
Problems uploading log file

Posted 9/9/2006 1:24 PM
#36177
irvy Member

Date Joined Nov 2016
Total Posts: 5
Hi,

Could you look at my logfile please and tell me how to clean out files. I am still getting virus alerts and as the computer is DEAD slow I fear there may be a trojan too.

Oooops, just tried to upload the file but it won't let me. Any suggestions?
Posted 9/10/2006 5:39 AM
#36210
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Hi irvy

1. Get the newest HijackThis from http://danborg.org/spy/hjt/alternativ.exe
(Another name for the HijackThis exe.)

2. Install it in a PERMANENT folder! Example: c:\hijackthis\

3. Run HijackThis (alternativ.exe).

Choose the "Do a system scan and save a log file" option to perform your scan.

HijackThis will analyze your system, and automatically open a Notepad text file containing the HijackThis log when the scan is finished.

Open the text file containing the log with a text editor and click Edit -> Select All, followed by Edit -> Copy.
From within the browser window and with the message body text box selected, click Edit -> Paste.

Post the HijackThis (alternativ) log.

Click here: Before-posting-a-log
Do not PM me with logfiles. They will be deleted.


Posted 9/10/2006 11:40 AM
#36216
irvy Member

Date Joined Nov 2016
Total Posts: 5
Hi,

Thanks for your response.

I had already downloaded HijackThis and ewido as recommended in another post. I now seem to have another virus/trojan or whatever called WinAntiVirusPro 2006, that has taken over Internet Explorer and takes me to different web sites when I click on a link on my Google home page.

Any help would be much appreciated.

irvy

Logfile of HijackThis v1.99.1
Scan saved at 12:33:17, on 10/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\program files\spybot - search & destroy\SpybotSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\MICROS~1\rapimgr.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\Irene & John\My Documents\DOWNLOADS\alternativ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.targa.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C810298-F94E-4B2F-B1FA-6E3EE5D9612C} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.targa.co.uk/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115426152062
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151267868812
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {DBFECB3F-B78F-442E-AE46-4952E6F17545} (Bonusprint Image Uploader Version 3.5) - http://webalbum.bonusprint.com/ukipc01/downloads//ImageUploader3.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/SFUploader/SpeedUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - Unknown owner - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Posted 9/10/2006 1:13 PM
#36217
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Please download VirtumundoBeGone: http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe
Save the file to your desktop.
Close all running programs (including your Internet browser).

Read the introductory information, and then click Continue.
Click Start.
When asked if you want to continue, click Yes to run the fix.
Click "Save Log".

Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop.

Post the VBG.TXT log along with a fresh HijackThis log and tell me how things are running.


Posted 9/10/2006 2:06 PM
#36219
irvy Member

Date Joined Nov 2016
Total Posts: 5
Hi,
Thanks for getting back to me.

I did as you suggested and here are the log files - which mean absolutely nothing to me!!!

irvy

[09/10/2006, 14:55:57] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Irene & John\My Documents\DOWNLOADS\VirtumundoBeGone.exe" )
[09/10/2006, 14:56:11] - Detected System Information:
[09/10/2006, 14:56:11] - Windows Version: 5.1.2600, Service Pack 2
[09/10/2006, 14:56:11] - Current Username: Irene & John (Admin)
[09/10/2006, 14:56:11] - Windows is in NORMAL mode.
[09/10/2006, 14:56:11] - Searching for Browser Helper Objects:
[09/10/2006, 14:56:11] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[09/10/2006, 14:56:11] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/10/2006, 14:56:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/10/2006, 14:56:11] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[09/10/2006, 14:56:11] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[09/10/2006, 14:56:11] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/10/2006, 14:56:11] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[09/10/2006, 14:56:11] - BHO 5: {D6A5DB0C-643C-4053-B290-AA421049594B} ()
[09/10/2006, 14:56:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/10/2006, 14:56:11] - Checking for HKLM\...\Winlogon\Notify\jkhfc
[09/10/2006, 14:56:11] - Found: HKLM\...\Winlogon\Notify\jkhfc - This is probably Virtumundo.
[09/10/2006, 14:56:11] - Assigning {D6A5DB0C-643C-4053-B290-AA421049594B} MSEvents Object
[09/10/2006, 14:56:11] - BHO list has been changed! Starting over...
[09/10/2006, 14:56:11] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[09/10/2006, 14:56:11] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/10/2006, 14:56:11] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/10/2006, 14:56:11] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[09/10/2006, 14:56:11] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[09/10/2006, 14:56:11] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/10/2006, 14:56:11] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[09/10/2006, 14:56:11] - BHO 5: {D6A5DB0C-643C-4053-B290-AA421049594B} (MSEvents Object)
[09/10/2006, 14:56:11] - ALERT: Found MSEvents Object!
[09/10/2006, 14:56:11] - Finished Searching Browser Helper Objects
[09/10/2006, 14:56:11] - *** Detected MSEvents Object
[09/10/2006, 14:56:11] - Trying to remove MSEvents Object...
[09/10/2006, 14:56:12] - Terminating Process: IEXPLORE.EXE
[09/10/2006, 14:56:12] - Terminating Process: RUNDLL32.EXE
[09/10/2006, 14:56:12] - Disabling Automatic Shell Restart
[09/10/2006, 14:56:12] - Terminating Process: EXPLORER.EXE
[09/10/2006, 14:56:12] - Suspending the NT Session Manager System Service
[09/10/2006, 14:56:12] - Terminating Windows NT Logon/Logoff Manager
[09/10/2006, 14:56:12] - Re-enabling Automatic Shell Restart
[09/10/2006, 14:56:12] - File to disable: C:\WINDOWS\system32\jkhfc.dll
[09/10/2006, 14:56:12] - Renaming C:\WINDOWS\system32\jkhfc.dll -> C:\WINDOWS\system32\jkhfc.dll.vir
[09/10/2006, 14:56:13] - File successfully renamed!
[09/10/2006, 14:56:13] - Removing HKLM\...\Browser Helper Objects\{D6A5DB0C-643C-4053-B290-AA421049594B}
[09/10/2006, 14:56:13] - Removing HKCR\CLSID\{D6A5DB0C-643C-4053-B290-AA421049594B}
[09/10/2006, 14:56:13] - Adding Kill Bit for ActiveX for GUID: {D6A5DB0C-643C-4053-B290-AA421049594B}
[09/10/2006, 14:56:13] - Deleting ATLEvents/MSEvents Registry entries
[09/10/2006, 14:56:13] - Removing HKLM\...\Winlogon\Notify\jkhfc
[09/10/2006, 14:56:13] - Searching for Browser Helper Objects:
[09/10/2006, 14:56:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[09/10/2006, 14:56:13] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[09/10/2006, 14:56:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[09/10/2006, 14:56:13] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[09/10/2006, 14:56:13] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[09/10/2006, 14:56:13] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[09/10/2006, 14:56:13] - BHO 4: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[09/10/2006, 14:56:13] - Finished Searching Browser Helper Objects
[09/10/2006, 14:56:13] - Finishing up...
[09/10/2006, 14:56:13] - A restart is needed.
[09/10/2006, 14:56:29] - Attempting to Restart via STOP error (Blue Screen!)

Logfile of HijackThis v1.99.1
Scan saved at 15:01:37, on 10/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\MICROS~1\rapimgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
...john@247realmedia[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@ad.yieldmanager[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@fastclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@mediaplex[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@statcounter[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@stats1.reliablestats[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@toplist[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@tribalfusion[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Irene & John\Cookies\irene & john@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Irene & John\Desktop\SmitfraudFix\Process.exe
Adware:Adware/AdvertMem Not disinfected C:\Documents and Settings\Irene & John\Incomplete\T-512213-_better version_ oh its such a perfect day 44.rar[setup.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Irene & John\My Documents\DOWNLOADS\SmitfraudFix.zip[SmitfraudFix/Process.exe]
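The first HijackThis log in this thread lists jkhfc.dll both as an unnamed O2 BHO and as an O20 Winlogon Notify handler, and the VirtumundoBeGone log shows the check it applies to that pairing (a BHO with no default name whose DLL name also appears under Winlogon\Notify is "probably Virtumundo"). As an added example, not code from the thread, HijackThis or VirtumundoBeGone, this Python script parses the O2 and O20 entries from a constructed excerpt of that log and applies the same cross-check, also flagging O20 handlers marked "(file missing)" such as winjyp32.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the O2 and O20 lines from the first HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C810298-F94E-4B2F-B1FA-6E3EE5D9612C} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)
"""

# O2 line: "O2 - BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# O20 line: "O20 - Winlogon Notify: <registry key name> - <dll path>[ (file missing)]"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


@dataclass
class Bho:
    name: str
    clsid: str
    path: str


@dataclass
class Notify:
    key: str
    path: str
    file_missing: bool


def parse_hjt(log: str) -> Tuple[List[Bho], List[Notify]]:
    """Pull the O2 (BHO) and O20 (Winlogon Notify) entries out of a HijackThis log."""
    bhos: List[Bho] = []
    notifies: List[Notify] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(Bho(m["name"], "{%s}" % m["clsid"].upper(), m["path"]))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(Notify(m["key"], m["path"], m["missing"] is not None))
    return bhos, notifies


def dll_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\jkhfc.dll' -> 'jkhfc'. ntpath, not os.path, so it works off-Windows."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def find_virtumundo(bhos: List[Bho], notifies: List[Notify]) -> List[Bho]:
    """The VirtumundoBeGone heuristic shown in the thread: an unnamed BHO whose DLL
    name is also registered as a Winlogon Notify key."""
    notify_keys = {n.key.lower() for n in notifies}
    return [b for b in bhos if b.name == "(no name)" and dll_stem(b.path) in notify_keys]


def find_orphaned_notify(notifies: List[Notify]) -> List[Notify]:
    """Winlogon Notify hooks whose DLL no longer exists; the registry entry was left behind."""
    return [n for n in notifies if n.file_missing]


def analyze(log: str) -> Dict[str, list]:
    bhos, notifies = parse_hjt(log)
    hits = find_virtumundo(bhos, notifies)
    return {
        "virtumundo": [(b.clsid, b.path) for b in hits],
        "orphaned_notify": [n.key for n in find_orphaned_notify(notifies)],
        # unnamed BHOs with no matching Winlogon hook: VBG logs "Key not found, continuing"
        "unnamed_no_hook": [b.path for b in bhos if b.name == "(no name)" and b not in hits],
    }


if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind, items)
```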
Posted 9/10/2006 3:40 PM
#36226
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
It looks better to me :smile:

Please download the free trial of SUPERAntiSpyware:
http://www.superantispyware.com/superantispywarefreevspro.html

Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it.)

Close the program.

Download and install:
http://www.filehippo.com/download_ccleaner/
For a basic version of CCleaner with no Yahoo Toolbar, select the second or third install option as follows:
Even if you selected Option 2 or 3, if you do not want the Yahoo Toolbar installed:
Uncheck "Add CCleaner Yahoo! Toolbar", as it is checked by default during CCleaner Setup.

You may want to print this or save it to Notepad as we will go to Safe Mode.

Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT.
Click Fix checked.

O4 - HKCU\..\Run: [TClockEx] C:\Program Files\TClockEx\TCLOCKEX.EXE

O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O20 - Winlogon Notify: winjyp32 - winjyp32.dll (file missing)

Reboot into Safe Mode by tapping F8 after the BIOS has loaded.
The Windows Advanced Options Menu appears.
Ensure that the Safe mode option is selected.
Press Enter. The computer then begins to start in Safe mode.

Delete the following files or folders (delete item in bold). Please do not be concerned if any of the items are not found as they may have been automatically removed by actions I had you take earlier in the cleaning process.

Delete:

Folders:
C:\Program Files\TClockEx\TCLOCKEX.EXE

Open CCleaner.

1. Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
2. A pop up box will appear advising this process will permanently delete files from your system.
3. Then select the items you wish to clean up.
In the Windows Tab:
Clean all entries in the "Internet Explorer". Deleting cookies will require re-entry of user names and passwords on next visit to sites that require users log in.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all (optionally, except cookies) in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.
4. Then click the "Run Cleaner" button and it will scan and clean your system. Click Exit.

Start SUPERAntiSpyware / right-click on the black/yellow bug in the tray.

Hit the "Scan Your Computer" button.

Click on the drive(s) you want to scan. Put a check in "Perform Complete Scan", then Next.

It will scan now. When the scan has finished, put a checkmark against all items it found. Next, after cleaning, let it reboot.

Next go to Start - Search and scroll down using the scroll bar on the right. Go down to "More advanced options" and click.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
And Find:
superantispyware log

Post this log along with a fresh HijackThis log and tell me how things are running.


Posted 9/10/2006 5:21 PM
#36231
irvy Member

Date Joined Nov 2016
Total Posts: 5
Hi,
I really appreciate your help with this. You must let me know how I can make a donation to your site.

I did as you suggested and here are the log files.

Logfile of HijackThis v1.99.1
Scan saved at 18:15:43, on 10/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\MICROS~1\rapimgr.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
...john@xiti[1].txt
C:\Documents and Settings\Irene & John\Cookies\irene & john@122.2o7[1].txt
C:\Documents and Settings\Irene & John\Cookies\irene & john@winantivirus[1].txt
C:\Documents and Settings\Irene & John\Cookies\irene & john@indextools[2].txt
C:\Documents and Settings\Irene & John\Cookies\irene & john@ad.yieldmanager[1].txt
C:\Documents and Settings\Irene & John\Cookies\irene & john@1070847646[1].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006
HKLM\SYSTEM\CurrentControlSet\Services\vspf
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Type
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Start
HKLM\SYSTEM\CurrentControlSet\Services\vspf#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Tag
HKLM\SYSTEM\CurrentControlSet\Services\vspf#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\vspf#Group
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DependOnService
HKLM\SYSTEM\CurrentControlSet\Services\vspf#DependOnGroup
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Type
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Start
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Tag
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk#Group
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security
HKLM\SYSTEM\CurrentControlSet\Services\vspf_hk\Security#Security

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
HKLM\SOFTWARE\Microsoft\MSSMGR#LID
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV

Adware.Vundo Variant
C:\WINDOWS\system32\jkhfc.dll.vir

Unclassified.Unknown Origin
C:\WINDOWS\system32\tuvuvsr.dll
Posted 9/10/2006 5:53 PM
#36234
Touch Advanced member

Date Joined Nov 2016
Total Posts: 12976
Do not PM me with logfiles. They will be deleted.


Posted 9/10/2006 10:21 PM
#36253
irvy Member

Date Joined Nov 2016
Total Posts: 5
Hi Touch,
Ever thought of changing your signature to Midas, cos you sure have the Midas Touch!!

Thank you so much for getting my system cleaned out. Hubby uses the p.c. for online banking so I have to keep it bug free.

I have downloaded the files you suggested and will be more vigilant in what I download from the net in future.

Thanks again for all your help. It was very much appreciated.

irvy