Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Infected with popups and ie keeps crashing


  • Please log in to reply

#16
phat_ox

phat_ox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hi, thanks again.
I have uploaded the file. However i did not find this file: c:\windows\system32\drivers\hjfafebc.sys
  • 0

Advertisements


#17
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
phat ox,

Show Hidden Files
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Reboot into safe mode, and find the following file:

c:\windows\system32\drivers\hjfafebc.sys

Right click on it, and select Send to Compressed (zipped) folder. It will rename the file to hjfafebc.zip.

Reboot into normal mode. Find the zipped file and follow the same steps to submit it to uploadmalware.com.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Thanks,

sari
  • 0

#18
phat_ox

phat_ox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I followed the instruction but still did not find the file: c:\windows\system32\drivers\hjfafebc.sys

I noticed that after i select the show hidden files and folders and click ok, then i went back to check again and it was selected at the do not show hidden files and folders.


Access IBM
Access IBM Message Center
Access IBM Tools
Adobe Reader 7.0.8
Adobe® Photoshop® Album Starter Edition 3.0
Agere Systems AC'97 Modem
alm
ATI Control Panel
ATI Display Driver
ATI HydraVision
avast! Antivirus
AviSynth 2.5
BitLord 1.1
Boingo Wireless
Bonus Pack Documentation
CIC Sign-it EX for Acrobat
Digicert Backup Local Module 1.7
Digicert Signing Module Borang B 1.0
ewido anti-spyware 4.0
Exl-Plan Micro
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
IBM Access Connections
IBM Rapid Restore PC Setup
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Presentation Director
IBM TrackPoint Accessibility Features
IBM TrackPoint Support
iPalm
J2SE Runtime Environment 5.0 Update 4
Java 2 SDK, SE v1.4.2_08
K-Lite Mega Codec Pack 1.56
Lotus Notes
Lotus NotesSQL 2.06 driver
Lotus SmartSuite - English
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Microsoft Windows Journal Viewer
MSN Messenger 7.5
Palm Conduit Support for COM
palmOne
PalmSource Package Installer 1.5
Panda ActiveScan
PC-Doctor for Windows
PPP over Ethernet Protocol 0.98
PRUlink Quote Foreign Ver 1.1
PRUlink Quote Foreign Ver 2.0
PRUlink Quote II Ver 4.4
PRUlink Quote II Ver 4.5
PRUquote
Pruquote Par Relaunch - 24 July 2006
SafeCast Shared Components
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
SigmaTel MSCN Audio Player
SpywareBlaster v3.5.1
Tango Manager
ThinkPad FullScreen Magnifier
ThinkPad Power Management Driver
ThinkPad Software Installer
tmnet streamyx
TopSync(1.81)-Server(3.11)-PalmClient(3.19)
TPNala Wallpaper
TrojanHunter 4.6
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Wintime USB Tablet Driver
WinZip
WL630USB Wireless B/G USB Adapter
XP Themes
Yahoo! Messenger
  • 0

#19
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
phat ox,

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Boot into safe mode.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

c:\windows\system32\drivers\hjfafebc.sys

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab, can you locate that file and right click it then choose Send To then Compressed (zipped) folder) this will add a second folder to the desktop named requested-files[Date/Time].zip.

Reboot into normal mode, and upload the requested-files[Date/Time].zip to uploadmalware.com.

You can then delete the requested-files.cab file and the requested-files.zip file from your desktop.

Thanks,

sari
  • 0

#20
phat_ox

phat_ox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Ok, i uploaded the zip file. Mmm, i forgot to mention about you though...Is that ok??
  • 0

#21
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
phat ox,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {00014B58-338A-45F2-81E2-6A86F27399B7} - C:\PROGRA~1\INTERN~1\PLUGINS\cfg.dll
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Please delete these files using Windows Explorer(if present):

C:\PROGRAM FILES\INTERNET EXPLORER\PLUGINS\cfg.dll
C:\WINDOWS\system32\drivers\pcmmup.sys

After that, Reboot.

Let me see a new hijackthis log and let me know how things are running.

Thanks,

sari
  • 0

#22
phat_ox

phat_ox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I'm still getting popups.
I followed your instrudtions but these lines are still here,
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll (file missing)
Also, i can't seem to delete this: C:\WINDOWS\system32\drivers\pcmmup.sys
After i delete i double check and it was back again.
Here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 9:52:05 AM, on 20/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Boingo\WENGINE\wmonitor.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\Svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prupartne...y/src/login.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C23854C6-9633-4176-B531-D7EC730B39B7}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boingo Monitor Service (BoingoMonitor) - Boingo Wireless, Inc. - C:\Program Files\Boingo\WENGINE\wmonitor.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe
  • 0

#23
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
phat ox,

Let's see if those files are truly missing. I want you to see if you can upload them for analysis, and then we'll fix those entries in safemode.

Please go here to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\WINDOWS\system32\usersrd.dll
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
Repeat these steps for these 2 files:

C:\WINDOWS\system32\amvda.dll
C:\Program Files\Common Files\CPUSH\cpush.dll

Now I want you to get some more information about some services, and we'll try a different way to delete everything that's bad on your pc.

Please go here:
http://www.billsway.com/vbspage/

Scroll down the page
and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

Please enter this:

pcmmup

Click OK, it will disappear and won't look as if it's doing anything. When it's done searching, a prompt will come up saying how many instances it found. Click OK, and a notepad will open up. Please copy the contents of that notepad and paste it here.

Please repeat the above steps for this:

hjfafebc

When I get that information, I'll post a fix to delete these items.

Thanks,

sari
  • 0

#24
phat_ox

phat_ox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Can't upload these files. Seems like their missing.
C:\WINDOWS\system32\usersrd.dll
C:\WINDOWS\system32\amvda.dll

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "pcmmup" 24/10/2006 7:59:52 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\pcmmup]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\pcmmup]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PCMMUP]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PCMMUP\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PCMMUP\0000]
"Service"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PCMMUP\0000]
"DeviceDesc"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PCMMUP\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PCMMUP\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PCMMUP\0000\Control]
"ActiveService"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pcmmup]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pcmmup]
"DisplayName"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pcmmup\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pcmmup\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\pcmmup\Enum]
"0"="Root\\LEGACY_PCMMUP\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\pcmmup]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\pcmmup]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_PCMMUP]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_PCMMUP\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_PCMMUP\0000]
"Service"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_PCMMUP\0000]
"DeviceDesc"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_PCMMUP\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pcmmup]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pcmmup]
"DisplayName"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pcmmup\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pcmmup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pcmmup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCMMUP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCMMUP\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCMMUP\0000]
"Service"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCMMUP\0000]
"DeviceDesc"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCMMUP\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCMMUP\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PCMMUP\0000\Control]
"ActiveService"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmmup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmmup]
"DisplayName"="pcmmup"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmmup\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmmup\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmmup\Enum]
"0"="Root\\LEGACY_PCMMUP\\0000"

[HKEY_USERS\S-1-5-21-70496603-960036739-1783615469-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"005"="pcmmup.sys"

[HKEY_USERS\S-1-5-21-70496603-960036739-1783615469-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\sys]
"a"="C:\\WINDOWS\\system32\\drivers\\pcmmup.sys"


REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "hjfafebc" 24/10/2006 8:06:13 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hjfafebc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hjfafebc]
"DisplayName"="hjfafebc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\hjfafebc]
"DescriptionName"="hjfafebc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hjfafebc]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hjfafebc]
"DisplayName"="hjfafebc"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hjfafebc]
"DescriptionName"="hjfafebc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hjfafebc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hjfafebc]
"DisplayName"="hjfafebc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hjfafebc]
"DescriptionName"="hjfafebc"

[HKEY_USERS\S-1-5-21-70496603-960036739-1783615469-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"002"="hjfafebc.sys"

[HKEY_USERS\S-1-5-21-70496603-960036739-1783615469-1004\Software\Microsoft\Search Assistant\ACMru\5603]
"003"="hjfafebc"
  • 0

#25
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C) and then save it on Notepad. (Do not copy the header where it says CODE):

Files to delete:

C:\WINDOWS\system32\drivers\pcmmup.sys
c:\windows\system32\drivers\hjfafebc.sys

Folders to delete:

C:\Program Files\Common Files\CPUSH

Drivers to unload:

pcmmup
hjfafebc

Programs to launch on reboot:

C:\Tools\HijackThis.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Reboot your computer into SafeMode. You can do this by restarting your computer and tapping the F8 key just before Windows starts to load, until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • Again on reboot, HijackThis will open. When it opens, put a check next to the following items, click Fix Checked, and then close HijackThis.

    O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush.dll
    O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
    O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll (file missing)


  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Thanks,

sari
  • 0

Advertisements


#26
phat_ox

phat_ox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Thsnks again for helping me. Here are the logs.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ygffyneh

*******************

Script file located at: \??\C:\Program Files\vugdbjqm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\drivers\pcmmup.sys deleted successfully.


File c:\windows\system32\drivers\hjfafebc.sys not found!
Deletion of file c:\windows\system32\drivers\hjfafebc.sys failed!

Could not process line:
c:\windows\system32\drivers\hjfafebc.sys
Status: 0xc0000034

Folder C:\Program Files\Common Files\CPUSH deleted successfully.
Driver pcmmup unloaded successfully.
Driver hjfafebc unloaded successfully.
Program C:\Tools\HijackThis.exe successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.


Logfile of HijackThis v1.99.1
Scan saved at 7:14:47 AM, on 27/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Boingo\WENGINE\wmonitor.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\Svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.prupartne...y/src/login.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
O2 - BHO: IEHlprObj Class - {EAACBF9E-4B91-45FF-93ED-B297093951EA} - C:\Program Files\Internet Explorer\PLUGINS\Flash_Player.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C23854C6-9633-4176-B531-D7EC730B39B7}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boingo Monitor Service (BoingoMonitor) - Boingo Wireless, Inc. - C:\Program Files\Boingo\WENGINE\wmonitor.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe
  • 0

#27
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
phat ox,

I'm sorry for my brief disappearance. I had some things at work that kept me very busy and I was sick. It looks like the Avenger took care of almost everything, except for that one entry. Let me know if your popups are gone and post a recent hijackthis log for me, please.

Thanks

sari
  • 0

#28
phat_ox

phat_ox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Thanks. Hope you have recovered.
The popups are still there and everytime i start my laptop a baloon popup saying the firewall is not turned on. However when i click it, it is already on. Im not sure if this has anything to do with the popups.

Logfile of HijackThis v1.99.1
Scan saved at 9:22:07 AM, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Boingo\WENGINE\wmonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\Svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB75963-7031-4F8D-A1DB-3A09040FD332}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C23854C6-9633-4176-B531-D7EC730B39B7}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boingo Monitor Service (BoingoMonitor) - Boingo Wireless, Inc. - C:\Program Files\Boingo\WENGINE\wmonitor.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe
  • 0

#29
sari

sari

    GeekU Admin

  • Administrator
  • 21,803 posts
  • MVP
phat_ox,

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com

* techsupportforum.com

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Thanks,

sari
  • 0

#30
phat_ox

phat_ox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Assurance - 06-11-12 9:14:44.02 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Assurance\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-10-12 to 2006-11-12 ))))))))))))))))))))))))))))))))))


2006-11-08 20:39 2,368 --a------ C:\WINDOWS\system32\SVKP.sys
2006-11-08 20:38 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2006-11-04 23:01 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-10-28 09:39 122,880 --a------ C:\WINDOWS\UnGins.exe
2006-10-19 07:22 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2006-10-17 13:33 6,049,280 --------- C:\WINDOWS\system32\ieframe.dll
2006-10-17 13:33 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 13:33 458,752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-10-17 13:33 180,736 --------- C:\WINDOWS\system32\ieui.dll
2006-10-17 13:05 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 13:01 13,312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:58 61,952 --------- C:\WINDOWS\system32\icardie.dll
2006-10-17 12:58 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 12:57 266,752 --------- C:\WINDOWS\system32\iertutil.dll
2006-10-17 12:27 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-10-16 20:17 249,856 --------- C:\WINDOWS\Setup1.exe
2006-10-12 09:39 89,600 --a------ C:\WINDOWS\system32\drivers\hdusb.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-08 20:40 -------- d-------- C:\Program Files\DAP
2006-11-07 09:39 -------- d-------- C:\Program Files\PRUquote ver 16.3
2006-11-05 17:20 -------- d-------- C:\Program Files\Noiseware Community Edition
2006-11-04 23:15 -------- d-------- C:\Program Files\Internet Explorer
2006-11-04 08:21 -------- d-------- C:\Program Files\Common Files\CPUSH
2006-11-04 08:21 -------- d-------- C:\Program Files\Common Files
2006-11-02 12:18 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-11-02 08:07 -------- d-------- C:\Program Files\Mobipocket.com
2006-11-02 08:07 -------- d-------- C:\Program Files\Common Files\Mobipocket Shared
2006-11-02 01:18 -------- d-------- C:\Program Files\Prulink
2006-11-01 14:39 -------- d-------- C:\Program Files\SpywareBlaster
2006-11-01 10:28 -------- d-------- C:\Program Files\Microsoft Office
2006-11-01 09:50 -------- d---s---- C:\Documents and Settings\Assurance\Application Data\Microsoft
2006-10-28 10:29 -------- d-------- C:\Program Files\Common Files\DataViz
2006-10-28 10:19 -------- d-------- C:\Program Files\palmOne
2006-10-27 16:00 79626 --a------ C:\WINDOWS\system32\MessageServices.exe
2006-10-23 07:53 -------- d-------- C:\Program Files\eRightSoft
2006-10-22 23:02 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-10-22 14:07 -------- d-------- C:\Program Files\Winamp
2006-10-20 23:14 -------- d-------- C:\Documents and Settings\Assurance\Application Data\Adobe
2006-10-17 13:33 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-10-17 13:33 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-10-17 13:33 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-10-17 13:06 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-10-17 13:05 40960 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-10-17 13:05 105984 --a------ C:\WINDOWS\system32\url.dll
2006-10-17 13:04 101376 --a------ C:\WINDOWS\system32\occache.dll
2006-10-17 13:03 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-10-17 13:01 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-10-17 13:01 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-10-17 13:01 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 13:01 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-10-17 13:01 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-10-17 13:00 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 13:00 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-10-17 13:00 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-10-17 12:57 36352 --a------ C:\WINDOWS\system32\imgutil.dll
2006-10-17 12:56 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-10-17 12:28 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-10-17 12:23 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-10-14 14:27 -------- d-------- C:\Program Files\Pruquote
2006-10-14 14:27 -------- d-------- C:\Program Files\Prulink-Fgn
2006-10-12 10:06 74 --a------ C:\WINDOWS\system32\drivers\tdac.sys
2006-10-09 07:11 -------- d-------- C:\Program Files\CNNIC
2006-10-07 20:52 36892 --a------ C:\WINDOWS\bassmod.dll
2006-10-01 11:53 18347 --------- C:\WINDOWS\system32\drivers\ProcServ.sys
2006-10-01 03:44 -------- d-------- C:\Program Files\WinRAR
2006-10-01 03:44 -------- d-------- C:\Documents and Settings\Assurance\Application Data\TrojanHunter
2006-09-30 21:19 14336 --------- C:\WINDOWS\system32\usercrd.dll
2006-09-30 20:51 544 --a------ C:\WINDOWS\system32\nvwrssvd32.dll
2006-09-30 20:51 1008 --a------ C:\WINDOWS\system32\winnvusmb32.dll
2006-09-30 00:18 53248 --a------ C:\WINDOWS\system32\googlebar.dll
2006-09-30 00:13 28672 --a--c--- C:\WINDOWS\system32\drivers\ispvcr.sys__
2006-09-30 00:13 28672 --a------ C:\WINDOWS\system32\drivers\ispvcr.sys
2006-09-30 00:13 28672 --a------ C:\WINDOWS\system32\checknetwork.exe
2006-09-28 10:57 485929 --a------ C:\WINDOWS\system32\msvsxml.dll
2006-09-28 01:01 -------- d-------- C:\Documents and Settings\Assurance\Application Data\Lavasoft
2006-09-26 14:42 -------- d-------- C:\Program Files\coolsign
2006-09-26 14:42 -------- d-------- C:\Program Files\Common Files\UPDATE2
2006-09-25 23:45 666240 --a------ C:\WINDOWS\system32\aswBoot.exe
2006-09-25 23:40 87424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2006-09-25 23:40 85952 --a--c--- C:\WINDOWS\system32\drivers\aswmon.sys
2006-09-25 23:39 36176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2006-09-25 23:39 16352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2006-09-25 23:37 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
2006-09-25 23:37 24560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2006-09-25 22:38 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2006-09-24 18:40 88 --a------ C:\Program Files\autorun.inf
2006-09-24 18:24 328320 --a------ C:\WINDOWS\rjzc072_cns_yassist.exe
2006-09-23 20:26 0 --a--c--- C:\WINDOWS\ef26ev.dll
2006-09-23 20:21 28 --a------ C:\WINDOWS\system32\SystemID.dll
2006-09-23 20:21 20 --a------ C:\WINDOWS\system32\C1C003E6.dll
2006-09-23 20:21 176 --a------ C:\WINDOWS\system32\nvwrseng32.dll
2006-09-17 16:21 57344 --a------ C:\WINDOWS\SSEUninstaller.exe
2006-09-17 16:21 44544 --a------ C:\WINDOWS\system32\Gif89.dll
2006-09-17 16:21 32768 --a------ C:\WINDOWS\system32\ShellLnkSSE.dll
2006-09-17 16:21 -------- d-------- C:\Program Files\AviSynth 2.5
2006-09-13 13:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-06 17:43 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-08-26 21:14 33280 --a------ C:\WINDOWS\system32\HUFFYUV.DLL
2006-08-25 23:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 20:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 17:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 19:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"daemon"="C:\\WINDOWS\\daemon.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"daemon"="C:\\WINDOWS\\daemon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000bd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"hx-1"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WL630USB Wireless B+G Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\WL630USB Wireless B+G Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\WL630USB Wireless B+G Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AZTECH~1\\WL630U~1\\ZDWlan.exe "
"item"="WL630USB Wireless B+G Utility"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Prudential Assurance^Start Menu^Programs^Startup^palmOne Registration.lnk]
"path"="C:\\Documents and Settings\\Prudential Assurance\\Start Menu\\Programs\\Startup\\palmOne Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\palmOne Registration.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\palmOne\\register.exe /remind /language=ENU /PRNM=\"palmOne\""
"item"="palmOne Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\alchem]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="alchem"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\alchem.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3TRAY2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="S3Tray2"
"hkey"="HKLM"
"command"="S3Tray2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SVOHOST"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\SVOHOST.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tp4ex"
"hkey"="HKLM"
"command"="tp4ex.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindUpdates]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinUpdt"
"hkey"="HKLM"
"command"="C:\\Program Files\\WindUpdates\\WinUpdt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"seclogon"=dword:00000002
"SDhelper"=dword:00000002
"LmHosts"=dword:00000002

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\pcmmup
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\ProcServ
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\Services


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061104-094004-423
O9 - Extra button: IE2PDB - {7B79A932-63FD-11D4-AE23-000086534C5C} - C:\Program Files\IE2PDB\IE2PDB.dll (file missing)
backup-20061104-094004-867
O2 - BHO: IEHlprObj Class - {EAACBF9E-4B91-45FF-93ED-B297093951EA} - C:\Program Files\Internet Explorer\PLUGINS\Flash_Player.dll (file missing)
backup-20061027-071015-869
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
backup-20061027-065706-390
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll (file missing)
backup-20061027-065706-157
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
backup-20061027-065706-725
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\CPUSH\cpush0.dll (file missing)
backup-20061020-093600-467
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
backup-20061020-093600-246
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll (file missing)
backup-20061020-093600-520
O2 - BHO: (no name) - {00014B58-338A-45F2-81E2-6A86F27399B7} - C:\PROGRA~1\INTERN~1\PLUGINS\cfg.dll
backup-20061012-100651-297
O2 - BHO: BrowserProxy4 - {BCF4D74B-E6BD-4C8F-83D7-90D6439705B9} - C:\WINDOWS\system32\AlxTbl.dll
backup-20061012-100651-518
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll (file missing)
backup-20061012-100651-928
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
backup-20061011-220909-992
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll (file missing)
backup-20061011-220909-341
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
backup-20061011-020803-760
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll (file missing)
backup-20061011-020803-558
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
backup-20061010-134404-862
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll
backup-20061010-134404-821
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll
backup-20061010-134214-347
O2 - BHO: bingo - {B626AE7E-4F5D-4CD4-B457-D8693015DEFC} - C:\WINDOWS\system32\amvda.dll
backup-20061010-134214-649
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll
backup-20061009-163739-392
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll
backup-20061009-163739-178
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.c...msearch-en.html
backup-20061009-163739-570
R3 - URLSearchHook: SrchHook Class - {EED92A43-CFCE-4548-BD73-B0A405470ED5} - C:\PROGRA~1\CNNIC\Cdn\iesrch.dll
backup-20061009-163739-783
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.c...esearch-en.html
backup-20061009-163034-938
O11 - Options group: [CDNCLIENT] Chinese Navigation
backup-20061009-163034-997
O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
backup-20061009-163033-732
O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
backup-20061009-163033-533
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
backup-20061009-163033-470
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
backup-20061009-163033-988
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll
backup-20061009-163033-394
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
backup-20061009-163033-123
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll
backup-20061009-163033-812
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.c...msearch-en.html
backup-20061009-163033-440
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.c...esearch-en.html
backup-20061007-013448-486
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
backup-20061007-013448-815
O2 - BHO: WMHlprObj Class - {F5824EFB-728A-4726-A5A5-85A68B20EDC3} - C:\PROGRA~1\CNNIC\Cdn\wmhlpr.dll (file missing)
backup-20061007-013448-245
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll (file missing)
backup-20061007-013448-193
O2 - BHO: BrowserProxy4 - {BCF4D74B-E6BD-4C8F-83D7-90D6439705B9} - C:\WINDOWS\system32\AlxTbl.dll
backup-20061007-013448-847
O2 - BHO: (no name) - {707D86CC-0DE3-43D7-B874-F0A3F5E82578} - C:\WINDOWS\system32\asfersife.dll (file missing)
backup-20061007-013448-831
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll
backup-20061007-013448-288
R3 - URLSearchHook: SrchHook Class - {EED92A43-CFCE-4548-BD73-B0A405470ED5} - C:\PROGRA~1\CNNIC\Cdn\iesrch.dll
backup-20061007-013448-198
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
backup-20061007-013448-441
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.c...esearch-en.html
backup-20061007-013448-384
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.c...msearch-en.html
backup-20061007-013447-372
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
backup-20061007-013447-786
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\BMMTask.job

Completion time: 06-11-12 9:16:30.90
C:\ComboFix.txt ... 06-11-12 09:16


Logfile of HijackThis v1.99.1
Scan saved at 9:23:26 AM, on 12/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Boingo\WENGINE\wmonitor.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\Svchost.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitLord\BitLord.exe
C:\PROGRA~1\DAP\DAP.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SYM - {36BF6929-DCBC-4CCD-A620-C5E3BBA77B95} - C:\WINDOWS\system32\usersrd.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB75963-7031-4F8D-A1DB-3A09040FD332}: NameServer = 202.188.0.133 202.188.1.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{C23854C6-9633-4176-B531-D7EC730B39B7}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Boingo Monitor Service (BoingoMonitor) - Boingo Wireless, Inc. - C:\Program Files\Boingo\WENGINE\wmonitor.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP