Need help please

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by LstCause2, Jul 9, 2006.

  1. LstCause2

    LstCause2 Private E-2

    Hello,

    I've read and have done all 7 steps to the "Read and Run..." post and I have the logs to show you.

    I'm still having a few problems performance-wise and was wondering if you guys could find it for me...

    Thanks in advance

    Jimmy K.
     


  2. LstCause2

    LstCause2 Private E-2

    Plus, my PC will lockup all of the sudden...
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    You are very badly infected with a load of different problems. Exactly what the heck have you been downloading and where have you been surfing? You are what we commonly call a "Malware Collector". This may take a few iterations and possibly some additional scans with other tools.

    The READ & RUN ME specifically requests that you do not run Spybot's Teatimer.

    Now Disable Spybot's TeaTimer
    • Run Spybot and click Mode
    • Select Advanced Mode.
    • Then click Tools and select Resident.
    • Now in the right window pane, uncheck TeaTimer.
    • Also while this is open, in the left column now select IE Tweaks
    • and then in the right pane make sure all the Miscellaneous locks are unchecked.
    • Now quit Spybot!
    Download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winm32.dll once and then click the kill button. After you have killed all of the winm32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLL:
    cfgmngr32.dll

    Next double click on explorer.exe and again click once on each instance of winm32.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLL:
    cfgmngr32.dll

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\e52b8e65.exe
    C:\Documents and Settings\Warren\Local Settings\Application Data\e52b8e65.exe
    C:\PROGRA~1\COMMON~1\MBOLS~1\MCONFI~1.EXE



    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - URLSearchHook: (no name) - {C3CF6243-A580-D85F-A94D-F0EA16B475C7} - (no file)
    F3 - REG:win.ini: load=C:\WINDOWS\svchost.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,jxnknue.exe
    O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\system32\compstuic.dll
    O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00306} - C:\WINDOWS\g135915.dll
    O3 - Toolbar: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [0kg00fu4.dll] RUNDLL32.EXE 0kg00fu4.dll,b 166539
    O4 - HKLM\..\Run: [wrapperouter.exeg] C:\WINDOWS\system32\wrapperouter.exeg
    O4 - HKLM\..\Run: [MONEY2.exe7.exerg] C:\WINDOWS\system32\MONEY2.exe7.exerg
    O4 - HKLM\..\Run: [E3mu] C:\WINDOWS\kmdbxi.exe
    O4 - HKLM\..\Run: [guarnset] C:\WINDOWS\system32\guarnset.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [rpcc] rpcc.exe
    O4 - HKLM\..\Run: [e52b8e65.exe] C:\WINDOWS\system32\e52b8e65.exe
    O4 - HKLM\..\Run: [Manager 006] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\RunServices: [Manager 006] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\RunServicesOnce: [Manager 006] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [jgddxo] C:\WINDOWS\system32\jgddxo.exe
    O4 - HKCU\..\Run: [EQAdvice] "C:\Program Files\EQAdvice\EQAdvice.exe"
    O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
    O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
    O4 - HKCU\..\Run: [5f784bea.exe] C:\Documents and Settings\Warren\Local Settings\Application Data\5f784bea.exe
    O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\system32\0mcamcap.exe
    O4 - HKCU\..\Run: [e52b8e65.exe] C:\Documents and Settings\Warren\Local Settings\Application Data\e52b8e65.exe
    O4 - HKCU\..\Run: [Manager 006 sp] C:\WINDOWS\system32\mpcsvc.exe
    O4 - HKCU\..\Run: [Manager 006] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [Elcghlic] C:\PROGRA~1\COMMON~1\MBOLS~1\MCONFI~1.EXE
    O4 - HKCU\..\Run: [Euls] "C:\DOCUME~1\Warren\MYDOCU~1\ICROSO~1\arpa.exe" -vt ndrv
    O4 - HKCU\..\Run: [E2TakeOut] C:\DOCUME~1\Warren\LOCALS~1\Temp\Temporary Directory 1 for e2takeout.zip\E2TakeOut.exe /finishremoval
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O20 - Winlogon Notify: bt848rom - bt848rom.dll (file missing)
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
    O20 - Winlogon Notify: ksfo - C:\WINDOWS\system32\ksfo.dll (file missing)
    O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\g604lgdq160e.dll (file missing)
    O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now click Start, Run, and enter cmd and click OK! This will open a command prompt window. In the command prompt window enter the below commands each followed by the Enter key.
    del C:\WINDOWS\temp\win*.*
    del C:\WINDOWS\g*.dll
    exit


    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Documents and Settings\Warren\Local Settings\Application Data\e52b8e65.exe
    C:\Documents and Settings\Warren\Local Settings\Application Data\5f784bea.exe
    C:\Documents and Settings\Warren\MYDOCU~1\ICROSO~1\arpa.exe
    C:\Program Files\Common Files\??mbols\m?config.exe
    C:\Program Files\Common Files\svchostsys\sysid.exe
    C:\Program Files\Common Files\svchostsys\svchostsys.exe
    C:\Program Files\EQAdvice\EQAdvice.exe
    C:\fran-forever.exe
    C:\WINDOWS\system32\0kg00fu4.dll
    C:\WINDOWS\system32\0mcamcap.exe
    C:\WINDOWS\system32\adl.exe
    C:\WINDOWS\system32\b2search.exe
    c:\windows\system32\cfgmngr32.dll
    C:\WINDOWS\system32\commsg.exe
    C:\WINDOWS\system32\compstuic.dll
    C:\WINDOWS\system32\dvdplay.dll
    c:\windows\system32\e52b8e65.exe
    C:\WINDOWS\system32\guarnset.exe
    C:\WINDOWS\system32\hmasyff.vxd
    C:\WINDOWS\system32\hncs.exe
    C:\WINDOWS\system32\ijkat2.exe
    C:\WINDOWS\system32\irssyncd.exe
    C:\WINDOWS\system32\jxnknue.exe
    C:\WINDOWS\system32\jgddxo.exe
    c:\windows\system32\key.~
    C:\WINDOWS\system32\ksfo.dll
    C:\WINDOWS\system32\mpcsvc.exe
    C:\WINDOWS\system32\rpcc.exe
    C:\WINDOWS\system32\spoolsv.dll
    C:\WINDOWS\SYSTEM32\winm32.dll
    C:\WINDOWS\system32\wmms.exe
    C:\WINDOWS\system32\wrapperouter.exeg
    C:\WINDOWS\system32\MONEY2.exe7.exerg
    C:\WINDOWS\g135915.dll
    c:\windows\keyboard1.dat
    C:\WINDOWS\kmdbxi.exe
    c:\windows\kwv2.dat
    c:\windows\unstall.exe
    C:\WINDOWS\JUSTIN2.exe
    C:\WINDOWS\svchost.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot, look for the below folders and delete them if found:
    C:\Program Files\EQAdvice
    c:\program files\Zango Programs
    C:\Program Files\Common Files\svchostsys


    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
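As an added example (not part of chaslang's instructions or of any MajorGeeks tool), a small Python triage of HijackThis lines like the ones above: it flags entries whose file is already gone, Winlogon Notify DLLs that must be unloaded from winlogon.exe before their file can be deleted, system binary names living outside system32, and one path registered under several autostart keys. The sample lines are constructed from the log above; the system32-only binary list and the C: install drive are assumptions.

```python
import re
# Constructed sample: lines quoted from the thread above (not a full log)
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {C3CF6243-A580-D85F-A94D-F0EA16B475C7} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Manager 006] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Manager 006] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll
O20 - Winlogon Notify: ksfo - C:\WINDOWS\system32\ksfo.dll (file missing)
"""
# Binaries that live only in %SystemRoot%\system32 on Windows XP (assumes Windows on C:)
SYSTEM32_ONLY = {"svchost.exe", "userinit.exe", "lsass.exe", "services.exe", "spoolsv.exe"}
SYSTEM32_DIR = "c:\\windows\\system32\\"

def command_path(cmd):
    # O4 command line: quoted path followed by arguments, or a bare path ending in .exe
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def triage_line(line):
    # Returns (findings, autostart path the line points at or None)
    m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
    if not m:
        return [], None
    sec, body = m.groups()
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        return [f"{sec}: orphan entry, file already gone; let HJT fix the registry"], None
    if sec == "O20":  # Winlogon Notify DLLs are loaded by winlogon.exe itself
        dll = body.split(" - ", 1)[1]
        return [f"O20: {dll} is loaded in winlogon.exe; kill its threads before deleting"], dll
    m4 = re.match(r"(HK\w+)\\\.\.\\(\w+): \[[^\]]*\] (.*)$", body) if sec == "O4" else None
    if not m4:
        return [], None
    hive, key, cmd = m4.groups()
    path = command_path(cmd)
    name = path.rsplit("\\", 1)[-1].lower()
    if name in SYSTEM32_ONLY and not path.lower().startswith(SYSTEM32_DIR):
        return [f"O4: {name} outside system32 ({path}) via {hive}\\{key}"], path
    return [], path

def triage_log(text):
    # Whole-log pass: a path registered in several autostart keys comes back unless all are removed
    findings, seen = [], {}
    for line in text.splitlines():
        found, path = triage_line(line)
        findings.extend(found)
        if path:
            seen[path.lower()] = seen.get(path.lower(), 0) + 1
    findings += [f"{p} is registered in {n} autostart keys; remove every one or it returns"
                 for p, n in seen.items() if n > 1]
    return findings
```

Running `triage_log(SAMPLE_LOG)` on the constructed lines reports the two orphans, both svchost.exe Run entries, the cfgmngr32.dll Notify DLL, and the fact that C:\WINDOWS\svchost.exe is registered twice.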
     
  4. LstCause2

    LstCause2 Private E-2

    "Now attach a new HJT log and tell me how the steps went. Make sure you tell me how things are working now!"


    "Once you see this screen click on each instance of winm32.dll once and then click the kill button. After you have killed all of the winm32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLL:
    cfgmngr32.dll

    Next double click on explorer.exe and again click once on each instance of winm32.dll and kill it. (If you do not find the dll, just continue on.) Couldn't find this

    Now repeat the above step for the below DLL:
    cfgmngr32.dll" This step was tough because I couldn't find winm32.dll anywhere but I did find 2 or 3 cfgmngr32.dll's running


    Everything else went quite smoothly, I found c:\program files\Zango Programs
    and C:\Program Files\Common Files\svchostsys after the killbox program. Anyway, here is my hijackthis log for you. Thanks A LOT Chas!

    Jimmy K.

    PS- Things seem to be working a little bit faster and more efficiently
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A couple problems from last time are still there:

    O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\system32\compstuic.dll
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll

    Are you sure you fixed these last time? Did Killbox really delete the files?
    Manually look for the below two files yourself and tell me if you still see them. Make sure you EXACTLY match the file names (no substitutes - they must match exactly)

    C:\WINDOWS\system32\compstuic.dll
    C:\WINDOWS\system32\cfgmngr32.dll
     
  6. LstCause2

    LstCause2 Private E-2

    I see both of them and tried your suggested steps from the 2 posts previous to this but they just won't go away.

    After I deleted them, I immediately did another scan and they were there again....I rebooted and they were there again....
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try the process again. It normally works. I have had several people with these same two problem files and this worked just fine. Before you run the below make absolutely sure you have
    - printed instructions to use while offline
    - disconnected from the internet (unplug cable)
    - closed all processes (windows) and killed all protection software that is running

    Now Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance (there could be more than 1) of cfgmngr32.dll once and then click the kill button. After you have killed all of the cfgmngr32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of cfgmngr32.dll and kill it. (If you do not find the dll, just continue on.)


    Now just exit Process Explorer.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {062492AF-392E-479D-BF52-A7A4BCA00307} - C:\WINDOWS\system32\compstuic.dll
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\compstuic.dll
    C:\WINDOWS\system32\cfgmngr32.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    After reboot, look for the below files yourself using Windows Explorer and delete them if found (tell me if they are still found and what happens if you try to delete them):
    C:\WINDOWS\system32\compstuic.dll
    C:\WINDOWS\system32\cfgmngr32.dll


    Now attach a new HJT log and tell me how the steps went.
     
  8. LstCause2

    LstCause2 Private E-2

    After completing all the steps you laid forth, I no longer see those two in my registry...

    I did another Hijackthis scan and saw that after I completed all the steps and rebooted, I got this...

    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll (file missing)

    I have included yet another Hijack log for you to take a look at, please tell me what you think. I very much appreciate what you have done for me.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Have HJT fix the below line and we should be finished removing your malware problems:

    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\system32\cfgmngr32.dll (file missing)

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  10. LstCause2

    LstCause2 Private E-2

    I'm having a problem with something clicking me off my current window. I have McAfee Internet Security Suite 2006 8.0 and I was wondering if it is that program doing it. One click sounds like it's trying to notify me then another click (the one that takes me out of my current window, especially annoying when playing a game) sounds like it's responding to an option the first click gave it.

    I'll be playing a game and that will happen, it doesn't close the program rather it takes me out of it and I'll have to go back into it.

    It is pretty frequent, like every 5-10 minutes or so. I'm suspecting the McAfee program of this but I'm not sure. What will you need from me for you to diagnose this problem?

    Thanks,
    Jimmy K.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why don't you just use MSconfig to disable ALL McAfee Startups and Services and then reboot. Now see if the problem goes away!
     
  12. LstCause2

    LstCause2 Private E-2

    Nope it didn't work....Then I thought it was AIM and it's not that. I even tried to see if it came up on task manager when the clicking started but I didn't find anything. I now have no idea what could possibly have done this. I've done an adware, spyware and virus scan and I've found nothing in each of them. My only guess is that there's some pop-up hidden and then a pop-up blocker kills it requiring my current program to close for a second...It's really irritating me and I have no clues where it's coming from.

    On a different topic, I found a "Internet Explorer Toolbar- Intelligent Explorer" in my Add and Remove Programs list which requires me to download an uninstaller to get rid of it...Any ideas on how I could get this off my PC?

    As always, I am very appreciative of what you have done for me and any advice you give in the future. Thanks ChasLang

    Sincerely,
    Jimmy K.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using the below tool to uninstall it:

    Your Uninstaller! 2006
     
