Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Windows Explorer Hangs Related to Qmgr00/01 infection


  • This topic is locked This topic is locked
19 replies to this topic

#1 superoe

superoe

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 15 October 2010 - 07:55 PM

hi,
I'm probably infected with a some sort of trojan\Rootkit.
I'm experiencing windows explorer hangs, at first i related it into drive fragmentation or temp files, eventually i started doing some deep scans with some anti virus software(avira and kaspersky), and then resorted into malwarebytes, superantispyware and finally combofix, combofix took a very long time to scan(over an hour), and a very long time to produce logs after a reboot.
Combofix led me into the right path as it found and deleted files located in C:\Documents and Settings\All Users\Application Data\Microsoft\downloader\ called Qmgr01/00.dat. which lead me to this forum after googling the files names. ( found a thread of someone being instructed into clearing those files with avenger)
This files are not microsoft native and i havnt seen them on any other machine(im a sys admin in a 140 PCs based network).
This files keep coming back everytime i reboot, even after a combofix scan.
Please tell me what should i do to get rid of this annoying malware.
Thanks,

Roy

Hi
I've taken some steps to at least make my pc useable while we get this fixed.
I've disabled all startup entries and all non microsoft services.
ran combofix twice whicn returned no results, though it ran for a very long time(over 2 hours) and also log generation was pretty log(more then an hour).
im attaching the combofix log and an hijackthis log.
please advise what other scans you need.
Thanks,

EDIT: Posts merged ~BP

Attached Files


Edited by Budapest, 17 October 2010 - 04:27 PM.


BC AdBot (Login to Remove)

 


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:05 PM

Posted 26 October 2010 - 11:32 AM

Hello ,
And :welcome: to the Bleeping Computer Malware Removal Forum
. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Quick Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download Rootkit Unhooker and save it to your Desktop
  • Double-click on RKUnhookerLE to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth and uncheck the rest
  • Click OK
  • Wait until it's finished and then go to File > Save Report
  • Save the report to your Desktop
Copy the entire contents of the report and paste it in a reply here.

Note - you may get this warning it is ok, just ignore: "Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


-------------------------------------------------------------
In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • RKU log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 superoe

superoe
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 30 October 2010 - 07:27 AM

Hi Elise,
thank you for the feedback.
Ill start with steps i've taken to try and remove it myself since i posted the request.
I've installed various malware removal tools, including:rootkit unhooker,rootkit revealer, regrun, unhackme, winpatrol and comodo security suite.
initially i had only avira free av and malwarebytes.
i also installed kaspersky pure trial to scan.
i ended up removing all programs exluding kaspersky, rootkt revealer, rootkit unhooker , comodo and malwarebytes.

regarding the logs, the quick scan of otl didnt generate an "extra" report, so i ran also the normal scan which also didnt produce it, i hope it still helps.
the version of rootkit unhooker that i downloaded from here caused my machine to hang and didnt produce any output soo i used my version of rootkit unhooker(3.7). i tried using your version(3.8) both in sade mode(didnt ran cause of the driver issue) and in a clean boot but it would still just hang.

the main issue im having is probably the stealth code hooks showen in rootkit unhooker(i've taken all exluding the file scan).
another issue im having now is curropted tcpip stack which i can handle after we get this rootkit out of the way :)

*im getting size limitation error while trying to upload the rootkit unhooker log soo ill upload it in the following post

Thanks,
Roy

Edit: cant upload the rootkit unhooker log either by post or attached file, if you could clear out the attached files after you're done with them soo i can upload the rkunhooker log that would be great :)
Thanks !

Attached Files


Edited by elise025, 30 October 2010 - 08:57 AM.


#4 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:05 PM

Posted 30 October 2010 - 08:06 AM

Just paste the RKU log into the reply box.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#5 superoe

superoe
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 30 October 2010 - 08:43 AM

the RKU log is bigger then the maxsium char for post.
if you want i upload it into a single click host(rapidshare,megaupload) and post the link.
would that be ok ?

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:05 PM

Posted 30 October 2010 - 08:57 AM

Hi, I removed one of the OTL logs, see if you can attach it now.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 superoe

superoe
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 30 October 2010 - 09:13 AM

Used 242.04K of your 512K global upload quota (Max. single file size: 269.96K)

Guess not,
i zipped it, renamed it into .txt and uploaded it, when you download it just rename into report.rar and extract it.
Thanks :)

Attached Files



#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:05 PM

Posted 30 October 2010 - 09:23 AM

Please try to run the following steps from Safe Mode with Networking.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
Bleepingcomputer
ForoSpyware
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#9 superoe

superoe
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 30 October 2010 - 10:38 AM

Combofix log attached.
Thanks,

Attached Files

  • Attached File  log.txt   30.2KB   1 downloads


#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:05 PM

Posted 30 October 2010 - 11:27 AM

This files keep coming back everytime i reboot, even after a combofix scan.

Qmgr is a native microsoft file, however, I don't see combofix reporting it. What files are you talking about exactly?
Often these files are detected when you are on a private network.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#11 superoe

superoe
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 30 October 2010 - 11:36 AM

hi,
the qmgr files are no longer the issues.
the issue is that i have memory hooked into procesess that i cant allocate into a file.
in the rootkit unhooker report you can see there's stealth code running and it cannot say which process is running it.
the main issue is windows explorer hangs(even after a clean boot), and maily rootkit unhooker reports alot of hooked applications(not only by the hips applications,kaspersky and comodo).

Hope this helps,
Thanks,

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:05 PM

Posted 30 October 2010 - 11:59 AM

Those hooks are nothing to worry about. There is no rootkit activity or otherwise hidden stuff here.

Let me know how things are after the following fix:

OTL FIX
------------
We need to run an OTL Fix
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following code into the Posted Image textbox. Do not include the word "Code"
    :otl
    SRV - File not found [On_Demand | Stopped] -- C:\DOCUME~1\Royh\LOCALS~1\Temp\WWENABJO.exe -- (WWENABJO)
    SRV - File not found [Auto | Stopped] -- C:\roy17660r\PEV.cfx -- (PEVSystemStart)
    SRV - File not found [On_Demand | Stopped] -- C:\DOCUME~1\Royh\LOCALS~1\Temp\NRMJUEHITOD.exe -- (NRMJUEHITOD)
    SRV - File not found [On_Demand | Stopped] -- C:\DOCUME~1\Royh\LOCALS~1\Temp\HS.exe -- (HS)
    
    :commands
    [emptytemp]
    
  • Push Posted Image
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click Posted Image.
  • A report will open. Copy and Paste that report in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#13 superoe

superoe
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 30 October 2010 - 12:03 PM

hi elise,
thank you for the feedback , im currently imaging my hard drive.
i will do those steps as soon as im finished.
a couple of notes for the files you're asking otl to delete, as i've already inquired about them using process hacker
SRV - File not found [On_Demand | Stopped] -- C:\DOCUME~1\Royh\LOCALS~1\Temp\WWENABJO.exe -- (WWENABJO) - its a file created by rootkit revealer
SRV - File not found [Auto | Stopped] -- C:\roy17660r\PEV.cfx -- (PEVSystemStart) - probably a left over by combofix
SRV - File not found [On_Demand | Stopped] -- C:\DOCUME~1\Royh\LOCALS~1\Temp\NRMJUEHITOD.exe -- (NRMJUEHITOD) - its a file created by rootkit revealer
SRV - File not found [On_Demand | Stopped] -- C:\DOCUME~1\Royh\LOCALS~1\Temp\HS.exe -- (HS) - i have no idea what that is :)

that said and done, ill be performing the fix promptly.

Thanks :)

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,247 posts
  • ONLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:05 PM

Posted 30 October 2010 - 12:07 PM

OTL is not deleting the files, since they are not there, it will just remove the orphaned services.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#15 superoe

superoe
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:09:05 AM

Posted 30 October 2010 - 05:47 PM

good shoot on that fix :)
after running it it was possible running rku 3.8 which still showed some unknowen code hooks ( probably cause they were hidden from windows api).
im attaching 2 kinds of reports from rku, one is of the inital rport of everything exluding the files, the other one is from an attempt to unhook one unknowen code, which followed with alot of unknown code hooks.
waiting for your advice.

Thanks,
Roy

Attached Files






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users