
Urgently need ideas to solve system crawl

Status
Not open for further replies.

dholbrook

IS-IT--Management
Jan 23, 2003
295
US
I have two systems driving me nuts. Symptom is that when looking at the processes, we have 100% CPU, with 90%+ of that under Services.exe. System will not run any applications, too slow (try 5 minutes to refresh the screen).

One system is Win2k, one is XP Pro. In both cases there are no launched programs causing the issues. I have run the latest version of CWShredder, SpyBot S&D 1.3 and AdAware (plus some other tools) to try to remove any hijacking software. All come clean except CWShredder.

When the most current version of CWShredder is launched, it claims that it is being attacked by a SmartServer.2 variant, causing CWShredder to go into its name-change mode to run. Instead of taking a minute or so to run, CWShredder requires over one hour to finish (remember we immediately jump from 10-20% CPU to 100% CPU use when this application is launched, almost all of it under Services.exe). When it finishes, CWShredder does not find or fix any SmartServer problem. The systems will eventually return to a low 10-20% CPU once the application is closed, but it takes about 10 minutes. It does not matter if this is run in safe mode or not; the result is the same, a very, very slow system. ANY program launched immediately jumps the Services.exe process to 90%+, pushing the CPU to 100% use. Task Manager grabs 7-12% itself, so there is nothing left for the applications except a momentary small % once in a while.

I have run HijackThis and cannot see anything funny running in the log results either, and nothing I can identify as related to SmartServer at all. I cannot tell if the system is being hijacked to go anywhere else, because in addition to killing all applications with the 100% CPU once any are launched, any and all attempts to connect to the DSL link are impossible to complete, as they time out before completing the authentication.

Things in common for these systems: they are both at all the current Microsoft patches and security fixes, both run ZoneAlarm firewalls and have current, up-to-date antivirus installed. Two different antivirus sweeps of the systems do not find any virus problems. Win2k is running SP4 plus the security patches; the XP is at SP1 with all other current patches in place.

These two systems both began these problems last week, and are on two different networks on different DSL links. The Win2k system's DSL link is fine for all the other four systems on it, so the hub, modem, cables, etc. are OK; the problem is in the software somewhere.

I am going nuts with this, and am ready to totally rebuild the Win2k system to clean it up (a really nasty job because of the VPN and other pieces), but I really would like to find out what is causing the problem, as it is not unique to one system.

I would really appreciate some good ideas.

Thanks,

David
 
I can't tell you why it's doing that, but if you're having speed issues, which it sounds like you are, you might want to try defragmenting your hard drive, because if any of your files are scattered around your hard drive, defragmenting should get them all in one place, making execution faster. That usually works for me; when it doesn't, I wipe my hard drive, but you should get more suggestions before doing that.
 
Thanks for the thoughts, but the XP system has 40 GB of free space; defragmentation is not the issue.

As for the Win2k system, I have installed another boot on a different drive, and I am moving my mail, etc. to the new system, which works correctly. All the system hardware is functioning correctly, but it appears that whatever this problem is, it is related to the netcard driver files. I suspect the hijack has overwritten a netcard driver, which is really scary if it turns out to be true, as it was not necessary to do anything to cause this problem to occur.

My next step is to boot to the original system, totally remove the network, reboot, and let the system find the card again, then re-run SP4 to see if the network drivers can be fixed (remember the net card works just fine on the new install of Win2k on the same hardware). If this fails, I will compare the driver files between the two systems to see if I can locate any differences.
 
Hmmm... from Glens' post, it seems that maybe a reinstallation of the SP will resolve the issue. Have you checked the system logs for anything peculiar?

Steven S.
MCSA
A+, Network+, Server+, i-Net+, Security+
 
Did you just upgrade ZoneAlarm firewall? Thread924-491759
 
The ideas are all good; however, I am already using the latest SP and have re-applied it with no change. ZoneAlarm is still the original install and has not been updated, so I do not think it is involved. According to Microsoft, this patch is part of SP4, which is the current patch on the system.

I can still access the system, and I am going to try removing the network totally, then re-installing on reboot to see if this is possibly the issue. I will force the new install from new files if possible, by running SP4 after the network removal and before reboot. I'll let you all know what happens.

David
 
I believe I have the solution to the CWShredder freezing. Mine was freezing at CWS.Boot.conf.
The solution is not really mine; it was posted at this site.
When I read the "solution" posted at
I thought he meant to delete the hosts file and then run CWShredder. I tried that and it did not work, as CWShredder still froze at CWS.Boot.conf.
He did not explain himself clearly. I just experimented and made it work.

What really tipped me off to the problem was the size of a file at C:\Windows\System32\Drivers\ETC\hosts.new
 
My Hosts.new file was 131,798,106, which is a *huge* file.
I figured if I could edit it and make it smaller, then CWShredder would run OK.
So I tried that, but CWShredder still froze up.

Next, I deleted Hosts.new and edited my Hosts file. I left in all the # comment lines in the Hosts file. When I ran CWShredder, it still locked up, with CPU going to 99%-100%. After 5 seconds I killed CWShredder. Something had rebuilt Hosts.new and the file size was now only 60,000 (after 4 seconds).

So next I deleted Hosts.new and edited the Hosts file, and took out all the # (comment) lines. Now the Hosts file has no entries, not even comments (i.e., a blank hosts file).

When I ran CWShredder, it worked fine and completed normally.
And my computer is faster.
I used a Hosts Manager program to make the hosts file deletion, but you can do the same thing with Notepad or WordPad.

The # in the Hosts file must be the thing that the CWS variant looks for, and then it copies the hosts file to hosts.new.

So the key appears to be deleting Hosts.new, and deleting all entries (even the # comment lines) from the hosts file.

I figure that the evil programmer who wrote the CWS.bootconf variant decided to copy the existing hosts file to the hosts.new file endlessly to prevent CWShredder from running.
 
Thank you hardluckmike!

This might just be the answer I need! I will check it out later when I get home. The problem acts like a netcard issue, but this hosts file directs everything to the 127.0.0.0 location (also used by Spybot S&D to null out the bad hijacks), which effectively involves the netcard interface.

The real question is, where is the program file that is causing this modification to the hosts file? Until that is removed (and it must be a run-at-boot to do all this), I do not think that the problem will really go away. I need the hosts file for my VPN link to work, so I need to find the real problem, but you have been a big help in finding the direction to go, I think. I will also try removing all the # in the hosts file too.

Many thanks,

David
 
You ask, "what is the program file causing the modification to the hosts file?"

Well, the answer is that *nothing* is modified in the Hosts (no extension) file. The modification is to the hosts.new file. The culprit is the CWS variant (not the CWShredder program).

Your hosts file (no extension) will look normal, but the hosts.new file will be huge.

I also used Spybot's Hosts file on my computer.
I had my computer set up the same as yours: "127.0.0.1 localhost" on the top line and then after that 127.0.0.1 and the site names to block.

The problem with CWShredder will go away when you delete both the hosts file (no extension) and the Hosts.new file and run CWShredder to completion.

This procedure has worked for at least two people, myself and an online friend. Both of us had the same problem with CWShredder freezing, not running to completion, and 100% CPU usage.

What really tipped me off to the problem was when I went to the folder
C:\Windows\System32\Drivers\ETC to look at the Hosts file (no extension) and looked around at the other files in that folder.

If you see an *enormous* file called hosts.new, then that is a bad file. Just open it with Notepad and look at it. Does that look normal?
In that directory, you will see other files like the Spybot Hosts backup file; it looks similar to this:
hosts-20040708-114153-backup.backup (the date-timestamp is after the hosts-) and that file is OK.
Your Hosts (no extension) file will look normal.


I believe the problem is that the CWS variant is constantly copying one of the lines in your Hosts file (no extension) to the file called Hosts.new.
I looked on the internet and could find no extensions listed for any file called .new, so I immediately was suspicious.

To test my procedure:
1) Delete only the hosts.new file (or you can edit as many lines as you can out of it).
I tried editing it and deleting lines, and then ran CWShredder. CWShredder locked up and took 100% CPU; when I looked at the hosts.new file, I found that it now had 20,000 more lines.
I believe the CWS variant writes to the hosts.new file continuously. If you look at the hosts.new file, you will see the same line written over and over.

2) Now delete hosts.new and all of the hosts (no extension) file, except leave in the # lines and "127.0.0.1 localhost".
Now run CWShredder again and see what happens.
When I did this, CWShredder again locked up, took 100% CPU, and many lines were written to the hosts.new file. So something (probably the CWS variant) created that hosts.new file.

3) Now make a backup of your Hosts (no extension) file (not the hosts.new file).

4) Delete the hosts.new file and delete everything out of the hosts (no extension) file, even the comment lines. The hosts (no extension) file will now be completely blank.
Then run CWShredder.
When I did this, CWShredder ran to completion, and I had no problems. No hosts.new file was created.

5) Since you deleted your hosts file (no extension) previously, you can restore it.
Make sure the first line of the Hosts file (no extension) is "127.0.0.1 localhost".

6) Run CWShredder again to test it and see if all is OK.

7) Check to see that no hosts.new file is being created.

My theory is that the CWS variant looks in the Hosts file (no extension) for a # (comment line) and writes it to the hosts.new forever; when you eliminate the # from the Hosts file (no extension), then CWShredder works OK and CPU is normal. This only solves the CWShredder lockup problem.

Let me know if it works for you.
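The triage and the backup/blank/restore steps from hardluckmike's two posts, as an added example that is not from the thread or from any of the posters. It is written in Python rather than as a Windows batch file so it runs against a copy of the directory on any OS; on the affected machine you would point `triage()` at C:\Windows\System32\drivers\etc and run it elevated. The size and repeat thresholds, the backup file name, the non-loopback check, and the sample hosts/hosts.new contents are assumptions for the demo, and the "hosts.new recreated" watch only reports whether something rewrites the file, not what process does it.

```python
# Added example (not from the thread): triage a copy of the Windows hosts
# directory for the symptom hardluckmike describes (a runaway hosts.new beside
# hosts), then back up, blank and restore hosts the way his steps 3-7 do.
# Thresholds, the backup name and the sample files are assumptions for the demo;
# on a real machine pass C:\Windows\System32\drivers\etc and run elevated.
import re
import shutil
import tempfile
import time
from collections import Counter
from pathlib import Path

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
ENTRY = re.compile(r"^([0-9A-Fa-f.:]+)\s+(\S+)")


def parse_hosts(text):
    """Return ([(ip, hostname), ...], number_of_comment_lines)."""
    entries, comments = [], 0
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("#"):
            comments += 1
            continue
        m = ENTRY.match(stripped.split("#", 1)[0].strip())  # drop trailing comment
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries, comments


def triage(etc_dir, size_threshold=1_000_000, repeat_threshold=50):
    """Report on hosts and hosts.new in etc_dir without modifying anything."""
    etc_dir = Path(etc_dir)
    report = {"hosts_entries": 0, "hosts_comments": 0, "non_loopback": [],
              "hosts_new_present": False, "hosts_new_size": 0,
              "top_line": None, "hosts_new_flooded": False, "suspicious": False}
    hosts = etc_dir / "hosts"
    if hosts.is_file():
        entries, comments = parse_hosts(hosts.read_text(errors="replace"))
        report["hosts_entries"], report["hosts_comments"] = len(entries), comments
        # Spybot's blocks all point at 127.0.0.1; an entry pointing anywhere
        # else is the classic hosts hijack (vendor/update sites redirected).
        report["non_loopback"] = [e for e in entries if e[0] not in LOOPBACK]
    new = etc_dir / "hosts.new"
    if new.is_file():
        report["hosts_new_present"] = True
        report["hosts_new_size"] = new.stat().st_size
        counts = Counter()
        with new.open("r", errors="replace") as fh:  # stream: it may be 100+ MB
            for line in fh:
                counts[line.rstrip("\r\n")] += 1
        if counts:
            line, n = counts.most_common(1)[0]
            report["top_line"] = (line, n)  # the line being copied over and over
            report["hosts_new_flooded"] = n >= repeat_threshold
    report["suspicious"] = report["hosts_new_present"] and (
        report["hosts_new_flooded"] or report["hosts_new_size"] >= size_threshold)
    return report


def backup_and_blank(etc_dir):
    """Steps 3-4: copy hosts aside, delete hosts.new, leave hosts completely
    empty (no entries, no # comment lines). Returns the backup path."""
    etc_dir = Path(etc_dir)
    backup = etc_dir / f"hosts-{time.strftime('%Y%m%d-%H%M%S')}-manual.backup"
    shutil.copy2(etc_dir / "hosts", backup)
    (etc_dir / "hosts.new").unlink(missing_ok=True)
    (etc_dir / "hosts").write_text("")
    return backup


def hosts_new_recreated(etc_dir, seconds=10.0, interval=0.5):
    """Step 7: watch for a while; True if something recreates hosts.new."""
    new, deadline = Path(etc_dir) / "hosts.new", time.monotonic() + seconds
    while time.monotonic() < deadline:
        if new.exists():
            return True
        time.sleep(interval)
    return False


def restore(etc_dir, backup):
    """Step 5: put the saved hosts back, making sure a localhost line is present."""
    text = Path(backup).read_text(errors="replace")
    if not any(l.strip().startswith("127.0.0.1") for l in text.splitlines()):
        text = "127.0.0.1 localhost\n" + text
    (Path(etc_dir) / "hosts").write_text(text)


def demo():
    """Run the whole procedure against a constructed copy in a temp directory."""
    etc = Path(tempfile.mkdtemp())
    (etc / "hosts").write_text(  # constructed, Spybot-style hosts file
        "# Copyright (c) 1993-1999 Microsoft Corp.\n"
        "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n"
        "127.0.0.1 localhost\n"
        "127.0.0.1 ads.example-block.invalid   # Spybot block entry\n")
    (etc / "hosts.new").write_text("127.0.0.1 localhost\n" * 5000)  # constructed flood
    before = triage(etc)
    backup = backup_and_blank(etc)
    recreated = hosts_new_recreated(etc, seconds=0.2, interval=0.05)
    restore(etc, backup)
    after = triage(etc)
    shutil.rmtree(etc, ignore_errors=True)
    return {"before": before, "recreated": recreated, "after": after}


if __name__ == "__main__":
    print(demo())
```

`triage()` streams hosts.new line by line and counts distinct lines, so a 130 MB file made of one repeated line costs almost no memory and the most common line tells you which hosts entry is being copied. The `non_loopback` list is the extra check worth making while you are in that directory: Spybot's entries all resolve to 127.0.0.1, so anything resolving elsewhere is an entry you did not add. If `hosts_new_recreated()` returns True after blanking, the writer is still running and CWShredder will lock up again; that is the process to hunt for in the boot-time entries before restoring the hosts file.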

 