Windows7 seems to be hogging ram, malware?


  • This topic is locked
6 replies to this topic

#1 arachan

arachan

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 11 June 2011 - 07:09 AM

Hello,

My specs are:

Intel Core 2 Duo E8400 3GHz
4 GB DDR2 RAM
Radeon HD5700
Western Digital WD15EADS 1.5TB

I dual boot Windows 7 and Ubuntu 11.04. I used to have Windows XP instead of 7. When I first boot to 7 and go to task manager, it says ~2500MB of RAM is free. This seems okay, but then the number decreases until it hovers around 200MB or lower, making playing games impossible (the sole purpose I use windows for). I have run Anti-malwarebytes and ComboFix, both removed some malware.

I know that windows 7 is a resource hog but I would expect it to use ~1000MB at idle. This is roughly what my ubuntu uses and what XP used to use. I have limited my startup programs and disabled many unnecessary services. In XP I managed to run about 16 processes, in Windows 7 I am lucky to have less than 40. I have even disabled aero to save RAM, but all these precautions seem to be in vain.

Although I consider it an unnecessary privacy breach I have attached my combofix log out of desperation.

If anyone could help me I would be very grateful.

Thanks,
Arachan.

Edited by arachan, 11 June 2011 - 07:58 PM.



#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:30 PM

Posted 19 June 2011 - 06:40 AM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 arachan

arachan
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 19 June 2011 - 08:57 AM

Hello,

Thank you for helping. I do not necessarily need a fix for my problem if it is going to be complicated, I am mostly just curious as to what it is.

Thanks,
Arachan.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:30 PM

Posted 19 June 2011 - 05:41 PM

The Combofix log shows deletions including these two:

HKLM_Wow6432Node-ActiveSetup-{882CFECF-ABDB-1F37-EACB-84BF46B8D13A} - c:\users\Arachan\AppData\Roaming\IJZXZD0IJZX.exe
HKLM_Wow6432Node-ActiveSetup-{9DBADC4B-DAF0-E2BC-46BB-10BB56DFFCEA} - c:\users\Arachan\AppData\Roaming\iexplore.exe


The malware is known to me as Delf and is a backdoor/trojan.

A backdoor trojan allows hackers to remotely control your computer, steal critical system information and download and execute files.

Though the trojan has been identified and killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
m0le is a proud member of UNITE
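As an added example (not part of this thread or of ComboFix), the following PowerShell audit reads the Active Setup "Installed Components" keys, the location the two deletions quoted above came from, and flags any StubPath that launches an executable from a user-writable directory such as AppData\Roaming. The list of suspicious directories is an assumption chosen for illustration; run it from an elevated 64-bit PowerShell so both the native and the Wow6432Node views are read.

```powershell
function Get-ActiveSetupStubs {
    # Both registry views are audited: the entries in the thread lived under
    # Wow6432Node, which a 32-bit PowerShell would not see as a separate key.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components'
    )
    # Assumed list: directories a legitimate Active Setup stub should not be
    # launched from (a stub normally points into Windows or Program Files).
    $userWritable = @('\AppData\', '\Users\Public\', '\Temp\', '\ProgramData\')

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $stub = (Get-ItemProperty -LiteralPath $key.PSPath).StubPath
            if ([string]::IsNullOrWhiteSpace($stub)) { continue }
            # Flag the entry if the command line contains any suspicious directory.
            $hit = $userWritable | Where-Object { $stub -like "*$_*" }
            [pscustomobject]@{
                View       = if ($root -like '*Wow6432Node*') { 'Wow6432Node' } else { 'Native' }
                Component  = $key.PSChildName
                StubPath   = $stub
                Suspicious = [bool]$hit
            }
        }
    }
}

# Show only the entries worth a closer look, e.g. a GUID component whose
# StubPath runs c:\users\<name>\AppData\Roaming\<something>.exe.
Get-ActiveSetupStubs | Where-Object Suspicious | Format-List
```

Drop the `Where-Object Suspicious` filter to list every stub, which is useful for comparing a suspect machine against a known-clean build of the same Windows version.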

#5 arachan

arachan
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:30 AM

Posted 20 June 2011 - 01:46 AM

Hello,

Thanks for your help. Is there any way to know if this trojan has files on other partitions, or if it has only infected the Windows 7 boot partition? All my other partitions are using a linux file system (ext3) and are accessed by using a third party in Windows if that makes a difference. I am happy to format my Windows partition and reinstall Windows, but I would rather not reformat the whole drive as I have around 1TB of data that I would need to back up, and then that could be infected etc.

Also do you have any idea how I could have got this trojan? As far as I know I was doing everything I was supposed to do to avoid malware.

Thanks,
Arachan.

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:30 PM

Posted 20 June 2011 - 06:31 PM

Linux systems are not affected by Delf whether you are using a third party in Windows or not. These trojans hook into Windows file systems only.

There's no way of knowing for sure where the infection came from but the various routes are detailed here.
m0le is a proud member of UNITE

#7 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:01:30 PM

Posted 25 June 2011 - 06:09 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
m0le is a proud member of UNITE
