GWitek (United States of America) asked:
Help reading a log....Where to go from here?

1. Received this computer running VERY sluggish.
2. Started in Safe Mode.
3. Found that the regedit microsoft\currentversion\run key was FILLED with about 1800 entries of random letter/number combinations.
4. There was a scheduled task that was created that ran every hour; not quite sure what it did.
5. Deleted all those entries and installed AVG.
6. MS Antivirus 2009 was also installed, but Malwarebytes took it out.
7. AVG is now barking about winlogon\PEpatch.AO and win32/PEPatch.AO, but the files are in the "white-list" so I can prevent it from showing up.
8. All of my system restores were infected.
9. How should I proceed?
10. HijackThis log is below.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:28 AM, on 2/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [InetChk] C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\ms1235428513.exe work (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O16 - DPF: {149e45d8-163e-4189-86fc-45022ab2b6c9} (SpinTop DRM Control) - file://C:\Program Files\TextTwist 2\Images\stg_drm.ocx
O16 - DPF: {cc450d71-cc90-424c-8638-1f2dbac87a54} (ArmHelper Control) - file://C:\Program Files\TextTwist 2\Images\armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: qbbmzu.dll nxtmft.dll vrixxu.dll qlythg.dll hinzvc.dll awcclt.dll mrzyoz.dll mzxmtv.dll fsjtnt.dll mcrxqg.dll cnnhda.dll kwhuji.dll slpwmq.dll pqfidp.dll nlnpaj.dll fjbiop.dll vqrzaa.dll yprmcx.dll dqhgqe.dll vmkkdw.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
rpggamergirl (Australia) replied:


O4 - HKUS\S-1-5-20\..\Run: [InetChk] C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\ms1235428513.exe work (User 'NETWORK SERVICE')  
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'Default user')
O20 - AppInit_DLLs: qbbmzu.dll nxtmft.dll vrixxu.dll qlythg.dll hinzvc.dll awcclt.dll mrzyoz.dll mzxmtv.dll fsjtnt.dll mcrxqg.dll cnnhda.dll kwhuji.dll slpwmq.dll pqfidp.dll nlnpaj.dll fjbiop.dll vqrzaa.dll yprmcx.dll dqhgqe.dll vmkkdw.dll


Hi,
Fix the above entries in HijackThis, run either one of the tools below, and show us the log please.

Download Malwarebytes' Anti-Malware to your desktop; check for the tool's updates before running a scan.
http://www.malwarebytes.org/mbam.php

If you can't access the above link, then use this link and rename the file before saving it to your desktop.
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button


Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields), as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Sorry, I missed that you've already run Malwarebytes; did you update it before scanning?
Let's worry about System Restore later; all infected files in that folder are harmless right now, and it's easy to delete them later on by turning off System Restore.
Can you run ComboFix and show us the log?


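A way to automate the triage rpggamergirl did by eye on the HijackThis log, as an added example that is not part of the thread: it flags O4 Run entries whose image lives in a Temp directory or that are registered under the SYSTEM, NETWORK SERVICE, LOCAL SERVICE or .DEFAULT hives, and it reports any populated AppInit_DLLs value, annotating names that look machine-generated. The sample lines are constructed from the entries quoted above, not the complete log, and the vowel/consonant rule in `looks_random` is my own rule of thumb, not a HijackThis feature.

```python
"""Triage a HijackThis log for the autostart patterns flagged in the thread."""
import re

# Constructed sample in HijackThis format, modelled on the entries quoted
# above; it is not the complete log from the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [InetChk] C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\ms1235428513.exe work (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'Default user')
O20 - AppInit_DLLs: qbbmzu.dll nxtmft.dll vrixxu.dll qlythg.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
""".strip("\n")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$")
USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)\s*$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# A Temp/TMP path component anywhere in the image path.
TEMP_RE = re.compile(r"(^|\\)(temp|tmp)(\\|$)", re.IGNORECASE)
# Hives no interactive user logs on with: a Run value here executes as the
# service account, or is copied into every newly created profile.
SERVICE_HIVES = ("S-1-5-18", "S-1-5-19", "S-1-5-20", ".DEFAULT")
VOWELS = set("aeiou")


def parse_o4(line):
    """Split an O4 line into hive, value name, image path and the user it runs as."""
    m = O4_RE.match(line)
    if not m:
        return None
    rest, user = m.group("rest"), None
    um = USER_RE.search(rest)
    if um:
        user, rest = um.group("user"), rest[:um.start()]
    if rest.startswith('"'):          # quoted image path, possibly with spaces
        image = rest[1:rest.find('"', 1)]
    else:                             # unquoted: the first token is the image
        image = rest.split(" ", 1)[0]
    return {"hive": m.group("hive"), "name": m.group("name"), "image": image, "user": user}


def o4_reasons(entry):
    reasons = []
    if TEMP_RE.search(entry["image"]):
        reasons.append("image lives in a Temp directory")
    if entry["hive"].endswith(SERVICE_HIVES):
        reasons.append("registered under service/default hive %s" % entry["hive"])
    return reasons


def looks_random(stem):
    """Rule of thumb for generated names (my heuristic, not HijackThis's):
    vowels are a third or less of the letters, or three-plus consonants run together."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if len(letters) < 5:
        return False
    vowels = sum(c in VOWELS for c in letters)
    runs = re.findall(r"[^aeiou]+", letters)
    longest_run = max(len(r) for r in runs) if runs else 0
    return 3 * vowels <= len(letters) or longest_run >= 3


def triage(log_text):
    """Return (section, subject, reasons) for every line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            reasons = o4_reasons(entry)
            if reasons:
                findings.append(("O4", entry["image"], reasons))
            continue
        m = APPINIT_RE.match(line)
        if m:
            dlls = m.group("dlls").split()
            reasons = ["AppInit_DLLs is populated (%d DLLs, loaded into every process that maps user32.dll)" % len(dlls)]
            odd = [d for d in dlls if looks_random(d.rsplit(".", 1)[0])]
            if odd:
                reasons.append("random-looking names: " + ", ".join(odd))
            findings.append(("O20", "AppInit_DLLs", reasons))
    return findings


if __name__ == "__main__":
    for section, subject, reasons in triage(SAMPLE_LOG):
        print("%s %s\n    %s" % (section, subject, "\n    ".join(reasons)))
```

Run it against a saved hijackthis.log by reading the file into `triage`; the iTunes and ctfmon lines produce nothing, the three InetChk lines and the AppInit_DLLs line are reported, which matches what was asked to be fixed.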
GWitek (asker):

Here is the combo fix log
ComboFix 09-02-25.02 - Robert 2009-02-26  8:28:34.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.603 [GMT -6:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
 * Created a new restore point
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\setup.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\bknuvhxj.ini
c:\windows\system32\fxqleaxb.ini
c:\windows\system32\koefsjrv.ini
c:\windows\system32\octvshbq.ini
c:\windows\wiaserviv.log
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Legacy_IPRIP
-------\Legacy_new_drv
-------\Legacy_SYSREST.SYS
-------\Service_Iprip
 
 
(((((((((((((((((((((((((   Files Created from 2009-01-26 to 2009-02-26  )))))))))))))))))))))))))))))))
.
 
2009-02-25 17:13 . 2009-02-25 17:13	<DIR>	d--------	c:\program files\Alwil Software
2009-02-23 22:13 . 2009-02-23 22:13	552	--a------	c:\windows\system32\d3d8caps.dat
2009-02-23 21:44 . 2009-02-23 21:44	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-02-23 21:44 . 2009-02-23 21:44	<DIR>	d--------	c:\documents and settings\Robert\Application Data\Malwarebytes
2009-02-23 21:44 . 2009-02-23 21:44	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-23 21:44 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 21:44 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-02-19 18:33 . 2009-02-20 08:53	<DIR>	d--------	c:\documents and settings\Robert\Shared
2009-02-19 18:33 . 2009-02-24 07:46	<DIR>	d--------	c:\documents and settings\Robert\Incomplete
2009-02-19 18:32 . 2009-02-19 19:41	<DIR>	d--------	c:\documents and settings\Robert\Application Data\LimeWire Music
2009-02-15 09:46 . 2009-02-15 09:46	<DIR>	d--------	c:\documents and settings\All Users\Application Data\GameHouse
2009-02-15 09:45 . 2009-02-15 09:45	<DIR>	d--------	c:\program files\TextTwist 2
2009-02-15 09:45 . 2009-02-15 09:45	<DIR>	d--------	c:\documents and settings\Robert\Application Data\SpinTop
2009-02-15 09:45 . 2009-02-15 18:29	<DIR>	d-a------	c:\documents and settings\All Users\Application Data\TEMP
2009-01-28 17:09 . 2009-02-17 18:02	0	--a------	c:\windows\system32\drivers\e164f576.sys
2009-01-28 17:08 . 2009-01-28 17:08	2	--a------	C:\1155048582
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 03:26	---------	d-----w	c:\program files\Common Files\Symantec Shared
2009-02-21 04:00	---------	d-----w	c:\program files\Spybot
2009-02-21 03:54	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-21 03:21	---------	d-----w	c:\program files\Trend Micro
2009-02-21 03:17	---------	d-----w	c:\program files\LimeWire
2009-02-20 00:30	---------	d-----w	c:\documents and settings\Robert\Application Data\LimeWire
2008-12-13 02:08	16,384	----a-w	c:\windows\DCEBoot.exe
2008-07-02 02:51	0	----a-w	c:\documents and settings\Robert\jagex_runescape_preferences.dat
2001-05-21 15:54	3,932	------w	c:\documents and settings\Robert\Application Data\CMLayout.dat
2008-09-08 13:41	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080908\index.dat
2008-09-15 23:02	49,152	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080915\index.dat
2008-09-22 13:54	49,152	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080922\index.dat
2008-09-23 01:20	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092220080923\index.dat
2008-09-24 23:25	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat
2008-09-26 04:30	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092520080926\index.dat
2008-09-27 01:49	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
2008-09-27 21:34	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092720080928\index.dat
.
 
------- Sigcheck -------
 
2008-04-13 18:12  14336  27c6d03bcdb8cfeb96b716f3d8be3e18	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-10 09:00  17408  83bf18aab3e169d2a78dd2672d1525bb	c:\windows\system32\svchost.exe
 
2008-04-13 18:12  507904  ed0ef0a136dec83df69f04118870003e	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-10-16 00:18  506368  3fafcdd4cc0af9ab3ee695cd8e901b89	c:\windows\system32\winlogon.exe
 
2004-08-10 09:00  1034752  619bdce4bcd0331da1d982e07e5a9414	c:\windows\explorer.exe
2007-06-13 05:26  1033216  7712df0cdde3a5ac89843e61cd5b3658	c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 18:12  1033728  12896823fb95bfb3dc9b46bcaedc9923	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
 
2008-04-13 18:12  108544  0e776ed5f7cc9f94299e70461b7b8185	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-10 09:00  110592  f34dcda03b10b32c1402110e196d7097	c:\windows\system32\services.exe
 
2008-04-13 18:12  13312  bf2466b3e18e970d8a976fb95fc1ca85	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-10 09:00  14848  b54c37eadae349b737240915774b9666	c:\windows\system32\lsass.exe
 
2005-06-10 18:17  57856  ad3d9d191aea7b5445fe1d82ffbb4788	c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2008-04-13 18:12  57856  d8e14a61acc1d4a6cd0d38aebac7fa3b	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2004-08-10 09:00  58880  58d43b5a04410e765fdf1753b0b6038e	c:\windows\system32\spoolsv.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 17:11 73728 c:\windows\system32\VESWinlogon.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
 
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-09-01 226304]
S1 5738137;5738137;c:\windows\system32\drivers\5738137.sys [2008-09-09 0]
S1 e164f576;e164f576;c:\windows\system32\drivers\e164f576.sys [2009-01-28 0]
S3 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	REG_MULTI_SZ   	p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -
 
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
 
 
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\n457tnyv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1269415&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - P2P_Energy Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 08:32:08
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EvtEng]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-26  8:38:37 - machine was rebooted
ComboFix-quarantined-files.txt  2009-02-26 14:38:16
 
Pre-Run: 51,395,051,520 bytes free
Post-Run: 51,402,395,648 bytes free
 
158	--- E O F ---	2009-02-25 20:02:55


GWitek (asker):

Running a Malwarebytes scan causes AVG to report this. The malware scan comes up with no infections, however.
AVGReports.JPG
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the bold text below into Notepad:

Driver::
5738137
e164f576

FCopy::
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe | c:\windows\explorer.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe | c:\windows\system32\services.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe | c:\windows\system32\lsass.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe | c:\windows\system32\spoolsv.exe

File::
c:\windows\system32\drivers\e164f576.sys
C:\1155048582
c:\windows\system32\drivers\5738137.sys

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
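The FCopy:: section of the script above copies the SoftwareDistribution\Download copies over the installed system32 binaries, and the Sigcheck section of the ComboFix log lists the two sets with different dates and sizes. As an added example, not from the thread or from ComboFix, here is a comparison a practitioner could run before swapping files of this kind (from a boot CD or on a mounted disk): it hashes both copies and reads the link timestamp from the PE header, so a candidate from a different build is reported as such rather than copied over. The MZ/PE stubs and timestamps at the bottom are constructed test data, not real Windows binaries; `compare_files` runs the same check on real paths.

```python
"""Compare an installed system binary with a candidate replacement before
copying one over the other: hash, size, and the PE link timestamp."""
import hashlib
import struct


def coff_timestamp(data):
    """Return the COFF TimeDateStamp (link time) of a PE image, or None if
    the bytes do not carry an MZ/PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def describe(data):
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),      # md5 to line up with the Sigcheck listing
        "sha256": hashlib.sha256(data).hexdigest(),
        "timestamp": coff_timestamp(data),
    }


def compare(installed, candidate):
    """Classify the relationship between two copies of the same binary."""
    a, b = describe(installed), describe(candidate)
    if a["sha256"] == b["sha256"]:
        return "identical"
    if a["timestamp"] != b["timestamp"] or a["size"] != b["size"]:
        # Different link time or size: a different build (another service pack
        # or hotfix level), not a clean copy of the installed file. Copying it
        # over the installed one changes which build the system runs.
        return "different build"
    # Same link stamp and size but different bytes: the shape an in-place
    # patch of the file takes, and the pair worth a closer look.
    return "same build, different bytes"


def compare_files(installed_path, candidate_path):
    with open(installed_path, "rb") as f_a, open(candidate_path, "rb") as f_b:
        return compare(f_a.read(), f_b.read())


def make_pe(timestamp, body):
    """Build a minimal MZ/PE stub (constructed test data, not a real image)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff + body


# Constructed samples: an "installed" file, a copy with the same link stamp
# and size but altered bytes, and a copy from a different build.
INSTALLED = make_pe(0x41107EC3, b"A" * 100)
SAME_BUILD_ALTERED = make_pe(0x41107EC3, b"A" * 99 + b"B")
OTHER_BUILD = make_pe(0x48025C4A, b"A" * 90)

if __name__ == "__main__":
    for label, cand in [("same file", INSTALLED), ("altered", SAME_BUILD_ALTERED), ("other build", OTHER_BUILD)]:
        print("%-12s %s" % (label, compare(INSTALLED, cand)))
```

The point of the timestamp check is that a hash mismatch alone does not distinguish "patched" from "newer build"; only a copy that matches the installed build is a like-for-like replacement, and anything else should be restored from the installation media or service pack the machine actually runs.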
GWitek (asker):

In the middle of the ComboFix run it warned about Windows File Protection. Then it manually rebooted itself.

You've got to be kidding me...
It's going through an endless boot cycle now.
GWitek (asker):

*Sorry, not manually. It automatically rebooted itself.
Safe Mode produces the same results; it just keeps rebooting...
GWitek (asker):

This is very urgent!
Looks like it cooked the registry. I have no idea how to go about getting this fixed and need help ASAP!
It didn't like the files that were replaced.

Boot up with the Windows XP CD and choose to run the Recovery Console, since it wasn't installed when you ran ComboFix. See below for more instructions on how to enter the Recovery Console:

http://pcsupport.about.com/od/fixtheproblem/ss/rconsole.htm

Once you are in and at the command prompt, type in each of the following lines and hit ENTER key after each line below:

ren c:\windows\system32\svchost.exe c:\windows\system32\svchost.exe.old
ren c:\windows\system32\winlogon.exe c:\windows\system32\winlogon.exe.old
ren c:\windows\explorer.exe c:\windows\explorer.exe.old
ren c:\windows\system32\services.exe c:\windows\system32\services.exe.old
ren c:\windows\system32\lsass.exe c:\windows\system32\lsass.exe.old
ren c:\windows\system32\spoolsv.exe c:\windows\system32\spoolsv.exe.old
move C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir c:\windows\system32\svchost.exe
move C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir c:\windows\system32\winlogon.exe
move C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir c:\windows\explorer.exe
move C:\Qoobox\Quarantine\C\WINDOWS\system32\services.exe.vir c:\windows\system32\services.exe
move C:\Qoobox\Quarantine\C\WINDOWS\system32\lsass.exe.vir c:\windows\system32\lsass.exe
move C:\Qoobox\Quarantine\C\WINDOWS\system32\spoolsv.exe.vir c:\windows\system32\spoolsv.exe
exit

Remove the Windows CD and see if it boots up properly now. If so, post the ComboFix log file at C:\ComboFix\ComboFix.txt.
Dooflegna:

What is the exact error you're getting?

F8 on boot -> Disable automatic restart on failure. Look at the stop codes and report back with what they are. You're looking for long numbers/characters, something like this:

0x0000007b
0x0000000a
c000021a
I don't believe there are any error codes at this point. It's going through that "infinite" restart loop where it tries to boot to Windows and fails, then automatically restarts itself.
GWitek (asker):

greynight,
I can't rename the files because they don't appear to be in the directory; if I try to access \Qoobox it says access is denied.

Dooflegna,
I tried that and the screen just goes black and sits there. No error codes.


GWitek (asker):

It's also saying the move command is not supported in the Recovery Console. Can I "copy"?
GWitek (asker):

Update:
Since it appears the files were deleted, I performed the following command:
expand d:\i386\winlogon.exe c:\windows\system32
Then checked the c:\windows\system32 files and voilà! The file was there!

The computer doesn't reboot automatically anymore! I get a cursor and a black screen! Could this be light at the end of the tunnel? I'm going to keep going down this route for the files that greynight listed above and will update.
Yes, you may use copy, but you will need to rename to remove the .vir extension. Try to locate the directory where the backups are made. They should be in the Qoobox directory followed by the path to the removed files (c:\windows\system32\svchost.exe = c\windows\system32\svchost.exe.vir).

It should allow you access to that folder. Make sure you start from the root c: folder first:

cd\
....followed by the other commands to run
GWitek (asker):

When I do a "dir" at c:\ I get the list, but a lot of the folders have a size of 0 and d------- in the attributes.
What does this mean?

I'm still getting "access is denied"
GWitek (asker):

Restrictions and limitations of the Recovery Console
When you use the Windows Recovery Console, you can use only the following items:
•    The root folder
•    The %SystemRoot% folder and the subfolders of the Windows installation that you are currently logged on to
•    The Cmdcons folder
•    The removable media drives such as the CD-ROM drive or the DVD-ROM drive
Note If you try to obtain access to other folders, you may receive an "Access Denied" error message. Also, when you are using the Windows Recovery Console, you cannot copy a file from the local hard disk to a floppy disk. However, you can copy a file from a floppy disk or from a CD-ROM to a hard disk, and you can copy a file from one hard disk to another hard disk.


I'm going to use BartPE:
http://www.nu2.nu/pebuilder/
GWitek (asker):

Sorry for all of the updates:
I restored the files using BartPE. Awesome, awesome news.

Here's the latest ComboFix log. Let's try this again.


ComboFix 09-02-26.02 - Robert 2009-02-27 10:49:38.3 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.599 [GMT -6:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
 * Created a new restore point
 
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
 
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
c:\windows\system\oeminfo.ini
.
---- Previous Run -------
.
C:\1155048582
c:\windows\system32\drivers\5738137.sys	
c:\windows\system32\drivers\e164f576.sys
 
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
 
-------\Service_5738137
-------\Service_e164f576
 
 
(((((((((((((((((((((((((   Files Created from 2009-01-27 to 2009-02-27  )))))))))))))))))))))))))))))))
.
 
2009-02-27 10:45 . 2009-02-27 10:45	<DIR>	d--------	c:\windows\LastGood
2009-02-27 03:37 . 2004-08-10 09:00	58,880	--a------	c:\windows\system32\spoolsv.exe
2009-02-27 03:36 . 2004-08-10 09:00	14,848	--a------	c:\windows\system32\lsass.exe
2009-02-27 03:35 . 2004-08-10 09:00	110,592	--a------	c:\windows\system32\services.exe
2009-02-27 03:34 . 2004-08-10 09:00	1,034,752	--a------	c:\windows\explorer.exe
2009-02-27 03:32 . 2004-08-10 09:00	17,408	--a------	c:\windows\system32\svchost.exe
2009-02-27 03:25 . 2004-10-16 00:18	506,368	--a------	c:\windows\system32\winlogon.exe
2009-02-26 12:00 . 2009-02-26 13:18	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-02-26 08:48 . 2009-02-26 08:48	10,520	--a------	c:\windows\system32\avgrsstx.dll
2009-02-26 08:47 . 2009-02-27 10:42	<DIR>	d--------	c:\windows\system32\drivers\Avg
2009-02-26 08:47 . 2009-02-26 08:47	<DIR>	d--------	c:\program files\AVG
2009-02-26 08:47 . 2009-02-27 09:38	<DIR>	d--------	c:\documents and settings\All Users\Application Data\avg8
2009-02-26 08:47 . 2009-02-26 08:47	325,128	--a------	c:\windows\system32\drivers\avgldx86.sys
2009-02-25 17:13 . 2009-02-25 17:13	<DIR>	d--------	c:\program files\Alwil Software
2009-02-23 22:13 . 2009-02-23 22:13	552	--a------	c:\windows\system32\d3d8caps.dat
2009-02-23 21:44 . 2009-02-23 21:44	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-02-23 21:44 . 2009-02-23 21:44	<DIR>	d--------	c:\documents and settings\Robert\Application Data\Malwarebytes
2009-02-23 21:44 . 2009-02-23 21:44	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-23 21:44 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 21:44 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-02-19 18:33 . 2009-02-26 12:13	<DIR>	d--------	c:\documents and settings\Robert\Shared
2009-02-19 18:33 . 2009-02-24 07:46	<DIR>	d--------	c:\documents and settings\Robert\Incomplete
2009-02-19 18:32 . 2009-02-19 19:41	<DIR>	d--------	c:\documents and settings\Robert\Application Data\LimeWire Music
2009-02-15 09:46 . 2009-02-15 09:46	<DIR>	d--------	c:\documents and settings\All Users\Application Data\GameHouse
2009-02-15 09:45 . 2009-02-15 09:45	<DIR>	d--------	c:\program files\TextTwist 2
2009-02-15 09:45 . 2009-02-15 09:45	<DIR>	d--------	c:\documents and settings\Robert\Application Data\SpinTop
2009-02-15 09:45 . 2009-02-15 18:29	<DIR>	d-a------	c:\documents and settings\All Users\Application Data\TEMP
 
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 03:26	---------	d-----w	c:\program files\Common Files\Symantec Shared
2009-02-21 04:00	---------	d-----w	c:\program files\Spybot
2009-02-21 03:54	---------	d-----w	c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-21 03:21	---------	d-----w	c:\program files\Trend Micro
2009-02-21 03:17	---------	d-----w	c:\program files\LimeWire
2009-02-20 00:30	---------	d-----w	c:\documents and settings\Robert\Application Data\LimeWire
2008-12-13 02:08	16,384	----a-w	c:\windows\DCEBoot.exe
2008-07-02 02:51	0	----a-w	c:\documents and settings\Robert\jagex_runescape_preferences.dat
2001-05-21 15:54	3,932	------w	c:\documents and settings\Robert\Application Data\CMLayout.dat
2008-09-08 13:41	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080908\index.dat
2008-09-15 23:02	49,152	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080915\index.dat
2008-09-22 13:54	49,152	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080922\index.dat
2008-09-23 01:20	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092220080923\index.dat
2008-09-24 23:25	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat
2008-09-26 04:30	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092520080926\index.dat
2008-09-27 01:49	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
2008-09-27 21:34	32,768	--sha-w	c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092720080928\index.dat
.
 
------- Sigcheck -------
 
2008-04-13 18:12  14336  27c6d03bcdb8cfeb96b716f3d8be3e18	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-10 09:00  17408  83bf18aab3e169d2a78dd2672d1525bb	c:\windows\system32\svchost.exe
 
2008-04-13 18:12  507904  ed0ef0a136dec83df69f04118870003e	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-10-16 00:18  506368  3fafcdd4cc0af9ab3ee695cd8e901b89	c:\windows\system32\winlogon.exe
 
2004-08-10 09:00  1034752  619bdce4bcd0331da1d982e07e5a9414	c:\windows\explorer.exe
2007-06-13 05:26  1033216  7712df0cdde3a5ac89843e61cd5b3658	c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 18:12  1033728  12896823fb95bfb3dc9b46bcaedc9923	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
 
2008-04-13 18:12  108544  0e776ed5f7cc9f94299e70461b7b8185	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-10 09:00  110592  f34dcda03b10b32c1402110e196d7097	c:\windows\system32\services.exe
 
2008-04-13 18:12  13312  bf2466b3e18e970d8a976fb95fc1ca85	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-10 09:00  14848  b54c37eadae349b737240915774b9666	c:\windows\system32\lsass.exe
 
2005-06-10 18:17  57856  ad3d9d191aea7b5445fe1d82ffbb4788	c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2008-04-13 18:12  57856  d8e14a61acc1d4a6cd0d38aebac7fa3b	c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2004-08-10 09:00  58880  58d43b5a04410e765fdf1753b0b6038e	c:\windows\system32\spoolsv.exe
.
(((((((((((((((((((((((((((((   SnapShot@2009-02-26_ 8.36.54.40   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-26 14:47:58	27,656	----a-w	c:\windows\system32\drivers\avgmfx86.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
 
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-26 1601304]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-26 08:48 10520 c:\windows\system32\avgrsstx.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 17:11 73728 c:\windows\system32\VESWinlogon.dll
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
 
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
 
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-26 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-26 298264]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-09-01 226304]
S3 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
 
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc	REG_MULTI_SZ   	p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
 
2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\n457tnyv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1269415&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - P2P_Energy Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
.
 
**************************************************************************
 
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 10:52:00
Windows 5.1.2600 Service Pack 2 NTFS
 
scanning hidden processes ...  
 
scanning hidden autostart entries ... 
 
scanning hidden files ...  
 
scan completed successfully
hidden files: 0
 
**************************************************************************
 
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EvtEng]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
 
- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-02-27 10:54:25
ComboFix-quarantined-files.txt  2009-02-27 16:53:47
ComboFix2.txt  2009-02-26 14:38:38
 
Pre-Run: 51,013,218,304 bytes free
Post-Run: 50,998,452,224 bytes free
 
165	--- E O F ---	2009-02-27 16:46:13
Glad you got it up and running again. Does AVG still detect those files as being suspicious?

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Go back to the System Restore tab and uncheck the same box to enable System Restore.
GWitek (ASKER):
Yes, AVG keeps detecting them.
Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. Otherwise, it will auto-close after it's done.
Those files might be patched since AVG keeps flagging them. And failing for the sigcheck could mean they really are patched/infected system files or corrupted.

Strange that ComboFix didn't flag them as infected though, because that's what it looks like; could be Sality or even Virut.
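One way to act on the sigcheck reasoning in the reply above, as an added example that is not part of this thread and not ComboFix's own code: a small Python triage script that parses the Sigcheck lines from the log (embedded here verbatim as its sample input), groups them by file name, singles out the live copy in %windir% or system32, and reports whether that copy is byte-identical to any cached copy on the machine. A live file that matches nothing is not proof of patching (different service-pack builds legitimately differ in size and hash), so the script leaves the verdict to a caller-supplied known-good hash; the `reference_hashes` dict, the function names and the placeholder reference values are assumptions of this example.

```python
"""
Triage helper for the "Sigcheck" block of a ComboFix log (added example).

ComboFix lists files that failed its signature check together with the other
copies of the same binary it found (update cache, hotfix backups). This script
groups those lines by file name, picks out the live copy, and says whether it
is identical to any cached copy. The real verdict needs a reference MD5 taken
from a source you trust (e.g. hashed from clean install media), which is
passed in by the caller.
"""
import re
from collections import defaultdict

# Constructed sample input: the Sigcheck lines from the log above.
SIGCHECK_BLOCK = r"""
2008-04-13 18:12  14336  27c6d03bcdb8cfeb96b716f3d8be3e18  c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-10 09:00  17408  83bf18aab3e169d2a78dd2672d1525bb  c:\windows\system32\svchost.exe

2008-04-13 18:12  507904  ed0ef0a136dec83df69f04118870003e  c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-10-16 00:18  506368  3fafcdd4cc0af9ab3ee695cd8e901b89  c:\windows\system32\winlogon.exe

2004-08-10 09:00  1034752  619bdce4bcd0331da1d982e07e5a9414  c:\windows\explorer.exe
2007-06-13 05:26  1033216  7712df0cdde3a5ac89843e61cd5b3658  c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 18:12  1033728  12896823fb95bfb3dc9b46bcaedc9923  c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe

2008-04-13 18:12  108544  0e776ed5f7cc9f94299e70461b7b8185  c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-10 09:00  110592  f34dcda03b10b32c1402110e196d7097  c:\windows\system32\services.exe

2008-04-13 18:12  13312  bf2466b3e18e970d8a976fb95fc1ca85  c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-10 09:00  14848  b54c37eadae349b737240915774b9666  c:\windows\system32\lsass.exe

2005-06-10 18:17  57856  ad3d9d191aea7b5445fe1d82ffbb4788  c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2008-04-13 18:12  57856  d8e14a61acc1d4a6cd0d38aebac7fa3b  c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2004-08-10 09:00  58880  58d43b5a04410e765fdf1753b0b6038e  c:\windows\system32\spoolsv.exe
"""

# date time, size, 32-hex MD5, path; ComboFix separates fields with spaces or a tab
SIGCHECK_LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+)\s+"
    r"(?P<md5>[0-9a-fA-F]{32})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Directories from which Windows actually executes these binaries. Anything
# under SoftwareDistribution\Download or $hf_mig$ is an installer cache/backup.
LIVE_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_sigcheck(text):
    """Turn the Sigcheck block into a list of dicts; blank/unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        directory, _, name = path.rpartition("\\")
        entries.append({
            "stamp": m.group("stamp"),
            "size": int(m.group("size")),
            "md5": m.group("md5").lower(),
            "path": path,
            "name": name.lower(),
            "dir": directory.lower(),
        })
    return entries


def is_live_copy(entry):
    return entry["dir"] in LIVE_DIRS


def triage(entries):
    """Per file name: the live copy's hash/size, whether an identical cached copy
    exists, and how far its size is from the closest cached copy."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["name"]].append(e)
    report = {}
    for name, copies in groups.items():
        live = [e for e in copies if is_live_copy(e)]
        cached = [e for e in copies if not is_live_copy(e)]
        if not live:
            continue  # nothing executable to judge
        live = live[0]
        report[name] = {
            "live_md5": live["md5"],
            "live_size": live["size"],
            "identical_to_cached_copy": live["md5"] in {e["md5"] for e in cached},
            "size_delta_vs_closest_cache": min(
                (abs(e["size"] - live["size"]) for e in cached), default=None),
        }
    return report


def verdict(report, reference_hashes):
    """Compare each live file with a caller-supplied known-good MD5. Only this
    comparison separates a legitimately different build from a patched binary."""
    out = {}
    for name, info in report.items():
        ref = reference_hashes.get(name)
        if ref is None:
            out[name] = "unverified: no reference hash supplied"
        elif ref.lower() == info["live_md5"]:
            out[name] = "matches reference"
        else:
            out[name] = "MISMATCH: live copy differs from reference; treat as suspect"
    return out


if __name__ == "__main__":
    rep = triage(parse_sigcheck(SIGCHECK_BLOCK))
    for name, info in sorted(rep.items()):
        print(f"{name:13s} md5={info['live_md5']} size={info['live_size']:>8} "
              f"identical_to_cache={info['identical_to_cached_copy']} "
              f"size_delta={info['size_delta_vs_closest_cache']}")
    # Placeholder reference (assumption): pretend only svchost.exe's hash has
    # been confirmed against clean media; the rest stay unverified.
    for name, v in sorted(verdict(rep, {"svchost.exe": "83bf18aab3e169d2a78dd2672d1525bb"}).items()):
        print(f"{name:13s} {v}")
```

On this log every live copy differs from all cached copies by roughly 1 to 2 KB, which is exactly the ambiguous picture the reply describes: consistent with an older build that was never replaced, and equally consistent with a file infector that appended code. The script deliberately refuses to call it either way until a trusted hash is supplied, which is what the sfc /scannow step in the reply is trying to obtain.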
GWitek (ASKER):
Tried sfc /scannow and it asked for the XP CD.
Sony VAIOs have a recovery partition, so I had to create the CDs using the VAIO software.
This didn't work. It said I couldn't supply the files needed.

It wanted XP Pro CDs and this has Media Center installed.
yuck.
I found a random Media Center 2005 CD lying around the office and it copied all the files off, but then when it rebooted it wanted to re-activate Windows, but then wouldn't (obviously because the CD was for a different machine).
OK, use Dr. WebCureIt at:

http://www.freedrweb.com/cureit/

Run a scan and see if it can pick up those system files and cure/disinfect them.
ASKER CERTIFIED SOLUTION by GWitek