Sign in with
Sign up | Sign in
Your question
Solved

Possible network hijack [Suspect: sqlserver]

Last response: in Windows 7
Share
October 17, 2012 1:09:35 PM

Recently I noticed that my D-link Router, has problems with wireless connection loss (to laptops) and needed occasional restarting.

Also I have noticed I get the Malware on network detected, please type in the captcha from certain websites lately (unfortunately I cant find one that can reproduce that page now )

Yesterday, I noticed a very large drop in network speed (on all computers), (from 11mpbs to 0.5mpbs).

The problem persisted today, so I looked at what my system was running, Windows task manager did not show any unusual processes running or any network activity.

I opened Process Explorer, and there I see the process sqlservr.exe using a lot of memory (comparable to Firefox's) - around 113 000 kb.

I looked at its origin and the filepath is:
c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe

As far as I know, I have not ever seen this process running before or need it running, also I am suspicious of the process (as the file names are misspelled etc...), EX: Bin is spelled Binn and the server process is misspelled as well.

I have tried to kill the process, that too failed. Deleting the files too met with similar failure. Access denied, (I ran process explorer as Admin, when I tried to kill the process).

I also have Hijack this installed, tried scanning using its ADS spy utility (to check for hidden data streams) It didn't even scan the program file section.

Scan on its normal scan utility, has given me this: http://www.mediafire.com/?xu9ux3jc4uhcc49 log life, but again no mention of the process in question


What is the best course of action? I believe this network slowdown, at least in part is caused by this, My questions are this:

1) Is there any way I could remove this process/file from my pc (without damaging anything) and seeing if I regain performance?

2)If in fact this is either malware disguised as a normal process, how do I go about getting rid of it?
- I would really love to avoid a format (as a lot of important stuff is stored in this HDD, with no way to backup most of it - not enough storage devices)
Also would it be possible to do a format/reset on my router since it it is a network related problem?



Thank you
a b $ Windows 7
October 17, 2012 1:17:14 PM

Well, that is Microsoft SQL server and the folder structure looks about right, except that it is \binn\, I feel like it should be bin. You do not remember ever installing SQL Server Express?

And it is only using 112mb, not over the top for SQL Server, I think you need to look elsewhere for a network issue. If you think it is a virus then your best bet is to run malware bytes and another solid anti-virus in safemode.

Is your router secured? If it is not, then there could be other users on your network, or if you are using a weak security method, it could have been broken.
m
0
l
a b 8 Security
a b $ Windows 7
October 17, 2012 2:18:40 PM

sql express version could be install with some other software that required it. You should be able to disabled it from starting in the services.
m
0
l
Related resources
October 17, 2012 9:48:28 PM

Hm, I used to have an (expired and outdated) copy of Kaspersky 2010. Since about 2 months ago I have been running Microsoft Security Essentials (with the latest updates).

Also I have admin access to my router (password protected), and in the DHCP in the Connected DHCP clients list and the reservations list I only see my own computers.

I don't believe I have much else in the way of network security, I have not been able to find how to enable WEP or a similar form of security, all it filters by currently are the MAC addresses, and the aforementioned DHCP reservations.

Also, at the time of this posting the the sqlsrvr process isn't anywhere to be found (although I still see it on my HDD).

==

I do live in an apartment, is it possible someone else wireless device is causing interference? However please note this problem is affecting my computers connected through cable, and the router to modem connection is cable as well.

I also notice, the routers lights (Local Network LEDs and status light) start to flash at a much faster than normal rate after a while and only stabilize on a restart.

Router Model: Dlink DIR-615

Is it possible the router is failing? It is less than a year old however. Restarts even extended ones (3-4 hours) have had no noticeable effect
- Would a complete router reset help? I am unwilling to do this however, since the previous time I did this it wiped out all the network reservation settings etc....

On the chance, it could be a software issue, with malware. Any specific Hijack this settings/tools I should use to attempt to find and remove it?


Thanks,


m
0
l
a b $ Windows 7
October 17, 2012 10:47:16 PM

Have you by chance tried plugging straight into the modem or is your wireless router integrated into the modem from the provider? That will tell whether the router is an issue. I know you have "admin access" to the router with a password is good, but when you connect a device wirelessly do you have to enter a security key? If so, look for the security options in your admin menu and see what type it is, if it is WEP that is a bit of a an old tech and could be hacked.

Also, there could be interference from other peoples routers, you may be able to switch the channel which might help. I would look up your router but am just leaving my comp.
m
0
l
October 17, 2012 10:57:32 PM

chugot9218 said:
Have you by chance tried plugging straight into the modem or is your wireless router integrated into the modem from the provider? That will tell whether the router is an issue. I know you have "admin access" to the router with a password is good, but when you connect a device wirelessly do you have to enter a security key? If so, look for the security options in your admin menu and see what type it is, if it is WEP that is a bit of a an old tech and could be hacked.

Also, there could be interference from other peoples routers, you may be able to switch the channel which might help. I would look up your router but am just leaving my comp.



Also if his router is WPS enabled (most modern routers have this) it's a major security flaw and it can allow people to bypass wpa/wpa2

EDIT: Yup his router has WPS.
m
0
l
October 18, 2012 12:09:40 AM

No luck, I connected my brand new laptop (Purchased early September) and rarely connected to the network, onto it. No difference.

I tried both the pc and laptop (separately) directly connected to the modem, without the router. Still no difference.

I am assuming this means its most likely a problem with either the modem or my ISP?

I live in Toronto, Ontario and my ISP is Tek savvy solutions, Did a bit of searching and apparently there has been some problems recently,

http://www.dslreports.com/forum/r27619264-Current-Outag...

My area is not mentioned but it probably is a related problem.

Thanks for everything, I was getting very worried :) 
m
0
l

Best solution

a b $ Windows 7
October 18, 2012 1:41:56 PM

Ahhh, so it has just been a recent problem. It definitely sounds like a router or service problem, I had an ISP that sent me the oldest crappiest modem I'd ever seen, it would hardly let me play online games. I complained to the ISP because I found that the modem was discontinued on the manufacturer website and they offered no service for it, and the ISP said that "oh all ISP's just use their old modems until they break!" which I found hard to believe because I can't imagine that the larger ISP's didn't have dozens of old modems sitting around that they wouldn't use. Give them a call and let them know your issue, if it isn't a network issue then I would ask for a new modem.
Share
October 18, 2012 7:47:30 PM

Best answer selected by boarnoah.
m
0
l
!