Persistent Malware?


  • Please log in to reply
4 replies to this topic

#1 dave89

dave89

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:01:02 PM

Posted 16 August 2015 - 12:58 AM

Hello, apologies if I posted in the wrong section.

 

A few days ago I noticed that my computer had been acting funny: I would get DNS errors while browsing, programs I normally use without any problems started crashing and leaving memory errors, and I was running out of memory frequently even without many applications open. When I checked Task Manager, I noticed that the process "System" was taking up nearly half a gigabyte of memory. I ran a few scans and came up with nothing, then I decided to try out the Malwarebytes Anti-Rootkit scanner. The first time I ran it, whatever it was that infected my system auto-closed it and left a memory error window. The program was corrupted when I attempted to open it again. So I installed it again in safe mode and ran it; it turned up 4 infected files, which I removed. (I would list them here, but I lost them after reformatting my computer.)

 

I hoped that was the end of it, but the System process was still swelling up and the errors were still persistent, so I decided to use the reset function on my computer. When my computer finished resetting it ended up with a boot error, so I formatted the drive and reinstalled Windows via a bootable USB. This normally would solve all my problems, but my System process is still bloating up to nearly a gigabyte and my laptop fan is going crazy even though there are no CPU/memory intensive programs running.

 

How do I go about removing this? The laptop shows no signs of infection other than what I have posted above. I am using Windows 10 and I can post whatever information is necessary.

 

Thank you in advance.


Edited by dave89, 16 August 2015 - 12:59 AM.


#2 Slurppa

Slurppa

  • Malware Study Hall Senior
  • 578 posts
  • ONLINE
  •  
  • Gender:Male
  • Local time:07:02 PM

Posted 16 August 2015 - 04:33 AM

Hello dave89

 

High memory usage is a known "issue" in Windows 10. It is a feature where System uses more memory to optimize itself. It works by using free memory for its own operations and usually frees it when other programs require it. You can read more about it here:

 

http://superuser.com/questions/952141/windows-10-system-process-taking-massive-amounts-of-ram

 

You can also try disabling Superfetch (second post there):

 

By going into services.msc (via Win+R) and disabling Superfetch completely solves this.

 

Also, what are your CPU temperatures? You can check them, for example, with Open Hardware Monitor:

http://openhardwaremonitor.org/


Member of the Bleeping Computer A.I.I. early response team!


#3 dave89
Posted 16 August 2015 - 09:12 AM

Thanks for the reply Slurppa.

 

I disabled Superfetch and the memory seems to be fine for now, but I still want to be 100% certain that my laptop is free from infection. Before the format I had Superfetch disabled by default since I am using an SSD, and I had the same problem.

 

Currently my CPU temperature is hovering between 44-50 °C, but I was running a game just a few minutes ago. I know the temperature shouldn't have been high when I first posted, since the fan was blowing out cold air.

 

Small detail I omitted from the first post, but I created the bootable USB on the infected laptop using http://windows.microsoft.com/en-us/windows-10/media-creation-tool-install?ocid=ms_wol_win10.



#4 Slurppa
Posted 16 August 2015 - 03:29 PM

Have you tried running Malwarebytes again?

 

If you are really worried about this you should probably post to the Malware Removal Logs section. They have more sophisticated methods for these kinds of things.

Please read this before you do:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/


Member of the Bleeping Computer A.I.I. early response team!


#5 dave89
Posted 16 August 2015 - 04:27 PM

I tried the rootkit scanner again and it picked up 6 objects:

 

HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [48f58bb2413bd3639637ea0a51b2c739]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [a697102d74083ff7ac3a54a041c20cf4]
HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [330acc71d7a5f2441cea9364d92ab749]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.exe (Trojan.Agent) -> Delete on reboot. [e558fc4199e358dedcf109eb5fa427d9]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MsMpEng.exe (Security.Hijack) -> Delete on reboot. [0c31d568bdbf0f2781656d87fa09e818]
HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\svchost.exe (Security.Hijack) -> Delete on reboot. [9ba2d568265688aeaa5c8a6da55ea858]

These were all removed, but the malware is still there somehow.

The process System is bloating up again even with Superfetch disabled. Guess I'll go check out that section. Thanks again for your help.
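As an added check that is not part of this thread or of any tool it names: the scan output above flags Image File Execution Options keys for MRT.exe, MsMpEng.exe and svchost.exe, the registry location where a Debugger value redirects a program launch to another executable. This PowerShell snippet lists every IFEO subkey under both the native and WOW6432Node paths that either carries a Debugger value or matches one of those three names, so the result can be reviewed rather than trusting that the removal stuck; the watch list is taken from the scan results and can be extended.

```powershell
# Added example (not from the thread): enumerate IFEO subkeys and report any
# that carry a Debugger value or that target an image from the watch list.
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# Image names taken from the scan output posted in this thread.
$watch = @('MRT.exe', 'MsMpEng.exe', 'svchost.exe')

function Get-IfeoFindings {
    foreach ($path in $ifeoPaths) {
        if (-not (Test-Path -Path $path)) { continue }
        Get-ChildItem -Path $path | ForEach-Object {
            $image    = $_.PSChildName
            $props    = Get-ItemProperty -Path $_.PSPath
            $debugger = $props.Debugger          # $null when the value is absent
            $watched  = $watch -contains $image
            if ($debugger -or $watched) {
                [PSCustomObject]@{
                    Path     = $path
                    Image    = $image
                    Debugger = $debugger
                    Watched  = $watched
                }
            }
        }
    }
}

# Run from an elevated prompt so both registry paths are readable.
Get-IfeoFindings | Format-Table -AutoSize
```

Subkeys without a Debugger value are common and legitimate (Windows uses IFEO for other per-image settings), so the line to investigate is a watched image whose Debugger points at an executable you do not recognise.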
