Author Topic: What Virus does this? (Please Read)  (Read 9790 times)


chaosmonkey

  • Guest
What Virus does this? (Please Read)
« on: September 19, 2003, 04:20:19 PM »
First of all let me say that I switched to Avast after I got a message on my AVG update on Sept 10, of all dates, that my license had expired. I was never told that would happen, and seeing how it was the day before an expected internet attack on 9/11, I said "screw 'em", and googled to find Avast. My version says I have 52 days left. Everybody talks about the free version. I would like that, but I will buy it if I have to. (I know people are pissed off at the USA these days, please don't take it out on the good people in the US who are trapped in a corrupt system.)

Anyway, the problem I have may be a virus or a trojan, I don't know. I know about enough of this security stuff to get me in trouble. The problem is that my hard drive will seem to "fill up" and my processor usage will go up to 100% and basically stay that way until I shut off my machine and reboot. Then everything is back to normal. Sounds to me like my security has been compromised and that somebody is using my machine as a bridge to do something else. Avast found 4 viruses that AVG never found, deep inside system32 and WinNT.

I have heard about anti-trojans; will this help?

Currently I am running Windows 2000. I share a DSL connection with another Win 2000 box (which is a teenager's machine with AOL Messenger and Kazaa Lite. Am I infected from the teenage machine's AOL Messenger?)

I have Tiny Personal Firewall, Avast, Net Nanny, and AdAware on both machines.

The problem usually starts after I have been on a while, like someone gets notified that another box is available for their nefarious intent.

My worst fear is that my machine is being used to hack into secure sites, or even worse, transmit porn. With the Stupid anti-freedom PATRIOT Act that the US passed, I could end up in a military prison because my machine might be infected with some crap that is not mine. Of course that is a worst case scenario, but I heard about a guy who went to jail because he made a when George Bush came to his town, that "Maybe a Burning Bush would inspire us all."

Anyway, thanks for reading. Sorry it was so long.

Any answers to my "virus/Trojan"?

I wonder if the Windows updates themselves are the cause. I am totally spooked by this. I think I need to get a Linux Box.

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:What Virus does this? (Please Read)
« Reply #1 on: September 19, 2003, 04:49:47 PM »
What program uses the 100% CPU? You may take a look in the Task Manager. Is there any special Internet/network traffic? You may type "netstat -an" in a DOS box or use TCPView from http://www.sysinternals.com/ntw2k/source/tcpview.shtml . What viruses did Avast find in the system folders? Do you have any open shares in the network? Maybe the traffic / hard disk traffic comes from the other PC. Have you installed all patches and service packs for Win2000 from Microsoft? To get a second opinion you could use the online scanner from RAV: http://www.rav.ro/scan/
Regards, Ralf

chaosmonkey

  • Guest
Re:What Virus does this? (Please Read)
« Reply #2 on: September 19, 2003, 06:23:49 PM »
Avast found something called Star.exe plus 3 other extensions.

Thanks for the tip on the TCP monitor I'll do that.

As for something on my machine using 100% of my CPU, well, I've rendered in 3DS MAX and have seen that. And 3D games do it, but that is it.

Thanks again.


Hornus Continuum

  • Guest
Re:What Virus does this? (Please Read)
« Reply #3 on: September 25, 2003, 05:39:09 AM »
chaosmonkey,

Can you clarify what you mean by "seems to fill up?"  Do you mean heavy disk activity, or is there some other indication like an increasing byte count?

Referencing raman's question, I don't believe he was asking what programs have done this in the past but specifically which one is hogging the CPU when the problem occurs.  To find out, bring up Task Manager, click the Processes tab, then click the CPU column twice to sort the list by CPU usage in descending order.

I recall reading on the Internet about some shareware that comes bundled with an application that cooperates in a distributed computing network.  IIRC it was a peer-to-peer file/music sharing application which includes a package from Brilliant Digital.

Regards,
Hornus

chaosmonkey

  • Guest
Re:What Virus does this? (Please Read)
« Reply #4 on: September 25, 2003, 03:19:50 PM »
Thanks for everybody's help.

Yes I used task manager the first time to try to see what processes I had running.

I also checked to see if my firewall had let something through.

The "filling up" specifically was that my hard drive would, for example, read 1.45 GB free space, then seconds later 1.01 GB free space, 788 MB free space, and so on until it was full. Also, my processor was pegged at 100%.

Yes, I think it was some "freeware". I run my anti-spyware almost daily now.

My daughter had been using my machine for a project (as I am rebuilding her machine and awaiting parts); I let her use an online web page builder, Geocities I think.

This morning I found a link to a casino on my desktop. Sounds like spyware to me.

Also, I found my firewall had let in mIRC. Thing is, I have denied access to mIRC, but it keeps showing up.

And in TCP View I have a few connections I cannot identify or delete. Does anyone know what this is?

System:8   TCP   0.0.0.0:445   0.0.0.0:0   LISTENING

Or this?
svchost.exe:472   TCP   0.0.0.0:135   0.0.0.0:0   LISTENING

Anyway, thanks again to all who helped.

I used to work at a place where the system admin guy had everybody going through a Linux Box to get to the net. We never had any problems. When the company MADE him switch to Windows 2000 server we had all kinds of problems.

Is it time for me to learn Linux and use that kind of box as a server/firewall?

Hornus Continuum

  • Guest
Re:What Virus does this? (Please Read)
« Reply #5 on: October 01, 2003, 10:33:09 AM »
chaosmonkey,

The first line shows the system process listening for a connection request on MICROSOFT_DS to establish a NetBIOS session.  The second line shows the svchost (Service Host - generic host for services) process listening for a connection request on DCOM to handle RPC requests.

Regards,
Hornus

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:What Virus does this? (Please Read)
« Reply #6 on: October 01, 2003, 11:11:31 AM »
Hm? Isn't that the other way round? Ports 135-139 = NetBIOS, port 445 = various Windows services like DCOM?
Regards, Ralf

Hornus Continuum

  • Guest
Re:What Virus does this? (Please Read)
« Reply #7 on: October 01, 2003, 12:19:09 PM »
raman,

You're correct, but there is a lot of overlap.

The following is from a service port list compiled from multiple sources, including Microsoft and IANA (Internet Assigned Numbers Authority).  Each entry details the port number, the name(s) it's known by, and common uses.


TCP:

135 - DCOM, Microsoft RPC end point to end point mapping, epmap, DCE endpoint mapper, loc-srv, locator service, Client/Server Communication, DCOM (SCM uses TCP/UDP to dynamically assign ports for DCOM), DHCP Manager, Exchange Administrator, RPC, Microsoft Message Queue Server, RPC user manager, RPC service manager, RPC port mapper, SQL session mapper; WINS Manager

137 - NETBIOS_NS, NETBIOS Name Service, nbname, WINS Registration

139 - NETBIOS_SESSION, NETBIOS Session Service, netbios-ssn, nbsession, Common Internet File System (CIFS), DNS, Administration, Login Sequence, NetBT service sessions, Pass Through Verification, Printer sharing session, SQL session

445 - MICROSOFT_DS, Microsoft-DS, Microsoft Common Internet File System (CIFS)

UDP:

135 - DCOM, Microsoft RPC end point to end point mapping, epmap, DCE endpoint mapper, loc-srv, locator service, Client/Server Communication, DCOM (SCM uses TCP/UDP to dynamically assign ports for DCOM)

137 - NETBIOS_NS, NETBIOS Name Service, nbname, browsing requests of NetBIOS over TCP/IP, File shares lookup, Login Sequence, NetBT name lookups, Pass Through Verification, Printer sharing name lookup, SQL Named Pipes encryption over other protocols name lookup, SQL RPC encryption over other protocols lookup, WINS NetBIOS over TCP/IP name service, WINS Proxy

138 - NETBIOS_DGM, NETBIOS Datagram Service, nbdatagram, browsing datagram responses of NetBIOS over TCP/IP, Login Sequence, NetBT datagrams, NetLogon, Pass Through Verification

445 - MICROSOFT_DS, Microsoft-DS, Microsoft Common Internet File System (CIFS)


MICROSOFT_DS (445) is used when the SMB (Simple Message Block) protocol uses the NetBT (TCP/IP NetBIOS Helper, or NetBIOS over TCP/IP) service to support file sharing.

Regards,
Hornus
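An added example, not code from the thread, from Sysinternals or from Avast, that automates the check raman suggests in Reply #1 ("netstat -an" or TCPView) using the port table Hornus gives above: it parses rows in the shape TCPView prints (the shape chaosmonkey pasted in Reply #4), matches each listener against a baseline of the Windows 2000 services named in the table, and marks anything else for review. The baseline table, the IRC watch-list and every sample row beyond the two pasted in the thread are constructed assumptions for this example; `KNOWN_LISTENERS`, `classify` and `triage` are names chosen here, not anything from the tools discussed.

```python
"""Triage a TCPView / netstat-style connection listing against a baseline of
the Windows 2000 listeners discussed in this thread.

Added example for this thread, not code from the forum, Sysinternals or Avast.
The baseline table, the watch-list and the sample rows are constructed for
illustration; adjust them to the machine you are looking at.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Baseline listeners on a stock Windows 2000 box, built from the port table in
# the thread: port -> (what it is, lower-case names of the process that
# normally owns it). The SMB/NetBIOS ports belong to the "System" process and
# the RPC endpoint mapper runs inside svchost.exe.
KNOWN_LISTENERS = {
    135: ("epmap / DCE endpoint mapper (RPC, DCOM)", {"svchost.exe"}),
    137: ("NetBIOS name service", {"system"}),
    138: ("NetBIOS datagram service", {"system"}),
    139: ("NetBIOS session service (SMB over NetBT)", {"system"}),
    445: ("Microsoft-DS (SMB directly over TCP)", {"system"}),
}

# Remote ports that prove nothing by themselves but deserve a look on a home
# box: the thread mentions mIRC reappearing, and IRC servers use 6667.
WATCH_REMOTE_PORTS = {6667: "IRC"}

# One row as TCPView shows it: process:pid  proto  local  remote  [state]
LINE_RE = re.compile(
    r"^(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>[\d.*]+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>[\d.*]+):(?P<rport>\d+|\*)\s*(?P<state>[A-Z_]+)?\s*$"
)


@dataclass
class Finding:
    process: str
    pid: int
    proto: str
    local_port: Optional[int]
    verdict: str   # "expected" or "review"
    reason: str


def parse_line(line: str):
    """Parse one row; return a dict, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "process": d["proc"],
        "pid": int(d["pid"]),
        "proto": d["proto"],
        "local_port": None if d["lport"] == "*" else int(d["lport"]),
        "remote_port": None if d["rport"] == "*" else int(d["rport"]),
        "state": d["state"] or "",
    }


def classify(conn: dict) -> Finding:
    """Decide whether a parsed row matches the baseline or needs review."""
    proc = conn["process"].lower()
    lport, rport = conn["local_port"], conn["remote_port"]
    base = dict(process=conn["process"], pid=conn["pid"],
                proto=conn["proto"], local_port=lport)
    # UDP rows carry no state in TCPView; a bound UDP socket counts as a listener.
    listening = conn["state"] == "LISTENING" or conn["proto"] == "UDP"
    if listening:
        if lport in KNOWN_LISTENERS:
            name, owners = KNOWN_LISTENERS[lport]
            if proc in owners:
                return Finding(**base, verdict="expected",
                               reason=f"{name}, owned by {conn['process']} as usual")
            # Right port, wrong owner: something else has taken a service port.
            return Finding(**base, verdict="review",
                           reason=f"port {lport} is {name} but is owned by "
                                  f"{conn['process']} (PID {conn['pid']}) instead of "
                                  f"{'/'.join(sorted(owners))}")
        return Finding(**base, verdict="review",
                       reason=f"listener on port {lport} is not in the baseline; "
                              f"identify PID {conn['pid']} in Task Manager")
    if rport in WATCH_REMOTE_PORTS:
        return Finding(**base, verdict="review",
                       reason=f"{conn['process']} has a {conn['state']} connection to "
                              f"remote port {rport} ({WATCH_REMOTE_PORTS[rport]})")
    return Finding(**base, verdict="expected",
                   reason=f"{conn['state']} connection; confirm you recognise "
                          f"{conn['process']}")


def triage(listing: str) -> list:
    """Run every parseable row of a listing through classify()."""
    return [classify(c) for c in map(parse_line, listing.splitlines()) if c]


# Constructed sample. The first two rows are the ones pasted in the thread;
# the other three are made up to exercise the review paths.
SAMPLE = """\
System:8          TCP   0.0.0.0:445        0.0.0.0:0      LISTENING
svchost.exe:472   TCP   0.0.0.0:135        0.0.0.0:0      LISTENING
System:8          UDP   0.0.0.0:137        *:*
mirc.exe:1204     TCP   192.168.0.2:1044   10.0.0.5:6667  ESTABLISHED
unknown.exe:1388  TCP   0.0.0.0:4444       0.0.0.0:0      LISTENING
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.verdict:8} {f.proto} {f.process}:{f.pid} -> {f.reason}")
```

Feed it a saved TCPView listing in place of SAMPLE. TCPView is the better source for the process column on Windows 2000, since that version of netstat cannot show the owning process (the -o switch arrived with Windows XP). The two rows from the thread come out as "expected"; a listener on a port outside the baseline, or a baseline port owned by a process other than the one that normally holds it, is what the script marks for review.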

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:What Virus does this? (Please Read)
« Reply #8 on: October 01, 2003, 12:31:50 PM »
Thanks for the info. I know that it is a bit confusing, but so much! :)
Regards, Ralf