Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

windows\system32\vtst pup detection & winfixer win anti

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

windows\system32\vtst pup detection & winfixer win anti

Unread postby graham.hassall » September 9th, 2005, 7:43 pm

Dear All
I have run adaware se and the PC is clear. The aforementioned PUP has dissappeared but winfixer win antispyware is still causing problems.

Any help gratefully received. I have copied the hijack this log file below.

regards

Graham

Logfile of HijackThis v1.99.1
Scan saved at 23:11:33, on 08/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\HPConfig.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\FlowMatch\5.0-win\pvm3\lib\win32\pvmd3.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\FlowMatch\5.0-win\pvm3\bin\WIN32\hoster.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~2\GAH\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.totalise.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com/notebooks/omnibook/home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vtstq.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [FlowMatch_PVM_AUTO] C:\FlowMatch\5.0-win\pvm3\bin\WIN32\pvmboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/omnibook/home
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5764669171
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D6039B-FBFB-4870-BCEE-3619B9594C17}: NameServer = 80.189.92.2 80.189.94.2
O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\vtstq.dll
O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~2\GAH\LOCALS~1\Temp\CWShredder.exe (file missing)
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\System32\HPConfig.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
graham.hassall
Active Member
 
Posts: 5
Joined: September 9th, 2005, 7:31 pm
Location: UK
Advertisement
Register to Remove

Unread postby markkhunt » September 9th, 2005, 7:49 pm

Hi, Graham. Welcome to MWR.

I'm looking at your log now and will be back with you as quickly as possible. If you have any questions at all during the process, please do not hesitate to ask.
User avatar
markkhunt
Admin/Teacher Emeritus
 
Posts: 7911
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

Unread postby markkhunt » September 9th, 2005, 11:07 pm

Hi, Graham. I will have you start your computer in Safe Mode later in the fix, which will prevent you from accessing the Internet, so you'll either want to print these instructions or save them to a file for reference.

Please go to Start => Run and type Services.msc then click OK. Scroll down and find the service called CWShredder Service. When you find it, double-click on it. In the next window that opens, if the Service Status shows Started, please click the Stop button, then make sure that Startup Type is set to Disabled. Now, hit Apply, then OK, and close the Services windows. If you cannot find the service listed, that's OK. Just continue with the rest of the fix.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously. I recommend that you remove the Viewpoint products; however, the choice is up to you.

To remove the Viewpoint products, please go to Add/Remove Programs in the Windows Control Panel and select to remove the following (if listed):
Viewpoint
Viewpoint Manager
Viewpoint Media Player


Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this
    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:
    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.
  • At this point please type the following file path (make sure to enter it exactly as below!):

      C:\WINDOWS\system32\vtstq.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:
    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.
  • At this point please type the following file path (make sure to enter it exactly as below!):

      C:\WINDOWS\system32\qtstv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • Check the box next to each of these items to have them fixed. If something isn't there, please continue with the next item in the list:

      O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\vtstq.dll
      O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
      O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\vtstq.dll
      O23 - Service: CWShredder Service - Unknown owner - C:\DOCUME~2\GAH\LOCALS~1\Temp\CWShredder.exe (file missing)
  • If you chose to remove the Viewpoint Products, please check the box next to each of these items also:

      O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
      O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
      O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
      O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
  • You may optionally check the following entries. PowerReg Scheduler is a registration reminder that is used by a number of different companies. It is not needed and many people think that it reports back to the company about your computer, so I recommend fixing them:
      O4 - Startup: PowerReg Scheduler.exe
      O4 - Startup: PowerReg SchedulerV2.exe
  • Click Fix Checked
  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.


If you chose to remove the Viewpoint Products, please use Windows Explorer and delete the folder shown below in red if still present:

C:\Program Files\Viewpoint\

If you chose to have HijackThis fix the PowerReg Schedulers, you will need to search for the files and delete them. Please click Start => Search => All files and folders. In the All or part of the file name: box, please type PowerReg Scheduler and make sure the Look in: box is set to search your C: drive. Now, click Search. If a match is found, they will appear in the right-hand panel. Please delete PowerReg Scheduler.exe and PowerReg SchedulerV2.exe.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
User avatar
markkhunt
Admin/Teacher Emeritus
 
Posts: 7911
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

thanks for the feedback

Unread postby graham.hassall » September 10th, 2005, 6:21 pm

Hi
I will carry out your instructions next week.

Thanks for the advice. I will send the files when I have completed.

regards

Graham
graham.hassall
Active Member
 
Posts: 5
Joined: September 9th, 2005, 7:31 pm
Location: UK

Unread postby markkhunt » September 10th, 2005, 7:38 pm

Hi, Graham.

I will be here. :)
User avatar
markkhunt
Admin/Teacher Emeritus
 
Posts: 7911
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

safe mode problem

Unread postby graham.hassall » September 15th, 2005, 6:53 pm

Hi

I have downloaded vundofix.exe.

I can start pc in safe mode by pressing f8. I am then taken thru the usual log on procedure entering password etc but I am left with a black screen saying across the top that I have xp pro and in the bottom left and right hand corner safe mode. The desktop doesn't come up enabling me to run vundofix.

What should I do

regards

Graham
graham.hassall
Active Member
 
Posts: 5
Joined: September 9th, 2005, 7:31 pm
Location: UK

Unread postby markkhunt » September 16th, 2005, 10:15 am

Hi, Graham. Before we worry about your problem with Safe Mode, I noticed that you’re running HijackThis from a temporary folder. I’m sorry I missed this before. HijackThis creates backups of all the changes we make, so that we can do a restore if something goes wrong. When HijackThis is in a temporary folder, the program and the backups it creates can be easily deleted. I need you to create a new folder (C:\HJT or something similar), move the HijackThis.exe file to this new folder, and run it from there..

Sometimes USB devices attached to your system can prevent you from completely booting into Safe Mode. Do you have any USB devices? If so, please disconnect them and try Safe Mode again. If either your mouse or keyboard is USB, do you have access to ones that are not USB?

If you’re still not successful in getting into Safe Mode, please restart your computer and try selecting Safe Mode with Command Prompt instead. At the command prompt, please type the following commands and hit Enter after each line:

CD C:\DOCUME~1\GAH\Desktop\VundoFix
KillVundo.bat


The VundoFix should start, and you can follow the rest of my previous instructions. If HijackThis does not start automatically, please type the following at the command prompt: (Assuming you called the new folder C:\HJT. If you called the new folder something else, please substitute the correct folder name in the command below.)

CD C:\HJT
HijackThis
User avatar
markkhunt
Admin/Teacher Emeritus
 
Posts: 7911
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

Unread postby graham.hassall » September 17th, 2005, 4:29 pm

Hi Mark
I still couldn't start in safe mode (there are no usb devices connected and it is a laptop) but no worries your instructions for the dos prompts were very clear and everything went well with your instructions I think.

The active scan results didn't detect any problems. (Winfixer seems to have dissappeared)

This is the hijack file. I will add the vundofix.txt to the end.

Thanks for your help

regards

Graham

Logfile of HijackThis v1.99.1
Scan saved at 21:18:00, on 17/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\HPConfig.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Iomega HotBurn\Autolaunch.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\FlowMatch\5.0-win\pvm3\lib\win32\pvmd3.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\FlowMatch\5.0-win\pvm3\bin\WIN32\hoster.exe
C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.totalise.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.hp.com/notebooks/omnibook/home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft

Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} -

c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display

Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CP4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn\Autolaunch.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart

11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP

Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [FlowMatch_PVM_AUTO] C:\FlowMatch\5.0-win\pvm3\bin\WIN32\pvmboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare

software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program

Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com/notebooks/omnibook/home
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation

Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) -

http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://v5.windowsupdate.microsoft.com/v ... te.cab?109

5764669171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) -

http://download.mcafee.com/molbin/share ... cgdmgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{84D6039B-FBFB-4870-BCEE-3619B9594C17}: NameServer =

80.189.92.2 80.189.94.2
O23 - Service: HP Configuration Service (HPConfig) - Hewlett-Packard -

C:\WINDOWS\System32\HPConfig.exe
O23 - Service: Iomega App Services - Iomega Corporation -

C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company -

C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program

files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. -

c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc -

c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc -

C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

vundo file
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 152 'smss.exe'
Threads [156][160][164]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of explorer.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 224 'winlogon.exe'
Killing PID 224 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.
graham.hassall
Active Member
 
Posts: 5
Joined: September 9th, 2005, 7:31 pm
Location: UK

Unread postby markkhunt » September 17th, 2005, 5:29 pm

Hi, Graham. It looks the VundoFix did its job because your last log looks really good. :D

How is the computer running? Are you having any more problems?

Let’s clean out your temporary folders. Please click Start => Run and type cleanmgr in the command box. Select your C: and click OK to scan your system. When the scan has completed, please make sure that Temporary Internet Files, Recycle Bin, and Temporary Files are the only items selected. Click OK, and then click Yes to confirm. If you have more than one user account on the computer, you will need to run cleanmgr from each account to delete all the temporary files.

Let’s also clean out your Prefetch folder. Using Windows Explorer, please navigate to C:\Windows\Prefetch\ and delete everything in the folder. Please delete only the contents of the folder, NOT the Prefetch folder itself.

Viruses, Adware, and Spyware are running rampant, but taking a few simple precautions can prevent many of them. Below I have included a number of recommendations for additional protection to help prevent future malware infections. These few simple steps can stave off the vast majority of spyware problems.

You have already installed the second Service Pack for Windows XP. That's great. I highly recommend you regularly visit the Windows Update site and install all High Priority updates as soon as possible. I cannot stress enough how important this is. If you have not already, you may want to set up your computer to receive updates from Microsoft automatically. For instructions, on enabling automatic updates, visit the Microsoft website.

1) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE Already installed
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

2) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here: http://www.mozilla.org/products/firefox/

3) When you use Internet Explorer, add another level of protection to your browser by blocking certain sites that are known to contain malware. IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. ID-SPYAD may be found here.

4) You already have McAfee's anti-virus package installed. Excellent! For your own protection, please be sure to run it regularly, and to keep it up-to-date.

5) Finally, if you are not already, you should consider maintaining a firewall. Some good free firewalls are ZoneAlarm, Kerio, and Sygate.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
User avatar
markkhunt
Admin/Teacher Emeritus
 
Posts: 7911
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

Unread postby graham.hassall » September 20th, 2005, 4:24 pm

hi mark

I have downloaded ie spyad.

Can I run mozilla without removing ie explore? So that I can try it out.

regards

Graham
graham.hassall
Active Member
 
Posts: 5
Joined: September 9th, 2005, 7:31 pm
Location: UK

Unread postby markkhunt » September 20th, 2005, 7:05 pm

Hi, Graham.

By all means, please give Firefox a try and see how you like it. You can usually run both Internet Explorer and Firefox on the same machine without any conflicts. Websites that use ActiveX components, however, (like Windows Update) may not display properly or work the way they should in Firefox , so you will probably find yourself still using Internet Explorer occasionally. By installing IE-SPYAD, you've added an extra layer of protection. Good choice.
User avatar
markkhunt
Admin/Teacher Emeritus
 
Posts: 7911
Joined: April 15th, 2005, 8:58 pm
Location: Newburgh, IN

Unread postby NonSuch » October 1st, 2005, 3:05 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27211
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 37 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware