
iexplore.exe --> high CPU/RAM usage + Hacktool.Rootkit


  • This topic is locked This topic is locked

#1
Sergio L

Sergio L

    New Member

  • Member
  • Pip
  • 8 posts
Hi,

In the past few weeks something must have attacked my laptop. Symptoms:
- After a few mins of using IE, the RAM and CPU usage go quite high.
- My keyboard lags; if I type at normal speed some letters don't get registered on the screen.
- When I click on a link, open a new tab or do any action within IE, it takes about 30 secs to a minute to react/execute.
- After a reboot things go back to normal, and they seem to remain normal until I start using the internet. Once I open IE, the above starts happening again.

Suspects?
- I've noticed that sometimes there is an iexplore.exe process with an unusual amount of RAM and CPU taken.
- Norton twice reported an infection: first on a piece of software that I had installed for many weeks (CheatEngine), which I uninstalled upon the report, and more recently a file called A<number>.sys under the system restore point folder (logged in one of the attached files). I have not taken any further actions and I am not sure this infection is related to the symptoms.

Attached are the required initial logs, I will appreciate your looking at them and help me pinpoint the problem and work to fix it.

Thanks in advance! From what I've seen on other threads you guys rock!

PS: The uploader does not allow me to send you the GMER log... 'file type not permitted'(?).. these are the contents:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-27 05:52:03
Windows 5.1.2600 Service Pack 3
Running: 05. Rootkit scanner - gmer.exe; Driver: C:\DOCUME~1\<MY USER NAME>\LOCALS~1\Temp\fxldiaog.sys


---- System - GMER 1.0.15 ----

SSDT E236C690 ZwConnectPort

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Attached Files


Edited by Sergio L, 27 December 2009 - 09:00 AM.

  • 0

#2
m0le

m0le

    Visiting Staff

  • Visiting Consultant
  • 341 posts
Hi,

Welcome to Geeks To Go. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Forum Options box to the top right and then selecting Subscribe to this forum.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :)
  • 0

#3
Sergio L

Sergio L

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi M0le, thanks for replying... I'm here and ready to start working with you.

Cheers
Sergio
  • 0

#4
m0le

m0le

    Visiting Staff

  • Visiting Consultant
  • 341 posts
Hi Sergio L,

The event log seems to have logged the Hack Tool invasion and deletion so let's make sure that nothing else came in with it.

Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


Then please run Autoruns

Download Autoruns

http://download.sysi...es/Autoruns.zip

  • Extract the Autoruns Zip file contents to a folder.
  • Double-click the "Autoruns.exe".
  • Click on the "Everything" tab
  • Remove any entries that mention "File Not Found" by right-clicking the entry and select Delete.
  • Go to File then to Export As.
  • Save AutoRuns.txt file to the desktop.
  • Attach to your next reply.

This will confirm that the iexplore.exe processes are legitimate.


Finally run ConflictInfo, which checks for conflicting hardware

Please download ConflictInfo by aommaster to your desktop.
  • Double click Posted Image

  • Press Posted Image to begin.

  • It shall produce a ConflictInfo.txt on your desktop.

  • Please copy and paste the log in your next reply.

At first glance this looks like damage done by malware that is no longer present. Let's make sure it's gone first. :)
  • 0

#5
Sergio L

Sergio L

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi M0le,

I executed all the steps successfully, please find the requested log files. :)

Cheers
Sergio

Attached Files


  • 0

#6
m0le

m0le

    Visiting Staff

  • Visiting Consultant
  • 341 posts
They all look fine.

Let's take a look at some processes.

Please download and run Process Explorer

If Process explorer won't execute rename it Iexplore.exe

Under File and Save As, create a log and post here

Copy and paste the log into your next reply
  • 0

#7
Sergio L

Sergio L

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi, here is the log and more info:

- I spent a few mins opening a couple of sessions (google, cnn, regular stuff)... and then 'this thing we are trying to track' kicked in again; right now my keyboard is slow and so on...
- Although the app you asked me to run shows 2 iexplore processes running (which makes sense as I have two tabs open), the other screenshot I am attaching shows more processes (ghost?) and what I was describing in the symptoms: a few of them that don't seem to relate to open sessions; also see how one of them has been growing in RAM. I suspect that this growing process (either a cause or a consequence of something else) is what eventually takes up CPU as well and renders the operation of the laptop almost impossible.... just in case it helps direct the search in any way.

PS: Rename the iexplore attachment from .txt to .doc... it's a word doc with a screen capture

Cheers
S

Attached Files


  • 0

#8
m0le

m0le

    Visiting Staff

  • Visiting Consultant
  • 341 posts
I can't seem to be able to read that .txt file even by renaming it.

Let's see what we can find using Combofix

Please download ComboFix from one of these locations:* IMPORTANT !!! Save ComboFix.exe to your Desktop making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please also try and attach the screenshot again. If you can note down the process name as well for me.

Thanks :)
  • 0

#9
Sergio L

Sergio L

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi there,

I ran ComboFix; it found at least one thing wrong, attached is the log. Yesterday when my computer was a hog, I realized by looking at the running processes that even when I manually killed the iexplore.exe processes, it was Windows Explorer (explorer.exe) working at very high CPU consumption... not sure if this adds any value. For now look at the log here and let me know if you want to run more stuff; right now, because of the recent reboot by the tool, the laptop is working fine.

Thanks again for helping,
S*

Attached Files


  • 0

#10
Sergio L

Sergio L

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi again,

I noticed a Qoobox folder created by this run in my C:\
let me know if/when I can delete it...
Cheers
S
  • 0

#11
Sergio L

Sergio L

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi yet again, I was looking at the atapi.sys file that was quarantined (under the Qoobox folder) and the one restored by ComboFix (under system32\drivers) and they have the same size and timestamp. I am wondering if
a) the file is not infected at all
b) the file used by Combofix to replace the infected one, is also an infected copy, since they look the same...

let me know what you think.
Cheers
S
  • 0

#12
m0le

m0le

    Visiting Staff

  • Visiting Consultant
  • 341 posts

Hi yet again, I was looking at the atapi.sys file that was quarantined (under the Qoobox folder) and the one restored by ComboFix (under system32\drivers) and they have the same size and timestamp. I am wondering if
a) the file is not infected at all
b) the file used by Combofix to replace the infected one, is also an infected copy, since they look the same...


atapi.sys is a legitimate system file but has been infected by malware. This TDSS variant attacks system files in the system32 folder and keeps timestamps and sizes the same to hide its presence. This is why they are both identical.

Replacing the infected file with a backup copy from elsewhere is safe and should see some improvement in your PC.

Don't worry about Qoobox, it's related to Combofix and it will go before we're finished.


Please run MBAM on full scan and post the log.

Then go online and use the ESET scanner as below

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image

Let me know how the PC is running and of any notifications from your antivirus during this time.

Thanks :)
  • 0
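The point m0le makes above (and the doubt raised in post #11) is that matching size and timestamp say nothing about a file's contents. This added example, which is not code from the thread or from ComboFix, builds two constructed files with identical size and modification time and shows that only a content hash tells them apart:

```python
import hashlib
import os
import tempfile

# Constructed sample contents standing in for the restored and the quarantined
# atapi.sys (hypothetical bytes, not the real driver). PATCHED differs from
# CLEAN by a single byte, so both are exactly the same length.
CLEAN = b"MZ" + b"\x00" * 14 + b"clean driver image"
PATCHED = CLEAN[:-1] + b"X"


def write_sample(dirpath, name, data, mtime):
    """Write data to dirpath/name and force the given modification time."""
    path = os.path.join(dirpath, name)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime, mtime))  # same atime/mtime on both copies
    return path


def sha256_of(path):
    """Stream the file through SHA-256 so large drivers are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare(path_a, path_b):
    """Report which of size, mtime and content hash agree between two files."""
    sa, sb = os.stat(path_a), os.stat(path_b)
    return {
        "same_size": sa.st_size == sb.st_size,
        "same_mtime": int(sa.st_mtime) == int(sb.st_mtime),
        "same_sha256": sha256_of(path_a) == sha256_of(path_b),
    }


def demo():
    """Same size, same timestamp, different hash: the situation in the thread."""
    with tempfile.TemporaryDirectory() as d:
        ts = 1071187200  # constructed timestamp applied to both files
        restored = write_sample(d, "atapi.sys.restored", CLEAN, ts)
        quarantined = write_sample(d, "atapi.sys.quarantined", PATCHED, ts)
        return compare(restored, quarantined)


if __name__ == "__main__":
    print(demo())
```

On a real system the same comparison would be run against a known-good copy of the driver (for example from the Windows installation media), since the hash of the restored file alone proves nothing without a trusted reference.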

#13
Sergio L

Sergio L

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi m0le,

Attached is the log for MBAM. ESET ran for over 3 hours, scanning 101157 files, and it did not report any threats (probably that is why the button to show and export threats is not available).

Cheers
Sergio

Attached Files


  • 0

#14
m0le

m0le

    Visiting Staff

  • Visiting Consultant
  • 341 posts
That's looking like we're finished here, Sergio.

Just some clearing up to go.

You're clean. Good stuff! :)

Let's do some clearing up

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    (For Vista/Windows 7 please click Start -> All Programs -> Accessories -> Run)
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between "Combofix" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.
This will uninstall Combofix and anything associated with it.


Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.
------------------------------------------------------------------------------------------------------------------------

Here's some advice on how you can keep your PC clean


Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.


Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Installing this or another recommended program will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis just as you would with antivirus software.


Finally, here's a treasure trove of antivirus, antimalware and antispyware resources


That's it Sergio, happy surfing!

Cheers.

m0le

Edited by m0le, 06 January 2010 - 01:54 PM.

  • 0

#15
m0le

m0le

    Visiting Staff

  • Visiting Consultant
  • 341 posts
Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
  • 0
