Thread: Pop up problems
04-30-2007, 10:15 PM   #3
Sempurna
Analyst, Security Team
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: Pop up problems

Hi Wewetan1,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: Jpeg Class - {4970DA77-DB06-4EB9-AAB5-77AF0CC77310} - C:\WINDOWS\system32\bf1e.dll
O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - C:\WINDOWS\system32\ilfqwgbfctxsj.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mhsa] C:\DOCUME~1\User\LOCALS~1\Temp\mhso.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\mcsconf.exe
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\User\LOCALS~1\Temp\TIMPLATF0RM.exe
O4 - HKLM\..\Run: [nwizwmgjs] C:\WINDOWS\system32\nwizwmgjs.exe
O4 - HKLM\..\Run: [tkjighg] C:\Program Files\e-Games\tkjighg.exe
O4 - HKCU\..\Run: [ravtask] C:\WINDOWS\system32\SVCH0ST.EXE
O4 - Global Startup: yhlcde.lnk = C:\Program Files\Grisoft\yhlcdef.exe
O23 - Service: Fast Client (fast) - Unknown owner - C:\WINDOWS\system32\f1e9.exe
O23 - Service: Security Machine Manager (WIDETS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please go to Start -> Run and type (or copy and paste) the following lines in the Open field, ONE AT A TIME, then click OK:

sc stop fast

sc delete fast

sc stop WIDETS

sc delete WIDETS



NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\e-Games\tkjighg.exe
    C:\WINDOWS\system32\f1e9.exe
    C:\WINDOWS\SysSun1\svchost.exe
    C:\WINDOWS\system32\SVCH0ST.EXE
    C:\WINDOWS\system32\MSRundll.exe
    C:\WINDOWS\system32\bf1e.dll
    C:\WINDOWS\system32\ilfqwgbfctxsj.dll
    C:\DOCUME~1\User\LOCALS~1\Temp\mhso.exe
    C:\WINDOWS\cmdbcs.exe
    C:\WINDOWS\mcsconf.exe
    C:\DOCUME~1\User\LOCALS~1\Temp\TIMPLATF0RM.exe
    C:\WINDOWS\system32\nwizwmgjs.exe
    C:\Program Files\Grisoft\yhlcdef.exe
    C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download Dr.Web CureIt and save it to your desktop.

Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the Safe Mode menu item, and then press Enter.

Now scan with Dr.Web CureIt:
  • Double-click the drweb-cureit.exe file. It will then suggest running an "Express Scan" -- you should allow this.
  • After this (Dr.Web writes "Done" at the bottom left), click the "Options" menu -> "Change settings".
  • Choose the "Scan" tab and uncheck "Heuristic analysis".
  • Choose the "Actions" tab, and choose "Rename" under all the "Malware" issues. Then click "OK".
  • Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).
  • Click the green arrow at the right, and the scan will start. The first time Dr.Web finds something, click "Yes to All"; after this it will automatically fix what is found.
  • After the scan, go to the "View" menu -> "Report list".
  • Then go to the "File" menu -> "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv. Copy and paste the contents of the report in your next reply.
  • Close Dr.Web CureIt.
  • REBOOT your computer!! Files that are in use may only be moved/deleted during the reboot.

After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, together with a new HijackThis log and the OTMoveIt log.
__________________

Keep this forum alive - if you've been helped at this forum, please do consider a donation. Thank you for your support.


Last edited by Sempurna; 04-30-2007 at 10:17 PM.
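As an added illustration (not part of Sempurna's post, and not HijackThis or OTMoveIt code), here is a small Python triage helper that parses the O2/O4/O23 line shapes quoted above and flags the red flags the helper acted on: a BHO with no name, an autorun launched from a Temp folder, a look-alike of a system binary name such as SVCH0ST.EXE, and a service with an unknown owner or a missing binary. The regexes, rule names and the sample log are my own constructions; the sample reuses entries from the post plus one benign entry for contrast.

```python
import re

# Shapes of the HijackThis lines quoted in the post (regexes are mine, not HijackThis code):
# "O2 - BHO: Name - {CLSID} - path", "O4 - HKLM\..\Run: [name] command",
# "O23 - Service: Display (short) - Owner - path [(file missing)]".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: .+? \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<path>.+)$")

# Windows binaries whose names malware imitates with look-alike digits (SVCH0ST.EXE = svchost with a zero).
SYSTEM_NAMES = {"svchost.exe", "rundll32.exe", "lsass.exe", "explorer.exe"}
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "5": "s"})

def exe_name(cmd):
    # Lower-cased file name of the executable or DLL in a command line or path.
    m = re.match(r"(.*?\.(?:exe|dll))\b", cmd, re.I)
    path = m.group(1) if m else cmd.split(" ")[0]
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_reasons(line):
    # Red flags a triager would raise for one HijackThis line ([] if none).
    reasons = []
    if (m := O2_RE.match(line)) and m["name"].lower() == "(no name)":
        reasons.append("BHO registered without a name")
    elif m := O4_RE.match(line):
        name, cmd = exe_name(m["cmd"]), m["cmd"].lower()
        if name not in SYSTEM_NAMES and name.translate(DIGIT_TO_LETTER) in SYSTEM_NAMES:
            reasons.append(f"look-alike of system binary {name.translate(DIGIT_TO_LETTER)}")
        if "\\temp\\" in cmd or "\\locals~1\\" in cmd:
            reasons.append("autorun launched from a Temp folder")
    elif m := O23_RE.match(line):
        if m["owner"].lower() == "unknown owner":
            reasons.append("service with unknown owner")
        if "(file missing)" in m["path"].lower():
            reasons.append("service binary missing on disk")
    return reasons

def triage(log_text):
    # Map each flagged log line to its reasons; clean and blank lines are dropped.
    return {ln.strip(): r for ln in log_text.splitlines() if (r := suspicious_reasons(ln.strip()))}

# Constructed sample: entries quoted in the post plus one benign entry for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - C:\WINDOWS\system32\ilfqwgbfctxsj.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mhsa] C:\DOCUME~1\User\LOCALS~1\Temp\mhso.exe
O4 - HKCU\..\Run: [ravtask] C:\WINDOWS\system32\SVCH0ST.EXE
O4 - HKLM\..\Run: [benign] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Security Machine Manager (WIDETS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE (file missing)
"""
```

Running `triage(SAMPLE_LOG)` flags four of the six sample lines; the KernelFaultCheck and ctfmon entries pass because nothing in their command line matches a rule.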