#1
Stop 0x00000050 Error
Hi, I must confess to not being extremely computer literate, so some advice on the following problem could prove useful.
Okay, first things first, I'm running Windows XP Pro. Earlier today my computer began to act rather erratically, MS Word was failing to save documents due to an 'infection' of some sort. I attempted to scan my computer for viruses, but I wasn't able to open Norton anti virus (it would open briefly and then disappear). So I then decided to scan for spyware using Ad-Aware (fully updated). It found a number of items which I duly quarantined. I then attempted another scan using Spyware S&D, which again I could not open. After restarting my computer I was presented with a dreaded blue screen, informing me of a Stop 0x00000050 Error: PAGE_FAULT_IN_NONPAGED_AREA, and therefore would close Windows. So I restarted in safe mode to investigate. Ad-Aware found two critical items, a tracking cookie and a windows registry entry, the logfile of which is below:

Name:Windows
Category:Vulnerability
Object Type:RegData
Size:29 Bytes
Location:software\microsoft\windows nt\currentversion\winlogon "Shell" (explorer.exe winservnt32.exe)
Last Activity:28-08-2006
Relevance:Low
TAC index:3
Comment:Shell Possibly Compromised
Description:General Windows Security Issue. Your system security may be compromised. The specifics of the possible compromised item are listed in the comments section.

I then ran hijack this, which produced the following report:

Logfile of HijackThis v1.99.1
Scan saved at 19:59:55, on 28/08/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\winservnt32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.o2.co.uk/
F2 - REG:system.ini: Shell=Explorer.exe winservnt32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,winservn t32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [C-Media Mixer] C:\Program Files\PCI Audio Applications\Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DigiSrv] C:\WINDOWS\Twain_32\DigiCam\DigiSrv.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ScanPanel.lnk = C:\ScanPanel\ScnPanel.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {0E79192A-C52C-4260-920F-639AC2296203} - http://scripts.downloadv3.com/binari...1048_EN_XP.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {39EA2F6F-3F50-4F58-9C63-4B3D53B0926E} - http://scripts.downloadv3.com/binari...1049_EN_XP.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {71CBDCD9-0830-4470-A890-35D364DA352C} - http://scripts.downloadv3.com/binari...1047_EN_XP.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9F3009B-976B-41C4-A992-229DCCF3367C} (CoAxTrack Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {BD3653E4-884B-43C4-970B-670802501B7F} - http://akamai.downloadv3.com/binarie...1043_EN_XP.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/...x/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: dvb03a - C:\WINDOWS\SYSTEM32\dvb03a.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

I assume the problem lies in the winservnt32.exe file, although I am not sure by any means. I apologise for such a lengthy post but would be grateful if anybody could take a look over the Hijack This log and suggest a possible solution to my problem, as I now cannot access Windows other than in safe mode. Oh, and I have also attempted a System Restore but that has not helped.

Any assistance at all would be greatly appreciated,
Many thanks,
Matt
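
An added example, not part of the original thread: a small Python check that pulls out the programs appended to the Winlogon Shell and UserInit values (the F2 lines of the HijackThis log above) and lists the Run entries (O4 lines) that start the same file. The function names and the embedded sample lines are assumptions made for illustration; the Windows XP defaults used for comparison are Explorer.exe and userinit.exe.

```python
import ntpath
import re

# Windows XP defaults for the two Winlogon values HijackThis reports as F2.
DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

# Constructed sample: lines taken from the log in the post above; the space in
# "winservn t32.exe" is assumed to be a forum wrapping artifact and is removed.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe winservnt32.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,winservnt32.exe
O4 - HKLM\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKCU\..\Run: [STManager] C:/Program Files/SpeedTouch/Dr SpeedTouch/drst.exe -b
O4 - HKCU\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
"""

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
EXE_RE = re.compile(r'"?(.*?\.exe)', re.I)  # command up to the first ".exe"

def basename(token):
    """File name of a Windows path, lower-cased, quotes and spaces stripped."""
    return ntpath.basename(token.strip().strip('"')).lower()

def winlogon_extras(log):
    """Map each F2 value (shell/userinit) to the programs beyond its default."""
    extras = {}
    for line in log.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        # Userinit is comma-separated; Shell is split on whitespace (no spaced paths).
        parts = value.split(",") if key == "userinit" else value.split()
        extras[key] = [b for b in map(basename, parts) if b and b not in DEFAULTS[key]]
    return extras

def run_keys_launching(log, programs):
    """Return (hive, entry name, file) for O4 Run entries starting `programs`."""
    hits = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        exe = EXE_RE.match(m.group(3)) if m else None
        if exe and basename(exe.group(1)) in programs:
            hits.append((m.group(1), m.group(2), basename(exe.group(1))))
    return hits

if __name__ == "__main__":
    found = winlogon_extras(SAMPLE_LOG)
    print(found, run_keys_launching(SAMPLE_LOG, {p for v in found.values() for p in v}))
```
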
#2
Problem now solved, one of my startup programs was causing the stop error. Thanks anyways
#3
Howdy mattboyslim,
Welcome to CTH. Can appreciate you finding some solution there, but one of your other startups showing is a Haxdoor rootkit variant (along with other infection there). If you would like, let's be about cleaning that system up.

Download haxfix.exe and save it to your desktop

* Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
* Checkmark "Create a desktop icon"
* Click "Next"
* When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
* Click "Finish"

A red "dos window" (dos box) will open with options:

1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

* Select option 1. Make logfile by typing 1 and then pressing Enter
* Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
* Copy the contents of that logfile and paste it into this thread > (c:\haxfix.txt)