
Error 0x000000008e


29 replies to this topic

#1 LostLEGION
  • Members
  • 22 posts

Posted 29 November 2006 - 07:07 AM

Hello. There is a huge problem in my computer. After weeks of destroying viruses in Safemode, I encountered another problem. Error 0x000000008E. People told me that I could disable ctfmon and dumprep 0-k at the msconfig. I did so and the computer worked for a few days. But now, the computer runs ctfmon again and it could be disabled by msconfig but it instantly pops back out when I restart the computer, and leads to the crash. I have tried my best but I could not do anything. I updated the BIOS. I am very unhappy and feel completely hopeless. Please help me. Here is my hijackthis scan log. I would be very grateful for anyone who could fix it. Thanks.
(Moderator edit: log post move to HJT Forum for team analysis and member help. jgweed)
Logfile of HijackThis v1.99.1
Scan saved at 19:49:03, on 29/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Documents and Settings\admin\\HijackThis.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\Common Files\{F821B7BF-0BF3-3076-0923-050707200354}\Update.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\FSRremoS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {132C021B-4744-96C1-B709-031F95FCD31A} - C:\WINDOWS\system32\jcdjdhd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {58BBF2A4-A147-36DD-8BA0-097813B085E4} - C:\WINDOWS\system32\nvkzium.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {737AD681-C715-3A2D-D64E-023470EF0853} - C:\WINDOWS\system32\xblwjfb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CFilter Object - {C97EAD04-D1D3-4580-BDAC-EB13B6CB176E} - C:\WINDOWS\fonts\font.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [msstart] C:\WINDOWS\system32\msstart.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [klvanon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\klvanon.dll,wejdulg
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ekgcqjl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ekgcqjl.dll,aetjarf
O4 - HKLM\..\Run: [dwiverl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dwiverl.dll,ibbffo
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\ChangJie\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera Mi-640
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [01 that sign phone] C:\Documents and Settings\All Users\Application Data\face drv 01 that\debug show.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Junk Chic] C:\DOCUME~1\admin\APPLIC~1\Insideup\Iso Four.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: ㄏノ BitSpirit 更(&:thumbsup: - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: ノゑ疭弘艶更(&:flowers: - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 北 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: 穝 ThinkPad 硁砰 - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...899/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edited by jgweed, 29 November 2006 - 10:33 AM.



#2 Mr_JAk3
    HJT Team Member
  • Members
  • 527 posts
  • Location:Finland

Posted 29 November 2006 - 11:10 AM

Hi LostLEGION :thumbsup:

You got infections there....

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

:flowers:

Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and Save as:
  • Name the file peek.bat
  • Save as Type: All files
  • Select the desktop icon on the left to save it on the desktop.
Double click on peek.bat and let it run.
When finished it will open a file in Notepad.
That file will be named startup.txt
Please post the contents of startup.txt into your next reply here.

REM peek.bat: export the two MSConfig keys that hold items disabled in msconfig
REM and collect both exports into startup.txt, then open it in Notepad
if exist startup.txt del startup.txt
regedit /e peek1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg"
regedit /e peek2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder"
type peek1.txt >> startup.txt
type peek2.txt >> startup.txt
del peek*.txt
start notepad startup.txt


Edited by Mr_JAk3, 29 November 2006 - 11:20 AM.

UNITE & ASAP member since 2006

#3 LostLEGION
  • Topic Starter
  • Members
  • 22 posts

Posted 30 November 2006 - 07:45 AM

Thank you for helping me out. Here is the text you need:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
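Both the HijackThis log in the first post and the MSConfig export above follow fixed line formats, so the triage a helper does by eye can be scripted. The Python below is an added example and is not code from this thread, from HijackThis or from Windows; the function names (parse_hjt, triage, parse_startupreg, re_enabled), the heuristics and the sample inputs are the example's own, the samples being constructed in the shapes seen in the two logs rather than the full logs. It parses O2 (BHO) and O4 (Run key) lines, flags for review the entry classes the helper acts on later in the thread (unnamed BHOs loaded from the Windows directory, DLLs run from system32 through rundll32 at logon, Run entries executing from Application Data, including the 8.3 short form APPLIC~1 that a plain substring match would miss), and then cross-checks the startupreg export against the live Run entries: an item msconfig recorded as disabled that is nevertheless back in its Run key is exactly the ctfmon behaviour described in the first post, and points at something re-creating the value on each boot.

```python
import re

# Constructed samples in the shapes seen in this thread (not the full logs).
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {132C021B-4744-96C1-B709-031F95FCD31A} - C:\WINDOWS\system32\jcdjdhd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [klvanon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\klvanon.dll,wejdulg
O4 - HKLM\..\Run: [01 that sign phone] C:\Documents and Settings\All Users\Application Data\face drv 01 that\debug show.exe
O4 - HKCU\..\Run: [Junk Chic] C:\DOCUME~1\admin\APPLIC~1\Insideup\Iso Four.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# regedit /e export of the msconfig "disabled items" key (constructed, trimmed).
STARTUPREG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"item"=""
"hkey"="HKLM"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck]
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<item>[^\]]*)\] (?P<command>.+)$")
RUNDLL_RE = re.compile(r'^"?(?:.*\\)?rundll32\.exe"?\s+(?P<dll>.+?),\S+$', re.I)
APPDATA_RE = re.compile(r"\\(application data|applic~1)\\", re.I)  # long and 8.3 forms
SYSROOT = "c:\\windows\\"


def parse_hjt(log_text):
    """Split a HijackThis log into O2 (BHO) and O4 (Run key) entries."""
    bhos, runs = [], []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = O4_RE.match(line)
        if m:
            runs.append(m.groupdict())
    return bhos, runs


def triage(bhos, runs):
    """Flag entry classes worth a closer look (heuristics, not verdicts)."""
    findings = []
    for b in bhos:
        # Vendor BHOs name themselves and install under Program Files; an
        # unnamed one loaded from the Windows directory deserves review.
        if b["name"] == "(no name)" and b["path"].lower().startswith(SYSROOT):
            findings.append(("unnamed BHO under the Windows directory", b["path"]))
    for r in runs:
        cmd = r["command"]
        m = RUNDLL_RE.match(cmd)
        if m and m.group("dll").lower().startswith(SYSROOT + "system32\\"):
            findings.append(("DLL run from system32 via rundll32 at logon", m.group("dll")))
        elif APPDATA_RE.search(cmd):
            findings.append(("Run entry executing from Application Data", cmd))
    return findings


def parse_startupreg(reg_text):
    """Parse the startupreg export: one subkey per item msconfig disabled by
    moving it out of its Run key. The base key (empty item) is skipped."""
    items, current = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            if current and current.get("item"):
                items.append(current)
            current = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:  # .reg files double every backslash; undo that
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    if current and current.get("item"):
        items.append(current)
    return items


def re_enabled(runs, disabled):
    """Disabled items whose exact command is back in a live Run key of the
    same hive: something re-creates the value after msconfig removed it."""
    live = {(r["hive"], r["command"].strip('"').lower()) for r in runs}
    return [d["item"] for d in disabled
            if (d.get("hkey"), d.get("command", "").lower()) in live]


if __name__ == "__main__":
    bhos, runs = parse_hjt(HJT_LOG)
    for reason, detail in triage(bhos, runs):
        print(f"REVIEW      {reason}: {detail}")
    for item in re_enabled(runs, parse_startupreg(STARTUPREG)):
        print(f"RE-ENABLED  msconfig-disabled item '{item}' is back in its Run key")
```

On the samples this reports the unnamed system32 BHO, the rundll32-loaded DLL, both Application Data launchers (the APPLIC~1 one only because the pattern knows the short name), and ctfmon as re-enabled; the named Adobe BHO, the Spybot helper under Program Files and the avast! entry pass through. To run it over a real log, replace the two constants with the file contents; the heuristics only narrow the list for a human, they do not decide what is malicious.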

#4 Mr_JAk3
    HJT Team Member
  • Members
  • 527 posts
  • Location:Finland

Posted 30 November 2006 - 02:36 PM

Hi again :thumbsup:

Please post the contents of C:\VundoFix.txt to here :flowers:

#5 LostLEGION
  • Topic Starter
  • Members
  • 22 posts

Posted 01 December 2006 - 07:07 AM

Oh sorry...here it is:

VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.7

Scan started at 20:23:55 30/11/2006

Listing files found while scanning....

C:\WINDOWS\system32\dwiverl.dll
C:\WINDOWS\system32\klvanon.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dwiverl.dll
C:\WINDOWS\system32\dwiverl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\klvanon.dll
C:\WINDOWS\system32\klvanon.dll Has been deleted!

Performing Repairs to the registry.
Done!

Is everything working now?

#6 Mr_JAk3
    HJT Team Member
  • Members
  • 527 posts
  • Location:Finland

Posted 01 December 2006 - 02:26 PM

Ok we'll continue...

Please Download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • First close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A Message should popup from NoLop. If not, double click the program again and it will finish. Please Post the contents of C:\NoLop.log along with a fresh HijackThis log
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.--

#7 LostLEGION
  • Topic Starter
  • Members
  • 22 posts

Posted 01 December 2006 - 07:55 PM

Here is the NoLop log:
NoLop! Log by Skate_Punk_21

Fix running from: F:\
[2/12/2006]
[8:37:34]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\A9CB24949188DCA8.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Admin\Application Data\Adobe
C:\Documents and Settings\Admin\Application Data\Adobeum
C:\Documents and Settings\Admin\Application Data\Apple Computer
C:\Documents and Settings\Admin\Application Data\Black Sea Studios
C:\Documents and Settings\Admin\Application Data\Firaxis Games
C:\Documents and Settings\Admin\Application Data\Google
C:\Documents and Settings\Admin\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Admin\Application Data\Ibm
C:\Documents and Settings\Admin\Application Data\Identities
C:\Documents and Settings\Admin\Application Data\Insideup
C:\Documents and Settings\Admin\Application Data\Installshield
C:\Documents and Settings\Admin\Application Data\Intervideo
C:\Documents and Settings\Admin\Application Data\Lavasoft
C:\Documents and Settings\Admin\Application Data\Leadertech
C:\Documents and Settings\Admin\Application Data\Macromedia
C:\Documents and Settings\Admin\Application Data\Microsoft
C:\Documents and Settings\Admin\Application Data\Microsoft Games
C:\Documents and Settings\Admin\Application Data\Microsoft Web Folders -- EMPTY Directory
C:\Documents and Settings\Admin\Application Data\Mozilla
C:\Documents and Settings\Admin\Application Data\My Games -- EMPTY Directory
C:\Documents and Settings\Admin\Application Data\Netpumper
C:\Documents and Settings\Admin\Application Data\Real
C:\Documents and Settings\Admin\Application Data\Seven Zip
C:\Documents and Settings\Admin\Application Data\Sonic
C:\Documents and Settings\Admin\Application Data\Sun
C:\Documents and Settings\Admin\Application Data\Symantec
C:\Documents and Settings\Admin\Application Data\Wings3d
C:\Documents and Settings\Admin\Application Data\Xfire
C:\Documents and Settings\Administrator.bn-home\Application Data\Adobe
C:\Documents and Settings\Administrator.bn-home\Application Data\Ibm
C:\Documents and Settings\Administrator.bn-home\Application Data\Identities
C:\Documents and Settings\Administrator.bn-home\Application Data\Lavasoft
C:\Documents and Settings\Administrator.bn-home\Application Data\Microsoft
C:\Documents and Settings\Administrator.bn-home\Application Data\Real
C:\Documents and Settings\Administrator.bn-home\Application Data\Sonic
C:\Documents and Settings\Administrator.bn-home\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Face Drv 01 That
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Ibm
C:\Documents and Settings\All Users\Application Data\Macromedia
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Mgi
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\{fbda53f5-763e-4114-a576-612e9769c133}
C:\Documents and Settings\Default User\Application Data\Ibm
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sonic
C:\Documents and Settings\Default User\Application Data\Symantec -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Symantec

And the new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:44:08, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINPENJR\Win32\pphidpad.exe
C:\WINDOWS\system32\ICO.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxtray.exe
C:\IBMTOOLS\UTILS\ibmprc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\SKDAEMON.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\VM_STI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Documents and Settings\All Users\Application Data\face drv 01 that\debug show.exe
C:\Program Files\Common Files\{F821B7BF-0BF3-3076-0923-050707200354}\Update.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\DOCUME~1\admin\APPLIC~1\Insideup\Iso Four.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\admin\\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {132C021B-4744-96C1-B709-031F95FCD31A} - C:\WINDOWS\system32\jcdjdhd.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {58BBF2A4-A147-36DD-8BA0-097813B085E4} - C:\WINDOWS\system32\nvkzium.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {737AD681-C715-3A2D-D64E-023470EF0853} - C:\WINDOWS\system32\xblwjfb.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CFilter Object - {C97EAD04-D1D3-4580-BDAC-EB13B6CB176E} - C:\WINDOWS\fonts\font.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [msstart] C:\WINDOWS\system32\msstart.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [klvanon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\klvanon.dll,wejdulg
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ekgcqjl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ekgcqjl.dll,aetjarf
O4 - HKLM\..\Run: [dwiverl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dwiverl.dll,ibbffo
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\ChangJie\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera Mi-640
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [01 that sign phone] C:\Documents and Settings\All Users\Application Data\face drv 01 that\debug show.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Junk Chic] C:\DOCUME~1\admin\APPLIC~1\Insideup\Iso Four.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: ㄏノ BitSpirit 更(&:thumbsup: - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: ノゑ疭弘艶更(&:flowers: - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 北 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: 穝 ThinkPad 硁砰 - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...899/mcfscan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

I tried starting the computer in normal mode (cos I used safe mode as it crashes a few minutes after normal mode is run, but safe mode doesn't have the problem. However, my HijackThis logs are done in normal mode by running them very fast and getting the log before it crashes...) but the crash is still there. Do I have to do more stuff?

#8 Mr_JAk3
    HJT Team Member
  • Members
  • 527 posts
  • Location:Finland

Posted 03 December 2006 - 02:53 AM

Hi again and sorry for the delay. At first I would like you to submit a few files for further analysis.

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\Documents and Settings\All Users\Application Data\face drv 01 that\debug show.exe
C:\Documents and Settings\admin\Application Data\Insideup\Iso Four.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please go to here to upload the cab file -> File for skatepunk
Copy the name of this thread to the first field.
To the "Browse to the file you want to submit:", browse to the .cab file on your desktop and upload it.
To the comments, please mention that I asked for the file.

Thank you :thumbsup:




Then you may continue from here:

You seem to have this NetPumper program installed. The free version is bundled with ad-aware but the pro version should be good to go.
If you have the pro version, skip the blue steps.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply, then OK, and close My Computer.
==================

Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:

NetPumper

and any other programs you didn't install or don't recognize - if you're not sure, please ask first

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

debug show.exe
Update.exe
Iso Four.exe

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {132C021B-4744-96C1-B709-031F95FCD31A} - C:\WINDOWS\system32\jcdjdhd.dll
O2 - BHO: (no name) - {58BBF2A4-A147-36DD-8BA0-097813B085E4} - C:\WINDOWS\system32\nvkzium.dll
O2 - BHO: (no name) - {737AD681-C715-3A2D-D64E-023470EF0853} - C:\WINDOWS\system32\xblwjfb.dll
O2 - BHO: CFilter Object - {C97EAD04-D1D3-4580-BDAC-EB13B6CB176E} - C:\WINDOWS\fonts\font.dll
O4 - HKLM\..\Run: [msstart] C:\WINDOWS\system32\msstart.exe
O4 - HKLM\..\Run: [klvanon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\klvanon.dll,wejdulg
O4 - HKLM\..\Run: [ekgcqjl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ekgcqjl.dll,aetjarf
O4 - HKLM\..\Run: [dwiverl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\dwiverl.dll,ibbffo
O4 - HKLM\..\Run: [01 that sign phone] C:\Documents and Settings\All Users\Application Data\face drv 01 that\debug show.exe
O4 - HKCU\..\Run: [Junk Chic] C:\DOCUME~1\admin\APPLIC~1\Insideup\Iso Four.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - (no file)


Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\jcdjdhd.dll
C:\WINDOWS\system32\nvkzium.dll
C:\WINDOWS\system32\xblwjfb.dll
C:\WINDOWS\fonts\font.dll
C:\WINDOWS\system32\msstart.exe
C:\WINDOWS\system32\klvanon.dll
C:\WINDOWS\system32\ekgcqjl.dll
C:\WINDOWS\system32\dwiverl.dll
C:\Documents and Settings\All Users\Application Data\face drv 01 that\debug show.exe
C:\Documents and Settings\admin\Application Data\Insideup\Iso Four.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following folders (if present):
C:\Documents and Settings\All Users\Application Data\face drv 01 that
C:\Documents and Settings\admin\Application Data\Insideup
C:\Documents and Settings\Admin\Application Data\Netpumper
C:\Program Files\Netpumper
C:\Program Files\Common Files\{F821B7BF-0BF3-3076-0923-050707200354}

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

Edited by Mr_JAk3, 03 December 2006 - 02:53 AM.

UNITE & ASAP member since 2006

#9 LostLEGION

LostLEGION
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:11 PM

Posted 03 December 2006 - 09:33 AM

Sorry...but first, before I start everything, I have to say:
My computer crashed into the STOP 0x000000008E screen once the whole computer runs fully, and the time for me to do anything in normal Windows is minimal. I am currently using my office's computer and saving everything you needed on a USB stick, so I can bring it home to do the stuff in safe mode. Only the HijackThis logs were done in normal mode because it runs fast enough before the computer crashes. Sorry for the inconvenience.

#10 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:01:11 AM

Posted 04 December 2006 - 12:13 AM

Ok thanks for letting me know.

When you've completed the instructions, please check whether the computer runs in normal mode :thumbsup:
UNITE & ASAP member since 2006

#11 LostLEGION

LostLEGION
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:11 PM

Posted 04 December 2006 - 06:59 AM

I am sorry, but I don't really understand the following instruction:
Copy the file names below to the clipboard by highlighting them and pressing Control-C

#12 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:01:11 AM

Posted 04 December 2006 - 01:57 PM

Ok that means that you need to copy the following filenames to your clipboard (codebox):

C:\WINDOWS\system32\jcdjdhd.dll
C:\WINDOWS\system32\nvkzium.dll
C:\WINDOWS\system32\xblwjfb.dll
C:\WINDOWS\fonts\font.dll
C:\WINDOWS\system32\msstart.exe
C:\WINDOWS\system32\klvanon.dll
C:\WINDOWS\system32\ekgcqjl.dll
C:\WINDOWS\system32\dwiverl.dll
C:\Documents and Settings\All Users\Application Data\face drv 01 that\debug show.exe
C:\Documents and Settings\admin\Application Data\Insideup\Iso Four.exe

Select (highlight) the text with your mouse and it changes colour. Right-click the text that is now selected with your mouse. A menu will open. Choose Copy from the menu. Now the text has been copied to your clipboard. Then just continue with the instructions.

Let me know if it didn't work :thumbsup:
UNITE & ASAP member since 2006

#13 LostLEGION

LostLEGION
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:11 PM

Posted 05 December 2006 - 08:35 AM

Okay, I've done the things you needed. I have also submitted the requested file thing. But can you please tell me what it is about? What is in it?
This is the AVG report scan:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:10:15 5/12/2006

+ Scan result:



C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip -> Downloader.Delf.qz : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip -> Downloader.Delf.qz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0141833.exe -> Downloader.Zlob.aes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0142853.exe -> Downloader.Zlob.aes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0143845.exe -> Downloader.Zlob.aes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0140827.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0141827.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0142827.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0143827.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0144827.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0145828.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0146828.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0147828.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0148828.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0149827.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0150828.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0151828.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0151839.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0151845.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0152958.exe -> Downloader.Zlob.axl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0152964.exe -> Downloader.Zlob.azj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0153964.exe -> Downloader.Zlob.azj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0154967.exe -> Downloader.Zlob.azj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0154984.exe -> Downloader.Zlob.azj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0154991.exe -> Downloader.Zlob.azj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0155992.exe -> Downloader.Zlob.azj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP337\A0109585.exe -> Hijacker.Costrat.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP340\A0111084.exe -> Hijacker.Costrat.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0155990.dll -> Not-A-Virus.Hoax.Win32.Renos.ap : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP354\A0155997.dll -> Not-A-Virus.Hoax.Win32.Renos.fa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP337\A0109586.exe -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{3B4D14C7-DE53-4CE5-81B3-EEF93FE04AB7}\RP340\A0111085.exe -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\MZU_DRV.sys -> Proxy.Small.bo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\_mzu_stonedrv2.exe -> Proxy.Small.bo : Cleaned with backup (quarantined).


::Report end

And the Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 21:17:11, on 5/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\admin\\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CFilter Object - {C97EAD04-D1D3-4580-BDAC-EB13B6CB176E} - C:\WINDOWS\fonts\font.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\SamsungMediaStudio4.1\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IBMPRC] C:\IBMTOOLS\UTILS\ibmprc.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\ChangJie\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE USB PC Camera Mi-640
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: ㄏノ BitSpirit 更(&:thumbsup: - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: ノゑ疭弘艶更(&:flowers: - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 北 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: 穝 ThinkPad 硁砰 - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...899/mcfscan.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: IBM Rapid Restore Ultra Service - Unknown owner - C:\Program Files\IBM\IBM Rapid Restore Ultra\rrpcsb.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Finally, I have retried the computer in normal mode, but it crashed into the STOP 0x000000008E again.
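
The entries Mr_JAk3 singled out in post #8, and the leftovers in the log just above, share a few recognizable shapes: unnamed BHOs, DLLs with consonant-heavy random names in system32, rundll32 autoruns that call a named export, a DLL living in the Fonts directory, an autorun pointing into Application Data, and entries whose file is already gone. The script below is an added illustration of that triage logic and is not part of this thread or of HijackThis; the heuristics (the vowel-ratio test in particular) are mine, and the sample lines are copied from the logs posted above with clean entries mixed in so the rules have something to leave alone.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis v1.99.1 lines of the kinds posted in this thread.
# Every path below is copied from the logs above; the mix of clean and infected
# entries is deliberate so the heuristics have something to ignore as well as flag.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {132C021B-4744-96C1-B709-031F95FCD31A} - C:\WINDOWS\system32\jcdjdhd.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CFilter Object - {C97EAD04-D1D3-4580-BDAC-EB13B6CB176E} - C:\WINDOWS\fonts\font.dll (file missing)
O4 - HKLM\..\Run: [klvanon.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\klvanon.dll,wejdulg
O4 - HKLM\..\Run: [01 that sign phone] C:\Documents and Settings\All Users\Application Data\face drv 01 that\debug show.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - (no file)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Matches a Windows path ending in .exe/.dll/.sys and stops at the first such
# extension, so "rundll32.exe C:\...\klvanon.dll,wejdulg" yields two separate paths.
PATH_RE = re.compile(r'[A-Za-z]:\\[^,"\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)
VOWELS = set("aeiouy")


@dataclass
class Finding:
    line: str
    reasons: list


def looks_random(stem):
    """Heuristic (mine, not HijackThis's): 6-8 lowercase letters with under 30%
    vowels, the shape of jcdjdhd, xblwjfb and klvanon in the logs above."""
    if not re.fullmatch(r"[a-z]{6,8}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def triage_line(line):
    """Return the list of reasons a single HijackThis line deserves a second look."""
    reasons = []
    if line.startswith("O2 ") and "(no name)" in line:
        reasons.append("BHO registered without a name")
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("registry entry points at a file that no longer exists")
    if re.search(r"rundll32\.exe\s+\S.*\.dll,", line, re.IGNORECASE):
        reasons.append("rundll32 autorun calling an export of a DLL")
    for path in PATH_RE.findall(line):
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        stem, ext = name.rsplit(".", 1)
        if ext == "dll" and low.startswith("c:\\windows\\system32\\") and looks_random(stem):
            reasons.append("random-looking DLL name in system32: " + name)
        if ext == "dll" and "\\fonts\\" in low:
            reasons.append("DLL loaded from the Fonts directory: " + name)
        if ext == "exe" and line.startswith("O4 ") and "\\application data\\" in low:
            reasons.append("autorun executable under Application Data: " + name)
    return reasons


def triage(log_text):
    """Run triage_line over a whole log and keep only the lines that raised a reason."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

On the sample, the five lines that get flagged are exactly the ones a helper would ask about, and ctfmon.exe, the Adobe BHO and the avast! service pass clean. Treat the output as a review queue rather than a delete list: the random-name test will also trip on some legitimate vendor DLLs with consonant-heavy names, and a "(no name)" BHO can be a legitimate tool (Spybot's SDHelper.dll in the log above registers that way), which is why the thread's helper checks each entry before asking for it to be fixed.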

#14 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:01:11 AM

Posted 05 December 2006 - 11:38 AM

Hi again :flowers:

You have a rootkit that doesn't show in normal logs. That is probably why your computer is crashing...

The AVG log was mostly files in System Restore. We can clean that easily, but not yet...

Now let's see what else is hiding :huh:

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
Please run a GMER Rootkit scan:

Download GMER's application from here:
http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

:thumbsup:

Edited by Mr_JAk3, 05 December 2006 - 11:39 AM.

UNITE & ASAP member since 2006

#15 LostLEGION

LostLEGION
  • Topic Starter

  • Members
  • 22 posts
  • OFFLINE
  • Local time:06:11 PM

Posted 06 December 2006 - 09:59 AM

I am afraid that GMER doesn't work. It was scanning through the files and suddenly...it crashed into the STOP 0x0000000008E screen. Is there another possible solution?



