Another virus la la la
druga runda
02-13-04, 07:07 PM
Ummm it seems that something infected me... probably using some :hmmm: Windows 2K vulnerability...
bleh,,,
what do I know?
Well so far, one instance of svchost.exe bloated to 150 MB (in task manager)... looks like that Welchia MyDoom anti-virus trojan...
Ummm I have Sygate firewall, and AVG antivirus (that was updated just now and found no virus on the system)...
and umm that's it so far...
khhhh... anyone here know other reasons for a bloated svchost.exe?
Thanks...
druga runda
02-14-04, 07:06 PM
Originally posted by druga runda
Ummm it seems that something infected me... probably using some :hmmm: Windows 2K vulnerability...
bleh,,,
what do I know?
Well so far, one instance of svchost.exe bloated to 150 MB (in task manager)... looks like that Welchia MyDoom anti-virus trojan...
Ummm I have Sygate firewall, and AVG antivirus (that was updated just now and found no virus on the system)...
and umm that's it so far...
khhhh... anyone here know other reasons for a bloated svchost.exe?
Thanks...
edit: and now after a day or so... AVG says it's not there, Symantec's new "Nachi" removal tool doesn't recognise a thing... I am wondering whether it might not be the virus that bloats my svchost.exe...
well if it's not a virus, what could it be?
LiquidX
02-14-04, 07:48 PM
Maybe there is another task running that's causing it? This may help if it's not a virus: run "MSCONFIG" from the Run command and select Diagnostic start-up; while there, go over to the Start-up panel and un-check what you know is not needed (which is most likely everything but a few).
druga runda
02-14-04, 10:02 PM
Originally posted by LiquidX
Maybe there is another task running that's causing it? This may help if it's not a virus: run "MSCONFIG" from the Run command and select Diagnostic start-up; while there, go over to the Start-up panel and un-check what you know is not needed (which is most likely everything but a few).
not really, as svchost.exe bloats in the task manager to 150 MB after 12 hours or so running. It's only one of them, as there are 3 running; the other two are normal. The "summer" Welchia virus used to bloat svchost.exe... so I sort of hoped that was it, as there is a new version of it making rounds connected to that MyDoom virus. However the Symantec removal tool (for the new variant) says none present on my PC - both when running normally and in safe mode... AVG anti-virus cannot recognise anything either... and the other Windows installations that I have on the same computer are thankfully not affected.
As far as I can tell, it only bloats, and it seems to have screwed up my bandwidth monitor... other than that... it's OK, but it's only 2 days I've had it, so I am not so sure it will be only bloating + it's annoying...
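The post above says one of three svchost.exe instances grows to 150 MB while the other two stay normal. The first thing a practitioner wants to know is which services that one instance is hosting and whether its image is the real one. This is an added example, not code from the thread: modern PowerShell using WMI (Get-CimInstance) to map every svchost.exe to the services it hosts and flag an instance that is over the post's 150 MB figure or not running from System32. It is a present-day version of the check, not something the Windows 2000 box in the thread could run.

```powershell
# Added example (not from the thread): map each svchost.exe instance to the
# services it hosts, report its working set, and flag the suspicious ones.
# Assumes Windows with PowerShell 3+ (Get-CimInstance); run elevated so the
# Path of every process is readable.

$thresholdMB = 150                                   # figure from the post
$system32    = Join-Path $env:SystemRoot 'System32'  # where a real svchost.exe lives

# One WMI query for all running services, keyed by the PID that hosts them.
# Keys are cast to [int] because CIM returns UInt32 and Get-Process returns Int32,
# and a hashtable will not match the two boxed types against each other.
$byPid = @{}
foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 })) {
    $k = [int]$svc.ProcessId
    if (-not $byPid.ContainsKey($k)) { $byPid[$k] = @() }
    $byPid[$k] += $svc.Name
}

function Get-SvchostReport {
    Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Sort-Object WorkingSet64 -Descending |
        ForEach-Object {
            $procId = [int]$_.Id          # $pid is an automatic variable; do not reuse it
            $mb     = [math]::Round($_.WorkingSet64 / 1MB, 1)
            $path   = $_.Path             # empty when not elevated

            # A genuine svchost.exe is in System32; any other location is the first red flag.
            $wrongPath = [bool]($path -and ($path -notlike "$system32\*"))
            $hosted    = if ($byPid.ContainsKey($procId)) { $byPid[$procId] -join ', ' }
                         else { '(no services mapped)' }
            $flag = ''
            if ($wrongPath)               { $flag = 'PATH' }
            elseif ($mb -ge $thresholdMB) { $flag = 'SIZE' }

            [PSCustomObject]@{
                PID       = $procId
                WorkingMB = $mb
                Flag      = $flag
                Path      = $path
                Services  = $hosted
            }
        }
}

Get-SvchostReport | Format-Table -AutoSize
```

An instance flagged SIZE with a normal path is most likely a leaking service in that group; an instance flagged PATH, or one with no services mapped to it at all, is worth a `Get-AuthenticodeSignature` on its image before anything else.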
druga runda
02-14-04, 11:49 PM
or is it some spyware...
I have dug in a bit deeper, and I have the same symptoms as the person in this thread http://groups.google.co.uk/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&safe=off&threadm=275201c3d48b%24fa95f4a0%243101280a%40phx.gbl&rnum=2&prev=/groups%3Fq%3D1053%2Btelephony%2Berror%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26safe%3Doff%26selm%3D275201c3d48b%2524fa95f4a0%25243101280a%2540phx.gbl%26rnum%3D2
hmmmm...
+ some stuff was set up on my PC to share all my drives upon reboot.
ie... I set them back to "do not share", but after reboot they are all promptly shared again...
agh... after this I am not running without a firewall for a day, let alone 10 like I was...
.....
after digging some more
someone seems to have reset my registry values???
according to this
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216358
aiiii....
and voila, hopefully I will be able to turn off sharing my folders by default...
btw, could someone get pissed, or do those guys do this on a "per thousand" automated basis, so no one will really notice that whatever they were using my PC for is not available (hopefully) :kill:
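The KB article linked above (216358) covers the two registry values that control whether Windows re-creates its administrative shares (C$, D$, ADMIN$) every time the Server service starts. Whether the shares that keep coming back are those, or something added on top of them, is the question the post is really asking. The following is an added example, not code from the thread or from the KB: modern PowerShell that reads the two values, can set them to 0, and lists the current shares in a way that separates hidden admin shares from a plain share of a whole drive root.

```powershell
# Added example (not from the thread): inspect and disable the automatic
# administrative shares described in KB 216358, and report what is shared now.
# Assumes PowerShell 3+ with WMI; run elevated. Key and value names are the
# ones the KB documents.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AutoShareState {
    # A missing value means the default, which is "create the admin shares".
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $srv = if ($null -ne $p.AutoShareServer) { $p.AutoShareServer } else { '(absent = enabled)' }
    $wks = if ($null -ne $p.AutoShareWks)    { $p.AutoShareWks }    else { '(absent = enabled)' }
    [PSCustomObject]@{ AutoShareServer = $srv; AutoShareWks = $wks }
}

function Disable-AutoShares {
    # DWORD 0 on both values stops the Server service re-creating C$, D$ and
    # ADMIN$ when it starts. IPC$ is still created; it is needed for named-pipe
    # administration and is not controlled by these values.
    New-ItemProperty -Path $key -Name AutoShareServer -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $key -Name AutoShareWks    -PropertyType DWord -Value 0 -Force | Out-Null
    Restart-Service -Name LanmanServer -Force
}

function Get-ShareReport {
    # Type with bit 0x80000000 set is a hidden administrative share. A share
    # without that bit whose path is a drive root is the "all drives shared"
    # symptom from the post, and is not something Windows creates on its own.
    Get-CimInstance Win32_Share | ForEach-Object {
        $isAdmin = (($_.Type -band 0x80000000) -ne 0)
        $isRoot  = [bool]($_.Path -match '^[A-Za-z]:\\?$')
        $note    = ''
        if ($isRoot -and -not $isAdmin) { $note = 'whole drive shared, not an admin share' }
        [PSCustomObject]@{
            Name      = $_.Name
            Path      = $_.Path
            AdminType = $isAdmin
            DriveRoot = $isRoot
            Note      = $note
        }
    }
}

Get-AutoShareState
Get-ShareReport | Format-Table -AutoSize
```

If, after `Disable-AutoShares` and a reboot, `Get-AutoShareState` shows the values back at their enabled state or gone, something that runs at startup is rewriting them, and the registry value itself is no longer the problem to chase.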
p0lish_p0w3r
02-15-04, 04:27 AM
Best scanner I have ever used:
http://skaner.mks.com.pl/skaner.html
It is in Polish so if you need any help let me know.
Best anti-spyware soft:
http://www.safer-networking.org/index.php?page=mirrors
They are all free.
threedaysdwn
02-15-04, 06:17 PM
Well... do you keep Windows up-to-date? I'm strongly opposed to the installation of "virus scanners" like Norton AV, etc. They seem to bog down the system more than the viruses they're supposed to protect you against.
And when a virus like MyDoom hits, the first thing it does is disable your AV software.
The best protection for your computer is this:
1) Use the Windows Firewall. In XP SP2, the Windows Firewall will be on automatically and will be much easier to use. But the regular Firewall in XP or XP SP1 is quite nice, and won't hog resources. And it filters IPv6 traffic, which some firewalls do not.
2) KEEP WINDOWS UP TO DATE!!! Use the Windows Update site. Install the latest service pack and ALWAYS make sure you have all of the "critical" updates installed! Blaster and CodeRed were fixed 2 months before either of them hit! The only reason they affected anyone was because so many people didn't update their systems! XP SP1 lets you enable automatic background downloading of updates AND installation - at a specified hour (defaults to 3AM). This makes it incredibly easy. All you have to do is turn it on and your computer will always be kept up to date!
3) Don't open e-mail attachments! There are always better ways to transfer files. If you NEED, and I mean NEED, to use an attachment, ONLY do it if you KNOW who it is coming from, WHEN it is coming, WHAT the email says, and don't transfer executables!
A good idea if you do decide to use a file attachment.... give the sender (on the phone, IM, email, whatever) a "password" to include in the email... this way you can be sure they sent it and not a virus that THEY got from downloading someone else's phoney attachment.
EDIT
Oh, and if somehow you still get hit with a virus/worm like MyDoom or Blaster... Microsoft releases removal tools on their website to get rid of them. Without running bloatware like Norton or McAfee.
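The post above puts its weight on two things: a firewall that is actually on, and no missing critical updates. Here is an added example, not from the post, that checks both on a current Windows machine: the firewall profile state via Get-NetFirewallProfile (Windows 8 / Server 2012 or later) and the list of not-yet-installed updates via the Windows Update Agent COM API, which needs access to the update source. The automatic-update policy key at the end is the standard one; it is assumed here that you want to see it, the post only says to turn automatic updates on.

```powershell
# Added example (not from the post): is the firewall on, and what updates are
# missing? Assumes Windows 8 / Server 2012 or later and an elevated prompt on a
# machine that can reach its update source.

function Get-FirewallState {
    # Every profile should be enabled and block inbound by default.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Get-MissingUpdates {
    # Windows Update Agent API: anything applicable that is not installed and not hidden.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

    foreach ($u in $result.Updates) {
        $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'n/a' }   # Critical, Important, ...
        $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        [PSCustomObject]@{ Severity = $sev; KB = $kbs; Title = $u.Title }
    }
}

function Get-AutoUpdatePolicy {
    # Classic Automatic Updates policy values: NoAutoUpdate 1 = disabled,
    # AUOptions 4 = download and install on the scheduled time.
    $au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    if (Test-Path $au) {
        Get-ItemProperty $au | Select-Object NoAutoUpdate, AUOptions, ScheduledInstallTime
    } else {
        'No WindowsUpdate\AU policy key present; the default (automatic) behaviour applies.'
    }
}

Get-FirewallState   | Format-Table -AutoSize
Get-MissingUpdates  | Sort-Object Severity | Format-Table -AutoSize
Get-AutoUpdatePolicy
```

Anything in the missing list with Severity "Critical" is exactly the class of fix the post says was available months before Blaster and CodeRed hit; a profile with Enabled False, or DefaultInboundAction not Block, means the firewall the post recommends is not doing its job.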
druga runda
02-16-04, 09:47 AM
OK... tx guys.. but it seems that I have been HaX0r3d :lol:
or :kill:
it's a bit long, but all in all, I am pretty convinced that there is some utility that has been deposited on my system that resets the security settings upon every boot.
Umm... I have a few different Windows installations on this PC, and every single one was affected with this "all drives are shared by default" situation; furthermore, I cannot reset the password on the Administrator account - ie it is always "no password", can't seem to be able to put one on.
Even more fun is that I have reinstalled Win2K (not formatted or anything, just overwritten one of the setups), and voila, straight away the same...
well it tells me that the utility that the hacker left is somewhere on the HDDs, and not in the Windows directory... the question is what is that thing, how to find it and delete it?
What I know is that 100% it is set during boot.
What I am 99% certain about is that it resets the "security settings" of any Windows installation that boots up - so somehow it must be able to read the path, as every one is a little bit different (it's not just WINNT\etc\etc)...
bah...
I had that Nachi worm a few days ago, AVG picked it up and repaired svchost.exe and a file in the IE temp internet folder, but it did this 3 times in the same day. So I ended up formatting both my Windows partition and my second partition, backing up everything before doing so. Now a couple of days after, I haven't had any problems; before, I had my connection disconnecting often, and random apps freezing up my system.
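The post above reasons that whatever resets the settings must run at every boot, and that it survives a reinstall, so it is not in the Windows directory. The places Windows starts things from are finite, so enumerating them with the image path of each entry is the natural next step. This is an added example, not code from the thread: modern PowerShell that walks the Run/RunOnce keys, the Winlogon Shell and Userinit values, auto-start services and boot/logon scheduled tasks, and sorts entries whose image lives outside %SystemRoot% to the top. The "outside Windows" flag is a heuristic for this thread's situation, not a verdict; plenty of legitimate software starts from Program Files.

```powershell
# Added example (not from the thread): enumerate boot/logon persistence points
# and flag images that live outside the Windows directory. Assumes PowerShell 3+
# (Get-ScheduledTask needs Windows 8 / Server 2012 or later); run elevated.

$winDir = $env:SystemRoot

function Get-ImagePath([string]$cmd) {
    # Pull the executable out of a command line such as  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
    if (-not $cmd) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd).Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split '\s+')[0]
}

function Get-PersistenceEntries {
    $findings = @()

    # 1) Run / RunOnce for the machine and the current user.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath, ... are provider metadata
            $findings += [PSCustomObject]@{ Source = $k; Name = $p.Name; Image = Get-ImagePath $p.Value }
        }
    }

    # 2) Winlogon Shell / Userinit: run at every logon, classic hijack targets.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'Shell', 'Userinit') {
        foreach ($part in ([string]$wl.$n -split ',')) {
            if ($part.Trim()) {
                $findings += [PSCustomObject]@{ Source = 'Winlogon'; Name = $n; Image = Get-ImagePath $part }
            }
        }
    }

    # 3) Auto-start services, from their registered image path.
    foreach ($s in (Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
        $findings += [PSCustomObject]@{ Source = 'Service'; Name = $s.Name; Image = Get-ImagePath $s.PathName }
    }

    # 4) Scheduled tasks with a boot or logon trigger.
    $bootTasks = Get-ScheduledTask | Where-Object {
        $_.Triggers | Where-Object { $_.CimClass.CimClassName -match 'BootTrigger|LogonTrigger' }
    }
    foreach ($t in $bootTasks) {
        foreach ($a in $t.Actions) {
            if ($a.Execute) {
                $findings += [PSCustomObject]@{ Source = "Task $($t.TaskPath)"; Name = $t.TaskName; Image = Get-ImagePath $a.Execute }
            }
        }
    }

    # Flag images with an explicit path outside %SystemRoot%. A bare name such as
    # explorer.exe has no path to judge and is left unflagged.
    foreach ($f in $findings) {
        $img     = $f.Image
        $outside = [bool]($img -and ($img -match '[\\/]') -and ($img -notlike "$winDir\*"))
        $f | Add-Member -NotePropertyName OutsideWindows -NotePropertyValue $outside -PassThru
    }
}

Get-PersistenceEntries |
    Sort-Object OutsideWindows -Descending, Source |
    Format-Table Source, Name, OutsideWindows, Image -AutoSize
```

For the situation in the thread, an entry on the second disk or on a partition that survived the reinstall is the one to look at first; an entry you cannot account for under %SystemRoot% still deserves a signature check, since a name in System32 proves nothing on its own.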
druga runda
02-17-04, 12:28 PM
and yes, reformatting is on the cards in my case as well...
and the best thing is - clearly the best - that I just bought an 8x DVD-RW :banana:
:dance:
so I have almost gone through backing up the data... one more day slowly and that will be it... as at this point I had 152 GB of stuff on there... all accumulated in about 1.5 years since I last reformatted (and a HDD addition in the meantime)... so it's time for a cleanup... actually I am glad, because I was thinking about it for a while, but was always too lazy to actually go and back up everything... now it is clear I don't like someone sniffing around my system, and it is the time to do it.
Btw... I have disconnected from the internet until I clear up... don't want any unwanted guests until I am back fully protected. Hopefully if I have enough time I will have this PC back in operation by the weekend.
druga runda
02-19-04, 10:56 AM
It seems like my master boot record was gloriously erased :eek:
erm... my wife just called me from home and told me that the PC has done a BSOD and now it hangs before the "Windows boot screen" - the one where you can choose which Windows installation you want to get into...
Still I am not worried, actually I am happy right now :afro: as this did not happen before, and just yesterday I finished backing up all my data - all 25 (or 26) DVDs of it, as I was readying for a format myself :afro2: ...
Not seeing it all go puff I am just like :udawg: as the whole thing doesn't really affect me... but it could have big time if this was timed to happen earlier...
anyway, it remains for me to see it when I come home, but I will make sure that I do a reformat on both disks - btw - I hope that the "Win 2000 default reformat" truly erases everything so that even those extra special hidden files are gone...
As I have 2 discs, I will first reformat 1 - have the other one offline, and then do the other...
and hopefully get rid of this pest + next time I will know that - Administrator account = good password, and router + software firewall (new router is on the way too) & updating Windows holes on a regular basis too... so yeah, I think that from now on I'll try to keep my PC doors and backdoors locked to the best of my ability...
All in all I was lucky :nana:
ALobpreis
02-19-04, 12:12 PM
To recover info from a disk that had its MBR or boot sector deleted, use Final Data or GetDataBack.
threedaysdwn
02-20-04, 10:51 AM
There's always the possibility that your security hasn't been compromised... you might simply have a failing hard drive.
That could explain why settings changes weren't being saved, and could explain the gradual death of your system.
Enabling SMART might let you know if there's a problem, and Windows Setup *should* identify any glaring problems. One thing to keep in mind is that you should not do a Quick Format if you think your disk may have problems. A full format takes far longer, but will verify disk integrity at the same time.
SuLinUX
02-21-04, 04:32 PM
I'm afraid a big password for your admin account will do nothing (don't be admin anyway); the attacker gets through on MS vulnerabilities in the OS that you don't know about, IE is a good example of this.
http://housecall.trendmicro.com/
that's the virus scanner I use.. since I don't have high file transfers all the time to my game b0x, I only need to scan like once a week max..
'tis handy 'cause I haven't found a virus that can disable a web-based VS..
druga runda
02-22-04, 08:27 PM
well I reformatted and I am quite happy as it stands... there was, as far as I can tell, a security breach - which was not hard really, as I was just sloppy for some time before this whole thing... ie... I used Keiro for a while to try it out, the 30 days ran out, which still leaves you with a functional firewall, but I think I crashed my system once and Keiro suffered, so I disabled it... being too sloppy to put something on there straight away... A few months before, my router failed, and I didn't bother to replace it, as I didn't really need all of my PCs to access the net as it stands... and my admin account was just left at default without a password... and no protection, and I think someone spotted that, probably sniffed around and got a nice little home on my system. (even though I think I was up to date with critical updates)
So well I tried to figure it out, but to no avail; who knows where this thing was hidden, and who knows what was there anyway, as I had lots of clutter on my disks.. and then this thing with no boot... baahh.,,, overall backed up all that was worth on time - DVD-RW :afro: came just in time... and cleared it all, now after a day or two of reinstalling stuff, I am quite content with what I have, and additional protections will be in place to make me tough to get access to again. I guess I was just not careful, but it was a matter of time, as I leave this PC online 24-7, so I was basically asking for it to happen in principle. It is good that I really had no consequences, and this system reformat was overdue anyway.
As for the format - I did the smaller disk with the Win2K default NTFS reformat, and the big disk with PartitionMagic... so I hope all is erased well... at least it seems to be, as I have no signs of the former problems. Reading all related stuff on the net, I even read that there is some undocumented Windows support for some old, or is it current, Mac file system, so truly good hackers can deposit files on your system that are allegedly functional for them but you can't even see them from Windows... allegedly the only way to catch those is by monitoring your network traffic :eek:... one way or another... a proper reformat deletes all AFAIK... and that is what I have done so
:afro: