

Old problem, new solution. Svchost high CPU.

10 replies to this topic

#1 daverolland (Members, 3 posts)

Posted 25 March 2014 - 10:43 AM

A friend of mine recently encountered a problem he wanted me to fix for him. Svchost would eventually eat up all his RAM & run at, or near, 100% CPU, rendering things useless.

I found that a virus had patched a system file called RPCSS.

I renamed the infected file & copied a legit version from another PC. Problem solved.

Don't know why MBAM never found it.


Edited by hamluis, 25 March 2014 - 12:08 PM.
Moved from XP to AV/AM Software - Hamluis.
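The fix in the opening post, swapping the file for a copy from a clean PC, works because the patched rpcss.dll differs byte for byte from the genuine one. The script below is an added example, not code from the thread, that automates that comparison as a baseline check: hash the tracked files on a machine believed to be clean, then classify each file on the suspect machine as ok, modified, missing or unexpected. The directory names, file names and file contents are constructed stand-ins written to a temporary directory so it runs anywhere; in real use the two roots would point at the Windows directories of two machines on the same build.

```python
"""
Baseline-and-compare integrity check for a handful of system files.
Added illustration; the tree below is constructed in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Relative paths to track.  rpcss.dll is the file named in the thread; on a
# 64-bit Windows there is a 64-bit copy under System32 and a 32-bit copy under
# SysWOW64.  The third entry is a constructed name used to exercise the
# "missing" branch and does not correspond to a real Windows file.
WATCHED = (
    "System32/rpcss.dll",
    "SysWOW64/rpcss.dll",
    "System32/example_constructed.dll",
)


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(clean_root: Path, watched=WATCHED) -> Dict[str, Optional[str]]:
    """Digest each watched file under the clean root.  None records a file that
    was absent there, so the baseline also states what should not exist."""
    baseline: Dict[str, Optional[str]] = {}
    for rel in watched:
        p = clean_root / rel
        baseline[rel] = sha256_of(p) if p.is_file() else None
    return baseline


def compare(suspect_root: Path, baseline: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each watched file on the suspect root as ok, modified, missing
    or unexpected (present on the suspect, absent from the clean baseline)."""
    report: Dict[str, str] = {}
    for rel, expected in baseline.items():
        p = suspect_root / rel
        if not p.is_file():
            report[rel] = "ok" if expected is None else "missing"
        elif expected is None:
            report[rel] = "unexpected"
        elif sha256_of(p) != expected:
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def demo() -> Dict[str, str]:
    """Build a clean tree and a suspect tree with one altered file, then compare."""
    genuine64 = b"MZ constructed stand-in for the genuine 64-bit rpcss.dll"
    genuine32 = b"MZ constructed stand-in for the genuine 32-bit rpcss.dll"
    extra = b"MZ constructed stand-in for a third tracked file"
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        for root in (clean, suspect):
            (root / "System32").mkdir(parents=True)
            (root / "SysWOW64").mkdir(parents=True)
        (clean / "System32" / "rpcss.dll").write_bytes(genuine64)
        (clean / "SysWOW64" / "rpcss.dll").write_bytes(genuine32)
        (clean / "System32" / "example_constructed.dll").write_bytes(extra)
        # Suspect: the 64-bit copy has bytes appended (standing in for a patch),
        # the 32-bit copy is untouched, the third file is absent.
        (suspect / "System32" / "rpcss.dll").write_bytes(genuine64 + b"\x90" * 16)
        (suspect / "SysWOW64" / "rpcss.dll").write_bytes(genuine32)
        return compare(suspect, build_baseline(clean))


if __name__ == "__main__":
    for rel, status in demo().items():
        print(f"{status:10s} {rel}")
```

Two caveats a practitioner should keep in mind. A mismatch only says the two copies differ, not which one is genuine, so the baseline has to come from a machine that really is clean and on the same Windows build and update level, otherwise legitimate version differences show up as "modified". And a differing file still needs a second opinion, which is exactly what the later replies ask for: checking its signature or submitting it to VirusTotal decides whether the difference is a patch.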



#2 hamluis (Moderator, 56,289 posts, Killeen, TX)

Posted 25 March 2014 - 12:07 PM

> A friend of mine recently encountered a problem he wanted me to fix for him. Svchost would eventually eat up all his RAM & run at, or near, 100% CPU, rendering things useless.
>
> I found that a virus had patched a system file called RPCSS.
>
> I renamed the infected file & copied a legit version from another PC. Problem solved.
>
> Don't know why MBAM never found it.

AFAIK...neither MBAM nor any other single program...is capable of detecting all of the various instances of malware. I know that many like to believe such to be the case...but it just isn't so, IMO.

Louis



#3 Didier Stevens (BC Advisor, 2,717 posts)

Posted 25 March 2014 - 01:10 PM

> A friend of mine recently encountered a problem he wanted me to fix for him. Svchost would eventually eat up all his RAM & run at, or near, 100% CPU, rendering things useless.
>
> I found that a virus had patched a system file called RPCSS.
>
> I renamed the infected file & copied a legit version from another PC. Problem solved.
>
> Don't know why MBAM never found it.

Can you submit the infected file to VirusTotal.com and report the link back here? Thanks.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Didier Stevens (BC Advisor, 2,717 posts)

Posted 25 March 2014 - 01:17 PM

> > A friend of mine recently encountered a problem he wanted me to fix for him. Svchost would eventually eat up all his RAM & run at, or near, 100% CPU, rendering things useless.
> >
> > I found that a virus had patched a system file called RPCSS.
> >
> > I renamed the infected file & copied a legit version from another PC. Problem solved.
> >
> > Don't know why MBAM never found it.
>
> AFAIK...neither MBAM nor any other single program...is capable of detecting all of the various instances of malware. I know that many like to believe such to be the case...but it just isn't so, IMO.
>
> Louis

Not only your opinion hamluis, there's mathematical proof that this is impossible.

Fred Cohen proved that there can't be a program that can detect all malware. His mathematical proof showed that deciding if a program is malware or not can be reduced to the halting problem.

https://en.wikipedia.org/wiki/Fred_Cohen

https://en.wikipedia.org/wiki/Halting_problem


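Cohen's argument is a diagonalization of the same shape as the halting-problem proof: take any candidate detector D, build a program CV that asks D about itself and then does the opposite of what D predicted, and D is wrong on CV. The toy below is an added illustration, not code from this post or from Cohen's paper. "Spreading" is modelled as nothing more than a boolean return value, and the four detectors are constructed stand-ins, not real products. The last one also shows the halting-problem side: a detector that decides by running the sample never returns a verdict on CV.

```python
"""
Runnable toy of Fred Cohen's "no universal virus detector" argument.
Added illustration; the detectors and the program model are constructed.
"""
from typing import Callable, Dict

# A program is a zero-argument callable whose return value says whether it
# "spread" when run (True) or stayed harmless (False).  Nothing else happens.
Program = Callable[[], bool]
# A detector maps a program to a verdict: True means "this is a virus".
Detector = Callable[[Program], bool]


def make_contradicting_program(detector: Detector) -> Program:
    """Cohen's contradictory virus CV, built against one specific detector."""
    def cv() -> bool:
        # Ask the detector about this very program, then do the opposite.
        if detector(cv):
            return False   # verdict was "virus": stay harmless
        return True        # verdict was "clean": spread
    return cv


def evaluate(detector: Detector) -> str:
    """Run a detector against its own CV and classify the outcome."""
    cv = make_contradicting_program(detector)
    try:
        verdict = detector(cv)   # what D claims about CV
        actual = cv()            # what CV really does
    except RecursionError:
        # D ran CV, which asked D, which ran CV, ...: D never produced a verdict.
        return "did not terminate"
    return "correct" if verdict == actual else "wrong"


# --- candidate detectors; every deterministic one is defeated by its CV -----

def always_virus(_: Program) -> bool:
    return True


def always_clean(_: Program) -> bool:
    return False


def static_heuristic(program: Program) -> bool:
    # "Static analysis": a crude stand-in for a signature scan of the bytes on
    # disk.  Flags functions whose bytecode constants contain both True and False.
    consts = program.__code__.co_consts
    return True in consts and False in consts


def sandbox(program: Program) -> bool:
    # "Dynamic analysis": run the sample and report what it did.
    return program()


def run_all() -> Dict[str, str]:
    """Outcome of each candidate detector against its own contradicting program."""
    candidates = (always_virus, always_clean, static_heuristic, sandbox)
    return {d.__name__: evaluate(d) for d in candidates}


if __name__ == "__main__":
    for name, outcome in run_all().items():
        print(f"{name:17s} -> {outcome}")
```

Whatever a detector answers, CV does the other thing, so no detector is ever "correct" on its own CV; the sandbox variant shows the reduction in miniature, since observing CV's behaviour means running it, and running it means waiting on the detector's own verdict forever. That is the theoretical reason behind hamluis's practical point: a scanner that misses a sample is not a broken product, it is the expected state of affairs.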


#5 Union_Thug, "Bleeps with the fishes..." (Members, 2,355 posts, Location: is everything)

Posted 25 March 2014 - 03:17 PM


> Not only your opinion hamluis, there's mathematical proof that this is impossible.
>
> Fred Cohen proved that there can't be a program that can detect all malware. His mathematical proof showed that deciding if a program is malware or not can be reduced to the halting problem.
>
> https://en.wikipedia.org/wiki/Fred_Cohen
>
> https://en.wikipedia.org/wiki/Halting_problem

Great info as usual Didier, TYVM!



#6 quietman7, "Bleepin' Janitor" (Global Moderator, 51,762 posts, Virginia, USA)

Posted 25 March 2014 - 03:38 PM

These are the common detections:
Win32/Patched rpcss.dll
Win64/Patched rpcss.dll

Patched rpcss.dll - Zekos reported 01/10/14
Zekos four random system folder files implicated with the zekos.patched rpcss.dll infection reported 01/13/14

How to remove Zekos with RogueKiller
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#7 xXToffeeXx, "Bleepin' Polar Bear" (Malware Response Instructor, 6,086 posts, The Arctic Circle)

Posted 25 March 2014 - 04:52 PM

Yup, Zekos was making the rounds before those reports too. It's nothing new now, and some tools can automatically deal with them, including MBAM's rootkit scanner (sometimes it would fix it, sometimes not), but replacing the file manually is how many people have dealt with it. Zekos is just difficult to deal with automatically, hence why not many tools claim to do so.

xXToffeeXx~

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~


#8 quietman7, "Bleepin' Janitor" (Global Moderator, 51,762 posts, Virginia, USA)

Posted 25 March 2014 - 05:26 PM

OTM, Avenger, BlitzBlank, CFScript should do the job too.

#9 daverolland (Topic Starter, Members, 3 posts)

Posted 26 March 2014 - 01:53 PM

Glad to see it's nothing new. MBAM is the one tool I lean on most heavily, so I accepted its response of "nothing detected", especially since nearly all the posts I saw dated from 2010 or earlier.

Would it still be beneficial to submit the infected file?



#10 quietman7, "Bleepin' Janitor" (Global Moderator, 51,762 posts, Virginia, USA)

Posted 26 March 2014 - 03:34 PM

> Would it still be beneficial to submit the infected file?

The more samples they get, the more the lab researchers can analyze them.

#11 Didier Stevens (BC Advisor, 2,717 posts)

Posted 26 March 2014 - 04:46 PM

> Glad to see it's nothing new. MBAM is the one tool I lean on most heavily, so I accepted its response of "nothing detected", especially since nearly all the posts I saw dated from 2010 or earlier.
>
> Would it still be beneficial to submit the infected file?

Yes, please submit.






