Hi,

Actually mbam.exe does run for a while; it asks me if I want to update something. I answer no since that PC is not connected to the net. Then mbam.exe spins at 100% of the CPU but never does anything. I watched using procmon and mbam.exe did not print any events.

When I start procmon before mbam.exe I see mbam doing normal startup events (e.g. loading DLLs), then lots of registry access.

The malware I am dealing with does lots of registry scanning using lsass, svchost, and explorer. Those processes could be doing some normal registry access also, but the overall amount is very excessive and pins the CPU.

My DDS looks like this:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Administrator at 18:57:34.42 on Wed 04/06/2011

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_18

.

============== Running Processes ===============

.

C:\WINDOWS\system32\spoolsv.exe

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hpnra.exe

C:\WINDOWS\System32\alg.exe

F:\dds.scr

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\svchost.exe -k netsvcs

.

============== Pseudo HJT Report ===============

.

uStart Page = about:blank

BHO: AutorunsDisabled - No File

TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a

mRun: [HP Network Registry Agent] c:\windows\system32\hpnra.exe

uPolicies-explorer: NoSMHelp = 01000000

uPolicies-explorer: NoActiveDesktop = 01000000

mPolicies-explorer: PreXPSP2ShellProtocolBehavior = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 255.255.255.255 broadcasthost

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\8w4ab44n.default\

FF - prefs.js: keyword.URL -

FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

.

============= SERVICES / DRIVERS ===============

.

R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86

R? Rts516xIR;Realtek IR Driver

R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0

S? L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller

S? RSUSBSTOR;RTS5121.Sys Realtek USB Card Reader

S? SASDIFSV;SASDIFSV

S? SASKUTIL;SASKUTIL

S? something;something

.

=============== Created Last 30 ================

.

2011-04-06 21:25:16 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2011-04-06 21:25:16 -------- d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com

2011-04-06 21:24:21 -------- d-----w- c:\program files\SUPERAntiSpyware

2011-04-06 21:12:16 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2011-04-06 21:11:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-04-06 21:11:46 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2011-04-06 21:11:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-04-06 21:11:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.

==================== Find3M ====================

.

.

============= FINISH: 19:01:11.82 ===============

Bottom line is that SUPERAntiSpyware and Malwarebytes don't do anything other than start up and then chew up the CPU. They don't get rid of the malware and I don't think anything will, except reinstalling the OS.

Thanks in advance for any suggestions.

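One way to put a number on the "excessive" registry access the poster is watching in procmon: an added example (not from this thread or from Malwarebytes) that reads a Procmon CSV export, totals registry operations per process, and flags the processes above a threshold. It assumes Procmon's standard "Save as CSV" column names and runs on a small constructed capture embedded below.

```python
import csv
import io
from collections import Counter, defaultdict

# Column names as written by Procmon's "Save as CSV" export (assumed).
PROCESS_COL = "Process Name"
OP_COL = "Operation"

# Constructed sample of a Procmon CSV export; not a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:57:34.0000001 PM","mbam.exe","1234","Load Image","C:\\WINDOWS\\system32\\ntdll.dll","SUCCESS",""
"6:57:34.0000002 PM","lsass.exe","600","RegOpenKey","HKLM\\SYSTEM\\CurrentControlSet\\Services","SUCCESS",""
"6:57:34.0000003 PM","lsass.exe","600","RegEnumKey","HKLM\\SYSTEM\\CurrentControlSet\\Services","SUCCESS",""
"6:57:34.0000004 PM","lsass.exe","600","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\alg\\Start","SUCCESS",""
"6:57:34.0000005 PM","explorer.exe","1500","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS",""
"6:57:34.0000006 PM","svchost.exe","900","CreateFile","C:\\WINDOWS\\system32\\config\\software","SUCCESS",""
"""


def registry_ops_per_process(csv_text):
    """Map each process name to a Counter of its registry operations.

    Procmon names every registry operation with a 'Reg' prefix
    (RegOpenKey, RegQueryValue, RegEnumKey, ...); file, image and
    network events are ignored so only registry activity is counted.
    """
    per_proc = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        op = row[OP_COL]
        if op.startswith("Reg"):
            per_proc[row[PROCESS_COL]][op] += 1
    return per_proc


def flag_heavy_processes(csv_text, threshold):
    """Return (process, registry-op count) pairs at or above threshold,
    heaviest first. Compare against a capture from a healthy machine
    to decide what 'excessive' means for a given process."""
    totals = {p: sum(c.values())
              for p, c in registry_ops_per_process(csv_text).items()}
    heavy = [(p, n) for p, n in totals.items() if n >= threshold]
    return sorted(heavy, key=lambda pair: -pair[1])


if __name__ == "__main__":
    for proc, ops in registry_ops_per_process(SAMPLE_CSV).items():
        print(proc, dict(ops))
    print(flag_heavy_processes(SAMPLE_CSV, threshold=2))
```

On a real capture, filter procmon to the suspect processes first and export a fixed time window, so the counts from a clean reference machine and the affected one are comparable.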

Just did a reinstall of MBAM in safe mode. Unfortunately the malware also runs in safe mode. The reinstall did everything it did before, then started mbam.exe as I asked it to, then mbam.exe asked me if I want to update something that is 107 days old. I said no because I'm not on the network for obvious reasons. Then it went into the spin-forever-at-100%-of-the-CPU-while-doing-nothing mode (procmon shows no events from mbam.exe).


Maybe not malware, just 100x slower registry access? I've been running different programs and they all work, just slower, or much slower, or much much slower than normal. The much much slower ones are registry intensive, like deinstalling SQL Server (didn't realize it was installed until I saw it in the list above). So I will have to look more broadly for a solution.
