To: cygwin AT cygwin DOT com
From: "George Hester"
Subject: Re: Cygwin finally croaked
Date: Fri, 29 Oct 2004 16:05:57 -0400

"Larry Hall" wrote in message news:6 DOT 1 DOT 0 DOT 6 DOT 0 DOT 20041025205130 DOT 04524c18 AT pop DOT prospeed DOT net...
> At 08:17 PM 10/25/2004, you wrote:
> >"Larry Hall"
>
> Larry Hall                              http://www.rfk.com
> RFK Partners, Inc.                      (508) 893-9779 - RFK Office
> 838 Washington Street                   (508) 893-9889 - FAX
> Holliston, MA 01746
>

Larry I think I figured it out and it has nothing to do with Cygwin. I noticed my Task Manager was taking over 50% CPU whenever I had it open. When it wasn't open I did not experience this drain on the CPU. Anyway I decided to defrag my memory using this command using the Windows Scripting Host:

    MyString = Space(128000000)

This is in a VBS file I call memory.vbs. It releases memory. It is accessed like this in the Windows Command Prompt:

    cscript memory.vbs

When I did that I got cscript is not an internal command. That is not good. It meant my cscript.exe was missing. Well sort of. After investigating this I noticed I had a new Service and new user accounts in my Server. Sure enough something was uploaded into my system directory. It is a variant of ServU which is commonly used by hackers. They used it in conjunction with:

    hidden32.exe
    CsC.exe
    ip.exe
    jacheck.dll
    jastat.dll
    nc.exe
    WSManager32.exe (camouflaged ServU) (runs as a service)
    sec.exe
    pwdump2.exe
    sc.exe
    hxdef100.exe
    samdump.dll
    uptime.exe
    psinfo.exe
    kill0103.exe
    psloggedon.exe
    fport.exe
    hxdefdrv.sys

There are two more services that also run. I looked at the ini used to set it all up and so knew where to look. I believe it happened due to the Windows Media Service because now that is broke. I removed it.

I found these because I knew the time the issue above started and I was able to see the new files created in my System directory around that time. Anyway I noticed the issue with Cygwin at about the same time. I have cleaned these things out and voila Cygwin is fine now. Thanks for looking into this with me.

--
George Hester
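The approach the message describes, listing files that appeared in the system directory around the time the trouble began, sketched here as an added Python example (not code from the original post). The function name `files_near`, the extension list, and the sample files and incident time are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Assumed list of file types worth reviewing: programs, libraries, drivers, scripts, configs.
SUSPECT_EXT = {".exe", ".dll", ".sys", ".ini", ".bat", ".vbs"}

def files_near(root, incident, window, stamp="st_mtime"):
    """Return (timestamp, path) pairs, oldest first, for suspect-type files
    under root whose timestamp lies within +/- window of the incident time.
    On Windows, pass stamp="st_ctime" to compare creation times instead."""
    lo = (incident - window).timestamp()
    hi = (incident + window).timestamp()
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                ts = getattr(os.stat(path), stamp)
            except OSError:
                continue  # file locked or removed while scanning
            if lo <= ts <= hi:
                hits.append((datetime.fromtimestamp(ts), path))
    return sorted(hits)

def demo():
    """Build a constructed directory: two old files plus three written
    minutes after a constructed incident time, then report what is flagged."""
    incident = datetime(2024, 1, 15, 12, 0)  # constructed, not from the post
    sample = {
        "kernel32.dll": timedelta(days=-400),
        "notepad.exe": timedelta(days=-400),
        "dropped_a.exe": timedelta(minutes=5),
        "dropped_b.sys": timedelta(minutes=7),
        "readme.txt": timedelta(minutes=6),  # in window, but not a suspect type
    }
    with tempfile.TemporaryDirectory() as root:
        for name, offset in sample.items():
            path = os.path.join(root, name)
            open(path, "w").close()
            t = (incident + offset).timestamp()
            os.utime(path, (t, t))  # set the timestamp the scan will read
        hits = files_near(root, incident, timedelta(hours=1))
        return [os.path.basename(p) for _ts, p in hits]

if __name__ == "__main__":
    print(demo())
```

File timestamps can be altered and a rootkit can hide files from a live directory listing, so a scan like this is more reliable when run against an offline copy of the volume.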