strange svchost running 50% CPU in command window on logon
- From: "Tim_Mac" <tim@xxxxxxxxx>
- Date: 2 May 2005 12:05:49 -0700
hi,
i have a windows server 2003 enterprise edition, running as a web +
file server.
when i logged on today, there was a command window that opened, titled
"svchost.exe", and it is still taking up around 50% CPU. there are no
start-up scripts, or entries in the RUN section of the windows
registry. all my virus defs are up to date. an output of the tasklist
is included below.
i checked the event log and a new event i hadn't seen before was
present:
Event Type: Error
Event Source: LsaSrv
Event Category: None
Event ID: 6033
Date: 29/04/2005
Time: 19:30:49
User: N/A
Computer: bb
Description:
An anonymous session connected from USAGER-OYH88RV9 has attempted to
open an LSA policy handle on this machine. The attempt was rejected
with STATUS_ACCESS_DENIED to prevent leaking security sensitive
information to the anonymous caller.
The application that made this attempt needs to be fixed. Please
contact the application vendor. As a temporary workaround, this
security measure can be disabled by setting the
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock
DWORD value to 1.
This message will be logged at most once a day.
could this be a hack attempt? i checked the svchost.exe file and it is
the original MS version so at least it hasn't been replaced with a
worm.
i'm a little concerned!! and really appreciate any tips someone might
have.
thanks
tim
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       440 N/A
csrss.exe                      528 N/A
winlogon.exe                   568 N/A
services.exe                   632 Eventlog, PlugPlay
lsass.exe                      652 HTTPFilter, NtLmSsp,
                                   ProtectedStorage, SamS
svchost.exe                    856 DcomLaunch
svchost.exe                    956 RpcSs
svchost.exe                   1020 Dhcp, Dnscache
svchost.exe                   1072 LmHosts, W32Time
svchost.exe                   1104 AeLookupSvc, BITS, CryptSvc, dmserver,
                                   EventSystem, helpsvc, lanmanserver,
                                   lanmanworkstation, Netman, Nla, RasMan,
                                   Schedule, seclogon, SENS, SharedAccess,
                                   ShellHWDetection, TrkWks, winmgmt,
                                   wuauserv
msdtc.exe                     1304 MSDTC
avgamsvr.exe                  1480 Avg7Alrt
avgupsvc.exe                  1524 Avg7UpdSvc
svchost.exe                   1596 ERSvc
FileZilla server.exe          1628 FileZilla Server
inetinfo.exe                  1684 IISADMIN, SMTPSVC
mdm.exe                       1716 MDM
sqlservr.exe                  1776 MSSQLSERVER
svchost.exe                    208 RemoteRegistry
WMServer.exe                   368 WMServer
mssearch.exe                   512 MSSEARCH
svchost.exe                   1032 W3SVC
sqlagent.exe                  2052 SQLSERVERAGENT
svchost.exe                   2204 TermService
wmiprvse.exe                  1004 N/A
svchost.exe                   2512 TapiSrv
cisvc.exe                     3080 CiSvc
cidaemon.exe                  2544 N/A
cidaemon.exe                   192 N/A
cidaemon.exe                  2964 N/A
cidaemon.exe                  3020 N/A
alg.exe                       2600 ALG
logon.scr                     3608 N/A
csrss.exe                     2664 N/A
winlogon.exe                  3524 N/A
rdpclip.exe                   2520 N/A
explorer.exe                  2460 N/A
avgcc.exe                     2384 N/A
FileZilla Server Interfac     3508 N/A
sqlmangr.exe                  3084 N/A
cmd.exe                       2924 N/A
w3wp.exe                      3504 N/A
taskmgr.exe                    380 N/A
cmd.exe                       3472 N/A
wmiprvse.exe                  1912 N/A
tasklist.exe                  3852 N/A
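
Added example, not part of the original post: a Python parser for a saved tasklist listing with a Services column, like the one above. It rejoins wrapped Services lines, then flags any svchost.exe row that hosts no service and any image name that is a near-miss spelling of svchost.exe. The second check goes beyond what the post describes; the function names, the 0.8 similarity threshold and the rows with PIDs 4242 and 4343 are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed input: rows taken from the post's whitespace-collapsed listing,
# plus two invented rows (PIDs 4242 and 4343) so each check has something to find.
SAMPLE = """\
Image Name PID Services
========================= ========
============================================
System Idle Process 0 N/A
svchost.exe 856 DcomLaunch
svchost.exe 1104 AeLookupSvc, BITS, CryptSvc,
dmserver,
EventSystem, helpsvc, lanmanserver,
FileZilla server.exe 1628 FileZilla Server
cmd.exe 2924 N/A
svchost.exe 4242 N/A
scvhost.exe 4343 N/A
"""

# image name (may contain spaces), numeric PID, then the Services text
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>\S.*)$")

def parse_tasklist(text):
    """Return [(image, pid, [services])], joining wrapped Services lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) <= set("= "):
            continue                       # blank line or ==== separator
        m = ROW.match(line)
        if m:
            rows.append([m["image"], int(m["pid"]), m["services"]])
        elif rows:                         # no PID column: wrapped Services text
            rows[-1][2] += " " + line
    return [(img, pid, [] if svc == "N/A" else
             [s.strip() for s in svc.split(",") if s.strip()])
            for img, pid, svc in rows]

def triage(rows):
    """Flag svchost.exe rows hosting no service and near-miss spellings of the name."""
    findings = []
    for image, pid, services in rows:
        name = image.lower()
        if name == "svchost.exe":
            if not services:
                findings.append((pid, image, "svchost.exe hosts no services"))
        elif SequenceMatcher(None, name, "svchost.exe").ratio() >= 0.8:
            findings.append((pid, image, "name resembles svchost.exe"))
    return findings
```

On the listing in the post itself neither check fires: each svchost.exe row there names at least one service.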