Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cscript.exe And Cmd.exe, Virus Or Not?


  • This topic is locked This topic is locked
8 replies to this topic

#1 1Hz

1Hz

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:39 PM

Posted 16 June 2008 - 11:35 PM

For the past few days I've been getting pop-ups from my firewall (Comodo) about cscript.exe trying to access the internet, and I haven't been sure what to do, so I've been blocking these attempts. I usually get one pop-up every 10 minutes. The problem is, whenever I block cscript, I get random hangups and complete freezes on my computer, the only thing to do next is to reboot Windows (XP). When I don't block cscript, my computer runs fine.

One thing to note is that before I started getting these firewall alerts, I was accidently messing with my firewall settings and deleted a rule (which I re-added later), so maybe these alerts are normal and there because I re-added the firewall rule? I've done multiple scans with my spyware/adware/anti-virus programs and I have found nothing.

I've googled cscript and cmd, and I haven't found any specific malware threats associated with them. Right now as I post this, I have cscript allowed to access the internet so my computer doesn't randomly freeze on me. From my firewall alerts, the cscript and cmd executables look legit (eg. the date created for them is the day I formatted my computer), should there be anything to worry about?

Right now I think it was just my firewall's newly re-added rule giving me these alerts, but just checking if anyone knows anything else.

EDIT: My computer just froze again, even after I allowed cscript to work, so...Oh yeah, when my computer freezes, I can't open anything, the Task Manager is no exception. According to my firewall alert, cmd.exe is the parent app, trying to get cscript.exe to work. Both applications are in my System32 folder.

Edited by 1Hz, 17 June 2008 - 01:04 AM.


BC AdBot (Login to Remove)

 


#2 cornzey

cornzey

  • Members
  • 156 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:39 PM

Posted 17 June 2008 - 07:58 AM

I think cmd.exe is the Command Prompt.

As for cscript.exe I haven't heard about it but I googled it and it showed some kind of Microsoft Script Host.

Does your computer just 'freeze' or do you get anything such as an error message?

I have also found an article which talks about a worm risk of cscript.exe, take a look at the link below.

cscript info

Hope this helps.

Posted Image

If I'm giving you help and I don't reply within 24 hours PM me with the topic link.



Avast Anti-Virus - Zone Alarm Firewall
Stay Protected.


#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:39 PM

Posted 17 June 2008 - 11:05 AM

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

Anytime you come across a suspicious file which you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Then post back with the results of the file analysis.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 1Hz

1Hz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:39 PM

Posted 18 June 2008 - 02:12 AM

Thanks for the quick support. From my searches, the cmd.exe and cscript.exe applications *look* legitimate, based on their locations (system32 folder) and date of creation/modification (August, 2001).

Today I found two executables in my C drive (the hard drive I don't use), they were created just recently. They were dirhost.exe and rtsecar.exe; I deleted them, one of them froze my computer when I clicked on it, so I restarted in safemode and deleted it then. As of yet, my computer has stopped freezing...with an exception.

Cscript is still trying to access the net (my firewall is blocking it), but I'm getting a lot of cmd.exe processes in my task manager, no doubt trying to access cscript. When I try killing the processes, one of them freezes my computer like previously, so right now I'm just leaving the multiple cmd.exe processes alone.

I also find MDM.exe in my processes when I start up Windows; through searching on the web, it also looks legitamate in its location, but I kill that process too just to be safe (no negative effects from doing it so far). MDM has something to do with Visual Basic Scripting.

I'll see how things go for the next 1-2 days, but I'm sure something is wrong if cscript and cmd are continuously trying to do something, so I'm leaning more to malware now. If things are still shaky, I'll try the help you suggested, quietman7.

By the way, I used AVG Anti-Spyware to check the locations of my running processes, is this sufficient? Also, I'm wondering if malware files can change the dates of their creation/modifications to blend in?

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:39 PM

Posted 18 June 2008 - 08:42 AM

Mdm.exe is Microsoft's Machine Debug Manager program which is included in Microsoft Visual Studio .NET, Microsoft Office 2007, Microsoft Office 2003, and a Microsoft Office XP post-Service Pack 3 release to provide support for program debugging. The Script Debugger is actually a JScript debugger used by programmers and advanced users when debugging programs; testing scripts developed using an ActiveX script engine; debug scripts developed with VBScript and JScript, ActiveX components and Java applets. It allows viewing and modifying program source code, variables, and values, or controlling the flow and pace of how the script works and allows debugging Internet Explorer errors by using a script interface tool.

This process starts when script debugging is enabled in Internet Explorer. It runs as a service with the local system account and is loaded when the computer starts but sometimes tends to slow system performance. This is a non-essential process and if you do not use your computer for debugging purposes, you can safely turn off the Machine Debug Manager.

To reconfigure script debugging options and Disable Machine Debug Manager:
  • Click on Start > Run and type: iexplore.exe.
  • On the Tools menu, click Internet Options > Advanced tab.
  • Click the "Advanced tab" and scroll down to "Browsing".
  • Put a check mark next to "Disable Script Debugging (IE)".
  • Put a check mark next to "Disable Script Debugging (Other)".
  • Uncheck "Display a notification about every script error".
  • Click "OK" and close Internet Explorer.
To disable the service:
  • Click on Start > Run and type: services.msc
  • Press OK.
  • Click the "Extended tab" at the bottom to view all the info on your services.
  • Scroll down the list and find the service called Machine Debug Manager.
  • When you find the service, double-click on it or right-click and choose "Properties".
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Click Apply, then OK and close any open windows.
Screenshot with an example of how to do this if needed.

Note: If another application like Microsoft Visual Studio or .NET reinstalls Mdm.exe, or if Mdm.exe /Regserver is run on a computer that is running Window XP, Mdm.exe is re-added to the RunServices registry key. If the Detect and Repair feature within some Microsoft applications runs, this will also cause Mdm.exe to be re-registered on the system and reappear in Task Manager.

I can find no information on dirhost.exe so I suspect it was bad. rtsecar.exe is related to malware. See here and here.

Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. Read Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Although the backdoor Trojan was identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read "When should I re-format? How should I reinstall?" and "Help: I Got Hacked. Now What Do I Do?".

Should you decide not to follow that advice, we will do our best to help clean the computer of any infections but we cannot guarantee it to be trustworthy or that the removal will be successful. Let me know how you wish to proceed.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 1Hz

1Hz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:39 PM

Posted 18 June 2008 - 04:58 PM

Hmm, well I haven't backed anything up in a while and I'm not in a position to reformat for the next while. So if it wouldn't be too much trouble, I'd like to know how to clean the computer (the 2nd option), thanks.

#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,141 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:39 PM

Posted 19 June 2008 - 06:36 AM

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log" and complete all the steps. There are instructions for downloading and running Deckard's System Scanner (DSS) which will create a hijackthis log for you, or automatically download and install the most current version of HijackThis if it's not already installed on your computer.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#8 1Hz

1Hz
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:04:39 PM

Posted 20 June 2008 - 02:50 AM

Alright, I'll get to it asap.

In the meantime, my hangups were becoming more frequent again yesterday, so today I did a full system scan on my AVG and found multiple copies (10 copies!) of two virii;

Virut
Backdoor.Ircbot.Buc
(AVG's name), specific file called 8475_redworld[1].exe and a 2 in one of them that replaces the 1.

What puzzles me is that I scanned my computer last week and found a single copy of each, I deleted them (had system restore off), and when I restarted my computer they were still gone.

But they came back (and in multiple copies), and it looks like they keep finding a way into my system...how can I prevent this?

I did a google search and it looks like the two virii are related; something about Virut downloading the second one.

Right now I have closed all ports on my firewall and set traffic only to outgoing.

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,856 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:06:39 PM

Posted 28 June 2008 - 09:02 PM

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised please read How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?


You MUST completely disconnect this machine from the internet. Physically detach the internet cable or cord connections to your computer. The infection on your machine can send out and disperse your sensitive information to the bad guys. If per chance you have protected information on the computer, medical records, school records etc. you must report the security breach to the proper authorities so steps can be taken to protect that information.

Now that your log is posted here: http://www.bleepingcomputer.com/forums/t/154692/unknown-malware-causing-problems/ you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

The BC Staff
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users