Possible Virus/Malware?

Hi,

I am not positive that this is virus/malware related, but some Googling implies that it might be.

I am continuously getting high memory usage (315,421 kb right now) by explorer.exe. Every so often, CPU usage for explorer.exe will jump to 99% - occasionally it will stay high, sometimes it will drop down. I haven't noticed a pattern.

I've scanned with AdAware, AdWatch, Spybot and AVG but haven't come up with anything.

I am attaching a HJT log - (I am running xp64 and apparently can't run DDS).

I would appreciate any advice from somebody more knowledgeable then myself.

Thanks,

DC

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Thanks and again sorry for the delay.

First,

Download GMER Rootkit Scanner from here.

• Extract the contents of the zipped file to the desktop.
• Double click GMER.exe and if you are asked if you want to allow gmer.sys driver to load, please allow it to do so.
• If it gives you a warning about rootkit activity and asks if you want to run scan, please click on NO.
• In the right panel you will see several boxes that have been checked. Uncheck the following the following checkboxes:
  • Sections
  • IAT/EAT
  • Drives/Partition other than Systemdrive (typically C:\)
  • Show All (don't miss this one)
• Now click on the Scan button and wait for it to finish.
• Once done click on the [Save..] button, and in the File name area, type in ark.txt and save it to your desktop

Please note that rootkit scans often produce false positives. Do not take actionon any of the files found in this log without my supervision

Next,

We need to see some information about what is happening in your machine. Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explaination about the tool. No input is needed, the scan is running.
• Notepad will open with the results, click no to the Optional_Scan
• Please save the DDS.txt and the Attach.txt file to your desktop. Then post the contents of the DDS.txt file as a reply to this topic, and in the same reply attach the Attach.txt and the Ark.txt, from the previous gmer run, to your reply. More information on how to attach a file can be found here.
• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. Information on A/V control HERE

If I do not hear back from you within 5 days, I will unfortunately need to close this topic. You are more than welcome to open a new topic if you continue to have problems.

Thank you for your response.

First off, I am running Windows XP64. When I try and run dds.scr I get a message "This tool does not support your operating system...press any key to continue", at which point it shuts down. So I cannot provide you with the results of that tool.

Second, when I start GMER I first get an error: "System\CurrentControlSet\Services\gmer: The handler is invalid". After that error the application starts up, however all options, except for Services, Registry, Files, [Drive Letter], and ADS are greyed out and are unselectable.

Nevertheless, I have attached the results from GMER, using the boxes that were checkable.

Thanks again for your help,

DC

Not seeing anything. I do notice that you have Windows search installed. These spikes could be caused by the program indexing your data. What happens if you disable windows search indexing. Does that help?

Disabling the Windows Search service was one of the first things I tried. It hasn't made any difference. Explorer is currently using 342,896KB memory.

I really have no idea what to try to get Explorer to stop eating up memory. It's making navigation slow; folder contents don't display immediately, the desktop will freeze temporarily. I've killed all unnecessary processes - no effect. Done a bunch of Googling but haven't come up with anything.

I'm wondering if it's hardware related or something. Could a bad drive make explorer do this?

Thanks for you help,

DC

No, I do not think so. Plus if it was a bad drive you would see errors in your event log when the drive becomes unresponsive.

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

I guess Combofix doesn't work on Windows XP 64. I get the error: "Incompatible OS. ComboFix only works for Windows 2000 and XP".

Error message attached.

Now what?

Thanks,
DC

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Hi,

Now I get an error when I run RSIT:

"Error parsing function call"

After I get this error, the program quits. Screenshot of the error attached.

I did run Malwarebytes' Anti-Malware, which I read from another post. Did a "quick scan". I have attached the log from that.

And also a log from OTViewIt

Thanks,
DC

Edited by dietcheese, 10 January 2009 - 11:05 PM.

Not seeing anything strange.

Do me a favor and do a search for explorer.exe and lsass.exe. Where are these files located?

Whats in this folder? If empty, please delete it.

C:\32788R22FWJFW

Also can you open this file and post it's contents?

C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini


Any idea what this is?

C:\Documents and Settings\Administrator\Desktop\Administrator.exe

Hi,

I have windows search disabled for now but I will turn it back on and do a search.

I couldn't find C:\Documents and Settings\Administrator\Desktop\Administrator.exe. Hidden files are set to "show". I don't know what that is.

I have uploaded a screenshot of the contents of C:\32788R22FWJFW. I also see this same-named directory, with the same contents on my G: Drive. Could this have been created by ComboFix?

All that said, yesterday I disabled the PerfectDisk agent and I haven't had any issues with explorer eating up memory so I'm beginning to think that is the cause.

Thanks,
DC

I have uploaded a screenshot of the contents of C:\32788R22FWJFW. I also see this same-named directory, with the same contents on my G: Drive. Could this have been created by ComboFix?

Go ahead and delete that folder and the DCBC2A71_70D8_4DAN_EHR8_E0D61DEA3FDF.ini file.

OTViewit said administrator.exe is from TrendMicro, so prob not an issue.

Not seeing anything here that would indicate malware.