Big problem

Tenshodo

Member
Jul 8, 2005
Today I noticed that my CPU temps were topping at 52 degrees Celsius without doing anything. There was a program called FAH502-console.exe and core78.exe that was using 100% of CPU power. I can't even erase them. How do I fix these?

I did some research and saw that they were associated with a folding program, but I never installed them.

I seriously need help.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
1) has anyone besides yourself been using the computer?

2) do you have an antivirus program (if so, what brand and what version)?

3) do you have a firewall? Hardware (router), software, or both?

4) it would be of intense interest to find out whose account the Folding@Home client is doing its work for, who's getting the credit for it. This is reminiscent of the misuse of the Distributed.net client about 4-5 years ago.
 

Tenshodo

Member
Jul 8, 2005
1- Yes, but the users are pretty clueless about how to operate a computer. I blocked all forms of downloading on other accounts except for mine, which is password protected.
2- I have Norton 2004 Internet Protection and antivirus. I also run AVG Free antivirus, and Spybot.
3- I have the Norton firewall. I used to use the router but it messes with my internet.

Basically, it somehow installed itself onto the computer.

I think it's fixed for the moment. I disconnected it using msconfig and deleted it from my processes. I just hope it doesn't come back again. How would I permanently delete it?
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Very interesting.

1) Do the other users use Administrator-class user accounts, as opposed to Limited-class or Guest-class user accounts? Yes = not good, but that's water under the bridge at the moment. But in the future, make them use Limited accounts if they aren't already: info on Limited accounts

2) Can you locate the files that you named? If not, try F-Secure BlackLight beta rootkit eliminator.

3) Start by trying this quick 7-step procedure as directed, to bring a newer, better antivirus scanner to bear on your system without having to actually install/uninstall anything. If it finds bad stuff it will delete it, no questions asked, so make sure you have backups of anything you cannot afford to lose.


FYI, it is not a good idea to use two real-time antivirus programs at the same time (Norton + AVG). Deleting the unwanted program is one goal, but finding out how it arrived is important so you can eliminate the vulnerability.
 

Tenshodo

Member
Jul 8, 2005
1- They all use guest accounts except for me.

I disabled AVG so that it only scans when I tell it to. It takes up almost no resources, I think.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Well, the possibilities I can think of, and possible countermeasures, are:

1) someone with Admin-class powers (you) installed the program, possibly without realizing it (like, if it were bundled inside of something else... classic Trojan Horse approach)

2) the system has an exploitable Windows/IE vulnerability that grants SYSTEM-level privilege even to a Guest user, and the exploit was used to deliver the unwanted installation. Is the system at Service Pack 2 level plus all 29 post-SP2 patches? Check with Microsoft Baseline Security Analyzer 2.0. Enable Automagic Updates.

3) the system has an exploitable vulnerability in some other software or service, such as eMule, Microsoft Office, Acrobat Reader, or an IM program, that grants SYSTEM-level privilege to a Guest user, and the exploit was used to deliver the unwanted installation remotely. If you have Office2000, then in addition to MBSA 2.0, also use MBSA 1.2.1 as well, and/or run the computer through Office Update until it comes out clean.

4) the system was successfully attacked by a worm that your antivirus and firewall software don't recognize yet. If possible, figure out what the problem is with your router, put it back in place, and lock it down.

5) the system's hidden Administrator account has a blank password and your system was 0wned by a no-brainer exploit of that weakness. Do this:
(a) Start > Run > cmd to get a command box
(b) net localgroup administrators to get a list of all the Admin-class accounts, hidden or otherwise
(c) for each Admin-class account, run the command net user username strong-password-here to give them strong passwords to prevent this approach from succeeding.


Also, it's generally regarded as a good policy to not use the Guest account, lock it out and use Limited-class accounts.

Anyway, if it were me, that Windows installation would be burned to the ground and redone from scratch, I don't trust a potentially-compromised system any further than I have to.
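As an added example (not from the thread or its posters), here is a batch script that automates the audit in step 5 together with the Guest-account advice: it lists every member of the local Administrators group, shows each local account's status and password age, and reports whether Guest is enabled. It assumes a Windows XP-era cmd.exe with the built-in net and findstr commands, run from an Administrator-class account.

```batch
@echo off
rem Added example, not from the thread: audit Admin-class accounts and the Guest account
rem with the built-in "net" command (assumes Windows XP-era cmd.exe, run as an Administrator).
setlocal enabledelayedexpansion

echo === Members of the local Administrators group (hidden accounts included) ===
net localgroup administrators

echo.
echo === Status of each local Admin-class account ===
rem Strip the header/footer lines of "net localgroup" output, leaving only member names.
for /f "tokens=*" %%A in ('net localgroup administrators ^| findstr /v /b /c:"Alias name" /c:"Comment" /c:"Members" /c:"----" /c:"The command"') do (
    set "acct=%%A"
    rem Domain members appear as DOMAIN\user and cannot be queried with "net user" locally, so skip them.
    if "!acct:\=!"=="!acct!" (
        echo --- !acct! ---
        rem A very old "Password last set" on an account you never gave a password suggests it is still blank.
        net user "!acct!" 2>nul | findstr /i /c:"Account active" /c:"Password last set" /c:"Password required"
    )
)

echo.
echo === Guest account ===
net user guest 2>nul | findstr /i /c:"Account active"
echo If "Account active" is Yes, disable it with:   net user guest /active:no
echo.
echo To set a strong password on an Admin-class account without putting it on the
echo command line, run:   net user ACCOUNTNAME *   and type the password at the prompt.
endlocal
```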