HijackThis - can anyone examine this log?
mastercorm
Member Posts: 64 ■■□□□□□□□□
in Off-Topic
Here is the logfile I used for HijackThis to search my computer. I think I got a virus cuz I got a BSOD KERNEL_STACK_INPAGE_ERROR.
Either that or it's my RAM, but I downloaded a photo editing software, so I'd suspect a virus first, cuz it's intermittent, and half the time doesn't detect my HDD when I boot, so I think it's messing with my BIOS settings. I'm pissed too, cuz I scanned the thing with CA antivirus before I installed it and it didn't pick up anything.
Logfile of HijackThis v1.99.1
Scan saved at 12:19:28 PM, on 3/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\BrmfBAgS.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservices.passport.net/reg.srf?xpwiz=true&lc=1033&fid=RegXPWizCredOnly
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\System32\BrmfBAgS.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
As far as this log goes, O8 and O9 look incredibly suspicious to me, but I'm not an expert in this stuff, so I can't say for sure. So does O2 - BHO, no name. Any help would be appreciated.
Working towards MCSE w/Security, then CCNA, then CCSP, and, eventually CISSP
Comments
-
JDMurray Admin Posts: 13,089 Admin
Here is the link to the Security Cleanup FAQ from DSLReports.com. Follow the instructions for cleaning your system. Step 3 gives instructions for submitting a HijackThis log file to the DSLReports Security Cleanup forum. Those guys are the best for helping interpret these logs.
-
sprkymrk Member Posts: 4,884 ■■■□□□□□□□
It actually all looks legit to me.
O2 - BHO looks like you at one time (or currently) had Spybot Search and Destroy installed.
The Microsoft ones look legit too with Office. I'd guess you're having software conflict issues or maybe as you mentioned bad RAM or even a hard drive.
http://support.microsoft.com/kb/315266
http://msdn2.microsoft.com/en-us/library/ms794027.aspx
All things are possible, only believe. -
mastercorm Member Posts: 64 ■■□□□□□□□□
Yes, I have Spybot S&D on there. I doubt it's the HDD, as it's only 3 months old. The RAM is a possibility though. If it keeps up, I'll switch modules and see if that takes care of it.
Working towards MCSE w/Security, then CCNA, then CCSP, and, eventually CISSP
-
KGhaleon Member Posts: 1,346 ■■■■□□□□□□
The running processes look legit, but I haven't looked at the startup stuff. Go into Control Panel, Administrative Tools and Event Viewer, and look for disk errors in your System log.
I would try taking one RAM stick out at a time or use a diagnostic utility (Memtest, Windows Memory Diagnostic, etc). I see you have an interesting antivirus service running... CA Internet Security Suite, perhaps try disabling it? Also look at Task Manager for anything that might be consuming a lot of system resources.
Going into msconfig and cleaning the startup is always a good thing to take care of.
KG
Present goals: MCAS, MCSA, 70-680 -
mastercorm Member Posts: 64 ■■□□□□□□□□
This is the only error in Event Viewer:
The Computer Browser service depends on the Server service which failed to start because of the following error:
The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I tried switching RAM sticks, and had the same results.
I just noticed a checkbox in startup though; it was checked, but had no description or anything. Just turned it off, so I'll see if that helps.
Working towards MCSE w/Security, then CCNA, then CCSP, and, eventually CISSP -
Sie Member Posts: 1,195
Can you go to Task Manager: Processes > View > Select Columns and choose PID.
Next run tasklist /svc from command line compare the two and post any services (most likely svchost's) that look a bit 'odd'.
Also, what's causing you to be worried? What did you spot? What happened?
Foolproof systems don't take into account the ingenuity of fools -
mastercorm Member Posts: 64 ■■□□□□□□□□
Well, in startup, there's a checkbox, but then no command or item. It only says it's located in windows\currentversion\run.
There's one SVCHOST in command that says: LMHOSTS, remote registry, SSDPSRV, webclient.
The other one is a DNS cache.
Working towards MCSE w/Security, then CCNA, then CCSP, and, eventually CISSP -
Sie Member Posts: 1,195
If there's no command, can't hurt disabling it? After all, you can re-enable it if needed. LMHOSTS and HOSTS file can be infected by viruses, so check these for strange entries.
Is it a secondary HDD or primary thats causing problems??
SSDPSRV is pre Win ME though for PnP...... What are you running??
Foolproof systems don't take into account the ingenuity of fools -
Kaminsky Member Posts: 1,235
Or it may be hidden.
Get friendly with
LOCAL_MACHINE/Software/Microsoft/Software/CurrentVersion/{Run|RunOnce|RunOnceEx}
and
CURRENT_USER/<same path>
Things in here run before control of the pc is handed to you on bootup.
Learn what should be in these keys and you will know when something that shouldn't pops up.
svchost.exe is one of the biggest targets for newbie hackers so look for svchosts especially if they are not underneath the windows directory.
Also, if you can, stay away from messenger services like MSN, Yahoo, etc. They are just not worth it considering the doors they open up coming back in your PC and how widely known these exploits are.
Kam. -
mastercorm Member Posts: 64 ■■□□□□□□□□
I'm running XP Pro. And yes, I don't use messenger services. I'm pretty good when it comes to keeping my computer clean and not giving hackers loopholes. I'm pretty sure it was caused by that damn photo editor... Vicmans it was called. And I'm pissed that my AV didn't catch it. There is no secondary HDD though. And the HDD I have is only 3 months old and has had no trouble so far.
Working towards MCSE w/Security, then CCNA, then CCSP, and, eventually CISSP
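Added example (not code from any poster in this thread): a small Python triage script that applies the checks Sie and Kaminsky describe to HijackThis log lines, flagging svchost.exe instances outside the Windows directory, autostart (O4 Run-key) entries with no command like the empty startup checkbox mastercorm found, and unnamed BHOs for manual review. The sample lines are taken from the log above except for the two flagged entries, which are constructed for the demo.

```python
import re

WINDOWS_DIR = r"c:\windows"

# Constructed sample: lines from the HijackThis log above, plus two constructed
# entries (a svchost.exe outside the Windows dir and an O4 entry with no command).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA Internet Security Suite\cctray\cctray.exe
C:\Documents and Settings\user\svchost.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: []
"""

def is_under_windows(path):
    """True if the path sits below C:\\WINDOWS (case-insensitive)."""
    return path.lower().startswith(WINDOWS_DIR + "\\")

def triage(log_text):
    """Return a list of (reason, line) findings using the thread's heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Running-process line (bare path): svchost.exe should live under
        # the Windows directory; anything else is worth a look.
        if re.match(r"^[a-z]:\\", line, re.I):
            if line.lower().endswith("\\svchost.exe") and not is_under_windows(line):
                findings.append(("svchost outside Windows dir", line))
            continue
        # O4 Run/RunOnce entries: hive, key, entry name, command.
        m = re.match(r"^O4 - (HK[A-Z]{2})\\\.\.\\(\w+): \[(.*?)\]\s*(.*)$", line)
        if m:
            hive, key, name, cmd = m.groups()
            if not cmd.strip():
                findings.append(("autostart entry with no command", line))
            elif "svchost.exe" in cmd.lower() and not is_under_windows(cmd.strip('"')):
                findings.append(("autostart launches svchost outside Windows dir", line))
            continue
        # Unnamed BHO: not malicious by itself (Spybot's SDHelper.dll shows
        # this way), so report it for a manual check of the DLL path.
        if line.startswith("O2 - BHO: (no name)"):
            findings.append(("unnamed BHO (verify the DLL)", line))
    return findings

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```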
-
KGhaleon Member Posts: 1,346 ■■■■□□□□□□
I thought tasklist wasn't available on all versions of XP?
You can download it here:
http://www.computerhope.com/download/winxp.htm
KG
Present goals: MCAS, MCSA, 70-680 -
mastercorm Member Posts: 64 ■■□□□□□□□□
I have it on mine. Not exactly sure what I should be looking at though. There's so many processes, and I'm not too familiar with a bunch of 'em. What certification would help me to learn all those, anyway? One of the Microsoft ones?
Working towards MCSE w/Security, then CCNA, then CCSP, and, eventually CISSP
-
mastercorm Member Posts: 64 ■■□□□□□□□□
Well, not sure if this fixed it or not until I reboot, but my anti-virus finally just picked up a virus called HTML/PHISHBANK.TH and deleted it. I had the computer installing SP1 while I was at school, so maybe it needed new security features to pick it up.
Working towards MCSE w/Security, then CCNA, then CCSP, and, eventually CISSP
-
KGhaleon Member Posts: 1,346 ■■■■□□□□□□
You should download and have Avast! antivirus do a boot scan; also try an online virus scan such as BitDefender.
KG
Present goals: MCAS, MCSA, 70-680 -
mastercorm Member Posts: 64 ■■□□□□□□□□
I did that this morning, ran a new HijackThis log, then rebooted to safe mode and used AVG antivirus and ATF Cleaner. All they got was a few tracking cookies, and I booted fine this morning without any trouble, so I think it looks good so far.
Working towards MCSE w/Security, then CCNA, then CCSP, and, eventually CISSP