explorer.EXE intercept? I/O other always increasing

Hi AVZ,

I have a problem with explorer.EXE.

in task manager, the "I/O Other bytes" always increases by 4k every time task manger refreshes. all the time.


if I disconnect from the internet, it stops. the I/o is not reported or visible as network but I'm sure that is where its going. I suspect a hidden device sends my computer information out to the internet. this looks like a hidden trojan, but I am not an expert. but I am technically advanced.

my system is pretty clean except for uphclean which is resident. I have unloaded that and the problem still exists.

as long as the machine is connected to the internet, or a switch, or a router, the i/o other keeps increasing.

I have run with no page file and no restore. same problem.

problem does not happen in safe mode.
problem does not happen in safe mode with networking.

I followed all your instructions.
also scanned with mcafee stinger.
scanned with spybot 1.5 and ad-aware 2007 free.
I cant find it.

please give me a hand, I'm out of ideas.
Thank you,
James

Hello
Do you know this domain?
[QUOTE]O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jewelconsulting.org
O17 - HKLM\Software\..\Telephony: DomainName = jewelconsulting.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jewelconsulting.org[/QUOTE]
If not - fix these records over Hijackthis.
I couldn't find any really bad thing in your logs.
Pls. run this script
[CODE]begin
QuarantineFile('C:\WINDOWS\system32\Drivers\uphcleanhlp.sys','');
RebootWindows(true);
end.[/CODE]
after reboot load the quarantine here up: [url]http://virusinfo.info/upload_virus_eng.php[/url]

Yes, that is my domain, jewelconsulting.org.
The win2k3 Domain Controller is in the next room.
This computer {polaris} is a domain member.

Many times I run with the DC off, so I set a different DNS IP on polaris,
and sometimes, even though I set dhcp leases to permanent, polaris does not keep the assigned ip, so i just just set a manual static IP. Thats how polaris operates without the domain, as a standalone computer.
{the dc runs dns}.

An interesting thing happened. I changed the shell to blackbox bblean, and made it the default shell. it also shows "i/o other" increasing by just under 4k every refresh!! odd, dont you think? I have a couple of jpg screen shots of just task manager showing the problem, would you like them?

Thanks,
James

[size="1"][color="#666686"][B][I]Добавлено через 8 минут[/I][/B][/color][/size]

Uphclean is from microsoft. it allows registry keys in use to be remapped if they are being unloaded, as when the machine is shutting down. this is a very common problem with XP and is why settings arent saved. the hive is busy when shutting down so it goes back to the previous version.
Uphclean is a kernel mode util that intercepts unloadkey. close enough.
I uninstalled it and the problem remains. I prefer to have my settings saved so i reinstalled it.

[QUOTE=James007Long;210871] I have a couple of jpg screen shots of just task manager showing the problem, would you like them?[/QUOTE]Yes, it would be interesting. You can upload the pictures to your webspace and link them here, can't you?

I pasted that script to custom scripts and ran it.
the quarantine folder was created but no file appeared there.

I must be Own3d. here are the links.

[URL]http://i150.photobucket.com/albums/s89/computerpros/taskmgr1.jpg[/URL]

[URL]http://i150.photobucket.com/albums/s89/computerpros/taskmgr2.jpg[/URL]

look at i/o other. these two screen shots are only a few seconds apart.
the machine was idle except to copy to clip, paste, and save the files.

Thanks,

James

I cannot find any anomaly in these sreenshots :)

I uploaded "program files" contents for uphclean folder and the installer.


if you do the math subtracting for system overhead,
you will see i/o other for explorer has increased much more than systm overhead required to generate and save the two screenshots.

If I shell a copy of explorer (as in unix) so it runs as a separate process,
the shelled copy generates i/o other count, and the first copy does not.

If I go to safe mode, I/o other is not generated by explorer at all period.
I have been watching task manager all the way back to windows 95
and I am just letting you know there is an abnormal increase in the
number of i/o other bytes being generated,
AND its taking 2 cpu now. it was ALWAYS at zero.

I wish you could sit here and watch this thing climb steadily. there is
no end to it. it will go into the terrabyte range in a day.
this never used to happen.

I can think of one other instance where I saw this problem.
a long time ago I hacked a few xp installations to make a new
key and if the key was not right, this would happen.
maybe i'm insane but I look for stuff like this. it lets me know
the system is not straight.:(


Thanks,
James

@ [b]James[/b]:

Don't you think that could be related to your Graphics Editing Program (LViewPro)? In screenshot #2 I see it's using 90% of your system resources.

Paul

No, It's not related to lview pro. that was invoked to paste the clip into and then saved from. I've had lview pro for years and when it is not running there never was a problem before this new problem of i/o other started about 2 months ago.

the i/o other constantantly increases when nothing is running. no lview, no outlook. the drive is defragged to the max and even the pagefile is contiguous. this is an older dell laptop with bigger pipes and is still very snappy under xp pro. like i said, in safe mode, io other is dead stopped
while running task manager unless you go for files or folders.

been to myspace a lot lately on this box. yep what have I been smokin.
i'm sure thats part of the problem.

to clean up this box i do things most users dont have a clue about
and I fix pc's for a living. but this little spy has me stumped.

another problem - I can't run sysinternals regmon.
it reports its already running.

I looked thru the registry and found a legacy regmon701 and deleted it.
also deleted all other references to regmon in the registry,
then deleted it from the drive and redownloaded it and ran it again and it says the same thing. so thats probably related.

in procmon from sysinternals, if i watch registry activity for Explorer.EXE
{IS THAT FILENAME CORRECT?? note the case} the registry is pretty much stuck on the DHCP and TCPIP parameters of my card all the time while idle. dont make sense to me.


I made a manual full memory dump and i'll do a kernel dump.
but even though i know assembly language (I was a game programmer),
I dont know what I'm looking for and I dont know the windows api.
all i know well was the bios,vectoring interupts and ship like that.
it was before windows. so even getting the symbols and stepping thru all that is probly not going to enlighten me quicky.

but its definately here. i know these boxed by feel. and its talkin to the world. it just bypasses the normal route. i do in fact realize that all the protocols necessary to such a thing are in the box and that since the patriot act and even before, information is the holy grail.

all I want is my box to act normal, root kit or no. maybe some lamer programmer should have done a better job. I can always reload and
hope I dont stumble into that one again.

now this f**cker is on all my boxes and is on my win2k3 server but not as bad, only 200 bytes at a time there.

I appreciate all the help so far and thany you all very much
and am really open to more help and glad to answer every question.

James

[size="1"][color="#666686"][B][I]Добавлено через 14 минут[/I][/B][/color][/size]

no matter which utility i would use to get a screen shot, and save it,
it would be additive to i/o other.

just looking at another box i have, its explorer.exe i/o other count is up to 60 meg and its been on for 2 hours.

@ [b]James[/b]:

OK. A couple of ideas (actually I don't think you have malware):

* It seems to me that regmon's driver was not unloaded - it's still in your system and active in memory, although you may not see it in the Task Manager. AVZ didn't flag it because it's in the Trusted Database. I believe the driver is called [b]REGSYS701.SYS[/b]. I suggest you do a search for that one in Safe Mode (probably system32 folder) and kill it. Only then should you delete any sysmon registry keys (they're probably still there).

* Did you try inserting your XP install disc and 'Start' - 'Run' - cmd - [b]sfc /scannow[/b]?
Explorer might be corrupted, you know. Sometimes this happens after people install IE7.

* [url=http://www.bleepingcomputer.com/combofix/how-to-use-combofix]Combofix[/url], for example, might be able to fix this (link to instructions).

P.S.: UPHClean is certainly not to blame. I'd suggest putting that back. ;)

Paul

No its definately not malware. It's spyware/rootkit/idontknow.
It's hooked in good, but there it is in front of my face.

Thanks for the info on the regmon driver. I had to kill the file then rekill the legacy driver entry in the registry and make myself a debugger user and reboot before it would work. And now it does! Thank you for that. one less thing in the suspect list.


I considered {heavily} explorer was damaged in some way. through some research I was able to determine there are multiple versions of explorer. mine is a version which was issued to solve some race condition with notification balloons. I am able to verify size date time version... for my copy but can't verify its internal ntegrity...checksum or md5 or other means.

I ran that scf /sannow and It does not have a clue where to get files from. my stuff is in servicepackfiles and there is no reason to go for the cd. My cd is original before sp1 and Im not going that way ever again.

The closest I would come is to reinstall sp2.


I ran the combo fix but never got a log in an applet as they indicate,
what I got looked like boot.ini in a text file named CF-RC.txt.
That was clean. Combo-fix created some new folders with a bunch of
stuff in them, AND I now have a restore console from safe mode.
nifty. Also inherited two side affects, the clock format changed,
and it disabled the nic card. Those were easily fixed.
I didn't feel like joining another forum for that because
I've already described it all right here.

Thanks
James

@ [b]James007Long[/b]

OK. I still have some ideas left, although I'm pretty sure AVZ would have spotted spyware/rootkits. It's my guess that it's some genuine program running in memory, and probably having some explorer-extension of some kind.

Could you please run [url=http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx]Rootkit Revealer[/url]? Download link down the page. Show the log, please.

I see you have the Ad-aware program in your system - I suggest you remove that one; don't want to offend anyone, but except for cookies it doesn't catch anything. Removing its service will do your system good. A more than worthy replacement would be SUPERAntiSpyware, which you can find here:
[url]http://www.superantispyware.com/[/url]
Pick the [b]free version[/b] on the left. Install, update and do a full scan. Show the log, please.

Generally, it's not a good idea to have anti-spyware programs in memory running all the time - manual scans are good enough. That's why I would like you to disable *ANY* real-time options in the program (same goes for Spybot Search & Destroy). Just update your database regularly and the same applies to scanning your system - manually and manually only. A solid cookies and scripts policy in your browser is much more effective than two, three, or more anti-spyware programs, believe me.

To check hashes you could use Hash by Robin Keir - no install needed. You can find it here:
[url]http://keir.net/hash.html[/url]

And why don't you send explorer.exe or explorer.EXE, whatever to different anti-virus labs? Or check it on virustotal.com?

Did you try any general-purpose cleaning tools like [url=http://www.ccleaner.com/download/builds/downloading-slim]CCleaner[/url]? (direct download link to a version *without* the dreadful Yahoo Toolbar)

Paul

Paul

HKLM\SECURITY\Policy\Secrets\SAC* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)
C:\$AttrDef 2/28/2006 12:41 PM 2.50 KB Hidden from Windows API.
C:\$BadClus 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 2/28/2006 12:41 PM 27.95 GB Hidden from Windows API.
C:\$Bitmap 2/28/2006 12:41 PM 894.24 KB Hidden from Windows API.
C:\$Boot 2/28/2006 12:41 PM 8.00 KB Hidden from Windows API.
C:\$Extend 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$LogFile 2/28/2006 12:41 PM 64.00 MB Hidden from Windows API.
C:\$MFT 2/28/2006 12:41 PM 50.19 MB Hidden from Windows API.
C:\$MFTMirr 2/28/2006 12:41 PM 4.00 KB Hidden from Windows API.
C:\$Secure 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$UpCase 2/28/2006 12:41 PM 128.00 KB Hidden from Windows API.
C:\$Volume 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.

------------------------

HKU\.DEFAULT\Control Panel\International 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)


firsrt of all I should tell you I already did this. the first set does not have the metafiles hidden. according to popular opinion, SAC and SAI are supposed to show up. The international and GEO im going to guess because the default clock format was changed, and now I have it some other way.


I agree that Ad-Aware (free 2008) has become lame and does nothing more than delete a few cookies. Hasta La Vista.

working on the other log for you now {scanning} and i'm taking the rest of your advice. oh yes; you could not pay me to take the google toolbar.
or any other freekin bar. computers dont drink, so no bars.

Thank you
James

[quote=James007Long;211574]HKLM\SECURITY\Policy\Secrets\SAC* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)
C:\$AttrDef 2/28/2006 12:41 PM 2.50 KB Hidden from Windows API.
C:\$BadClus 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$BadClus:$Bad 2/28/2006 12:41 PM 27.95 GB Hidden from Windows API.
C:\$Bitmap 2/28/2006 12:41 PM 894.24 KB Hidden from Windows API.
C:\$Boot 2/28/2006 12:41 PM 8.00 KB Hidden from Windows API.
C:\$Extend 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$ObjId 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Quota 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$Extend\$Reparse 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$LogFile 2/28/2006 12:41 PM 64.00 MB Hidden from Windows API.
C:\$MFT 2/28/2006 12:41 PM 50.19 MB Hidden from Windows API.
C:\$MFTMirr 2/28/2006 12:41 PM 4.00 KB Hidden from Windows API.
C:\$Secure 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.
C:\$UpCase 2/28/2006 12:41 PM 128.00 KB Hidden from Windows API.
C:\$Volume 2/28/2006 12:41 PM 0 bytes Hidden from Windows API.

------------------------

HKU\.DEFAULT\Control Panel\International 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 4/5/2008 11:25 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 2/28/2006 9:21 PM 0 bytes Key name contains embedded nulls (*)[/quote]
Nothing out of the ordinary there. :)

Paul

Paul

SUPERAntiSpyware Scan Log
[URL]http://www.superantispyware.com[/URL]
Generated 04/06/2008 at 05:16 AM
Application Version : 4.0.1154
Core Rules Database Version : 3432
Trace Rules Database Version: 1424
Scan type : Complete Scan
Total Scan Time : 00:44:12
Memory items scanned : 282
Memory threats detected : 0
Registry items scanned : 3838
Registry threats detected : 0
File items scanned : 14395
File threats detected : 2
Adware.Tracking Cookie
C:\Documents and Settings\JLong\Cookies\jlong@yadro[1].txt
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\W01C4433.INI

these things always find some bs the first time just to impress us.

I like spybot and the resident feature. been using that for a long time.
one side affect- using the SD Helper bad download protecter-
this make your host file huge and does slow you down, even
getting folders on your own machine.

doing a ccleaner now.


Thanks
James

[quote=James007Long]Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\W01C4433.INI[/quote]
This may be a false positive. Could you check the contents of that .ini file? You can open it in Notepad. Might be a hidden file. If you deem it appropriate, you may copy and paste the contents here.
I also advise you to check your computer for any autorun.* files (ANY drives, especially of the removable type).

Paul

Hey CCleaner is nice!

superspywarecleaner toasted that file, and rebooted me.

no autorun.ini is present on my thumb drive or hard drive.

autoruns.exe in my utilities folder
a hidden AutorunsDisabled in c:\documents and settings\all users\start menu\programs\startup
autoruns.exe in systinternals
autorunsc.exe in sysinternals
autoruns.chm in sysinternals
and they show up in the zip again.


Analyzing explorer.exe v 6.0.2900.3156 now.
ok its virus free.
I checked it against the one in dllcache using HASH. (NICE!) TY. identical.

I have the 6.0.2900.3156 gdr version. dont have an off system one to check against here,
they all exhibit same behavior.
close enough for me.
explorer does whats its supposed it- its extensible.
my boxes all have the same same hook.


Thanks Paul,
James

[size="1"][color="#666686"][B][I]Добавлено через 1 час 25 минут[/I][/B][/color][/size]

ok I use task manager on fast update. if I used "normal" or "slow"
the amount that is added to i/o other bytes for explorer.exe would be
even bigger.

I invite everyone to look at this and tell me its normal.

[URL]http://i150.photobucket.com/albums/s89/computerpros/taskmgr3.jpg[/URL]

look at i/o other bytes (column) for explorer.exe. The machine had been
up long enough to do the work in the preceding message above. I'd say about 2 hours.

Thanks,
James

[quote=James007Long;211613] I invite everyone to look at this and tell me its normal.

[URL]http://i150.photobucket.com/albums/s89/computerpros/taskmgr3.jpg[/URL]

look at i/o other bytes (column) for explorer.exe. The machine had been
up long enough to do the work in the preceding message above. I'd say about 2 hours.[/quote]
It doesn't seem that high to me - actually my rate is a lot higher (my machine has been up for quite some time now - something like 8 hours). I suspect that's Norton GoBack, my recovery program... :)
So, it *must* be one of your legitimate drivers communicating intensively with its I/O Manager, otherwise AVZ would have spotted it.

Paul

well it isnt any service, I can stop all those {sans rpc and a very few}
and the problem still persists.

Would you believe I've aleady been here too? got a bootlog of everything loaded and startup state. but could use a tool that sees which drivers
are actually used and then I can decide if I want to disable them...pretty dangerous, but hey I now have a recovery console to re-enable any that were needed...

was all over msinfo32

and performance counters

thought about autoruns but it shows them all even if not used on this box.

The feeling I get is a driver slaps data outbound to the internet; Because having disconnected the connection it stops dead right there, and the cpu useage of explorer.exe goes back to zero as well.

I agree that AVZ is a very well writen tool. I've never seen _anything_ do what it does before.

let me ask you something. you say your i/o other count is close. but is it dynamically updating while
you watch it, while the machine is idle, other than the task manager?
mine did not used to. only when I went for files/folders or invoked things did it change,
but never sitting there doing nothing.

my windows is a build 2600.xpsp_sp2_gdr.070227-2254.






Thanks
James


James

@ [b]James007Long[/b]

Maybe it makes sense to have a look at your Windows services? For example, I see you have the Application Layer Gateway Service (alg.exe) running. On SP2 it is no longer needed, but it keeps at least one port open...
To answer your question about I/O - Yes, it's updating while I'm watching it in the task manager. Maybe you need a tool like [url=http://download.sysinternals.com/Files/ProcessExplorer.zip]Process Explorer[/url] (a more than nice replacement for the Windows Task Manager) to see what is linked to explorer.exe - at least there you can see all the threads and handles displayed in the process properties. It *must* be an application that has a driver + an extension in explorer.exe, I'm pretty sure about this...

Paul