What happened to my windoze?

Peegee
09-11-2007, 01:58 AM
I can't run Task Manager or regedit. Group Policy is fine. When Task Manager or regedit runs, it shuts down right away.

I ran antivirus and spyware scans -- they come back clean. I downloaded HijackThis and it doesn't run -- same behaviour of starting, then shutting down (the installer, that is).

I renamed the executable and was able to run it. I have suspicions of what might've happened but lack the know-how to fix it.

Here's the logfile. I'll be scanning this as well. Hopefully I know what I'm looking for. Any other things to do?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:50 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\Executor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Gaim\gaim.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\1HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google (http://www.google.ca/)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 209.183.131.91 i # inscriber.com
O1 - Hosts: 66.35.250.150 s # slashdot.org
O1 - Hosts: 216.239.39.99 g # google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [\\animatrix\EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P42 "\\animatrix\EPSON Stylus Photo R200 Series" /O6 "USB002" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [Auto EPSON Stylus Photo R200 Series on animatrix] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P48 "Auto EPSON Stylus Photo R200 Series on animatrix" /O20 "\\ANIMATRIX\EPSONSty" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ServUTrayIcon] C:\Program Files\RhinoSoft.com\Serv-U\ServUTray.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Windows Update] C:\WINDOWS\system32\Executor.exe
O4 - Startup: Azureus.lnk = C:\Program Files\Azureus\Azureus.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = D:\Program Files\Adobe\Reader\AdobeCollabSync.exe
O4 - Global Startup: Gaim.lnk = C:\Program Files\Gaim\gaim.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187397231062
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 5870 bytes

Odaisé Gaelach
09-11-2007, 02:23 AM
I still think that it's a virus or some kind of spyware. The regedit and taskmgr programs themselves are fine - you rename the file, and they start.

Try this: rename regedit to something else. Now rename notepad to regedit, and try to start it. If it doesn't start, then there's some virus on your computer that's deliberately looking for regedit.exe and killing it. Something that the scans missed.

And if you have time, see if you can run regedit and taskmgr in Safe Mode.
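The rename test in the post above, turned into a repeatable control-versus-decoy check. This is an added example, not from the thread: a harmless program is placed in a temporary folder twice, once under a neutral name and once under the decoy name, and each copy is watched for a few seconds. If the control stays up but the decoy dies, something is terminating processes by image name. Assumptions: on Windows the harmless program is a copy of notepad.exe from System32 under %SystemRoot%; on any other OS a two-line sh script that sleeps stands in so the logic can be exercised anywhere.

```python
"""Reproducible form of the 'rename notepad to regedit.exe' test above.

Added example, not from the thread.  A harmless program is written to a
temporary folder twice: once under a neutral name (the control) and once
under the decoy name.  Each copy is started and watched for a few seconds.
If the control stays up but the decoy is gone, something on the machine is
terminating processes by image name, which is exactly what the thread
suspects.  Assumptions: on Windows the harmless program is a copy of
notepad.exe from System32 under SystemRoot; on any other OS a two-line sh
script that sleeps stands in, so the logic can be exercised anywhere.
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List


def make_benign_program(folder: Path, name: str) -> List[str]:
    """Create a harmless, long-running program under `name`; return its argv."""
    target = folder / name
    if os.name == "nt":
        system32 = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"
        shutil.copy2(system32 / "notepad.exe", target)
    else:
        target.write_text("#!/bin/sh\nexec sleep 30\n")
        target.chmod(0o755)
    return [str(target)]


def survives(argv: List[str], watch_seconds: float) -> bool:
    """Start argv; True if it is still alive after watch_seconds (it is then stopped)."""
    proc = subprocess.Popen(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    try:
        proc.wait(timeout=watch_seconds)
        return False                     # exited, or was killed, before the deadline
    except subprocess.TimeoutExpired:
        proc.terminate()
        proc.wait()
        return True


def name_kill_probe(decoy_name: str = "regedit.exe", watch_seconds: float = 3.0) -> Dict[str, object]:
    """Run control and decoy copies and interpret the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        control = survives(make_benign_program(folder, "control_copy.exe"), watch_seconds)
        decoy = survives(make_benign_program(folder, decoy_name), watch_seconds)
    if not control:
        verdict = "inconclusive: even the control copy did not stay up"
    elif not decoy:
        verdict = f"suspect: a process named {decoy_name} is being terminated by image name"
    else:
        verdict = "no name-based kill observed"
    return {"control_survived": control, "decoy_survived": decoy, "verdict": verdict}


if __name__ == "__main__":
    for key, value in name_kill_probe().items():
        print(f"{key}: {value}")
```

The control copy matters: without it, a decoy that fails to start for an unrelated reason (missing permissions, a broken copy) would look like a kill. Running the same probe with other decoy names (taskmgr.exe, the scanner's own file name) shows how wide the name list being watched is, which is what the original poster later found by renaming HijackThis.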

Peegee
09-11-2007, 03:38 AM
I also think it's a virus / spyware. Your test is interesting, and this is my result: I renamed hijackthis.exe to regedit.exe and it also behaved the same way. Currently my PC is in Safe Mode and I am running a virus scan on it (also, regedit / taskmgr work fine in Safe Mode).

Computers in this network have been compromised too many times. A month or so ago my brother had virus problems that I was not able to clean up until several runs in Safe Mode. Recently he had this odd issue where he couldn't surf the net, which was fixed rather quickly, and now my PC gets hit.

I r scared panda.

Odaisé Gaelach
09-11-2007, 05:40 AM
I also think it's a virus / spyware. Your test is interesting, and this is my result: I renamed hijackthis.exe to regedit.exe and it also behaved the same way. Currently my PC is in Safe Mode and I am running a virus scan on it (also, regedit / taskmgr work fine in Safe Mode).

Computers in this network have been compromised too many times. A month or so ago my brother had virus problems that I was not able to clean up until several runs in Safe Mode. Recently he had this odd issue where he couldn't surf the net, which was fixed rather quickly, and now my PC gets hit.

I r scared panda.

I know, brother bear. If it's killing a program called (but not necessarily) regedit.exe in normal mode, I'd bet that it's a virus. The virus doesn't get started in Safe Mode, so that's why it doesn't affect regedit or taskmgr there.

Download Process Explorer for Windows v11.0 (http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx) from Microsoft's website. Run it, and select the Image Path column (from View... Select Columns).

What I think you should do is start killing processes one by one and running regedit. The process whose killing allows regedit to run is the guilty party. Start by killing everything outside of C:\WINDOWS. Even if you're sure the process isn't a virus, kill it anyway.

Any process that immediately restarts after you kill it is also a prime suspect. Make a note of that process name and path. Let me know how you get on.

Rostum
09-11-2007, 06:50 AM
Computers in this network have been compromised too many times. A month or so ago my brother had virus problems that I was not able to clean up until several runs in Safe Mode. Recently he had this odd issue where he couldn't surf the net, which was fixed rather quickly, and now my PC gets hit.

Make sure he's not surfing any porn or warez websites. Not saying this as a joke, but just that they are all filled with viruses. If he wants porn, just torrent it. If he doesn't, then ignore this post. :D

Baloki
09-11-2007, 09:17 AM
MAKE SURE YOU TURN OFF SYSTEM RESTORE BEFORE YOU START TRYING TO FIX ANYTHING!

Just as a note :p

Peegee
09-11-2007, 01:41 PM
Found it -- Executor.exe, but it comes and goes too quickly. McAfee was able to stop it but not delete it, and the file does not exist on my computer under that name. However, my McAfee subscription renewed, and I downloaded Norton Corporate -- it doesn't find it.

:grrr:

I was able to stop it using process explorer, but naturally it restores itself upon reboot.

Ugh...I have to work, but that's the update.

Baloki
09-11-2007, 02:46 PM
Start Menu > Run > type 'msconfig' > find it in there and remove it from the list?

Peegee
09-11-2007, 02:51 PM
Start Menu > Run > type 'msconfig' > find it in there and remove it from the list?

Good idea. I will try it tonight. Though, why is it I can't find it as a file from cmd?

Baloki
09-11-2007, 03:07 PM
Could be a Rootkit?

o_O
09-11-2007, 03:14 PM
It's probably installed itself as some kind of rootkit-like program. That would explain your not being able to locate the file. It would also mean it likely wouldn't show up in task manager or msconfig though. It might also be moving itself around and copying itself to make removal difficult.

Nothing really jumps out from Google, other than "backdoor.executor.a.exe", which definitely is a rootkit-like program (it's a RAT). I would get RootkitRevealer from Microsoft and see if that turns anything up.

Edit: Baloki beat me. :p

Serapy
09-11-2007, 06:56 PM
Hmm, if it's not a virus or spyware, try reinstalling the drivers that make Task Manager and regedit function. Apparently, I don't know what the drivers are called :(.

But if you think it's a virus or spyware, then which downloaded file do you think caused the problem? Go find that file and use an online scanner on it. If it finds the virus, search for the virus name via Google; there may be solutions (e.g. a repair tool for the virus).

crono_logical
09-13-2007, 04:11 PM
As Baloki/Face said, it's probably a rootkit :p I'd recommend wiping the machine as per the usual process. I've tried to remove one of these from my uncle's machine before, but it had somehow even infected Safe Mode (making it no longer safe either :p), and with the continuously changing name and other stuff it was doing, the time required to disinfect the machine properly isn't worth it compared to a clean reinstall :p

Baloki
09-13-2007, 04:51 PM
You can blame Sony for the introduction of Rootkits into the mainstream :D

Peegee
09-17-2007, 10:36 PM
I've since reimaged the machine, and picked up Norton Ghost to get clean images (stored on another drive ... I may consider moving them to another computer).

This rootkit notion is pretty interesting -- I was curious the entire time whether it would be worth my time to install the hard drive as a slave in another PC to clean it: does the renaming mechanism work there too?

Even BartPE didn't find the executable, btw, so maybe not.

o_O
09-18-2007, 02:51 AM
The main objective of the rootkit is to do bad stuff, or to allow someone to do bad stuff, to your computer. The second objective is for the rootkit to hide itself and totally conceal its tracks (25-odd years of experience means people are pretty good at it by now :p), which is why it's probably more efficient to just wipe the drive and reinstall.

As far as I know, rootkits tend to install themselves in low layers of the operating system like the kernel or the OS layer. If you switched the drive over to a new PC as a slave, then, since the PC is booting from a different kernel/registry/OS, more than likely you'd be able to clean the drive without having to worry about stuff jumping around the place.

That's about all you'd gain, though, because you'd still be trawling through hundreds of files without knowing for sure what to look for. You would have to export the registry from the infected PC and search it for bad keys, and again, you couldn't know exactly what to look for. The registry would presumably contain a few null keys as well, which you can't see but have to find anyway. :p