所以我的服务端主机突然占用了我的 100% CPU,我想找出哪个服务导致了这种情况。有没有办法区分在单个 SvcHost 中运行的多个服务产生的负载?
我已经运行了病毒扫描并且结果干净,但我的工具已经过时并且过时了所以没有发现任何东西。
我尝试逐步检查这些服务,并逐一停止它们,但我找不到罪魁祸首(请注意,某些服务也会自动重新启动,但我不想禁用它们)。
更新:我用了进程探索器昨晚检查了一下,但有问题的 SvcHost 中有许多服务,其中一些无法停止。今天我按照 heavyd 的建议再次检查了一下,很幸运,因为今天有问题的 SvcHost 中只有两个服务。
DcomLaunch——DCOM 服务器进程启动器
TermService——终端服务
两者都无法阻止。我已经更新了 Windows 更新。打算再运行一次病毒扫描,尽管昨晚什么也没发现。也许是时候重新开始了(此安装是 2004 年的某个时候)。
更新:肯定是病毒。上次重启后 CPU 使用率下降了,但我在启动时收到一些奇怪的“已安装安全软件”消息,正在运行名称奇怪的进程(例如555573478785.exe
),并添加了HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
昨晚不存在的可疑密钥。
Symantec AntiVirus Corporate 8.1.0.825 发出了一些警告,但似乎并没有捕获到所有问题 :-(
Malwarebytes' Anti-Malware 1.44
Database version: 3763
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/19/2010 12:12:58 PM
mbam-log-2010-02-19 (12-12-58).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 290960
Time elapsed: 1 hour(s), 23 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 25
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\kbabjtm.dll (Trojan.Hiloti) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kbabjtm.dll -> Delete on reboot.
Folders Infected:
C:\Documents and Settings\All Users\Application Data\55533526 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\kbabjtm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\Temp\~TM17.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\~TM466.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\mach\Local Settings\Temporary Internet Files\Content.IE5\2WE7TOVW\load[1].exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\mach\Application Data\avdrn.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\mach\Start Menu\Programs\Startup\monnid32.exe (Trojan.Bredolab) -> Delete on reboot.
第二次扫描结果:
Malwarebytes' Anti-Malware 1.44
Database version: 3763
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
2/19/2010 1:54:07 PM
mbam-log-2010-02-19 (13-54-07).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 290753
Time elapsed: 1 hour(s), 18 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{0D9A148D-2E7E-411F-8807-407114206A75}\RP2138\A0129104.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{0D9A148D-2E7E-411F-8807-407114206A75}\RP2138\A0129105.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
更新:经过几次扫描后,我的电脑似乎不再有病毒。
感谢大家!
答案1
我建议抓住Microsoft/SysInternals 进程浏览器。使用进程资源管理器,您可以打开特定的 svchost 进程并查看该进程正在运行哪些服务。然后,您可以使用进程详细信息中的“服务”选项卡停止单个服务以查找罪魁祸首。
答案2
只要多个服务在单个 svchost.exe 中运行,您就无法区分负载。但有一种简单而安全的方法可以将它们拆分到单独的 svchost.exe 中:
SC Config Servicename Type= own
在命令行窗口中执行此操作或将其放入 BAT/CMD 脚本中。此操作的条件是:
SC
执行命令时的管理权限。- 重启电脑。之前不生效。
- “=”后面的空格。
可以通过以下方式恢复原始状态:
SC Config Servicename Type= share
例如:制作Windows 管理规范在单独的 SVCHOST.EXE 中运行:
SC Config winmgmt Type= own
我在 Windows XP 系统上使用了以下序列。它可以直接粘贴到命令行窗口中。
rem 1. "Automatic Updates"
SC Config wuauserv Type= own
rem 2. "COM+ Event System"
SC Config EventSystem Type= own
rem 3. "Computer Browser"
SC Config Browser Type= own
rem 4. "Cryptographic Services"
SC Config CryptSvc Type= own
rem 5. "Distributed Link Tracking"
SC Config TrkWks Type= own
rem 6. "Help and Support"
SC Config helpsvc Type= own
rem 7. "Logical Disk Manager"
SC Config dmserver Type= own
rem 8. "Network Connections"
SC Config Netman Type= own
rem 9. "Network Location Awareness"
SC Config NLA Type= own
rem 10. "Remote Access Connection Manager"
SC Config RasMan Type= own
rem 11. "Secondary Logon"
SC Config seclogon Type= own
rem 12. "Server"
SC Config lanmanserver Type= own
rem 13. "Shell Hardware Detection"
SC Config ShellHWDetection Type= own
rem 14. "System Event Notification"
SC Config SENS Type= own
rem 15. "System Restore Service"
SC Config srservice Type= own
rem 16. "Task Scheduler"
SC Config Schedule Type= own
rem 17. "Telephony"
SC Config TapiSrv Type= own
rem 18. "Terminal Services"
SC Config TermService Type= own
rem 19. "Themes"
SC Config Themes Type= own
rem 20. "Windows Audio"
SC Config AudioSrv Type= own
rem 21. "Windows Firewall/Internet Connection Sharing (ICS)"
SC Config SharedAccess Type= own
rem 22. "Windows Management Instrumentation"
SC Config winmgmt Type= own
rem 23. "Wireless Configuration"
SC Config WZCSVC Type= own
rem 24. "Workstation"
SC Config lanmanworkstation Type= own
rem End.
答案3
我建议你给阿维拉试试杀毒软件。它的检测率比任何主流杀毒软件都要高。我绝对推荐它。
答案4
我的情况也一样。这是我这边的病毒。但毫无疑问,没有杀毒软件可以治愈它,因为服务端主机本身已被注入并感染。SvcHost 就无法被删除或终止。
然后,找到正在运行的 SvcHost 服务
without a parent
。因为每个服务都svchost.exe
必须由 加载services.exe
。或者,您可以通过以下方式找出Parent
进程:双击它 >> “图像”选项卡 >> “父级”标签。
此外,如果您感染的病毒与我感染的病毒相同(感染所有html
带有 VBScript 的文件),您应该执行以下步骤。
清除所有文件(或)从每个文件
.html
中删除代码。.html
清理
.html
文件后,对于我来说,在这种情况下,我肯定会通过使用启动来替换SVCHOST.EXE
Windows XP 安装 CD 中的。Recovery Console