
Possible trojan, I don't know what one(s)


  • This topic is locked
52 replies to this topic

#1 Wolffuzz (Members, 98 posts)

Posted 01 October 2012 - 11:52 PM

I have been working in another topic on trying to find out why my computer was crashing, and possibly related, one of my e-mail accounts was compromised. The "crashing" seems to have been fixed.

I am getting some lag, and there seems to be an issue where the Taskbar showed no open applications when there were programs open on the desktop, and it takes a while (10 to 20 min) for the links in the Start menu to show up. I can go to "All programs" and find everything, but why would it take so long for those other menu items to show up?

After working with BleepingComputer for a bit, I was asked to start this topic here with DDS and GMER logs. My system is 64 bit, so no GMER.

There were some "little trojans" found to quote the person that was helping me before. I also note that Eset, MBAM and Avast! scans came back clean before and after working on that, but there was something found by some of the other tools possibly, but I am not sure what any of the output in those logs means.

Not sure if it's appropriate but here's a link to the earlier topic.

http://www.bleepingcomputer.com/forums/topic470211.html

Thanks in advance!

Attached Files




#2 m0le (Malware Response Team, 34,527 posts, London, UK)

Posted 02 October 2012 - 07:23 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
Posted Image
m0le is a proud member of UNITE

#3 Wolffuzz (Topic Starter)

Posted 02 October 2012 - 09:34 PM

I am here, and have subscribed, if that last message didn't go through for some reason. Thanks!

#4 m0le (Malware Response Team)

Posted 03 October 2012 - 05:18 PM

I have read through the previous topic and I would like to see the ComboFix logs that were produced during the run(s).

Please go to start -> Run.

Copy and paste the bold line in the run-box and click OK:

cmd /c dir /a/s/b C:\QooBox >log.txt & log.txt

A text file opens up, copy and paste the content to your reply.

#5 Wolffuzz (Topic Starter)

Posted 03 October 2012 - 08:48 PM

Ok, ComboFix was run in January of 2011. Is that what you want?

#6 Wolffuzz (Topic Starter)

Posted 03 October 2012 - 09:30 PM

Post number 5 on my screen for this topic shows the combofix log from then. It hasn't been run on this machine since then.

http://www.bleepingcomputer.com/forums/topic374321.html/page__p__2099977__fromsearch__1#entry2099977

New symptom: it seems that "explorer.exe" is using 100% of memory tonight. Icons are back, but the Taskbar is empty again. I checked why I was having trouble finding the command prompt and checked Task Manager, to find 4.0 GB of memory in use. I shut that task down and somehow kept a copy of Firefox running. Not sure if I will be able to get back here on this machine. I will check back from another machine if that is the case.

#7 m0le (Malware Response Team)

Posted 04 October 2012 - 06:19 PM

Oh, 2011, we can discount that then.

Please run aswMBR

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


#8 Wolffuzz (Topic Starter)

Posted 05 October 2012 - 09:49 AM

Thanks for the help!

Can that Avast! rootkit scan be run in "safe mode with prompt" and be worthwhile? I ran that last night, but didn't have a chance to look at the log to post it here. I will do that after work tonight.

I don't know what is going on, but it only takes about 3 min for explorer.exe to take most if not all of the physical memory, and then about 5 to 10 min after that the computer BSODs. I can start Safe Mode with Command Prompt and then start processes with Task Manager, but explorer.exe (which is in the "Windows" folder, where it is supposed to be, as far as I can tell) starts at about 45K and then grows to 3,000 K very quickly.

I can kind of run other programs in that time, but if I try to right click on a program to "run as admin" the cursor turns to the rolling ring and just looks at me.

I don't know if there's a way to replace, or maybe at least scan, that one process somehow? I am finding it very hard to use the machine at all now, because of that.

CPU use is minimal, just memory hog.

#9 m0le (Malware Response Team)

Posted 05 October 2012 - 02:50 PM

Can that Avast! rootkit scan be run in "safe mode with prompt" and be worthwhile?

Yes. Other tools can also be used in safe mode.

I don't know what is going on but it only takes about 3 min for explorer.exe to take most if not all of the physical memory and then about 5 to 10 after that the computer BSODs. I can start safe mode with prompt and then start processes with the task manager, but explorer.exe (which is in the "windows" folder, where it is supposed to be, as far as I can tell) starts at about 45K and then grows to 3,000 K very quickly.


It might be a rootkit that has infected a driver file - the time limit we have allows us to run some tools and try and dig out the problem. It could also be a hardware issue but we won't go there yet.

#10 Wolffuzz (Topic Starter)

Posted 05 October 2012 - 09:42 PM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-04 21:04:08
-----------------------------
21:04:08.459 OS Version: Windows x64 6.1.7601 Service Pack 1
21:04:08.459 Number of processors: 4 586 0x2502
21:04:08.459 ComputerName: ZETA2 UserName: JM
21:04:09.457 Initialize success
21:04:11.127 AVAST engine defs: 12100500
21:04:25.931 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:04:25.931 Disk 0 Vendor: TOSHIBA_ GJ00 Size: 476940MB BusType: 3
21:04:25.947 Disk 1 \Device\Harddisk1\DR1 -> \Device\0000006a
21:04:25.947 Disk 1 Vendor: RICOH 02 Size: 476940MB BusType: 0
21:04:25.947 Disk 2 \Device\Harddisk2\DR2 -> \Device\0000006b
21:04:25.947 Disk 2 Vendor: RICOH 02 Size: 476940MB BusType: 0
21:04:25.962 Disk 0 MBR read successfully
21:04:25.978 Disk 0 MBR scan
21:04:26.508 Disk 0 Windows 7 default MBR code
21:04:26.539 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10733 MB offset 2048
21:04:27.288 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 21983232
21:04:27.335 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 466105 MB offset 22188032
21:04:27.819 Disk 0 scanning C:\Windows\system32\drivers
21:04:48.582 Service scanning
21:05:50.296 Modules scanning
21:05:50.296 Disk 0 trace - called modules:
21:05:50.358 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
21:05:50.358 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005331060]
21:05:50.358 3 CLASSPNP.SYS[fffff88001b4443f] -> nt!IofCallDriver -> [0xfffffa80042f3560]
21:05:50.358 5 ACPI.sys[fffff88000f7b7a1] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80042f6050]
21:05:53.244 AVAST engine scan C:\Windows
21:06:02.105 AVAST engine scan C:\Windows\system32
21:08:55.234 AVAST engine scan C:\Windows\system32\drivers
21:09:07.730 AVAST engine scan C:\Users\JM
22:56:58.560 AVAST engine scan C:\ProgramData
23:01:04.993 Scan finished successfully
02:13:01.121 Disk 0 MBR has been saved successfully to "C:\Users\JM\Desktop\MBR.dat"
02:13:01.121 The log file has been saved successfully to "C:\Users\JM\Desktop\aswMBR05oct13.txt"


That seems to be all that is in that log. It was run in safe mode if that matters.
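The aswMBR log above is read by a responder for three things: whether the MBR code is the stock Windows 7 loader, whether the partition table has exactly one active partition and no unexplained hidden ones, and whether any driver that is not part of the normal storage stack sits in the "Disk 0 trace" chain (a bootkit that hooks the disk stack shows up there). The script below is an added example, not code from the thread or from AVAST's aswMBR, that applies those checks to a log. The log excerpt embedded in it is constructed from the shapes of the lines posted above, and the allow-list of storage-stack drivers is an assumption for illustration (Intel RST SATA on Windows 7 x64), not a list any tool ships.

```powershell
# Added example (not from the thread or from aswMBR): summarise an aswMBR log.
# $SampleLog is a constructed excerpt with the same line shapes as the log posted
# in this thread; $KnownStackModules is an assumed allow-list for a Win7 x64 box
# on an Intel RST (iaStor) SATA controller.

$SampleLog = @'
21:04:26.508 Disk 0 Windows 7 default MBR code
21:04:26.539 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 10733 MB offset 2048
21:04:27.288 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 21983232
21:04:27.335 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 466105 MB offset 22188032
21:05:50.296 Disk 0 trace - called modules:
21:05:50.358 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys iaStor.sys hal.dll
21:05:50.358 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8005331060]
23:01:04.993 Scan finished successfully
'@

# Drivers normally found between the kernel and the disk on this kind of system (assumption).
$KnownStackModules = @('ntoskrnl.exe', 'hal.dll', 'CLASSPNP.SYS', 'disk.sys', 'partmgr.sys',
                       'ACPI.sys', 'iaStor.sys', 'atapi.sys', 'ataport.SYS', 'storport.sys')

function Get-AswMbrFindings {
    param([string]$LogText)
    $findings    = @()
    $activeCount = 0
    $lines = $LogText -split "`r?`n"
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $text = $lines[$i] -replace '^\d\d:\d\d:\d\d\.\d+\s+', ''   # drop the timestamp

        # 1. MBR code: anything other than the stock loader is worth a second look.
        if ($text -match '^Disk (\d+) (.+MBR code)$') {
            $disk = $matches[1]; $code = $matches[2]
            if ($code -notmatch 'default MBR code') { $findings += "Disk ${disk}: unexpected MBR code ($code)" }
        }
        # 2. Partition rows: boot flag (80 = active), optional "(A)", type id, label.
        elseif ($text -match '^Disk (\d+) Partition (\d+) (\w\w) (\(A\) )?(\w\w) (.+) NTFS \d+ MB') {
            $disk = $matches[1]; $part = $matches[2]; $boot = $matches[3]; $type = $matches[5]; $label = $matches[6]
            if ($boot -eq '80') { $activeCount++ }
            if ($type -eq '27' -and $label -notmatch 'WinRE') {
                $findings += "Disk $disk partition ${part}: hidden NTFS partition (type 27) that is not WinRE"
            }
        }
        # 3. Disk trace: the line after the header lists the drivers in the I/O path.
        elseif ($text -match '^Disk \d+ trace - called modules:$' -and ($i + 1) -lt $lines.Count) {
            $modules = ($lines[$i + 1] -replace '^\d\d:\d\d:\d\d\.\d+\s+', '') -split '\s+'
            foreach ($m in $modules) {
                if ($KnownStackModules -notcontains $m) {
                    $findings += "Disk trace: '$m' is not an expected storage-stack module"
                }
            }
        }
    }
    if ($activeCount -ne 1) { $findings += "Expected exactly one active partition, found $activeCount" }
    if ($LogText -notmatch 'Scan finished successfully') { $findings += 'Scan did not finish' }
    return ,$findings
}

$result = Get-AswMbrFindings -LogText $SampleLog
if ($result.Count -eq 0) { 'No findings: default MBR code, one active partition, expected driver chain.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

To run it against a real log, replace `$SampleLog` with `Get-Content -Raw .\aswMBR.txt` (or `[IO.File]::ReadAllText(...)` on PowerShell 2.0). On the log in this thread every check passes, which matches the helper's reading that the scan was clean; a module in the trace that is not on the allow-list is a lead to chase, not proof of a rootkit, since a third-party disk filter (encryption, backup, anti-virus) lands there too.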

#11 Wolffuzz (Topic Starter)

Posted 05 October 2012 - 11:16 PM

OK, is it odd that I can get on the other "user account" and NOT see the issue with explorer.exe having a "memory leak"? explorer is a solid 19K on this account, unless I open a large pile of pictures or something.
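When explorer.exe misbehaves under one profile but not another, the difference is usually something that loads per user rather than machine-wide: an HKCU Run entry, or a per-user COM object under HKCU\Software\Classes\CLSID, which the non-elevated shell resolves before HKLM. The script below is an added example, not code from the thread or from any tool named in it, that does the first-pass triage a responder would do before reaching for rootkit scanners: confirm the running explorer.exe is the binary in %SystemRoot% and check its signature, watch its working set for a steady climb, and dump the per-user load points so they can be compared against the clean account. It assumes Windows 7 x64 with 64-bit PowerShell 2.0 or later, run from an elevated prompt while logged on as the affected account; the sampling window, the alert threshold and the list of registry locations are assumptions chosen for illustration.

```powershell
# Added example (not from the thread): first-pass triage of a per-user explorer.exe
# memory blow-up. Save as Explorer-Triage.ps1 and run elevated as the affected user.
# Assumed: Win7 x64, 64-bit PowerShell 2.0+; window/threshold/key list are illustrative.

param(
    [int]$SampleSeconds = 30,   # how long to watch the working set
    [int]$AlertMB       = 500   # working set above this is reported
)

function Test-ExplorerImage {
    # The real shell is %SystemRoot%\explorer.exe; any other path is suspect.
    $proc = Get-Process -Name explorer -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $proc) { Write-Warning 'explorer.exe is not running'; return $null }
    $expected = Join-Path $env:SystemRoot 'explorer.exe'
    $path = $proc.Path
    $info = New-Object PSObject -Property @{
        ProcessId = $proc.Id; Path = $path; ExpectedPath = ($path -eq $expected); Signature = $null
    }
    if ($path) {
        # Windows binaries are usually catalog-signed, so NotSigned here is not proof of
        # tampering; confirm with "sfc /verifyfile=<path>" or Sysinternals sigcheck -i.
        $info.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    return $info
}

function Watch-ExplorerWorkingSet {
    param([int]$ProcessId, [int]$Seconds)
    $samples = @()
    for ($t = 0; $t -lt $Seconds; $t += 5) {
        $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
        if (-not $p) { break }                     # process went away
        $samples += [int]($p.WorkingSet64 / 1MB)
        Start-Sleep -Seconds 5
    }
    return ,$samples
}

function Get-PerUserShellLoadPoints {
    # Load points that apply only to the current user and that the shell honours.
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'   # "Load" / "Run" values
    )
    $items = @()
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        $names = $props | Get-Member -MemberType NoteProperty | Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            if ($name -notmatch '^PS') { $items += "$k\$name = $($props.$name)" }
        }
    }
    # Per-user COM servers: HKCU\Software\Classes\CLSID wins over HKLM for the
    # non-elevated shell, so a DLL registered here loads into explorer.exe for this user only.
    $clsid = 'HKCU:\Software\Classes\CLSID'
    if (Test-Path $clsid) {
        foreach ($sub in Get-ChildItem $clsid -ErrorAction SilentlyContinue) {
            $srv = Join-Path $sub.PSPath 'InprocServer32'
            if (Test-Path $srv) { $items += "CLSID $($sub.PSChildName) -> $((Get-ItemProperty $srv).'(default)')" }
        }
    }
    return ,($items | Sort-Object)
}

$image = Test-ExplorerImage
if ($image) {
    "explorer.exe PID $($image.ProcessId): $($image.Path) (expected path: $($image.ExpectedPath); signature: $($image.Signature))"
    $ws = Watch-ExplorerWorkingSet -ProcessId $image.ProcessId -Seconds $SampleSeconds
    "working set (MB): $($ws -join ' -> ')"
    if ($ws.Count -gt 0 -and $ws[-1] -gt $AlertMB) { Write-Warning "working set above $AlertMB MB after $SampleSeconds s" }
}
'--- per-user load points (save this output and compare it with the clean account) ---'
Get-PerUserShellLoadPoints
```

Run it once under each account, redirect the output to a file each time, and diff the two with `Compare-Object (Get-Content bad.txt) (Get-Content good.txt)`; an entry present only for the affected user, especially a CLSID whose InprocServer32 points outside %SystemRoot% or %ProgramFiles%, is the first thing to look at. A working set that climbs on every sample is a leak in something loaded into the shell, which is a different problem from the rootkit-in-a-driver case and is not something aswMBR or ComboFix would report.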

#12 m0le (Malware Response Team)

Posted 06 October 2012 - 05:31 AM

Can you run Combofix next

Please download ComboFix from one of these locations: IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe.
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#13 Wolffuzz (Topic Starter)

Posted 06 October 2012 - 01:08 PM

Here is ComboFix run from the other (possibly not affected) account with admin privileges, which required a password from Windows. I will run it shortly from the admin account and then post it here as well.

Attached Files



#14 Wolffuzz (Topic Starter)

Posted 06 October 2012 - 01:38 PM

Here's the log from the other account, the one where explorer.exe has the apparent "memory leak."

Attached Files



#15 m0le (Malware Response Team)

Posted 06 October 2012 - 06:50 PM

Both logs show no malware problems.

Please run OTL on the one with the suspected memory leak.

  • Please download OTL
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.

