amos5000
asked on
XP Hijackthis help
I have an XP machine that will not run SuperAntiSpyware without a BSOD (safe mode, alternate start, etc.). I also cannot get HouseCall to run using either kernel.
Could some one review my log below and offer some input. Thanks in advance..
hijackthis.log
This looks bad in the HJT log:
O4 - HKCU\..\Run: [LoadWatcher] Test
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS
Please try to uninstall the MyWebSearch toolbar from Add/Remove Programs first, before fixing it with HJT.
Also, if you do not know otherwise, can you please upload the file C:\WINDOWS\SYSTEM32\cypherixsrv.exe
to www.virustotal.com to confirm whether it is legitimate or not.
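As an added illustration (not part of the thread, and not code from HijackThis), here is a small Python triage pass over the two flagged lines: it parses O4 autorun entries and O8 context-menu entries and reports why each looks off. The adware domain list and the benign HKLM ctfmon.exe line are constructed assumptions for contrast; the other two lines are the ones quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# Constructed sample log. The first and third lines are the two entries quoted
# in the thread; the HKLM ctfmon.exe line is a made-up benign entry for contrast.
SAMPLE_LOG = "\n".join([
    r"O4 - HKCU\..\Run: [LoadWatcher] Test",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    "O8 - Extra context menu item: &Search - "
    "http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS",
])

# Assumed reviewer blocklist (not from the page): domains whose browser helpers
# are generally treated as adware and removed rather than kept.
ADWARE_DOMAINS = {"mywebsearch.com"}

EXECUTABLE_EXT = re.compile(r"\.(exe|com|bat|cmd|scr|pif|dll)\b", re.I)

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O8_RE = re.compile(
    r"^O8 - Extra context menu item: (?P<label>.+?) - (?P<url>\S+)$")


@dataclass
class Finding:
    section: str
    item: str
    reasons: List[str] = field(default_factory=list)


def check_o4(m: "re.Match") -> List[str]:
    """Autorun entry: the value should resolve to a program on disk."""
    reasons = []
    cmd = m["cmd"].strip().strip('"')
    if "\\" not in cmd and not EXECUTABLE_EXT.search(cmd):
        # A bare word such as "Test" is neither a path nor an executable name;
        # legitimate installers do not write Run values like this.
        reasons.append(f"Run value {cmd!r} is not a path to an executable")
    return reasons


def check_o8(m: "re.Match") -> List[str]:
    """Context-menu entry: judge it by the host it points at."""
    host = (urlparse(m["url"]).hostname or "").lower()
    for bad in ADWARE_DOMAINS:
        if host == bad or host.endswith("." + bad):
            return [f"points at known adware domain {bad} (host {host})"]
    return []


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per O4/O8 line that has at least one reason to act on."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            reasons, item, section = check_o4(m), m["name"], "O4"
        elif (m := O8_RE.match(line)):
            reasons, item, section = check_o8(m), m["label"].replace("&", ""), "O8"
        else:
            continue
        if reasons:
            findings.append(Finding(section, item, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.item}]: " + "; ".join(f.reasons))
```

The benign ctfmon.exe line produces no finding because its Run value is a real path; the LoadWatcher entry is flagged purely on the shape of its value, and the O8 entry on its host, which is the same reasoning the reply above applies by eye.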
ASKER
Ok, ran ComboFix as suggested, it completed successfully. Logfile attached.
Also, will address Admin3k's recommendations next.
Then will re-run superantispyware...
Thanks!
combofixlog.txt
Here's my understanding of this ComboFix log:
1. Could you upload these files to www.virustotal.com for a virus check?
c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe
c:\windows\system32\rdpclip.exe
c:\windows\system32\wscntfy.exe
@wartutle: the above files are all legitimate and related to SQL Server, Terminal Services and Windows Security Center, in that order. I do not see a reason to think they were patched or tampered with at this stage.
@amos5000: the ComboFix log shows it has removed a couple of files it found bad. One interesting finding is the first one:
ADS - WINDOWS: deleted 24 bytes in 1 streams.
This usually means the presence of a rootkit that was hiding its binaries using an NTFS AFS (Alternate file stream), which is usually hidden from Windows Explorer. ComboFix detected the file's presence and removed it. There are also a couple of other deletions:
c:\docume~1\ANDYL~1\LOCALS~1\Temp\install_flash_player.exe
c:\windows\system32\mdm.exe
There may be one or more leftovers, so please let us know the outcome of the SAS scan, and provide a fresh HijackThis log after the last ComboFix run if the problem persists.
ASKER
I submitted the files suggested by both of you to virustotal.com and all passed clear.
After Combofix and fixing mywebsearch via HJT... SAS BSOD'd again.
Will re-run HJT then Combofix and report.
Thanks for all the help so far!
Could you try to post the exact system error from the computer's Event Viewer that was logged after the crash?
Start > Run > eventvwr.msc > System
We need to know the event ID, source and error text.
ASKER
-Last System log ENTRY before crash on SAS @ 12:31:01 PM:
The IMAPI CD-Burning COM Service service entered the stopped state.
-Last System log ERROR entry before crash @ 12:29:21 PM:
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /. The error:
"The system cannot find the file specified."
Happened while starting this command:
C:\WINDOWS\system32\MDM.EXE -Embedding
*Then I let the system sit blue until I returned from work...
-First System log ENTRY after crash @ 6:04:47 PM:
Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Multiprocessor Free.
-First System log ERROR entry after crash @ 6:05:11 PM:
The Cypherix service service terminated with the following error:
A device attached to the system is not functioning.
-Second System log ERROR entry @ 6:06:09 PM:
Error code 1000000a, parameter1 00000016, parameter2 0000001c, parameter3 00000000, parameter4 80502eaa.
-Third System log ERROR entry @ 6:06:17 PM:
Unable to start a DCOM Server: {0C0A3666-30C9-11D0-8F20-00805F2CD064} as /. The error:
"The system cannot find the file specified."
Happened while starting this command:
C:\WINDOWS\system32\MDM.EXE -Embedding
-This ENTRY I found interesting @ 6:04:48 PM:
The computer has rebooted from a bugcheck. The bugcheck was: 0x1000000a (0x00000016, 0x0000001c, 0x00000000, 0x80502eaa). A dump was saved in: C:\WINDOWS\Minidump\Mini051909-01.dmp.
Thanks!
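As an added worked example (not from the thread and not Microsoft tooling), here is a Python helper that parses the two bugcheck entries quoted in the post above, strips the 0x10000000 save-dump marker that makes stop code 0xA appear as "1000000a" in the System log, and decodes the four parameters for the IRQL_NOT_LESS_OR_EQUAL family. The 0x80000000 kernel boundary is an assumption (default 2 GB / 2 GB split on 32-bit XP, no /3GB switch), as is the choice of which stop codes to decode.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample: the two System-log entries quoted in the post above,
# with the extraction line-wrapping removed.
EVENT_SAVE_DUMP = (
    "The computer has rebooted from a bugcheck. The bugcheck was: "
    "0x1000000a (0x00000016, 0x0000001c, 0x00000000, 0x80502eaa). "
    "A dump was saved in: C:\\WINDOWS\\Minidump\\Mini051909-01.dmp.")
EVENT_SYSTEM_ERROR = (
    "Error code 1000000a, parameter1 00000016, parameter2 0000001c, "
    "parameter3 00000000, parameter4 80502eaa.")

# The System log reports the stop code with bit 0x10000000 set when a dump was
# written, which is why bug check 0xA shows up as "1000000a".
SAVE_DUMP_FLAG = 0x10000000

# Stop codes whose parameters share the layout
# (address referenced, IRQL at the time, 0 = read / 1 = write, faulting PC).
IRQL_FAMILY = {0x0A: "IRQL_NOT_LESS_OR_EQUAL", 0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL"}

DISPATCH_LEVEL = 2
KERNEL_BASE_X86 = 0x80000000   # assumed: default 2 GB / 2 GB split, no /3GB switch

SAVEDUMP_RE = re.compile(
    r"bugcheck was: 0x(?P<code>[0-9a-f]{8}) \((?P<params>[^)]*)\)"
    r"(?:\. A dump was saved in: (?P<dump>.+?)\.?$)?", re.I)
ERRORCODE_RE = re.compile(
    r"Error code (?P<code>[0-9a-f]{8}), parameter1 (?P<p1>[0-9a-f]{8}), "
    r"parameter2 (?P<p2>[0-9a-f]{8}), parameter3 (?P<p3>[0-9a-f]{8}), "
    r"parameter4 (?P<p4>[0-9a-f]{8})", re.I)


@dataclass
class Bugcheck:
    raw_code: int
    params: Tuple[int, ...]
    dump_path: Optional[str] = None


def parse_event(text: str) -> Bugcheck:
    """Accept either the Save Dump text or the 'Error code ...' System Error text."""
    m = SAVEDUMP_RE.search(text)
    if m:
        params = tuple(int(p, 16) for p in re.findall(r"0x([0-9a-f]{8})", m["params"], re.I))
        return Bugcheck(int(m["code"], 16), params, m["dump"])
    m = ERRORCODE_RE.search(text)
    if m:
        params = tuple(int(m[k], 16) for k in ("p1", "p2", "p3", "p4"))
        return Bugcheck(int(m["code"], 16), params)
    raise ValueError("not a bugcheck event")


def decode(bc: Bugcheck) -> dict:
    """Strip the save-dump marker and explain the parameters where the layout is known."""
    code = bc.raw_code & ~SAVE_DUMP_FLAG
    out = {"stop_code": code, "name": IRQL_FAMILY.get(code, "UNKNOWN"), "hints": []}
    if code in IRQL_FAMILY:
        addr, irql, access, pc = bc.params
        out.update(referenced=addr, irql=irql,
                   access="write" if access else "read", faulting_address=pc)
        if addr < 0x10000:
            out["hints"].append("near-null address referenced: a bad or uninitialised pointer")
        if irql >= DISPATCH_LEVEL:
            out["hints"].append("IRQL >= DISPATCH_LEVEL: pageable memory must not be touched here")
        if pc >= KERNEL_BASE_X86:
            out["hints"].append("faulting instruction is in kernel space: open the minidump "
                                "(dumpchk or WinDbg '!analyze -v') to name the driver")
    return out


if __name__ == "__main__":
    for text in (EVENT_SAVE_DUMP, EVENT_SYSTEM_ERROR):
        bc = parse_event(text)
        info = decode(bc)
        print(f"0x{info['stop_code']:X} {info['name']} dump={bc.dump_path}")
        for h in info["hints"]:
            print("  -", h)
```

Both entries decode to the same stop 0xA with a read of address 0x16 at IRQL 0x1c from a kernel-space instruction; the event text alone cannot say which driver owns 0x80502eaa, which is why the minidump path the Save Dump entry records is the next thing to open.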
I would suggest running sfc /scannow from Start > Run. You might need the Windows XP CD for this to work.
This asks Windows to check all system files and replace missing or corrupted files with fresh copies.
ASKER
I ran sfc successfully. Does it generate a log? I don't know if it made any changes or if all was well.
Thanks.
Also just re ran Combofix. Will post combofix and HJT logs then try SAS again.
ASKER
Tried again, SAS still BSODs.
Thanks!
ASKER
I'm struggling to get a real view of the .dmp file using dumpchk (maybe I'm not so smart), but I did see that it finds catchme.sys and can't load symbols for it or for nx6000.sys (then it finishes and closes the cmd window).
Any fixes for catchme.sys? Is it evil? Where does it come from?
Anybody want to see my dmp?
catchme.sys can be related to ComboFix, but there is also a known piece of malware by that name. Please rename the .dmp file to .txt and attach it here.
ASKER CERTIFIED SOLUTION
ASKER
Tried the 'ol driver update, but Windows could not find a better driver than the one I am using... so I uninstalled the drivers and started SAS.
SAS is running!
I will post again when it completes the scan.
THANKS!
ASKER
SuperAntiSpyware would not run until I uninstalled the Microsoft NX-6000 LifeCam drivers from my 32-bit XP system.
Next I will re-install fresh drivers for it and see if it will still run.
Thanks for all the excellent help again!
ASKER
Oh, by the way, SAS found just 5 adware cookies, nothing too nasty!
ASKER
Thanks for staying with me on this!
ASKER
Re-installed LifeCam using version 2.07 from Microsoft for XP 32-bit...
SAS still works!!!! SOLVED!
Glad it worked out!
Cheers.
I cannot see anything obvious from the HijackThis log. Could you please download ComboFix from http://www.bleepingcomputer.com/combofix/how-to-use-combofix and save it under a different name, like jabba.exe.
Then disable your antivirus protection and run it. After it finishes and creates a log, send us that log. Re-enable your antivirus protection, then run SuperAntiSpyware again, followed by a scan with your existing antivirus.