
View Full Version : Malware fight


naides
May 1st, 2007, 16:02
I am not sure if this question belongs in Malware analysis per se, so I am going to place it here for starters.
Mostly because I am not 100% sure if I am dealing with malware or malfunction. Here it goes:

I am fighting with a computer at work, which all of a sudden became very slow. I monitored it with Task Manager and Process Explorer and this is more or less what I think is going on:

After boot and logon, everything goes smoothly, except for some 4-5 short episodes in which a regedit.exe process is invoked. ? (Should regedit be used by any startup program???)

Eventually the problem starts when services.exe activates an instance (among many) of svchost.exe. After that this svchost process effectively takes over the CPU and hogs 90 to 99% of the CPU resources. If I suspend or kill the process, the computer recovers and functions more or less smoothly.

The problem is finding out which of the service(s) associated with this instance of svchost is the one hijacking the CPU. Process Explorer gives me a list, but all of them appear legit.

I have scanned the computer with the usual tools (Hijack this, antispyware, antivirus rootkit detector) and came out empty handed.

What would be the next step??

Kayaker
May 1st, 2007, 16:23
Hi,

I was just comparing the info ProcessExplorer gives vs that given by TopToBottomNt. Maybe the latter might help as well.

If you've really got a cpu-sucker on your hands shouldn't ProcessExplorer tell you that right off under CPU Usage? You can also right click the svchost process and select properties and watch the Performance graph for a while maybe..

As for TopToBottomNt perhaps some of the data there might point something out, for example under Counters / IoCounters is info on read/write transfers. One of the svchost processes might show hugely disproportionate numbers for something like that if it's caught in a loop or something.

Keep us apprised..

Maximus
May 1st, 2007, 17:21
no tool EVER uses regedit.
It's your malware.
Solution:
1) copy&save regedit.
2) ebfe the entry of regedit
3) check who has launched it, by examining info.
4) boot from UBCD
5) kill it and restore regedit^^

naides
May 1st, 2007, 18:25
Thank you, as always you are gr8!

The problem with Process Explorer is that it only reports the global CPU use of the svchost process, not each service individually.
By right clicking on it I got a list of the services belonging to the instance, but not a breakdown of the CPU use. Ummhhh.
The threads tab showed me the thread with more cpu usage, but looking at its module it appeared to be kernel32.dll???

The stack info showed me .dll belonging to the windows automatic download service.
Stopped the service and voilà. . . CPU is free (I had recently updated that creature, so it is plausible it is malfunctioning).

Still I don't understand what the deal is with regedit. I will try Maximus' approach tomorrow and see what gives.


Thanks again. You are the real deal!

disavowed
May 1st, 2007, 19:00
Try antivirus software
And if that doesn't work, try AutoRuns to help determine why RegEdit was being launched.

Maximus
May 1st, 2007, 19:01
Well, the idea is that such malware might call somehow regedit.
Depending on the way it creates it (shell, CreateProcess), you might be able to intercept the parent/child creation and gather some more information.

Of course, if Windows Update caused some problem, only gods know wtf.

LLXX
May 2nd, 2007, 03:51
I've seen regedit being used on startup to... put back the startup entries for the malware itself *and* the startup entry that launches regedit to put those entries back (disguised under some legit-looking name).

blabberer
May 2nd, 2007, 05:14
Want to find the services of svchost?

start --> run --> cmd --> tasklist /svc /fi "imagename eq svc*"

Code:

C:\>tasklist /svc /fi "IMAGENAME eq SVC*"

Image Name                     PID Services
========================= ====== =============================================
SVCHOST.EXE                  764 RpcSs
SVCHOST.EXE                  868 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem, helpsvc,
                                 lanmanserver, lanmanworkstation, Messenger,
                                 RasMan, Schedule, seclogon, SENS,
                                 ShellHWDetection, srservice, TapiSrv,
                                 TermService, Themes, TrkWks, uploadmgr,
                                 W32Time, winmgmt, WmdmPmSp, wuauserv, WZCSVC
SVCHOST.EXE                  992 Dnscache
SVCHOST.EXE                 1004 LmHosts, RemoteRegistry, WebClient
SVCHOST.EXE                 1640 stisvc

C:\>
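Added example (not part of blabberer's post or of tasklist itself): a small Python parser for the `tasklist /svc` output format shown above, including the wrapped service lists tasklist prints for svchost instances that host many services. It joins the PID-to-service map with a CPU snapshot, so a "svchost at 97%" observation from Task Manager or Process Explorer is turned into the list of candidate services. The listing is the one from the post, embedded inline as the sample input with two extra constructed non-svchost rows; the CPU percentages are a constructed snapshot, not measured data.

```python
import re

# Sample input: the tasklist /svc listing from the thread, plus two constructed
# non-svchost rows to show the "N/A" case. Not captured from a live machine.
SAMPLE_TASKLIST = """\
Image Name                     PID Services
========================= ====== =============================================
System Idle Process            0 N/A
csrss.exe                    512 N/A
SVCHOST.EXE                  764 RpcSs
SVCHOST.EXE                  868 AudioSrv, BITS, Browser, CryptSvc, Dhcp,
                                 dmserver, ERSvc, EventSystem, helpsvc,
                                 lanmanserver, lanmanworkstation, Messenger,
                                 RasMan, Schedule, seclogon, SENS,
                                 ShellHWDetection, srservice, TapiSrv,
                                 TermService, Themes, TrkWks, uploadmgr,
                                 W32Time, winmgmt, WmdmPmSp, wuauserv, WZCSVC
SVCHOST.EXE                  992 Dnscache
SVCHOST.EXE                 1004 LmHosts, RemoteRegistry, WebClient
SVCHOST.EXE                 1640 stisvc
"""

# Constructed CPU snapshot (pid -> %CPU) as you would read it off Task Manager.
CPU_SNAPSHOT = {0: 1.0, 512: 0.0, 764: 0.5, 868: 97.0, 992: 0.0, 1004: 0.0, 1640: 0.0}

# A row starts with the image name, then the PID, then the first chunk of the
# service list. Assumes image names without embedded spaces (true for svchost).
_ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(.*?)\s*$")


def _split_services(chunk):
    """'A, B,' -> ['A', 'B']; 'N/A' -> []."""
    return [s.strip() for s in chunk.split(",") if s.strip() and s.strip() != "N/A"]


def parse_tasklist_svc(text):
    """Parse `tasklist /svc` output into {pid: {'image': str, 'services': [...]}}.

    Continuation lines (the wrapped part of a long service list) start with
    whitespace and belong to the most recent row."""
    table, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("====="):
            continue
        if line[0].isspace():                 # wrapped service list
            if current is not None:
                current["services"].extend(_split_services(line))
            continue
        m = _ROW_RE.match(line)
        if not m:                             # column header or other noise
            current = None
            continue
        image, pid, chunk = m.group(1), int(m.group(2)), m.group(3)
        current = {"image": image, "services": _split_services(chunk)}
        table[pid] = current
    return table


def host_pid_of(table, service):
    """PID of the process hosting `service` (case-insensitive), or None."""
    for pid, row in table.items():
        if service.lower() in (s.lower() for s in row["services"]):
            return pid
    return None


def cpu_suspects(table, cpu_by_pid, threshold=80.0):
    """Rows whose CPU share is >= threshold, as (pid, cpu, image, services),
    highest CPU first. Only PIDs present in both inputs are considered."""
    hits = [(pid, cpu, table[pid]["image"], table[pid]["services"])
            for pid, cpu in cpu_by_pid.items()
            if cpu >= threshold and pid in table]
    return sorted(hits, key=lambda t: -t[1])


def isolation_commands(services):
    """sc.exe commands that move each service into its own svchost instance, so
    Task Manager attributes CPU to one service. Note the space after 'type='."""
    return ["sc config %s type= own" % s for s in services]


if __name__ == "__main__":
    table = parse_tasklist_svc(SAMPLE_TASKLIST)
    for pid, cpu, image, services in cpu_suspects(table, CPU_SNAPSHOT):
        print("%s pid %d at %.0f%% hosts %d services:" % (image, pid, cpu, len(services)))
        print("  " + ", ".join(services))
        if len(services) > 1:
            print("  to isolate, run (then restart the services):")
            for cmd in isolation_commands(services):
                print("    " + cmd)
```

With a shared host like PID 868 the parser only narrows the problem to 28 candidates, which is exactly the limitation naides ran into. The `sc config <service> type= own` command is a real sc.exe option: after a restart of the service it runs in its own svchost.exe, so CPU usage in Task Manager points at one service without a debugger or thread stacks.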

naides
May 3rd, 2007, 16:28
Definitely I know that something is wrong with the Windows Automatic Update system. I think it is a bug, or it is awaiting a file that got corrupt or is missing.

I traced for a while with syser (Wow it works great), and saw wuauclt.exe, a child process from svchost.exe spinning the wheels with wuauserv.dll.

I am a little at lost about how to repair this problem.
I guess I will call M$oft for help

LLXX
May 3rd, 2007, 18:46
Just disable the service completely.

naides
May 3rd, 2007, 20:14
Yes LLXX. If I disable the automatic update I regain control of the system, but the problem is that even manual update uses the same files and processes, and trying to update the computer manually sends it into the spiral of death.

Unless I fix this thing, the computer in question, which drives a rather expensive piece of equipment and has to be hooked to the network for technical reasons, will fall behind in downloading the endless stream of WinXP security patches and fixes.

I guess I will reinstall the OS. . . for the 10th time??

Kayaker
May 3rd, 2007, 21:23
I was going to suggest using Softice to see what process was running during the hang. I knew you probably couldn't install Sice on that particular computer, but I see you were able to use Syser instead, cool.

I've had terrible problems on my work comp ever since the DST patch. It now takes literally 5-10 minutes to shut down or reboot the computer. Softice tells me sfc_os.dll is the slowpoke. I usually just turn off the power button now.

It's not the DST patch per se, but probably some strange combination of selected security updates the IT people decided to install, while not installing *every* update, plus whatever other firewall/network proggys that are also running.

There just seems to be no way that you can count on all programs + MS updates to work together flawlessly. At some point it seems inevitable there will be a bad alignment of planets and your system becomes b0rked.

/end diatribe


Anyway, your problem with wuauserv.dll sounds just like this one...

http://www.anetforums.com/posts.aspx?ThreadIndex=64190

And maybe referenced in this recent KB article:

http://support.microsoft.com/kb/931852

dELTA
May 6th, 2007, 17:01
1.
Regedit is used whenever a .reg file is applied in e.g. a login script. This is most likely completely unrelated and benign.

2.
The following is with 99% certainty your problem (and solution):
http://support.microsoft.com/kb/916089/

I hope you didn't reinstall yet.

seven
June 27th, 2007, 19:43
Naides, you can also use Security Task Manager, perfect proggy.

Aimless
June 28th, 2007, 10:44
Alternatively, try this:

1. Type msconfig in the run box and check programs running at startup.

2. Boot off the xp cd. Enter recovery console. Delete explorer.exe in c:\windows and copy the exe from the dllcache folder off the hdd.

Have Phun

blabberer
June 28th, 2007, 12:53
Quote:

Delete explorer.exe in c:\windows and copy the exe from the dllcache folder off the hdd.


What's the purpose?
Malware normally modifies memory and not the copy on disk,
and while SFC is functioning, modifying the disk copy is tedious for simple malware, aka VB bloat drag-drop cut-paste BS.

JMI
June 28th, 2007, 14:51
Just in case anyone is wondering, blabberer originally posted this Thread in Off Topic, and believing it should be in this Forum, I "moved" it here, not realizing its title was the same as this existing Thread and vBulletin simply "merged" them together.

Unfortunately, there is no "un-merge" command to separate them again.

Blabber, If you repost this again in this forum, but with a different title, I'll delete these two posts from the end of this Thread.



Regards,

Silkut
June 29th, 2007, 09:31
Hey,
I have a question regarding regedit.exe. Maximus said no legit tools are using this binary at startup, only malware, as LLXX added.
I heard somewhere that Windows verifies the registry key section for any unwanted modification, or even the recent documents or software. In this case, which process/binary is Windows using?
Thanks for any answer.

naides
June 29th, 2007, 17:03
In that vein, have you tried to delete, rename or modify Regedit.exe in Windows XP?

I tried in at least 4 computers, and the damn file refuses to be deleted and is recreated. If I change it with OLLY to place a spinning jump at the EP, same story, the original file is recreated. This is very symptomatic of malware.

Either I have an infection epidemic here at my work place, or Windows protects this file from deletion.

Could someone check if this is happening in your computers? (save a copy first )

Mine is dated 12/2/04, 143 KB and

MD5 = 783AFC80383C176B22DBF8333343992D
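Added example, not code from Maximus or naides: the "EB FE at the entry point" step from Maximus' list (and the spinning jump naides put in with Olly) done programmatically on a copy of the file. `EB FE` is x86 `jmp short $`, a two-byte infinite loop; a process patched this way starts, stays at its entry point and sits there, so you can look at who launched it (parent PID in Process Explorer) or attach a debugger, and nothing else of the program runs. The script walks the PE headers to find AddressOfEntryPoint, maps that RVA to a file offset through the section table, writes the patch and keeps the two original bytes for the restore step. The input is a constructed minimal PE built inline, not a real regedit.exe; as naides observed, Windows File Protection puts the original back, so on a live XP box the patched copy has to be dropped in from outside the running system (UBCD or the recovery console, as the thread says).

```python
import struct
import sys

SPIN = b"\xEB\xFE"  # jmp short $ : x86 two-byte infinite loop


def entry_point_file_offset(data):
    """Return (file_offset, rva) of the PE entry point.

    Walks MZ -> e_lfanew -> "PE\\0\\0" -> COFF header -> optional header, then maps
    AddressOfEntryPoint through the section table (RVA -> PointerToRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsects = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset in both
    sect = opt + opt_size
    for i in range(nsects):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sect + 40 * i + 8)
        if va <= ep_rva < va + max(vsize, raw_size):
            return raw_ptr + (ep_rva - va), ep_rva
    raise ValueError("entry point RVA 0x%x is not inside any section" % ep_rva)


def patch_entry_spin(data):
    """Return (patched_copy, saved_original_two_bytes). Never modifies `data`."""
    off, _ = entry_point_file_offset(data)
    saved = bytes(data[off:off + 2])
    patched = bytearray(data)
    patched[off:off + 2] = SPIN
    return bytes(patched), saved


def restore_entry(patched, saved):
    """Undo patch_entry_spin using the saved bytes."""
    off, _ = entry_point_file_offset(patched)
    out = bytearray(patched)
    out[off:off + 2] = saved
    return bytes(out)


def build_sample_pe():
    """Constructed test input: a 0x400-byte PE32 with one .text section, entry
    point at RVA 0x1000 (file offset 0x200). Not a runnable program."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)               # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                # FileAlignment
    sect = struct.pack("<8sIIIIIIHHI", b".text\0\0\0", 0x100, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    hdr += b"\0" * (0x200 - len(hdr))
    text = b"\x55\x8B\xEC" + b"\x90" * 0x1FD               # push ebp; mov ebp,esp; nops
    return hdr + text


if __name__ == "__main__":
    # Usage: patch.py <input.exe> <output.exe>   (or no args: run on the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 2 else build_sample_pe()
    patched, saved = patch_entry_spin(data)
    off, rva = entry_point_file_offset(data)
    print("entry point RVA 0x%x at file offset 0x%x, original bytes %s"
          % (rva, off, saved.hex()))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

The saved bytes are all that is needed to undo the patch, which matches step 5 of Maximus' list (restore regedit once you know who launched it).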

LLXX
June 30th, 2007, 01:19
Yes, WinXP does have system file protection, unless you've disabled it already (simple 2-byte patch if I remember correctly).

The regedit.exe on my WinXP system is 134144 bytes and modified 2001 August 23:Thursday 12:00:00 PM

blabberer
June 30th, 2007, 04:20
Quote:

Blabber, If you repost this again in this forum, but with a different title, I'll delete these two posts from the end of this Thread.


JMI, it looks like my skull has become thicker; I couldn't simply get what I should post where.

naides
You cannot delete, modify, change or whatever those system files.
That's what I meant: if SFC is active it is tedious for simple malware to modify the disk copy.

LLXX
Why patch??
You can disable SFC legally as well without patching. How do you think hotpatching works / kernel debugging driver replacement works?

silkut,

On a clean install none of the autostart locations contain an entry to execute regedit.
On the old W98 system there used to be a legit scanreg.exe that scanned the registry; on OS > NT there isn't any legit registry scan.

Windows always keeps a clean copy of the registry that can be used in
recovery mode, somewhere in the ////...//sam// folder, I forgot.
That copy will be used if you hit F8 and use the "boot from last known good configuration" option.

Silkut
June 30th, 2007, 06:51
So yes, there is a check of the registry base at startup which is not using regedit, but is implemented in SFC.

Thanks for kind replies.

LLXX
July 1st, 2007, 04:46
Quote:

Originally Posted by blabberer

LLXX
Why patch??
You can disable SFC legally as well without patching. How do you think hotpatching works / kernel debugging driver replacement works?

Simplest solution, once and it's done.