malware causes system.exe process to hog 100%cpu

Discussion in 'Malware Help (A Specialist Will Reply)' started by tbrunojr, Feb 21, 2011.

  1. tbrunojr

    tbrunojr Private E-2

    Malware is causing the system.exe process to hog 100% of my CPU.

    Using 'process explorer.exe' I can see that more specifically, under the system.exe process, the key that is hogging my cpu is:

    HKLM\SYSTEM\ControlSet006\Enum\___________

    Where ____ changes momentarily between USB, Root, SW, HID, etc., etc.,

    The problem is so bad that I can no longer run any programs under a normal windows boot... the cpu is too busy.

    Therefore, I was only able to follow all of your recommended procedures in 'SAFE MODE with NETWORKING'.

    I will attach all requested logs as prescribed, plus a log for Sophos Rootkit scan.

    Thanks so much in advance.
     

    Attached Files:

  2. tbrunojr

    tbrunojr Private E-2

    attaching other logs below...
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there and welcome. I am currently reviewing your logs and will get back to you with a set of instructions in the next post I make to you.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please attach the 4 logs from running SUPERantispyware on 21st feb.

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {074C1DC5-9320-4A9A-947D-C042949C6216} - (no file)
    O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file)
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O23 - Service: BEYRPD - Unknown owner - C:\DOCUME~1\TOMBRU~1\LOCALS~1\Temp\BEYRPD.exe (file missing)
    O23 - Service: OYOXDKKN - Unknown owner - C:\DOCUME~1\TOMBRU~1\LOCALS~1\Temp\OYOXDKKN.exe (file missing)
    O23 - Service: YSRKXTLQD - Unknown owner - C:\DOCUME~1\TOMBRU~1\LOCALS~1\Temp\YSRKXTLQD.exe (file missing)
    O24 - Desktop Component 1: (no name) - http://bbfm.tumblr.com/photo/1280/176967979/1/tumblr_kp8gvevKuN1qzqzpg

    After clicking Fix exit HJT.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    BEYRPD
    OYOXDKKN
    YSRKXTLQD
    File::
    c:\docume~1\TOMBRU~1\LOCALS~1\Temp\BEYRPD.exe
    c:\docume~1\TOMBRU~1\LOCALS~1\Temp\OYOXDKKN.exe
    c:\docume~1\TOMBRU~1\LOCALS~1\Temp\YSRKXTLQD.exe
    Registry::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{074C1DC5-9320-4A9A-947D-C042949C6216}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}]
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
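    The HijackThis lines selected above follow a fixed format (O2 BHO entries and O23 service entries), and the signals the helper is reacting to are visible in the lines themselves: a BHO CLSID with "(no file)" behind it, and services registered to binaries under a Temp folder that are reported "(file missing)". The following script is an added example, not part of this thread or of HijackThis/MGtools; it parses lines in that format and flags exactly those signals so a log can be triaged before anything is fixed. The sample log is constructed here from the entries quoted in this post plus two ordinary-looking entries for contrast; the vendor names and paths in those contrast lines are made up.

```python
import re

# Constructed sample: the first and third lines are copied from the
# HijackThis output quoted in this thread; the other two are made-up
# "normal" entries used for contrast.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {074C1DC5-9320-4A9A-947D-C042949C6216} - (no file)
O2 - BHO: Example Toolbar - {11111111-2222-3333-4444-555555555555} - C:\Program Files\ExampleVendor\toolbar.dll
O23 - Service: BEYRPD - Unknown owner - C:\DOCUME~1\TOMBRU~1\LOCALS~1\Temp\BEYRPD.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\Program Files\ExampleVendor\svc.exe
"""

# O2 lines: "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"
)
# O23 lines: "O23 - Service: <name> - <owner> - <exe path> [(file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?: \((?P<flag>file missing)\))?$"
)
# Match a "\Temp\" component anywhere in a path, case-insensitively.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def triage_hjt(log_text: str) -> list[dict]:
    """Return one finding per HJT line that shows a cleanup-worthy signal.

    Each finding is {"type": "O2"|"O23", "name": ..., "reasons": [...]}.
    Lines with no signal produce nothing; unrecognised lines are skipped.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O2_RE.match(line)
        if m:
            reasons = []
            if m["path"].lower() == "(no file)":
                reasons.append("BHO CLSID is registered but its DLL is gone")
            if m["name"] == "(no name)":
                reasons.append("BHO has no display name")
            if reasons:
                findings.append({"type": "O2", "name": m["name"], "reasons": reasons})
            continue

        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["flag"] == "file missing":
                reasons.append("service binary is missing (orphaned registration)")
            if TEMP_DIR_RE.search(m["path"]):
                reasons.append("service binary lives under a Temp directory")
            if m["owner"] == "Unknown owner":
                reasons.append("no owner/vendor recorded for the service")
            if reasons:
                findings.append({"type": "O23", "name": m["name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{f['type']:<4} {f['name']}")
        for r in f["reasons"]:
            print(f"      - {r}")
```

    The service regex keeps the path lazy and makes the "(file missing)" suffix optional, so a service whose binary still exists parses to the same fields with `flag` set to `None`; a Temp-directory ImagePath is flagged on its own because a service that survives only as a registration pointing into a per-user Temp folder is the pattern the O23 lines above show.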
     
  5. tbrunojr

    tbrunojr Private E-2

    Hi, thanks for looking into this for me. Just to reiterate, I'm following each and all of your steps in safe mode with networking, since it is the only way I can function.

    I was able to follow all of your instructions and have enclosed both requested logs.

    I'm staying tuned for more instructions, as there have been no improvements.

    Thanks again!
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    This should hopefully straighten things out for you. Combofix claimed it had replaced infected system files but it did not work, so let's try again.

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Fcopy::
    C:\WINDOWS\ServicePackFiles\i386\regedit.exe | c:\windows\regedit.exe 
    C:\WINDOWS\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe 
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
     
  7. tbrunojr

    tbrunojr Private E-2

    it is 6pm PST. I get home from work at 7:30pm PST, and plan to do this immediately and send a reply. Thanks so much!
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's fine. I will probably get back to you tomorrow afternoon (UK time)
     
  9. tbrunojr

    tbrunojr Private E-2

    Good to know. My problem with bringing my laptop to work is that in safe-mode I can't utilize wireless (my only way of connecting there), while at home, I can plug in through a hardline and connect to the internet while in safe mode, if necessary.

    I've enclosed the logs requested, but am wondering whether the problems we are having have to do with a lack of specificity in whether I should boot BACK into Safe-Mode after Combo-Fix has me re-boot. Then again, I've tried it both ways to no avail.

    Any ideas?

    Our process would likely go faster if you knew of some way for me to initiate wireless in safe mode as well; that way I could bring my laptop to work and we'd have more back and forth possibilities per day. I don't even know if wireless IS possible through safe mode.

    Meanwhile, as I said, I've enclosed the requested zipped log.

    Thanks again.

    (P.S. In both normal, and safe mode, I'm still being flooded by my services.exe process. I've enclosed a screencapture I made in normal mode (it took FOREVER, because I had to open an app to paste it into in order to save it as a .jpg ) using the program 'processor explorer' from www.sysinternals.com which shows a breakdown of what is usually shown in the process manager- I'm sure you're familiar with it.)

    (I'm noticing the screenshot is useless due to the resolution... It shows those various HKEY lines I included before)
     

    Attached Files:

    Last edited: Feb 23, 2011
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Could you please get this: regedit.exe into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:
    log retrievable @ C:\collect.zip


    Please go to virustotal and upload the following files for analysis, and let me know the results.
    • c:\windows\regedit.exe
     
  11. tbrunojr

    tbrunojr Private E-2

    regedit.exe
    Submission date:
    2011-02-23 16:30:41 (UTC)
    Current status:
    queued (#3) queued (#4) analysing finished
    Result:
    0/ 43 (0.0%)
     

    Attached Files:

    Last edited by a moderator: Feb 23, 2011
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Next, run ComboFix by double clicking its icon, let it run, be patient, and once it has finished please do the below.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  13. tbrunojr

    tbrunojr Private E-2

    One error happened while collecting the log. I just re-ran the bat file and it worked second time around.

    Things to note:

    1) Running ComboFix again claimed that regedit was affected, a system restore point was created, and then it was supposedly replaced. I'm sure this type of info is available from the logs.

    2) This time, when ComboFix required a restart, I was hands-off, letting it boot into normal windows (not safe-mode). I've basically alternated doing this over the course of our correspondence, not knowing which is the correct procedure. When I DO let it boot into 'normal' vs forcing it into 'safe', the whole logging process takes almost an hour due to the lack of cpu available.

    3) Whenever I run Combo-Fix (always in Safe-Mode) it warns me the Kaspersky is still running, but there is nothing (even in the task manager) left for me to quit or force-quit. No other errors ever come up during the process, just the one that warns me that ComboFix might have a conflict.

    4) I'm still working on a way of connecting wireless in safe-mode, which would allow me to interact better with you during your hours of productivity.

    Thanks!
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    SRPeek::
    C:\WINDOWS\regedit.exe
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
     
  15. tbrunojr

    tbrunojr Private E-2

    I followed your instructions, and THEN some... Still, the problem exists.

    Here are some things to mention:

    -When booting into safe mode, I'm always required to choose whether to log in as Administrator or with my regular login. So the question becomes, which one to choose? Up until now I had been choosing my user account.

    -Also, concerned about ComboFix's warnings about Kaspersky, I researched how to properly disable it... One must do so through the application's 'settings' menu, rather than just exiting the program and disabling the start-up files. After doing so, for the first time, ComboFix ran without the warnings... This gave me hope.

    The four MG logs are:

    v01- I ran ComboFix on the Admin account before receiving this post, and it errored out with a freeze and a warning about a rootkit ntos.exe located in an Application Data folder... the freeze though, partially obscured the warning and the path.

    v02- After properly disabling Kaspersky I ran the CFScript you provided on my Admin account.

    v03 - I tried a normal ComboFix without the CFScript on my user acct.

    v04 - I ran the CFScript you provided on my Admin account

    Finally, frustrated, I then literally started up in Repair Mode, changed my regedit.exe to regedit.old and copied the regedit.exe from my OEM disk to my WINDOWS folder. I wanted to be sure that there was no way, as an application, it could be infected. I ran ComboFix, and sure enough, "c:\windows\regedit.exe . . . is infected!" Since this was directly off my OEM disk, this implies that something is happening to the file upon start-up.

    Hope that helps!
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Sorry about the late reply. I have been rather busy.

    SystemLook

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :file
      C:\Windows\regedit.exe
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Seems that regedit.exe is not infected after all; it is just the wrong version for SP3.
     
  17. tbrunojr

    tbrunojr Private E-2

    I'll follow these instructions once I get home. One quick thing:

    In regard to: "Seems that regedit.exe is not infected after all, It is just the wrong version for SP3"

    I wanted to point out just in case you missed it at the end of my last post, but in a moment of desperation yesterday, I replaced my regedit.exe with the one from my OEM disk.

    Is that what you're referring to? Just thought I'd check, since I can just as easily put the 'old' one back. (See end of last post).

    Thanks!
     
  18. tbrunojr

    tbrunojr Private E-2

    here ya go!
     
  19. tbrunojr

    tbrunojr Private E-2

    log didn't attach. here you go, for reals...
     

    Attached Files:

  20. tbrunojr

    tbrunojr Private E-2

    Okay, downloaded Microsoft's SP3 CD and grabbed regedit.exe and replaced mine. Here's the SystemLook.txt log that verifies this. I'm going to run ComboFix overnight and will post the usual MGlog for your perusal. No improvements btw as far as my services.exe process. It is still consuming nearly 100% of my cpu outside of safe mode, and still 70% in safe mode... Ugh.
     

    Attached Files:

  21. tbrunojr

    tbrunojr Private E-2

    Looks like HT/Combo Fix is giving me a clean bill of health. My services.exe is still spiking CPU usage, however.
     

    Attached Files:

  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete this:
    c:\windows\winstart.bat

    Could you please get this: e8b11.sys into a zipped file and attach it for me in your next post? To do this, see the below:

    Please go to start > Run and paste in the following:
    log retrievable @ C:\collect.zip
     
  23. tbrunojr

    tbrunojr Private E-2

    I WAS able to delete 'winstart.bat'. I was NOT, however, able to find 'e8b11.sys'.

    This morning just after my last post (and before your response), I ran chkdsk /r through the Recovery console and then left for work. When I returned home at lunch, chkdsk had completed, having 'fixed errors'. Is it possible that chkdsk /r deleted it?

    Anyway, I did a major search for that file or anything like it in the WINDOWS folder and there was absolutely nothing. I tried many variations, like *.sys, etc.- nothing.

    I started ComboFix before leaving again for work. When I return home, I will attach another MGlog.

    Cheers!
     
  24. tbrunojr

    tbrunojr Private E-2

    Here's the latest MGlog as per my last post. Thanks a ton, btw, for all of your time and determination: I feel like we're closing in on this thing! I'm not working tomorrow, so I'll be able to participate as much and as often as necessary (you, of course, may understandably be taking the day off :) ).

    Cheers!
     

    Attached Files:

  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box. Ensure you scroll down to select ALL the lines:
    Code:
    KILLALL::
    
    Driver::
    07dB
    1695
    194D
    2f413
    38b4
    60b9
    79c10
    afa15
    b9bF
    c2217
    cf318
    d7d7
    e8b11
    ee6C
    ef614
    f1219
    f1c8
    f2a3
    File::
    c:\windows\system32\07dB.sys
    c:\windows\system32\1695.sys
    c:\windows\system32\194D.sys
    c:\windows\system32\2f413.sys
    c:\windows\system32\38b4.sys
    c:\windows\system32\60b9.sys
    c:\windows\system32\79c10.sys
    c:\windows\system32\afa15.sys
    c:\windows\system32\b9bF.sys
    c:\windows\system32\c2217.sys
    c:\windows\system32\cf318.sys
    c:\windows\system32\d7d7.sys
    c:\windows\system32\e8b11.sys
    c:\windows\system32\ee6C.sys
    c:\windows\system32\ef614.sys
    c:\windows\system32\f1219.sys 
    c:\windows\system32\f1c8.sys
    c:\windows\system32\f2a3.sys
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe

      http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
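    The eighteen drivers listed in the script above share a pattern that is visible without knowing anything else about the machine: each service has a short, hex-looking, machine-generated name, and its binary is a .sys file of the same name dropped directly into system32 rather than system32\drivers. The following script is an added example, not part of this thread and not ComboFix's own code; it applies that heuristic to a list of (service name, ImagePath) pairs and then writes out the same `KILLALL::` / `Driver::` / `File::` CFScript layout the helper composed by hand, so the list does not have to be typed twice. The service table is constructed here from three of the names quoted in the post plus three ordinary Windows drivers for contrast; the scoring threshold (two of three signals) is this example's own choice, and names such as e1000-style hex-looking legitimate drivers would still need a human look, which is why the reasons are returned alongside the names.

```python
import re

# Constructed sample: three entries copied from the driver list quoted in
# this thread, three ordinary Windows drivers added for contrast.
SAMPLE_SERVICES = [
    ("07dB",     r"c:\windows\system32\07dB.sys"),
    ("e8b11",    r"c:\windows\system32\e8b11.sys"),
    ("f1219",    r"c:\windows\system32\f1219.sys"),
    ("Mouclass", r"system32\DRIVERS\mouclass.sys"),
    ("Tcpip",    r"system32\DRIVERS\tcpip.sys"),
    ("afd",      r"\SystemRoot\system32\drivers\afd.sys"),
]

# Heuristic: 4-6 hex characters containing at least one digit, which is what
# every name in the quoted list looks like ("afd" is hex letters only, so it
# does not match).
HEXLIKE_RE = re.compile(r"^[0-9a-f]{4,6}$", re.IGNORECASE)


def is_hexlike_name(name: str) -> bool:
    return bool(HEXLIKE_RE.match(name)) and any(ch.isdigit() for ch in name)


def score_driver(name: str, image_path: str) -> list[str]:
    """Return the list of signals this service/driver pair trips."""
    reasons = []
    p = image_path.replace("/", "\\").lower()
    base = p.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.endswith(".sys") else base
    if is_hexlike_name(name):
        reasons.append("service name looks machine-generated (short hex string)")
    if stem == name.lower() and is_hexlike_name(stem):
        reasons.append("binary is named after the generated service name")
    if "\\system32\\" in p and "\\drivers\\" not in p:
        reasons.append("driver sits in system32 root rather than system32\\drivers")
    return reasons


def find_suspicious_drivers(services, threshold: int = 2) -> dict:
    """Map service name -> {"path", "reasons"} for entries tripping >= threshold signals."""
    hits = {}
    for name, path in services:
        reasons = score_driver(name, path)
        if len(reasons) >= threshold:
            hits[name] = {"path": path, "reasons": reasons}
    return hits


def build_cfscript(hits: dict) -> str:
    """Render the findings in the CFScript layout used in this thread."""
    lines = ["KILLALL::", "", "Driver::"]
    lines += list(hits)
    lines.append("File::")
    lines += [h["path"] for h in hits.values()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_suspicious_drivers(SAMPLE_SERVICES)
    for name, h in hits.items():
        print(name, "->", "; ".join(h["reasons"]))
    print()
    print(build_cfscript(hits))
```

    On a live system the (name, ImagePath) pairs would come from the service control manager or from the Services section of the MGlogs the thread relies on; the script deliberately takes them as plain data so that it can be run against a log from an offline machine.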
     
