
Multi Error Messages - Closing Windows



#1 Lady_Of_Chaos

  • Members
  • 15 posts

Posted 18 June 2007 - 01:52 AM

Hello again. I'm not sure what to call this (as I am not getting any names; he is running ZoneAlarm and Avast, with no virus warnings), but I have a friend's computer here that keeps freezing and locking up, and when you try to do anything, it starts closing down processes:

First, netstat.exe closes because of an error.
Then "cmd.exe" has closed because of an unknown error.
It won't allow IRC logs to save (says unable to write file; yes, I removed it from the internet when this happened).
It also says that IE is not the default browser, yet it has never been changed.
Plus now my clock is gone and I keep having to reboot it because of the processes being shut down.

It is also running at CPU overload %. I have shut off System Restore as well.

Any help would be appreciated.

HijackThis file:

Logfile of HijackThis v1.99.1
Scan saved at 16:48, on 2007-06-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
D:\IRC\mirc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\explorer.exe
C:\ComboFix\catchme.cfexe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dunn\Desktop\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bigpond.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sydney.cache.telstra.net:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TosGbWatcher] "C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Dunn\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-AU/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176631862140
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {B6648EB8-2460-484F-9255-9654454C4C70} - https://vpn.dal01.softlayer.com/prx/000/htt...lhost/arr_x.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Array Utility Service 8,1,0,307 (Array_Utility_Service8.1.0.307) - Unknown owner - C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




--------------------------

ComboFix log:

ComboFix 07-06-13.7 - C:\Documents and Settings\Dunn\Desktop\ComboFix.exe
"Dunn" - 2007-06-18 16:02:18 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-18 to 2007-06-18 )))))))))))))))))))))))))))))))


2007-06-18 16:01 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 15:58 <DIR> d-------- C:\VundoFix Backups
2007-06-15 01:48 0 --a------ C:\BW-114.exe
2007-06-15 01:18 <DIR> d-------- C:\Program Files\Hamachi
2007-06-15 01:09 0 --a------ C:\DOCUME~1\Dunn\SC-113f.exe
2007-06-15 00:55 <DIR> d-------- C:\Program Files\Starcraft Broodwar
2007-06-13 21:11 <DIR> d-------- C:\DOCUME~1\Dunn\hob_jportal
2007-06-13 21:04 379 --a------ C:\DOCUME~1\Dunn\hobpk.dat
2007-06-13 21:04 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-06-13 21:04 <DIR> d-------- C:\Program Files\HOB
2007-06-13 21:03 <DIR> d--h----- C:\DOCUME~1\Dunn\InstallAnywhere
2007-06-13 17:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-06-13 17:40 <DIR> d-------- C:\Program Files\Windows Live
2007-06-13 17:40 <DIR> d-------- C:\Program Files\Messenger Plus! Live
2007-06-11 17:52 <DIR> d-------- C:\WINDOWS\system32\URTTEMP
2007-06-11 17:49 <DIR> d-------- C:\Program Files\Carved Stone Productions
2007-06-10 14:44 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-06-10 14:44 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-06-10 14:44 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-06-10 14:44 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-06-10 14:43 <DIR> d-------- C:\WINDOWS\RegisteredPackages
2007-06-10 14:42 <DIR> d-------- C:\Program Files\Winamp
2007-06-09 18:31 <DIR> d-------- C:\DOCUME~1\Dunn\APPLIC~1\IGN_DLM
2007-06-09 18:25 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-06-09 18:25 152,566 --a------ C:\WINDOWS\system32\drivers\dump_wmimmc.sys
2007-06-09 18:15 <DIR> d-------- C:\Program Files\TriglowPictures
2007-06-05 20:51 <DIR> d-------- C:\Program Files\Telstra
2007-05-29 23:53 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-05-29 23:53 <DIR> d-------- C:\Program Files\Unreal3.2
2007-05-29 18:22 <DIR> d-------- C:\WINDOWS\ricoh
2007-05-24 15:59 <DIR> d-------- C:\DOCUME~1\Dunn\.sshterm
2007-05-24 15:59 <DIR> d-------- C:\DOCUME~1\Dunn\.ssh
2007-05-21 13:44 <DIR> d-------- C:\Program Files\DOSBox-0.70
2007-05-20 21:39 84,992 -rahs---- C:\eraseme_82412.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-17 02:27:05 -------- d-----w C:\Program Files\Steam
2007-06-14 19:49:53 -------- d-----w C:\DOCUME~1\Dunn\APPLIC~1\Hamachi
2007-06-14 15:18:56 25,544 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-06-13 07:40:20 -------- d-----w C:\Program Files\MSN Messenger
2007-06-09 09:56:29 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-31 05:55:00 -------- d-----w C:\DOCUME~1\Dunn\APPLIC~1\Skype
2007-05-17 08:48:12 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-16 03:25:58 -------- d-----w C:\DOCUME~1\Dunn\APPLIC~1\IMVU
2007-05-11 00:20:17 -------- d-----w C:\Program Files\Creative Labs
2007-05-11 00:20:09 -------- d-----w C:\Program Files\EidosNet
2007-05-08 05:55:55 -------- d-----w C:\Program Files\Canon
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-30 01:35:00 -------- d-----w C:\Program Files\DAEMON Tools
2007-04-30 01:28:54 682,232 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-04-28 14:29:18 -------- d-----w C:\Program Files\DVD Shrink
2007-04-22 08:48:07 -------- d-----w C:\Program Files\Skype
2007-04-22 08:48:06 -------- d-----w C:\Program Files\Common Files\Skype
2007-04-22 02:12:43 -------- d-----w C:\DOCUME~1\Dunn\APPLIC~1\Apple Computer
2007-04-22 02:11:54 -------- d-----w C:\DOCUME~1\Dunn\APPLIC~1\Ahead
2007-04-20 23:46:23 -------- d-----w C:\Program Files\Computability
2007-04-20 23:46:23 -------- d-----w C:\Program Files\Common Files\Borland Shared
2007-04-20 05:19:10 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-20 05:17:24 -------- d-----w C:\Program Files\Ahead
2007-04-20 05:09:58 208,956 ----a-w C:\WINDOWS\system32\ArrayApi.dll
2007-04-16 07:19:33 335 ----a-w C:\WINDOWS\nsreg.dat
2007-04-05 04:15:50 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-04-05 03:30:25 0 --sha-r C:\MSDOS.SYS
2007-04-05 03:30:25 0 --sha-r C:\IO.SYS
2007-04-05 03:30:25 0 ----a-w C:\CONFIG.SYS
2007-04-05 03:30:25 0 ----a-w C:\AUTOEXEC.BAT
2007-04-05 03:27:13 21,640 -c--a-w C:\WINDOWS\system32\emptyregdb.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-05-01 01:42]
"SoundMan"="SOUNDMAN.EXE" [2002-09-11 12:57 C:\WINDOWS\soundman.exe]
"nwiz"="nwiz.exe" [2003-03-20 22:13 C:\WINDOWS\system32\nwiz.exe]
"TosGbWatcher"="C:\Program Files\TOSHIBA\gigabeat room 2.0.2\TosGbWatcher.exe" [2005-05-19 02:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]
"EEventManager"="C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 14:09]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"BigPondCable"="C:\Program Files\Telstra\Cable Login\bpcable.exe" [2004-08-18 16:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit" []
"Steam"="" []
"Aim6"="" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-04-04 08:29]


Contents of the 'Scheduled Tasks' folder
2007-06-16 06:53:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-18 16:03:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [7352]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-18 16:04:37

--- E O F ---


--------------------------------------

Vundo (friend tried to run it) - doesn't find any files.
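The log above is plain text in HijackThis's "Oxx - description - path" layout, followed by a ComboFix run whose catchme section lists the hidden cmd.exe process. A small triage script that parses both is a quick way to pull the items worth a second look out of a long log. This is an added example written for this page; it is not code from BleepingComputer, HijackThis, ComboFix or catchme, and the flagging rules (orphaned entries, services with no publisher, a configured proxy) are the editor's own heuristics, not rules stated on the page. The sample lines are a constructed excerpt in the same format as the log in the post.

```python
"""Triage helper for a HijackThis v1.99 log plus a catchme hidden-process section.

Added example: not the forum poster's code and not part of any of the tools named
on the page. The flagging heuristics below are assumptions of this example.
"""
import re

# Constructed sample: a short excerpt in the same layout as the HijackThis log above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sydney.cache.telstra.net:3128
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: Array Utility Service 8,1,0,307 (Array_Utility_Service8.1.0.307) - Unknown owner - C:\Program Files\Array Networks\Common\8,1,0,307\arr_isrv.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Constructed sample: the catchme block from the ComboFix log above.
SAMPLE_CATCHME = """
scanning hidden processes ...

cmd.exe [7352]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0
"""

# A HijackThis entry starts with a section tag (R0, O2, O23, ...) followed by " - ".
HJT_LINE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage_hjt(text):
    """Return (section, reason, body) for entries worth a second look (heuristics)."""
    findings = []
    for sec, body in parse_hjt(text):
        if "(no file)" in body or "(file missing)" in body:
            # Registry still points at a binary that is gone: leftover or removed component.
            findings.append((sec, "references a file that is not on disk (orphaned entry)", body))
        elif sec == "O23" and "Unknown owner" in body:
            # Service binary carries no company name in its version information.
            findings.append((sec, "service binary has no publisher information", body))
        elif sec.startswith("R") and "ProxyServer" in body:
            # Not inherently bad (ISP proxies are common); just confirm it is expected.
            findings.append((sec, "proxy configured; confirm it is expected", body))
    return findings


def hidden_processes(catchme_text):
    """Return [(name, pid)] listed under catchme's 'scanning hidden processes' heading."""
    procs = []
    in_section = False
    for line in catchme_text.splitlines():
        s = line.strip()
        if s.startswith("scanning hidden processes"):
            in_section = True
            continue
        if s.startswith("scanning "):
            in_section = False
        if in_section:
            m = re.match(r"^(?P<name>\S+) \[(?P<pid>\d+)\]$", s)
            if m:
                procs.append((m.group("name"), int(m.group("pid"))))
    return procs


if __name__ == "__main__":
    for sec, reason, body in triage_hjt(SAMPLE_HJT):
        print(f"[{sec}] {reason}: {body}")
    for name, pid in hidden_processes(SAMPLE_CATCHME):
        print(f"hidden process: {name} (pid {pid})")
```

Run against the sample it flags the two "(no file)" entries, the missing Array Networks service binary and the proxy setting, and reports cmd.exe as the one hidden process. On a real log the flagged items are starting points for a look-up, not verdicts; the Telstra proxy and the orphaned entries in this thread are the kind of thing a helper confirms rather than deletes on sight.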


#2 OldTimer

    Malware Expert

  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 24 June 2007 - 04:25 PM

Hello Lady_Of_Chaos and welcome to the BC HijackThis forum. The only thing I see in the logs that is of interest is the hidden cmd.exe process. Let's see if we can find out a bit more about that.

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • In the Driver Services section click Non-Microsoft
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - Security Settings
    • Reg - Session Manager Settings
    • Reg - WOW Settings
    • File - Additional Folder Scans
    • Evnt - EventViewer Errors/Warnings
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

Cheers.

OT
I do not respond to PMs requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer




