS ports and cleanup bindings
Configure IPSec
Restrict access to LSA info

disable unnecessary services

disable Guest account
setup my user account
rename Administrator account
create fake Administrator account (disabled)
enable network lockout of the true Administrator account
Limit the number of logon accounts
Remove the "Everyone" group and replace with "Authenticated Users" shares

disable HTML in e-mail
disable ActiveX
rename shscrap.dll to shscrapold;
install DSOstop
Unhide File extensions, protected files, all files and folders
disable default shares
Enable Encrypted File System
Encrypt the Temp Directory
setup to clear the paging file at shutdown
lockdown the registry
disabling or limiting WSH\VB\Java\Java Scripts (install HTAstop, Script Defender)
disable dumpfile creation
remove insecure subsystems (OS/2 and POSIX)
protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor

Install and schedule trojan scanner, anti virus and intrusion detection
Install and configure Worm Guard and WSH Anti-Polymorphism patch

configure security policy control
enable auditing (logon, object, privilege, account management, policy, system)
set permissions on the security event log
set account lockout policy
assign user rights
set security options


Test
Run Baseline Security Analyzer (freeware)
Run NessusWX (freeware)
>connect to the internet
Do a remote Port Scan

all depending on how paranoid I am that day :p



Security Linkfarm Badly in need of an update :p

might also want to check out ProcessGuard, I haven't used it, because I employ a strategy that enables me to cross scan from parallel installs, both of which run filecheckers, so theoretically I'm much more likely to catch any changes to the security exe's

Habits go a long way towards security, but there are those that choose to conduct their security studies with risky behavior by visiting blackhat sites
(best done on a single boxen isolated from any LAN) and others that trial a lot of freeware (and sometimes it is compromised)
I happen to fall into both categories, and yet have not been infected since I adopted my current security protocol over 2 years ago.

as pointed out, to a large extent your habits determine the security level you need. The above is overkill for many; there are a total of six paid programs, and I wouldn't rush into buying them all till you know you actually need them. The 2 scanners would be the most important ones (though many would say other freeware works for them), and many of the freeware apps have overlapping features, but I like the way they specifically do a task, or the interface, or they appear similar but are used differently (the checksums for instance)
or they back each other up (all the spyware detectors)


a few more links (where the checklist was largely drawn from)

http://www.wilders.org/securing_your_pc.htm
http://www.uksecurityonline.com/husdg/windowsxp/wxpp2.php

and server level security
http://www.nsa.gov/snac/
 
Originally posted by Ice Czar
Paranoidal fantasies of government conspiracies

ahh but they are only paranoid delusions if they aren't real :p

Inside Echelon
The history, structure and function of the global surveillance system known as Echelon (as of 7-25-00)
by Duncan Campbell, author of the European Parliament's 1999 "Interception Capabilities 2000" report

and bear in mind that was before the NSA received a blank check to stop terrorism
 
Originally posted by Ice Czar
ahh but they are only paranoid delusions if they aren't real :p

Inside Echelon
The history, structure and function of the global surveillance system known as Echelon (as of 7-25-00)
by Duncan Campbell, author of the European Parliament's 1999 "Interception Capabilities 2000" report

and bear in mind that was before the NSA received a blank check to stop terrorism

While I'm sure that that is a very interesting and paranoid-inducing article, I don't care to think enough to read it right now.

Besides, if anybody's watching my activities, I feel very sorry for them, as they must be EXTREMELY bored by now ;)
 
I am gonna look into the Router. My nights of Debauchery don't happen often. I am one of the tame ones.

But the reason for not having one before is that the tech people at the school are weird about equipment other than the PC itself. The tech guys here are not fun to work with. I have approached them once already about having two machines and they frown on it. I can't wait to move out to an apartment as soon as I have enough hours. But anyway. I am using a lot of the software you pointed me to earlier in the post. The scanners and firewalls and such. I am gonna try and make a habit of a lot of that stuff.

But yeah thanks again. I am gonna look into the router thing.
 