
Thread: Help please!!! - Split from other user's thread

  1. #1
    Join Date
    May 2007
    Posts
    24

    Help please!!!

    Hey Guys,

    Great site, glad I found it. Here are my problems. In the last couple of weeks I have been getting a lot of pop-up IE ads while using Firefox. At the time I was using a Google toolbar to block pop-ups and had Ad-Aware, Spybot Search & Destroy, and Symantec AntiVirus up and running. I have done the following to try and stop the problem. I have installed the latest editions of Ad-Aware, Spybot S&D, and my virus scanner. I ran all of these programs, which picked up lots, but I'm still having the pop-ups. After that I installed RegCure and XoftSpySE; they picked up lots again, but still did not solve the problem. Pop-ups are still running. The worst thing happening now is that I sometimes get a blue screen when I use Windows Explorer, and services.exe has occupied 99% to 100% CPU many times.

    I have also noticed a couple of processes in Task Manager that I can't find any information on: mUhta.exe, mUiexec.exe, s?ervices.exe and j0vaw.exe. I ran HijackThis a couple of times and fixed the obvious bad things, but the situation seems to be getting worse, with the blue screen and 100% CPU time. Here is a copy of my latest HJT log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 1:07:49 PM, on 5/7/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\ibmpmsvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\CDProxyServ.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\QCONSVC.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\WINNT\system32\RunDll32.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\WINNT\system32\USBMonit.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\PROGRA~1\SSEMBL~1\chkntfs.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Southwest Airlines\Ding\Ding.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\ScanSoft\PaperPort\Pplinks.exe
    C:\WINNT\system32\taskmgr.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\VPC32.EXE
    C:\Documents and Settings\bingw.BINGO\My Documents\My Download Files\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
    O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
    O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
    O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
    O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINNT\system32\USBMonit.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Awoa] "C:\PROGRA~1\SSEMBL~1\chkntfs.exe" -vt yazb
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: SmartUI.lnk = C:\Program Files\ScanSoft\PaperPort\PopUp\SmartUI.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O15 - Trusted Zone: http://www.icbc.com.cn
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?Link...04&clcid=0x409
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.com/downloads/DownloadPhotos.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://apps.losangeles.auctionsoluti...all/isetup.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://connect.valleycrest.com/dana...erSetupSP1.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\system32\browseui.dll
    O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
    O23 - Service: webMethods Broker Monitor 6.0 (ActiveWorksBrokerMonitor_3.0) - Unknown owner - C:\Program Files\webMethods6\Broker\bin\awbrokermon.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINNT\CDProxyServ.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: QCONSVC - Unknown owner - C:\WINNT\System32\QCONSVC.EXE
    O23 - Service: webMethods Broker Server 6.0, port 6849 (webMethodsBroker_6.0_6849) - Unknown owner - C:\Program Files\webMethods6\Broker\bin\awbroker.exe

    --
    End of file - 9529 bytes

    Please take a look and give me some remedies. I appreciate your help!!!

  2. #2
    Join Date
    Aug 2006
    Posts
    578


    Quote Originally Posted by bingo:
    Please take a look and give me some remedies. I appreciate your help!!!
    I split you into your own thread - less confusion that way

    It looks like you have some issues as well as the Sony DRM Rootkit on your machine.
    Please have a look at the linky below and follow the steps to obtain a fresh HijackThis Scanlog using HJT v1.99.1, a Kaspersky Online Scanlog and an AVG Anti-Spyware Scanlog and please submit them for us.

    -- Be sure to rename HijackThis.exe as outlined in the link. You may have some VUNDO and it likes to hide from HJT.


    I am quite busy these days, so please hang in there until Judy can have a look at the logs.

    Best Luck
    PP
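As an added illustration (not part of the thread and not any poster's advice), here is a small Python script that parses HijackThis-style log lines and flags the two kinds of indicator discussed above: the $sys$ cloaking prefix that PP identifies as the Sony DRM rootkit, and a process name that is a one-character variation of a core Windows binary, like the s?ervices.exe the original poster saw. The sample log is constructed, modelled on the one posted above.

```python
import re

# Constructed sample in HijackThis log format, modelled on the log posted in the thread:
# $sys$ paths are the Sony XCP (First 4 Internet) cloaking markers, and s?ervices.exe
# stands in for the lookalike process name the original poster reported.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\system32\services.exe
C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
C:\WINNT\system32\s?ervices.exe

O23 - Service: Plug and Play Device Manager ($sys$DRMServer) - First 4 Internet Ltd - C:\WINNT\system32\$sys$filesystem\$sys$DRMServer.exe
"""
# Every file the XCP driver hides from directory listings starts with $sys$.
SYS_PREFIX = re.compile(r"\$sys\$", re.IGNORECASE)
# Core Windows binaries whose names malware commonly imitates (assumed list).
SYSTEM_BINARIES = {"services.exe", "lsass.exe", "winlogon.exe", "smss.exe", "svchost.exe"}

def edit_distance_one(a, b):
    # True when a and b differ by exactly one inserted, deleted or replaced character.
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip the extra char in the longer string, or both chars on a substitution
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) == 1

def parse_hjt(text):
    # Yield (section, line): 'process' for the running-process list, else the O-tag (e.g. 'O23').
    section = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.lower() == "running processes:":
            section = "process"
            continue
        m = re.match(r"^([RFO]\d+)\s+-\s+", line)
        if m:
            section = m.group(1)
        if section:
            yield section, line

def find_indicators(text):
    # Return (reason, line) pairs a helper would want to look at first.
    findings = []
    for section, line in parse_hjt(text):
        if SYS_PREFIX.search(line):
            findings.append(("sony_xcp_cloak_prefix", line))
        if section == "process":
            name = line.rsplit("\\", 1)[-1].lower()
            for known in SYSTEM_BINARIES:
                if edit_distance_one(name, known):
                    findings.append(("lookalike_of_" + known, line))
    return findings
```

The genuine C:\WINNT\system32\services.exe is not flagged, because an exact match to a known name is not a lookalike; only the $sys$ entries and the one-character variant are reported.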

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Please follow the steps given in the link that PhilliePhan has given you, and I must STRESS: HiJackThis is NOT a fix tool, it is a tool used to scan the computer. Yes, "some" fixes MIGHT finally be made using HJT, but usually later, AFTER other tools are used. Please don't use it for fixing unless advised to do so.
    What is the FULL message you get when you get the Blue Screen?
    Please don't download any other tools unless advised to do so...
    These are the ones you need, and you need to use them in the manner described in PhilliePhan's link:
    HJT v1.99.1...renamed according to instructions on PP's link
    AVG Anti-spy
    do an online Kaspersky scan.
    Post back here with all of those logs AFTER following his instructions.
    Judy

  4. #4
    Join Date
    May 2007
    Posts
    24

    Thanks PP!!!

    Thank you so much PP! I'll follow your slecn procedures and post a new log once I finish my homework.

    Bingo


    Quote Originally Posted by PhilliePhan:
    I split you into your own thread - less confusion that way

    It looks like you have some issues as well as the Sony DRM Rootkit on your machine.
    Please have a look at the linky below and follow the steps to obtain a fresh HijackThis Scanlog using HJT v1.99.1, a Kaspersky Online Scanlog and an AVG Anti-Spyware Scanlog and please submit them for us.

    -- Be sure to rename HijackThis.exe as outlined in the link. You may have some VUNDO and it likes to hide from HJT.


    I am quite busy these days, so please hang in there until Judy can have a look at the logs.

    Best Luck
    PP

  5. #5
    Join Date
    May 2007
    Posts
    24

    Thanks Judy!!!

    Hi Judy,

    Thank you for your kind help!

    I'm on biz travel with limited internet access. I'll post my new log for your review once I get back home.

    Bingo

    Quote Originally Posted by jholland1964:
    Please follow the steps given in the link that PhilliePhan has given you, and I must STRESS: HiJackThis is NOT a fix tool, it is a tool used to scan the computer. Yes, "some" fixes MIGHT finally be made using HJT, but usually later, AFTER other tools are used. Please don't use it for fixing unless advised to do so.
    What is the FULL message you get when you get the Blue Screen?
    Please don't download any other tools unless advised to do so...
    These are the ones you need, and you need to use them in the manner described in PhilliePhan's link:
    HJT v1.99.1...renamed according to instructions on PP's link
    AVG Anti-spy
    do an online Kaspersky scan.
    Post back here with all of those logs AFTER following his instructions.
    Judy

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    We will be waiting for your results.
    Judy

  7. #7
    Join Date
    May 2007
    Posts
    24

    Please help to review the logs

    Hi Judy and PP,

    Thanks for your patience! Here is what I did following PhilliePhan's steps:

    1. I found the following items that I am not familiar with in "Add or Remove Programs":

    BroadJump Client Foundation
    Catia(TM) Importer
    CGM Importer
    ConfigSafe
    IGES&VDA Importer
    Inventor Importer
    ISO Importer
    JT Importer
    MAAoapInst
    msxmlinst
    OuterInfo
    RAW Importer
    SDRC Importer
    Sentinel System Drive
    Shockwave
    STL Importer
    Support.com Software
    TDS Importer

    2. Ran Microsoft Windows Malicious Software Removal Tool, and no malicious software was found.

    3. Ran Kaspersky Online Virus Scanner. Viruses found, but the online version doesn't offer a CLEAN function. Please review the scan log.

    4. Ran ATF-Cleaner.exe in safe mode.

    5. Scanned all files with AVG Anti-Spyware 7.5 in safe mode, and clicked "Apply all actions" after the scan finished. Please review the attached report. Because Windows Defender doesn't support Windows 2000 any more, I haven't run a Windows Defender scan.

    6. Ran HiJackThis v1.99.1 after renaming the exe file to analyze.exe. Scan log file attached.

    After the above activity, when I restart Windows in normal mode, the CPU usage is still very high at the beginning (it's very slow when I try to run HJT and open the Task Manager). There is an avgas.exe in the processes window, and I'm not sure if it's a bad one. While I was typing this message, I experienced 99%+ CPU occupied by services.exe 2 times, and the computer hung.

    I forget what the blue screen said because it goes to restart the computer soon after. After running RegCure many times, until all the problems are fixed when the computer is started, I haven't got a blue screen again.

    Please let me know what I should do next.

    Thank you!!!

    Bingo

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Are you the only user of this computer?

  9. #9
    Join Date
    May 2007
    Posts
    24
    Yes. But I had an old user ID set up on this computer.

    Quote Originally Posted by jholland1964:
    Are you the only user of this computer?

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Quote Originally Posted by bingo:
    Yes. But I had an old user ID set up on this computer.
    Then that may be where these programs you don't recognize have come from...the old user ID...is this a used computer?
