HJT is being Stopped/crashes

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744

    HJT is being Stopped/crashes

Had a machine hit my bench late this afternoon.. (hit hard and bounced into my seat)

Fired up, had a look at the running processes.. found a **** load that looked out of place, some familiar.. CWS, new.net

    spotted one new name Snapper.exe

so restarted in safe mode and did a quick HJT scan.. as it neared completion it crashed.. Windows detected a problem and popped the "We will close it" window over top of the scan log..

    restarted and tried again. same story..

spotted something that was definitely out of place..

    I think it was in the System.ini
    shell=explorer.exe; mcafee32.exe and
    userint=userint.exe;userint32.exe

it was a bit hard to catch as the warning box landed right over the area I was reading.. and I couldn't do a bloody thing with HJT ..

So restarted with BartPE and tried HJT.. the scan would run and close before you could read anything from the log..

Did an Adaware scan under BartPE..
last count had 600 items; when I came back it was at the start?
did another scan.. stopped it at 450 or so items
had dyFuCa, Ist, CWS, new dot net.... forgotten the rest ..

at this point my office closed for the day.. .. quickly saved the log from Adaware to the HDD.. but didn't save to my jump drive.

    .........

I was not surprised when HJT failed in safe mode.. but I am puzzled with it crashing under BartPE.. Has anyone seen this issue before..
    my version of HJT is 1.99.1

the machine is a 12mth old Compaq, WinXP Home..
the owner's son has managed to infect the system badly enough to require MOBO reset and clean install (partition, format then recovery CDs)..
The customer's AV is Norton 2005.. (I point this out due to the mention of McAfee in the system INI)

My first action will be to scavenge out as many of the suspect files as possible under Bart before I start any other cleanups.. (the Adaware scan was set to move to Recycle Bin)
then rename the mcafee32.exe file and edit the system.ini, certainly checking the other entry mentioned above..

    so why the failure of HJT during the scan under Bart? thoughts?

normally Smartkiller doesn't worry HJT in a BartPE scan.. while it is in my mind .. I have discounted it as most likely
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    G'day Undies,

Maybe this is the problem?...............or something with similar heuristics?

NOTE: Systems infected with the 'Ms4Hd' rootkit parasite will experience crashes in HijackThis 1.99.x since this parasite deliberately crashes programs that try to detect it.

EDIT:

Note: Beware of the Ms4Hd parasite, which will crash HijackThis when it reaches the new O23 (NT Services) section. This parasite deliberately crashes most apps that query any regkeys/files it owns, and we haven't found a way around this. For now a copy of HJT 1.98.2 (which shouldn't crash with Ms4Hd) at http://www.merijn.org/files/hijackthis1982.zip for such cases.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    If that box is that fscked up I would just wipe the drive and reinstall a clean OS.

    It's odd though, HJT crashing when loaded via BartPE. None of the rootkits/spyware would be loaded so I see no way for these to "detect" they're detected..
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    The Doctor Und3ertak3r's Avatar
    Ms4Hd parasite..?

    did a google on this bugger.. all I have seen is reference to it crashing progs like HJT..

explains why HJT crashed in safe mode.. but the trojan shouldn't be active when the system was booted from Bart..

    I wonder if it is to do with the Remote registry tools?

    hmm more research for me.. thanks Johnno..

sorry.. I am such a slow typist.. Sirdice.. yep I know.. this time it is personal.. I will give a machine a solid half hour; if I am no closer.. wipe the bugger clean. I will give this one extra time.. it gets a total of 45min.. these are the jobs you can learn some serious **** from (oh and waste some serious time).. but I am not going to make a charity case out of it.. my health can't afford it nor can the wallet..

    thanks guys


    found some hints on this one...the trojan/ROOT KIT THAT IS...

    http://www.sophos.com/virusinfo/anal...ojagentbj.html
    https://www-secure.symantec.com/avce...n.flush.a.html

as well as a few sites with registry tools to remove the problem.. just hope regedit works on BartPE.. I want to have a look at this sucker..

Here also is a happy ending for a similar prob.. ahhhhhh..hangon.. was it the same .. ..this guy had some bloody trojan.. oh well interesting read.. tempers flare.. but they're all lovers in the end..

    This one could be a matter of setting up my Crashtest dummy with this trojan and see if I can find why the root kit kills HJT even in BART..

  5. #5
    The Doctor Und3ertak3r's Avatar
Didn't get a solid chance to play with this problem today..

save that the results of the HJT 1.99.1 still crash.. both in safe mode and BartPE.
HJT 1.98.2 has performed scans but one entry is different/missing, that is the "shell=" entry (log shown below for interest.. it has a **** load)

    I am currently checking a couple of listings (I may zip these up for those interested)
    the System.ini entries are Registry entries..

    the HJT log (1.98.2)

    Logfile of HijackThis v1.98.2
    Scan saved at 1:14:13 PM, on 5/04/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\userinit32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\taskmgr.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis1982.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50162
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [snapple] snapple.exe
    O4 - HKLM\..\Run: [blou] C:\WINDOWS\knhveqff.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [_Cat1] C:\WINDOWS\nmmst.exe
    O4 - HKLM\..\Run: [Dns Resolver] dnsrslve.exe
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
    O4 - HKLM\..\Run: [4F6X39P] wshbkend.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [blo786_q8aC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\knhveqff.exe
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\Run: [rant] rant.exe
    O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexwi32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [blo786aigYC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\knhveqff.exe
    O4 - HKLM\..\Run: [Compaq Service Drivers] compq.exe
    O4 - HKLM\..\Run: [MS Windows Process Class] MSPRCSS32.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dckbunxq.exe
    O4 - HKLM\..\Run: [gNq}K~^C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\knhveqff.exe
    O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\RunServices: [snapple] snapple.exe
    O4 - HKLM\..\RunServices: [Dns Resolver] dnsrslve.exe
    O4 - HKLM\..\RunServices: [rant] rant.exe
    O4 - HKLM\..\RunServices: [Compaq Service Drivers] compq.exe
    O4 - HKLM\..\RunServices: [MS Windows Process Class] MSPRCSS32.exe
    O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
    O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
    O4 - HKCU\..\Run: [snapple] snapple.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/black.ocx
    O21 - SSODL: EI00CJEB - {3B537B6D-249F-1674-3AE5-59352F106009} - C:\WINDOWS\System32\Egnallag.dll
    O21 - SSODL: mtklefap - {9D88FC86-9FAD-4EFA-7CB4-C6E95EA7245F} - C:\WINDOWS\System32\atht32.dll

    BTW moving the file and editing the registry didn't achieve very much with the userinit32 file..


bugger, just realised I didn't copy the files I needed before I shut down for the day, argh.

    I had copied the userinit32.exe and the Mcafee32.exe just for you guys to play with...oh well tomorrow..

    cheers
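An added example, not code from the thread or from HijackThis: a small Python parser for the log format quoted above that flags the two things this thread turns on, an extra program in the Winlogon Shell=/UserInit= values (reported by HJT under F2 - REG:system.ini, which is how the first post's userinit32.exe and mcafee32.exe showed up) and Run-key or DPF entries worth a second look (O4/O16). The sample lines are constructed from the quoted log, and the bare-file-name rule for O4 is a heuristic I am assuming, not an HJT rule.

```python
import re

# Constructed sample, modelled on the HJT 1.98.2 log quoted in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [snapple] snapple.exe
O4 - HKLM\..\RunServices: [Dns Resolver] dnsrslve.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/black.ocx
"""

# What the Winlogon Shell= and UserInit= values normally contain. Anything
# after the comma/semicolon (userinit32.exe, mcafee32.exe in the thread) is
# an extra program started at every logon, and it survives a safe-mode boot.
WINLOGON_DEFAULTS = {"userinit": {"userinit.exe"}, "shell": {"explorer.exe"}}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (\w+)=(.*)$")
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[^}]+\}) - (\S+)$")

def check_winlogon(name, value):
    """Return the programs in a Shell=/UserInit= value that are not the default."""
    progs = [p.strip().lower() for p in re.split(r"[,;]", value) if p.strip()]
    defaults = WINLOGON_DEFAULTS.get(name.lower(), set())
    return [p for p in progs if p.rsplit("\\", 1)[-1] not in defaults]

def audit_hjt_log(text):
    """Return (section, reason, line) for entries worth a first look."""
    findings = []
    for line in text.splitlines():
        m = F2_RE.match(line)
        if m:
            extra = check_winlogon(m.group(1), m.group(2))
            if extra:
                findings.append(("F2", "non-default %s program: %s" % (m.group(1), ", ".join(extra)), line))
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group(3).strip().lstrip('"')
            # Heuristic (my assumption, not an HJT rule): a bare file name in a Run key is
            # located via the PATH search order, while installers normally write a full path.
            if "\\" not in cmd.split(" ")[0]:
                findings.append(("O4", "bare file name in %s: %s" % (m.group(1), cmd), line))
            continue
        m = O16_RE.match(line)
        if m:
            findings.append(("O16", "ActiveX control downloaded from %s" % m.group(2), line))
    return findings
```

Legitimate entries such as the log's VTTimer.exe also trip the bare-file-name rule, so treat its O4 findings as a review list rather than a verdict.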

  6. #6
    The Doctor Und3ertak3r's Avatar

    Progress Report

spent about 20mins playing with this problem.. spent my day playing with intermittent mobo problems and noisy fans..

main problem appears to have been rbot & Qhost infection.. but here is a list of the buggers I have found thus far (oh, HJT 1.99.1 now works), but regedit, task manager and msconfig still only work in safe mode..

    this list from Ewido scan, as well as AVG7

    w32.trojan.byteverify.a
    trojan.rootkit.h
    Trojan.dropper.small.11.BU/31.BU
    Trojan.Qhost.ay
    Spyware.Apropos/.e/.f/.b
    Spyware.Perez.a
    Spyware.Broadcup.b
    Spyware.404Search.h
    Spyware.WinAD.AF/.AB
    Spyware.MediaPass
    Spyware.Toolbar
    Spyware.IBISToolbar
    Trojan.Downloader.ISTBar
    Trojan.Downloader.Elitebar.z
    Trojan.Downloader.Sahat.o/.i
    Trojan.Downloader.Agent/.ex/.hc/.kp/.ji
    Trojan.Downloader.WebP2PInstaller
    Trojan.Downloader.Small/.amg/.ahg
    Trojan.Spy.Qukart.s
    Spyware.Hijacker.Generic
    Spyware.Sidefind
    Backdoor.rBot/.rad/.avd
    Backdoor.wootbot
    Backdoor.sdbot
    Dialer.Generic
    Dialer.15.an
    Dropper.Juntador.ad
    Worm.Padobot.v
    Trojan.colleted.z



A total of 43 malware (.. I manually delete ALL cookies and move the TIF, Windows TEMP, user/localfiles/Temp files before getting too damned involved.. scan them later as a final check before giving the all clear) this is a count of malware involved, not the total number of files.., after an automated cleaning by Adaware under BART.. AboutBuster, and a handful of scripted tools were a monstrous help.

It may have been a financial waste of time.. but have played with a few new tools as well as learnt a skill or 2 that I hope will be useful more often.. (I hope)


    I hope more to come..

  7. #7
    The Doctor Und3ertak3r's Avatar
    Closed..

    Formatted and clean installed.. Sp2'd it, FF, Sdd block Hosts, remove n-needed Services, installed Trend-Pc-Cillin, Spybot snd with Teatime, ....... times up.. Next