HijackThis log - can someone please examine this


10 replies to this topic

#1 Corm

    New Member

  • 6 posts
  • Interests:Music, Computers, Girls, Playing Pool, Girls

Posted 05 March 2007 - 11:42 AM

I just downloaded photo editing software and scanned it with CA antivirus, and it showed up negative. However, after installing it I immediately noticed a tremendous slowdown, and this morning I got a BSOD:
KERNEL_STACK_INPAGE_ERROR
It could be my RAM, but I'd suspect a virus first. None of my anti-spyware or antivirus programs picked it up; I used Ad-Aware, Spybot S&D, and CA. Also, upon booting, it wasn't detecting my HDD (which is only 3 months old). I think it messed with my BIOS settings as well, because I can still boot intermittently. Figured I'd run HijackThis and let someone take a look at it. I'm not an expert in it, but I'd say items O8 and O9 look quite suspicious. There was also an O4, no-name BHO object that I removed upon an initial scan.

Logfile of HijackThis v1.99.1
Scan saved at 12:37:15 PM, on 3/5/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\BrmfBAgS.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservi...egXPWizCredOnly
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\System32\BrmfBAgS.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
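Reading a HijackThis log by eye, as the helpers in this thread do, comes down to a few questions about each autostart item: does the entry have a name, does its file live where a legitimate program would (under Windows or Program Files), does it borrow a system process name such as svchost.exe from a directory where no system binary lives, and does a service carry a vendor string. The script below is an added example, not code from the thread, from HijackThis or from its authors. It parses HJT 1.99.1-style O2/O4/O8/O23 lines and applies those checks. The sample log is constructed: six lines are copied from the first log above, and the last line is a made-up suspicious O4 entry (a nameless Run value launching svchost.exe from a Temp directory), which does not appear in any posted log, so the checks have something to fire on. The check rules themselves are this example's heuristics, not HijackThis's.

```python
"""Triage a HijackThis (HJT 1.99.1) log: parse autostart items and flag
the ones a reviewer would look at first. Added example; not part of the
original thread, HijackThis, or any CA/AVG tool."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six lines copied from the first log posted above plus
# one made-up suspicious entry (the last line) so the checks have a hit.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O4 - HKCU\..\Run: [] C:\DOCUME~1\andy\LOCALS~1\Temp\svchost.exe
"""

ITEM_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?)(?: \([^)]+\))? - (?P<company>.+?) - (?P<cmd>.+)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|sys|com)\b", re.IGNORECASE)

# Heuristic allow/deny lists (this example's choices, not HJT's).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
PROFILE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\application data\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "smss.exe", "csrss.exe",
                "winlogon.exe", "services.exe", "explorer.exe"}


@dataclass
class Entry:
    kind: str                      # HJT section, e.g. O4, O23
    raw: str                       # the original log line
    name: Optional[str] = None     # Run value name, startup link, or service display name
    company: Optional[str] = None  # vendor string (O23 only)
    path: Optional[str] = None     # executable/DLL path extracted from the line


def extract_path(cmd: str) -> Optional[str]:
    """Return the binary path from a command string, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 1:
            return cmd[1:end]
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT item line into an Entry; header and process lines yield None."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    entry = Entry(kind=kind, raw=line.strip())
    if kind == "O4":
        r = O4_RUN_RE.match(body) or O4_STARTUP_RE.match(body)
        if r:
            entry.name = r.group("name")
            entry.path = extract_path(r.group("cmd"))
            return entry
    elif kind == "O23":
        s = O23_RE.match(body)
        if s:
            entry.name, entry.company = s.group("name"), s.group("company")
            entry.path = extract_path(s.group("cmd"))
            return entry
    entry.path = extract_path(body)   # O2, O3, O8, O9, ...: just pull the path
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def flag_entry(e: Entry) -> List[str]:
    """Checks a reviewer applies by eye; an empty list means 'looks ordinary'."""
    reasons: List[str] = []
    p = (e.path or "").lower()
    filename = p.rsplit("\\", 1)[-1]
    if e.kind == "O4" and e.name is not None and not e.name.strip():
        reasons.append("autostart entry has no name")
    if p and not p.startswith(TRUSTED_ROOTS):
        reasons.append("runs from outside Windows or Program Files")
    if any(marker in p for marker in PROFILE_MARKERS):
        reasons.append("runs from a user profile or Temp directory")
    if filename in SYSTEM_NAMES and not p.startswith("c:\\windows\\"):
        reasons.append(f"{filename} outside the Windows directory (name mimics a system process)")
    if e.kind == "O23" and (e.company or "").lower().startswith("unknown"):
        reasons.append("service has no vendor name")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for e in parse_log(text):
        reasons = flag_entry(e)
        if reasons:
            flagged[e.raw] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

Run stand-alone, it prints only the constructed last line with its four reasons; the six entries copied from the posted log produce no flags under these checks. The rules are deliberately narrow: they will not catch a trojan that installs itself under Program Files with a plausible vendor string, which is why the helpers here still ask for scanner reports alongside the log.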



#2 dan12

    Advanced Member

  • Authentic Member
  • 998 posts
  • Interests:Horse riding, computer's

Posted 05 March 2007 - 02:02 PM

Hi Corm, and welcome to Tom Coyote forums

I am currently looking over your log. As I am an Undergraduate, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Thanks for your patience!
dan

#3 Corm

    New Member

  • 6 posts
  • Interests:Music, Computers, Girls, Playing Pool, Girls

Posted 05 March 2007 - 02:19 PM

Thank you. Since the last post, I've tried switching out RAM modules, but same thing. Every time I boot, it says '2nd hard drive not found'; then, once I hit F2 to go into BIOS and hit ESC out of it without making changes, it loads up. I think something got written there, possibly. I went into startup as well and disabled a check box that had no description; however, it wrote itself back when I rebooted.

#4 dan12

    Advanced Member

  • Authentic Member
  • 998 posts
  • Interests:Horse riding, computer's

Posted 05 March 2007 - 03:23 PM

Hi, Corm,

Update your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here: http://www.softwarep...s/winxpsp1.html
Do not install Service Pack 2 until I tell you it's OK to do so.

please post a fresh HJT log
Thanks dan

#5 Corm

    New Member

  • 6 posts
  • Interests:Music, Computers, Girls, Playing Pool, Girls

Posted 05 March 2007 - 03:55 PM

Downloading it now. It won't be done until I'm back from school, which is around 10:00 PM, so I'll sign back on around then, update to it, and then wait to hear back.

#6 Corm

    New Member

  • 6 posts
  • Interests:Music, Computers, Girls, Playing Pool, Girls

Posted 05 March 2007 - 09:32 PM

OK, here's the new log. (Also, anyone know a quick way to view my prior posts so I can find this topic easier?)


Logfile of HijackThis v1.99.1
Scan saved at 10:21:54 PM, on 3/5/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\BrmfBAgS.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://accountservi...egXPWizCredOnly
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA Internet Security Suite\CA Anti-Spam\QSP-5.0.419.0\QOELoader.exe"
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\System32\BrmfBAgS.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

#7 dan12

    Advanced Member

  • Authentic Member
  • 998 posts
  • Interests:Horse riding, computer's

Posted 06 March 2007 - 10:26 AM

Hi Corm

"Also, anyone know a quick way to view my prior posts so I can find this topic easier?"

Right click and bookmark the topic

Download ATF Cleaner by Atribune and save it to your Desktop.
Do not use yet!

Ewido is now known as AVG Anti-Spyware.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Don't use yet!

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.


5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.
____________________

Re-boot into safe mode

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear. Use the up arrow to highlight and select the first option, to run Windows in Safe Mode, then hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE
Run ATF cleaner
  • Double click ATF-Cleaner.exe to run the program.
  • Check the following boxes:
    • Windows Temp
    • Current User Temp
    • All Users Temp
    • Temporary Internet Files
    • Prefetch
    • Recycle Bin
    • Java Cache
  • The rest are optional - if you want to remove the lot, check Select All.
  • Now click Empty Selected.
  • When you get the Done Cleaning message, click OK.
  • If you use Firefox browser.
    • Click Firefox at the top and choose: Select All
    • If you would like to keep your saved passwords, please click No at the prompt.
    • Click the Empty Selected button.
  • If you use Opera browser.
    • Click Opera at the top and choose: Select All
    • If you would like to keep your saved passwords, please click No at the prompt.
    • Click the Empty Selected button.

Run AVG Anti-Spyware

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)

  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
____________

please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (If available otherwise Standard)
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.

Please include new HJT log, AVG Anti-Spyware log and kaspersky log
in your next post
Thanks dan

#8 Corm

    New Member

  • 6 posts
  • Interests:Music, Computers, Girls, Playing Pool, Girls

Posted 06 March 2007 - 12:17 PM

Here's the uninstall list from HijackThis:

3ivx D4 4.5.1 (remove only)
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Reader 8
AIM 6.0
Audio Converter
AVG Anti-Spyware 7.5
Brother MFL-Pro Suite
CA Internet Security Suite
CA Pest Patrol Realtime Protection
Canon Camera Window for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities File Viewer Utility 1.3
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
HijackThis 1.99.1
LabConnection
Microsoft .NET Framework 2.0
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5.0.10)
RealPlayer
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Service Pack 1a

Here's the report from AVG after it was cleaned:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:01:25 PM 3/6/2007
+ Scan result:
:mozilla.32:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.33:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.34:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.37:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.39:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.10:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.44:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.45:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.63:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.31:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.35:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.40:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.41:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.42:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.43:C:\Documents and Settings\andy\Application Data\Mozilla\Firefox\Profiles\9m7x26e1.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
::Report end

Nothing turned up, but when I updated to SP1 last night, my AV found something called HTML/PHISHBANK.TH and deleted it. I think that might've been causing the trouble. Also, I went into BIOS and disabled the 2nd HDD (as I don't have one) and now it's fine. I might have accidentally changed that the first time it didn't boot right.

#9 dan12

    Advanced Member

  • Authentic Member
  • 998 posts
  • Interests:Horse riding, computer's

Posted 12 March 2007 - 08:40 AM

Hi, Corm, my apologies for the delay; for some reason I didn't get notified of your post. Back with you shortly. dan

#10 dan12

    Advanced Member

  • Authentic Member
  • 998 posts
  • Interests:Horse riding, computer's

Posted 12 March 2007 - 08:44 AM

As it's been a few days since I saw your last log, can you post me a new HJT log and the Kaspersky scan I asked for? That may be where the delay has come from, because I was waiting for the Kaspersky scan to come back. Thanks dan

#11 little eagle

    spyware hawk

  • Visiting Fellow
  • 8,968 posts
  • Interests:spyware

Posted 25 March 2007 - 10:14 AM

Due to a lack of a response this topic is now closed.

If you wish it reopened, please send us an email (Click for address) with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

To help keep your PC clean follow the recommendations here by shelf life.
