Solved

XP Hijackthis help

Posted on 2009-05-19
507 Views
Last Modified: 2013-12-06
I have an XP machine that will not run SuperAntiSpyware without a BSOD: safe mode, alt start, etc. Also cannot get HouseCall to run using either kernel.
Could someone review my log below and offer some input? Thanks in advance.
hijackthis.log
0
Question by:amos5000
22 Comments
 
LVL 16

Expert Comment

by:warturtle
ID: 24424728
Hello,

I cannot see anything obvious from the HijackThis log. Could you please download ComboFix from http://www.bleepingcomputer.com/combofix/how-to-use-combofix and save it with a different name, like jabba.exe.

Then disable your antivirus protection and run it. After it finishes and creates a log, send us that log. Re-enable your antivirus protection and then run SuperAntiSpyware again, followed by a scan with your existing antivirus.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24425648
This looks bad in the HJT log:

O4 - HKCU\..\Run: [LoadWatcher] Test

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS

Please try to uninstall the MyWebSearch toolbar from Add/Remove Programs first, before trying to fix it using HJT.
Also, if you do not know otherwise, can you please upload the file C:\WINDOWS\SYSTEM32\cypherixsrv.exe to www.virustotal.com to confirm whether it is legitimate or not.

0
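Editor's note, added example (not part of the thread and not Admin3k's code): HijackThis only lists autostart points; deciding which O2/O4/O8/O23 entries deserve attention is the reviewer's job. The Python script below encodes the checks Admin3k applied above, a Run value that is not a path to anything executable, a context-menu item pointing at a known adware domain, a service binary with no vendor information, as a small log triage tool. The sample log is constructed for the demo: the [LoadWatcher] line, the mywebsearch line and the cypherixsrv.exe path are the items quoted in this thread, the other lines and the ADWARE_HOSTS list are assumptions made for the example, and the CLSID is deliberately fake.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample in HijackThis log format. The O4 [LoadWatcher] line, the O8
# mywebsearch line and the cypherixsrv.exe path are quoted in this thread; the
# other lines (and the obviously fake CLSID) are made up for illustration.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [LoadWatcher] Test
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS
O23 - Service: Cypherix service (Cypherix) - Unknown owner - C:\WINDOWS\SYSTEM32\cypherixsrv.exe
"""

# Hosts whose toolbar/context-menu entries are treated as adware. This list is an
# assumption for the example; mywebsearch.com is the one that appears in the thread.
ADWARE_HOSTS = ("mywebsearch.com", "funwebproducts.com")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    item: str      # the log line, as written
    reason: str    # why a human should look at it


# One regex per HijackThis section we triage. Each line type has a fixed layout.
_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
_O4 = re.compile(r"^O4 - (?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O8 = re.compile(r"^O8 - Extra context menu item: (?P<label>.*?) - (?P<url>\S+)$")
_O23 = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


def _names_a_program(cmd: str) -> bool:
    """True if a Run value looks like a path to something executable."""
    c = cmd.strip().strip('"').lower()
    return "\\" in c or c.endswith((".exe", ".dll", ".cmd", ".bat", ".scr"))


def _host_is_adware(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in ADWARE_HOSTS)


def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer should look at, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := _O2.match(line):
            if m["path"].lower() == "(no file)":
                findings.append(Finding("O2", line,
                    "BHO registered but its DLL is gone: orphaned entry, safe to fix"))
        elif m := _O4.match(line):
            cmd = m["cmd"]
            if not _names_a_program(cmd):
                findings.append(Finding("O4", line,
                    f"Run value '{m['name']}' does not point at an executable "
                    f"({cmd!r}): find out what actually loads"))
            elif re.search(r"\\(temp|temporary internet files)\\", cmd, re.I):
                findings.append(Finding("O4", line, "autostart from a temp directory"))
        elif m := _O8.match(line):
            if _host_is_adware(m["url"]):
                host = urlparse(m["url"]).hostname
                findings.append(Finding("O8", line,
                    f"context-menu item pointing at adware host {host}: "
                    "uninstall the toolbar first, then fix the entry in HJT"))
        elif m := _O23.match(line):
            if m["owner"].lower() == "unknown owner":
                findings.append(Finding("O23", line,
                    f"service binary with no vendor info: hash {m['path']} "
                    "and look it up on VirusTotal before trusting it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.item}")
```

The point of the O4 rule is exactly the [LoadWatcher] Test entry above: a Run value that is not a path cannot be what Windows executes, so either it is a leftover or the real loader is elsewhere. The O23 rule does not say the file is bad, only that nothing on the machine vouches for it, which is why the next step is a hash lookup rather than deletion.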
 

Author Comment

by:amos5000
ID: 24425969
OK, ran ComboFix as suggested; it completed successfully. Log file attached.
Also, will address Admin3k's recommendations next.
Then will re-run SuperAntiSpyware...

Thanks!
combofixlog.txt
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24426596
Here's my understanding of this ComboFix log:

1. Could you upload these files to www.virustotal.com for a virus check?

c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe
c:\windows\system32\rdpclip.exe
c:\windows\system32\wscntfy.exe

0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24426795
@warturtle: the above files are all legitimate and related to SQL Server, Terminal Services and Windows Security Center, in that order. I do not see a reason to think that they were patched or tampered with at this stage.
@amos5000: the ComboFix log shows it has removed a couple of files it found bad. One interesting finding is the first one:
ADS - WINDOWS: deleted 24 bytes in 1 streams.
This usually means the presence of a rootkit that was hiding its binaries using an NTFS ADS (Alternate Data Stream), which is usually hidden from Windows Explorer; ComboFix detected the file's presence and removed it. There are also another couple of deletions:
c:\docume~1\ANDYL~1\LOCALS~1\Temp\install_flash_player.exe
c:\windows\system32\mdm.exe

There may be a leftover or more, so please let us know the outcome of the SAS scan, and provide a fresh HijackThis log after the last ComboFix run if the problem persists.

0
 

Author Comment

by:amos5000
ID: 24427308
I submitted the files suggested by both of you to virustotal.com and all passed clear.

After Combofix and fixing mywebsearch via HJT... SAS BSOD'd again.

Will re-run HJT then Combofix and report.

Thanks for all the help so far!
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24427547
Could you try to post the exact system error from the computer's Event Viewer that was logged after the crash?
Start > Run > eventvwr.msc > System
We need to know the event ID, source and error text.

0
 

Author Comment

by:amos5000
ID: 24427796
-Last system log ENTRY before crash on SAS @ 12:31:01PM
The IMAPI CD-Burning COM Service service entered the stopped state

-Last system log ERROR entry before crash @ 12:29:21PM
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /. The error:
"The system cannot find the file specified. "
Happened while starting this command:
C:\WINDOWS\system32\MDM.EXE -Embedding

*Then I let the system sit blue until I returned from work...

-First system log ENTRY after crash @ 6:04:47PM
Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Multiprocessor Free.

-First system log ERROR entry after crash @6:05:11PM
The Cypherix service service terminated with the following error:
A device attached to the system is not functioning.

-Second system log ERROR entry@6:06:09PM
Error code 1000000a, parameter1 00000016, parameter2 0000001c, parameter3 00000000, parameter4 80502eaa.

-Third system log ERROR entry@6:06:17PM
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /. The error:
"The system cannot find the file specified. "
Happened while starting this command:
C:\WINDOWS\system32\MDM.EXE -Embedding

-This ENTRY I found interesting @6:04:48PM
The computer has rebooted from a bugcheck.  The bugcheck was: 0x1000000a (0x00000016, 0x0000001c, 0x00000000, 0x80502eaa). A dump was saved in: C:\WINDOWS\Minidump\Mini051909-01.dmp.

Thanks!

0
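Editor's note, added example (not part of the thread): the two System-log lines the author pasted carry the same four numbers, and those numbers already say a lot before anyone opens the minidump. Bug check 0xA (IRQL_NOT_LESS_OR_EQUAL) documents its parameters as (address referenced, IRQL at the time, 0 = read / 1 = write, address of the faulting instruction). The Python below parses both event formats and interprets them. Assumptions made for this example: the 0x10000000 bit in "Error code 1000000a" is treated as a reporting flag added by the event log, so it is masked off to get the documented code; the 32-bit kernel boundary is taken as 0x80000000 (no /3GB); and "address below 0x10000" is used as a heuristic for a NULL-based structure dereference. The event text constants are copies of what the author posted; none of the conclusions are about his particular dump.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed copies of the two System-log entries quoted in the thread: the
# "Error code ..." line and the Save Dump "rebooted from a bugcheck" line.
EVENT_ERROR_CODE = ("Error code 1000000a, parameter1 00000016, parameter2 0000001c, "
                    "parameter3 00000000, parameter4 80502eaa.")
EVENT_SAVE_DUMP = ("The computer has rebooted from a bugcheck.  The bugcheck was: "
                   "0x1000000a (0x00000016, 0x0000001c, 0x00000000, 0x80502eaa). "
                   "A dump was saved in: C:\\WINDOWS\\Minidump\\Mini051909-01.dmp.")

# Assumption: the 0x10000000 bit is a flag the System log adds when it reports a
# bug check; masking it off gives the code a debugger shows (here 0xA).
REPORT_FLAG = 0x10000000
DISPATCH_LEVEL = 2            # above this IRQL, touching pageable memory is illegal
KERNEL_BASE_X86 = 0x80000000  # user/kernel split on 32-bit XP without /3GB (assumed)
NULL_PAGE_LIMIT = 0x10000     # heuristic: tiny addresses usually mean NULL + offset

BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}

_HEX = r"[0-9a-fA-F]+"
_RE_ERROR_CODE = re.compile(
    rf"Error code (?P<code>{_HEX}), parameter1 (?P<p1>{_HEX}), parameter2 (?P<p2>{_HEX}), "
    rf"parameter3 (?P<p3>{_HEX}), parameter4 (?P<p4>{_HEX})")
_RE_SAVE_DUMP = re.compile(
    rf"bugcheck was: 0x(?P<code>{_HEX}) \(0x(?P<p1>{_HEX}), 0x(?P<p2>{_HEX}), "
    rf"0x(?P<p3>{_HEX}), 0x(?P<p4>{_HEX})\)"
    r"(?:\.\s+A dump was saved in: (?P<dump>\S+\.dmp))?")


@dataclass
class BugCheck:
    raw_code: int
    params: Tuple[int, int, int, int]
    dump_path: Optional[str] = None

    @property
    def code(self) -> int:
        return self.raw_code & ~REPORT_FLAG

    @property
    def name(self) -> str:
        return BUGCHECK_NAMES.get(self.code, f"UNKNOWN_0x{self.code:X}")


def parse_bugcheck(text: str) -> BugCheck:
    """Accept either the 'Error code ...' or the 'rebooted from a bugcheck' wording."""
    m = _RE_ERROR_CODE.search(text) or _RE_SAVE_DUMP.search(text)
    if not m:
        raise ValueError("no bug check data in event text")
    params = tuple(int(m[k], 16) for k in ("p1", "p2", "p3", "p4"))
    return BugCheck(int(m["code"], 16), params, m.groupdict().get("dump"))


def describe(bc: BugCheck) -> Dict[str, object]:
    """Interpret the parameters for the codes that share the documented layout
    (address referenced, IRQL, 0 read / 1 write, faulting instruction): 0xA and 0xD1."""
    info: Dict[str, object] = {"code": bc.code, "name": bc.name, "dump": bc.dump_path}
    if bc.code in (0x0A, 0xD1):
        addr, irql, op, pc = bc.params
        info.update({
            "referenced_address": addr,
            "irql": irql,
            "operation": {0: "read", 1: "write"}.get(op, f"other({op})"),
            "faulting_instruction": pc,
            "faulting_instruction_is_kernel": pc >= KERNEL_BASE_X86,
            "above_dispatch": irql > DISPATCH_LEVEL,
            "looks_like_null_deref": addr < NULL_PAGE_LIMIT,
        })
    return info


if __name__ == "__main__":
    for line in (EVENT_ERROR_CODE, EVENT_SAVE_DUMP):
        for k, v in describe(parse_bugcheck(line)).items():
            print(f"{k:32} {v:#x}" if isinstance(v, int) and not isinstance(v, bool) else f"{k:32} {v}")
```

For the author's values this gives: kernel-mode code at 0x80502eaa read address 0x16 while at IRQL 0x1c, well above DISPATCH_LEVEL. A sub-page address plus a raised IRQL is the classic shape of a driver dereferencing a NULL structure pointer; which driver is a question for the minidump, not the event log.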
 
LVL 16

Expert Comment

by:warturtle
ID: 24429484
I would suggest running sfc /scannow from Start -> Run. You might need the Windows XP CD for this to work.

This will ask Windows to check all system files and replace missing/corrupted files by fresh copies.

0
 

Author Comment

by:amos5000
ID: 24433033
I ran sfc successfully. Does it generate a log? I don't know if it made any changes or if all was well.

Thanks.

Also just re ran Combofix.  Will post combofix and HJT logs then try SAS again.

0
 

Author Comment

by:amos5000
ID: 24433474
Here are most recent HJT and Combofix logs..
Thanks
combofixlog2.txt
hijackthis2.log
0

Author Comment

by:amos5000
ID: 24433752
Tried again, SAS is still BSOD

Thanks!
0
 

Author Comment

by:amos5000
ID: 24435691
I'm struggling to get a real view of the .dmp file using dumpchk; maybe I'm not so smart, but I did see it finds catchme.sys and can't load symbols for it or nx6000.sys (then it finishes and closes the cmd window).

Any fixes for catchme.sys? Is it evil? Where does it come from?

Anybody want to see my dmp?
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24435846
catchme.sys can be related to ComboFix, but there is also a known piece of malware by that name. Please rename the .dmp file to .txt and attach it here.

0
 

Author Comment

by:amos5000
ID: 24436016
Here is the minidump renamed from .dmp to .txt

Thanks again!
Mini052009-01.txt
0
 
LVL 23

Accepted Solution

by:Admin3k (earned 500 total points)
ID: 24436395
The minidump does say nx6000.sys is the culprit here; it could be a conflict between SAS and the currently installed driver of the Microsoft LifeCam NX-6000. Please try to obtain the latest drivers and see if the problem persists, or uninstall it for now to confirm our thoughts.

0
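Editor's note, added example (not part of the thread): the way a debugger names a driver from a minidump is mechanical. The file starts with a MINIDUMP_HEADER, the header points at a directory of streams, and the ModuleListStream (type 4) holds one MINIDUMP_MODULE per loaded image with its base address, size and a pointer to a UTF-16 name. Attribution is then a range check of the faulting instruction address against that table. The Python below builds a minimal minidump in memory from a constructed module table, parses it back with the dbghelp.h record layouts, and maps an address to the owning module. The driver names are the ones mentioned in this thread, but every base address, size and the faulting address are invented for the demo and say nothing about the author's Mini052009-01.dmp.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MDMP_SIGNATURE = 0x504D444D   # "MDMP" read as a little-endian DWORD
MINIDUMP_VERSION = 0xA793     # MINIDUMP_VERSION in dbghelp.h
MODULE_LIST_STREAM = 4        # MINIDUMP_STREAM_TYPE::ModuleListStream

# Fixed-size records from dbghelp.h, little-endian, no padding.
HEADER = struct.Struct("<IIIIIIQ")   # Signature, Version, NumberOfStreams,
                                     # StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
DIRECTORY = struct.Struct("<III")    # StreamType, DataSize, Rva
MODULE = struct.Struct("<QIIII52sIIIIQQ")  # BaseOfImage, SizeOfImage, CheckSum,
                                     # TimeDateStamp, ModuleNameRva, VersionInfo(52),
                                     # CvRecord(2), MiscRecord(2), Reserved0, Reserved1


@dataclass
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def build_sample_minidump(modules: List[Tuple[str, int, int]]) -> bytes:
    """Write a minimal minidump containing only a ModuleListStream.
    Constructed test data for this example, not a real crash dump."""
    dir_rva = HEADER.size
    list_rva = dir_rva + DIRECTORY.size
    list_size = 4 + len(modules) * MODULE.size
    strings_rva = list_rva + list_size
    strings, name_rvas = b"", []
    for name, _, _ in modules:
        name_rvas.append(strings_rva + len(strings))
        enc = name.encode("utf-16-le")
        # MINIDUMP_STRING: byte length (excluding terminator), UTF-16LE chars, NUL
        strings += struct.pack("<I", len(enc)) + enc + b"\x00\x00"
    body = struct.pack("<I", len(modules))
    for (_, base, size), rva in zip(modules, name_rvas):
        body += MODULE.pack(base, size, 0, 0, rva, b"\x00" * 52, 0, 0, 0, 0, 0, 0)
    header = HEADER.pack(MDMP_SIGNATURE, MINIDUMP_VERSION, 1, dir_rva, 0, 0, 0)
    directory = DIRECTORY.pack(MODULE_LIST_STREAM, list_size, list_rva)
    return header + directory + body + strings


def _read_string(buf: bytes, rva: int) -> str:
    (length,) = struct.unpack_from("<I", buf, rva)
    return buf[rva + 4: rva + 4 + length].decode("utf-16-le")


def list_modules(buf: bytes) -> List[Module]:
    """Walk the stream directory and decode the ModuleListStream, if present."""
    sig, _ver, nstreams, dir_rva, *_ = HEADER.unpack_from(buf, 0)
    if sig != MDMP_SIGNATURE:
        raise ValueError("not a minidump (bad signature)")
    for i in range(nstreams):
        stype, _size, rva = DIRECTORY.unpack_from(buf, dir_rva + i * DIRECTORY.size)
        if stype != MODULE_LIST_STREAM:
            continue
        (count,) = struct.unpack_from("<I", buf, rva)
        mods = []
        for j in range(count):
            base, size, _cs, _ts, name_rva = MODULE.unpack_from(buf, rva + 4 + j * MODULE.size)[:5]
            mods.append(Module(_read_string(buf, name_rva), base, size))
        return mods
    return []


def module_for_address(modules: List[Module], addr: int) -> Optional[Module]:
    """Attribute an address (e.g. bug check parameter 4) to the image that owns it."""
    return next((m for m in modules if m.contains(addr)), None)


# Constructed module table and faulting address; names come from the thread,
# the numbers are made up for the demo.
SAMPLE_MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x001F5000),
    ("catchme.sys",  0xB9F00000, 0x00010000),
    ("nx6000.sys",   0xBA100000, 0x00030000),
]
SAMPLE_FAULTING_PC = 0xBA11A3C0

if __name__ == "__main__":
    mods = list_modules(build_sample_minidump(SAMPLE_MODULES))
    hit = module_for_address(mods, SAMPLE_FAULTING_PC)
    print(f"{SAMPLE_FAULTING_PC:#010x} -> {hit.name if hit else 'no module'}")
```

Two caveats a real dump adds: the faulting instruction can sit inside ntoskrnl.exe (a kernel routine called with a bad pointer) while the bug belongs to the caller, so the stack, not just parameter 4, decides blame; and catchme.sys appearing in the module list is expected right after a ComboFix run, since that is the name ComboFix's own rootkit-scanning driver loads under.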
 

Author Comment

by:amos5000
ID: 24436763
Tried the ol' driver update, but Windows could not find a better driver than the one I am using... so I uninstalled the drivers and started SAS.

SAS is running!  

I will post again when it completes the scan.

THANKS!
0
 

Author Comment

by:amos5000
ID: 24436856
SuperAntiSpyware would not run until I uninstalled the Microsoft NX-6000 LifeCam drivers from my 32-bit XP system.

Next I will re-install fresh drivers for it and see if it will run.

Thanks for all the excellent help again!
0
 

Author Comment

by:amos5000
ID: 24436862
Oh, by the way, SAS found just 5 adware cookies, nothing too nasty!
0
 

Author Closing Comment

by:amos5000
ID: 31583116
Thanks for staying with me on this!
0
 

Author Comment

by:amos5000
ID: 24436970
Re-installed LifeCam using version 2.07 from Microsoft for XP32...

SAS still works!!!! SOLVED!
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24437338
Glad it worked out! Cheers.
0
