Old Hippies Overworking Toaster (Resolved)
#1 hippiemind (Member, 108 posts)
I did an upgrade installation of WinXP Home W/SP2. Everything went smoothly and I have been delighted for the past week "exploring" the new tool.

Somewhere during my travels I must have made the wrong left turn following the paisley sun. :tazz:

All of a sudden I have become infected with some unworldly contamination.

Pop-Ups have invaded me for the first time in my 3 years playing with this computer. Every four to five minutes I get put up to the wall as 10 to 15 Pop-Ups invade with, no doubt, an unjustified mission.

PLEASE HELP me correct what ever it is that I screwed up.

As Always...............upfront I will thank you for your addiction and its incredible product, as the staff here are truly far out.

The Hipster ;) ;) :)

Edited by hippiemind, 21 May 2005 - 08:42 PM.

#2 Kat (Retired Staff, MVP, 19,711 posts)
Hello there and welcome to GeeksToGo!! Please go here and follow the directions for Step 5: Posting a HijackThis log.

Reply to this thread with a copy of your HJT log, and then I will move this thread over to the Malware forum, and help you get your pc cleaned back up! :tazz:

#3 hippiemind (Topic Starter, Member, 108 posts)
The most commonly found pop-up has been something called "Aurora".............seems to be the ring leader.

How do I find this rant again if you are moving to another forum?

And here is another "log" for the fireplace: THANKS KAT

Logfile of HijackThis v1.99.1
Scan saved at 10:22:35 PM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\WINDOWS\system32\jgang.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMAN.EXE
C:\WINDOWS\system32\krnfun.exe
C:\Program Files\Aws\WeatherBug\Weather.exe
c:\windows\system32\vfrfha.exe
C:\WINDOWS\system32\sfmcsp.exe
C:\WINDOWS\system32\krnfun.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\MY DOWNLOADS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteart32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [q74W36T] jgang.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\ScannerU\TBRIDGE\BIN\InstantAccess.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [tqntmih] c:\windows\system32\vfrfha.exe
O4 - HKLM\..\RunOnce: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [Weather] C:\Program Files\Aws\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [krnfun] C:\WINDOWS\system32\krnfun.exe
O4 - HKCU\..\Run: [bwv6RWf7e] sfmcsp.exe
O4 - HKCU\..\RunOnce: [krnfun] C:\WINDOWS\system32\krnfun.exe
O4 - Global Startup: Action Manager 32.lnk = C:\WINDOWS\SYSTEM32\notepad.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0015.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral....s/pmupdate2.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7A3374E-2D30-4C4A-811F-80E6356DEE77}: NameServer = 168.253.8.17 168.253.8.18
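The log above is the first of several HijackThis logs in this thread, and the same few entry types do the work in every one of them: the F2 Shell= line, the Run entries with random names, the BHO DLLs, the O16 DPF downloads and the DNS servers under O17. The script below is added here as an example; it is not part of the thread and not HijackThis code. It runs a first-pass triage over a handful of lines copied from that log. Its severity labels, the name-randomness heuristic, the SEARCH_ALLOW list of hosts and the function names are this example's own assumptions, and the heuristic also trips on some legitimate short names (wscntfy.exe among them), so treat its output as leads to check, not as a verdict.

```python
"""Triage a HijackThis 1.99 log for the entry types that carry persistence.

Added example for this thread; it is neither HijackThis code nor the
procedure used in the replies. The severity labels, the name-randomness
heuristic and the allowlist of search hosts are assumptions of this example.
"""
import re
from collections import Counter

# Assumed: hosts an IE search or start page may legitimately point at.
SEARCH_ALLOW = {"www.microsoft.com", "www.msn.com", "search.msn.com", "www.google.com"}
O4_RUN = re.compile(r"HK\w+\\\.\.\\Run\w*: \[([^\]]+)\] (.*)")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Sample input: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\jgang.exe
C:\WINDOWS\system32\krnfun.exe
c:\windows\system32\vfrfha.exe
C:\WINDOWS\system32\sfmcsp.exe
C:\Program Files\Aws\WeatherBug\Weather.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll
O4 - HKLM\..\Run: [q74W36T] jgang.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tqntmih] c:\windows\system32\vfrfha.exe
O4 - HKCU\..\Run: [bwv6RWf7e] sfmcsp.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0015.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7A3374E-2D30-4C4A-811F-80E6356DEE77}: NameServer = 168.253.8.17 168.253.8.18
"""


def looks_random(name):
    """Alphanumeric token of 6+ chars that mixes digits and letters or has
    almost no vowels (q74W36T, vfrfha). Trips on some legitimate names too."""
    if not re.fullmatch(r"[A-Za-z0-9]{6,}", name):
        return False
    letters = [c for c in name if c.isalpha()]
    vowels = sum(c.lower() in "aeiou" for c in letters)
    return any(c.isdigit() for c in name) or vowels / max(len(letters), 1) < 0.2


def triage(log_text):
    """Return (severity, reason, line) for each entry worth a second look."""
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False            # the process list ends at the blank line
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            stem = line.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                findings.append(("MEDIUM", "random-named process", line))
            continue
        kind, _, rest = line.partition(" - ")
        if kind == "F2" and "Shell=" in rest:
            # system.ini Shell= is mapped to the Winlogon Shell value; anything
            # appended after Explorer.exe is started as part of the shell.
            if rest.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(("HIGH", "Winlogon Shell hijack", line))
        elif kind in ("R0", "R1") and " = " in rest:
            value = rest.split(" = ", 1)[1].strip()
            m = re.match(r"(?:https?://)?([^/\s]+)", value)
            # A local page (blank.htm) is not a redirect; only check URLs.
            if "\\" not in value and m and m.group(1).lower() not in SEARCH_ALLOW:
                findings.append(("MEDIUM", f"search/start page redirected to {m.group(1).lower()}", line))
        elif kind == "O2":
            path = rest.rsplit(" - ", 1)[-1]
            if "(file missing)" in path:
                findings.append(("LOW", "orphaned BHO registration", line))
            elif path.lower().startswith("c:\\windows\\") and path.count("\\") == 2:
                findings.append(("MEDIUM", "BHO DLL dropped directly in %WINDIR%", line))
        elif kind == "O4":
            m = O4_RUN.match(rest)
            if m and looks_random(m.group(1)):
                findings.append(("HIGH", "random-named Run entry", line))
        elif kind == "O16" and rest.rstrip("?").lower().endswith(".exe"):
            findings.append(("HIGH", "ActiveX (DPF) entry delivering a bare executable", line))
        elif kind == "O17":
            ips = ", ".join(IPV4.findall(rest))
            findings.append(("INFO", f"DNS servers {ips}; confirm they belong to your ISP", line))
    return findings


def severity_counts(findings):
    return Counter(sev for sev, _, _ in findings)


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_LOG):
        print(f"[{sev}] {reason}: {line}")
```

The F2 and O4 findings are the ones that matter most for persistence: the Shell= value is loaded at every logon, Safe Mode included, and the Run entries with random names are the droppers' own re-launch points, which is why the replies in this thread deal with those lines first.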

#4 Kat (Retired Staff, MVP, 19,711 posts)
Hello again! I'll leave this thread right here, so you won't have to go looking for it! ;)

You have several nasty infections on that machine hon. Let's take this step by step and get you cleaned up, and then I'll show you how to stay that way! :tazz:

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked.

Reboot your computer normally. Now...

Download CWShredder Here.

After you have it downloaded, reboot into Safe Mode again. Double click CWShredder to open it. Do not click the "Scan" button. Instead, please click I Agree, then Fix and then Next, let it fix everything it asks about.

Reboot normally, and make a reply right here with a copy of the log from Ewido, and a new HijackThis log that you scan and get me AFTER all of the above has been done. That will clean about half of it up for us. After I see the two new logs, I will give you more instructions! ;)

#5 hippiemind (Topic Starter, Member, 108 posts)
I downloaded the first site, but when I tried the nailfix from:
http://www.noidea.us...050515010747824
I get a message that it does not exist. I get the same message whether I click on the link or I C&P it to my address bar.

(BTW......when you say "unzip to the desktop" I can only relate to an accident in grade school..........lol.............I have, although I have seen the term, no idea what "unzip" is, or how to do it.)

Sorry it takes a while to get back to you but I am fighting off legions of invading pop-ups.

#6 hippiemind (Topic Starter, Member, 108 posts)
It is 1:00 AM here in the Rockies..................I will check back in the morn.

#7 Kat (Retired Staff, MVP, 19,711 posts)
How very odd that the link is dead. :tazz: We will just go back to doing this manually!! ;)

You should either print these instructions, or save them to a notepad file on your desktop. (Start>All Programs>Accessories>Notepad)

Please run Notepad and copy the following text into a new file:

@ECHO OFF
REM Change to the Windows folder (/d also switches drive if needed).
cd /d %windir%
REM Ask Nail.exe to remove itself, then stop and delete the SvcProc service.
Nail.exe /FULLREMOVE
REM sc syntax: the space after "start=" is required.
sc config SvcProc start= disabled
sc stop SvcProc
sc delete SvcProc
REM Clear the system, read-only and hidden attributes so del can remove the files.
attrib -s -r -h nail.exe
attrib -s -r -h svcproc.exe
del nail.exe
del svcproc.exe
exit

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".

Next, please reboot your computer in Safe Mode.
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.

Open HijackThis
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Restart your computer

After you have rebooted, run the Ewido program. Then make a reply here with the Ewido log and a new HijackThis log!

#8 hippiemind (Topic Starter, Member, 108 posts)
Good morning Kat,

Here we go................I made the remove.bat file.............went to safe mode and double clicked on it.............Got the message "C:\documents and settings\paul bayha\desktop\remove.bat is not a valid win 32 application"..........

I then went to HJT and clicked on the F2 file.............then did a restart.

I then went to the Ewido folder and found 30+ files. Not finding any that said "log or start", I decided to click on
Ewido ctrl
Ewido control
Ewido networks
The scan had me clean several items which I did. Still not finding a "log" item to click on I did a restart.

I then ran a new HJT log which follows: (at this point in time I am not getting any pop-ups)

Logfile of HijackThis v1.99.1
Scan saved at 7:24:57 AM, on 5/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\MY DOWNLOADS\security suite\ewidoctrl.exe
C:\MY DOWNLOADS\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\jgang.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\Program Files\Aws\WeatherBug\Weather.exe
C:\WINDOWS\system32\sfmcsp.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\MY DOWNLOADS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll (file missing)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [q74W36T] jgang.exe
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\ScannerU\TBRIDGE\BIN\InstantAccess.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\RunOnce: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [Weather] C:\Program Files\Aws\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [krnfun] C:\WINDOWS\system32\krnfun.exe
O4 - HKCU\..\Run: [bwv6RWf7e] sfmcsp.exe
O4 - Global Startup: Action Manager 32.lnk = C:\WINDOWS\SYSTEM32\notepad.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0015.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral....s/pmupdate2.exe
O23 - Service: ewido security suite control - ewido networks - C:\MY DOWNLOADS\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\MY DOWNLOADS\security suite\ewidoguard.exe

#9
hippiemind

hippiemind

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 108 posts
Kat................now an hour later and still no pop-ups...........FAR OUT!!!!!!

What else do I need to do?

#10 Kat (Retired Staff, MVP, 19,711 posts)
ok here we go!
1. Open your task manager by clicking CTRL + ALT + Delete keys at the same time. Locate the following on the processes tab, single left click on each and choose to disable:
jgang.exe
sfmcsp.exe


2. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr51.dll (file missing)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)

O4 - HKLM\..\Run: [q74W36T] jgang.exe
O4 - HKCU\..\Run: [krnfun] C:\WINDOWS\system32\krnfun.exe
O4 - HKCU\..\Run: [bwv6RWf7e] sfmcsp.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupd...ll/aun_0015.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete these folders using Windows Explorer(if present):
C:\WINDOWS\EliteToolBar
Please delete these files using Windows Explorer(if present):
C:\WINDOWS\system32\krnfun.exe
jgang.exe <<do a search for this one, delete where found.
sfmcsp.exe <<do a search for this one, delete where found

After that, Reboot.

3. After you have done the above and rebooted, please post a fresh HJT log here in a reply!
#11 hippiemind (Topic Starter, Member, 108 posts)
Hi Kat..............glad someone knows this computerese.

Dumped Jgang.exe, and sfmcsp.exe.

Went to HJT and fixed all that you mentioned

Found Elite Toolbar and deleted the 2 files in the folder

Tried searches in both the address bar and through "run" for files (system32\krnfun.exe), (jgang.exe), and (sfmcsp.exe)............got messages back on all 3 that said they could not be found.

Maybe I did the search wrong or my entry had the wrong information or format. What should I do?

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 12:13:57 AM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\MY DOWNLOADS\security suite\ewidoctrl.exe
C:\MY DOWNLOADS\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\Program Files\Aws\WeatherBug\Weather.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\MY DOWNLOADS\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4D118E4B-CD57-230C-384B-844848AEFCAA} - C:\WINDOWS\system32\drvi\sswqrhbsdj.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\ScannerU\TBRIDGE\BIN\InstantAccess.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [q74W36T] JGANG.EXE
O4 - HKLM\..\RunOnce: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [Weather] C:\Program Files\Aws\WeatherBug\Weather.exe 1
O4 - Global Startup: Action Manager 32.lnk = C:\WINDOWS\SYSTEM32\notepad.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral....s/pmupdate2.exe
O23 - Service: ewido security suite control - ewido networks - C:\MY DOWNLOADS\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\MY DOWNLOADS\security suite\ewidoguard.exe

#12 hippiemind (Topic Starter, Member, 108 posts)
Hi Kat...........

After I sent you the last post I went to start-search-files and folders.

Was able to delete one file under jgang.exe, and two files under sfmcsp.exe

Under krnfun.exe..............no file could be found.


I then rebooted and here is the new HJT log: (also, can I now delete these folders and files from my recycle bin?)

Logfile of HijackThis v1.99.1
Scan saved at 12:37:04 AM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\MY DOWNLOADS\security suite\ewidoctrl.exe
C:\MY DOWNLOADS\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\Program Files\Aws\WeatherBug\Weather.exe
C:\WINDOWS\system32\wuauclt.exe
C:\MY DOWNLOADS\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4D118E4B-CD57-230C-384B-844848AEFCAA} - C:\WINDOWS\system32\drvi\sswqrhbsdj.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\ScannerU\TBRIDGE\BIN\InstantAccess.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\Run: [q74W36T] JGANG.EXE
O4 - HKLM\..\RunOnce: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [Weather] C:\Program Files\Aws\WeatherBug\Weather.exe 1
O4 - Global Startup: Action Manager 32.lnk = C:\WINDOWS\SYSTEM32\notepad.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral....s/pmupdate2.exe
O23 - Service: ewido security suite control - ewido networks - C:\MY DOWNLOADS\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\MY DOWNLOADS\security suite\ewidoguard.exe

#13 Kat (Retired Staff, MVP, 19,711 posts)
Do you remember where you found the JGANG.exe file? Was it in your system32 folder?? It still is showing up in your log, so I want to use a different method to kill it off. I'm hoping the file path was C:\Windows\System32\JGANG Is that correct??

and yes, PLEASE delete them from your recycle bin! :tazz:

#14 Kat (Retired Staff, MVP, 19,711 posts)
I found it! :tazz:

Here's what we're going to do:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O2 - BHO: (no name) - {4D118E4B-CD57-230C-384B-844848AEFCAA} - C:\WINDOWS\system32\drvi\sswqrhbsdj.dll
O4 - HKLM\..\Run: [q74W36T] JGANG.EXE

Now close all windows other than HiJackThis, then click Fix Checked.

Reboot the computer.

Next, I need you to open Notepad and copy everything in the code box below exactly as it appears and paste it into notepad. Save it to your desktop as File Name: drvi.bat and Save as Type: ALL FILES

REM List the drvi folder recursively, hidden and system files included,
REM write the listing to drvi.txt and open it in Notepad for pasting into a reply.
cd /d "%windir%\system32\drvi"
dir /s /a >drvi.txt
Start notepad drvi.txt
echo %systemroot%
cls

Now, close ALL programs and windows, and double click on the drvi.bat on your desktop. It will do what I need it to, and then open something in Notepad. Please copy everything that comes up in Notepad, and paste it here to me in a reply, along with another HJT log!!

#15 hippiemind (Topic Starter, Member, 108 posts)
Hi Kat.............

Here are the logs: (I opened FRUNLOG as a notepad file and got this)

FirstRunScreens:Start
ProcessInfInstall:File:C:\WINDOWS\OPTIONS\OEMAUDIT.INF: Section=:OneTime:
ProcessInfInstall:Failed to open:C:\WINDOWS\OPTIONS\OEMAUDIT.INF: reRet=105
VcpClose:About to close
VcpClose:About to End
VcpClose:About to Terminate
SpezialGeninstalls:Start
SpezialGeninstalls:Looking for :C:\WINDOWS\OPTIONS\PREDUP.TAG:
Intl:INTL:0:
GetUserInfo:INIT
DoPreInstallWork:Auditmode :0:
PrepareRunonce:Failed to open :C:\WINDOWS\OPTIONS\OEMAUDIT.INF:
ProcessInfInstall:File:C:\WINDOWS\OPTIONS\EndUser.INF: Section=:Options:
ProcessInfInstall:Failed to open:C:\WINDOWS\OPTIONS\EndUser.INF: reRet=105
VcpClose:About to close
VcpClose:About to End
VcpClose:About to Terminate
IsKeyEmpty:Start
Timer:Start OPKRemoveInstalledNetDevice :1917554:
Timer:End OPKRemoveInstalledNetDevice :1917554:
CheckRunonceSetup:Start
IsKeyEmpty:Start
IsKeyEmpty:1) Have :Time zone: :RUNDLL32.EXE SHELL32.DLL,Control_RunDLL TIMEDATE.CPL,,/f:
CheckRunonceSetup:Check for wrapper =
FirstRunScreens:Exit:0



and here is the HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 8:10:08 AM, on 5/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\MY DOWNLOADS\security suite\ewidoctrl.exe
C:\MY DOWNLOADS\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\Common Files\eAcceleration\eanthology.exe
C:\Program Files\Aws\WeatherBug\Weather.exe
C:\WINDOWS\system32\wuauclt.exe
C:\MY DOWNLOADS\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7755FEA5-2921-00C0-BD00-E0C620BD4600} - C:\WINDOWS\system32\drvi\sswqrhbsdj.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WeirdOnTheWeb] "C:\Program Files\WeirdOnTheWeb\WeirdOnTheWeb.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [RegisterDropHandler] C:\Program Files\ScannerU\TBRIDGE\BIN\RegisterDropHandler.exe
O4 - HKLM\..\Run: [InstantAccess] C:\Program Files\ScannerU\TBRIDGE\BIN\InstantAccess.exe /h
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [EanthologyApp] "C:\Program Files\Common Files\eAcceleration\eanthology.exe" /b Startup
O4 - HKLM\..\RunOnce: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus /ro
O4 - HKCU\..\Run: [Weather] C:\Program Files\Aws\WeatherBug\Weather.exe 1
O4 - Global Startup: Action Manager 32.lnk = C:\WINDOWS\SYSTEM32\notepad.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra 'Tools' menuitem: Block This Page - {2F099F5D-7003-4441-82C2-707C7C273FEB} - C:\PROGRA~1\ACCELE~1\StopSign\webcbrowse.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral....s/pmupdate2.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7A3374E-2D30-4C4A-811F-80E6356DEE77}: NameServer = 168.253.8.17 168.253.8.18
O23 - Service: ewido security suite control - ewido networks - C:\MY DOWNLOADS\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\MY DOWNLOADS\security suite\ewidoguard.exe


What's next???????
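Two things in the last few logs are easy to miss by eye: the JGANG.EXE Run entry that was fixed in HijackThis in post #10 came back in posts #11 and #12 before it finally stayed gone, and the BHO at C:\WINDOWS\system32\drvi\sswqrhbsdj.dll reappeared in post #15 under a different CLSID ({4D118E4B-...} became {7755FEA5-...}) with the same DLL behind it. The script below is added here as an example; it is not part of the thread and not HijackThis code. It diffs two consecutive logs keyed on everything except the CLSID, so a re-registered BHO is reported as such rather than as one entry removed and one added, and it reports which of the entries that were "fixed" are still present afterwards. The sample lines are copied from the logs in posts #12 and #15, the fixed list is the two lines from post #14, and the function and key names are this example's own.

```python
"""Diff two consecutive HijackThis logs from the same machine.

Added example for this thread; not HijackThis code. Entries are keyed on
their text with the CLSID masked out, so a BHO that comes back under a new
CLSID for the same DLL is reported as re-registered, not as removed+added.
"""
import re

CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ENTRY = re.compile(r"[RFO]\d+ - ")

# Sample input: lines copied from the logs in posts #12 and #15 above.
BEFORE_LOG = r"""R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {4D118E4B-CD57-230C-384B-844848AEFCAA} - C:\WINDOWS\system32\drvi\sswqrhbsdj.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [q74W36T] JGANG.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\Aws\WeatherBug\Weather.exe 1
O23 - Service: ewido security suite guard - ewido networks - C:\MY DOWNLOADS\security suite\ewidoguard.exe
"""
AFTER_LOG = r"""R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7755FEA5-2921-00C0-BD00-E0C620BD4600} - C:\WINDOWS\system32\drvi\sswqrhbsdj.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\Aws\WeatherBug\Weather.exe 1
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7A3374E-2D30-4C4A-811F-80E6356DEE77}: NameServer = 168.253.8.17 168.253.8.18
O23 - Service: ewido security suite guard - ewido networks - C:\MY DOWNLOADS\security suite\ewidoguard.exe
"""
# The two entries post #14 told the user to fix in HijackThis.
FIXED_IN_HJT = [
    r"O2 - BHO: (no name) - {4D118E4B-CD57-230C-384B-844848AEFCAA} - C:\WINDOWS\system32\drvi\sswqrhbsdj.dll",
    r"O4 - HKLM\..\Run: [q74W36T] JGANG.EXE",
]


def normalize(line):
    """Matching key: case-folded, with any CLSID replaced by a placeholder."""
    return CLSID.sub("{CLSID}", line.strip()).lower()


def entries(log_text):
    """Map normalized key -> original line for every Rn/Fn/On entry in a log."""
    return {normalize(l): l.strip() for l in log_text.splitlines() if ENTRY.match(l.strip())}


def compare(before_text, after_text, fixed_lines=()):
    """Report removed/added/re-registered entries and fixes that did not stick."""
    before, after = entries(before_text), entries(after_text)
    report = {"removed": [], "added": [], "reregistered": [], "survived_fix": []}
    for key, line in before.items():
        if key not in after:
            report["removed"].append(line)
        elif after[key] != line:
            # Same entry type and target, different CLSID: the component
            # was re-registered between the two logs.
            report["reregistered"].append((line, after[key]))
    report["added"] = [line for key, line in after.items() if key not in before]
    # Entries that were fixed in HJT but are present again afterwards.
    report["survived_fix"] = [after[normalize(l)] for l in fixed_lines if normalize(l) in after]
    return report


if __name__ == "__main__":
    for section, items in compare(BEFORE_LOG, AFTER_LOG, FIXED_IN_HJT).items():
        print(f"== {section} ==")
        for item in items:
            print(item if isinstance(item, str) else f"{item[0]}\n  -> {item[1]}")
```

An entry that survives a Fix Checked round is the signal to look for a process or service that is still running and re-writing it, which is the reason the replies in this thread end processes and stop services before fixing registry entries and deleting files. Masking the CLSID also masks the interface GUID in O17 lines; that is harmless for the comparison, since the rest of the line still identifies the adapter's DNS setting.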