inetinfo.exe sucking up cpu -- what is it. what to do?

Richard

Hi,

Almost all of my cpu usage seems to be sucked up by inetinfo.exe. I'm
running Win2000ProSP4, which ran fine for years until today. I used to run
McAfee antivirus, but after my subscription expired, I couldn't get the
update to install. Since then I've been relying on MailWasherPro to block
flaky email and greater care in what I install.

Does anyone know what inetinfo.exe is? I tried to stop it using
TaskManager, but TM said the process couldn't be stopped. I'm running a
search on the entire system for that file, but since the search is being
starved for cpu resources, it may take a day, maybe more, to find it.

I'd appreciate any suggestions about how to get info on this process or how
to deal with it.

TIA,
Richard
 
Steven L Umbach

That is used by Web Services. If you are not running a website on your
computer then uninstall Web Services. Go into add/remove programs, then
add/remove Windows components, and uncheck Internet Information Services.
You really need to get an up to date virus scanner on your computer to do a
scan, use a firewall, and keep your critical updates current at Windows
Update. --- Steve

http://www.microsoft.com/security/protect/
 
Richard

Hi All,

I figured out what's wrong. I didn't think IIS was being used on this
workstation. I thought it was only being used on my server. So I started
deleting files/folders in <windir>. I thought I might be in trouble when
some files were "in use," but I was undeterred.

I managed to stop inetinfo.exe by running Visual Studio to debug the process,
whereupon I was able to set a breakpoint. Then the search was able to
complete. Then I restored the deleted files/folders from the Recycle Bin.
Finally, I killed the debugger and checked the renegade process. It is
quiescent now. Whew!

Thanks for any help you might have offered. I'm fine now.

Regards,
Richard
 
Richard

Thanks, Steve.

In a response I posted that crossed paths with yours, you will note I solved
my problem by figuring out that the renegade routine was associated with
IIS, recalled that I had just deleted files from the InetPub and thus
restored them.

Nevertheless, your advice is on target and I will follow up with your
suggestions. However, probably nothing will stop me when I'm hell-bent on
destroying my system :)

Regards,
Richard
 
Karl Levinson [x y] mvp

Wait a minute. The high volume of IIS activity on your computer that wasn't
hosting any IIS files tells me that you probably had a virus or an intruder.
You might want to try to figure out what vulnerability was on your computer
and what was done using it. For example, I'm guessing that you don't have
antivirus or that your antivirus isn't set to download updates automatically
every week, and it sounds like you may not have a firewall, and haven't
installed all the latest patches on your computer.

Any one of these things could cause your computer to develop similar
problems somewhere else in the future. www.grisoft.com is free antivirus,
www.kerio.com or www.sygate.com are free firewalls, and
http://windowsupdate.microsoft.com should be visited more or less once a
month to get all the latest updates. You might also want to consider the
hardening checklists at
www.microsoft.com/technet/security and
http://securityadmin.info/faq.asp#harden

Going to the following site might help you confirm what was done and that
everything malicious has really been removed:

http://securityadmin.info/faq.asp#hacked
 
Richard Muller

Hi Karl,

> Wait a minute.

Thanks for taking the trouble to go an extra mile in looking into my
problem, especially for the www.grisoft.com link, and the other security
links as well. I didn't know about the existence of most of them.

> ... you probably had a virus or an intruder.

I thought that was the likely cause of my symptom until:
(i) I discovered that the file soaking up the cpu cycles was located in
inetpub; and
(ii) I recalled that I have recently deleted a number of files from that
folder thinking that I wasn't using IIS on this workstation, only on my
Win2000AS server.
(iii) The problem disappeared immediately after I restored the files I had
foolishly deleted.

> For example, I'm guessing that you don't have antivirus

Quite true. I had been running McAfee, which I thought did a great job.
However, when I purchased the right for another year's downloads of
upgrades, their software got hosed and their tech support was unable to
provide useful advice. So I canned it, started relying on MailWasherPro and
a cautious approach to downloads.

> ... or that your antivirus isn't set to download updates automatically
> every week

I do get automatic indication that a relevant critical update is available
for download/install. I don't know if the frequency is "every week,"
however.

> ... you may not have a firewall

I do: my cable modem feeds a LinkSys router that has all ports shut down
against any traffic that is not responsive to a message that my network
originated.

> ... haven't installed all the latest patches on your computer.

I think I am up-to-date on that score.

That was great to learn. I have installed it and it confirmed that subject
workstation is virus-free.

Do you agree that they're unnecessary in light of the LinkSys router at the
"gateway" to my network?

> http://windowsupdate.microsoft.com should be visited more or less once a
> month to get all the latest updates.

Thanks for this suggestion. I assumed that the automatic warnings were
enough. From now on, I'll start doing that for every computer on the first
of the month (along with sending in my mortgage payment) at the first of
every month.

> You might also want to consider the hardening checklists at
> www.microsoft.com/technet/security and
> http://securityadmin.info/faq.asp#harden

I'll start checking this out. I looked at them initially: they look great.

> Going to the following site might help you confirm what was done and that
> everything malicious has really been removed:
> http://securityadmin.info/faq.asp#hacked

Ditto.

So, again, many thanks for all your guidance.

Best wishes,
Richard Muller
 
Rich Matheisen [MVP]

Karl Levinson [x y] mvp said:
> Wait a minute. The high volume of IIS activity on your computer that wasn't
> hosting any IIS files tells me that you probably had a virus or an intruder.
> You might want to try to figure out what vulnerability was on your computer
> and what was done using it. For example, I'm guessing that you don't have
> antivirus or that your antivirus isn't set to download updates automatically
> every week, and it sounds like you may not have a firewall, and haven't
> installed all the latest patches on your computer.
>
> Any one of these things could cause your computer to develop similar
> problems somewhere else in the future. www.grisoft.com is free antivirus,

Doesn't their set of restrictions limit the usefulness of the free
product in any environment that runs IIS or any server?

"AVG Free Edition offer is valid for all SINGLE HOME users only."

"AVG Free Edition CAN NOT BE INSTALLED ON SERVERS FOR ANY REASON. IT
CAN NOT BE INSTALLED IN ANY NETWORKED ENVIRONMENT!"
 
Richard Muller

Hi Rich,
> Doesn't their set of restrictions limit the usefulness of the free
> product in any environment that runs IIS or any server?
>
> "AVG Free Edition offer is valid for all SINGLE HOME users only."
>
> "AVG Free Edition CAN NOT BE INSTALLED ON SERVERS FOR ANY REASON. IT
> CAN NOT BE INSTALLED IN ANY NETWORKED ENVIRONMENT!"

It was useful for me because I had only one workstation that I was worried
about, and it is my home machine (I'm an independent software developer.)

Regards,
Richard
 
Karl Levinson [x y] mvp

> I do: my cable modem feeds a LinkSys router that has all ports shut down
> against any traffic that is not responsive to a message that my network
> originated.

Well, if your Linksys doesn't block outbound traffic [which many of their
NAT routers and firewalls don't], then it would not have alerted you to a
virus on your computer. And if you have to open ports [such as TCP 80]
inbound, then a virus that spreads via HTTP can freely enter and exit your
firewall.

> Do you agree that they're unnecessary in light of the LinkSys router at the
> "gateway" to my network?

Not necessarily. It's all up to you and your security needs. Plenty of
people run firewall software in addition to or instead of firewall devices.
Software firewalls do at least one thing that firewall devices will never be
able to do: tell you which executable generated a particular packet, tell
you whether that executable has changed since the last time it generated a
packet, and block that traffic per executable instead of per port. So,
firewall software can allow Internet Explorer to use TCP 80 outbound while
generating an alert when another app tries to do the same.
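
The per-executable outbound check described in the last post, as an added Python example that is not part of the thread or any poster's code: rules are keyed on the program rather than only the port, and a digest recorded at approval time detects a changed binary. The `Rule` and `AppFirewall` names, the paths and the byte strings standing in for files are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

def digest(image: bytes) -> str:
    """SHA-256 of an executable image (here: constructed stand-in bytes)."""
    return hashlib.sha256(image).hexdigest()

@dataclass(frozen=True)
class Rule:
    exe: str          # full path of the permitted program
    sha256: str       # digest recorded when the rule was approved
    ports: frozenset  # outbound TCP ports this program may use

class AppFirewall:
    def __init__(self, rules):
        # Windows paths are case-insensitive, so index rules by lowercased path.
        self.rules = {r.exe.lower(): r for r in rules}

    def check(self, exe: str, image: bytes, port: int) -> str:
        """Decide on one outbound connection attempt."""
        rule = self.rules.get(exe.lower())
        if rule is None:
            return "ALERT unknown-program"      # no rule for this executable
        if digest(image) != rule.sha256:
            return "ALERT executable-changed"   # binary differs from approved copy
        if port not in rule.ports:
            return "ALERT port-not-permitted"   # approved program, unapproved port
        return "ALLOW"

# Constructed sample data: paths are illustrative, byte strings stand in for files.
IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE_IMAGE = b"constructed stand-in for iexplore.exe"
INETINFO_PATH = r"C:\WINNT\system32\inetsrv\inetinfo.exe"
INETINFO_IMAGE = b"constructed stand-in for inetinfo.exe"

def demo():
    fw = AppFirewall([Rule(IE_PATH, digest(IE_IMAGE), frozenset({80}))])
    return [
        fw.check(IE_PATH, IE_IMAGE, 80),                # approved browser
        fw.check(INETINFO_PATH, INETINFO_IMAGE, 80),    # another app, same port
        fw.check(IE_PATH, IE_IMAGE + b" modified", 80), # binary changed on disk
        fw.check(IE_PATH, IE_IMAGE, 25),                # browser on another port
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

A port-only device rule would pass the first three attempts identically, since all of them are outbound TCP 80.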
 
