0

I'm not sure if this is a malware, or a mis-config...
but what happens is this:

http://lh6.ggpht.com/-UgZ3wjjfkkI/UwBhDk9LihI/AAAAAAAAF_0/lssTEhz4cQ4/s1007/Screenshot%202014-02-16%2001.54.44.png

a new explorer.exe process is created and terminated every minute,
causing the first (highlighted process) to eat nearly 4GB of memory.
(this is built up after a while of letting it run)

aside from that, even at low memory usage, I'm experiencing lag and long-load times for everything.
anyone know what might be the cause of this??

before-hand I did experience a wierd event as I was working in MS-Paint, labeling something...
my compy decided to randomly restart in the middle of everything,
when it turned back on, about every minute I'd get a light-blue web-page leading to a fake search engine.
(I don't remember what it was called, but the page was a perrywinkle color with brown boxes, and would redirect upon load)
the page would fully overlay both my monitors and cover all my apps, but an easy "Alt+F4" took care of it.

I did a system restore to "Yesterday", and that didn't solve anything...

then I ran MBAM and the pages stopped, but then I got random IE8 download dialogs for "lo.mp4" which was some low quality fastlane talk-show or something...

and that's when I found out the explorer.exe process ran in a loop like that...
(MBAM did NOT remove whatever is initializing explorer.exe to run in this manner)
^ I'm not sure if it's an integrated process as this was a full scan with MBAM

anyone know what this is??

Edited by DarkPikachu

5
Contributors
33
Replies
71
Views
3 Years
Discussion Span
Last Post by gerbil
Featured Replies
  • 1

    I would grab a copy of hijackthis which is a malware detector that will show you all of the hooks into your system through registry entries and help you track down the culprit. Read More

1

I would grab a copy of hijackthis which is a malware detector that will show you all of the hooks into your system through registry entries and help you track down the culprit.

Votes + Comments
very nice reccomendation
0

oh I like the sound of that =o
thanks :)

EDIT:
OMG I love this program =D
nice reccomendation, I'll have to post this on my forum ;)
+1

Edited by DarkPikachu

0

odd...
looks like the issue may have fixed itself...

I stopped explorer.exe entirely (no task bar or windows)
and put my compy on Hibernate.
booted my compy in the morning, started the process... nothing
logged off, logged on... nothing

I'm still leary it's on my system,
so I'll notify on this thread if it happens again, and see if I can fix it. :)

thanks again.

0

well... hijackthis can't get the hook on this issue,
and JRT just crashes. (the window just flashes)

so I'm using SharpEnviro, which I've fallen in love with,
but it still calls explorer for file browsing...
I'm gonna see if I can find something to replace the browser... heh
(as long as explorer.exe is running, it makes copies like that)

0

ah, CubicExplorer is a really good replacement.
alot of new features to offer and a much better interface.

of course it's free XD
I don't pay for software. :P
(reason being, it's just text compiled into ASM)
^ in other words binary-text which is not much different.

in other terms:
HTML is free to view, so programs should be free to use.
(horrible example, but the point is what matters)

Edited by DarkPikachu

0

For a start, HijackThis is pretty much out of its depth with W7. And malware is generally too smart now to appear in a simple scanner like HT, which has not been maintained/updated for years. A waste of time.
Your multiple explorer.exes... I see that you are running BitTorrent - that will do it if you have it set to open a folder for each torrent instance. Closing BT won't end those processes, but they will throttle back the amount of memory that they are using.
Bit of a worry that JRT won't run... try running RogueKiller first, then without rebooting, JRT. If that works for JRT, then you have malware. Well-hidden malware.

Edited by gerbil

0

well, that didn't fix it... heh... (JRT still flashes)
it could be that I'm using XP64 instead of XP86, and it's causing a conflict.. heh

however, your mention of BitTorrent DID give me an idea...
I've was told that if I leave my downloaded torrents alone, they'll seed...
I've never done that before, so naturally, I didn't understand what that meant...
I figured it out later that BT adds my compy to the list of peers and forewards my DL to them.

I thought of this as a good idea, since I'm naturally entirely for sharing data if anyone needs it...
I didn't realize it could impact my compy like this IF this is the case that's causing it.

I have about 11 torrents stored for seeding... could this be overloading explorer.exe and causing this??

if so, thanks, and I'll watch out for this next time. :)

Edited by DarkPikachu

0

Naw... JRT runs on 64 bit machines.
And yes, that's how torrents work. You get credit for seeding.
If you glance at your screenshot above, you can see that Opera is running as your torrent client, and the explorer processes are spawned by it.

Edited by gerbil

0

AH ok.
I never realized that the position actually had something to do with the process above it...
interesting.

yes, I'm still a noob at the software I use. XD

thanks again

0

Hey, you're welcome.
This forum is where I learnt a lot of stuff; you look at people's problems and find solutions. I find that the most interesting way to learn. It imprints it, like hands-on does.

Edited by gerbil

0

so I've tried tackling this again for the sake of solving it for others to learn from, and I think I may have found a lead...

when I open a folder with explorer.exe: (I've killed bittorrent before-hand)
the main process starts
about a minute later, a sub-process starts and hangs for about a minute (averaging at 14MB RAM), then dies.
another minute later, another sub-process starts and takes about a minute to eat 25% RAM.

I've checked the properties of this process to get the threads, and I was quite astounded at the amount:
http://lh6.ggpht.com/-xO_wkqN239c/UwQByNoJ6OI/AAAAAAAAGA0/hH1g7Br8q6Y/w646/Screenshot%25202014-02-18%252019.17.03.png
(the green means new threads)

once I found that out, I went back and checked the threads of the initial startup: (re-opened the folder and immediately checked)
http://lh6.ggpht.com/-LTfPw63smok/UwP29rIkpAI/AAAAAAAAGAY/-AXWwuA2ez8/w646/Screenshot%25202014-02-18%252019.03.58.png

0

Urk. Something is really working kernel32.dll. I cannot tell what, but all threads start from the same memory address. Dclick a few of those threads, and compare the stacks that pop. Post a couple. Note that with Process Explorer you only get snapshots of activity.
Something else... you could try a Safe Mode check on explorer.exe, or use msconfig to do a clean start ( go to the Services tab, check to hide all Microsoft services, then Disable all remaining Apply and restart).

Edited by gerbil

0
ntoskrnl.exe+0x31315
ntoskrnl.exe+0x3125c
ntoskrnl.exe+0x27529
ntoskrnl.exe+0x42555
ntoskrnl.exe+0x1f7f0
ntoskrnl.exe+0x277d2
ntoskrnl.exe+0x29f24
ntoskrnl.exe+0x2844ca
ntoskrnl.exe+0x28427e
ntoskrnl.exe+0x2e5bd
ntdll.dll+0x3085a
kernel32.dll+0x2cffb

geeze... my poor computer... D=

every thread seems to have some range of ntoskrnl.exe with the last 2 DLLs

I didn't get to check if the DLL addresses were the same or not, cause this thing eats 4GB in less than a minute >.<

0

Urg. That is not an interesting stack list you have there - your system has no debug capability, so no functions called are shown, just locations. The stack shows that ntdll.dll is calling ntoskrnl.dll at various memory locations, but it does not say what functions are being run.
ntoskrnl.dll deals with process and memory management and scheduling amongst other functions.
To go further along this path you need Windbg and the SDK symbols ... go here for instructions http://blogs.msdn.com/b/vijaysk/archive/2009/04/02/getting-better-stack-traces-in-process-monitor-process-explorer.aspx?Redirected=true
and here for the debugging tool http://msdn.microsoft.com/en-us/windows/hardware/hh852365 (halfway down, Windows 7 Standalone Debugging Tools) - follow those instructions and install the debugger. Then in Process Explorer, go to Options tab, Configure Symbols and fill the details as in the web page. The symbol pathname C:\symcache in the Symbol Path you can replace with one of your choice.
Else... did you check how explorer performed in safe mode, or with no third party services loaded?
Go back a bit... run the JRT in Safe Mode while you're in there.

Edited by gerbil

0

And... if you have the latest M$ C++ 2010 distribution you will have to uninstall that to get the debugger installed, and then you may reinstall it. The SDK installer won't work with the latest version... so much for compatibility... of their own products. But M$ never did promise that, anyway.
Honestly, getting the debugger installed may not help much. It will list the functions called, and I will struggle with more than a few of those, but may be able to identify what is the purpose of them. Honestly, we are motoring out to a place where I will be over my head.
I hope someone else can help?

0

eh... more of that garbage again... oh well...
it's to be expected since MS has their heads shoved so far up their A's it'll take eternities to undo even 1 loop.
(I'm sure with the time it's taken they'd have necks long enough to lasso the earth)
XDD

trust me, if you want a rat for MS, I'm your guy :P
Bill Gates was the ONLY good MS had, which wasn't much but enough...
it's such a shame he retired for MS to destroy themselves.

anyways... I'm doing development while fixxing minor menu and shortcut issues with SharpEnviro...
I don't feel like going into the install>restart>install>restart loop MS LOOOOOOOOVES to put their users through...
I'll let you know when I have this working, and I'll share my findings then. :)

at least I was able to install the WDK stuff for now.

I think my .NET conflict might be an x86 interface on an x64 OS,
so I have an installer for .NET 4.0 x64 on hand...

I'll get the other 3 installers later on, since I read that 4.0 is all I really need for 2010.

thanks for your help so far :)

Edited by DarkPikachu

0

Hmm. okay. With your Opera torrent client disabled and the explorer instances multiplying, do they use the network at all? Check in Resource Monitor.

0

Ah... let's go after the pest. Some exploration:
==Download TDSSkiller from this link, save it to your desktop:
http://support.kaspersky.com/downloads/utils/tdsskiller.exe
=Start TDSSKiller,(((( click Change Parameters. Under Additional options check both boxes, Verify Driver Digital Signature and Detect TDLFS file system; click OK. ))))
-click Start scan;
-choose Skip for unsigned files;
-leave or set at Cure if TDSSKiller finds a rootkit and prompts a Cure or Delete [a reboot may be required];
-do not Delete or Quarantine any files.
Post the log from C:.

==Download aswMBR from http://www.bleepingcomputer.com/download/aswmbr/
Start it, press Scan [it will download virus definitions from Avast], wait the 3 or 4 minutes until it says Scan completed then press Save Log. Post that, please. Do NOT fix anything at this stage.
An MBR.dat file will appear on your desktop, it is a copy of your MBR. Do not delete it.

0

as for the logs:

23:22:40.0468 3284  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
23:22:48.0843 3284  ============================================================
23:22:48.0843 3284  Current date / time: 2014/02/19 23:22:48.0843
23:22:48.0843 3284  SystemInfo:
23:22:48.0843 3284  
23:22:48.0843 3284  OS Version: 5.2.3790 ServicePack: 2.0
23:22:48.0843 3284  Product type: Workstation
23:22:48.0843 3284  ComputerName: TCLL5850-PRI
23:22:48.0843 3284  UserName: Administrator
23:22:48.0843 3284  Windows directory: C:\WINDOWS
23:22:48.0843 3284  System windows directory: C:\WINDOWS
23:22:48.0843 3284  Running under WOW64
23:22:48.0843 3284  Processor architecture: Intel x64
23:22:48.0843 3284  Number of processors: 2
23:22:48.0843 3284  Page size: 0x1000
23:22:48.0843 3284  Boot type: Normal boot
23:22:48.0843 3284  ============================================================
23:22:52.0031 3284  BG loaded
23:22:52.0578 3284  Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000048
23:22:52.0609 3284  Drive \Device\Harddisk1\DR1 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000048
23:22:52.0609 3284  Drive \Device\Harddisk2\DR2 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000048
23:22:52.0625 3284  Drive \Device\Harddisk6\DR9 - Size: 0x78400000 (1.88 Gb), SectorSize: 0x200, Cylinders: 0xF5, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
23:22:52.0625 3284  ============================================================
23:22:52.0625 3284  \Device\Harddisk0\DR0:
23:22:52.0687 3284  MBR partitions:
23:22:52.0687 3284  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x12A18800
23:22:52.0687 3284  \Device\Harddisk1\DR1:
23:22:52.0687 3284  MBR partitions:
23:22:52.0687 3284  \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C02
23:22:52.0687 3284  \Device\Harddisk2\DR2:
23:22:52.0687 3284  MBR partitions:
23:22:52.0687 3284  \Device\Harddisk2\DR2\Partition1: MBR, Type 0x6, StartLBA 0x3F, BlocksNum 0x74705982
23:22:52.0687 3284  \Device\Harddisk6\DR9:
23:22:52.0687 3284  MBR partitions:
23:22:52.0687 3284  \Device\Harddisk6\DR9\Partition1: MBR, Type 0x6, StartLBA 0x2F, BlocksNum 0x3C1FD1
23:22:52.0687 3284  ============================================================
23:22:52.0859 3284  C: <-> \Device\Harddisk0\DR0\Partition1
23:22:52.0859 3284  E: <-> \Device\Harddisk1\DR1\Partition1
23:22:52.0859 3284  ============================================================
23:22:52.0859 3284  Initialize success
23:22:52.0859 3284  ============================================================

-

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-02-19 23:28:46
-----------------------------
23:28:46.812    OS Version: Windows x64 5.2.3790 Service Pack 2
23:28:46.812    Number of processors: 2 586 0x602
23:28:46.812    ComputerName: TCLL5850-PRI  UserName: 
23:28:47.812    Initialize success
23:34:18.437    AVAST engine defs: 14021900
23:36:44.671    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\nvgts641Port0Path0Target0Lun0
23:36:44.671    Disk 0 Vendor: ST316081 3.AA Size: 152627MB BusType: 3
23:36:44.687    Disk 1  \Device\Harddisk1\DR1 -> \Device\Scsi\nvgts642Port1Path0Target0Lun0
23:36:44.687    Disk 1 Vendor: Hitachi_ ST3O Size: 476940MB BusType: 3
23:36:44.687    Disk 2  \Device\Harddisk2\DR2 -> \Device\Scsi\nvgts642Port1Path1Target1Lun0
23:36:44.687    Disk 2 Vendor: ST310005 CC38 Size: 953869MB BusType: 3
23:36:44.687    Disk 6  \Device\Harddisk6\DR9 -> \Device\0000008a
23:36:44.687    Disk 6 Vendor:   Size: 953869MB BusType: 0
23:36:48.796    Disk 0 MBR read successfully
23:36:48.796    Disk 0 MBR scan
23:36:48.843    Disk 0 unknown MBR code
23:36:48.843    Disk 0 MBR hidden
23:36:48.843    Disk 0 Partition 1 00     07    HPFS/NTFS NTFS       476937 MB offset 63
23:36:48.890    Disk 0 scanning C:\WINDOWS\system32\drivers
23:36:48.890    Service scanning
23:37:06.093    Modules scanning
23:37:06.093    Disk 0 trace - called modules:
23:37:06.093    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys SCSIPORT.SYS hal.dll nvgts64.sys 
23:37:06.093    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffadfa53ba060]
23:37:06.093    3 CLASSPNP.SYS[fffffadf9b0918c9] -> nt!IofCallDriver -> \Device\00000064[0xfffffadfa60b5b40]
23:37:06.093    5 ACPI.sys[fffffadf9b26fdf9] -> nt!IofCallDriver -> \Device\Scsi\nvgts641Port0Path0Target0Lun0[0xfffffadfa5b67050]
23:37:06.562    AVAST engine scan C:\WINDOWS
23:37:06.578    AVAST engine scan C:\WINDOWS\system32
23:37:06.578    AVAST engine scan C:\WINDOWS\system32\drivers
23:37:06.578    AVAST engine scan C:\Documents and Settings\Administrator
23:37:06.578    AVAST engine scan C:\Documents and Settings\All Users
23:37:06.578    Scan finished successfully
23:37:17.203    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
23:37:17.203    The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

Edited by DarkPikachu

0

Have you got the tail of that TDSSKiller log? It's missing all the good stuff.
If that screenshot is from your latest TDSSKiller run, then rerun it, but...
- still skip cmuda3
- delete the TDLFS, and
- default action (cure or delete) for the rootkit.

From your ASWMBR log:

9.   23:36:44.671    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi
and..
17.  23:36:48.796    Disk 0 MBR read successfully
18.  23:36:48.796    Disk 0 MBR scan
19.  23:36:48.843    Disk 0 unknown MBR code
20.  23:36:48.843    Disk 0 MBR hidden

That would be the worry. Any reason your bootdisk MBR is non-standard, and hidden? Anyway, the TDSSKiller run should repair it; in any event ASWMbr can write a new one.
Rerun ASWMBR after the TDSSKiller fix is complete.

Edited by gerbil

0

o.o
thanks for pointing that out, but there's not much to the tail

23:22:52.0687 3284  ============================================================
23:22:52.0859 3284  C: <-> \Device\Harddisk0\DR0\Partition1
23:22:52.0859 3284  E: <-> \Device\Harddisk1\DR1\Partition1
23:22:52.0859 3284  ============================================================
23:22:52.0859 3284  Initialize success
23:22:52.0859 3284  ============================================================
00:01:29.0375 1036  Deinitialize success

hmm...
should I run my CD and start a repair session??

perhapse that's the reason for my hibernations frequently corrupting lately >.>
looks like that little explorer problem really DID go alot deeper... heh
(as to be expected with a rootkit)

should I try a restore to before I updated my drivers??
(before I searched torrents and such)

0

Lord, no, don't run a Repair, that would blast your sys back to the stone ages... it takes the registry from \Windows\repair and if you have not done a System State Backup lately, well, that folder dates from installation. Check the dates on the reg files in there.
By all means run sfc, but note that both TDSSKiller and ASWMBR check important system file signatures.
Likewise, your Backup files may be compromised.... when you are sure your system is clean and functioning well you should remove them all and make a fresh one. May I recommend ERUNT?
Anyway, as to the fix, it should continue because something dropped that bootkit in there, and likely it's still lurking. If a trojan, it could be a downloader (of the rootkit files etc). So...
- RogueKiller, again, then
- run MBAM again.
- run JRT again
- eSet Free Online Scanner

Edited by gerbil

0

I see... thanks for the info :o

the stone ages part doesn't bug me as I save every installer I ever use. ;)
including the over 40 MS-update installers I ran to get this far...
(I need to build a BAT, and DL even more updates)
^ and figure out how to get a BAT to continue after restart >_>

and just to note, I have MBAM set on a startup schedule.
I do need to get eSet again though >.>

0

good news, I ran JRT last, and it didn't crash. :)

log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.1 (02.04.2014:1)
OS: Microsoft Windows XP x64
Ran by Administrator on Thu 02/20/2014 at 15:05:11.17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\powerpack



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 02/20/2014 at 15:09:35.04
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

also, eSet and MBAM both report a few of my Kegens as threats...
(I looove Keygen music)

I always ignored MBAM's reports because they never seemed to do any harm...
but now that eSet reported 3/4 of them, I've moved them to my own quarentine.
(I'mma try to break them to where they ONLY play the music)

so here's the eSet report:
Part1: http://lh5.ggpht.com/-D47h4k8SlRc/UwZjLZEd7aI/AAAAAAAAGB0/eKSdvUhIfg4/s612/Screenshot%25202014-02-20%252014.44.08.jpg
Part2: http://lh4.ggpht.com/-QfwPBpNIZzg/UwZjLbRQHYI/AAAAAAAAGBs/7svAVtUYlxk/s612/Screenshot%25202014-02-20%252014.45.37.jpg

and the Keygens in question:
http://lh3.ggpht.com/-PQF_rzmwwyo/UwZjLaZTxdI/AAAAAAAAGBw/oYF5eboeR9M/s800/Screenshot%25202014-02-20%252015.04.07.jpg
(the RAR (actively selected) one is the one listed as "multiple threats")

I must note, I've had these keygens for nearly 3-4 years now, and do listen to them quite often... heh
they're certainly not the cause of my problem, since I've ran them many times on other OS's, but I'm not saying they don't have trackers and such. >.>

0

just now tried the explorer.exe thing.
it no longer creates sub-processes :)

looks like the thing worked :D

hopefully this article will help anyone else now who needs it.
I now mark this issue Solved!

thanks for your help gerbil :)

0

Keygen music... ha ha... yeah, there's some interesting loops out there. You find a good cracking group or two, their stuff is safe cos they want to protect their reputations. :) They badge their stuff. It's a weird world, still.
Okay, clear your Restore points, make a new one, consider ERUNT, and off you go.
Cheers.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.