
Host Bloat's back... and this time it's got friends!

Discussion in 'Security and Privacy' started by wiffles, 2004/03/11.

Thread Status:
Not open for further replies.
  1. 2004/03/11
    wiffles

    wiffles Inactive Thread Starter

    Joined:
    2004/02/22
    Messages:
    65
    Likes Received:
    0
    Anyone remember the svchost bloat problem (100% CPU usage) I was having? (http://www.windowsbbs.com/showthread.php?s=&threadid=28028) Just when I thought it was gone for good, another Win2K machine pops up with it! :eek: It went away first time round when I installed SP4, but this one already has it installed. This is probably the most annoying problem I've ever come across (unless you like waiting 10 minutes for the volume control to load... ;) ) Has nobody else seen this problem and killed it successfully?

    Also, sometimes I get bloat shared between netsvc and vsmon (part of ZoneAlarm). Shutting down ZoneAlarm helps the problem, until I disconnect from the net... and the CPU rockets back up to 100% again.

    AND, the one that originally had the svchost problem has another problem... Some programs shut down after about 10 seconds (worryingly it's only AVG and regedit!) Virus scans fish out nothing, and I'm not caught in a massive onslaught of spyware either. I'm scanning this one remotely - from the one with the Host Bloat, so it should take a few hours. No, really.

    What's with all these problems I'm suddenly getting? :confused:
     
  2. 2004/03/11
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Have a look at this page. It tells you how to find out what services are being run by each svchost.exe process. Also mentions a couple of virus possibilities.

    http://www.mvps.org/sramesh2k/svchost.htm
     

  4. 2004/03/12
    wiffles

    wiffles Inactive Thread Starter

    Joined:
    2004/02/22
    Messages:
    65
    Likes Received:
    0
    I think I've found something!
    explore.exe in winnt\system32. I don't think it's supposed to be there. It doesn't have the usual icon and I see two copies of 'explorer' in the Task Manager. Shutting one down restarts the taskbar and stuff. Normal. I'm not allowed to shut the other one down. This has to be it, doesn't it? Process Explorer says the system32 one is using a lot of TCP... But killing it didn't solve the problems because it keeps reopening itself! This HAS to be it...
     
  5. 2004/03/12
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    If you have any copies of explore.exe on a 2K box (at least I assume that is your OS), you have worse problems than you've mentioned.

    If you meant explorer.exe then having one in system32 is a bad sign. I checked about a half-dozen 2K servers and all had:

    C:\WINNT\explorer.exe (238 KB)
    C:\WINNT\$NtServicePackUninstall$\explorer.exe (238 KB)
    C:\WINNT\system32\dllcache\explorer.exe (238 KB)
     
    Newt,
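As an added example (not code from Newt or anyone else in this thread), a PowerShell check that inventories every explorer.exe and look-alike explore.exe on the system drive, marks copies outside the three locations Newt lists, and records each file's Authenticode signature status and whether its content matches the copy in the Windows directory. It assumes an elevated prompt and uses Newt's Win2K location list; 64-bit Windows also has a legitimate SysWOW64\explorer.exe that would need adding.

```powershell
# Added example, not from the thread. Inventory explorer.exe / explore.exe copies on the
# system drive and show, per copy, whether it sits in an expected location, whether it is
# signed, and whether its hash matches the copy in the Windows directory.
# Assumptions: run elevated; expected locations are the ones Newt listed for Win2K.
$windir   = $env:WINDIR
$expected = @(
    (Join-Path $windir 'explorer.exe'),
    (Join-Path $windir '$NtServicePackUninstall$\explorer.exe'),
    (Join-Path $windir 'system32\dllcache\explorer.exe')
)
$referenceHash = (Get-FileHash (Join-Path $windir 'explorer.exe') -Algorithm SHA256).Hash

Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -ErrorAction SilentlyContinue -Include 'explorer.exe', 'explore.exe' |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        [PSCustomObject]@{
            Path         = $_.FullName
            SizeKB       = [math]::Round($_.Length / 1KB)
            ExpectedPath = ($expected -contains $_.FullName)   # PowerShell string compare is case-insensitive
            Signature    = $sig.Status                         # 'Valid' for a genuine, signed Windows binary
            MatchesRef   = ($hash -eq $referenceHash)          # older service-pack copies legitimately differ
        }
    } | Format-Table -AutoSize
```

Any row with ExpectedPath False or a Signature other than Valid is the one to look at; a differing hash on the $NtServicePackUninstall$ copy alone is normal.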
  6. 2004/03/12
    wiffles

    wiffles Inactive Thread Starter

    Joined:
    2004/02/22
    Messages:
    65
    Likes Received:
    0
    explore.exe was definitely the problem - it created a service called 'Video' which I disabled. Problem gone. (Should I delete this file now?) However, as to the svchost problem, I'm still looking. It's obviously a service of some kind, and probably an evil one. I terminate it with Process Explorer (how'd I manage without this thing?!) but it comes back about a minute later. Any dodgy services I should check for? Comparing the list of Started services on the bloated PC with a list on the healthy one I just found one new one - Still Image Monitor (stisvc) but this one seems fine.

    EDIT: Got something! system32\Zsoft32.exe. Not on the clean system. If I terminate it, something brings it back. But if I terminate the mutant svchost, they both go away. It hasn't come back yet so I can't check the filename.
     
    Last edited: 2004/03/12
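As an added example serving both Zander's pointer on finding which services each svchost.exe runs and wiffles' comparison of started services against a healthy PC (not code from either poster), this PowerShell lists the services hosted by every svchost.exe instance with its CPU time, then reports running services that are absent from a baseline exported on a clean machine. The baseline file path and its one-service-name-per-line format are assumptions.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell session.
# Part 1: which services does each svchost.exe instance host, and how much CPU has it used?
# Part 2: which running services does the clean machine not have, and what binary do they run?
# Assumption: the baseline was written on the known-clean PC with
#   (Get-CimInstance Win32_Service | Where-Object State -eq 'Running').Name | Set-Content C:\baseline\clean-services.txt
$BaselinePath = 'C:\baseline\clean-services.txt'   # assumed path; adjust to taste

$services = Get-CimInstance -ClassName Win32_Service

# Part 1: group services by the svchost.exe process that hosts them, busiest process first.
Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $procId = $_.Id
    $hosted = $services | Where-Object { $_.ProcessId -eq $procId } |
              Select-Object -ExpandProperty Name
    [PSCustomObject]@{
        PID        = $procId
        CpuSeconds = [math]::Round($_.CPU, 1)
        Services   = ($hosted -join ', ')
    }
} | Sort-Object CpuSeconds -Descending | Format-Table -AutoSize

# Part 2: running services missing from the clean baseline, with the executable each one starts.
if (Test-Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath
    $services |
        Where-Object { $_.State -eq 'Running' -and $_.Name -notin $baseline } |
        Select-Object Name, DisplayName, StartMode, StartName, PathName |
        Format-Table -AutoSize
} else {
    Write-Warning "Baseline file $BaselinePath not found; skipping the comparison."
}
```

A new service whose PathName points at an unfamiliar executable in system32 is exactly the kind of entry the 'Video' service in this thread would have produced.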
  7. 2004/03/12
    wiffles

    wiffles Inactive Thread Starter

    Joined:
    2004/02/22
    Messages:
    65
    Likes Received:
    0
    AAGH!

    Okay, now things are really ******* up. It won't let me log on! Something's been messing with my privileges, I'm sure of it. Lucky for me this system's got a dual boot...

    EDIT
    No, the second time it was me. It's the option 'Deny logon locally'. I thought it meant users who were allowed to do this not the users it affected! (sobs in the corner) But there was an option in the Services section that I wasn't allowed to do anyway.
     
    Last edited: 2004/03/12
  8. 2004/03/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    was it called Videol_32
    the number will/might vary

    Post more details so we can search
    Have you run, preferably, both anti-spyware programs Ad-Aware and SpyBot?
     
  9. 2004/03/14
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    zsoft32.exe????

    http://www.sophos.com/virusinfo/analyses/w32agobotdw.html

    ==========
    I didn't mean to leave you spinning in the wind but there are so many variants I was busy trying to decide what should be done first. The relatively newly dated variant "DW" _Goabot didn't seem to have any hits other than Sophos so I tried a generic search:

    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=+W32.HLLW.Gaobot&btnG=Google+Search

    As you can see that produced way too many hits (over 5,000). I didn't even try the other two alias names Sophos listed this as using.

    Perhaps the Symantec generic cleanup tool would help:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.removal.tool.html

    ==============
    I keep pecking away at this. Even though you've scanned there may be any number of reasons why you may not have detected or cleaned this thing for good if you have it or had it.
     
    Last edited: 2004/03/14
  10. 2004/03/14
    wiffles

    wiffles Inactive Thread Starter

    Joined:
    2004/02/22
    Messages:
    65
    Likes Received:
    0
    That describes it exactly, but there's just one teeny problem... the only user name has been locked out!!
     
  11. 2004/03/14
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    If I understand you correctly, you can't log on to XP. If this is so, can you boot to safe mode and log on as Administrator?
     
  12. 2004/03/14
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
  13. 2004/03/14
    wiffles

    wiffles Inactive Thread Starter

    Joined:
    2004/02/22
    Messages:
    65
    Likes Received:
    0
    I've had Agobot 8.E and 9.F. It just won't leave me alone.

    But what about the user lockout problem? I don't have to reinstall Windows, do I?
     
  14. 2004/03/14
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Have you tried the F8 safe mode startup and logging in as Administrator?
     
    Last edited: 2004/03/14
  15. 2004/03/14
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Did you try logging on in safe mode as administrator?
     
  16. 2004/03/14
    wiffles

    wiffles Inactive Thread Starter

    Joined:
    2004/02/22
    Messages:
    65
    Likes Received:
    0
    Yes :(
    Administrator is the only username and it's blocked. I can still use a 98 dual boot but almost all of the software is installed for win2k.
     
  17. 2004/03/14
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Sorry Wiffles,

    I've been reduced to a spectator for now. I am not familiar with win2000. I don't know what your recovery options are. Someone will help soon, I'm sure, hang in there.
     
    Last edited: 2004/03/14
  18. 2004/03/14
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  19. 2004/03/15
    goddez1

    goddez1 Inactive

    Joined:
    2002/01/12
    Messages:
    2,975
    Likes Received:
    49
    Pooh,
    I just checked into this forum for the first time today and I see you're still sitting in here. Maybe if you tacked a help cry up in the Win2000 forum asking for help on your admin login profile recovery and added a link to this post in the security forum, someone who knows Win2000 could help.

    I'm not sure if this board's policy allows circumvention of an admin lockout but you could try.

    Alternatives were on-line scanning, or downloading the agobot (goabot) fixtool from Symantec (I think) and running it from the C prompt if possible, or scanning from within Win98 including your Win2000 drive and hoping for the best. This won't get any reg keys involved but it may help. It certainly can't hurt.

    ======

    This Trojan can be quite harmful dependent upon the variant and the maliciousness of the hacker. I wonder if you might not be better off looking for a personal file backup alternative and reinstalling clean.

    You really need to tighten up on your "security do's" if you keep getting tagged by this Nasty. I have a great link somewhere on this thing. I'll see if I can find it and will tack it up.

    Good Luck....
     
    Last edited: 2004/03/15
  20. 2004/03/16
    wiffles

    wiffles Inactive Thread Starter

    Joined:
    2004/02/22
    Messages:
    65
    Likes Received:
    0
    AFAIK, agobot hasn't hosed these systems down yet. One had ZoneAlarm Pro protecting it, and the other one had only been on the net in win98. (Since 98 didn't have the slowdown problems I'm assuming the troj hadn't been loaded.)

    As for the lockout problem, I'll just give up and reinstall. Still, if anyone finds a way to circumvent all three logon deny methods at once (yeah, it was a very stupid thing to do...) then hats off to you. :)
     