HJT v1.99.0 is faulty?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

AvvY

Thread Starter
Joined
Oct 8, 2004
Messages
1,762
I was reading through another thread and noticed HJT has been updated, so naturally I upgraded to the latest version - but when I ran a system scan it crashed! I got one of those messages saying HJT stopped responding, would you like to send an error report... and so on. Has anyone else had this? I'm on WinXP Home SP2. I still have 1.98 somewhere, but if this is a problem then it should be looked at. thanx
 

etaf

Wayne
Moderator
Joined
Oct 2, 2003
Messages
65,454
{NOTE: Systems infected with the 'Ms4Hd' rootkit parasite will experience crashes in HijackThis 1.99.x since this parasite deliberately crashes programs that try to detect it. For such cases, Use HijackThis 1.98.2 }
from the website http://www.merijn.org
 

AvvY

Thread Starter
Joined
Oct 8, 2004
Messages
1,762
Hmm, so I should probably run HJT 1.98.2, post a log and fix this stuff up?... dag nam it
one moment please...
 

AvvY

Thread Starter
Joined
Oct 8, 2004
Messages
1,762
Logfile of HijackThis v1.98.2
Scan saved at 1:06:37 AM, on 12/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Macromedia\CFusionMX\runtime\bin\jrunsvc.exe
C:\Program Files\Macromedia\CFusionMX\db\slserver52\bin\swagent.exe
C:\Program Files\Macromedia\CFusionMX\runtime\bin\jrun.exe
C:\Program Files\Macromedia\CFusionMX\db\slserver52\bin\swstrtr.exe
C:\Program Files\Macromedia\CFusionMX\db\slserver52\bin\swsoc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\WebScheduler\wrapper.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashComAdmin.exe
C:\Program Files\Java\jre1.5.0\bin\java.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Macromedia\Flash Communication Server MX\FlashCom.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - Startup: Ad-Watch SE Professional.lnk = C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Startup: Shortcut to MSNLoader.lnk = C:\Documents and Settings\Owner\Desktop\Program Files\MSNLoader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Resume Beyond TV Installation.lnk = C:\Program Files\SnapStream Media\Installers\1894\installer\MsiWebBootStrap.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

thanx :)
 

etaf

Wayne
Moderator
Joined
Oct 2, 2003
Messages
65,454
May not be the problem - but worth posting a 1.98.2 log to see.
 

AvvY

Thread Starter
Joined
Oct 8, 2004
Messages
1,762
*bump*.
Could someone check my HJT log re: 'Ms4Hd', or suggest another method for removal of this? thanx very much
 
Joined
Dec 9, 2000
Messages
45,855
I don't see any problems in the current scanlog at all.

Can you repeat the issue with the most recent version of HijackThis, running it after a fresh reboot and without opening any other programs or the browser itself?

The hang may occur when it is scanning the "service" entries.

If that continues, try downloading and running "autoruns.exe".

Under the "view" tab make sure the first four entries are checked. Upload the log as an "attachment".

http://www.sysinternals.com/ntw2k/freeware/autoruns.shtml
 

AvvY

Thread Starter
Joined
Oct 8, 2004
Messages
1,762
thanx for your reply rollin' rog. I tried scanning again with HJT 1.99 first thing on reboot, but no luck; I even tried booting in safe mode but it still wouldn't work. So I followed your instructions and used autoruns; attached is the log
 

Attachments

Joined
Dec 9, 2000
Messages
45,855
Well I don't see any evidence of infection in that log -- but it certainly is a complex one with many esoteric entries.

Since the 1.99 version of HijackThis has been known to crash when certain rootkit files are installed, try downloading, unzipping and running this file:

http://www.bleepingcomputer.com/files/spyware/imm_mh4.zip

run the "runme.bat" file and copy/paste the log it produces here.
 

AvvY

Thread Starter
Joined
Oct 8, 2004
Messages
1,762
Well that's good to hear - everything looking fine (I guess) - lol, how do you mean esoteric?

I ran that runme.bat, and here is the log:

An Ms4Hd_look by IMM (v0.003)
Version Info: 5.1000 = Windows XP Home Ed. SP2 (Build 2600)
The volume containing the system directory is C: (NTFS)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys
Error: Unable to open key (Return Code was 2)

HKLM\SYSTEM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues
Error: Unable to open key (Return Code was 2)

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
(1 subkey(s) and 20 values) last modified 00:34 23/12/2004 (UTC)
[CTSysVol] "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r" (SZ)
[CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE" (SZ)
[CTHelper] "CTHELPER.EXE" (SZ)
[SBDrvDet] "C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r" (SZ)
[ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" (SZ)
[zBrowser Launcher] "C:\Program Files\Logitech\iTouch\iTouch.exe" (SZ)
[Logitech Utility] "Logi_MwX.Exe" (SZ)
[RemoteControl] ""C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"" (SZ)
[RemoteCenter] "" (SZ)
[BigPondCable] ""C:\Program Files\Telstra\Cable Login\bpcable.exe" /r" (SZ)
[OpwareSE2] ""C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"" (SZ)
[SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0\bin\jusched.exe" (SZ)
[DAEMON Tools-1033] ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" (SZ)
[MessengerPlus3] ""C:\Program Files\Messenger Plus! 3\MsgPlus.exe"" (SZ)
[WinampAgent] ""C:\Program Files\Winamp\winampa.exe"" (SZ)
[AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" (SZ)
[AVG7_EMC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" (SZ)
[Zone Labs Client] ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" (SZ)
[{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Program Files\Google\Gmail Notifier\gnotify.exe" (SZ)
[NeroFilterCheck] "C:\WINDOWS\system32\NeroCheck.exe" (SZ)
 
Joined
Dec 9, 2000
Messages
45,855
Edit: changed my mind, I think you are ok, but check back in a while -- I need to review the history of this.
 
Joined
Dec 9, 2000
Messages
45,855
There is no evidence of the rootkit infection in any of the logs. I have no explanation for the HijackThis version failure.
 

AvvY

Thread Starter
Joined
Oct 8, 2004
Messages
1,762
Thanx Rollin' Rog for your help with this problem. It is interesting. It's not of huge importance as I am not suffering any other problems which would require examination of a HJT log - I was just updating for the future if the need ever occurs. I guess until a solution is found I will rely on HJT 1.98.2 if need be. thanx, take care,
merry xmas and happy new year
 
Joined
Dec 9, 2000
Messages
45,855
You're most welcome. If there was any indication at all of the typical entries associated with the rootkit parasite I would take this a bit further, but really there isn't. Typically we see an unwanted entry in the Internet Explorer "trusted zone". You have only the Windows update domain you placed there yourself.

Have a great holiday!
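As an added example (not code from this thread, from HijackThis or from the Ms4Hd_look tool), here is a small Python reviewer for HJT-format logs that applies the check described above: it flags O15 Trusted Zone hosts that are not on an allow-list the reviewer supplies, and also reports orphaned O2/O3 entries whose file is gone. The sample log lines and the placeholder host `*.example-unknown.test` are constructed for the example; the default allow-list (only windowsupdate) is an assumption taken from the thread.

```python
import re

# Constructed sample in the same line format as the HijackThis log posted
# above; values are made up and "example-unknown.test" is a placeholder.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\AcroIEHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://*.example-unknown.test
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro.com/housecall/xscan53.cab
"""

# Every HJT finding line starts with a section code (R0, O2, O4, O15, ...).
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Group HijackThis log lines by section code; non-finding lines are skipped."""
    sections = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            sections.setdefault(m.group("sec"), []).append(m.group("body"))
    return sections


def review_hjt(text, trusted_ok=("*.windowsupdate.com",)):
    """Return (section, message) findings.

    trusted_ok lists the O15 Trusted Zone hosts the user knowingly added
    (assumption: only the Windows Update domain, as in this thread)."""
    sections = parse_hjt(text)
    findings = []
    for body in sections.get("O15", []):
        host = body.split("Trusted Zone:", 1)[-1].strip()
        host = re.sub(r"^https?://", "", host)
        if host not in trusted_ok:
            findings.append(("O15", "trusted-zone host not expected: " + host))
    # Orphaned BHO/toolbar entries are leftovers, not an infection sign by
    # themselves, but they are worth cleaning up and easy to spot.
    for sec in ("O2", "O3"):
        for body in sections.get(sec, []):
            if body.endswith("(no file)"):
                findings.append((sec, "orphaned entry (no file on disk): " + body))
    return findings


if __name__ == "__main__":
    for sec, msg in review_hjt(SAMPLE_LOG):
        print(sec, msg)
```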
 