
periodically runs dozens of invisible conhosts that keep PINGing (DDoS bot?)


1 reply to this topic

#1 Beartooth


Posted 26 May 2013 - 08:17 PM

This may be two problems or one. I use a Windows 7 32-bit box isolated from my professional (computer consultant) net as a sandbox for playing on the web. Over the past couple of weeks, I've noticed my CPU (both cores) maxing out for significant periods of time. Some low level investigation shows that scores of conhosts (invisible on desktop) have been created and are each running unending PINGs. My first thought is that the machine has been enlisted as part of a botnet to deliver DDoS requests. I have been unable so far to determine who's launching all of the instances of conhost.exe (I've used What's Running, TUT, SysInternals proc tools, and others). I can wait out the storm, laboriously kill all of the programs, or reboot, and everything is fine for a while, then, in a day or two, it starts again.


I am running Microsoft Security Essentials and the internal firewall on this and a hardware firewall in a router between my computer and the cable modem. BTW, everything on the machine is kept up-to-date on a daily basis.


I have tried all of the recommended virus and rootkit scans that are typically listed here (usually assisted by rkill) and have gotten clean runs every time, with one exception. AVAST's aswMBR.exe (BTW, all of my rootkit scanner exe's are renamed to avoid any rootkit detecting one starting up - a good practice) shows me a line indicating that c:\windows\system32\user32.dll is "suspicious." Interestingly, aswCleaner shows nothing wrong.


I also have user32.dll.bak in the same directory and another copy in the c:\windows\winsxs\yada-yada\...\ subdirectory. The winsxs version and the .bak version show the same MD5 checksum, f1dd3acaee5e6b4bbc69bc6df75cef66, while the active version shows the same size, date, and time, but checksums to 7bd7f45ff37fa0669cd32ca0ef46e22c. I considered the chance that the live version is part of a Windows update, but that doesn't explain the same creation time and size, so I've replaced it for now with the one from ...\winsxs\... this morning. I haven't seen the conhost/PING problem today, but it is intermittent and (methinks) is only fired up by an external site passing it a URL and telling it to blitz it. I've also renamed PING.EXE to GNIP.EXE so I can still run it but the rogue conhosts can't find it (the b*st*rd simply substituted TRACERT.EXE instead, so I renamed that, too), but that still leaves the problem of 25 or 30 conhost.exe's eating cycles.


I have gone bull-goose-loony with MS support and forums just trying to get them to tell me what the legitimate MD5 checksums for user32.dll are, or even if 7bd7f45ff37fa0669cd32ca0ef46e22c is legit. All I get in return is an avalanche of advice on different virus and rootkit checkers to try - all of which I have on my collection of security thumb drives and have already tried.


I've also monitored i/o with firewall logs, packet sniffers, and such, but can't seem to spot any random external candidate.


Any suggestions on finding out whether the MD5 is bogus and, also, how I can isolate which process is instantiating all of the conhosts? Programs like TUT sometimes show the conhosts in the tree under a copy of csrss.exe and sometimes at the same level.


Edited by Beartooth, 26 May 2013 - 08:24 PM.
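The two questions at the end of the post, attributing the console processes to their parent and checking the user32.dll hash, worked through in PowerShell as an added example that is not the poster's or the thread's own. It assumes the Windows 7-era PowerShell 2.0 of the time (so MD5 comes from .NET rather than Get-FileHash) and relies on the fact that on Windows 7 conhost.exe is always spawned by csrss.exe on behalf of the console program, so the telling parent is that of ping.exe or tracert.exe, not of conhost.exe.

```powershell
# Added example (not from the original post or thread). Maps console-hosted processes
# to the process that launched them and compares the MD5 of the live user32.dll with
# the copies under WinSxS. Assumes Windows 7-era PowerShell 2.0, so MD5 is computed
# with .NET instead of Get-FileHash. Run elevated while the CPU spike is under way.

# 1. Who launched the ping / tracert instances?
# On Windows 7, conhost.exe is created by csrss.exe for every console program, so its
# parent is always csrss.exe; the informative parent is that of ping.exe or tracert.exe.
$watch = 'conhost.exe', 'ping.exe', 'tracert.exe'
$all   = Get-WmiObject Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$rows = foreach ($p in $all) {
    if ($watch -notcontains $p.Name.ToLower()) { continue }
    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = '<exited>'; $parentPath = ''
    if ($parent) { $parentName = $parent.Name; $parentPath = $parent.ExecutablePath }
    New-Object PSObject -Property @{
        Pid = $p.ProcessId; Name = $p.Name; CommandLine = $p.CommandLine
        ParentPid = $p.ParentProcessId; ParentName = $parentName; ParentPath = $parentPath
    }
}
$rows | Sort-Object ParentPid, Name |
    Format-Table Pid, Name, ParentPid, ParentName, ParentPath, CommandLine -AutoSize -Wrap
# One parent owning dozens of ping/tracert children is the binary to submit for analysis.
$rows | Where-Object { $_.Name -ne 'conhost.exe' } |
    Group-Object ParentPid, ParentName, ParentPath | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Live user32.dll versus every copy under WinSxS: MD5, size and timestamp side by side.
$md5 = [System.Security.Cryptography.MD5]::Create()
function Get-Md5Hex($path) {
    $s = [System.IO.File]::OpenRead($path)
    try { ($md5.ComputeHash($s) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $s.Close() }
}
$live   = Join-Path $env:windir 'System32\user32.dll'
$copies = Get-ChildItem (Join-Path $env:windir 'winsxs') -Recurse -Filter user32.dll `
              -ErrorAction SilentlyContinue
$files = @(Get-Item $live); if ($copies) { $files += @($copies) }
foreach ($f in $files) {
    '{0}  {1,8}  {2:yyyy-MM-dd HH:mm}  {3}' -f (Get-Md5Hex $f.FullName), $f.Length, $f.LastWriteTime, $f.FullName
}
# A hash that matches a sibling copy shows consistency, not authenticity. Microsoft system
# binaries are catalog-signed, so the authoritative check is SFC's per-file verification.
& sfc.exe "/verifyfile=$live"
```

A parent that is not a console program itself (a GUI process, a service host or a browser) owning many ping/tracert children is the process whose image and command line should go to the malware analysts, together with the hash comparison table.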




#2 boopme


Posted 26 May 2013 - 10:25 PM

Hello, having tried all you have, I feel we need a deeper look.
Please repost this info along with a DDS log by following the instructions here:

Preparation Guide




