#1
hijack this file
Hi there,
k, here's what's going on; i've successfully run norton, spybot, and have spywareblaster installed. Ad-aware will not complete a scan for some reason. i've tried to restart in safe mode, but it won't go. it just loops, and a screen pops up saying something to the extent of 'beginning dump of physical memory'. any restart causes this, and will not allow me back into windows until i do 'last known good configuration'. i ran hijack this, and this is what the log said.
Code:
Logfile of HijackThis v1.99.1
Scan saved at 10:53:31 AM, on 6/17/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\savedump.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.graphixplus.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5E3288-9DC9-4514-96F2-F37ED5E1BA2F}: NameServer = 206.48.122.8,206.48.122.2
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
any help you can offer is greatly appreciated.
__________________
if i've been helpful, please add to my reputation. http://www.gpwebsolutions.com my band's myspace site

#2
Did you try searching any file names that you did not recognize on a site such as symantec.com?

#3
it's actually not from my system, so i'm not entirely sure what's supposed to be there and what isn't...i figured there'd be a couple files that raised some flags with the experienced folks in here.
i'll do some more research tho! thanks.

#4
hi ran_dizolph
I had a quick glance through your log, and you do not seem to have any traces of malware. If windows is dumping memory contents that means the system has crashed. It will usually create a memory log and dump file, which is actually useless to anybody but a microsoft technician. I think your problem has its roots in windows system files being corrupt, or faulty drivers or some other kind of windows fault. Does not seem to be malware. But it is not possible to be conclusive. maybe somebody else will find something i missed in your log. Please keep checking this thread over the next few days. Right now i recommend you run this command from the run prompt. "sfc /scannow". it will check all the important windows system files. you will need the windows install cd in the cd tray for this. (i can't remember if this command exists for win2000, but i think it does) Try to reboot into safe mode after this. Can you give us any information on the system prior to this problem? any recent installs, or system wide changes?
__________________
Nigel ..Seeking code free nirvana... Nigel Fernandes Blog Never argue with fools. They will bring you down to their level and beat you with experience. Manchester United Forever
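
The log review discussed in posts #2 and #4, as an added example that is not part of the original thread: a small Python parser that splits a HijackThis log into its running-process list and its section-coded entries, then pulls out the file names worth looking up and the DNS servers recorded under O17. The function names `parse_hjt`, `names_to_research` and `nameservers` are hypothetical, the extension list is an assumption, and the sample input is a handful of lines taken from the log posted above.

```python
import re
from collections import defaultdict

# Sample input: a few lines excerpted from the log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\system32\svchost.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.graphixplus.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E5E3288-9DC9-4514-96F2-F37ED5E1BA2F}: NameServer = 206.48.122.8,206.48.122.2
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")   # e.g. "O4 - HKLM\..\Run: ..."
FILE = re.compile(r"[^\\/\s\]]+\.(?:exe|dll|ocx|cab)\b", re.I)  # assumed extension list

def parse_hjt(text):
    """Split a log into the process list and entries grouped by section code."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False                      # process list ends at first entry
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return {"processes": processes, "entries": dict(entries)}

def names_to_research(parsed):
    """Unique, lower-cased file names from processes and entries, for manual lookup."""
    lines = parsed["processes"] + [e for v in parsed["entries"].values() for e in v]
    return sorted({n.lower() for line in lines for n in FILE.findall(line)})

def nameservers(parsed):
    """DNS servers listed in O17 entries, to compare against the expected resolvers."""
    out = []
    for entry in parsed["entries"].get("O17", []):
        if "NameServer = " in entry:
            out += entry.split("NameServer = ", 1)[1].split(",")
    return out
```
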

#5
Thanks for the help!
As far as I know, there haven't been any changes or updates to the system as of late. I'll try running the 'scannow' command and see what it comes up with. Thank you!

#6
well, i couldn't even get back into windows after a restart...so she's goin' to the shop!
thanks anyway!

#7
As your problem has been solved, this thread will now be closed. If you need the thread reopened in the future, please PM a mod.
Thanks, Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!