PG saved my butt from a worm! (I think)

Discussion in 'ProcessGuard' started by Freegoo, Nov 20, 2005.

Thread Status:
Not open for further replies.
  1. Freegoo

    Freegoo Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    16
    I was using my computer yesterday, not even actively browsing the Internet, when PG popped up a dialog asking for permission to start "scrsave.scr". Not knowing what it was, I said deny and promptly got about 5 more dialogs. I then checked the "remember this" checkbox and went about doing my thing. Today I get on and notice my computer is running extremely sluggishly, and I check PG and every 3 seconds the file is trying to run. I google it and come up with this. Also, Task Manager shows "System" using a huge amount of system resources. I logged into my admin account and killed it, and although it auto-restarted, it didn't go back to hogging CPU resources.

    I dug around a bit, but the system wasn't really acting "well", so I just did a restore from a backup (only 1 day old - thank you, Acronis!) and all looks well so far. Online virus scanners are coming up clean on my computer and the one downstairs. Just got to check one more. Not sure if Nod32 was going to catch it or not; I can't find the file anywhere on my computer, before or after the restore. Kind of weird.

    But if not for PG, I may not have been aware of anything fishy at all. :eek:
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yup, sounds like a self-spreader got in... no NAT router to protect you?

    Check you have patches installed; you should check all your shares and user accounts as well.
     
  3. Freegoo

    Freegoo Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    16
    Yeah, we have a Belkin router, but I think there are some ports opened right now for BitTorrent. 3 computers total on the LAN; so far I haven't found any infections on the other 2. Done online Trend Micro virus scans on all of them and BitDefender's online scan on mine.

    Microsoft Windows Update doesn't show any updates except for a couple of optional software updates that I don't need. I think this is a result of having those ports open on the router, and they're closed now.

    I think I dodged a bullet. Kudos to Process Guard.

    Is this something Port Explorer might have picked up on as well?
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Freegoo it's always great to hear reports like this, thanks for taking the time to write in. :)

    You certainly would be able to see the process in Port Explorer if it uses network access, yes, and if that's the case you can then also use Port Explorer's Socket Spy to see what it's transmitting/receiving.

    Additionally, more often than not, if it's a worm or trojan you'll see the sockets highlighted in RED in Port Explorer, indicating that the process owning the socket(s) is hidden - that is, it has no visible on-screen components, as is the case with virtually all worms/trojans, etc.

    Best regards,
    Wayne
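Added example, not from the original thread and not DiamondCS's own code: a small Python triage script that applies the heuristic Wayne describes (a process that owns network sockets but has no visible window) to the text output of the Windows built-ins `netstat -ano` and `tasklist /v /fo csv`. The sample output, the PIDs, the addresses and the `KNOWN_SERVICES` allowlist are all constructed for this example; only the file name scrsave.scr comes from the thread.

```python
"""
Triage heuristic: flag processes that own network sockets but report no
window title, i.e. have no on-screen components. Parses the text format of
`netstat -ano` and `tasklist /v /fo csv`; all sample data is constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  TCP    192.168.1.10:1054      203.0.113.7:6881       ESTABLISHED     2212
  TCP    192.168.1.10:1077      198.51.100.23:445      SYN_SENT        3140
  TCP    192.168.1.10:1078      198.51.100.24:445      SYN_SENT        3140
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist /v /fo csv` output. A process with no
# on-screen window reports "N/A" in the Window Title column.
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Console","0","236 K","Running","NT AUTHORITY\\SYSTEM","0:00:05","N/A"
"svchost.exe","896","Console","0","4,812 K","Running","NT AUTHORITY\\SYSTEM","0:00:01","N/A"
"utorrent.exe","2212","Console","0","21,004 K","Running","HOME\\freegoo","0:01:12","uTorrent 1.4"
"scrsave.scr","3140","Console","0","1,944 K","Running","HOME\\freegoo","0:00:00","N/A"
'''

# Hypothetical allowlist: windowless system processes that legitimately own
# sockets. A real host needs a much longer, locally maintained list.
KNOWN_SERVICES = frozenset({"System", "svchost.exe"})


def parse_netstat(text):
    """Return {pid: [(proto, local, remote, state), ...]} from netstat -ano text."""
    sockets = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or "Active Connections" line
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP rows have no State column, so the PID is the last field either way.
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        sockets[int(parts[-1])].append((proto, local, remote, state))
    return dict(sockets)


def parse_tasklist(text):
    """Return {pid: (image_name, window_title)} from tasklist /v /fo csv text."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        procs[int(row["PID"])] = (row["Image Name"], row["Window Title"])
    return procs


def suspicious_sockets(netstat_text, tasklist_text, known_services=frozenset()):
    """
    Flag PIDs that own at least one socket but have no window title, skipping
    images on the caller's allowlist. Returns sorted (pid, image, socket_count).
    """
    sockets = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    hits = []
    for pid, socks in sockets.items():
        image, title = procs.get(pid, ("<unknown>", "N/A"))
        if title != "N/A" or image in known_services:
            continue
        hits.append((pid, image, len(socks)))
    return sorted(hits)


if __name__ == "__main__":
    for pid, image, count in suspicious_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE,
                                                KNOWN_SERVICES):
        print(f"PID {pid} ({image}): {count} socket(s), no visible window")
```

On a real host, feed the script the saved output of the two commands instead of the samples. Because nearly every Windows service is windowless, the allowlist does most of the work and the hits are starting points for a closer look (in Process Guard's prompts or Port Explorer's Socket Spy), not verdicts.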
     