Old 04-29-2007, 09:04 AM   #1 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 60
OS: Window XP


Pop up problems

Hello..

Recently my computer keeps giving me pop-ups to random sites and causing the computer to run really slow. I've run Ad-Aware, Spybot S&D but it's not really helping...
Please help.

Here is my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:26 PM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\e-Games\tkjighg.exe
C:\WINDOWS\system32\f1e9.exe
C:\WINDOWS\SysSun1\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\SVCH0ST.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MSRundll.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Jpeg Class - {4970DA77-DB06-4EB9-AAB5-77AF0CC77310} - C:\WINDOWS\system32\bf1e.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - C:\WINDOWS\system32\ilfqwgbfctxsj.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [mhsa] C:\DOCUME~1\User\LOCALS~1\Temp\mhso.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\mcsconf.exe
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\User\LOCALS~1\Temp\TIMPLATF0RM.exe
O4 - HKLM\..\Run: [nwizwmgjs] C:\WINDOWS\system32\nwizwmgjs.exe
O4 - HKLM\..\Run: [tkjighg] C:\Program Files\e-Games\tkjighg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ravtask] C:\WINDOWS\system32\SVCH0ST.EXE
O4 - Global Startup: yhlcde.lnk = C:\Program Files\Grisoft\yhlcdef.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Fast Client (fast) - Unknown owner - C:\WINDOWS\system32\f1e9.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Security Machine Manager (WIDETS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Thanks in advance. :)
Wewetan1 is offline  
Old 04-30-2007, 06:59 AM   #2 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 60
OS: Window XP


Re: Pop up problems

uh.... bump?
Wewetan1 is offline  
Old 04-30-2007, 10:15 PM   #3 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: Pop up problems

Hi Wewetan1,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: Jpeg Class - {4970DA77-DB06-4EB9-AAB5-77AF0CC77310} - C:\WINDOWS\system32\bf1e.dll
O2 - BHO: (no name) - {C8AF24A6-3564-4F64-84A3-AA80C88EDD8A} - C:\WINDOWS\system32\ilfqwgbfctxsj.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [mhsa] C:\DOCUME~1\User\LOCALS~1\Temp\mhso.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\mcsconf.exe
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\User\LOCALS~1\Temp\TIMPLATF0RM.exe
O4 - HKLM\..\Run: [nwizwmgjs] C:\WINDOWS\system32\nwizwmgjs.exe
O4 - HKLM\..\Run: [tkjighg] C:\Program Files\e-Games\tkjighg.exe
O4 - HKCU\..\Run: [ravtask] C:\WINDOWS\system32\SVCH0ST.EXE
O4 - Global Startup: yhlcde.lnk = C:\Program Files\Grisoft\yhlcdef.exe
O23 - Service: Fast Client (fast) - Unknown owner - C:\WINDOWS\system32\f1e9.exe
O23 - Service: Security Machine Manager (WIDETS) - Unknown owner - C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please go to Start -> Run and type (or copy and paste) the following lines in the Open field, ONE AT A TIME, then click OK:

sc stop fast

sc delete fast

sc stop WIDETS

sc delete WIDETS



NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Program Files\e-Games\tkjighg.exe
    C:\WINDOWS\system32\f1e9.exe
    C:\WINDOWS\SysSun1\svchost.exe
    C:\WINDOWS\system32\SVCH0ST.EXE
    C:\WINDOWS\system32\MSRundll.exe
    C:\WINDOWS\system32\bf1e.dll
    C:\WINDOWS\system32\ilfqwgbfctxsj.dll
    C:\DOCUME~1\User\LOCALS~1\Temp\mhso.exe
    C:\WINDOWS\cmdbcs.exe
    C:\WINDOWS\mcsconf.exe
    C:\DOCUME~1\User\LOCALS~1\Temp\TIMPLATF0RM.exe
    C:\WINDOWS\system32\nwizwmgjs.exe
    C:\Program Files\Grisoft\yhlcdef.exe
    C:\WINDOWS\SYSTEM32\RUNDLL2KXP.EXE


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Close OTMoveIt.
  • Please post the log from OTMoveIt, located here:

    C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download Dr.Web CureIt and save it to your desktop:

Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the Safe Mode menu item, and then press Enter.

Now scan with Dr.Web CureIt:
  • Double-click the drweb-cureit.exe file. It will then suggest to run an "Express Scan" -- this you should allow.
  • After this (Dr.Web writes "Done" at the bottom left), you click "Options" menu -> "Change settings".
  • Choose the "Scan" tab, uncheck the mark at "Heuristic analysis".
  • Choose the "Actions" tab, and choose "Rename" under all the "Malware" issues. Then click "OK".
  • Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).
  • Click the green arrow at the right, and the scan will start. The first time Dr.Web finds something, you click "Yes to All", and it will after this automatically fix what is found.
  • After the scan, go to the "View" menu -> "Report list".
  • Then go to the "File" menu -> "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv. Copy and paste the contents of the report in your next reply.
  • Close Dr.Web CureIt.
  • REBOOT your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, together with a new HijackThis log and the OTMoveIt log.

Last edited by Sempurna : 04-30-2007 at 10:17 PM.
Sempurna is offline  
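
An added example, not part of the thread and not the helper's own method: a short Python triage pass over HijackThis lines that surfaces four patterns visible in the log above (a system binary name outside system32, a digit-substituted lookalike name, an autorun from a Temp directory, a service with an unknown owner). The `SYSTEM_BINARIES` reference list and the heuristics are assumptions, and the sample lines are copied from the posted log.

```python
import re
from ntpath import basename, dirname  # Windows path rules on any OS

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SysSun1\svchost.exe
O4 - HKLM\..\Run: [upxdnd] C:\DOCUME~1\User\LOCALS~1\Temp\TIMPLATF0RM.exe
O4 - HKCU\..\Run: [ravtask] C:\WINDOWS\system32\SVCH0ST.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Fast Client (fast) - Unknown owner - C:\WINDOWS\system32\f1e9.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Assumed reference list of system binaries and where they normally live.
SYSTEM_BINARIES = {"svchost.exe": r"c:\windows\system32",
                   "ctfmon.exe": r"c:\windows\system32"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.I)
DIGIT_SWAPS = str.maketrans("01", "ol")  # undo 0-for-o and 1-for-l swaps


def triage(line):
    """Return the reasons a HijackThis line deserves a closer look."""
    reasons = []
    match = PATH_RE.search(line)
    if line.startswith("O23") and "Unknown owner" in line:
        reasons.append("service with unknown owner")
    if "(file missing)" in line:
        reasons.append("target file missing")
    if not match:
        return reasons
    path = match.group(0).lower()
    name, folder = basename(path), dirname(path)
    if line.startswith("O4") and "\\temp\\" in path:
        reasons.append("autorun from Temp directory")
    if name in SYSTEM_BINARIES and folder != SYSTEM_BINARIES[name]:
        reasons.append("system binary name in unusual directory")
    elif name not in SYSTEM_BINARIES and name.translate(DIGIT_SWAPS) in SYSTEM_BINARIES:
        reasons.append("digit-substituted lookalike of a system binary")
    return reasons


def triage_log(text):
    """Map each flagged line to its reasons; unflagged lines are omitted."""
    lines = (raw.strip() for raw in text.splitlines())
    return {line: why for line in lines if (why := triage(line))}
```

Hits are leads for an analyst, not verdicts: the WinVNC4 service line in the posted log also reads "Unknown owner" and "(file missing)", yet it is not on the helper's fix list, while entries such as cmdbcs.exe match none of these checks.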
Old 05-01-2007, 01:29 AM   #4 (permalink)
Registered User
 
Join Date: Nov 2004
Posts: 60
OS: Window XP


Re: Pop up problems

Thank you for replying, but I've already reformatted my computer because it's way too slow to operate. =(

But thanks for your help anyway.
Wewetan1 is offline  
Old 05-01-2007, 01:43 AM   #5 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: Pop up problems

You're most welcome.
Sempurna is offline  

All times are GMT -7.