New Member
Group: Forum Members
Last Login: 6/11/2008 2:22 PM
Posts: 65,
Visits: 62
In another thread, I was told by RichieUK to post a HijackThis log here. Here is a little background info on my problem: two days ago I received a BSOD stating a problem with a driver overrunning a stack-based buffer. I then started up my computer again and shortly after another BSOD came up with a win2k.sys error.
Here is my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:52 PM, on 11/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal
Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
I:\WINDOWS\system32\IoctlSvc.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\wscntfy.exe
I:\WINDOWS\ALCXMNTR.EXE
I:\WINDOWS\system32\ctfmon.exe
I:\WINDOWS\System32\svchost.exe
I:\Documents and Settings\Danny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
I:\Documents and Settings\Danny\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
I:\Program Files\Internet Download Manager\IEMonitor.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.155:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - I:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - I:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - I:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - I:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - I:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download all links with IDM - I:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - I:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - I:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E85362EF-40D4-4E5D-BE07-D6B036CCA277} (GoPets Control) - http://secure.gopetslive.com/dev/gopets.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - http://secure.gopetslive.com/dev/GoPetsWeb.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: Antiwpa - I:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - I:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - I:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - I:\WINDOWS\system32\IoctlSvc.exe
--
End of file - 5150 bytes
If anyone could help me, I would definitely appreciate it!
Senior Forum Moderator
Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 32,826,
Visits: 54,734
Copy and paste ALL the following text in the code box below into Notepad.
Click on Start/All Programs/Accessories/Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=-
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
Download TFC by OldTimer to your Desktop.
* Please double-click TFC.exe to run it; if you're running Windows Vista, right click on TFC.exe and click on "Run as Administrator".
* It will close all programs when run, so make sure you have saved all your work before you begin.
* Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
* Let it run uninterrupted until it's finished.
* Once it's finished it should reboot your machine. If it doesn't, please manually restart the pc to ensure a complete cleanup.
Please download Stealth MBR rootkit detector by Gmer and save it to your root directory, usually C:\ <- (This is Important!).
* Click on Start/Run, type CMD into the 'Open:' space, then press OK
* At the command prompt type, or copy and paste, c:\mbr.exe >>"C:\mbr.log" then press Enter
* A "DOS" box will open then close, that's normal.
* A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
* Copy and paste the entire contents of the mbr.log into your next reply.
Download and scan with GMER by carefully following the steps below.
Because certain malware won't let gmer.exe run, click on the button [Download EXE] in the following link to download GMER to your desktop.
* Double click on the randomly named .exe file on your desktop to launch GMER, then click on the Rootkit/Malware tab.
* Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
* Click on Scan.
* When the scan has run click the "Copy" button then paste the results into your next reply.
Please read ALL of the following before making a start.
Then download ComboFix from HERE or HERE to your Desktop, by following the steps below.
**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
1. If you are using Firefox, make sure that your download settings are as follows:
* Click on Tools->Options->"Main" tab
* Set to "Always ask me where to Save the files".
2. During the download, rename Combofix to Combo-Fix as follows:


3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
* Click Here to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
* Close any open browsers.
* WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
* Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
* If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
6. Double click on Combo-Fix.exe & follow the prompts; if you're running Windows Vista, right click on Combo-Fix.exe and click on "Run as Administrator".
7. When finished, it will produce a report for you.
8. Please post the contents of "C:\Combo-Fix.txt" along with a new HijackThis log into your next reply.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
-----------------------------------------------------------
**VERY IMPORTANT**
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures**

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Post the following in your next reply:
The contents of "C:\ComboFix.txt"
The contents of the mbr.log
The contents of the GMER log
A new HijackThis log.
_______________________________________________________________
 ASAP & UNITE member since 2006
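As an added example, not code from this thread, from HijackThis or from any of the tools the moderator names, here is a small Python triage script for reading log entries like the ones posted above. It flags the kinds of items a reviewer checks first: entries whose backing file is gone ("(no file)"), a configured proxy server, autostart targets given without a full path, and O20 entries that load a DLL early. The rules are my own heuristics, the function names are mine, and the sample lines are copied from the log in the first post.

```python
import re

# Constructed sample input: entries copied from the HijackThis log posted in this
# thread, with untouched ones kept for contrast. The triage rules below are this
# example's own heuristics, not HijackThis's analysis.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.155:8118
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - I:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: Antiwpa - I:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Body of an O4 autostart entry: "<hive>\..\Run: [<value name>] <target>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")


def parse_entries(text):
    """Return (section code, body) tuples for every entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def is_qualified_path(target):
    """True if an autostart target starts with a drive letter or an %ENV% path."""
    t = target.strip().strip('"')
    return bool(re.match(r"^([A-Za-z]:\\|%[^%]+%\\)", t))


def triage(text):
    """Apply the review heuristics; each finding is (code, reason, body)."""
    findings = []
    for code, body in parse_entries(text):
        # 1. Orphaned entries: the registry still points at a file that is gone.
        if body.endswith("(no file)"):
            findings.append((code, "orphan: registry entry with no backing file", body))
            continue
        # 2. A proxy server set in Internet Settings should be confirmed as intended.
        if code == "R1" and "ProxyServer =" in body:
            findings.append((code, "proxy server configured; verify it is intended", body))
        # 3. Run targets given as a bare filename are resolved through the search
        #    path, so verify which binary actually starts.
        if code == "O4":
            m = RUN_RE.match(body)
            if m and not is_qualified_path(m.group("target")):
                findings.append((code, "autostart target is not a full path", body))
        # 4. AppInit_DLLs and Winlogon Notify DLLs load very early; an empty
        #    AppInit_DLLs value (as in this log) produces no finding.
        if code == "O20":
            value = body.split(":", 1)[1].strip() if ":" in body else ""
            if value:
                findings.append((code, "early-loading DLL; verify publisher and file", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"{code:4} {reason}\n      {body}")
```

Run against the sample, the script reports the two "(no file)" orphans, the ProxyServer value, the AlcxMonitor entry (bare filename) and the Winlogon Notify DLL; everything else passes. A finding is a prompt to verify the file and its publisher, not a verdict, which is why the moderator's list and this script's list need not match.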


New Member
I was just about to try what you instructed above but the computer screen went black on me... no BSOD this time, so I had to shut off and restart. It was running well for me for about 12 hours and it suddenly did that. I opened my mini dump file and it states:
Unable to load image ntoskrnl.exe, Win32 error 0n2
*** WARNING: Unable to verify timestamp for ntoskrnl.exe
*** ERROR: Module load completed but symbols could not be loaded for ntoskrnl.exe
Unable to load image tcpip.sys, Win32 error 0n2
*** WARNING: Unable to verify timestamp for tcpip.sys
*** ERROR: Module load completed but symbols could not be loaded for tcpip.sys
I will try what you mentioned above as soon as I wake up tomorrow, it's really late. Do you really think it's a malware/rootkit issue?
Senior Forum Moderator

New Member
I updated everything through Windows Update, so I will see if it crashes after that. If it does, I will do what you said earlier.
When it crashed last night, it mentioned tcpip.sys instead of win2k.sys so there is more than one error causing the BSOD.
New Member
Is there anything else that I should do other than that?
Senior Forum Moderator
If you get a crash with tcpip.sys again the following may help:
Download to your desktop TCPIP_Fix.exe, a self-extracting ZIP archive, from here:
http://tinyurl.com/4a8ts5
Double-click Tcpip_Fix.exe to create a new folder on your desktop, Tcpip_Fix.
Open the new folder and double-click Tcpip_fix.cmd to replace the tcpip.sys file with a new copy.
Restart your computer.
If still no joy, I suggest you run the scans posted earlier.
New Member
It crashed again, but this time... the error was "the driver has overrun a stack based buffer", so I brought up the minidump file and it displayed errors with ntoskrnl.exe and tcpip.sys
Senior Forum Moderator
Run the scans posted earlier.
New Member
Okay, I will do that.
I first applied the tcpip fix and when the script finished, the Windows File Protection window came up and says "Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files."
What should I do about that?