WG?

Discussion in 'WormGuard' started by Rilla927, Dec 3, 2005.

Thread Status:
Not open for further replies.
  1. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi everyone,

    I was trying a few registry cleaners and I noticed, when I installed RegSupreme Pro, that I looked at the shell extensions and saw some VBE extensions as well as VBS. Don't know what VBS is.

    Right before that I found a log made from Notepad in Windows and when I opened it, there was a bunch of scheduled tasks from Dec 1st which I never made.

    I also wanted to mention that for the last two weeks I have been having problems (one of them) with all my CPU being used. Network Services in Task Manager is eating 50% or more and this has never happened before. I was blaming it all on Spyware Doctor because it's at 50% or more usage, so between the two the system wouldn't do anything until the CPUs were released.

    If this is not a worm, I don't know what would cause all the CPU usage like that.

    I will give a screen shot, if someone can tell me if this is definitely a worm and what to do, I sure would appreciate it.

    Thank you,

    Rilla927
     

    Attached Files:

    Last edited by a moderator: Dec 4, 2005
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    Since you posted in the WormGuard forum, are you using WormGuard too? If not, could you disable all protection during install and enable WormGuard, reboot, and see if it shows anything?
    Also, either there are conflicting programs on your system, for instance scanning each other, or there could be an infection.
    So a startup file could also be useful, like AutoStartViewer from the www.diamondcs.com.au products page (free), or a HijackThis logfile. See if you see anything unusual in them.

    VBS is Visual Basic script.

    If the new behavior started after installing another program I would look into that and see if uninstalling or temporarily disabling that program stops that behavior, but if you had it all this way longer and no settings were changed - for instance rules in your firewall or such - then I would think of an infection.
     
  3. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I'm sorry, yes I have WG on. This is a fresh install once again of XP; I always delete the old partition and re-create it as a rule. Without connecting to the internet at all, I installed WG, BOClean, Kaspersky Personal Suite, then I went to Microsoft to get updates.

    This Network Services (Task Manager) that runs very high at times doesn't do it all the time, but it pulls a lot of resources when it does. That's why I reformatted, then I started thinking... everything I put on is from a disk, so I gathered all the disks and scanned them, and they came out okay. These are all my usual programs I install all the time when I do a reformat.

    Jooske can you tell me if those entries from screenshot should be in registry?

    I will try the AutoStart Viewer and I did have a hijack this log looked at because of this same problem before I reformatted and they found nothing.

    Maybe because of a compromise at an earlier stage I need to change my password to my FW on my router...... but then the fellows at Kaspersky helped me step by step with the FW for rules. They blocked ports 137-139 (inbound and outbound) and then I used the DCOMBOBULATOR from grc.com to disable port 135.

    Maybe I should mention what I found in the Spyware Doctor log: it found 12 infections related to the hosts file, so I posted the log at Bluetack because I use Host Manager and they said they were legitimate, to leave alone. A lot were related to ads, but then some were related to Trojan Wayphisher. I will attach it for you to take a look. And truthfully all this crap started when this stuff was found in Spyware Doctor. Doing a total fresh install and installing everything from disk (if this is the culprit), how would this be getting back on my computer....... maybe I need to change all passwords.

    Jooske I will let you know what happens with the AutoStart Viewer.

    Thanks as always;)
     

    Attached Files:

    Last edited by a moderator: Dec 4, 2005
  4. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Hi Jooske,

    here is the shot from Autostart Viewer.
     

    Attached Files:

    • log1.png
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I see you have the real Spyware Doctor fortunately
    (http://www.spywarewarrior.com/rogue_anti-spyware.htm the trusted ones among yours way down that long list)

    Can't you just delete those finds?
    And are you able to lock your HOSTS file with one of your programs so it won't be edited again?

    For the AutoStartViewer:
    Left top you see Main and right-clicking there you can select all three options; in the same area you will be able to save the output as a text file, which is easier for you to post.
    Now is Gavin the ASViewer specialist so hope he will pass by and shine his light over this.

    Normally I would say disable everything except Windows itself and look at the resources, enable one by one and see when the high resources start. It could be a conflict or a setting, something scanning too much which can be reduced, something like that.
    For example it could be (I don't say it is this, just an example) that your BOClean does not like Kaspersky, or a combination with Port Explorer or ProcessGuard (I don't see you having that installed btw) and then it is a balancing of settings to find out what it is.

    Infections you know you can get anywhere.
     
    Last edited: Dec 3, 2005
  6. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I put the entries on the ignore list, I will go back in and try to delete from there. If it won't let me I will have to do another scan, it takes 3 hours (I've only let it run a few times upon installation, so maybe that's the problem) because the host file is protected and scan for the first time when you install.
    okay, good to know.
    okay
    When this originally started a few weeks back KAV wasn't installed, I had NOD32 on. I just installed KAV in the past week when I did the reformat to try it.

    Here's what's really strange, I have three computers and two of the three have these symptoms, the other is fine and they have same programs.

    I'm not a high risk user: don't go to warez sites, d/l music, d/l videos. All of our music is bought on CD. This one will really rock the boat; the third computer I mentioned that has no problems is used by my hubby for porn, figure that one out.

    I go to sites that I know are legitimate; if I do a search in Google and I don't recognize some of the sites that are offered, I won't click on them. I will find what I need through one of the legitimate forums then.

    Jooske, just a thought..... every time I would do a reformat I never let Spyware Doctor run because it took so long (because of the hosts file) and I had other software to install, and I remember I would always find it running and then I would cancel it. Now that I have actually let it scan all the way through I will keep an eye on resources.

    I don't know but something is pulling 50% or more in spikes of resources: svchost.exe Network Service 16,000-21,000K in mem usage, then there is another instance of this running at 6,000K.
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Just to make sure:
    you have one software for resident protection all time or are there more? I mean Boclean is a resident protector, and do you have KAV or any other to protect the same things at the same time?

    You have Port Explorer installed:
    You can see which application is on that svchost.exe; right-click on it in Port Explorer and you can look with the socket spy at what is actually sent, whether there are unwanted connections, that kind of thing. If there is not much traffic or only local on your system you really have to look at settings.
    Port Explorer is marvelous to see such things.

    Why do you think WormGuard is involved?


    EDIT:
    You say the HOSTS file takes 3 hours scanning? So it is large.
    Could you have a look if your DNS client service is set to automatic? With such large hosts files it should be disabled.
    http://www.mvps.org/winhelp2002/hosts.htm

    Does this help?
     
    Last edited: Dec 3, 2005
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Rilla927,

    Do all three systems have all have the same programs or same security programs? Although the discussion is focusing on security related applications, they may not be the direct cause.

    I'm not an autostart expert, but what is shown (is that the entire listing?) looks fine.

    The hosts file entries flagged by Spyware Doctor actually look fine.

    If you bring up the Windows Task Manager, select View on the main menu bar, select Select Columns, and check CPU Time - if one process is sucking the life out of your machine, it should be obvious from this entry. Click the CPU Time column heading in Task Manager twice to sort the processes in descending order of net CPU time charged. The System Idle Process should dominate, BOClean will look to be fairly high (mine runs at about 30 seconds per hour of Idle Time.) Provide a screen shot if possible (if you do this - either uncheck User Name or obscure the named users on the system for purposes of privacy).

    Blue
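    The distinction behind Blue's read of the Spyware Doctor hits above (and behind Jooske's earlier note about the DNS Client service and a large hosts file) is between entries that point a name at 127.0.0.1 or 0.0.0.0, which only block that name and are what an ad-blocking list like Bluetack's produces, and entries that point a name at a real address, which redirect it. The following is an added example, not code from the thread or from any tool named in it, that applies that distinction to a constructed hosts file; the heuristic itself, the sample names (reserved .test domains) and the 203.0.113.x addresses (documentation range) are all assumptions made for the example.

```python
r"""Triage a Windows HOSTS file: loopback / 0.0.0.0 targets only block a name
(ad-list style), while a real address redirects it (the hijack pattern).
Added example, not the thread's code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the layout of %SystemRoot%\system32\drivers\etc\hosts;
# names use the reserved .test TLD and addresses the 203.0.113.0/24 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- ad-blocking style entries (benign) ---
127.0.0.1  ads.example-adserver.test
0.0.0.0    tracker.example.test          # trailing comment
# --- redirect style entries (the hijack pattern) ---
203.0.113.5  www.example-bank.test
203.0.113.5  update.example-antivirus.test
# --- a malformed line ---
not-an-address  broken.test
"""

VERDICTS = ("local", "blocking", "redirect", "invalid")


@dataclass
class HostsEntry:
    line_no: int
    target: str
    names: List[str]
    verdict: str


def classify(target: str, names: List[str]) -> str:
    """Heuristic used by this example: loopback/unspecified targets block,
    anything else redirects; the localhost mapping itself is left alone."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        return "invalid"
    if "localhost" in names:
        return "local"
    if ip.is_loopback or ip.is_unspecified:
        return "blocking"
    return "redirect"


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts syntax: '#' starts a comment, whitespace separates the
    address from one or more names."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target, *names = line.split()
        verdict = "invalid" if not names else classify(target, names)
        entries.append(HostsEntry(line_no, target, names, verdict))
    return entries


def suspicious_entries(text: str) -> List[HostsEntry]:
    """The entries worth a second look: redirects and malformed lines."""
    return [e for e in parse_hosts(text) if e.verdict in ("redirect", "invalid")]


def summarize(text: str) -> Dict[str, int]:
    """Counts per verdict plus the total; the total is also a quick measure of
    how large the file is, which is what matters for the DNS Client service."""
    entries = parse_hosts(text)
    counts = {v: sum(1 for e in entries if e.verdict == v) for v in VERDICTS}
    counts["total"] = len(entries)
    return counts


if __name__ == "__main__":
    print(summarize(SAMPLE_HOSTS))
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {entry.line_no}: {entry.target} -> {', '.join(entry.names)} [{entry.verdict}]")
```

    Run against a real file, only the redirect and invalid entries need a human look; the thousands of blocking entries a hosts-based ad list adds are exactly what a scanner like Spyware Doctor flags and what Bluetack told the poster to leave alone.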
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    KAV trial version, BOClean, Spyware Doc, Microsoft AntiSpyware, Attack Shield WS; all the rest of the programs are utilities. When all this originally started I had NOD32 installed in place of KAV.

    I even uninstalled Spyware Doc, MA, Attack Shield WS, and BOClean (this is with Nod32 and Kav) individually and it made no difference.
    I did what you said and these are what stuck out: \??\c:csrss.exe and \??\c:winlogon.
    Since I have the WG program I remembered some of the extensions that it blocked. I knew .VBE was one of them, so it kind of threw me when I was installing a few different registry programs and came across these .VBE files that Reg Supreme Pro found on my computer, and I thought well, maybe it's related to what's been happening to the puters lately.

    Possibly, if this is a worm I wondered why WG didn't catch it.

    In the beginning when this started (with one laptop & desktop) three weeks ago I had NOD32 and Windows Firewall with a few hardening tools, Spyware Doc, MA, WG, BOClean, Attack Shield WS; the rest of the programs are utilities.

    A week ago I reformatted again and put the Kav Personal Suite, Spyware Doc, MA, BOClean, Attack Shield WS, rest are utilities and I still have the same problem.
    Mine was set to automatic, so I disabled it like you said.

    Remember I told you there were always two instances of svchost.exe - Network Service in Task Manager and one of the two always ate the resources. Well, finally I got so frustrated waiting for pages to open in Firefox that I killed the process through Task Manager and it hasn't broken anything; it's been four hours and it hasn't re-appeared and I have my resources back. I hope I don't speak too soon. I guess it wasn't needed, eh!

    Like you said we will know more when Gavin stops by.

    Thanks for your help Jooske;)
     
    Last edited by a moderator: Dec 4, 2005
  10. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Yes with Nod and Kav exchanged but all the rest of programs were the same.
    Hey, thanks Blue didn't know that. I did kill the process that was eating all the resources through task manager, and so far so good. Like I told Jooske, I guess it wasn't needed. Still will give a screen shot.

    Thanks for the help Blue;)
     

    Attached Files:

    Last edited by a moderator: Dec 4, 2005
  11. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Rilla927,

    Did they really show up exactly like this? With the executables in the root directory? These are valid application names, but not if they are in the root directory.

    See the following links: Buchon email worm

    Now, do you see a file named c:\csrss.bin? Your AV should be seeing this; that's a little bothersome.

    From a previous screen shot, it appears you run TuneUp Utilities 2006. You can use this to remove these entries from the HKLM\..\Run registry key. Just launch Tune-Up Utilities, select TuneUp Startup Manager from the Customize and Analyze section. Before you do anything, select View>Select Columns and check Target. This is just to confirm that the entries are in the root folder. If so, delete the two entries c:\csrss.exe and c:\winlogon.exe, close TuneUp, and then restart.

    Blue
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    They didn't show up in the AutoStartViewer? o_O
    OK, that was incomplete maybe.

    Nice find Blue!
     
  13. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Jooske I found those entries through PE. I did what you told me to do. I'm sorry I posted in Blue's post. That's what happens when you don't get any sleep.

    I knew something wasn't right when I saw it. Here, I take screen shots of everything just in case, you can see for yourself. Thank God I put PE on and know how to use it now, he, he!
     

    Attached Files:

  14. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Jooske it never showed up in Autostart Viewer.
     
  15. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Rilla927,

    Those entries are as they should be. Versions in the root directory (c:\) indicate a problem; c:\windows\system32 is the location of the valid versions of these files.

    All other entries in the screen shot are fine as well.

    Blue
     
  16. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    yes.
    Blue I did look at the link but I never found the key it registers itself under in the registry or the bin file.
    Well Blue, I'll let you in on something. When I did the fresh reformat a week ago I had not connected whatsoever to the internet before I installed and configured KAV, installed BOClean, WG. I tried installing Attack Shield this time but something wouldn't let it install (it protects 9 different parts of the Windows system) so I thought it was a conflict with KAV and let it go.

    It sounds like Attack Shield couldn't install because the worm was on there. Previously when this happened Attack Shield was already installed, so I guess that didn't help me.

    Kav gave me a warning about an .exe change in OE (my mail). I thought it was because I did all the windows updates. It did ask me if I wanted to block this file and check it first for virus and the other choice was if you did an update that could be the change in OE. So I didn't block it.

    I have been going to the web to get my mail through SBC because I hadn't installed Thunderbird or Mailwasher Pro or Benign yet; I had done this on both computers. And yes I did accidentally click on an email and opened it when I intended to open something else, so maybe that's how it via both computers. But it still puzzles me with a fresh reformat how it could be there, even though I kill the old partition and create a new one.

    I also got the same warning from Kav when I installed Ashampoo Burning Suite which I did do an update once connected so I didn't think twice about it. When you do updates it probably shouldn't change the .exe ha, my fault, not Kav's.
    I would like to really be able to pinpoint where it came from.

    I just bought the Tune Up Utilities two days ago, really haven't got into it yet except for the welcome, boot screens.
     
  17. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Are you saying the screenshot in post #13 with arrows are valid or invalid?

    Edit: I did do what you said in TuneUp Utilities and there is no sign of what we're looking for.
     
    Last edited: Dec 4, 2005
  18. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Rilla927,

    The specific key is [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]. What you're looking for is a value under this key which is a fully qualified filename; in this case it will appear as "c:\csrss.exe". Not sure if the value name will be the same as listed in the link. Use TuneUp to deal with it and the other value in question. Remember, you're deleting a value, not a key; manual mucking with the registry can create problems for the unwary, so go as conservative as possible.

    It won't survive a format, but there are other infection routes. For example, if you use OE, it could be something as trivial as having the preview pane enabled and the questionable e-mail still available.

    Well, a program update may change the exe's involved. Hard to tell on that basis.

    It's a nice app, easy to use, haven't seen problems with it.

    Blue
     
  19. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Yes, the ones with arrows are valid. Do not delete these.

    Blue

    PS - at least as far as location is concerned.....
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You could scan the files on online scanners like at Kaspersky's or Jotti's sites.
    And looking in their properties you might be able to see if there is a recent modification date.
    Do a search on your system to see if there are more files with those names in other locations.

    And of course everybody will ask for your email if it's still somewhere.
    If it is still in OE you should copy it to another place (outside OE) and, if it has an attachment, save that separately from the email so everything can be scanned correctly (I would zip it though), and also have that checked online and with your other programs.
    If it was a script, some malicious code or double extension and WormGuard was installed it would block it, even in the email.
     
  21. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    The "\??\C:" is just a symbolic link to that place, so not really a problem. You know, every once in a while I will reformat and a service or two will not be installed right, or something, and I will see an instance of a system file, usually svchost.exe running as Network Service, that will continually use high CPU. Sometimes this just happens. I've been able to fix it a couple times, but more often than not I have to just reformat. Honestly, this kind of sounds to me like what's happening here. I've also had this happen later on, after getting everything set up.

    Get Process Explorer from www.sysinternals.com, run it, double click on the instance of svchost.exe that is causing all the CPU usage, and look at the "Services" tab. When this happens to me, it's usually hosting Plug and Play, and one other (which I can't remember). At any rate, get that and take a look.. if nothing else, we may be able to see which service is causing it and go from there. It may also be that NOD32 didn't uninstall completely.

    The VBS registry entries are just showing that you've used something like Secure-It that changes it so that when you run a script file it will open notepad, instead of running. This means that if you got some malware that tried to use a script, instead of taking malicious action you would just see notepad open up with the script contents.


    From the book "Windows Internals":
    In other words, it's using \??\C:\Windows\System32 so that it can call C:\Windows\System32 and always get the right thing, even if you're on a business network with a setup that is not typical.
     
    Last edited: Dec 4, 2005
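    Blue's rule in posts #11, #15 and #18 (csrss.exe and winlogon.exe belong in c:\windows\system32; the same names in the drive root are a problem, and the place to look is the Run key) and Notok's point that a leading "\??\" is only the object-manager prefix can be written down as one check. The following is an added example, not code from the thread, from DiamondCS or from TuneUp: it assumes SystemRoot is C:\Windows, extends Blue's two names with a few other system-process names whose real copies live in system32, and runs over a constructed list of Run values rather than the poster's registry.

```python
r"""Triage autostart (Run key) values: a Windows system-process name is only
legitimate under %SystemRoot%\system32; a copy in the drive root (c:\csrss.exe)
is the pattern discussed in the thread. Added example, not the thread's code."""
import ntpath
import re
from typing import List, Tuple

# Assumption: SystemRoot is C:\Windows (it may be C:\WINNT on older installs).
SYSTEM_ROOT = r"C:\Windows"

# csrss.exe and winlogon.exe are the names from the thread; the others are
# added here as further system processes whose real copies live in system32.
SYSTEM32_ONLY = {"csrss.exe", "winlogon.exe", "lsass.exe",
                 "services.exe", "smss.exe", "svchost.exe"}

# Object-manager prefixes seen in raw registry paths: \??\C:\... and
# \DosDevices\C:\... both resolve to the plain drive-letter path.
NT_PREFIX = re.compile(r"^\\(\?\?|DosDevices)\\", re.IGNORECASE)


def normalize_path(path: str) -> str:
    r"""Strip quotes and the \??\ prefix, then canonicalise for comparison."""
    path = NT_PREFIX.sub("", path.strip().strip('"'))
    return ntpath.normpath(path).lower()


def split_command(value: str) -> str:
    """Return just the executable from a Run value, dropping arguments.
    Handles quoted paths and bare paths whose first token ends in .exe."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    match = re.match(r"(.*?\.exe)(?:\s|$)", value, re.IGNORECASE)
    return match.group(1) if match else value.split()[0]


def assess(command: str) -> Tuple[str, str]:
    """Return ("ok" | "suspicious", reason) for one autostart command line."""
    exe = normalize_path(split_command(command))
    name = ntpath.basename(exe)
    directory = ntpath.dirname(exe)
    expected = ntpath.join(SYSTEM_ROOT.lower(), "system32")
    if name in SYSTEM32_ONLY and directory != expected:
        return "suspicious", f"{name} expected in {expected}, found in {directory or '(no path)'}"
    if re.fullmatch(r"[a-z]:\\?", directory):
        return "suspicious", f"executable launched from the drive root: {exe}"
    return "ok", exe


# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# values; not taken from the poster's machine.
SAMPLE_RUN: List[Tuple[str, str]] = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("csrss (valid)", r"\??\C:\WINDOWS\system32\csrss.exe"),
    ("Windows Logon", r"\??\c:\winlogon.exe"),
    ("csrss", r"c:\csrss.exe -d"),
    ("Updater", r'"C:\Program Files\Example\updater.exe" /silent'),
]


def triage(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Evaluate every (value name, command) pair."""
    return [(name, *assess(command)) for name, command in entries]


if __name__ == "__main__":
    for name, verdict, reason in triage(SAMPLE_RUN):
        print(f"{verdict:10} {name:15} {reason}")
```

    The second sample entry is the case Notok describes: the prefix is stripped before the location is compared, so "\??\C:\WINDOWS\system32\csrss.exe" passes while "\??\c:\winlogon.exe" is flagged for its location, which is the only thing this check judges, as Blue's PS in post #19 says.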
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The ASViewer log is clean. It seems to me that the system is fine :)
     
  23. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    There's really nothing to scan cuz I was going straight to the SBC server to check my mail, and I have run KAV numerous times and it comes up with nothing.

    Jooske I thought the screen shot I posted in #13 with the arrows is what you were looking for (for a worm). So I guess everything is okay. I have never encountered that before.

    With all the symptoms it pointed to something nasty. Jooske, maybe I'm just too paranoid, but it happened to two computers out of the three, with identical symptoms to boot.

    That Spyware Doctor I bought is getting tossed, that is the most intrusive program I have ever seen.

    Thanks for all your help Jooske,
    Happy Holidays!

    Rilla927
     
  24. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Very interesting, I had no idea.

    Okay I will d/l it so I can get the feel of it, but since I killed the svchost that was using all the resources everything has been okay so far.

    I was testing the Kav Personal Suite for my desktop, but I'm doing the testing on laptop until I can get mine back from the depot once again. Once I seen the problem with the DEP and LnS I didn't want to put it on there, cuz I don't want to turn DEP off to put one specific program on my computer. According to one thread it was said there may never be a fix for this.
    I'm glad you brought that up. The times I did use Secure It & Harden It everything worked fine except one thing: Real Arcade. I was so mad cuz I couldn't get all my games. For some reason they don't work together.
     
  25. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Thanks for taking a look Gavin!
     