Usage spikes and persistent pop-ups

trickyricky

Further to my report earlier today about a FP with Multibot
Pro, I have seen repeated spikes in CPU usage of 40% to 50%
every 12 seconds since the false positive was identified by
MSAS. The processes responsible for this are gcasServ.exe
and gcasDtServ.exe.

Secondly, I have had to disable allowed alerts in settings,
because MSAS was popping up an alert to tell me I had
allowed Multibot Pro to run and have ignored it every 12
seconds.

As I said earlier, if I allow MSAS to fix the problem, it
doesn't, and nothing else can find any problem on my PC, so
MSAS has decided to have a bit of fun, or so it would appear.

trickyricky

[later]
Disabling the System Agents in the Real Time Protection
stops the spikes, so I guess I'll try to nail which of
these 25 system agents is causing the trouble. Unless of
course anyone knows the answer already.

trickyricky

[even later]
OK, found it - when I disable Windows Directory Trojans the
usage spikes stop. And the winlogon.exe file which is the
trademark of the Multibot Pro trojan never appears...

Bill Sanderson

Check on the size of errors.log, typically found in c:\program
files\microsoft antispyware.

If it is large, shut down Microsoft Antispyware by right-clicking on the
notification area icon. Once it is shut down, delete the errors.log file.

trickyricky

Errors.log is only 12 KB, so that's not the problem.

I forgot to say that I did see another post earlier on in
this group with a similar problem and that user was asked
to update the VB6 runtimes, so I applied that patch as
well, but it made no difference.

Bill Sanderson

You can turn off all real-time protection, via the workaround para in this
kb article:

http://support.microsoft.com/kb/892375
"End users may be prompted to allow or block administrative actions that
originate from a central management tool after they install Windows
AntiSpyware (Beta) on a computer that is managed by Systems Management
Server 2003"

but that seems like overkill.

Have you tried shutting down Microsoft Antispyware, and doing an update
reinstall--control panel, add or remove programs, microsoft antispyware,
change, update?

Bill Sanderson

That's cool! So--you've killed the messenger. What are you going to do
about the infection? (or have I got this wrong somehow?)

What does, say, an online scan with

http://housecall.trendmicro.com

have to say about it?

trickyricky

Surely you can turn off real-time protection from within
MSAS itself? I did when this first happened but then I
re-enabled it as I wanted the added protection of the
real-time elements.

I did an update of MSAS as suggested, but nothing's changed
and I was on version 1.0.509 before the update.

As soon as I re-enable Windows Directory Trojan protection,
I get a green pop-up telling me about the Multibot trojan
again. What on earth is MSAS looking at to see an illusion
of that trojan when it's plainly not there?

Baffling...

trickyricky

There is no infection. According to F-Prot, Kaspersky,
Trend Housecall, Pest Patrol, A-Squared, Spybot, Ad-Aware
and my own examination with HijackThis and other tools,
this is definitely a false positive thrown up by MSAS.

What I would like to find out is why MSAS is pushing up a
pop-up dialog every 12 seconds to warn me of a security
risk that simply isn't there? What is bothering it so much
that it has to drive me nuts?

Nothing else seems to see anything where MSAS is looking.
What else can I try/do?

I appreciate your help so far with this. I just wonder what
an "average user" would have made of it... (I'm an IT
Support Professional myself).

Bill Sanderson

In fact, the kb article workaround para is the only effective way to achieve
the desired result with this beta product--regardless of what the UI might
have you believe.

OK - so you are certain you don't have the real critter--all you are seeing
are the popups? And those don't allow you to drill down and see
details---hmmm.....

I think you should get a log entry in Microsoft Antispyware on either
choice--any useful information in the logs?

Tools, Real-time Protection, View security agent events. If you highlight
an event on the left, it is possible to cut and paste the right pane,
fwiw (ctrl-a, right-click, copy):
Internet Explorer Trusted Sites alert

Occured on: 5/23/2005 at 4:59:46 PM

The user Bills, has decided to allow the trusted site badsite.com to
Internet Explorer.

About Internet Explorer Trusted Sites: Trusted Sites are web sites that you
trust not to damage your computer. Internet Explorers security is based upon
a set of zones. Each zone has different security in terms of what scripts
and applications can be run while using that zone. It is also possible to
add domains (sites) to particular zones, so that if you are browsing in a
web site that is part of a zone that has low security, then you will be
allowed to run scripts, potentially dangerous ones, from that web site.

trickyricky

Yes, I'm certain I don't have the trojan. I wish I did,
because then I could zap it and get on with life :)

The log isn't at all informative about this "threat":

--------snip-------
8756

Occured on: 26/05/2005 at 18:49:45

A known spyware threat MultiBot Pro has been allowed to run
becuase the user has decided to previously ignore this threat.
--------snip--------

There's even a typo there, so all's not in vain.

Is there anywhere else that I can look to see exactly what
it is that's triggering the alert? I looked on the Giant
and Pest Patrol web sites and they gave details of what
would be on an infected PC and I can find none of it on
this PC.

trickyricky

Here's an earlier event from when I was removing the threat
and it was still returning every 12 seconds:

--------snip--------
Remove spyware threat MultiBot Pro.

Occured on: 25/05/2005 at 23:49:27

The user Richard, has decided to remove the spyware threat
MultiBot Pro that has been detected by real-time protection
trying to run the program C:\WINDOWS\winlogon.exe.
--------snip--------

I have to add that there was no such file in the Windows
directory.

Bill Sanderson

typos are being fixed en masse, so they don't need reporting, unfortunately.

The approved item is really hidden in the UI--Options, settings, spyware
scan in the left column, look in the right panel for a list of ignored
stuff. If you hover over one, it gives some description, but not much detail.

Bill Sanderson

I've seen similar issues posted here before, but never had the chance to
actually dig into what's happening--see my other reply.

trickyricky

I checked there and it told me virtually nothing. I've
removed it from the ignored items, and nothing has happened
because I still have the Windows Directory Trojan agent
disabled. What does that particular agent look for? I
clicked on the "learn about this checkpoint" link to be told

"The Windows Directory Trojans Agent monitors spyware
threats that can load a particular file when Windows starts."

So I'm none the wiser. What does it actually look for? I
can see no running processes that shouldn't be there and
there's nothing added to my start-up locations. Where else
can I look?

Bill Sanderson

Can I take you at your word that there was no such file--i.e. you've checked
with attrib at a cmd prompt, and perhaps as well used a tool such as
f-secure's blacklight or sysinternals rootkitrevealer (just in case!)?

This doesn't sound like a false positive--if a startup item is attempting to
load a file with that name from that location--it's bad. Even if the file
no longer exists, the startup item is worth getting rid of, I'd think.

If you want to dig into this more--and we've come this far--why not? You
could perhaps use some other tools--hijackThis and/or silentrunners.vbs are
ones I can think of, to analyze startup items. Detailed analysis of that
sort is getting out of my depth--I can do it on my own machines, but I can't
just glance at stuff and see things stand out.

I'd recommend looking harder at the startup items--silentrunners.vbs does
that and only that, and is small and cheap--

http://www.silentrunners.org/

I would shut down Microsoft Antispyware before running this or any script.

trickyricky

Sounds good to me. I have to go now - it's 8:30pm in
London, but I'll pursue this further and report back,
hopefully within the next 24 hours, possibly sooner. Thanks
for the help so far.

trickyricky

Good Morning Bill :)

Well, after running Rootkitrevealer which threw up nothing,
I tried HijackThis again, which also revealed nothing. So I
then ran Startuplist and Silentrunners, which amazingly
showed nothing nasty either.

After launching a command-line session again, I stumbled on
a DIRECTORY called winlogon.exe containing a text file
called Readme.txt, in the c:\windows directory. The text
file contained this:

------snip------
DO NOT DELETE THIS FOLDER
This folder has been created by SmartCOP Anti-Virus to
immunize against W32.NetSky.C virus.
SmartCOP Anti-Virus
www.s-cop.com
------snip------

So the directory was created by SmartCop Antivirus Scanner
which I tried out a few days ago and rejected.

So I deleted the winlogon.exe directory, re-started the
Windows Directory Trojan agent in MSAS's real-time
protection and haven't seen any alerts since.

To summarise, MSAS was seeing a directory called
c:\windows\winlogon.exe and putting up an alert saying that
a trojan called Multibot Pro was trying to start the file
c:\windows\winlogon.exe. Yet when I asked MSAS to remove
the trojan, it obviously couldn't remove the directory, so
it popped up the same warning over and over.

Scanning with MSAS produced no such warning, so only MSAS's
real-time protection was being fooled by that directory.
And scanning with every other antivirus and anti-spyware
app also found nothing. The perplexing thing for me was
that MSAS was telling me that something was trying to run
that file, yet there is no such process or start-up item
running on this PC.

I conclude that it's still a false positive, since no other
app found any trace of malware on this PC. MSAS also
decided that since there was winlogon.exe in the Windows
directory (even though it was a directory and not a file)
something was trying to "run" that file, which is also
erroneous.

If you want the logs from HJT and Silentrunners for
confirmation, I can post them here or email them to someone.
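The root cause trickyricky describes above (a directory named C:\WINDOWS\winlogon.exe, left behind by another product's "immunization", matched by a name-only real-time check and then impossible to "remove" as a file) is easy to reproduce and to check for. The script below is an added illustration written for this page, not code from the thread, from Microsoft AntiSpyware or from SmartCOP. It builds a constructed temporary tree standing in for C:\WINDOWS, shows a name-only check of the kind the thread's behaviour implies firing on the directory while a check that also requires a regular file does not, and lists every directory under the root whose name ends in an executable-style extension so that such leftovers can be spotted before they trigger an agent. The watched name and extension list are assumptions chosen to mirror the thread; nothing here reflects how the real product matches.

```python
import os
import tempfile

# Assumption: names a startup-monitoring agent would watch for (mirrors the
# thread's example, not the product's real list).
WATCHED_NAMES = {"winlogon.exe"}
# Assumption: extensions that make a *directory* name look like a program.
EXEC_SUFFIXES = (".exe", ".com", ".scr", ".dll", ".sys")


def naive_flag(path):
    """Name-only check: fires on any directory entry whose basename matches,
    which is the behaviour the thread observed (a folder triggered a
    'trying to run the program' alert)."""
    return os.path.basename(path).lower() in WATCHED_NAMES


def careful_flag(path):
    """Same name match, but only for an existing regular file (symlinks
    excluded). A folder called winlogon.exe cannot be executed, so it
    should not be reported as a program being launched."""
    return (
        naive_flag(path)
        and os.path.isfile(path)
        and not os.path.islink(path)
    )


def suspicious_dir_entries(root):
    """Return sorted names of directories directly under root whose names
    end in an executable-style extension. These are the 'immunization'
    folders and similar leftovers worth reviewing before re-enabling a
    real-time agent."""
    found = []
    with os.scandir(root) as entries:
        for entry in entries:
            if entry.is_dir(follow_symlinks=False) and entry.name.lower().endswith(EXEC_SUFFIXES):
                found.append(entry.name)
    return sorted(found)


def build_sample_windows_dir():
    """Constructed sample tree standing in for C:\\WINDOWS as described in
    the thread: a folder named winlogon.exe holding a Readme.txt, a normal
    subfolder, and one ordinary file with an .exe name (placeholder bytes,
    not a real executable)."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    fake_folder = os.path.join(root, "winlogon.exe")
    os.mkdir(fake_folder)
    with open(os.path.join(fake_folder, "Readme.txt"), "w", encoding="ascii") as fh:
        fh.write("DO NOT DELETE THIS FOLDER\n")
    os.mkdir(os.path.join(root, "system32"))
    with open(os.path.join(root, "notepad.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes only
    return root


def demo():
    """Run both checks against the constructed tree and return the results."""
    root = build_sample_windows_dir()
    target = os.path.join(root, "winlogon.exe")
    return {
        "naive": naive_flag(target),            # True: name matches
        "careful": careful_flag(target),        # False: it is a directory
        "dirs": suspicious_dir_entries(root),   # ['winlogon.exe']
    }


if __name__ == "__main__":
    print(demo())
```

Point the last function at the real Windows directory (for example `suspicious_dir_entries(r"C:\WINDOWS")`) to list any executable-named folders there; each should be traced back to whatever created it, as was done with the SmartCOP Readme.txt, before deleting it.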
 
