-
April 4th, 2005, 10:09 AM
#1
HJT is being Stopped/crashes
Had a machine hit my bench late this afternoon.. (hit hard and bounced into my seat )
Fired it up, had a look at the running processes.. found a **** load that looked out of place, some familiar.. CWS, new.net
spotted one new name, Snapper.exe
so restarted in safe mode and did a quick HJT scan.. as it neared completion it crashed.. Windows detected a problem and popped the "We will close it" window over the top of the scan log..
restarted and tried again. Same story..
spotted something that was definitely out of place..
I think it was in the System.ini
shell=explorer.exe; mcafee32.exe and
userint=userint.exe;userint32.exe
it was a bit hard to catch as the warning box landed right over the area I was reading.. and I couldn't do a bloody thing with HJT..
So restarted with BartPE and tried HJT.. the scan would run and close before you could read anything from the log..
Did an Ad-Aware scan under BartPE..
last count had 600 items; when I came back it was at the start?
did another scan.. stopped it at 450 or so items
had DyFuCa, IST, CWS, new dot net.... forgotten the rest..
at this point my office closed for the day.. .. quickly saved the log from Ad-Aware to the HDD.. but didn't save to my jump drive.
.........
I was not surprised when HJT failed in safe mode.. but I am puzzled with it crashing under BartPE.. Has anyone seen this issue before..
my version of HJT is 1.99.1
the machine is a 12-month-old Compaq, WinXP Home..
the owner's son has managed to infect the system badly enough to require a MOBO reset and clean install (partition, format, then recovery CDs)..
The customer's AV is Norton 2005.. (I point this out due to the mention of McAfee in the system INI)
My first action will be to scavenge out as many of the suspect files as possible under Bart before I start any other cleanups.. (the Ad-Aware scan was set to move to the Recycle Bin)
then rename the mcafee32.exe file and edit the system.ini, certainly checking the other entry mentioned above..
so why the failure of HJT during the scan under Bart? thoughts?
normally Smartkiller doesn't worry HJT in a BartPE scan.. while it is in my mind.. I have discounted it as most likely
"Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
April 4th, 2005, 10:39 AM
#2
G'day Undies,
Maybe this is the problem?............... or something with similar heuristics?
NOTE: Systems infected with the 'Ms4Hd' rootkit parasite will experience crashes in HijackThis 1.99.x, since this parasite deliberately crashes programs that try to detect it.
EDIT:
Note: Beware of the Ms4Hd parasite, which will crash HijackThis when it reaches the new O23 (NT Services) section. This parasite deliberately crashes most apps that query any regkeys/files it owns, and we haven't found a way around this. For now there is a copy of HJT 1.98.2 (which shouldn't crash with Ms4Hd) at http://www.merijn.org/files/hijackthis1982.zip for such cases.
-
April 4th, 2005, 12:09 PM
#3
If that box is that fscked up I would just wipe the drive and reinstall a clean OS.
It's odd though, HJT crashing when loaded via BartPE. None of the rootkits/spyware would be loaded so I see no way for these to "detect" they're detected..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 4th, 2005, 01:09 PM
#4
Ms4Hd parasite..?
did a Google on this bugger.. all I have seen is reference to it crashing progs like HJT..
explains why HJT crashed in safe mode.. but the trojan shouldn't be active when the system was booted from Bart..
I wonder if it is to do with the remote registry tools?
hmm, more research for me.. thanks Johnno..
sorry.. I am such a slow typist.. SirDice.. yep I know.. this time it is personal.. I will give a machine a solid half hour if I am no closer.. wipe the bugger clean. I will give this one extra time.. it gets a total of 45 min.. these are the jobs you can learn some serious **** from (oh, and waste some serious time).. but I am not going to make a charity case out of it.. my health can't afford it, nor can the wallet..
thanks guys
found some hints on this one... the trojan/ROOTKIT THAT IS...
http://www.sophos.com/virusinfo/anal...ojagentbj.html
https://www-secure.symantec.com/avce...n.flush.a.html
as well as a few sites with registry tools to remove the problem.. just hope regedit works on BartPE.. I want to have a look at this sucker..
Here also is a happy ending for a similar prob.. ahhhhhh.. hang on.. was it the same.. ..this guy had some bloody trojan.. oh well, interesting read.. tempers flare.. but they're all lovers in the end..
This one could be a matter of setting up my crash-test dummy with this trojan and seeing if I can find why the rootkit kills HJT even in Bart..
-
April 5th, 2005, 09:36 AM
#5
Didn't get a solid chance to play with this problem today..
save that HJT 1.99.1 still crashes.. both in safe mode and BartPE.
HJT 1.98.2 has performed scans, but one entry is different/missing, that is the "shell=" entry (log shown below for interest.. it has a **** load)
I am currently checking a couple of listings (I may zip these up for those interested)
the System.ini entries are Registry entries..
the HJT log (1.98.2):
Logfile of HijackThis v1.98.2
Scan saved at 1:14:13 PM, on 5/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\userinit32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis1982.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50162
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [snapple] snapple.exe
O4 - HKLM\..\Run: [blou] C:\WINDOWS\knhveqff.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [_Cat1] C:\WINDOWS\nmmst.exe
O4 - HKLM\..\Run: [Dns Resolver] dnsrslve.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [4F6X39P] wshbkend.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [blo786¤¿Ç*_q8*aîžC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\knhveqff.exe
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [rant] rant.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexwi32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [blo786¤¿Ç*aîžigÝYæ¢C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\knhveqff.exe
O4 - HKLM\..\Run: [Compaq Service Drivers] compq.exe
O4 - HKLM\..\Run: [MS Windows Process Class] MSPRCSS32.exe
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\dckbunxq.exe
O4 - HKLM\..\Run: [¥gNˆÂÂq}K‘¦~ø÷^…¼‡—C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\knhveqff.exe
O4 - HKLM\..\Run: [ap9h4qmo] C:\WINDOWS\System32\ap9h4qmo.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\RunServices: [snapple] snapple.exe
O4 - HKLM\..\RunServices: [Dns Resolver] dnsrslve.exe
O4 - HKLM\..\RunServices: [rant] rant.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] compq.exe
O4 - HKLM\..\RunServices: [MS Windows Process Class] MSPRCSS32.exe
O4 - HKLM\..\RunOnce: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - HKCU\..\Run: [snapple] snapple.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/black.ocx
O21 - SSODL: EI00CJEB - {3B537B6D-249F-1674-3AE5-59352F106009} - C:\WINDOWS\System32\Egnallag.dll
O21 - SSODL: mtklefap - {9D88FC86-9FAD-4EFA-7CB4-C6E95EA7245F} - C:\WINDOWS\System32\atht32.dll
BTW moving the file and editing the registry didn't achieve very much with the userinit32 file..
bugger, just realised I didn't copy the files I needed before I shut down for the day, argh.
I had copied the userinit32.exe and the mcafee32.exe just for you guys to play with... oh well, tomorrow..
cheers
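As an added example (not code from this thread, from HijackThis or from its author), here is a small Python checker that reads HJT-format log lines like the ones above and flags the patterns this thread turns on: Winlogon Shell/UserInit values that launch more than the expected single program (the system.ini entries from the first post), Run values with garbled names, commands given as bare filenames resolved through PATH, one program registered under several Run/RunServices keys, O16 ActiveX downloads from hosts outside an allowlist, and O21 SSODL entries. The sample lines, the trusted-host allowlist, the severity labels and the finding names are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in HijackThis 1.98.x/1.99.x log format. The lines mirror
# the shapes seen in this thread (the Shell= line is written the way HJT would
# report the system.ini entry from the first post); it is not the thread's log.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
F2 - REG:system.ini: Shell=explorer.exe,mcafee32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [snapple] snapple.exe
O4 - HKLM\..\RunServices: [snapple] snapple.exe
O4 - HKCU\..\Run: [snapple] snapple.exe
O4 - HKLM\..\Run: [blo786¤¿Ç*_q8*aîžC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\knhveqff.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://iframedollars.biz/tb/black.ocx
O21 - SSODL: EI00CJEB - {3B537B6D-249F-1674-3AE5-59352F106009} - C:\WINDOWS\System32\Egnallag.dll
"""

# Expected single program for the Winlogon values HJT reports as F2 entries.
WINLOGON_EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}
# Constructed allowlist: hosts from which an O16 (DPF) ActiveX download is acceptable.
DPF_TRUSTED_HOSTS = {"windowsupdate.microsoft.com", "update.microsoft.com"}

RE_F2 = re.compile(r"^F2 - REG:system\.ini: (\w+)=(.*)$")
RE_O4 = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.*)\] (.*)$")
RE_O16 = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) - (\S+)$")
RE_O21 = re.compile(r"^O21 - SSODL: (\S+) - (\{[^}]+\}) - (.*)$")


def split_winlogon(value):
    """Shell/UserInit hold a ',' (or ';') separated program list; the stock
    UserInit value ends in a trailing comma, so empty pieces are dropped."""
    return [p.strip() for p in re.split(r"[,;]", value) if p.strip()]


def command_exe(command):
    """Return the executable part of a Run command, honouring a quoted path."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    parts = command.split()
    return parts[0] if parts else ""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def finding(level, kind, line, detail):
    return {"level": level, "kind": kind, "line": line, "detail": detail}


def analyze(log_text):
    """Scan HJT-format lines and return a list of findings (dicts)."""
    findings = []
    locations = defaultdict(set)  # exe basename -> Run keys it is registered in
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := RE_F2.match(line):
            key, programs = m.group(1).lower(), split_winlogon(m.group(2))
            expected = WINLOGON_EXPECTED.get(key)
            extra = [p for p in programs if basename(p) != expected]
            if expected and extra:
                findings.append(finding("high", "winlogon-extra", line,
                                        f"{key} also launches: {', '.join(extra)}"))
        elif m := RE_O4.match(line):
            hive, name, command = m.groups()
            if any(ord(ch) < 32 or ord(ch) > 126 for ch in name):
                findings.append(finding("high", "garbled-name", line,
                                        "value name contains non-printable/non-ASCII bytes"))
            if "\\" not in command and ":" not in command:
                findings.append(finding("review", "bare-filename", line,
                                        f"{command} is resolved through PATH, not a fixed path"))
            exe = basename(command_exe(command))
            if exe:
                locations[exe].add(hive)
        elif m := RE_O16.match(line):
            host = (urlsplit(m.group(2)).hostname or "").lower()
            if host not in DPF_TRUSTED_HOSTS:
                findings.append(finding("high", "untrusted-dpf", line,
                                        f"ActiveX download from {host}"))
        elif m := RE_O21.match(line):
            findings.append(finding("review", "ssodl", line,
                                    f"{m.group(3)} loads into the shell at logon; verify the vendor"))
    # The same program registered in several Run keys is a persistence pattern
    # worth a look (snapple.exe appears three times in the thread's log).
    for exe, hives in locations.items():
        if len(hives) > 1:
            findings.append(finding("review", "multi-location", exe,
                                    f"registered in {len(hives)} Run keys: {', '.join(sorted(hives))}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['level']:6}] {f['kind']:15} {f['detail']}")
```

The checker only reads the log text, so it can run on a log saved from BartPE on any machine; "high" findings are the ones that match what the thread found (extra Winlogon programs, garbled Run names, an unknown DPF host), while "review" items are things a technician should look at but that legitimate software also does.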
-
April 6th, 2005, 12:34 PM
#6
Progress Report
spent about 20 mins playing with this problem.. spent my day playing with intermittent mobo problems and noisy fans..
main problem appears to have been an rBot & Qhost infection.. but here is a list of the buggers I have found thus far (oh, HJT 1.99.1 now works), but regedit, Task Manager and msconfig still only work in safe mode..
this list is from an Ewido scan, as well as AVG7:
w32.trojan.byteverify.a
trojan.rootkit.h
Trojan.dropper.small.11.BU/31.BU
Trojan.Qhost.ay
Spyware.Apropos/.e/.f/.b
Spyware.Perez.a
Spyware.Broadcup.b
Spyware.404Search.h
Spyware.WinAD.AF/.AB
Spyware.MediaPass
Spyware.Toolbar
Spyware.IBISToolbar
Trojan.Downloader.ISTBar
Trojan.Downloader.Elitebar.z
Trojan.Downloader.Sahat.o/.i
Trojan.Downloader.Agent/.ex/.hc/.kp/.ji
Trojan.Downloader.WebP2PInstaller
Trojan.Downloader.Small/.amg/.ahg
Trojan.Spy.Qukart.s
Spyware.Hijacker.Generic
Spyware.Sidefind
Backdoor.rBot/.rad/.avd
Backdoor.wootbot
Backdoor.sdbot
Dialer.Generic
Dialer.15.an
Dropper.Juntador.ad
Worm.Padobot.v
Trojan.colleted.z
A total of 43 malware (.. I manually delete ALL cookies and move the TIF, Windows TEMP and user/localfiles/Temp files before getting too damned involved.. scan them later as a final check before giving the all clear). This is a count of the malware involved, not the total number of files.., after an automated cleaning by Ad-Aware under Bart.. AboutBuster and a handful of scripted tools were a monstrous help.
It may have been a financial waste of time.. but I have played with a few new tools as well as learnt a skill or 2 that I hope will be useful more often.. (I hope)
I hope more to come..
-
April 7th, 2005, 08:50 AM
#7
Closed..
Formatted and clean installed.. SP2'd it, FF, Sdd block Hosts, removed un-needed services, installed Trend PC-cillin, Spybot S&D with TeaTimer, ....... time's up.. Next