

B.s.o.d.


11 replies to this topic

#1 thrillhouse

thrillhouse

  • Members
  • 1,040 posts
  • Gender: Male
  • Location: Va

Posted 07 May 2007 - 03:49 PM

Recently, when I restart my computer, I'd say every fourth time or so, it will boot past the BIOS screen, past the Windows screen, then to a BSOD. Then I have to restart and it's fine. Just thought I'd get someone more knowledgeable than myself to look at the HijackThis log and see if anything is amiss, as far as spyware. So, here it is:

Thank you for any and all help received or advice given.

Attached Files





#2 thrillhouse


Posted 08 May 2007 - 10:32 AM

The log looks pretty legit to me, but I'm not an expert or anything. I got rid of Cygwin, and the rest of the stuff on there I either use or don't know what it is.

#3 thrillhouse


Posted 08 May 2007 - 04:37 PM

MyTray and BootSkin are legit too and have been on the machine forever.
MyTray is an MCE plugin that lets me plug FireWire from the computer into my DVR and record on the computer, and BootSkin is the program that replaces the normal Windows boot screen with an X-ray of Homer Simpson that shows he has a small brain and says "windohs" instead of Windows.

#4 Yourhighness

Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender: Male
  • Location: Hamburg

Posted 09 May 2007 - 01:56 AM

An uninstall list and further symptoms can be found here: http://www.bleepingcomputer.com/forums/ind...pid=517239&

I have asked thrillhouse to submit the log in a post rather than as an attachment.

rgds,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#5 thrillhouse


Posted 09 May 2007 - 03:42 AM

Here is another log per Johannes' instructions. Also, I got the blue screen stop error: 0x000000C5 ( 0xE1DSA000, 0X00000002, 0X00000001, 0X8054AF6E)

My log:

Logfile of HijackThis v1.99.1
Scan saved at 4:35:01 AM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\S24EvMon.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\1XConfig.exe
C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\RegSrvc.exe
c:\program files\verizon wireless\venturi\Client\ventc.exe
C:\WINNT\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINNT\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: MyTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: Sebring - C:\WINNT\system32\LgNotify.dll
O23 - Service: McAfee Alert Manager (AlertManager) - McAfee Division of Network Associates, Inc. - C:\Program Files\Network Associates\Alert Manager\amgrsrvc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\system32\ImapiRox.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\system32\S24EvMon.exe
O23 - Service: Venturi Client (Venturi2) - Venturi Wireless - c:\program files\verizon wireless\venturi\Client\ventc.exe

#6 Yourhighness


Posted 09 May 2007 - 01:37 PM

Hi thrillhouse,

Let's start "official" on this.

My name is Johannes and I will be dealing with your log today.
Please note that comments are made in green, links are in red and important things are outlined by using the blue color.

Please also take note of the following:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.
Thanks,
Johannes



#7 thrillhouse


Posted 09 May 2007 - 03:46 PM

Thanks a lot, I really appreciate it!

#8 Yourhighness


Posted 11 May 2007 - 11:23 AM

Just a quick note to let you know that I haven't forgotten you. It's just been a bit of a madhouse privately/work/and cyberwise.

Please could you post a fresh full HijackThis log for me? Just to make sure of something.
Thanks

Johannes

Edited by Yourhighness, 11 May 2007 - 11:50 AM.



#9 Yourhighness


Posted 14 May 2007 - 01:56 PM

Hi thrillhouse,

Your log looks clean so far, but you should update your java once the system is up and running smoothly again. Apologies for the delay again.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.
For now, have a look at the following two links to try and fix the BSOD / error message that is occurring:

Troubleshooting Windows Stop messages and How to use Driver Verifier to troubleshoot windows drivers

If you have further questions, you can also address them here: Windows XP subforum or the Hardware subforum.

You may also want to test your RAM with this tool. If you open a thread in the hardware section and your problems get resolved, please let me know so we can close this HijackThis log thread. Thanks, and let me know how you are going with this.
Thanks,

Johannes


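An added example, not from the thread or from the HijackThis tool itself: a small Python parser for the HijackThis 1.99.1 log format posted in #5 that pulls out the entries a log reviewer checks first (the O23 service marked "(file missing)", the O4 MyTray.lnk item that resolves to "?", the O20 Winlogon Notify DLL and the unnamed O2 BHO) and reads the JRE build out of the file paths, which is how one confirms Johannes' point above that the installed 1.5.0_11 is older than the 6u1 he recommends. The sample log below is constructed from lines in the post; the flagging rules and the 6u1 baseline are assumptions of this example, not HijackThis behaviour.

```python
import re

# Constructed sample: a handful of the HijackThis 1.99.1 lines quoted in post #5.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - Global Startup: MyTray.lnk = ?
O20 - Winlogon Notify: Sebring - C:\WINNT\system32\LgNotify.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")  # e.g. "O4 - HKLM\..\Run: ..."
JRE_RE = re.compile(r"jre(?P<v>\d+\.\d+\.\d+)_(?P<u>\d+)", re.IGNORECASE)  # e.g. jre1.5.0_11

def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; header and process-list lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def review_entries(entries):
    """Return the entries a reviewer would look at first, with the reason (rules assumed here)."""
    findings = []
    for section, body in entries:
        if "(file missing)" in body:
            findings.append((section, "service binary missing", body))
        elif body.endswith("= ?"):
            findings.append((section, "startup target could not be resolved", body))
        elif section == "O20":
            findings.append((section, "Winlogon Notify DLL (a persistence point)", body))
        elif section == "O2" and "(no name)" in body:
            findings.append((section, "BHO without a name", body))
    return findings

def java_versions(entries):
    """JRE builds referenced by any entry, as ((major, minor, patch), update) tuples."""
    found = set()
    for _, body in entries:
        for m in JRE_RE.finditer(body):
            found.add((tuple(int(p) for p in m.group("v").split(".")), int(m.group("u"))))
    return sorted(found)

def java_outdated(entries, current=((1, 6, 0), 1)):
    """True if the log references a JRE older than the baseline (6u1 as recommended in post #9)."""
    return any(version < current for version in java_versions(entries))
```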

#10 thrillhouse


Posted 14 May 2007 - 02:46 PM

Hey, thanks for the help. I will check those links and report back with a solution if I find one.

#11 thrillhouse


Posted 17 May 2007 - 10:32 AM

I have rolled back my burner driver (with great difficulty!) and now my CD drive reads (I didn't realize it, but it wasn't reading) and the blue screens haven't come up in about three reboots, so I think I might be good.

Edited by thrillhouse, 17 May 2007 - 10:32 AM.


#12 thrillhouse


Posted 18 May 2007 - 05:34 PM

They came back, and then I couldn't use my CD drive again, so I upgraded my Roxio and so far so good. It reads and burns fine and I haven't had a BSOD in a few boots, so hopefully I'm in the clear.

Edited by thrillhouse, 18 May 2007 - 06:39 PM.

