New HijackThis log for your attention please

Post by Janet Perkins » April 29th, 2007, 11:20 am

Logfile of HijackThis v1.99.1
Scan saved at 16:10:05, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\WINDOWS\System32\khooker.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\etMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB002" /M "Stylus C66"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [etMonitor] C:\WINDOWS\etMon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\xtahpdbk.dll",realset
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Janet\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/c ... /xt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Janet Perkins
Active Member
 
Posts: 7
Joined: April 29th, 2007, 11:15 am

Post by beynac » April 29th, 2007, 12:27 pm

Hi Janet.

Welcome to MalWare Removal! I'm looking through your log now, and will post back very shortly.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Post by beynac » April 29th, 2007, 12:55 pm

Hi Janet.

VundoFix

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will create a report named vundofix.txt on your main drive (C:\vundofix.txt)
Note: It is possible that VundoFix may encounter a file it cannot remove.
In this case, VundoFix will run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

-------------------------------------------------------------------

Please post, as a reply to this thread:
  • The VundoFix report (C:\vundofix.txt)
  • A new HijackThis log
Please also let me know what problems you are having with the computer.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Post by Janet Perkins » May 1st, 2007, 6:05 pm

Hi beynac.

Thanks for your help. I've run VundoFix (log below).
One of my twin nieces has managed to click on a link sent to them via MSN and got a virus on this machine. It kept locking things up, bringing up new advert web pages when you clicked on hyperlinks etc. I ran a full AVG scan and let it heal what it found, also ran Spybot and Adaware the same, but it's still bringing up new web windows with adverts in and the occasional virus is still being picked up by AVG resident shield, usually things like a.exe or p.exe in the temp folder. After VundoFix finished I had a system popup saying: Error loading C:\WINDOWS\system32\xtahpdbk.dll Specified module could not be found. So something is still there trying to invoke this driver, no?

Anyway here's the log files, Cheers.



VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 22:00:13 01/05/2007

Listing files found while scanning....

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtttrq.dll
C:\WINDOWS\system32\awtttrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\awvts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxvutr.dll
C:\WINDOWS\system32\byxvutr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxvwur.dll
C:\WINDOWS\system32\byxvwur.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxxxwv.dll
C:\WINDOWS\system32\byxxxwv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxxxww.dll
C:\WINDOWS\system32\byxxxww.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxxxyx.dll
C:\WINDOWS\system32\byxxxyx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxuvst.dll
C:\WINDOWS\system32\cbxuvst.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxwuss.dll
C:\WINDOWS\system32\cbxwuss.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbxwxyx.dll
C:\WINDOWS\system32\cbxwxyx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcyyyv.dll
C:\WINDOWS\system32\efcyyyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ekdtorur.dll
C:\WINDOWS\system32\ekdtorur.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebxxyy.dll
C:\WINDOWS\system32\gebxxyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggddec.dll
C:\WINDOWS\system32\hggddec.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggfedc.dll
C:\WINDOWS\system32\hggfedc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihmrhnch.dll
C:\WINDOWS\system32\ihmrhnch.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifcdee.dll
C:\WINDOWS\system32\iifcdee.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifebbb.dll
C:\WINDOWS\system32\iifebbb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkighg.dll
C:\WINDOWS\system32\jkkighg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkjkkk.dll
C:\WINDOWS\system32\jkkjkkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkklml.dll
C:\WINDOWS\system32\jkkklml.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kbdphatx.ini
C:\WINDOWS\system32\kbdphatx.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfddda.dll
C:\WINDOWS\system32\khfddda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfghhe.dll
C:\WINDOWS\system32\khfghhe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjhede.dll
C:\WINDOWS\system32\ljjhede.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ljjigff.dll
C:\WINDOWS\system32\ljjigff.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjiggg.dll
C:\WINDOWS\system32\ljjiggg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjiifg.dll
C:\WINDOWS\system32\ljjiifg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjkihh.dll
C:\WINDOWS\system32\ljjkihh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnlmji.dll
C:\WINDOWS\system32\nnnlmji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnmjjj.dll
C:\WINDOWS\system32\nnnmjjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnoopq.dll
C:\WINDOWS\system32\nnnoopq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oktgjceo.dll
C:\WINDOWS\system32\oktgjceo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnkigd.dll
C:\WINDOWS\system32\opnkigd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnolkl.dll
C:\WINDOWS\system32\opnolkl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnoomk.dll
C:\WINDOWS\system32\opnoomk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlljk.dll
C:\WINDOWS\system32\pmnlljk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnlmnl.dll
C:\WINDOWS\system32\pmnlmnl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rgknuuqu.dll
C:\WINDOWS\system32\rgknuuqu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rmhygruv.dll
C:\WINDOWS\system32\rmhygruv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrpmkj.dll
C:\WINDOWS\system32\rqrpmkj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrspom.dll
C:\WINDOWS\system32\rqrspom.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqnoll.dll
C:\WINDOWS\system32\ssqnoll.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqqnmm.dll
C:\WINDOWS\system32\ssqqnmm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqronn.dll
C:\WINDOWS\system32\ssqronn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.bak2
C:\WINDOWS\system32\stvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvwtur.dll
C:\WINDOWS\system32\tuvwtur.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvwtus.dll
C:\WINDOWS\system32\tuvwtus.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tuvwutt.dll
C:\WINDOWS\system32\tuvwutt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqolji.dll
C:\WINDOWS\system32\urqolji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqpomm.dll
C:\WINDOWS\system32\urqpomm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqqrqp.dll
C:\WINDOWS\system32\urqqrqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuspqo.dll
C:\WINDOWS\system32\vtuspqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuutqn.dll
C:\WINDOWS\system32\vtuutqn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vwxtgwud.dll
C:\WINDOWS\system32\vwxtgwud.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvusqrs.dll
C:\WINDOWS\system32\wvusqrs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuurpm.dll
C:\WINDOWS\system32\wvuurpm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xtahpdbk.dll
C:\WINDOWS\system32\xtahpdbk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxdsbgdy.ini
C:\WINDOWS\system32\xxdsbgdy.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyxyvs.dll
C:\WINDOWS\system32\xxyxyvs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayaaxy.dll
C:\WINDOWS\system32\yayaaxy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yaywwus.dll
C:\WINDOWS\system32\yaywwus.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayyayv.dll
C:\WINDOWS\system32\yayyayv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayyxyy.dll
C:\WINDOWS\system32\yayyxyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ydgbsdxx.dll
C:\WINDOWS\system32\ydgbsdxx.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 22:29:37 01/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\ljjhede.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ljjhede.dll
C:\WINDOWS\system32\ljjhede.dll Has been deleted!

Performing Repairs to the registry.
Done!


--------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 23:03:26, on 01/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\WINDOWS\System32\khooker.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\etMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\svchost.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {F3ECFEAD-AED0-47AA-8243-0EA5FBB88170} - C:\WINDOWS\system32\awvts.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB002" /M "Stylus C66"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [etMonitor] C:\WINDOWS\etMon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\xtahpdbk.dll",realset
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Janet\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/c ... /xt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Janet Perkins
Active Member
 
Posts: 7
Joined: April 29th, 2007, 11:15 am

Post by beynac » May 2nd, 2007, 4:44 am

Good morning Janet.

Well, that got rid of a lot! :)

After VundoFix finished I had a system popup saying: Error loading C:\WINDOWS\system32\xtahpdbk.dll Specified module could not be found. So something is still there trying to invoke this driver, no?

Yes and no! The file has been deleted by VundoFix but the startup registry entry is still there. We'll fix that in a minute.

----------------------------------------------------------------------

We need to temporarily disable Spybot S&D 'TeaTimer' as it may interfere with the fix. Please do the following:
  • Right-click the Spybot icon in the System Tray (looks like a calendar with a padlock symbol)
  • Choose Exit Spybot S&D Resident
  • Open Spybot S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected
  • On the left hand side, choose Tools then Resident
  • Uncheck Resident TeaTimer and OK any prompts
  • Reboot the computer
Do not re-enable TeaTimer until we have finished.

------------------------------------------------------------------------

Run HijackThis and click Scan and then check (tick) the following, if present (don't worry if any are missing):

O2 - BHO: (no name) - {F3ECFEAD-AED0-47AA-8243-0EA5FBB88170} - C:\WINDOWS\system32\awvts.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\xtahpdbk.dll",realset

Close down all programs, browsers and other open windows. Make sure that only the above items are checked and then click on Fix checked.

Still in HijackThis:
  • Click on the Config button (bottom right)
  • Click on the Misc Tools button
  • Click on Delete a file on reboot...
  • Copy and paste C:\WINDOWS\system32\ljjhede.dll into the "File name:" text box and then click Open
  • When you are asked "Do you want to restart your computer now?", click OK.
Your PC MUST reboot to delete the file!

------------------------------------------------------------------------

ATF Cleaner by Atribune ©

Download ATF Cleaner by Atribune © from here : http://www.atribune.org/ccount/click.php?id=1
This is a stand-alone program that does not need to be installed. Save it to a convenient location and make a shortcut on your desktop. Using this program will remove temporary files, temporary internet files and cookies from your system, which will mean that any scans will run faster.
  • Make sure that all browser windows are closed
  • Double-click the shortcut on your desktop to run the program.
  • Under Main, choose Select All
  • Untick Prefetch
  • Click Empty Selected
  • If you use Firefox browser,
    • Click Firefox at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
  • If you use Opera browser,
    • Click Opera at the top and choose Select All
    • Click on Empty Selected
    • NOTE: If you would like to keep any saved passwords, please untick that option.
  • Click Exit to close.
----------------------------------------------------------------

AVG Anti-Spyware:

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open. Do not run a scan yet.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
You will need to change the following settings:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan? - Select Scan every file.
You can now close AVG Anti-Spyware. Do not scan yet.

---------------------------------------------------

Boot to Safe Mode.

You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.

Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode. I suggest that you print out these instructions.
  • Restart your computer.
  • Continually tap the F8 button as your computer is booting (a menu appears).
  • Use up-arrow key to select Safe Mode and press Enter.
------------------------------------------------

Run AVG Anti-Spyware:

Close all open windows and then start AVG Anti-Spyware, which you downloaded earlier
  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
-----------------------------------------------------------------

Reboot in Normal Mode.

-----------------------------------------------------------------------

Please post, as a reply to this thread:
  • The AVG Anti-Spyware report
  • A new HijackThis log
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
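
The situation described in the post above (VundoFix deleted the file, but the startup registry entry that loads it is still there) can be found mechanically by cross-referencing the VundoFix report with the HijackThis log. The Python sketch below is an added example, not part of the original thread or of either tool; the function names are hypothetical, and the inputs are excerpts of the logs posted earlier in this thread.

```python
import re

# Excerpts from the VundoFix report posted in this thread (two consecutive runs).
VUNDOFIX_REPORT = r"""
Attempting to delete C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\awvts.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjhede.dll
C:\WINDOWS\system32\ljjhede.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\xtahpdbk.dll
C:\WINDOWS\system32\xtahpdbk.dll Has been deleted!

VundoFix V6.3.21

Attempting to delete C:\WINDOWS\system32\ljjhede.dll
C:\WINDOWS\system32\ljjhede.dll Has been deleted!
"""

# Excerpts from the second HijackThis log posted in this thread.
HIJACKTHIS_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {F3ECFEAD-AED0-47AA-8243-0EA5FBB88170} - C:\WINDOWS\system32\awvts.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\xtahpdbk.dll",realset
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# "<path> Has been deleted!" or "<path> Could not be deleted."
RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<verdict>Has been deleted!|Could not be deleted\.)\s*$"
)
# "<section> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [...] ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_vundofix(report):
    """Map lower-cased path -> 'deleted' or 'failed'.

    A report can hold several runs; a later result for the same file
    overrides an earlier one, so a file that failed first and was removed
    on the reboot pass ends up as 'deleted'.
    """
    status = {}
    for line in report.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            deleted = m["verdict"].startswith("Has been")
            status[m["path"].lower()] = "deleted" if deleted else "failed"
    return status


def orphaned_entries(hjt_log, status):
    """HijackThis entries that still reference a file VundoFix deleted."""
    hits = []
    for line in hjt_log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m["body"].lower()
        for path, verdict in status.items():
            if verdict == "deleted" and path in body:
                hits.append((m["section"], m["body"], path))
    return hits


def undeleted_files(status):
    """Files whose final VundoFix result is still 'Could not be deleted.'"""
    return sorted(p for p, v in status.items() if v == "failed")


if __name__ == "__main__":
    status = parse_vundofix(VUNDOFIX_REPORT)
    for section, body, path in orphaned_entries(HIJACKTHIS_LOG, status):
        print(f"[orphaned {section}] {body}")
    for path in undeleted_files(status):
        print(f"[still on disk] {path}")
```
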

Post by Janet Perkins » May 2nd, 2007, 6:23 pm

That took a while to get thru that lot. Nearly an hour just for the AVG scan but here's the results, J.


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 23:14:01 02/05/2007

+ Scan result:



C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170716.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170719.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170721.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170722.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170723.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170725.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170726.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170732.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170734.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170735.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170738.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170742.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170748.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170750.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170756.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170761.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170764.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170769.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170774.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170775.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170776.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170784.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\awtttrq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxvwur.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxxxww.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\byxxxyx.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\cbxuvst.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\cbxwxyx.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\efcyyyv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\iifcdee.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\jkkighg.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\jkkjkkk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\khfghhe.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ljjhede.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ljjkihh.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\opnolkl.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\pmnlljk.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\ssqnoll.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\tuvwutt.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\urqqrqp.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\wvuurpm.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\yaywwus.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\yayyayv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\yayyxyy.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170646.exe -> Dropper.Agent.mf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170647.exe -> Dropper.Agent.mf : Cleaned with backup (quarantined).
C:\Program Files\MSN Messenger\msnmsgr.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0158172.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0158173.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0159173.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0159179.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0160180.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0160190.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0160200.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0161206.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0161208.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0162198.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0162266.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0162277.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP528\A0162286.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP531\A0162513.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP531\A0165514.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP531\A0165525.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP531\A0165526.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP531\A0165530.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170632.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170636.exe -> Worm.Agent.a : Cleaned with backup (quarantined).


::Report end




---------------------------------------------------



Logfile of HijackThis v1.99.1
Scan saved at 23:21:37, on 02/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\WINDOWS\System32\khooker.exe
C:\WINDOWS\system32\svchost.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\etMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB002" /M "Stylus C66"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [etMonitor] C:\WINDOWS\etMon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Janet\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/c ... /xt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Janet Perkins
Active Member
 
Posts: 7
Joined: April 29th, 2007, 11:15 am

Unread postby beynac » May 2nd, 2007, 6:38 pm

Hi Janet.

Well done - the log appears to be clean! :)

I'm afraid that these scans can take a while to run - but it's necessary. I would like you to run VundoFix again to make sure that we got it all. I'll repeat the instructions for clarity.

VundoFix

You can use the version that you previously downloaded - I've checked that it's still current.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • It will create a report named vundofix.txt on your main drive (C:\vundofix.txt)
Note: It is possible that VundoFix may encounter a file it cannot remove.
In this case, VundoFix will run on reboot. Simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Please post the VundoFix report (C:\vundofix.txt) and let me know how the computer is running. Are you still having any problems?
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby Janet Perkins » May 3rd, 2007, 4:06 pm

VundoFix found no problems at all, so all clear it looks.
Do I need to reset any disabled programs to working order? AVG-AS was one I remember we turned something off of.
I haven't been using the machine while the repairs have been going on. I've been flicking around on some sites just now and everything seems OK. I'll give it a couple of days' use to make sure and then post back if I find anything. I'm sure it's fine now though.

Thanks very much for all your help,
Janet.
Janet Perkins
Active Member
 
Posts: 7
Joined: April 29th, 2007, 11:15 am

Unread postby beynac » May 3rd, 2007, 4:28 pm

Hi Janet.

Yes, it looks as if we've done it. :)

You can re-enable Spybot's TeaTimer now if you wish. We disabled the real-time protection in AVG Anti-Spyware. You can turn this on if you wish, but it will only be available for the remainder of the 30-day trial period, unless you purchase the full version. To do this, open AVG Anti-Spyware, click the Shield icon at the top and under Resident shield is... click inactive. This should now change to active.

You can delete VundoFix and its report (C:\vundofix.txt). I suggest that you keep ATF Cleaner as it is a useful program.

---------------------------------------------------------

Flush System Restore

Now that the computer is clean, I suggest that you flush the System Restore points. This will remove any infected ones and create a new, clean one.
Turn OFF System Restore.
  • Click on Start
  • Right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Check Turn off System Restore
  • Click Apply, and then click OK
Restart your computer

Turn ON System Restore.
  • Click on Start
  • Right-click My Computer
  • Click Properties
  • Click the System Restore tab
  • Uncheck Turn off System Restore
  • Click Apply, and then click OK
---------------------------------------------------------

If you do not already use it, I suggest that you install SpywareBlaster. This program will:
  • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
This program blocks these items but does not run in the background. It therefore does not use any resources.

I would also recommend that you have a look at Firetrust SiteHound. This gives warnings when you are about to enter a website that is on their 'block' list. An alternative is McAfee SiteAdvisor. I use SiteHound, but both have a good reputation (N.B. use only one of them, not both).

Please let me know if you have any questions. I'll keep this thread open for a few days so that you can let me know whether, or not, you get any further problems.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England
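
The scan report and the System Restore advice above fit together once the detections are grouped by where they sit on disk. The following is an added example, not part of the original thread and not AVG or VundoFix code: a small Python triage script that parses report lines in the format posted above and separates restore-point copies, the removal tool's backup folder, and live files. The sample input is abridged from the report in this thread; the function names and the location categories are assumptions made for illustration.

```python
import re
from collections import Counter
from typing import NamedTuple

# Sample input: six entries abridged from the AVG Anti-Spyware report in this thread.
SAMPLE_REPORT = r"""
+ Created at: 23:14:01 02/05/2007

+ Scan result:

C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170716.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\awtttrq.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP534\A0170646.exe -> Dropper.Agent.mf : Cleaned with backup (quarantined).
C:\Program Files\MSN Messenger\msnmsgr.exe -> Dropper.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP527\A0158173.exe -> Worm.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{4B947F5A-4C6B-4709-862A-2F6019CA6E3D}\RP531\A0162513.exe -> Worm.Agent.a : Cleaned with backup (quarantined).

::Report end
"""

# One report entry: "<path> -> <threat name> : <action>."
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) -> (?P<threat>\S+) : (?P<action>.+?)\.?\s*$"
)
# Windows XP System Restore store: ...\_restore{GUID}\RPnnn\<renamed file>
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\",
    re.IGNORECASE,
)
# Assumption: folder name taken from the paths visible in this thread.
TOOL_BACKUP_DIRS = ("c:\\vundofix backups\\",)


class Detection(NamedTuple):
    path: str
    threat: str
    action: str
    location: str       # "restore_point", "tool_backup" or "live"
    restore_point: str  # e.g. "RP534"; empty outside System Restore


def classify(path):
    """Return (location, restore_point) for a detected file path."""
    match = RESTORE_RE.search(path)
    if match:
        return "restore_point", match.group(1).upper()
    if path.lower().startswith(TOOL_BACKUP_DIRS):
        return "tool_backup", ""
    return "live", ""


def parse_report(text):
    """Extract detections; headers, separators and blank lines are skipped."""
    detections = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        location, restore_point = classify(match["path"])
        detections.append(
            Detection(match["path"], match["threat"], match["action"],
                      location, restore_point)
        )
    return detections


def summarize(detections):
    """Group detections so the follow-up work is obvious at a glance."""
    return {
        "by_location": Counter(d.location for d in detections),
        "by_threat": Counter(d.threat for d in detections),
        # Restore points holding detected copies: cleared by flushing System Restore.
        "restore_points": sorted(
            {d.restore_point for d in detections if d.restore_point}
        ),
        # Files in normal program or system folders: check the owning application.
        "live_files": [d.path for d in detections if d.location == "live"],
        # Anything the scanner did not quarantine needs manual attention.
        "not_quarantined": [
            d.path for d in detections if "quarantined" not in d.action.lower()
        ],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample, four of the six detections are copies inside restore points RP527, RP531 and RP534, which is what the flush removes. The only live file is msnmsgr.exe.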

Unread postby Nick-YF19 » May 6th, 2007, 10:42 am

Glad we could help

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California

Unread postby ChrisRLG » May 9th, 2007, 3:01 pm

Reopened on email request.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby beynac » May 10th, 2007, 6:27 am

Good morning Janet.

I see that you have asked for this thread to be re-opened. Please could you post a new HijackThis log and let me know what problems you are having.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby Janet Perkins » May 13th, 2007, 12:43 pm

Hi again beynac. I am having problems with SiteHound. It seems to work on my main XP user account but not on the second user account I have set up for the twins (who caused the problems in the first place).
Every time they try to open a web browser it asks for the SiteHound password to activate the account that I set up OK on my XP account. I enter the same password I was given but it says it can't connect and gives me advice on how to let it through ZoneAlarm. The program has full permissions in ZA but still won't register to get the latest updates. Do I have to set up a new SiteHound account for them to use on their user account? The computer seems to run slower since installing SiteHound and SpywareBlaster also. And I seem to be getting shutdown problems too. I was just on my user account, then switched to the twins' account then tried to log off the twins' account but nothing would happen. Tried to switch user back to mine, then tried to shut down the PC. All failed. Had to hold the power button in for 5 seconds to shut the PC down. It didn't give me any errors starting up as I thought it would as I had forced it to shut down. I've posted a HijackThis log below to see if that reveals anything.

Many thanks, Janet.


........................................................


Logfile of HijackThis v1.99.1
Scan saved at 17:42:58, on 13/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe
C:\WINDOWS\System32\khooker.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\etMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Fire-Trust SiteHound - {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [VCSPlayer] "C:\Program Files\Virtual CD v4 SDK\system\vcsplay.exe"
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0S2.EXE /P23 "EPSON Stylus C66 Series" /O6 "USB002" /M "Stylus C66"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [etMonitor] C:\WINDOWS\etMon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Program Files\FireTrust\SiteHound\SiteHound.dll
O9 - Extra button: Packard Bell - {1D49B7D4-524D-4ac9-BC34-B4822CAE4BB1} - C:\Apps\IECustom\script.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Janet\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/c ... /xt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Program Files\Virtual CD v4 SDK\system\vcssecs.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Janet Perkins
Active Member
 
Posts: 7
Joined: April 29th, 2007, 11:15 am

Unread postby beynac » May 13th, 2007, 12:57 pm

Hi Janet.

I'm sorry that you're having these problems. I'll look into the situation regarding SiteHound. In the meantime, could you please log into the twins' account, run HijackThis and post the log please.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England

Unread postby beynac » May 15th, 2007, 7:34 am

Hello Janet.

I've looked into your SiteHound problem. Once you have input the SiteHound Id, it should apply to all users - you should not have to re-enter it. I've asked for advice on your problem, but haven't had a reply yet. In the meantime, let's try a couple of things:

Make sure that all windows are closed. Click on Start then Run. Copy/paste the following into the textbox: C:\Program Files\FireTrust\SiteHound\Repair_SiteHound.exe. Click OK.

Reboot the computer. If SiteHound's still not working properly, I suggest that you uninstall and then reinstall the program. If you do this, check to see if your computer runs any quicker without it before reinstalling.

SpywareBlaster shouldn't cause any problems. It may be worth uninstalling and reinstalling the program. Again, check to see whether the computer is faster without it.

Please let me know how you get on.

I would still like to see a HijackThis log run from your twins' account.
beynac
MRU Honors Grad Emeritus
 
Posts: 1638
Joined: February 14th, 2006, 12:14 pm
Location: Norwich, England