
am I being attacked?

Discussion in 'Virus & Other Malware Removal' started by wunderfly, Sep 22, 2003.

Thread Status:
Not open for further replies.
  1. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    I'm using a P3 1GHz with 786RAM, running Windows 2000 Pro with all critical updates and SP4.

    When I came home from work my computer was off. It had been on when I left for work... thought maybe the power went out while I was at work. When I turned it on everything was fine. I continued as usual... installed a visual production program (resolume)... left to walk the dog and came back to a blue screen.

    "STOP... 0x 1E (0x 05, 0x 0, 0x 0, 0x 0, 0x 0) KMODE_EXCEPTION_NOT_HANDLED"

    (blue screens happen a lot)

    I restarted, got another blue stop error that included "config_initialization_failed"

    restarted in safe mode... blue screen... restarted... blue screen... turned it off. left it off for about 20 min. turned it on and started up fine.

    went to Admin Tools and took a look at the system log...

    I last touched my computer just before 7:30 AM:

    Event Type: Error
    Event Source: Rasman
    Event Category: None
    Event ID: 20035
    Date: 22/09/2003
    Time: 7:18:45 AM
    User: N/A
    Description:
    Remote Access Connection Manager failed to start because it could not create buffers. Restart the computer. Access is denied.

    Data:
    0000: 05 00 00 00 ....

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: 22/09/2003
    Time: 7:18:45 AM
    User: N/A
    Description:
    The Remote Access Connection Manager service terminated with the following error:
    Access is denied.


    no events till I got home at 5:00

    Event Type: Information
    Event Source: EventLog
    Event Category: None
    Event ID: 6005
    Date: 22/09/2003
    Time: 4:54:33 PM
    User: N/A
    Description:
    The Event log service was started.

    Event Type: Information
    Event Source: EventLog
    Event Category: None
    Event ID: 6009
    Date: 22/09/2003
    Time: 4:54:33 PM
    User: N/A
    Description:
    Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 4 Uniprocessor Free.

    Event Type: Information
    Event Source: Ati HotKey Poller
    Event Category: None
    Event ID: 105
    Date: 22/09/2003
    Time: 4:54:36 PM
    User: N/A
    Description:
    The service was started.

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: 22/09/2003
    Time: 4:54:38 PM
    User: N/A
    Description:
    The IPSEC Policy Agent service terminated with the following error:
    The specified module could not be found.

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7026
    Date: 22/09/2003
    Time: 4:54:52 PM
    User: N/A
    Description:
    The following boot-start or system-start driver(s) failed to load:
    Imagedrv

    Event Type: Warning
    Event Source: SNMP
    Event Category: None
    Event ID: 1101
    Date: 22/09/2003
    Time: 4:54:53 PM
    User: N/A
    Description:
    The SNMP Service is ignoring extension agent key SOFTWARE\Microsoft\IPXMibAgent\CurrentVersion because it is missing or misconfigured.
    Data:
    0000: 02 00 00 00 ....

    Event Type: Information
    Event Source: SNMP
    Event Category: None
    Event ID: 1001
    Date: 22/09/2003
    Time: 4:54:53 PM
    User: N/A
    Description:
    The SNMP Service has started successfully.

    Event Type: Error
    Event Source: Rasman
    Event Category: None
    Event ID: 20063
    Date: 22/09/2003
    Time: 4:55:33 PM
    User: N/A
    Description:
    Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified module could not be found.

    Data:
    0000: 7e 00 00 00 ~...

    Event Type: Error
    Event Source: Rasman
    Event Category: None
    Event ID: 20035
    Date: 22/09/2003
    Time: 4:55:33 PM
    User: N/A
    Description:
    Remote Access Connection Manager failed to start because it could not create buffers. Restart the computer. Access is denied.

    Data:
    0000: 05 00 00 00 ....

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7023
    Date: 22/09/2003
    Time: 4:55:33 PM
    User: N/A
    Description:
    The Remote Access Connection Manager service terminated with the following error:
    Access is denied.


    >>> 20 more Rasman and Service Control Manager Errors... then

    Event Type: Information
    Event Source: EventLog
    Event Category: None
    Event ID: 6009
    Date: 22/09/2003
    Time: 6:21:05 PM
    User: N/A
    Description:
    Microsoft (R) Windows 2000 (R) 5.0 2195 Service Pack 4 Uniprocessor Free.

    Event Type: Information
    Event Source: EventLog
    Event Category: None
    Event ID: 6005
    Date: 22/09/2003
    Time: 6:21:05 PM
    User: N/A
    Description:
    The Event log service was started.

    Event Type: Information
    Event Source: Save Dump
    Event Category: None
    Event ID: 1001
    Date: 22/09/2003
    Time: 6:21:05 PM
    User: N/A
    Description:
    The computer has rebooted from a bugcheck. The bugcheck was: 0x0000000a (0x00000000, 0x00000002, 0x00000000, 0x8043209b). Microsoft Windows 2000 [v15.2195]. A dump was saved in: E:\WINNT\Minidump\Mini092203-01.dmp.

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7001
    Date: 22/09/2003
    Time: 6:21:07 PM
    User: N/A
    Description:
    The System Event Notification service depends on the COM+ Event System service which failed to start because of the following error:
    No attempts to start the service have been made since the last boot.

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7026
    Date: 22/09/2003
    Time: 6:21:17 PM
    User: N/A
    Description:
    The following boot-start or system-start driver(s) failed to load:
    Imagedrv
    VET-FILT
    VET-REC
    VETMONNT

    Event Type: Error
    Event Source: Service Control Manager
    Event Category: None
    Event ID: 7001
    Date: 22/09/2003
    Time: 6:21:25 PM
    User: N/A
    Description:
    The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:
    No attempts to start the service have been made since the last boot.



    .... there are tons of Rasman and Service Control Manager Errors in the Event Viewer.... they seem to happen all the time.

    there's also a few DCOM msgs:


    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10010
    Date: 22/09/2003
    Time: 6:23:30 PM
    User: NT AUTHORITY\SYSTEM
    Description:
    The server {1BE1F766-5536-11D1-B726-00C04FB926AF} did not register with DCOM within the required timeout.





    there's a ton of suspicious msgs... am I just being paranoid?

    there's also some weird unpacking thing that happens, without me doing anything at all. It looks like something is unpacked or installed very quickly... a little box pops up in the middle of the screen but it's very fast so I can't read what it says... it looks like the red box icon for self-extracting files. I don't know if it's Windows or something else.



    sorry for the really huge post. I really hope someone can tell me what's going on.

    The blue screens happen a lot and I don't have a clue why. I've tried reinstalling Windows and it won't complete the installation without a blue screen... argh. Any help would be great.

    thanks
     
  2. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    I ran HijackThis... should I post the log?
     
  3. MysticEyes

    MysticEyes Banned

    Joined:
    Mar 30, 2002
    Messages:
    4,825
    No, something's up. Have you run Ad-aware and Spybot?

    You could also run Tauscan; it's free to try.
     
  4. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    I just downloaded and ran Ad-aware 6... found 337 objects. Some scary entries in there: "IPInsight... Sentry... possible hijack attempt... broadcastPC...."

    I removed them all.

    will run Tauscan too and see if it finds anything else

    thanks for your help mysticeyes
     
  5. normmork

    normmork

    Joined:
    Oct 4, 2002
    Messages:
    76
  6. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    thanks normmork... yeah, it is build 181... I'm running a full scan now

    I have a DSL router that I believe has a built in firewall but I opened some ports so ICQ would work properly (sending files)
     
  7. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    computer crashed during the full scan

    on startup twice now I've got this pop up msg:

    "The drive or network connection that the shortcut "GStartup.lnk" refers to is unavailable. Make sure that the disk is properly inserted or the network resource is available and then try again"
     
  8. MysticEyes

    MysticEyes Banned

    Joined:
    Mar 30, 2002
    Messages:
    4,825
  9. MysticEyes

    MysticEyes Banned

    Joined:
    Mar 30, 2002
    Messages:
    4,825
    That's Gator, did you by some chance install DIVX 5.02?

    If the computer still works get Spybot , update and run that.

    In Spybot under Tools -> System startup you may see GStartup.lnk. You could remove it from there.
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    wunderfly

    After doing the scan with Adaware, please do this.
    Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Unzip it and click on the Hijackthis.exe.

    Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless. Someone here will be glad to advise you on what to fix.
     
  11. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    tried another full scan and it crashed again...

    on windows start up...

    STOP: 0x 1E, (0x 05, 0x 00, 0xBFD3043B, 0x00, 0x 08)
    KMODE EXCEPTION NOT HANDLED

    restart

    STOP: 0x D1 (0x 0, 0x 02, 0x 00, 0x 00)
    DRIVER IRQL NOT LESS OR EQUAL

    restart

    STOP: 0x 01E (0x C0000005, 0x804IFB5C, 0X 01, 0X 23)
    Address 8041FB5C base at 80400000 DateStamp 3ee6c002 - ntoskrnl.exe.

    turned it off

    left it for about 10 min

    turned it on

    started ok

    I'll try Spybot now... and ZA (or the other) if I get that far tonight

    Tauscan installed but doesn't scan... says it's scanning but isn't.
     
  12. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    I'll have to teach my sisters how to use soulseek instead of iMesh cuz I'm thinking that's where Gator came from... tho I do have DivX 5.0.3 Pro Bundle installed... I don't remember for what tho so I guess I should remove that?
     
  13. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    spybot found 29 problems. removed them all.

    will post HijackThis log next...
     
  14. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    Logfile of HijackThis v1.97.2
    Scan saved at 11:29:46 PM, on 22/09/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\WINNT\System32\Ati2evxx.exe
    E:\WINNT\System32\CTsvcCDA.exe
    E:\WINNT\System32\svchost.exe
    E:\WINNT\system32\hidserv.exe
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\MSTask.exe
    E:\WINNT\System32\tcpsvcs.exe
    E:\WINNT\System32\snmp.exe
    E:\WINNT\system32\stisvc.exe
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\System32\mspmspsv.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\Explorer.EXE
    E:\WINNT\system32\atiptaxx.exe
    E:\WINNT\system32\CTHELPER.EXE
    E:\Program Files\Common Files\Real\Update_OB\realsched.exe
    E:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    E:\Program Files\Microsoft Hardware\Mouse\point32.exe
    E:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 Trial\Monitor.exe
    E:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
    E:\WINNT\system32\internat.exe
    E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\PROGRA~1\WinZip\winzip32.exe
    E:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] E:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "E:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [IntelliType] "E:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [Ulead Memory Card Detector] E:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 Trial\Monitor.exe
    O4 - HKLM\..\Run: [eanth_critical_update_alert] E:\PROGRA~1\ACCELE~1\ANTI-V~1\EANTH_~1.EXE /Startup
    O4 - HKLM\..\Run: [Tau Monitor] E:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
    O4 - HKLM\..\Run: [Ad-aware] "E:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - Global Startup: Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it0_x.cab
    O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et0_x.cab
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldwinner.com/games/v44/pool/pool.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21f30fdbb2e6bb443e06/netzip/RdxIE601.cab
    O16 - DPF: {58FC4C77-71C2-4972-A8CD-78691AD85158} (BJA Control) - http://mirror.worldwinner.com/games/v44/bjattack/bjattack.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37877.5688888889
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BA9B1A6B-08BF-4AE4-BFA1-CD017DED786E}: NameServer = 192.168.0.1

    I uninstalled the virus protection I had tonight and am going to install the one suggested in the security tools thread...

    apparently it's a good thing I unplugged the webcam months ago.
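    The O16 and O17 lines of a HijackThis log are where a reviewer usually starts: each O16 entry is an ActiveX control the browser downloaded into Downloaded Program Files and will load again, and O17 shows which DNS servers the TCP/IP stack is configured to trust. The following is an added example (mine, not part of the thread and not HijackThis's own code) that parses those two line types and flags the entries worth checking by hand. The sample repeats a few lines from the log above plus one constructed O17 line with a documentation-range address so the DNS check has something to flag. The flags are review heuristics, not verdicts: a control fetched from a bare IP address or one HijackThis could not name is a reason to look it up, nothing more.

```python
"""Triage helper for HijackThis-style logs (added example; not HijackThis code)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: O16/O17 lines in the posted layout. The last O17 line is
# invented (documentation-range address) purely to exercise the DNS check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/scandl_cnry.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/21f30fdbb2e6bb443e06/netzip/RdxIE601.cab
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA9B1A6B-08BF-4AE4-BFA1-CD017DED786E}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5
"""

O16_PREFIX = "O16 - DPF: "
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ns>[\d.,]+)\s*$")
DESCRIPTOR_RE = re.compile(r"^\{([0-9A-Fa-f-]+)\}\s*(?:\((.*)\))?$")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_o16(line):
    """Split an O16 line into CLSID, friendly name, download URL and host."""
    descriptor, url = line[len(O16_PREFIX):].rsplit(" - ", 1)
    m = DESCRIPTOR_RE.match(descriptor.strip())
    if m:
        clsid, name = m.group(1).upper(), m.group(2)   # name is None when the log shows no name
    else:
        clsid, name = None, descriptor.strip()        # name-only layout, no CLSID
    url = url.strip()
    return {"clsid": clsid, "name": name, "url": url, "host": urlsplit(url).hostname or ""}

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def triage(log_text):
    """Return (section, subject, reasons) tuples for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        if line.startswith(O16_PREFIX):
            entry = parse_o16(line)
            reasons = []
            if is_ip_literal(entry["host"]):
                reasons.append("control downloaded from a bare IP address")
            if not entry["name"]:
                reasons.append("control has no registered name")
            if reasons:
                findings.append(("O16", entry["host"], reasons))
            continue
        m = O17_RE.match(line)
        if m:
            for ns in m.group("ns").split(","):
                if not is_rfc1918(ns):
                    findings.append(("O17", ns, ["DNS server is not on the local (RFC 1918) network"]))
    return findings
```

    On the sample, `triage` returns four findings: the two O16 entries with no name, the RdxIE control served from 207.188.7.150, and the constructed O17 line; the router at 192.168.0.1 and the named Apple and Yahoo controls pass. A natural next step is to keep a per-machine allowlist of CLSIDs the user recognises and only report what is not on it.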
     
  15. wunderfly

    wunderfly Thread Starter

    Joined:
    Jun 10, 2003
    Messages:
    60
    alright... so I tried another full scan with ad-aware... crashed again.

    STOP: 0x 24(0x00190256, 0xf248f994, 0XF248F5EC, 0X 0)
    NTFS_FILE_SYSTEM

    restart

    STOP: 0X 74 (0X 05, 0X 07, 0X 00, 0X 00)
    BAD SYSTEM CONFIG INFO

    restart

    STOP: 0X 67 (0X 04, 0X 07, 0X 00, 0X00)
    CONFIG INITIALIZATION FAILED

    long beep... long beep...

    turned it off

    left it off all day

    came home and it turned on and everything seems ok

    what the hell is going on?? is this a security issue? or win2000? or hardware? any suggestions??

    thanks for all of your help.
     
Short URL to this thread: https://techguy.org/166697