GWitek
asked on
Help reading a log....Where to go from here?
1. Received this computer running VERY sluggish
2. Started in Safemode
3. Found that the regedit microsoft\currentversion\run was FILLED with about 1800 entries of random letter/number combinations.
4. There was a scheduled task that was created that ran every hour, not quite sure what it did.
4.5. Deleted all those entries and installed AVG
4.75. MS Antivirus 2009 was also installed but Malwarebytes took it out.
5. AVG is now barking about winlogon\PEpatch.AO and win32/PEPatch.AO but the files are in the "white-list" so I can prevent it from showing up.
6. All of my system restores were infected.
7. How should I proceed?
8. HijackThis is below
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:28 AM, on 2/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [InetChk] C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\ms1235428513.exe work (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O16 - DPF: {149e45d8-163e-4189-86fc-45022ab2b6c9} (SpinTop DRM Control) - file://C:\Program Files\TextTwist 2\Images\stg_drm.ocx
O16 - DPF: {cc450d71-cc90-424c-8638-1f2dbac87a54} (ArmHelper Control) - file://C:\Program Files\TextTwist 2\Images\armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: qbbmzu.dll nxtmft.dll vrixxu.dll qlythg.dll hinzvc.dll awcclt.dll mrzyoz.dll mzxmtv.dll fsjtnt.dll mcrxqg.dll cnnhda.dll kwhuji.dll slpwmq.dll pqfidp.dll nlnpaj.dll fjbiop.dll vqrzaa.dll yprmcx.dll dqhgqe.dll vmkkdw.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Image Converter video recording monitor for VAIO Entertainment - Sony Corporation - C:\Program Files\Sony\Image Converter 2\IcVzMon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VmGateway.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
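As an added example (not part of this thread and not a HijackThis feature), here is a small Python triage script for the two sections of the log above that matter most: O4 Run values that launch an executable from a Temp folder (here under the SYSTEM, NETWORK SERVICE and Default user hives, which is what makes the InetChk entries stand out), and the O20 AppInit_DLLs list, whose DLLs get loaded into every process that maps user32.dll. The sample input is copied from the log above with the wrapped paths repaired; the "random-looking name" heuristic is an assumption of this example, not a rule from any tool.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log above (paths de-garbled),
# with two benign Run values kept in for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [InetChk] C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\ms1235428513.exe work (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms1235345159.exe work (User 'Default user')
O20 - AppInit_DLLs: qbbmzu.dll nxtmft.dll vrixxu.dll qlythg.dll hinzvc.dll awcclt.dll mrzyoz.dll mzxmtv.dll fsjtnt.dll mcrxqg.dll cnnhda.dll kwhuji.dll slpwmq.dll pqfidp.dll nlnpaj.dll fjbiop.dll vqrzaa.dll yprmcx.dll dqhgqe.dll vmkkdw.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
"""


@dataclass
class Finding:
    rule: str                    # which heuristic fired
    section: str                 # HijackThis section the line came from
    detail: str                  # path or DLL name that triggered it
    note: str                    # one-line explanation for the analyst
    random_looking: bool = False # only meaningful for AppInit_DLLs entries


O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


def extract_image_path(cmd: str) -> str:
    """Pull the executable path out of an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_generated(dll: str) -> bool:
    """Heuristic assumed for this example (not a HijackThis rule): a stem of
    exactly six lowercase letters with at most two vowels. Legitimate Windows
    DLL names rarely have that shape; all twenty names in the log above do."""
    stem = dll.lower()
    if stem.endswith(".dll"):
        stem = stem[:-4]
    return (re.fullmatch(r"[a-z]{6}", stem) is not None
            and sum(c in "aeiou" for c in stem) <= 2)


def triage_hijackthis(log_text: str) -> list:
    """Return findings for Temp-folder autoruns and every AppInit_DLLs entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = extract_image_path(m.group("cmd"))
            # A Run value whose image lives under any \Temp\ folder is worth a look
            # regardless of hive; under SYSTEM or NETWORK SERVICE it is worse.
            if "\\temp\\" in path.lower():
                findings.append(Finding(
                    "autorun-from-temp", "O4", path,
                    f"Run value [{m.group('name')}] under {m.group('hive')} starts a binary from a Temp folder"))
            continue
        m = APPINIT_RE.match(line)
        if m:
            for dll in m.group("dlls").split():
                findings.append(Finding(
                    "appinit-dll", "O20", dll,
                    "AppInit_DLLs entry: loaded into every process that maps user32.dll",
                    random_looking=looks_generated(dll)))
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        flag = " (random-looking name)" if f.random_looking else ""
        print(f"[{f.rule}] {f.section} {f.detail}{flag}: {f.note}")
```

On the sample this reports the three InetChk autoruns and all twenty AppInit DLLs as random-looking, while the iTunes, ctfmon and AVG Winlogon Notify lines produce nothing. The AppInit rule deliberately fires on every entry: a non-empty AppInit_DLLs value on an XP box is rare enough that each name deserves a check, and the name heuristic only adds a priority hint.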
Sorry, I missed that you've already run MalwareBytes. Did you update it before scanning?
Let's worry about the System Restore later, all infected files in that folder are harmless right now and it's easy to delete them later on by turning off system Restore.
Can you run Combofix and show us the log?
ASKER
Here is the combo fix log
ComboFix 09-02-25.02 - Robert 2009-02-26 8:28:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.603 [GMT -6:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\setup.exe
c:\windows\system\oeminfo.ini
c:\windows\system32\bknuvhxj.ini
c:\windows\system32\fxqleaxb.ini
c:\windows\system32\koefsjrv.ini
c:\windows\system32\octvshbq.ini
c:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Legacy_new_drv
-------\Legacy_SYSREST.SYS
-------\Service_Iprip
((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.
2009-02-25 17:13 . 2009-02-25 17:13 <DIR> d-------- c:\program files\Alwil Software
2009-02-23 22:13 . 2009-02-23 22:13 552 --a------ c:\windows\system32\d3d8caps.dat
2009-02-23 21:44 . 2009-02-23 21:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 21:44 . 2009-02-23 21:44 <DIR> d-------- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-02-23 21:44 . 2009-02-23 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-23 21:44 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 21:44 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-19 18:33 . 2009-02-20 08:53 <DIR> d-------- c:\documents and settings\Robert\Shared
2009-02-19 18:33 . 2009-02-24 07:46 <DIR> d-------- c:\documents and settings\Robert\Incomplete
2009-02-19 18:32 . 2009-02-19 19:41 <DIR> d-------- c:\documents and settings\Robert\Application Data\LimeWire Music
2009-02-15 09:46 . 2009-02-15 09:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse
2009-02-15 09:45 . 2009-02-15 09:45 <DIR> d-------- c:\program files\TextTwist 2
2009-02-15 09:45 . 2009-02-15 09:45 <DIR> d-------- c:\documents and settings\Robert\Application Data\SpinTop
2009-02-15 09:45 . 2009-02-15 18:29 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-01-28 17:09 . 2009-02-17 18:02 0 --a------ c:\windows\system32\drivers\e164f576.sys
2009-01-28 17:08 . 2009-01-28 17:08 2 --a------ C:\1155048582
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 03:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-21 04:00 --------- d-----w c:\program files\Spybot
2009-02-21 03:54 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-21 03:21 --------- d-----w c:\program files\Trend Micro
2009-02-21 03:17 --------- d-----w c:\program files\LimeWire
2009-02-20 00:30 --------- d-----w c:\documents and settings\Robert\Application Data\LimeWire
2008-12-13 02:08 16,384 ----a-w c:\windows\DCEBoot.exe
2008-07-02 02:51 0 ----a-w c:\documents and settings\Robert\jagex_runescape_preferences.dat
2001-05-21 15:54 3,932 ------w c:\documents and settings\Robert\Application Data\CMLayout.dat
2008-09-08 13:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080908\index.dat
2008-09-15 23:02 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080915\index.dat
2008-09-22 13:54 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080922\index.dat
2008-09-23 01:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092220080923\index.dat
2008-09-24 23:25 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat
2008-09-26 04:30 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092520080926\index.dat
2008-09-27 01:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
2008-09-27 21:34 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092720080928\index.dat
.
------- Sigcheck -------
2008-04-13 18:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-10 09:00 17408 83bf18aab3e169d2a78dd2672d1525bb c:\windows\system32\svchost.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-10-16 00:18 506368 3fafcdd4cc0af9ab3ee695cd8e901b89 c:\windows\system32\winlogon.exe
2004-08-10 09:00 1034752 619bdce4bcd0331da1d982e07e5a9414 c:\windows\explorer.exe
2007-06-13 05:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 18:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2008-04-13 18:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-10 09:00 110592 f34dcda03b10b32c1402110e196d7097 c:\windows\system32\services.exe
2008-04-13 18:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-10 09:00 14848 b54c37eadae349b737240915774b9666 c:\windows\system32\lsass.exe
2005-06-10 18:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2008-04-13 18:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2004-08-10 09:00 58880 58d43b5a04410e765fdf1753b0b6038e c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 17:11 73728 c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-09-01 226304]
S1 5738137;5738137;c:\windows\system32\drivers\5738137.sys [2008-09-09 0]
S1 e164f576;e164f576;c:\windows\system32\drivers\e164f576.sys [2009-01-28 0]
S3 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\n457tnyv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1269415&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - P2P_Energy Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-26 08:32:08
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EvtEng]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\VESWinlogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-26 8:38:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-26 14:38:16
Pre-Run: 51,395,051,520 bytes free
Post-Run: 51,402,395,648 bytes free
158 --- E O F --- 2009-02-25 20:02:55
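The Sigcheck block in the log above lists several copies of each core binary with different MD5 hashes. As an added example (not part of the thread, and not ComboFix code), this Python parser groups those rows by file name and separates "different build" (different date or size) from "same build, different hash", the only case that on its own points at a file modified in place. On the sample, every hash difference lines up with a different build date (the 2004 SP2 files in system32 versus the 2008 update copies under SoftwareDistribution), which is worth weighing before swapping one set for the other, as the rest of the thread shows. The sample is the Sigcheck section copied as-is; the classification rule and the "live copy" test are assumptions of this example.

```python
import re
from collections import defaultdict

SIGCHECK_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<md5>[0-9a-fA-F]{32}) (?P<path>.+)$")

# Constructed sample: the Sigcheck section of the ComboFix log above, copied as-is.
SAMPLE_SIGCHECK = r"""
2008-04-13 18:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-10 09:00 17408 83bf18aab3e169d2a78dd2672d1525bb c:\windows\system32\svchost.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-10-16 00:18 506368 3fafcdd4cc0af9ab3ee695cd8e901b89 c:\windows\system32\winlogon.exe
2004-08-10 09:00 1034752 619bdce4bcd0331da1d982e07e5a9414 c:\windows\explorer.exe
2007-06-13 05:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 18:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2008-04-13 18:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-10 09:00 110592 f34dcda03b10b32c1402110e196d7097 c:\windows\system32\services.exe
2008-04-13 18:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-10 09:00 14848 b54c37eadae349b737240915774b9666 c:\windows\system32\lsass.exe
2005-06-10 18:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2008-04-13 18:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2004-08-10 09:00 58880 58d43b5a04410e765fdf1753b0b6038e c:\windows\system32\spoolsv.exe
"""


def parse_sigcheck(text: str) -> list:
    """Turn Sigcheck rows into dicts with date, time, size, md5, path and name."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["size"] = int(row["size"])
        row["md5"] = row["md5"].lower()
        row["name"] = row["path"].rsplit("\\", 1)[-1].lower()
        rows.append(row)
    return rows


def is_live_copy(path: str) -> bool:
    """Assumed rule: the copy Windows actually runs sits in system32 or directly
    in the Windows root; update caches and hotfix backups are anything deeper."""
    p = path.lower()
    return (p.startswith("c:\\windows\\system32\\")
            or re.fullmatch(r"c:\\windows\\[^\\]+", p) is not None)


def assess(rows: list) -> dict:
    """Per binary: number of copies, number of distinct builds (date+size),
    the live copy, and any build whose copies disagree on MD5. Only that last
    list suggests in-place modification; the rest are versions side by side."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["name"]].append(r)
    report = {}
    for name, copies in by_name.items():
        builds = defaultdict(set)
        for c in copies:
            builds[(c["date"], c["size"])].add(c["md5"])
        live = [c for c in copies if is_live_copy(c["path"])]
        report[name] = {
            "copies": len(copies),
            "builds": len(builds),
            "live": live[0] if live else None,
            "same_build_hash_conflicts": [b for b, h in builds.items() if len(h) > 1],
        }
    return report


if __name__ == "__main__":
    for name, info in assess(parse_sigcheck(SAMPLE_SIGCHECK)).items():
        live = info["live"]
        live_desc = f'{live["date"]} {live["md5"]}' if live else "none found"
        print(f'{name}: {info["copies"]} copies, {info["builds"]} builds, live copy {live_desc}, '
              f'same-build hash conflicts: {info["same_build_hash_conflicts"] or "none"}')
```

A hash mismatch between two copies of the same file name is not by itself evidence of patching; the parser makes that explicit by keying on (date, size) first. To go further than this log allows, the live copy's MD5 would have to be compared against a known-good hash for that exact version, which the page does not supply.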
ASKER
Running a Malwarebyte's scan causes AVG to report this. The malware scan comes up with no infections however.
AVGReports.JPG
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the bold text below into Notepad:
Driver::
5738137
e164f576

FCopy::
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe | c:\windows\explorer.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe | c:\windows\system32\services.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe | c:\windows\system32\lsass.exe
c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe | c:\windows\system32\spoolsv.exe

File::
c:\windows\system32\drivers\e164f576.sys
C:\1155048582
c:\windows\system32\drivers\5738137.sys
Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not click on combofix's window while it's running. That may cause it to stall.
ASKER
In the middle of the Combofix it warned about Windows File Protection. Then it manually rebooted itself.
You've got to be kidding me...
It's going through an endless boot cycle now.
ASKER
*Sorry not manually. It automatically rebooted itself.
Safe Mode produces the same results, just keeps rebooting...
ASKER
This is very urgent!
Looks like it cooked the registry. I have no idea how to go about getting this fixed and need help ASAP!
It didn't like the files that were replaced.
Boot up with the Windows XP CD and choose to run the recovery console since it wasn't installed when you ran ComboFix. See the below for more instructions on how to enter the recovery console:
http://pcsupport.about.com/od/fixtheproblem/ss/rconsole.htm
Once you are in and at the command prompt, type in each of the following lines and hit ENTER key after each line below:
ren c:\windows\system32\svchost.exe c:\windows\system32\svchost.exe.old
ren c:\windows\system32\winlogon.exe c:\windows\system32\winlogon.exe.old
ren c:\windows\explorer.exe c:\windows\explorer.exe.old
ren c:\windows\system32\services.exe c:\windows\system32\services.exe.old
ren c:\windows\system32\lsass.exe c:\windows\system32\lsass.exe.old
ren c:\windows\system32\spoolsv.exe c:\windows\system32\spoolsv.exe.old
move C:\Qoobox\Quarantine\C\WINDOWS\system32\svchost.exe.vir c:\windows\system32\svchost.exe
move C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir c:\windows\system32\winlogon.exe
move C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir c:\windows\explorer.exe
move C:\Qoobox\Quarantine\C\WINDOWS\system32\services.exe.vir c:\windows\system32\services.exe
move C:\Qoobox\Quarantine\C\WINDOWS\system32\lsass.exe.vir c:\windows\system32\lsass.exe
move C:\Qoobox\Quarantine\C\WINDOWS\system32\spoolsv.exe.vir c:\windows\system32\spoolsv.exe
exit
Remove the Windows CD and see if it will boot up properly now. If so, post the log file for ComboFix at C:\ComboFix\ComboFix.txt
What is the exact error you're getting?
F8 on boot -> Disable automatic restart on failure. Look at the stop codes and report back with what they are. You're looking for long numbers / characters, something like this:
0x0000007b
0x0000000a
c000021a
I don't believe there are any error codes at this point. It's going through that "infinite" restart loop where it tries to boot to Windows and fails, then automatically restarts itself.
ASKER
greynight,
I can't rename the files because they don't appear to be in the directory; if I try to access \Qoobox it says access is denied.
Dooflegna,
I tried that and the screen just goes black and sit there. No error codes.
ASKER
It's also saying the move command is not supported in the recovery console. Can I "copy"?
ASKER
Update:
Since it appears like the files were deleted, I performed the following command
expand d:\i386\winlogon.exe c:\windows\system32
Then I checked the c:\windows\system32 files and voilà! The file was there!
The computer doesn't reboot automatically anymore! I get a cursor and black screen! Could this be light at the end of the tunnel? I'm going to keep going down this route for the files that greynight listed above and will update.
Yes, you may use copy, but you will need to rename to remove the .vir extension. Try to locate the directory where the backups are made. They should be in the qoobox directory followed by the path to the removed files (c:\windows\system32\svchost.exe = c\windows\system32\svchost.exe.vir).
It should allow you access to that folder. Make sure you start from the root c: folder first:
cd\
....followed by the other commands to run
ASKER
when I do a "dir" at c:\ I get the list but a lot of the folders have a size of 0 and a d------- in the attributes.
What does this mean?
I'm still getting "access is denied"
ASKER
Restrictions and limitations of the Recovery Console
When you use the Windows Recovery Console, you can use only the following items:
• The root folder
• The %SystemRoot% folder and the subfolders of the Windows installation that you are currently logged on to
• The Cmdcons folder
• The removable media drives such as the CD-ROM drive or the DVD-ROM drive
Note If you try to obtain access to other folders, you may receive an "Access Denied" error message. Also, when you are using the Windows Recovery Console, you cannot copy a file from the local hard disk to a floppy disk. However, you can copy a file from a floppy disk or from a CD-ROM to a hard disk, and you can copy a file from one hard disk to another hard disk.
I'm going to use BARTPE
http://www.nu2.nu/pebuilder/
ASKER
Sorry for all of the updates:
I restored the files using BartPE. Awesome awesome news.
Here's the latest combofix. Let's try this again.
ComboFix 09-02-26.02 - Robert 2009-02-27 10:49:38.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.599 [GMT -6:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system\oeminfo.ini
.
---- Previous Run -------
.
C:\1155048582
c:\windows\system32\drivers\5738137.sys
c:\windows\system32\drivers\e164f576.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_5738137
-------\Service_e164f576
((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
.
2009-02-27 10:45 . 2009-02-27 10:45 <DIR> d-------- c:\windows\LastGood
2009-02-27 03:37 . 2004-08-10 09:00 58,880 --a------ c:\windows\system32\spoolsv.exe
2009-02-27 03:36 . 2004-08-10 09:00 14,848 --a------ c:\windows\system32\lsass.exe
2009-02-27 03:35 . 2004-08-10 09:00 110,592 --a------ c:\windows\system32\services.exe
2009-02-27 03:34 . 2004-08-10 09:00 1,034,752 --a------ c:\windows\explorer.exe
2009-02-27 03:32 . 2004-08-10 09:00 17,408 --a------ c:\windows\system32\svchost.exe
2009-02-27 03:25 . 2004-10-16 00:18 506,368 --a------ c:\windows\system32\winlogon.exe
2009-02-26 12:00 . 2009-02-26 13:18 <DIR> d--h----- C:\$AVG8.VAULT$
2009-02-26 08:48 . 2009-02-26 08:48 10,520 --a------ c:\windows\system32\avgrsstx.dll
2009-02-26 08:47 . 2009-02-27 10:42 <DIR> d-------- c:\windows\system32\drivers\Avg
2009-02-26 08:47 . 2009-02-26 08:47 <DIR> d-------- c:\program files\AVG
2009-02-26 08:47 . 2009-02-27 09:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-26 08:47 . 2009-02-26 08:47 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
2009-02-25 17:13 . 2009-02-25 17:13 <DIR> d-------- c:\program files\Alwil Software
2009-02-23 22:13 . 2009-02-23 22:13 552 --a------ c:\windows\system32\d3d8caps.dat
2009-02-23 21:44 . 2009-02-23 21:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-23 21:44 . 2009-02-23 21:44 <DIR> d-------- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-02-23 21:44 . 2009-02-23 21:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-23 21:44 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-23 21:44 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-19 18:33 . 2009-02-26 12:13 <DIR> d-------- c:\documents and settings\Robert\Shared
2009-02-19 18:33 . 2009-02-24 07:46 <DIR> d-------- c:\documents and settings\Robert\Incomplete
2009-02-19 18:32 . 2009-02-19 19:41 <DIR> d-------- c:\documents and settings\Robert\Application Data\LimeWire Music
2009-02-15 09:46 . 2009-02-15 09:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\GameHouse
2009-02-15 09:45 . 2009-02-15 09:45 <DIR> d-------- c:\program files\TextTwist 2
2009-02-15 09:45 . 2009-02-15 09:45 <DIR> d-------- c:\documents and settings\Robert\Application Data\SpinTop
2009-02-15 09:45 . 2009-02-15 18:29 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 03:26 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-21 04:00 --------- d-----w c:\program files\Spybot
2009-02-21 03:54 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-21 03:21 --------- d-----w c:\program files\Trend Micro
2009-02-21 03:17 --------- d-----w c:\program files\LimeWire
2009-02-20 00:30 --------- d-----w c:\documents and settings\Robert\Application Data\LimeWire
2008-12-13 02:08 16,384 ----a-w c:\windows\DCEBoot.exe
2008-07-02 02:51 0 ----a-w c:\documents and settings\Robert\jagex_runescape_preferences.dat
2001-05-21 15:54 3,932 ------w c:\documents and settings\Robert\Application Data\CMLayout.dat
2008-09-08 13:41 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080908\index.dat
2008-09-15 23:02 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080915\index.dat
2008-09-22 13:54 49,152 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091520080922\index.dat
2008-09-23 01:20 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092220080923\index.dat
2008-09-24 23:25 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat
2008-09-26 04:30 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092520080926\index.dat
2008-09-27 01:49 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092620080927\index.dat
2008-09-27 21:34 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092720080928\index.dat
.
------- Sigcheck -------
2008-04-13 18:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-10 09:00 17408 83bf18aab3e169d2a78dd2672d1525bb c:\windows\system32\svchost.exe
2008-04-13 18:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2004-10-16 00:18 506368 3fafcdd4cc0af9ab3ee695cd8e901b89 c:\windows\system32\winlogon.exe
2004-08-10 09:00 1034752 619bdce4bcd0331da1d982e07e5a9414 c:\windows\explorer.exe
2007-06-13 05:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 18:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2008-04-13 18:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\services.exe
2004-08-10 09:00 110592 f34dcda03b10b32c1402110e196d7097 c:\windows\system32\services.exe
2008-04-13 18:12 13312 bf2466b3e18e970d8a976fb95fc1ca85 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\lsass.exe
2004-08-10 09:00 14848 b54c37eadae349b737240915774b9666 c:\windows\system32\lsass.exe
2005-06-10 18:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2008-04-13 18:12 57856 d8e14a61acc1d4a6cd0d38aebac7fa3b c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
2004-08-10 09:00 58880 58d43b5a04410e765fdf1753b0b6038e c:\windows\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-02-26_ 8.36.54.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-26 14:47:58 27,656 ----a-w c:\windows\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-02-26 1601304]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-02-26 08:48 10520 c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2006-06-20 17:11 73728 c:\windows\system32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-02-26 325128]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-02-26 298264]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-09-01 226304]
S3 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
.
Contents of the 'Scheduled Tasks' folder
2009-02-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\n457tnyv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1269415&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - P2P_Energy Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 10:52:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EvtEng]
"ImagePath"=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\VESWinlogon.dll
.
Completion time: 2009-02-27 10:54:25
ComboFix-quarantined-files.txt 2009-02-27 16:53:47
ComboFix2.txt 2009-02-26 14:38:38
Pre-Run: 51,013,218,304 bytes free
Post-Run: 50,998,452,224 bytes free
165 --- E O F --- 2009-02-27 16:46:13
ComboFix.txt
Glad you got it up and running again. Does AVG still detect those files as being suspicious?
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Go back to the System Restore tab and uncheck the same box to enable System Restore.
ASKER
Yes AVG keeps detecting them.
Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD. Otherwise, it will auto-close after it's done.
Those files might be patched since AVG keeps flagging them. And failing for the sigcheck could mean they really are patched/infected system files or corrupted.
Strange that Combofix didn't flag them as infected though because that's what it looks like, could be sality or even virut.
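The reply above reasons from the Sigcheck section of the ComboFix log: each critical binary is listed once per copy on disk with its MD5, so a live file can be compared with the copies Windows Update and hotfix installers left behind. As an added example (not the thread's or ComboFix's own code), this Python script groups those lines by file name and reports whether the live copy's hash matches a cached copy; the four sample lines are copied from the log above, while the `CACHE_DIRS` set and the verdict names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: four lines copied from the Sigcheck section of the ComboFix log
# above, in its "date time size md5 path" layout.
SIGCHECK_SAMPLE = r"""
2008-04-13 18:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\svchost.exe
2004-08-10 09:00 17408 83bf18aab3e169d2a78dd2672d1525bb c:\windows\system32\svchost.exe
2004-08-10 09:00 1034752 619bdce4bcd0331da1d982e07e5a9414 c:\windows\explorer.exe
2007-06-13 05:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
"""

SIG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) ([0-9a-f]{32}) (.+)$")
# Assumed set of directories where Windows Update / hotfix installers keep reference
# copies; any path outside them is treated as the live binary.
CACHE_DIRS = ("\\softwaredistribution\\", "\\$hf_mig$\\")


def parse_sigcheck(text):
    """Turn Sigcheck lines into dicts; lines that do not fit the layout are skipped."""
    entries = []
    for line in text.strip().splitlines():
        m = SIG_RE.match(line)
        if not m:
            continue
        _date, _time, size, md5, path = m.groups()
        low = path.lower()
        entries.append({"name": low.rsplit("\\", 1)[-1], "size": int(size), "md5": md5,
                        "path": path, "cached": any(d in low for d in CACHE_DIRS)})
    return entries


def triage_sigcheck(text):
    """Per binary name: the live copy, the cached reference copies and a verdict."""
    groups = defaultdict(lambda: {"live": None, "refs": []})
    for e in parse_sigcheck(text):
        g = groups[e["name"]]
        if e["cached"]:
            g["refs"].append(e)
        else:
            g["live"] = e
    for g in groups.values():
        live = g["live"]
        if live is None:
            g["verdict"] = "no-live-copy"
        elif live["md5"] in {r["md5"] for r in g["refs"]}:
            g["verdict"] = "matches-update-cache"  # byte-identical to a known cached copy
        else:
            # Either a different (e.g. older) version or a patched file. The log alone cannot
            # tell: hash the live file and compare with a known-good hash for that exact version.
            g["verdict"] = "unverified"
    return dict(groups)
```

In the log above every live binary comes out "unverified", which is exactly the expert's point: the Sigcheck listing shows the hashes differ from the cached copies but cannot by itself say whether that is a version difference or a patched file.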
ASKER
Tried sfc /scannow and it asked for the XP CD.
Sony VAIOs have a recovery partition, so I had to create the CDs using the VAIO software.
This didn't work. It said I couldn't supply the files needed.
It wanted XP Pro CDs and this is MediaCenter installed.
yuck.
I found a random Media Center 2005 CD laying around the office and it copied all the files off, but then when it rebooted it wanted to re-activate Windows, but then wouldn't (obviously because the CD was to a different machine).
OK, use Dr. WebCureIt at:
http://www.freedrweb.com/cureit/
Run a scan and see if it can pick up those system files and cure/disinfect them.
ASKER CERTIFIED SOLUTION
O4 - HKUS\S-1-5-20\..\Run: [InetChk] C:\DOCUME~1\NETWOR~1\LOCAL
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\ms12353451
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\ms12353451
O20 - AppInit_DLLs: qbbmzu.dll nxtmft.dll vrixxu.dll qlythg.dll hinzvc.dll awcclt.dll mrzyoz.dll mzxmtv.dll fsjtnt.dll mcrxqg.dll cnnhda.dll kwhuji.dll slpwmq.dll pqfidp.dll nlnpaj.dll fjbiop.dll vqrzaa.dll yprmcx.dll dqhgqe.dll vmkkdw.dll
Hi,
Fix the above entries in Hijackthis and run either one of the tools below and show us the log please.
Download Malwarebytes' Anti-Malware to your desktop, check for the tool's Updates before running a scan.
http://www.malwarebytes.or
If you can't access the above link then use this link and rename the file before saving to your desktop.
http://www.download.com/Ma
Please download ComboFix by sUBs:
http://download.bleepingco
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
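The entries the solution tells the asker to fix share two shapes: Run values under the service-account and default-profile hives that launch an executable from a Temp folder, and an AppInit_DLLs value stuffed with pathless random-looking DLL names. As an added example (not HijackThis code and not part of the thread), this Python script applies those two checks to O4/O20 lines; the sample lines are modelled on the ones quoted above with placeholder Temp file names, and the `SYSTEM_HIVES` list and the DLL-name heuristic are assumptions.

```python
import re

# Constructed sample modelled on the HijackThis entries quoted above; the Temp-folder
# file names are placeholders (msXXXXXXXXXX.exe), not the real ones from the log.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [InetChk] C:\DOCUME~1\NETWOR~1\LOCALS~1\Temp\msXXXXXXXXXX.exe work (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [InetChk] C:\WINDOWS\TEMP\msXXXXXXXXXX.exe work (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [InetChk] C:\WINDOWS\TEMP\msXXXXXXXXXX.exe work (User 'Default user')
O20 - AppInit_DLLs: qbbmzu.dll nxtmft.dll vrixxu.dll qlythg.dll hinzvc.dll awcclt.dll
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Run keys of the service accounts and the default profile, as HijackThis prints the hive
# (assumed list): an ordinary user application has no reason to register there.
SYSTEM_HIVES = ("HKUS\\S-1-5-18", "HKUS\\S-1-5-19", "HKUS\\S-1-5-20", "HKUS\\.DEFAULT")
# Heuristic: a pathless DLL with a short, all-lowercase stem, the shape of the O20 entries above.
BARE_RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")


def triage_hijackthis(text):
    """Return (item, severity, reason, line) findings for the O4/O20 lines in text."""
    findings = []
    for line in text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            reasons = []
            if TEMP_DIR_RE.search(m.group("cmd")):
                reasons.append("launches from a Temp folder")
            if m.group("hive").startswith(SYSTEM_HIVES):
                reasons.append("registered under a service/default-profile Run key")
            if reasons:
                findings.append(("O4", "high", f"[{m.group('name')}] " + "; ".join(reasons), line))
            continue
        m = O20_RE.match(line)
        if m:
            dlls = m.group("dlls").split()
            odd = [d for d in dlls if BARE_RANDOM_DLL.match(d)]
            if odd:
                # AppInit_DLLs is loaded into every process that maps user32.dll.
                findings.append(("O20", "high",
                                 f"AppInit_DLLs injects {len(odd)} pathless random-looking DLL(s)", line))
            elif dlls:
                findings.append(("O20", "review", "AppInit_DLLs is non-empty; confirm each DLL is expected", line))
    return findings
```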