HJT and related items close...?


41 replies to this topic

#1 MatreX


Posted 02 October 2005 - 12:44 PM

Whenever I run HJT it closes on me, like right away, so I was going to go to the HJT forum and post this there, but I couldn't because a few seconds after I clicked the forum my browser closes...

My browser is Firefox and has never closed by itself before.




Help :-/


#2 Leurgy


Posted 02 October 2005 - 12:54 PM

Hello MatreX and welcome to BC.

Hang in there and I'll get one of our experts to assist you as soon as they have time.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslow

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 didom


Posted 02 October 2005 - 12:58 PM

There is a variant of the Coolwebsearch trojan spreading that closes several anti-spyware apps when you try to open them.
If this is happening to you, download PepiMK's CoolWWWSearch.SmartKiller removal tool first and run it. After it does its job, CWShredder and HijackThis will run properly (as well as Spybot S&D, Ad-aware and several anti-spyware forums).

#4 MatreX


Posted 02 October 2005 - 01:05 PM

:/

It says "CoolWWWSearch.SmartKiller(v1/v2) has not been found on your system."

HJT still closes... :-(

#5 MatreX


Posted 02 October 2005 - 01:12 PM

My Ad-Aware SE Pro runs fine...

#6 didom


Posted 02 October 2005 - 01:13 PM

Can you please rename HijackThis.exe and try it again!

#7 MatreX


Posted 02 October 2005 - 01:14 PM

Nope, closes still....

Ad-Aware didn't seem to find what's closing it, I'm going to try re-unzipping it or redownloading it.

Edited by MatreX, 02 October 2005 - 01:15 PM.


#8 didom


Posted 02 October 2005 - 01:16 PM

Please download this:
http://www.bleepingcomputer.com/files/Merijn/ibprocman.zip

Run it. Save the log and copy its entire contents into this thread!

#9 MatreX


Posted 02 October 2005 - 01:17 PM

I opened it, what do you mean run it? It only shows my processes.

There's no log but I copied my processes to here:

This what you wanted?
Process list saved on 2:19:26 PM, on 10/2/2005
Platform: WinNT 5.01.2600 SP2

[pid] [full path to filename] [file version] [company name]
464 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
552 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
596 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
608 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
752 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
896 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1116 C:\WINDOWS\svchost.exe 5.1.0.0 Microsoft Corporation
1220 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1232 C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe 0.0.5.9 Stardock
1260 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1480 C:\WINDOWS\svchost.exe 5.1.0.0 Microsoft Corporation
1520 C:\WINDOWS\system32\drivers\etc\data\svchost.exe 6.0.0.2 Cat Soft
1876 C:\WINDOWS\system32\rhmawl\csrss.exe
1900 C:\WINDOWS\system32\rhmawl\winsp3.exe
1936 C:\Program Files\LocalNet Express 2.0\PropelAC.exe 5.0.0.1053 Propel Software Corporation
1944 C:\WINDOWS\system32\rhmawl\nat.exe
1952 C:\Program Files\Messenger\msmsgs.exe 4.7.0.3001 Microsoft Corporation
480 C:\Program Files\Logitech\MouseWare\system\em_exec.exe 9.79.19.0 Logitech Inc.
2764 C:\WINDOWS\system32\LMPDPUI.EXE 1.0.0.245 DeviceGuys
3100 C:\WINDOWS\system32\CMMON32.EXE 7.2.2600.2180 Microsoft Corporation
3220 C:\Program Files\Mozilla Firefox\firefox.exe 1.0.4.0 Mozilla
3784 c:\progra~1\intern~1\iexplore.exe 6.0.2900.2180 Microsoft Corporation
1048 C:\Documents and Settings\MatreX\Desktop\ibprocman\IBProcMan.exe 1.4.0.0 Soeperman Enterprises Ltd.
520 C:\WINDOWS\system32\perfmon.exe 5.1.2600.2180 Microsoft Corporation

Edited by MatreX, 02 October 2005 - 01:21 PM.


#10 didom


Posted 02 October 2005 - 01:28 PM

Please open ibprocman.exe

Select: 1876 C:\WINDOWS\system32\rhmawl\csrss.exe
Hold down your 'shift key' and also select:
1900 C:\WINDOWS\system32\rhmawl\winsp3.exe
1944 C:\WINDOWS\system32\rhmawl\nat.exe


Then click Kill Process (so you have to kill them all at the same time)

Exit the program.

Find and delete this folder:
C:\WINDOWS\system32\rhmawl

Then reboot your computer and try to run HijackThis again!

Edited by didom, 02 October 2005 - 01:29 PM.
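
Added example, not part of any post in this thread: one way to triage a process list in the format posted in #9, flagging images that use a Windows system file name outside that file's usual directory and images that carry no version or company information. The expected-directory table and the function names are assumptions of this example, and a flag is a lead for review, not a verdict.

```python
import ntpath
import re

# Assumption of this example: where core Windows XP images normally live.
SYSTEM32 = r"c:\windows\system32"
EXPECTED_DIR = dict.fromkeys(
    ("smss.exe", "csrss.exe", "lsass.exe", "svchost.exe"), SYSTEM32)
EXPECTED_DIR["explorer.exe"] = r"c:\windows"

# pid, full path ending in .exe, then optional "a.b.c.d company" columns.
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<path>.+?\.exe)"
    r"(?:\s+(?P<version>\d+(?:\.\d+){3})\s+(?P<company>.+))?$",
    re.IGNORECASE)

# Excerpt of the process list posted in #9.
SAMPLE = r"""
752 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1116 C:\WINDOWS\svchost.exe 5.1.0.0 Microsoft Corporation
1220 C:\WINDOWS\Explorer.EXE 6.0.2900.2180 Microsoft Corporation
1520 C:\WINDOWS\system32\drivers\etc\data\svchost.exe 6.0.0.2 Cat Soft
1876 C:\WINDOWS\system32\rhmawl\csrss.exe
1900 C:\WINDOWS\system32\rhmawl\winsp3.exe
1936 C:\Program Files\LocalNet Express 2.0\PropelAC.exe 5.0.0.1053 Propel Software Corporation
1944 C:\WINDOWS\system32\rhmawl\nat.exe
"""

def parse(text):
    """Return one dict per process line; header and blank lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def triage(rows):
    """Map pid -> list of reasons the entry deserves a closer look."""
    findings = {}
    for row in rows:
        directory, image = ntpath.split(row["path"].lower())
        reasons = []
        expected = EXPECTED_DIR.get(image)
        if expected and directory != expected:
            reasons.append("system image name outside " + expected)
        if not row["version"]:
            reasons.append("no version or company metadata")
        if reasons:
            findings[int(row["pid"])] = reasons
    return findings

if __name__ == "__main__":
    print(triage(parse(SAMPLE)))
```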


#11 MatreX


Posted 02 October 2005 - 01:35 PM

uhm.. for some reason my system32 and the rhmawl file in system32 are hidden...

#12 didom


Posted 02 October 2005 - 01:36 PM

Whoops forgot to tell you this:

Make sure all hidden files and folders are visible (Instructions)

Edited by didom, 02 October 2005 - 01:42 PM.


#13 MatreX


Posted 02 October 2005 - 01:47 PM

I closed the processes and deleted the file rhmawl and rebooted, now when my comp started back up I got:

Windows Cannot Find 'C:\WINDOWS\system32\rhmawl\csrss.exe'.

#14 didom


Posted 02 October 2005 - 01:48 PM

That's good!

Can you run HijackThis now? Please post me a log if you can....

#15 MatreX


Posted 02 October 2005 - 01:48 PM

Logfile of HijackThis v1.99.1
Scan saved at 2:50:41 PM, on 10/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\etc\data\svchost.exe
C:\WINDOWS\system32\LMPDPUI.EXE
C:\WINDOWS\system32\CMMON32.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\Program Files\LocalNet Express 2.0\PropelAC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\MatreX\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
F3 - REG:win.ini: load=C:\WINDOWS\system32\rhmawl\csrss.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\rhmawl\csrss.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll
O2 - BHO: (no name) - {777BE465-50E2-A03D-9E19-BCE515945591} - C:\DOCUME~1\Owner\APPLIC~1\UPLOAD~1\ENC MANAGER.exe
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [Microsoft XML Update] IEXPLORER.EXE
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\WINDOWS\system32\rhmawl\winsp3.exe
O4 - HKLM\..\Run: [Pad39A-HtEHL] D:\Pad39A.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [stop dog rule real] C:\Documents and Settings\All Users\Application Data\multihelpstopdog\winsafe.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\rhmawl\nat.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\RunServices: [Microsoft XML Update] IEXPLORER.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: csrss.lnk = C:\WINDOWS\system32\rhmawl\csrss.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/WebsiteA...Bridge-c139.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121139669156
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{655A7354-5690-4809-9FA4-4BCE0A577CF3}: NameServer = 207.251.194.54 207.251.194.55
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: NTLOAD - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: NTSVCMGR - Unknown owner - c:\windows\system32\dllcache\win32\winlogon.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Hardware Detection (Serv-U) - Cat Soft - C:\WINDOWS\system32\drivers\etc\data\svchost.exe



;-)

Edited by MatreX, 02 October 2005 - 01:52 PM.
