cmd.exe and net.exe exhausting CPU

Martin Copland

Hi

I am a newbie and apologise if this is a dumb question.

My computer is networked to 2 others but commonly operates as a stand alone.
As a stand alone I notice that my system (2000 Pro) degrades shortly after
start up. When I look at the task manager I see large numbers of cmd.exe,
net.exe and occasional ping.exe being executed. The task manager in the
tool bar indicates that the CPU is fully occupied.

Any help will be greatly appreciated.

Martin
 
Harry Bates

Sounds like you may have some sort of malware. I would guess it was a trojan and
something is trying to use your box to DDoS another server from the use of
cmd and ping. Most viruses are hard coded instead of using ping and cmd to
do the work for them. I would download a trial version of F-Secure antivirus
from www.f-secure.com and scan your drives or update your antivirus
software. If nothing comes up, make sure you try a different brand antivirus
to confirm. Like I said though, I would recommend F-Secure. When it finds
the malware you have please let us know which one you were infected by.

-Harry Bates
Lockheed-Martin
 
Martin Copland

You were absolutely right

C:\WINNT\MEMORY.DMP - BAT.Noshare.B trojan. Deleted.
C:\WINNT\Displays.dll - IRC.Flood trojan. Deleted.

and C:\WINNT\system32\nwcfgexe 2,262,016 bytes
contains an archive with:

Number of infections: 6
Number of infected files not cleaned/deleted/renamed: 6
C:\WINNT\system32\Nwcfg.exe>TAPI.DLL (IRC.Flood trojan)
C:\WINNT\system32\Nwcfg.exe>rconnect.exe (Win32.IRCFlood trojan)
C:\WINNT\system32\Nwcfg.exe>safe.bat (BAT.Noshare.B trojan)
C:\WINNT\system32\Nwcfg.exe>scan.ocx (IRC.Flood trojan)
C:\WINNT\system32\Nwcfg.exe>secure.exe (Win32.IRCFlood trojan)
C:\WINNT\system32\Nwcfg.exe>explorer.exe (Win32.IRCFlood trojan)

I dumped nwcfgexe and found that it ends with:

"Valhalla =- Assembled 1997 .. Activated 07.2002 - devoted for peace and
harmony in universe against war, racism,terrorism and cruel brutality ..
remember .. life is the most important thing -not money .. it's time for a
revolution NOW ...."

It contains other filenames:

clbcatex.exe, clearel.exe, hidden32.exe, libparse.exe, logonui.exe,
psexec.exe, spoolsv.exe, wget.exe.

driver.bat, go.bat, wnlib20.bat and regkey.bat

moo.dll, cnb.dll, shlwapi.dll, bootdrv.dll, cnb.dll etc

system.ocx

names.ini, pirc.ini and servudaemon.ini

At least the latter it will write to the ...\system32 directory.


Thanks all

Martin
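
Added example, not part of the thread: a small detector for the symptom described in the first post, many cmd.exe, net.exe and ping.exe processes started in quick succession. It assumes process-creation records exported as `time,pid,parent_pid,image_path` lines; that format, the thresholds, the sample records and PID 1337 are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

WATCHED = {"cmd.exe", "net.exe", "ping.exe"}  # process names reported in the thread

def parse(line):
    """Parse one 'ISO-time,pid,parent_pid,image_path' record (assumed log format)."""
    ts, pid, ppid, image = line.strip().split(",", 3)
    return datetime.fromisoformat(ts), int(pid), int(ppid), image.rsplit("\\", 1)[-1].lower()

def find_bursts(lines, max_gap_s=2.0, threshold=8):
    """Group watched spawns separated by <= max_gap_s; report groups of >= threshold."""
    events = sorted(e for e in map(parse, filter(str.strip, lines)) if e[3] in WATCHED)
    clusters = []
    for ev in events:
        if clusters and (ev[0] - clusters[-1][-1][0]).total_seconds() <= max_gap_s:
            clusters[-1].append(ev)   # still inside the current run of spawns
        else:
            clusters.append([ev])     # quiet gap: start a new run
    return [{"start": c[0][0], "end": c[-1][0], "count": len(c),
             "names": Counter(e[3] for e in c),
             # the most frequent parent PID is the process to inspect first
             "top_parent": Counter(e[2] for e in c).most_common(1)[0][0]}
            for c in clusters if len(c) >= threshold]

def sample_log():
    """Constructed records for illustration; not data from the thread."""
    t0 = datetime(2000, 1, 1, 9, 0, 0)
    rows = [(t0, 200, 8, r"C:\WINNT\system32\services.exe"),
            (t0 + timedelta(seconds=30), 900, 640, r"C:\WINNT\system32\cmd.exe")]  # one-off
    names = ["cmd.exe", "net.exe", "ping.exe"]
    for i in range(12):  # 12 spawns 0.5 s apart from hypothetical parent PID 1337
        rows.append((t0 + timedelta(seconds=60 + i * 0.5), 1000 + i, 1337,
                     "C:\\WINNT\\system32\\" + names[i % 3]))
    return [f"{ts.isoformat()},{pid},{ppid},{img}" for ts, pid, ppid, img in rows]

if __name__ == "__main__":
    for b in find_bursts(sample_log()):
        print(b["start"], b["end"], b["count"], dict(b["names"]), "parent", b["top_parent"])
```

A single interactive cmd.exe does not trip the threshold; a reported burst points at the parent PID whose image path and startup entry should be checked next.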
 
