How to Fix: Remove SystemTask.exe / SystemTaskInfo.exe Virus (100% CPU Usage)

By Dennis Faas

Infopackets Reader Michael B. writes:

"Dear Dennis,

Thank you so much for helping me to patch my Windows 2003 Server against the SMB attacks and for removing the Windows_Update.exe virus a few weeks back. I have yet another problem that is causing high CPU usage! In Task Manager of Windows Server 2003, I see two processes that are eating 50% of my CPU each, namely: SystemTask.exe and SystemTaskInfo.exe. If I try and delete either process, it simply comes back and starts eating my CPU again, which makes everything else on the server painfully slow. Can you please help?"

My response:

I asked Michael if he would like me to connect to his server using my remote desktop support service, and he agreed.

Off the top of my head, I don't know of any legitimate Windows / Windows Server process named SystemTask or SystemTaskInfo, so I knew that most likely Michael was infected with malware. This is the kind of thing that happens when you continue to use an old and unsupported operating system (such as Windows XP, Server 2003 or Vista): your system can become infected instantaneously as long as it is connected to the Internet, or to another network for that matter.

The reason this happens is that the operating system is no longer receiving security updates, so viruses and malware can sneak right into the system even with a firewall or antivirus enabled. That's also why I recommended to Michael (again) that he upgrade his server immediately to avoid becoming infected repeatedly.

How to Fix: Remove SystemTask.exe / SystemTaskInfo.exe Virus (100% CPU Usage)

Both SystemTask.exe and SystemTaskInfo.exe were located in the Windows folder. They were marked as hidden system files, which made them invisible under normal circumstances.

To mitigate the attack, I wrote a batch script to reset file attributes, kill the tasks, and rename the executable files with a non-executable extension so that they would not propagate any further. After that, I uploaded both SystemTask.exe and SystemTaskInfo.exe to virustotal.com to see what kind of malware I was dealing with. I discovered that Michael was infected with malware designed to steal CPU cycles in order to mine for bitcoins. If successful, the malware creators are paid money for each bitcoin created.

Here are the steps to remove the virus:

  1. Click Start and type in "cmd" (no quotes); wait for "CMD.EXE" or "Command Prompt" to appear in the list, right click it, and select "Run as Administrator".
     
  2. Highlight the text below using your mouse:

    C:
    cd \windows
    rem remove leftovers from a previous run of this script (harmless if absent)
    del SystemTask.virus
    del SystemTaskInfo.virus
    rem reset the attributes (set, then clear) so the files are visible and can be renamed
    attrib +a +r +h +s SystemTask.exe
    attrib +a +r +h +s SystemTaskInfo.exe
    attrib -a -r -h -s SystemTask.exe
    attrib -a -r -h -s SystemTaskInfo.exe
    rem kill and rename each file twice, because the malware relaunches itself
    taskkill /F /IM SystemTask.exe
    rename SystemTask.exe SystemTask.virus
    taskkill /F /IM SystemTask.exe
    rename SystemTask.exe SystemTask.virus
    taskkill /F /IM SystemTaskInfo.exe
    rename SystemTaskInfo.exe SystemTaskInfo.virus
    taskkill /F /IM SystemTaskInfo.exe
    rename SystemTaskInfo.exe SystemTaskInfo.virus
    rem the dummy line makes cmd execute the last rename when the text is pasted
    echo this is a dummy line
     
  3. Right-click the highlighted text above and select "Copy" from the context menu. Go back to the command prompt you opened in Step #1, right-click in the middle of the window and select "Paste" from the context menu. The text you highlighted in the previous step will be executed on the command line, and the virus should now be neutralized for the time being.
     
  4. Manually patch your system against the SMB exploits if you are running an unsupported operating system such as Windows XP, Windows Server 2003 or Vista. If you are running a newer, supported operating system (Windows 7, 8 or 10, for example) and you've become infected, then you need to make sure you are still receiving Windows Updates, that you do not have a lot of failed updates, and that your Windows Updates are up to date.

    It's worth mentioning that I already patched Michael's system against the SMB exploits a few weeks back, yet he's managed to become infected again. That means one of two things: (1) there's another operating system exploit in the wild with no patch currently available - and there may never be a patch; or (2) Michael inadvertently ran a malicious program. I am leaning more towards explanation (1), since Michael's first infection was also a bitcoin mining malware variant and this variant is only a few weeks old according to VirusTotal.
     
  5. If you are using an older, unsupported operating system, it's time to retire it and move onto something newer that receives security updates regularly - otherwise you will become infected again. Note that the script I wrote (above) only stops the virus from executing - it does not prevent it from coming back!

    That said: if you need help migrating your system - whether it's Windows Server 2003 or Windows Vista, I can help with that - details below.

I hope that helps.

Additional 1-on-1 Support: From Dennis

If your system is infected with the "SystemTask.exe" virus or "SystemTaskInfo.exe" virus (or something similar) and you are not able to remove it, I can help using my remote desktop support service. If you need help migrating to another operating system because you are running an obsolete system, I can help with that as well. Simply contact me, briefly describing the issue, and I will get back to you as soon as possible.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question -- or even a computer problem that needs fixing -- please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise cover a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.


Comments

ecash writes:

So the firewall only protects from Incoming Links/connections??
NOT outgoing??

Is this server for a restricted/(only certain people) setup, or can it be accessed by anyone??
Or is this JUST the OS he is running?

Just Curious..

jonathan.griffitts_9693 writes:

Just this weekend I found the same sequence of problems as you describe but that wasn't the end of it.

My client complained that their old Server 2003 domain controller was running painfully slowly. There was an obvious slew of Windows_Update.exe tasks that were eating the machine. After that there was the more subtle SystemTaskInfo.exe thing that you describe. I discovered these pages while working the problems.

However, a few hours after the SystemTaskInfo fix, file c:\windows\system32\smss.exe disappeared, which caused Windows to crash and fail to reboot, with a SESSION3_INITIALIZATION_FAILED blue-screen. I had to boot from a CD to restore smss.exe, and Windows booted OK but promptly deleted smss.exe again! I restored it again, marked it read-only, and things seemed to be running. However, there was *still* something eating one whole core of the CPU. It was "Services.exe" which is *not* the normal "services.exe" (notice the capitalization? I didn't for a long time) and I tracked it down using procexp. It was living in directory C:\WINDOWS\Fonts\gaibscmd\Services.exe. Both the directory and the .exe were marked hidden and system, and the fact that it was in Fonts means I had to attack it from the command line rather than the GUI. There were also ACL problems which I had to overcome by forcing ACL inheritance down from the Fonts folder. After that minor struggle I renamed Services.exe, then noticed that there was another rogue file, C:\WINDOWS\Fonts\aambtcqdmd\Conime.exe, so I renamed that one also. Afterward I went into the registry and cleaned up the references to all these malware files so the system wouldn't try to schedule those tasks and services.

As far as I can tell, things are good now. I installed ClamWin virus scanner (which still supports Windows 2003) and it found the renamed windows_update and SystemTaskInfo but not the ones hidden in the Fonts folder. I'm just waiting for the next shoe to drop!

(For some time I've been talking to the client about the need to update their servers. Maybe the hours I bill for this will convince them that it's time. . . )
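The article found hidden SystemTask.exe / SystemTaskInfo.exe sitting directly in the Windows folder, and the comment above found "Services.exe" and "Conime.exe" running from subfolders of C:\WINDOWS\Fonts. The following added Python example (not from the article or the commenter) reads a constructed wmic-style process listing and flags both patterns: a core system binary name whose image is not in System32, any executable under Fonts, and any unexpected executable in the Windows root. The allowlists of System32-only binaries and Windows-root executables are illustrative assumptions, not complete lists.

```python
"""Added triage example (not the article's script). Flags processes whose image
path matches the patterns this page describes, reading the CSV produced by
`wmic process get Name,ExecutablePath,ProcessId /format:csv`. SAMPLE is constructed."""
import csv
import ntpath
SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "system32").lower()
FONTS = ntpath.join(SYSTEM_ROOT, "Fonts").lower()
# Core binaries that should only ever run from System32 (illustrative list).
SYSTEM32_ONLY = {"services.exe", "smss.exe", "csrss.exe", "lsass.exe",
                 "winlogon.exe", "svchost.exe", "conime.exe"}
# Executables that legitimately live directly in %SystemRoot% (illustrative).
ROOT_ALLOWED = {"explorer.exe", "notepad.exe", "regedit.exe"}

def classify(name, path):
    """Return the reasons a process looks suspicious (empty list if none)."""
    if not path:
        return []  # kernel/protected processes report no image path
    lname, ldir = name.lower(), ntpath.dirname(path).lower()
    reasons = []
    if lname in SYSTEM32_ONLY and ldir != SYSTEM32:
        reasons.append("system binary name running outside System32")
    if ldir == FONTS or ldir.startswith(FONTS + "\\"):
        reasons.append("executable under the Fonts folder")
    if ldir == SYSTEM_ROOT.lower() and lname not in ROOT_ALLOWED:
        reasons.append("unexpected executable directly in the Windows folder")
    return reasons

def triage(csv_text):
    """Parse wmic-style CSV; return [(pid, name, path, reasons)] for hits only."""
    hits = []
    for row in csv.DictReader(csv_text.strip().splitlines()):
        reasons = classify(row["Name"], row["ExecutablePath"])
        if reasons:
            hits.append((row["ProcessId"], row["Name"],
                         row["ExecutablePath"], "; ".join(reasons)))
    return hits

SAMPLE = """
Node,ExecutablePath,Name,ProcessId
SRV03,C:\\WINDOWS\\system32\\services.exe,services.exe,420
SRV03,C:\\WINDOWS\\explorer.exe,explorer.exe,1304
SRV03,C:\\WINDOWS\\SystemTask.exe,SystemTask.exe,2216
SRV03,C:\\WINDOWS\\Fonts\\gaibscmd\\Services.exe,Services.exe,2480
SRV03,C:\\WINDOWS\\Fonts\\aambtcqdmd\\Conime.exe,Conime.exe,2512
SRV03,,System,4
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Columns are read by header name, so the order wmic emits them in does not matter; on a live system, redirect the wmic output to a file and pass its contents to triage().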

IsilZha writes:

For various reasons, it's going to be a while before we can move them off this server. It very much looks like a wild, unpatched exploit. The files are created by the service account. Logged the file creation back to a specific svchost process, so the vulnerability is coming from one of these services: https://i.imgur.com/OLdlPLC.png

There are only 2 ports open to this server, and we're making arrangements to have none open to it. Until then, got a full packet capture running to see what is being targeted.