Hijack This Log...

Dear all,

I have been a long time lurker on these forums (fora?) and have been constantly impressed by the quality of the advice given.

I consider myself to be fairly well protected (firewall, AV, AT and antispyware scanners and guards).

Some slightly unusual behaviour (by my computer not by me!) has prompted me to post my Hijack This log however... - Blue Screen of Death for no apparent reason - complete system lockup at unexpected times - etc. etc..

So if any of you Guru's could pass you expert eye over my log and see if there is anything untoward buried there I would be very grateful.

Many Thanks and Best regards

Mark S.

Logfile of HijackThis v1.97.7
Scan saved at 18:18:57, on 24/01/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\EVNTSVC.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.7\THGUARD.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\UTILS\SECCOPY\SECCOPY.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\PGP\PGPTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\GHOSTSURF\GHOSTSURF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Gateway Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\SYSTEM\IETie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [SystemTray] SysTray.ExE
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.7\THGUARD.EXE"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRAM FILES\UTILS\SECCOPY\SECCOPY.EXE"
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPTray.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - User Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPTray.exe
O4 - User Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - User Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O4 - User Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - User Startup: GhostSurf.lnk = C:\Program Files\GhostSurf\GhostSurf.exe
O4 - User Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O8 - Extra context menu item: Block this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.blockimg.html
O8 - Extra context menu item: Allow this advertisement - file://C:\PROGRAM FILES\GHOSTSURF\menu.allowimg.html
O8 - Extra context menu item: Block popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.block.html
O8 - Extra context menu item: Allow popups on this site - file://C:\PROGRAM FILES\GHOSTSURF\popup.allow.html
O8 - Extra context menu item: Block personal info from this site - file://C:\PROGRAM FILES\GHOSTSURF\info.block.html
O8 - Extra context menu item: Allow personal info to reach this site - file://C:\PROGRAM FILES\GHOSTSURF\info.allow.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: GhostSurf Privacy Center (HKLM)
O9 - Extra 'Tools' menuitem: GhostSurf Privacy Center (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} (MSN Chat Control 4.0) - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020124/qtinstall.info.apple.com/qt505/uk/win/QuickTimeInstaller.exe
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! WebCam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://62.39.141.135/tools/FlipsideWebLauncherControl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2002092801/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {E522120B-0CF2-4C26-A8EA-50A7591F10F1} (blueyonder Game Launcher Control) - http://gaming.blueyonder.co.uk/activex/launcher.ocx
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://sc.communities.msn.com/controls/chat/msnchat42.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
O16 - DPF: ConferenceRoom Java Client - http://irc4.bondage.com:8080/java/cr.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37865.4625
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft.com/downloads/outc.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab

 

Hi Arthur Dent,

Welcome at Wilders.

I hate to disappoint you after your friendly words, but all I could find was one tiny dialer:
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
that never got a chance to do anything if you use SpywareBlaster.

Did you write down the error reports on the Blue Screen?

You do have quite a few unnecessary programs starting up. Check the items listed as O4 against this list http://www.sysinfo.org/startuplist.php to see which ones you like to keep.

To save you some work I have listed the ones I thought were superfluous:

O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

O4 - HKCU\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPTray.exe

O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
-EPSON Status Monitor 3 Environment Check (E_SRCV03.EXE)

O4 - User Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - User Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGP\PGPTray.exe

O4 - User Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

O4 - User Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
-EPSON Status Monitor 3 Environment Check (E_SRCV03.EXE)

Since your needs for having programs handy is very likely different from mine, check out what they are for and then decide.

Regards,

Pieter

 

Hi Pieter,

Thanks for your speedy and, as ever, helpful reply.

I do use SpywareBlaster (but I only installed it a couple of weeks ago). I do however regularly run both Spybot S&D and Adaware 6. Why did neither of those remove that dialler?

Can I remove it with Hijack This?

Unfortunatley I did not record any details from the Blue Screen(s). If it happens again I will do so. I guess this weird behaviour is nothing to do with malware but just a flaky system?

If that's the case I suppose any further discussion would be Off Topic here. Do you know of any useful diagnostic tools and/or other similarly helpful forums where I might try to sort out the problem?

I will look again at my startup items - I do have a startup manager - but I do use most of those programs fairly frequently (except for the Real Update which is a pain in the ar**!)

Thanks again for your help and advice...

Best Regards

Mark S.

 

As soon as a problems is adressed, anything related is not off-topic, so don't worry about that.

We'll have to take it from the error report.
It could be a hardware problem or a driver acting up.

You can use HijackThis to remove that ActiveX element, or remove it manually from your Downloaded Program Files folder. Whichever you prefer.
It never got a chance to install, I guess.

Regards,

Pieter

 

Hi Pieter,

I've just been Blue-Screened again...

The apps I had open at the time were Agenet Newsreader (Just started downloading some files from a NG), Outlook Express and IE 6 (both idle). I wanted to open up Windows Explorer and clicked on its icon and BAM...

"A fatal exception 0D has occured at 0028:C1510000 in VXD DCR(01) + 00052450. The current application will be terminated." .... You know the rest...

Pressing a key allowed me to recover from the Blue Screen and the the download in Agent then continued. Each attempt to launch Windows Explorer produced an identical result (Blue Screen of Death - same error message).

Any ideas where I should begin? - I am reasonably PC literate but at an application level - NOT at the deep-down dirty techie under-the-bonnet stuff so you might have to explain things in words of one syllable

Thanks for you help...

Mark S

 

Please backup your registry before trying this.

Start > Run > regedit > OK
Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD
and see if there is a entry referring to dcr in the right hand pane.
If so rightclick it and delete that entry.

It may take a reboot for the changes to take effect.

Regards,

Pieter

 

Hi Pieter,

The only thing in that branch of the registry is "Default - Value not set".

Is that good or bad?

Mark S

 

That is neither good or bad, but it doesn't help much.

I'll have to do some more research.

Regards,

Pieter

 

Hi Pieter,

Another Blue-Screen episode this morning. This time the details are as follows:

Open programs - only IE6 and Outlook express. Both idle. in fact I went out of the room for c. 5 minutes to talk to my wife (receive orders ) )and when I came back there was a blue screen waiting for me.

"A fatal exception 0D has occured at 0028:C186B754 in VDHCP(03) + 00007664. The current application will be terminated." ....

I wonder if some process kicked off while I was away from the PC - perhaps OE checking for new mail or Windows Update running

Pressing a key allowed me to return to either of the programs as normal - but when I tried to access a .rtf file on the website I was looking at IE6 locked up.

I CRTL-ALT-DEL'd out of IE6 and thought that it would be a good idea to restart.

Shutting down proceeded normally for a while and then Blue-Screened, this time the message was:

"A fatal exception 0E has occured at 0028:C001545A . The current application will be Closed."

There was no way back from this one. Even CTRL-ALT-DEL didn't work. The only option was the Big Red Button.

I don't know if this gives you any further clues or just muddies the waters...

I do appreciate you trying to help on this - esspecially as we are way off topic here!

Thanks again

Mark S

 

A few KB artiocles that might help you:

http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q177/5/25.ASP&NoWebContent=1

http://support.microsoft.com/default.aspx?kbid=150314&product=w98

Regards,

Pieter

 

Hi Pieter,

Thanks for the info. As far as I could tell there were no exact matches of the errors I have been receiving in the knowledge base. It is also, I have to say, a little bit too "techie" for me...

One thing I did spot however was a suggestion to use System File Checker tool in the MS System Information application. I never even knew this existed.

I ran it and it came up with 2 errors - user.exe and setupx.dll which it said were corrupted. I did not allow the tool to fix them however and went and did a quick Internet search first. Now I found quite a few articles that said that problems with user.exe had caused the system to fail to boot at all and had necessitated a complete re-installation of Windows - NOT something I feel like doing this weekend!

I am naturally a little hesitant about replacing these files. What do you think?

Thanks again (yet again)

Mark S

 

You can let the System File Checker replace the files, without expecting any problems.

It will certainly not make things worse.

Regards,

Pieter

 

Well I did it...

I made sure I had a DOS boot disk to hand and placed backups of those two files in an easy-to-find (in DOS) directory, took a deep breath and pressed the button.

Rooted - no problem... Shut down, rebooted again - stiil all fine. Shut down went to bed. Woke up this morning, checked mail - shut down. Booted up this afternoon, went to put the kettle on while it was booting and came back to... - yep you guessed it... another Blue Screen!

Terminating thread due to a stack overflow problem. A VxD, possibly recently installed, has consumed too much stack space. Increase the settings of 'MinSPs' in SYSTEM.INI or remove recently installed VxD's. There are currently 5 SPs allocated. Press any key to continue.

Now, I haven't installed anything - I've told you *everything* i've done. I do, however remember seeing that exact same message a few weeks ago just after I *had* istalled something - I can't remember what - It could have been Trojan Hunter or it could have been Ghostsurf. Even on that occasion I ignored the message rebooted and never saw it again - until today.

From the Blue Screen today, one key press resulted in the same Blue Screen, the next returned me to my normal desktop. I re-booted and here I am - ererything fine... (or is it?)


What are VxD's? What are SPs? Is 5 too many? Too few?

Sigh...

Any ideas? - Anybody?

Best Regards

Mark S

 

Now we are getting somewhere. I think
Try this:
http://www.experts-exchange.com/Operating_Systems/Win98/Q_20247780.html

or this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;145799

Regards,

Pieter

 

Hi Pieter,

Firstly, many thanks for your continuing patience!

The Microsoft article says...

"The Config.sys startup file may not be properly configured for the Windows installation. Use the following values:
STACKS=64,512 ;(this is the maximum allowed)
FILES=60
BUFFERS=40 "

But here is my Config.sys file - in its *entirety*:

DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE
REM [Header]
REM == PISETUP Begin Delete ==
REM == PISETUP End Delete ==

REM [CD-ROM Drive]

REM [Miscellaneous]

REM [SCSI Controllers]

REM [Display]

REM [Sound, MIDI, or Video Capture Card]

REM [Mouse]
REM ------------------
device=c:\windows\COMMAND\display.sys con=(ega,,1)
Country=044,850,c:\windows\COMMAND\country.sys

... not much there... I haven't knowingly changed anything in there since I bought the system - but the file date is 09/11/03 (UK format).

Should I add those lines?


Secondly,
the "Experts Exchange" folks want me to register in order to get their solution. Are they on the good guy's side? Do I need to use a throwaway email address to register to avoid a mailbox full of spam or can I use my real address?

Thanks Pieter - I reall do appreciate your help.

Mark S

 

Hello---I am by no means an expert but had a similar problem after getting a Nachi and MsBlast trojan. I had to download a security update from microsoft to keep from a reoccurence.

 

This is the short version of their solution:

Go to start-run, type "sysedit" without the quotation mark and OK to open the System Configuration Editor. Select the system.ini window.

Go to the section and add the following line to the [386Enh] section of the System.ini file.

[386Enh]
MinSPs=12

Save the system.ini. Exit the System Configuration Editor and restart the computer.

If the problem persists, increase the number of spare stack pages in increments
of 4 (for example 12, 16, 32, 64).

Regards,

Pieter

 

Thanks Pieter,

I'll give it a go...

Do you think I should also add the

STACKS=64,512
FILES=60
BUFFERS=40 "

lines to my config.sys file? What effect would that have?

Thanks (yet) again!

Mark S

 

Try the solution from Experts Exchange first.

Some more information about what you can change in config.sys and what it all means can be found here:
http://www.winguides.com/registry/category.php?204

Regards,

Pieter