BSOD: 0x8E error

This is actually a years-old problem that made me change every part of the old computer and buy a new one after everything failed, but I have finally found a place where I hope someone will help me solve it. I started the old computer after a long period of disuse on my desk. The old man keeps throwing up a BSOD with the 0x0000008E and 0x00000050 error messages whenever I use the computer. Sometimes it's displayed instead of the Windows startup logo, sometimes it takes minutes after startup, sometimes hours, and sometimes it doesn't happen at all. I tried a solution for the Rustock rootkit that I found somewhere on this site (the suggestion, not the rootkit), but I couldn't find the malware service. But anyway, here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 20:31:55, on 22.6.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\sistray.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Encarta\Encarta Encyclopedia Premium 2006\Encarta Premium DVD 2006\EDICT.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Microsoft Office\Office\1033\OLFSNT40.EXE
A:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\Administrator\My Documents\page.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internal Exploder
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - (disabled by BHODemon)
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - %SystemRoot%\system32\atmliba.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [TweakMASTER] C:\PROGRA~1\TWEAKM~1\TMTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [E06AXLRD_14487546] "C:\Program Files\Microsoft Encarta\Encarta Encyclopedia Premium 2006\Encarta Premium DVD 2006\EDICT.EXE" -m
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Microsoft Office\Office\1033\OLFSNT40.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Bad Joke - C:\Program Files\Avant Browser\DoNothing.htm
O8 - Extra context menu item: Block all images from this server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Add to blacklist - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4dt3abp.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Open all links on this page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Mark - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4dt3abp.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: http://*.anycracks.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - E:\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Edit: I just ran a scan using my namesake program. The results are attached in CSV format. Thanks in advance for your reply.

Comments

  • Trogan, London, UK
    edited June 2008
    Hello Admiral Norton,

    There are two Anti-Virus programs present (Symantec/Norton and Sophos). This is not a good idea as multiple Anti-Virus programs can conflict and cause problems. Please uninstall one of the Anti-Virus programs from Add/Remove programs.

    I need to see another log from HijackThis.
    • Run Hijackthis.
    • Click on Open the Misc Tools section.
    • Next click on Open uninstall manager.
    • Press the Save list button.
    • Save the file to your desktop, with the default name of uninstall_list
    • Copy & Paste the entire contents of that file in your next post.


    Please post the Uninstall list, along with a new HijackThis log.
  • edited June 2008
    Thanks for your reply. I hope I'm gonna get this computer up to its feet after all these years. I uninstalled Sophos and I also downloaded a newer version of HijackThis. Here is the uninstall list you wanted:

    0.3300
    123 Free Solitaire for Children
    Accent WORD Password Recovery 2.40 beta
    Access Manager 2
    Active Disk
    Ad-Aware SE Personal
    Adobe Flash Player 9 ActiveX
    Adobe Photoshop Elements 3.0
    Adobe Reader 7.0.8
    Alex the Allegator 2
    Alice Law
    Ashampoo PowerUP XP Platinum 2
    Autodesk MapGuide(R) Viewer ActiveX Control Release 6.5
    Avant Browser (remove only)
    AWicons Lite by Lokas Software
    BC-Mod Installer .NET - FINAL Version
    BC-Mod Packager BETA 4.4 - FULL Version
    Borland Delphi 8.0 Architect Edition
    BSPlayer
    Bud Redhead
    BurnInTest v2.3 Standard
    BVE
    Cactus Bruce and the Corporate Monkeys 1.0
    CamMaestro 4.7EU build 21
    Casino Las Vegas
    CheboMan
    ComponentOne Studio Enterprise For Delphi .Net
    CutePDF Writer 2.3
    Desktop Sidebar
    DivX
    DivX Player
    Dreamweaver
    DU Meter
    ElectroServer 3
    EPSON TWAIN 5
    Extended Language Support Fonts Package
    Folder Size Shell Extension v3.2
    Font Fitting Room Deluxe
    FreeMind
    Gadwin PrintScreen
    Game Maker 6.0
    GeoGebra 2.6b
    GetRight
    Glace
    GLOBEtrotter FLEXid Drivers
    Google Earth
    GWD Text Editor
    Harry Potter and the Prisoner of Azkaban(TM)
    HHD Software Free Hex Editor 3.12
    HijackThis 2.0.2
    HP Imaging Device Functions 5.3
    HP Photosmart 330,380,420,470,7800,8000,8200 Series
    HP Photosmart Cameras 3.5
    HyperCam
    HyperCam 2
    ICQ Toolbar
    ICQ 5
    Icy Tower v1.2 (44kHz)
    IngenMoney Pro 3.0
    Intel(R) 845G Chipset Graphics Driver Software
    IomegaWare 4.0.2
    J2SE Development Kit 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2_01
    Java 2 Runtime Environment, SE v1.4.2_05
    KC Softwares AudioGrail
    Kerio Personal Firewall
    LandRouse Steering Wheel
    Learn to Play Bridge
    LEGO Digital Designer
    LeoCAD
    Lernout & Hauspie TruVoice for Microsoft Agent
    Light Driver
    LingvoSoft Talking Dictionary 2006 (English<->Lithuanian) for Windows
    LiveUpdate 1.80 (Symantec Corporation)
    Macromedia Captivate
    Macromedia Director MX 2004
    Macromedia Extension Manager
    Macromedia Fireworks 8
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Macromedia Flash MX 2004
    Macromedia FlashPaper 2
    Macromedia FreeHand MXa
    Macromedia Shockwave Player
    MDM Flash Studio PRO v2 Trial
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework SDK (English) 1.1
    Microsoft Agent 1.5
    Microsoft Baseline Security Analyzer 1.2.1
    Microsoft Encarta Premium 2006 DVD
    Microsoft Internet Explorer 6 SP1
    Microsoft Office 2000 Premium
    Microsoft Text-to-Speech Engine 4.0 (English)
    Microsoft Visual J# .NET Redistributable Package 1.1
    Microsoft Visual Studio 6.0 Enterprise Edition
    Microsoft VM for Java
    Microsoft Web Publishing Wizard 1.53
    MilkShape 3D 1.7.5
    Monaco Gold Casino
    MSDN Library - July 1999
    Mystery Case Files - Prime Suspects (remove only)
    Nero Suite
    NetBeans IDE 4.1
    OE-QuoteFix
    OpenOffice.org 1.9.79
    Optimizeit Profiler for the Microsoft .NET Framework 1.1
    Outlook Express Q823353
    Outlook-QuoteFix
    PasswordService Recovery Suite (DEMO)
    PowerDVD
    PPP over Ethernet Protocol 0.98
    Prefa
    QuickTime
    Real Alternative 1.27
    Reg Organizer
    RiftSpace
    RoboHelp Office X5
    RoboInfo Publisher 5.0
    RoboSource Control
    Santa Claus in Trouble
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896426)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB912919)
    Sentinel System Driver
    Shockwave
    SigmaTel AC97 Audio Drivers
    SiS 651
    SkinStudio Free
    SmartUSB56 Voice Modem
    Social Security Benefit Calculator
    Sothink SWF Decompiler
    Split File Shell Extension v3.1b
    Spybot - Search & Destroy 1.4
    SST Programming Software
    Star Trek Bridge Commander
    Star Trek Bridge Commander Demo
    Star Trek Elite Force II - Einzelspieler-Demo
    Star Trek Trivia v1.5
    StarLogin
    Symantec AntiVirus Client
    Systweak BoostXP 2
    Tactical display Editor
    T-Com Antidialer
    Terragen
    The Sims
    TuneUp Utilities 2006
    TweakMASTER
    Tweakui Powertoy for Windows XP
    UIFriend
    Uinstall Aze Bar
    Update for Windows XP (KB898461)
    VB Decompiler Lite 2.2
    VeryPDF PDF2Word v2.0
    Visio Professional and Technical
    VP-EYE Uninstall
    VP-Hotline
    WebEye
    Winamp (remove only)
    Windows Installer 3.1 (KB893803)
    Windows Installer 3.1 (KB893803)
    Windows Media Player Hotfix [See wm828026 for more information]
    Windows XP Hotfix - KB823182
    Windows XP Hotfix - KB825119
    Windows XP Hotfix - KB826939
    Windows XP Hotfix - KB828035
    Windows XP Hotfix - KB828741
    Windows XP Hotfix - KB833987
    Windows XP Hotfix - KB834707
    Windows XP Hotfix - KB835732
    Windows XP Hotfix - KB840987
    Windows XP Hotfix - KB841356
    Windows XP Hotfix - KB841533
    Windows XP Hotfix - KB842773
    Windows XP Hotfix - KB867282
    Windows XP Hotfix - KB871250
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB873376
    Windows XP Hotfix - KB873377
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888162
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB889293
    Windows XP Hotfix - KB890047
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891711
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB892944
    Windows XP Hotfix - KB893066
    Windows XP Hotfix - KB893086
    WinRAR archiver
    Wise Owl Demeanor for .NET, Personal Edition
    Wonderland v1.15
    Word Key 7.9 Demo
    XrX Logo Utility Version 2.6.2.1

    ...and the new HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:23:56, on 24.6.2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Microsoft Encarta\Encarta Encyclopedia Premium 2006\Encarta Premium DVD 2006\EDICT.EXE
    C:\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\WINDOWS\explorer.exe
    A:\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\Administrator\My Documents\page.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internal Exploder
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - (disabled by BHODemon)
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
    O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - %SystemRoot%\system32\atmliba.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [TweakMASTER] C:\PROGRA~1\TWEAKM~1\TMTray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [E06AXLRD_14487546] "C:\Program Files\Microsoft Encarta\Encarta Encyclopedia Premium 2006\Encarta Premium DVD 2006\EDICT.EXE" -m
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Microsoft Office\Office\1033\OLFSNT40.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
    O8 - Extra context menu item: Bad Joke - C:\Program Files\Avant Browser\DoNothing.htm
    O8 - Extra context menu item: Block all images from this server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Add to blacklist - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4dt3abp.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Open all links on this page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Mark - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4dt3abp.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O15 - Trusted Zone: http://*.anycracks.com
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
    O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - (no file)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - E:\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe (file missing)
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
    O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Administrator\My Documents\director\projects\Mišica Anica\bezveze\hippyballon-ad2.htm
    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\director\projects\Mišica Anica\bezveze\bozicbox.htm
    O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Administrator\My Documents\flash\jedino što radi\hippy-ads\hippy-ads.html
    --
    End of file - 10562 bytes
  • Trogan, London, UK
    edited June 2008
    Hi Admiral Norton! Thanks for the logs.

    The computer needs to be updated to SP2 as soon as we have the computer cleaned, but NOT just yet.

    Before we begin, please create a new folder for HijackThis.exe on your Desktop in your C: drive and move HijackThis.exe there. This is so backups have a safe place to reside.

    Also,
    • Open Spybot Search & Destroy
    • Go to the Mode menu, and make sure "Advanced Mode" is selected
    • On the left hand side, choose Tools -> Resident
    • Uncheck "Resident TeaTimer" and OK any prompts
    • Exit SpyBot

    Please do the following...

    1. Click Start > Run > type in appwiz.cpl and hit enter. From the list uninstall the following, if present

    Uinstall Aze Bar

    The following are old and should be updated. You can find updates here:

    Ad-Aware SE Personal
    Spybot - Search & Destroy 1.4
    Adobe Reader 7.0.8


    2. Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement."
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
      • J2SE Development Kit 5.0 Update 6
      • J2SE Runtime Environment 5.0 Update 6
      • Java 2 Runtime Environment, SE v1.4.2_01
      • Java 2 Runtime Environment, SE v1.4.2_05
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
    3. Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

    O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - %SystemRoot%\system32\atmliba.dll (file missing)


    (Unless you set these with an anti-spyware program like Spybot's Immunize feature, or a System Administrator set them, have HijackThis fix these.)
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O15 - Trusted Zone: http://*.anycracks.com

    O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - (no file)


    - Close ALL open windows (especially Internet Explorer!)
    - Click Fix Checked
    Close HijackThis

    4. Please post a new HijackThis log.
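The entries the helper picks out above follow a few recognisable patterns: an autostart or BHO entry whose file is gone, an overridden Internet Explorer Local Page, policy restrictions under HKCU\Software\Policies, and a site added to the Trusted Zone. The script below is an added example (not HijackThis code and not the helper's own procedure) that writes those patterns down as review rules and runs them over a constructed sample made of the lines quoted in this thread plus a few benign ones. Everything it does not flag is still left for a human to look at; the default Local Page value it compares against is the Windows XP default as assumed here.

```python
"""Rule-based triage of HijackThis log entries.

Added example for this thread; it is not HijackThis code and not the helper's
own procedure, only the kinds of entries flagged above written down as checks:
references to files that no longer exist, an overridden IE Local Page, IE
policy restrictions and Trusted Zone additions.  Anything else is left
unflagged so a person still reviews it.
"""
import re
from typing import Dict, List, Optional, Tuple

# A HijackThis entry is "<section> - <payload>", e.g. "O2 - BHO: <name> - {CLSID} - <path>".
_ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<payload>.+)$")

# Suffixes HijackThis appends when the file an entry points to is absent.
_ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Assumed default IE Local Page on Windows XP; anything else is an override worth a look.
_DEFAULT_LOCAL_PAGE = r"%SystemRoot%\system32\blank.htm"


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into section code (R0, O2, O15, ...) and payload.

    Header lines and the running-process list are not entries and yield None.
    """
    match = _ENTRY_RE.match(line.strip())
    if match is None:
        return None
    return {"section": match.group("section"), "payload": match.group("payload")}


def triage_entry(entry: Dict[str, str]) -> Optional[str]:
    """Return a reason when the entry should be reviewed, otherwise None."""
    section, payload = entry["section"], entry["payload"]
    if payload.endswith(_ORPHAN_MARKERS):
        return "points at a file that no longer exists (orphaned entry)"
    if section in ("R0", "R1") and "Local Page" in payload:
        value = payload.split("=", 1)[1].strip() if "=" in payload else ""
        if value.lower() != _DEFAULT_LOCAL_PAGE.lower():
            return f"IE Local Page overridden to {value!r}"
    if section == "O6":
        return "IE policy restriction present (keep only if set by an admin or Spybot Immunize)"
    if section == "O15":
        return "site added to the IE Trusted Zone, which relaxes browser security for it"
    return None


def triage_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Run all rules over a log and return (entry, reason) pairs for the hits."""
    hits: List[Tuple[str, str]] = []
    for raw in lines:
        entry = parse_entry(raw)
        if entry is None:
            continue
        reason = triage_entry(entry)
        if reason is not None:
            hits.append((raw.strip(), reason))
    return hits


# Constructed sample: the entries picked out in this thread plus a few benign ones.
SAMPLE_LOG = [
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com",
    r"O2 - BHO: Windows Genuine Tool - {c815ace8-3dbf-4ffd-8231-ab1d21e8b7ee} - %SystemRoot%\system32\atmliba.dll (file missing)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll",
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present",
    r"O15 - Trusted Zone: http://*.anycracks.com",
    r"O21 - SSODL: SysTray.Exgr - {5368D1FC-4F5C-4f1b-B134-E67214FC78E9} - (no file)",
]

if __name__ == "__main__":
    for line, reason in triage_log(SAMPLE_LOG):
        print(f"REVIEW  {line}\n        -> {reason}")
```

Run against the sample, the six entries the helper listed come back flagged and the Spybot BHO, the SoundMan Run entry and the ICQ search page do not; the rules are deliberately narrow, so a clean result from them is not a clean log.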
  • edited June 2008
    I did everything you asked for, except the Aze Bar. When I click on the Remove button in Add/Remove Programs applet, nothing happens. That may be because I had trouble with that Aze Toolbar about two years ago and I manually removed all the malicious EXEs, DLLs and OCXs, but it seems I missed some unimportant data, such as this uninstall reference. Here's the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:04:43, on 25.6.2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\System32\sistray.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft Encarta\Encarta Encyclopedia Premium 2006\Encarta Premium DVD 2006\EDICT.EXE
    C:\WINDOWS\System32\mqtgsvc.exe
    C:\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\Administrator\My Documents\page.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internal Exploder
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - (disabled by BHODemon)
    O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: Idea2 SidebarBrowserMonitor Class - {45AD732C-2CE2-4666-B366-B2214AD57A49} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - C:\PROGRA~1\TWEAKM~1\TweakBHO.dll
    O2 - BHO: Encarta Web Companion Helper Object - {955BE0B8-BC85-4CAF-856E-8E0D8B610560} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
    O4 - HKLM\..\Run: [TweakMASTER] C:\PROGRA~1\TWEAKM~1\TMTray.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [E06AXLRD_14487546] "C:\Program Files\Microsoft Encarta\Encarta Encyclopedia Premium 2006\Encarta Premium DVD 2006\EDICT.EXE" -m
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Microsoft Office\Office\1033\OLFSNT40.EXE
    O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
    O8 - Extra context menu item: Add to &LinkFox - res://C:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
    O8 - Extra context menu item: Bad Joke - C:\Program Files\Avant Browser\DoNothing.htm
    O8 - Extra context menu item: Block all images from this server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
    O8 - Extra context menu item: Add to blacklist - C:\Program Files\Avant Browser\AddToADBlackList.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4dt3abp.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O8 - Extra context menu item: Open all links on this page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
    O8 - Extra context menu item: Mark - C:\Program Files\Avant Browser\Highlight.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O8 - Extra context menu item: Subscribe in Desktop Sidebar - res://C:\Program Files\Desktop Sidebar\sbhelp.dll/menuhandler.html
    O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
    O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\e4dt3abp.default\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\Program Files\Desktop Sidebar\sbhelp.dll
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - E:\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe (file missing)
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
    O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Administrator\My Documents\director\projects\Mišica Anica\bezveze\hippyballon-ad2.htm
    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\Administrator\My Documents\director\projects\Mišica Anica\bezveze\bozicbox.htm
    O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Administrator\My Documents\flash\jedino što radi\hippy-ads\hippy-ads.html
    --
    End of file - 10587 bytes
  • TroganTrogan London, UK
    edited June 2008
    Hi,

    Please create a new Folder on your Desktop, and move HijackThis.exe into it.

    Please do the following...

    1. Open HijackThis
    • Click on Open the Misc Tools section
    • Click on Open Uninstall Manager
    • Select Uinstall Aze Bar and press Delete this entry
    2. Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    3. Please post the log from Malwarebytes Anti-Malware

    Also, please tell me if you know what these files are?

    C:\Documents and Settings\Administrator\My Documents\director\projects\Mišica Anica\bezveze\hippyballon-ad2.htm
    C:\Documents and Settings\Administrator\My Documents\director\projects\Mišica Anica\bezveze\bozicbox.htm
    C:\Documents and Settings\Administrator\My Documents\flash\jedino što radi\hippy-ads\hippy-ads.html
  • edited June 2008
    It took a while to complete the scan without the computer BSODing. Actually, every time the program found two infected files right at the beginning and then crashed at about the 25-30,000th file. After a few times, I let it find the viruses and then aborted the scan. After that I ran the scan again and it didn't BSOD at that point (it locked up at about 250,000 files). I finally got it finished today. Because of this problem I have two logs now. As for the three files, these are just some of my Flash experiments, harmless Active Desktop things.

    First log:

    Malwarebytes' Anti-Malware 1.18
    Database version: 870
    21:39:27 25.6.2008
    mbam-log-6-25-2008 (21-39-27).txt
    Scan type: Full Scan (C:\|)
    Objects scanned: 11750
    Time elapsed: 3 minute(s), 23 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{90c61707
    -c8f8-43db-a25c-c1f4b18ee41e} (Spyware.Comet.Cursor) -> Quarantined and deleted
    successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{edc4193f
    -34ad-4d07-aa87-e3fdb89e3e76} (Spyware.Comet.Cursor) -> Quarantined and deleted
    successfully.
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)

    Second log:

    Malwarebytes' Anti-Malware 1.18
    Database version: 870
    19:22:49 26.6.2008
    mbam-log-6-26-2008 (19-22-49).txt
    Scan type: Full Scan (C:\|)
    Objects scanned: 309344
    Time elapsed: 2 hour(s), 3 minute(s), 5 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\Program Files\WinRAR\Default.SFX (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Star Trek\Bridge Commander\sfx\Explosions\explo_large_01.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\Casino Las Vegas setup.exe (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\explorer.opt (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
  • TroganTrogan London, UK
    edited June 2008
    Hi Admiral,

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK
    • Now under select a target to scan, select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button:
    • Change Save as type: to Text file
    • Save this as Kaspersky scan to your Desktop
    • Post the Kaspersky report back here, along with a new HijackThis log.
    Also, let me know if the BSOD's continue.
      • edited June 2008
        There is a tiny problem here, Trogan: I can't connect my old computer to the Internet. My computer's network card is broken. I had a dial-up account for the old computer only, but I gave it up after I bought the new computer, the one I'm writing on right now. Up to now I've used a memory stick and a diskette to install your antivirus programs and send you HijackThis logs. Also, I've worked today on this computer for a longer stretch of time and it didn't BSOD yet. :)
      • TroganTrogan London, UK
        edited June 2008
        Hi,
        Trogan wrote:
        ...Also, please tell me if you know what these files are?

        C:\Documents and Settings\Administrator\My Documents\director\projects\Mišica Anica\bezveze\hippyballon-ad2.htm
        C:\Documents and Settings\Administrator\My Documents\director\projects\Mišica Anica\bezveze\bozicbox.htm
        C:\Documents and Settings\Administrator\My Documents\flash\jedino što radi\hippy-ads\hippy-ads.html
        You didn't answer the above question. Please let me know about the files.
        There is a tiny problem here, Trogan: I can't connect my old computer to the Internet. My computer's network card is broken. I had a dial-up account for the old computer only, but I gave it up after I bought the new computer, the one I'm writing on right now. Up to now I've used a memory stick and a diskette to install your antivirus programs and send you HijackThis logs. Also, I've worked today on this computer for a longer stretch of time and it didn't BSOD yet. :)
        That's good to hear. I don't see any other malware present in your logs.
      • edited June 2008
        Hi. Thanks for all your efforts and sorry if I caused you any problems.
        Trogan wrote:
        You didn't answer the above question. Please let me know about the files.

        These files are just some of my home-made Macromedia Flash and Shockwave experiments with Active Desktop. Just some cubes spinning and similar stuff. I checked the files and everything's fine.
        Trogan wrote:
        That's good to hear. I don't see any other malware present in your logs.

        I hope it holds up. I'll run a few antispyware scans and let you know if anything is found or the BSOD occurs again. I'll watch this page for a few more days if you have any more scans to run. One more time, thanks for your efforts.
      • TroganTrogan London, UK
        edited June 2008
        I don't see any current need to download and run more scans. I hope things have settled down, but let me know. :)
      • TroganTrogan London, UK
        edited June 2008
        Hi Admiral,

        Something I would like you to do that may help for future use please.
        • Navigate to the C:\Windows\Minidump folder.
          • If the Minidump folder exists, open it.
        • Select the most recent file, which will look like the following
          • minidump(date-somenumber).dmp, where "date-somenumber" matches dates of any recent crashes.
        • Please attach the file here using the "Management Attachment" button.

        Thanks!
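The minidump the helper asks for is useful because its header records the stop code and the four parameters shown on the blue screen (0x8E and 0x50 in this thread), so whoever receives it can tie a dump to a crash before loading it in a debugger. The script below is an added example, not code from the thread, from Microsoft or from any debugger. It assumes the public DUMP_HEADER32 / DUMP_HEADER64 layout (signature "PAGE", validation tag "DUMP" or "DU64", BugCheckCode at offset 0x28 or 0x38 followed by the parameters), picks the newest *.dmp in a folder the way the instructions above describe, and reads only the header. The file names and parameter values it writes are constructed for the demo.

```python
"""Reading the stop code out of a Windows minidump header.

Added example for this thread; it is not code from the thread, from
Microsoft or from any debugger.  It assumes the public DUMP_HEADER32 /
DUMP_HEADER64 layout: the file starts with the signature "PAGE" and the
validation tag "DUMP" (32-bit) or "DU64" (64-bit); BugCheckCode sits at
offset 0x28 (32-bit) or 0x38 (64-bit) and is followed by the four bugcheck
parameters.  Those are the numbers printed on the blue screen.
File names and parameter values below are constructed for the demo.
"""
import os
import struct
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# validation tag -> (offset of BugCheckCode, struct format for code + 4 parameters)
_LAYOUT = {
    b"DUMP": (0x28, "<IIIII"),      # ULONG code, 4 x ULONG parameters
    b"DU64": (0x38, "<I4xQQQQ"),    # ULONG code, pad to 0x40, 4 x ULONG64 parameters
}

# A few well-known stop codes; 0x8E and 0x50 are the two reported in this thread.
BUGCHECK_NAMES = {
    0x0A: "IRQL_NOT_LESS_OR_EQUAL",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x7B: "INACCESSIBLE_BOOT_DEVICE",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
}


def bugcheck_name(code: int) -> str:
    return BUGCHECK_NAMES.get(code, f"UNKNOWN_0x{code:08X}")


def parse_dump_header(data: bytes) -> Optional[Dict]:
    """Return bitness, stop code, name and parameters, or None if this is not a dump."""
    if len(data) < 0x60 or data[:4] != b"PAGE" or data[4:8] not in _LAYOUT:
        return None
    offset, fmt = _LAYOUT[data[4:8]]
    code, *params = struct.unpack_from(fmt, data, offset)
    return {
        "bits": 32 if data[4:8] == b"DUMP" else 64,
        "code": code,
        "name": bugcheck_name(code),
        "params": tuple(params),
    }


def read_bugcheck(path) -> Optional[Dict]:
    """Read only the header page of a .dmp file and parse it."""
    with open(path, "rb") as fh:
        return parse_dump_header(fh.read(0x1000))


def newest_minidump(folder) -> Optional[Path]:
    """The most recently modified *.dmp in a folder, i.e. the dump for the latest crash."""
    dumps = sorted(Path(folder).glob("*.dmp"), key=lambda p: p.stat().st_mtime)
    return dumps[-1] if dumps else None


def build_sample_dump(code: int, params: Tuple[int, int, int, int], bits: int = 32) -> bytes:
    """Constructed header page carrying only signature, tag, stop code and parameters."""
    tag = b"DUMP" if bits == 32 else b"DU64"
    offset, fmt = _LAYOUT[tag]
    page = bytearray(0x1000)            # real headers fill a page; other fields left zero here
    page[0:4], page[4:8] = b"PAGE", tag
    struct.pack_into(fmt, page, offset, code, *params)
    return bytes(page)


def demo() -> Dict:
    """Write two constructed dumps, pick the newest and report its stop code."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        older = folder / "Mini062208-01.dmp"     # constructed names in the XP MiniMMDDYY-NN style
        newer = folder / "Mini062508-01.dmp"
        older.write_bytes(build_sample_dump(0x50, (0xE1234000, 0, 0, 0)))
        newer.write_bytes(build_sample_dump(0x8E, (0xC0000005, 0, 0, 0)))
        os.utime(older, (1_000_000, 1_000_000))  # force a clear mtime ordering
        os.utime(newer, (1_000_100, 1_000_100))
        return read_bugcheck(newest_minidump(folder))


if __name__ == "__main__":
    result = demo()
    print(f"Stop 0x{result['code']:08X} ({result['name']}), parameters {result['params']}")
```

Reading the header tells you which stop code and parameters the dump belongs to; working out the faulting driver still needs the full dump loaded in a debugger with symbols, which is why the helper asks for the file itself rather than the numbers.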
      • edited July 2008
        Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you. This topic is now closed.

        Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

        If you are not the user who started this thread, you must start your own Thread instead :)