This is the mail archive of the cygwin mailing list for the Cygwin project.
Re: Cygwin finally croaked
"Larry Hall" <lh-no-personal-replies-please@cygwin.com> wrote in message news:6.1.0.6.0.20041025205130.04524c18@pop.prospeed.net...
> At 08:17 PM 10/25/2004, you wrote:
> >"Larry Hall"
>
> <snip>
> Larry Hall http://www.rfk.com
> RFK Partners, Inc. (508) 893-9779 - RFK Office
> 838 Washington Street (508) 893-9889 - FAX
> Holliston, MA 01746
>
>
Larry, I think I figured it out, and it has nothing to do with Cygwin. I noticed my Task Manager was taking over 50% CPU whenever I had it open. When it wasn't open I did not experience this drain on the CPU. Anyway, I decided to defrag my memory using this command using the Windows Scripting Host:
MyString = Space(128000000)
This is in a VBS file I call memory.vbs. It releases memory. It is accessed like this in the Windows Command Prompt:
cscript memory.vbs
When I did that I got "cscript is not an internal command". That is not good. It meant my cscript.exe was missing. Well, sort of. After investigating this I noticed I had a new Service and new user accounts in my Server. Sure enough, something was uploaded into my system directory. It is a variant of ServU, which is commonly used by hackers. They used it in conjunction with:
hidden32.exe
CsC.exe
ip.exe
jacheck.dll
jastat.dll
nc.exe
WSManager32.exe (camouflaged ServU) (runs as a service)
sec.exe
pwdump2.exe
sc.exe
hxdef100.exe
samdump.dll
uptime.exe
psinfo.exe
kill0103.exe
psloggedon.exe
fport.exe
hxdefdrv.sys
There are two more services that also run. I looked at the ini used to set it all up and so knew where to look. I believe it happened due to the Windows Media Service because now that is broken. I removed it.
I found these because I knew the time the issue above started and I was able to see the new files created in my System directory around that time.
Anyway, I noticed the issue with Cygwin at about the same time. I have cleaned these things out and voila, Cygwin is fine now.
Thanks for looking into this with me.
--
George Hester
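
Added example, not part of the original message: the approach described in the message, finding files whose timestamps fall near the time a problem started, written as a small Python script. The function names, the default window and the command-line form are assumptions; because the hxdef files in the list above belong to a rootkit that hides files from the running system, a listing like this is more reliable against an offline or mounted copy of the disk.

```python
import os
import sys
from datetime import datetime, timedelta


def created_ts(st):
    # On Windows, st_birthtime (Python 3.12+) or st_ctime is the creation time.
    # On most Unix systems st_ctime is the inode change time instead.
    return getattr(st, "st_birthtime", st.st_ctime)


def files_in_window(root, incident, hours=2.0):
    """Return (created, modified, size, path) tuples, oldest first, for files
    under root whose creation or modification time lies within +/- hours of
    the incident time (a naive datetime in local time)."""
    lo = (incident - timedelta(hours=hours)).timestamp()
    hi = (incident + timedelta(hours=hours)).timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # locked, unreadable or vanished file: skip it
            born, mod = created_ts(st), st.st_mtime
            # Check both timestamps: either one can be altered on its own.
            if lo <= born <= hi or lo <= mod <= hi:
                hits.append((born, mod, st.st_size, path))
    return sorted(hits)


if __name__ == "__main__":
    # usage: python window.py <directory> "YYYY-MM-DD HH:MM" [hours]
    root, when = sys.argv[1], datetime.fromisoformat(sys.argv[2])
    hours = float(sys.argv[3]) if len(sys.argv) > 3 else 2.0
    for born, mod, size, path in files_in_window(root, when, hours):
        print(f"{datetime.fromtimestamp(born):%Y-%m-%d %H:%M:%S}  "
              f"{datetime.fromtimestamp(mod):%Y-%m-%d %H:%M:%S}  "
              f"{size:>10}  {path}")
```
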