question re:wimprvse

Discussion in 'Malware Help (A Specialist Will Reply)' started by orthomike, Nov 5, 2006.

  1. orthomike

    orthomike Private E-2

    i don't know if this is the right place for help, but for the past 3 days, it seems that wmiprvse.exe and csrss.exe have been taking up a large amount of CPU (30-50%) - i have run trend virus scan, spybot, and adaware, all of which have come up empty. i am concerned that there may be something amiss, as i have also had random processes pop up with XXX#X#.exe names, none of which seem to be found when i search for their name on the web (unlike all the other processes running).

    any help would be greatly appreciated.

    thanks.

    mike
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you suspect Malware then I would recommend following the steps below.

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support


    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis
    • Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
     
  3. orthomike

    orthomike Private E-2

    i've gone through the whole shebang on the instructions. log files included below. i still think that there's too much activity being performed by csrss and wmiprvse. log files attached below and in a separate post for the rest. any help would be appreciated.

    thanks.

    mike
     

    Attached Files:

  4. orthomike

    orthomike Private E-2

    the remainder of the log files.
     

    Attached Files:

  5. orthomike

    orthomike Private E-2

    i now have a new process that has appeared spontaneously (YZ49DB). a new hijackthis log is attached.

    thanks.

    mike
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we can proceed you must disable TeaTimer and relocate HijackThis. Relocate HJT to a safer location such as C:\Program Files\HJT.

    Once you have completed the above, attach a fresh HJT log.
     
  7. orthomike

    orthomike Private E-2

    sorry. here's the new file
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    YZ49DB.EXE

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    O16 - DPF: {46CF8BCA-84A1-4437-847A-DC29496E01A5} (ISiteNonVisual Control 3.3) - http://172.16.120.40/iSite3_3.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/nike/nikegridiron/install.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

    Again, make sure ALL browser windows are closed when you click FIX.

    Now, Please boot into Safe Mode, be sure you have the Viewing of Hidden Files & Folders Enabled per the tutorial. Now, navigate to and DELETE the following if they should remain:

    C:\WINDOWS\TEMP Delete everything in this folder!

    Next, run CCleaner to clean up cookies and temp files.

    FINAL STEP

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you complete the above, reboot and let me know how things are running.
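    The O4 and O16 lines bjgarrick asks to fix above are HijackThis's rendering of two registry locations: the per-machine and per-user Run keys (O4) and Internet Explorer's record of ActiveX controls installed from a URL (O16). The PowerShell script below is an added example, not part of this thread and not HijackThis code, that reads the same entries directly and, for each Run entry, checks whether the target file exists and what its Authenticode signature status is, so an entry can be judged before anything is removed. It assumes an elevated PowerShell session on a Windows machine (a 2006-era XP box would not have had PowerShell by default) and that the Distribution Units key is where Internet Explorer stores downloaded controls; the function names Get-RunEntries and Get-DpfEntries are my own.

```powershell
# Added example, not code from the thread or from HijackThis: enumerate the
# autostart entries (HijackThis "O4") and Internet Explorer code-download
# records (HijackThis "O16") so each one can be reviewed before it is fixed.
# Run from an elevated PowerShell prompt.

function Get-RunEntries {
    # O4 lines come from the per-machine (HKLM) and per-user (HKCU) Run keys.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... bookkeeping; skip them.
            if ($prop.Name -like 'PS*') { continue }
            $command = [string]$prop.Value
            # Pull the executable out of a quoted or unquoted command line.
            $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split ' ')[0] }
            $exists = Test-Path -LiteralPath $exe
            [pscustomobject]@{
                Key       = $key
                Name      = $prop.Name
                Command   = $command
                Exists    = $exists
                # Signature status of the target; "NotSigned" on a Run entry
                # pointing into a temp directory is what deserves a second look.
                Signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }
            }
        }
    }
}

function Get-DpfEntries {
    # O16 lines are ActiveX controls installed from a URL. Internet Explorer
    # records them under Code Store Database\Distribution Units, keyed by CLSID,
    # with the download URL in the DownloadInformation subkey (assumed layout;
    # verify on your own build).
    $dpfKey = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
    if (-not (Test-Path -Path $dpfKey)) { return }
    foreach ($unit in Get-ChildItem -Path $dpfKey) {
        $info = Get-ItemProperty -Path "$($unit.PSPath)\DownloadInformation" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            CLSID    = $unit.PSChildName
            Codebase = $info.CODEBASE
        }
    }
}

Get-RunEntries | Format-Table -AutoSize
Get-DpfEntries | Format-Table -AutoSize
```

    The point of the Exists and Signature columns is the one the thread keeps circling: a Run entry for a signed QuickTime or iTunes helper is noise, while an unsigned entry whose file is missing or lives under C:\WINDOWS\Temp is the kind of thing worth a closer look before it is fixed.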
     
  9. orthomike

    orthomike Private E-2

    i did everything you suggested. it seems that the previous file (YZ....) has been replaced by a new one (UP74BB). a new hijackthis file is attached
     

    Attached Files:

  10. orthomike

    orthomike Private E-2

    still having problems. have deleted several other files, still having the same thing happen. here is a new HJT log. thanks for your help.
     

    Attached Files:

  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's start with the below removal tool.

    • Download Gromozon Removal Tool from Prevx1 to your desktop.
    • Disconnect from the internet by unplugging the cable and disable your antivirus
    • Run prevxremovaltool.exe from the Desktop by double clicking on it.
    • Click the scan and follow the instructions on screen,
    • once complete reboot and make sure your AV is re-enabled

    Next, please download Sophos Anti-Rootkit 1.1 and save to your desktop. Run a scan and if it finds anything try to remove them.


    Now, let's run one more scan using advanced rootkit technology.
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.

    Once you have completed the above scan, I need the results from all scans and logs from all if possible.
     
  12. orthomike

    orthomike Private E-2

    ran all three scans - they all came up empty. i still am having the same problems. here are the most recent log files.
     

    Attached Files:

  13. orthomike

    orthomike Private E-2

    here's the fourth log.
     

    Attached Files:

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    TR3FD7.EXE

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:\WINDOWS\TEMP\TR3FD7.EXE into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.
    After you complete the above, reboot and attach a fresh HJT log.
     
  15. orthomike

    orthomike Private E-2

    this thing sucks. it's still around, just a different name. there's a pre-fetch file with the name in it, and a /temp file named this (which disappears if i endprocess the process) - and if i do so, about 15 minutes later, a new process starts up with a different name. very frustrating. thanks for your continued efforts.

    mike
     

    Attached Files:
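    A process that comes back under a new random name every time it is killed is far easier to attribute by its parent process than by its name, which is exactly the information the HJT logs in this thread could not give. The PowerShell script below is an added example, not part of the thread, that lists every running process whose image sits under C:\WINDOWS\Temp or the current user's temp directory together with the process that launched it and the child's signature status; in this thread the launcher turned out to be Trend Micro OfficeScan (see chaslang's post 43 and orthomike's post 44), which a listing like this would have shown directly. It assumes an elevated PowerShell session; the function name Get-TempProcessParents is my own, and PIDs and paths are whatever the machine reports.

```powershell
# Added example, not code from the thread: list running processes whose image
# sits in a temp directory, together with the process that launched them, so a
# respawning random-name .exe can be traced to its launcher instead of being
# chased by name. Run from an elevated PowerShell prompt so ExecutablePath is
# filled in for other users' and system processes.

function Get-TempProcessParents {
    $procs = Get-CimInstance -ClassName Win32_Process
    # Index by PID so the parent lookup is a hash lookup.
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    # C:\WINDOWS\Temp (the folder named in this thread) plus the current user's TEMP.
    $tempRoots = @((Join-Path $env:SystemRoot 'Temp'), $env:TEMP) |
        Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if (-not $path) { continue }
        $inTemp = $false
        foreach ($root in $tempRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTemp = $true }
        }
        if (-not $inTemp) { continue }

        # ParentProcessId is only a number. If the launcher has exited, the PID
        # may already belong to an unrelated process; a genuine parent must have
        # been created before its child, so check creation order before trusting
        # the name.
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = '<exited>'
        $parentPath = $null
        if ($parent) {
            if ($parent.CreationDate -le $p.CreationDate) {
                $parentName = $parent.Name
                $parentPath = $parent.ExecutablePath
            } else {
                $parentName = '<pid reused>'
            }
        }
        [pscustomobject]@{
            PID        = $p.ProcessId
            Image      = $path
            Started    = $p.CreationDate
            ParentPID  = $p.ParentProcessId
            Parent     = $parentName
            ParentPath = $parentPath
            Signature  = (Get-AuthenticodeSignature -FilePath $path).Status
        }
    }
}

Get-TempProcessParents | Format-List
```

    Run it while the random-name process is alive, before ending it: the parent is only recoverable while both processes exist, and a parent that launches a child every 15 minutes (as orthomike describes) will usually still be running when the child appears.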

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  17. orthomike

    orthomike Private E-2

    still no luck. ran the program per the instructions x2, both of which came up with nothing found. tried again deleting the temp and prefetch files in safe mode. still having the same problem. still using 15-30% CPU, mostly in the csrss and wmiprvse processes....

    mike
     

    Attached Files:

  18. orthomike

    orthomike Private E-2

    also, if it helps, it seems that some of the HP processes are running at 2-5% consistently.
     
  19. orthomike

    orthomike Private E-2

    so one more piece of information, in case it helps. this time, i logged in under my wife's logon rather than mine. when i ran CCleaner, it _saw_ the bad .exe file, but couldn't stop it. when i ended the process, it no longer could see it. i then manually deleted the prefetch file associated with the bad .exe file. on restart, it showed up again. here is the HJT log file (this time from my wife's logon)...

    mike
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  21. orthomike

    orthomike Private E-2

    here's the logfile. thanks.
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We are going to try a manual removal for this. This may take some time but should work.

    First, download Rootkit Revealer, once installed do a system scan and attach that log.
     
  23. orthomike

    orthomike Private E-2

    here's the new logfile. not much there.
     

    Attached Files:

  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are not showing what they should, attach a fresh HJT log.
     
  25. orthomike

    orthomike Private E-2

    here's a new HJT log
     

    Attached Files:

  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I have researched this rootkit for a long time, you should have more in your logs. Let's try this....download the tools below.

    Removal Tool 1

    Removal Tool 2

    Once you have downloaded them, rename both of them to something stupid like "football" and "baseball". Once renamed reboot into Safe Mode and pull your internet cable, close everything and run the tools.

    Run them one at a time, after both tools are done, be sure you have hidden files and folders enabled along with the box for hidden system files unchecked. Now go into C:\WINDOWS\Temp and delete everything in here.

    Now, reboot back to normal mode, reconnect and attach the logs from both tools.
     
  27. orthomike

    orthomike Private E-2

    i did what you suggested. i had run those scans previously. the new log files, as well as a new HJT log are attached.
     

    Attached Files:

  28. orthomike

    orthomike Private E-2

    it's not letting me attach the gromozon log. as such, here is the text contained in the file...

    Removal tool loaded into memory
    Gromozon rootkit component not detected - searching for other components
    Scanning: C:\WINDOWS
    Scanning: C:\Program Files\Common Files


    Trojan.Gromozon does not exist - your system is clean.
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This doesn't make sense, honestly. This rootkit is not showing in anything we try and it should show at least a DLL.

    I want to try SS on this rootkit.

    Download the following 3 files, save to your desktop.

    Remove links!

    Do not run the program just yet, the file you downloaded "masters.mst", copy this file to the directory below.

    C:\Program Files\Webroot\Spy Sweeper\Masters

    Once you have copied the file, run Spy Sweeper and click on Options on the left. Next click on Sweep Options and under "What To Sweep" check all the boxes, be sure "Sweep for Rootkits" is checked.

    Now run a full sweep and remove every trace found. After the scan is complete reboot and attach the log.
     
    Last edited: Nov 11, 2006
  30. orthomike

    orthomike Private E-2

    did the SS scan. doesn't look hopeful. i watched SS scan the offending .exe file, and not recognize it. i also noted that right before i rebooted the computer, the mem usage in the task mgr was way up on the .exe file, as well as the csrss and several others (in the 20-30 MB range).

    here's the SS and a new HJT log.

    the only other thing that i would question is if it matters when i'm in safe mode if i log on as the administrator or as my name (in regular mode, i run the scans as my login; in safe mode, i have been doing all scans as administrator, but i don't think it should matter, since the windows folder is shared by everyone).

    thanks for your continued help with this frustrating problem

    mike
     

    Attached Files:

  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, uninstall Spy Sweeper. You did check "Sweep for rootkits" before scanning right?

    Please download RegSrch.zip

    Unzip the archive to your desktop and double click on the VBS file.
    (If your AntiVirus alerts, allow the script to run.)

    Now enter default.inf and post back with the results in this thread (call it regsrch.txt).
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This does not make any sense at all, this infection is related to Link Optimizer and installed with a rootkit called Gromozon. Blacklight, Rootkit Remover, Sophos AntiRootkit at least one should detect something.

    Try this one more time....

    Let me know the results of the scan!
     
  33. orthomike

    orthomike Private E-2

    i ran the VBscript. "no instances of 'default.inf' found."

    do you have any suggestions as to how to disable my trend OfficeScan - it won't let me unload it without a password.
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you can shut down the program then end task from task manager.
     
  35. orthomike

    orthomike Private E-2

    is that the TmListen process?
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, that's it.
     
  37. orthomike

    orthomike Private E-2

    thanks. i'll run this in a bit - gotta go take an exam for the next 7 hours. thanks so much for your help with this.
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Not a problem, we will figure this out. I'm lost with this because nothing is showing anything. That tool should at least show a file name.

    Anyway, will be awaiting your results.
     
  39. orthomike

    orthomike Private E-2

    i disabled the trend AV at startup and ran both gromozon finders that i have. still no luck. log can't be attached (says i already included this in the thread), so here is the text:

    Removal tool loaded into memory
    Gromozon rootkit component not detected - searching for other components
    Scanning: C:\WINDOWS
    Scanning: C:\Program Files\Common Files


    Trojan.Gromozon does not exist - your system is clean.

    should i be loading prevx1 onto my system also (i'm given this option after the scan is done)?
     
  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I doubt your AV has anything to do with this but let's give this a try before we change our approach.

    Shutdown your AV completely and then proceed.

    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.

    Also, please download the TrendMicro AntiSpyware Scanner and the manual update. Create a new folder on your desktop and save both files there. Next, extract the contents of the ZIP file to the same folder and then run the file "tmas-web-scan.exe". Run this scan and attach the results to your next post.
     
  41. orthomike

    orthomike Private E-2

    blacklight didn't find anything. here's the trend results.
     

    Attached Files:

  42. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now run CCleaner, reboot and attach a fresh HJT log.
     
  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't believe this has anything to do with Gromozon or LinkOptimizer. I'm pretty sure that file is related to Trend Micro OfficeScan. You could simply try a temporary uninstall of Trend Micro OfficeScan and then reboot and see if the file is gone.

    You do have a few other issues that should be addressed. The below are from your ShowNew log
     
  44. orthomike

    orthomike Private E-2

    so it looks like chaslang was right - when i unloaded TM, the process went away. that having been said, i'm still where we started - with 15-25% CPU usage by wmiprvse, csrss, and HPTLBXFX +/- spoolsv constantly. my usage never goes down to 0-5%, which is where it used to be. the most recent HJT log (run when TM was unloaded) is attached below. also, i could not get rid of morpheus - when i click on the change/remove button, a window pops up for an instant then disappears (it's completely unreadable) - searching my computer for "morpheus" yields no results.

    mike
     

    Attached Files:
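    Task Manager's CPU column is an instantaneous reading, and wmiprvse.exe (the WMI provider host) does its work on behalf of whichever program is issuing WMI queries, so it and csrss.exe can look busy when the real consumer is something else, as the HP toolbox process turns out to be in the next post. The PowerShell function below is an added example, not from the thread, that takes two snapshots of every process's cumulative processor time 30 seconds apart and ranks processes by the CPU they used in between, alongside the image path; the function name Get-CpuDelta and the 30-second window are my choices. It runs in any PowerShell session, though an elevated one fills in paths for more processes.

```powershell
# Added example, not code from the thread: measure which processes are actually
# consuming CPU over a window rather than reading Task Manager's instantaneous
# column. A steady share over 30 seconds is what to compare against the
# 15-25% orthomike reports.

function Get-CpuDelta {
    param([int]$Seconds = 30, [int]$Top = 15)

    # Snapshot 1: cumulative processor time per PID.
    $before = @{}
    foreach ($p in Get-Process) {
        try { $before[$p.Id] = $p.TotalProcessorTime } catch { }   # access denied on some system processes
    }

    Start-Sleep -Seconds $Seconds

    # Snapshot 2, then difference. Processes that started or exited inside the
    # window are skipped rather than reported with a bogus figure.
    $cores = [Environment]::ProcessorCount
    $rows = foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }
        try { $after = $p.TotalProcessorTime } catch { continue }
        $used = ($after - $before[$p.Id]).TotalSeconds
        $path = $null
        try { $path = $p.Path } catch { }
        [pscustomobject]@{
            PID        = $p.Id
            Name       = $p.ProcessName
            # Share of the whole machine over the window, so it lines up with
            # the overall figure Task Manager shows.
            CpuPercent = [math]::Round(100 * $used / ($Seconds * $cores), 1)
            Path       = $path
        }
    }
    $rows | Sort-Object -Property CpuPercent -Descending | Select-Object -First $Top
}

Get-CpuDelta -Seconds 30 | Format-Table -AutoSize
```

    If wmiprvse.exe ranks high, look for the other process in the same list that is busy at the same time; that is the WMI client whose queries the provider host is servicing.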

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is not a malware problem! It is a problem with your HP software (HPTLBXFX). See the below:

    http://forums1.itrc.hp.com/service/...28313&admit=-682735245+1163661077563+28353475


    Use the below to uninstall it:

    Your Uninstaller! 2006
     
  46. orthomike

    orthomike Private E-2

    thanks for all of your help. eliminating that HP process seems to have fixed the problem. you guys are the best.

    mike
     
  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
