Help: Stop 0X0000008E [Rootkits and Viruses]
tammymc
Newbie
20. February 2008 @ 01:45
Hi,

Please help me clean out my machine. My laptop snagged a nasty set of problems. SDFix allowed me to move beyond safe mode along with the bluescreen. So far I have used NOD32; it found winexit-Z. GMER found system modifications, and Trend Micro RootkitBuster removed the modifications. Today my machine still has a missing shell.exe problem, and the junk is still in this recent HijackThis log.

1) Below is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 12:55:53 AM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Whfwljjw\zhrpgjue.exe
C:\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\Desktop\Hijack This9\hijackthis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QCWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [QCTray] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\system32\icasServ.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [braviax] braviax.exe
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [poxwpcjy] rundll32.exe "C:\Program Files\poxwpcjy\pqdonofg.dll",Init
O4 - HKLM\..\Run: [rsbehmbm] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\rsbehmbm.dll"
O4 - HKLM\..\Run: [zhrpgjue] C:\Program Files\Whfwljjw\zhrpgjue.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\MIKEFR~1\LOCALS~1\Temp\csrssc.exe
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1203478740967
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://download.srtest.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8689062D-66B2-4C6E-BD81-BA7DAE1DA8D3}: NameServer = 85.255.116.152,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA943B4A-ECCE-4C75-B5F1-14B7197E048B}: NameServer = 85.255.116.152,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.19
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.19
O21 - SSODL: ridUpSKF - {00A8002C-AA02-AA86-7F98-7C1849EA02E8} - C:\WINDOWS\system32\oqqfu.dll (file missing)
O21 - SSODL: BootSetup - {97f75a94-ac6e-483d-9d68-6c370cef6379} - C:\WINDOWS\Installer\{97f75a94-ac6e-483d-9d68-6c370cef6379}\BootSetup.dll (file missing)
O21 - SSODL: zip - {d7271c50-f95e-4bcc-a587-a6c4cbf764a1} - C:\WINDOWS\Installer\{d7271c50-f95e-4bcc-a587-a6c4cbf764a1}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NDO - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NDO.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: VFAVUTMPMCGVM - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VFAVUTMPMCGVM.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

2) Next is a Trend Micro RootkitBuster log. The 11 entries were removed.


+----------------------------------------------------
| Trend Micro RootkitBuster 1.6 Beta.
| Module version: 1.6.0.1052
+----------------------------------------------------


--== Dump Hidden File on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3klagia
Root : 0
SubKey : 3klagia
ValueName : Type
Data : 1
ValueType : 4
AccessType: 0
FullLength: 0x3c
DataSize : 0x4
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3klagia
Root : 0
SubKey : 3klagia
ValueName : Start
Data : 1
ValueType : 4
AccessType: 0
FullLength: 0x3c
DataSize : 0x4
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3klagia
Root : 0
SubKey : 3klagia
ValueName : ErrorControl
Data : 0
ValueType : 4
AccessType: 0
FullLength: 0x3c
DataSize : 0x4
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3klagia
Root : 0
SubKey : 3klagia
ValueName : ImagePath
Data : \??\C:\WINDOWS\system32\3klagia.dll
ValueType : 2
AccessType: 0
FullLength: 0x3c
DataSize : 0x48
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3klagia
Root : 0
SubKey : 3klagia
ValueName : ExtParamD
Data : A6 0 35 49 C3 AD 7E FA ...
ValueType : 3
AccessType: 0
FullLength: 0x3c
DataSize : 0xa
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3klagia\Security
Root : 0
SubKey : Security
ValueName : Security
Data : 1 0 14 80 90 0 0 0 ...
ValueType : 3
AccessType: 0
FullLength: 0x45
DataSize : 0xa8
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3klagia\Enum
Root : 0
SubKey : Enum
ValueName : 0
Data : Root\LEGACY_3KLAGIA\0000
ValueType : 1
AccessType: 0
FullLength: 0x41
DataSize : 0x32
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3klagia\Enum
Root : 0
SubKey : Enum
ValueName : Count
Data : 1
ValueType : 4
AccessType: 0
FullLength: 0x41
DataSize : 0x4
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\3klagia\Enum
Root : 0
SubKey : Enum
ValueName : NextInstance
Data : 1
ValueType : 4
AccessType: 0
FullLength: 0x41
DataSize : 0x4
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Root : 0
SubKey : 0Jf40
ValueName : khjeh
Data : 20 2 0 0 CE A4 5F 3E ...
ValueType : 3
AccessType: 0
FullLength: 0x46
DataSize : 0x220
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Root : 0
SubKey : 0Jf40
ValueName : hj34z0
Data : BF AC 4D 13 75 B2 63 51 ...
ValueType : 3
AccessType: 0
FullLength: 0x46
DataSize : 0x1a1
11 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

3) Here is a SmitFraudFix log.

SmitFraudFix v2.292

Scan done at 21:43:52.76, Tue 02/19/2008
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{32C0D7DF-7E58-496D-8C5D-5C2A7D588BB9}: DhcpNameServer=85.255.116.152,85.255.112.19
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8689062D-66B2-4C6E-BD81-BA7DAE1DA8D3}: NameServer=85.255.116.152,85.255.112.19
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BA943B4A-ECCE-4C75-B5F1-14B7197E048B}: NameServer=85.255.116.152,85.255.112.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{32C0D7DF-7E58-496D-8C5D-5C2A7D588BB9}: DhcpNameServer=85.255.116.152,85.255.112.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8689062D-66B2-4C6E-BD81-BA7DAE1DA8D3}: NameServer=85.255.116.152,85.255.112.19
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BA943B4A-ECCE-4C75-B5F1-14B7197E048B}: NameServer=85.255.116.152,85.255.112.19
HKLM\SYSTEM\CS2\Services\Tcpip\..\{32C0D7DF-7E58-496D-8C5D-5C2A7D588BB9}: DhcpNameServer=85.255.116.152,85.255.112.19
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8689062D-66B2-4C6E-BD81-BA7DAE1DA8D3}: NameServer=85.255.116.152,85.255.112.19
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BA943B4A-ECCE-4C75-B5F1-14B7197E048B}: NameServer=85.255.116.152,85.255.112.19
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.152 85.255.112.19
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.152 85.255.112.19
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.116.152 85.255.112.19


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

4) And last, here is a Deckard's System Scanner log.
Deckard's System Scanner v20071014.68
Run on 2008-02-19 21:57:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
8: 2008-02-20 02:57:46 UTC - RP155 - Deckard's System Scanner Restore Point
7: 2008-02-20 01:04:06 UTC - RP154 - Installed Ad-Aware 2007
6: 2008-01-26 12:57:07 UTC - RP153 - System Checkpoint
5: 2008-01-11 06:57:09 UTC - RP152 - Installed Java(TM) 6 Update 3
4: 2007-11-22 11:17:49 UTC - RP151 - Installed Mids' Hero Designer


-- First Restore Point --
1: 2007-11-22 11:04:07 UTC - RP148 - Installed Windows XP WIC.


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as .exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:09 PM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\SealedMedia\sealmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\\Desktop\dss.exe
C:\HIJACK~1\.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AtiPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sealmon] C:\Program Files\SealedMedia\sealmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jkdfj94kgdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} - http://inst.c-wss.com/n024p/EN/install/gtdownlr.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.0.69.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1129350461305
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www-307.ibm.com/pc/support/access/aslibmain/content/AcpIR.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://download.srtest.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8689062D-66B2-4C6E-BD81-BA7DAE1DA8D3}: NameServer = 85.255.116.152,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA943B4A-ECCE-4C75-B5F1-14B7197E048B}: NameServer = 85.255.116.152,85.255.112.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.19
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.152 85.255.112.19
O21 - SSODL: ridUpSKF - {00A8002C-AA02-AA86-7F98-7C1849EA02E8} - C:\WINDOWS\system32\oqqfu.dll (file missing)
O21 - SSODL: BootSetup - {97f75a94-ac6e-483d-9d68-6c370cef6379} - C:\WINDOWS\Installer\{97f75a94-ac6e-483d-9d68-6c370cef6379}\BootSetup.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe (file missing)
O23 - Service: NDO - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\NDO.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe (file missing)
O23 - Service: VFAVUTMPMCGVM - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\VFAVUTMPMCGVM.exe (file missing)

--
End of file - 8620 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Shockprf - c:\windows\system32\drivers\shockprf.sys <Not Verified; IBM Corporation; IBM Hard Drive Active Protection System>
R0 vax347b - c:\windows\system32\drivers\vax347b.sys
R0 vax347s - c:\windows\system32\drivers\vax347s.sys
R1 ANC - c:\windows\system32\drivers\anc.sys <Not Verified; IBM Corp.; IBM Access Connections>
R1 IBMTPCHK - c:\windows\system32\drivers\ibmbldid.sys
R1 ShockMgr - c:\windows\system32\drivers\shockmgr.sys <Not Verified; IBM Corporation; IBM Hard Drive Active Protection System>
R1 TPPWR - c:\windows\system32\drivers\tppwr.sys <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>

S1 atitray - c:\ati\new folder\ati tray tools\atitray.sys (file missing)
S3 catchme - c:\docume~1\mikefr~1\locals~1\temp\catchme.sys (file missing)
S3 QCNDISIF - c:\windows\system32\drivers\qcndisif.sys <Not Verified; IBM Corporation.; IBM ThinkPad Utility>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 QCONSVC - system32\qconsvc.exe <Not Verified; IBM Corp.; IBM ThinkPad Utility>
R2 TPHDEXLGSVC (IBM HDD APS Logging Service) - system32\tphdexlg.exe <Not Verified; IBM Corporation; IBM Active Protection System>

S2 ATI Smart - c:\windows\system32\ati2sgag.exe (file missing)
S2 LicCtrlService (LicCtrl Service) - c:\windows\runservice.exe (file missing)
S2 TpKmpSVC (IBM KCU Service) - c:\windows\system32\tpkmpsvc.exe (file missing)
S3 ACS (ACU Configuration Service) - c:\windows\system32\acs.exe (file missing)
S3 NDO - c:\docume~1\admini~1\locals~1\temp\ndo.exe (file missing)
S3 VFAVUTMPMCGVM - c:\docume~1\admini~1\locals~1\temp\vfavutmpmcgvm.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 11a/b/g Wireless LAN Mini PCI Adapter
Device ID: PCI\VEN_168C&DEV_1014&SUBSYS_833117AB&REV_01\4&39A85202&0&10F0
Manufacturer: Atheros Communications Inc
Name: 11a/b/g Wireless LAN Mini PCI Adapter
PNP Device ID: PCI\VEN_168C&DEV_1014&SUBSYS_833117AB&REV_01\4&39A85202&0&10F0
Service: AR5211


-- Scheduled Tasks -------------------------------------------------------------

2005-08-25 01:00:07 362 --a------ C:\WINDOWS\Tasks\BMMTask.job


-- Files created between 2008-01-19 and 2008-02-19 -----------------------------

2008-02-19 21:43:58 3008 --a------ C:\WINDOWS\system32\tmp.reg
2008-02-19 21:43:19 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-02-19 21:43:19 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-02-19 21:43:19 85504 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-02-19 21:43:19 82432 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-02-19 21:43:19 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-02-19 21:43:18 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-02-19 21:43:18 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-02-19 20:30:53 0 d-------- C:\Documents and Settings\\Application Data\Grisoft
2008-02-19 20:04:08 0 d-------- C:\Program Files\Lavasoft
2008-02-19 20:04:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-19 18:13:04 0 d-------- C:\WINDOWS\ERUNT
2008-02-19 13:48:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-19 13:48:19 0 d-------- C:\AVG Anti-Spyware 7.5
2008-02-19 13:43:33 0 d-------- C:\HijackThis
2008-02-19 04:14:56 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2008-02-19 04:11:26 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-02-19 04:11:26 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-02-19 04:11:26 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-02-19 04:11:26 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-02-19 04:11:26 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-02-19 04:11:26 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-02-19 04:11:26 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-02-19 04:11:26 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-02-19 04:11:26 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-02-19 04:11:26 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-02-19 04:11:26 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-02-19 04:11:26 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-02-19 04:11:26 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-02-19 04:11:26 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-02-19 03:10:39 11264 --a------ C:\fbpotbd.exe
2008-02-19 03:10:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\Adobe
2008-02-19 03:10:05 19968 --a------ C:\WINDOWS\system32\pb.exe
2008-02-19 03:10:02 32256 --a------ C:\WINDOWS\system32\kwkx.exe
2008-02-19 03:10:00 35845 --a------ C:\Program Files\tmp4219317.exe
2008-02-19 03:09:59 11403 --a------ C:\WINDOWS\system32\F694518.dll
2008-02-19 03:09:58 48640 --a------ C:\WINDOWS\system32\os1zn2mO7Z.exe
2008-02-19 03:09:58 15872 --a------ C:\Program Files\tmp4217033.exe
2008-02-19 03:09:58 15872 --a------ C:\Program Files\tmp4216963.exe
2008-02-19 03:09:58 98709 --a------ C:\Documents and Settings\LocalService\Application Data\sysdefender.exe
2008-02-19 03:09:57 3584 --a------ C:\uehdrawy.exe
2008-02-19 03:09:54 54764 --a------ C:\WINDOWS\system32\3klagia.dll
2008-02-19 03:09:52 58368 --a------ C:\ftxybq.exe
2008-02-19 03:09:13 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-02-19 03:09:10 32768 --a------ C:\WINDOWS\system32\natmon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-02-19 03:09:07 8 --a------ C:\WINDOWS\system32\11010091
2008-02-06 23:52:10 0 d-------- C:\Documents and Settings\\VASSAL


-- Find3M Report ---------------------------------------------------------------

2008-02-19 13:18:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-19 03:09:25 4096 --ahs---- C:\WINDOWS\system32\8308.dat
2008-02-19 02:00:27 665 --ahs---- C:\WINDOWS\system32\mmf.sys
2008-01-31 23:44:09 0 d-------- C:\Documents and Settings\\Application Data\Adobe
2008-01-24 03:36:08 0 d-------- C:\Program Files\DivX
2008-01-11 01:58:43 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [04/01/2004 09:52 AM]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [08/06/2004 07:27 AM]
"TPKMAPHELPER"="C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe" [02/04/2004 08:39 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [11/08/2004 01:17 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [11/08/2004 01:17 PM]
"BMMGAG"="C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll" [04/20/2005 03:38 AM]
"TpShocks"="TpShocks.exe" [04/05/2005 05:14 PM C:\WINDOWS\system32\TpShocks.exe]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [08/22/2004 04:05 PM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 10:50 AM]
"AtiPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [05/25/2005 08:00 PM]
"sealmon"="C:\Program Files\SealedMedia\sealmon.exe" [12/08/2005 05:35 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02/08/2006 02:03 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/01/2006 03:03 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [02/19/2008 04:14 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"jkdfj94kgdftdf"=C:\WINDOWS\TEMP\winlogan.exe
"Jnskdfmf9eldfd"=C:\WINDOWS\TEMP\csrssc.exe

C:\Documents and Settings\\Start Menu\Programs\Startup\
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [3/17/2005 1:06:14 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 6:44:06 AM]
Microsoft Office OneNote 2003 Quick Launch.lnk - C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE [3/17/2005 1:06:14 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=1 (0x1)
"DisableTaskMgr"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"ridUpSKF"= {00A8002C-AA02-AA86-7F98-7C1849EA02E8} - C:\WINDOWS\system32\oqqfu.dll [ ]
"BootSetup"= {97f75a94-ac6e-483d-9d68-6c370cef6379} - C:\WINDOWS\Installer\{97f75a94-ac6e-483d-9d68-6c370cef6379}\BootSetup.dll [02/19/2008 03:09 AM 14374]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe C:\WINDOWS\shell.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina]
QConGina.dll 03/18/2005 05:07 AM 262144 C:\WINDOWS\system32\QConGina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\LocalService\Local Settings\Application Data\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BLOG]
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\braviax]
braviax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
C:\WINDOWS\system32\wbem\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icasServ]
C:\WINDOWS\system32\icasServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jnskdfmf9eldfd]
C:\DOCUME~1\MIKEFR~1\LOCALS~1\Temp\csrssc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCTray]
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QCWLIcon]
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"




-- Hosts -----------------------------------------------------------------------

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net
10.18.250.4 banners.fastclick.net

47 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-02-19 21:59:40 ------------


Senior Member
20. February 2008 @ 02:06
Excellent candidate for a system recovery!

tammymc
Newbie
20. February 2008 @ 03:34
Hi,

The last known good config is 11:01 PM 2/19/2008. The message comes back: your computer cannot restore restoration 19, restoration incomplete. It is the only block available. I created a new restoration point.

Senior Member
20. February 2008 @ 13:45
Hi,

I didn't mean system restore, I meant system recovery: to reformat and reinstall your operating system. If you have a commercially built PC, such as an HP, there is a recovery partition installed on the HDD. At boot-up you would start tapping the F10 key to start recovery. If your computer is custom built, you will need the Windows XP installation CD. To reformat and reinstall WinXP would only take about 2 hours, and another few hours to update and install your third-party software. On the other hand, trying to remove all the infections or problems showing in your HJT log could take several hours, and then there is no guarantee all the infections would be removed.
