Help My PC won't stop sending E-Mails

  1. 20-02-2007  #1
    ninamackie
    ninamackie is offline Newbie

    Help My PC won't stop sending E-Mails

    Hi guys...

    I recently posted on the sister site to this one but luckily received a reply today asking me to post onto this as the logreader is away - Hoping someone can help me??? b4 i go mad!

    I've tried to read as much of the FAQ for this as possible but really stumped. I ran HJT and have the results below..

    At the moment McAfee keeps popping up a box that alerts me that my 'E-Mail Connection is Lost' When i check my scan it shows hundreds and hundreds of pornographic e-mails which are being sent from my PC all over the world. It is causing my computer to run really slow and i haven't had it that long.

    Any help would be greatly appreciated..

    Logfile of HijackThis v1.99.1
    Scan saved at 20:20:48, on 19/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\SiteAdvisor\6028\SAService.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\emproxy\emtray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\BitComet\BitComet.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O2 - BHO: (no name) - {0D01EE1D-E411-4E72-856C-A9C2A16D57B9} - C:\WINDOWS\system32\psodqnqk.dll
    O2 - BHO: Visual Renderer - {16946E6F-C8B7-4D66-B97D-785B7D6BF083} - C:\WINDOWS\system\brwptr32.dll (file missing)
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: (no name) - {56FA2DD4-979B-4314-A21D-399A472FA5E3} - C:\WINDOWS\system32\bhoabho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PCEyeLic] "C:\Program Files\PCEye2000\pceye2000.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
    O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [sysvx.exe] C:\WINDOWS\system32\sysvx.exe
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [WinUpdate] "C:\WINDOWS\system32\dkjmxaaa2030921.exe "
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'lsp32.dll' missing
    O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O20 - Winlogon Notify: emskrxpk - emskrxpk.dll (file missing)
    O20 - Winlogon Notify: jtanlntc - C:\WINDOWS\SYSTEM32\bhoabho.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe

  3. 23-02-2007  #2
    VopThis
    VopThis is offline Senior Member (Canada)
    O10 - Broken Internet access because of LSP provider 'lsp32.dll' missing
    DownLoad http://www.cexx.org/lspfix.htm

    Launch the LSP application, and click the "I know what I'm doing" checkbox.

    Move nothing just click Finish.


    If still no joy, download and run WinsockXPFix:
    http://members.shaw.ca/techcd/WinsockXPFix.exe - Winsock repair utility designed for Windows XP.




    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    O2 - BHO: (no name) - {0D01EE1D-E411-4E72-856C-A9C2A16D57B9} - C:\WINDOWS\system32\psodqnqk.dll
    O2 - BHO: Visual Renderer - {16946E6F-C8B7-4D66-B97D-785B7D6BF083} - C:\WINDOWS\system\brwptr32.dll (file missing)
    O2 - BHO: (no name) - {56FA2DD4-979B-4314-A21D-399A472FA5E3} - C:\WINDOWS\system32\bhoabho.dll

    O4 - HKLM\..\Run: [SYSVX.EXE] C:\WINDOWS\system32\sysvx.exe
    O4 - HKCU\..\Run: [WINUPDATE] "C:\WINDOWS\system32\dkjmxaaa2030921.exe "

    O20 - Winlogon Notify: emskrxpk - emskrxpk.dll (file missing)
    O20 - Winlogon Notify: jtanlntc - C:\WINDOWS\SYSTEM32\bhoabho.dll

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.






    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



    Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):


    DELETE FILES:

    C:\WINDOWS\system32\psodqnqk.dll
    C:\WINDOWS\system32\bhoabho.dll
    C:\WINDOWS\system32\sysvx.exe
    C:\WINDOWS\system32\dkjmxaaa2030921.exe




    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
  4. 24-02-2007  #3
    ninamackie
    ninamackie is offline Newbie
    Thanks very much for your help..

    I tried to delete - c:\windows\system32\bhoabho.dll both in safe mode and using the fix on hijackthis but it comes up with the message - access denied.

    I couldn't c:\windows\system32\sysvx.exe OR c:\windows\system32\dkjmxaaa203092exe but I think this is probably because they had been removed by Hijackthis.

    Seems to be running a bit better now but I have posted my new Hijackthis log below...

    Logfile of HijackThis v1.99.1
    Scan saved at 10:43:45, on 24/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\SiteAdvisor\6028\SAService.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: (no name) - {56FA2DD4-979B-4314-A21D-399A472FA5E3} - C:\WINDOWS\system32\bhoabho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PCEyeLic] "C:\Program Files\PCEye2000\pceye2000.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
    O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O20 - Winlogon Notify: jtanlntc - C:\WINDOWS\SYSTEM32\bhoabho.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe


    I will keep an eye on it over the next few days and post again if the e-mails start again but at the moment they seem to have stopped

    Nina xx
  5. 24-02-2007  #4
    VopThis
    VopThis is offline Senior Member (Canada)
    HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here



    bhoabho.dll is definately an unknown item and is likely malware. Please submit to VirusTotal for their immediate evaluation and feedback. POst any malware findings back here:

    C:\WINDOWS\system32\bhoabho.dll



    Additionally, suggest you run the following scan:

    We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.




    Download and install AVG Anti-Spyware 7.5 (AVG AS - formally known as Ewido anti-spyware 4.0 - uninstall any previous version first).
    • Click the Download BUTTON. On the next page click the Download now BUTTON.
    • Save and then install (Run) from the save location.
    • Open/Run AVG Anti-Spyware
    • Wait a few moments and AVG Anti-Spyware should Auto update itself (note date of last update). If it doesn't update, click the update ICON at top of screen:

    • Click on the Update now LINK at the top of the window
      • Click on the Start update button
      • Wait for the update to download and install
  6. This is very important to get the LATEST updates.
  7. Click on the Status ICON
    • Under "Your computers Security"
      Click change status on Resident shield to inactive (ONLY consider activation of that feature once you are clean)
  8. Click on the Scanner ICON at the top of the window
  9. Click on the Settings tab then select Recommended Actions and choose Quarantine
  10. When updating has finished. Close AVG Anti-Spyware.



    11. We will be using this tool in a later step.




    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    ______________________________


    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware , and run a full scan:
    • Click on the default Status ICON and select the Scan now LINK.

      OR

    • Click on the Scanner ICON . Select the Scan TAB.

      • Select Complete System Scan. AVG Anti-Spyware will now begin to scan your system.

    • If AVG Anti-Spyware finds anything it will list them in the Preview WINDOW:
      • Make sure that Set all elements to: shows Quarantine, if not click on the link and choose Quarantine from the popup menu.
      • Select Apply all actions at the bottom of the window (and the items found will be quarantined – and recoverable, if any items are needed back).

    • When the scan has completed, click on the Save Scan Report button and save the scan to your Desktop where it can be easily found.
    • Copy and paste the AVG Anti-Spyware scan results into your next post.
    • Close AVG Anti-Spyware.
  • 27-02-2007  #5
    ninamackie
    ninamackie is offline Newbie
    Hi there.. Ok seems like the e-mail problem is still occuring,

    I submitted this C:\WINDOWS\system32\bhoabho.dll to VirusTotal and the following results came back:

    VirusTotal Results -

    STATUS: FINISHEDComplete scanning result of "bhoabho.dll", received in VirusTotal at 02.27.2007, 19:55:58 (CET).

    Antivirus Version Update Result
    AntiVir 7.3.1.38 02.27.2007 TR/Dldr.ConHook.Gen
    Authentium 4.93.8 02.26.2007 no virus found
    Avast 4.7.936.0 02.27.2007 no virus found
    AVG 7.5.0.441 02.27.2007 no virus found
    BitDefender 7.2 02.27.2007 no virus found
    CAT-QuickHeal 9.00 02.27.2007 no virus found
    ClamAV devel-20060426 02.27.2007 no virus found
    DrWeb 4.33 02.27.2007 no virus found
    eSafe 7.0.14.0 02.27.2007 Suspicious Trojan/Worm
    eTrust-Vet 30.4.3438 02.27.2007 no virus found
    Ewido 4.0 02.27.2007 no virus found
    FileAdvisor 1 02.27.2007 no virus found
    Fortinet 2.85.0.0 02.27.2007 no virus found
    F-Prot 4.3.1.45 02.26.2007 no virus found
    F-Secure 6.70.13030.0 02.27.2007 no virus found
    Ikarus T3.1.1.3 02.27.2007 no virus found
    Kaspersky 4.0.2.24 02.27.2007 no virus found
    McAfee 4972 02.27.2007 no virus found
    Microsoft 1.2204 02.27.2007 no virus found
    NOD32v2 2083 02.27.2007 no virus found
    Norman 5.80.02 02.27.2007 no virus found
    Panda 9.0.0.4 02.27.2007 Suspicious file
    Prevx1 V2 02.27.2007 no virus found
    Sophos 4.14.0 02.26.2007 no virus found
    Sunbelt 2.2.907.0 02.24.2007 no virus found
    Symantec 10 02.27.2007 no virus found
    TheHacker 6.1.6.065 02.26.2007 no virus found
    UNA 1.83 02.27.2007 no virus found
    VBA32 3.11.2 02.26.2007 no virus found
    VirusBuster 4.3.19:9 02.27.2007 no virus found


    Aditional Information
    File size: 73728 bytes
    MD5: e813b9f52fb129ed16505eecb60c89f9
    SHA1: 421973e29f47f2a908459618455fb2cef6327b37
    packers: UPX

    I also followed your AVG instructions and the results of that scan report are below:

    "","","Trojan horse Generic3.AKS","C:\Program Files\HijackThis\backups\backup-20070224-094559-528.dll","26/02/2007 23:41:08","backup-20070224-094559-528.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\ioldpjyu.dll"," 26/02/2007 23:41:08","ioldpjyu.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\kajgaoab.dll"," 26/02/2007 23:41:08","kajgaoab.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\monjjmvj.dll"," 26/02/2007 23:41:08","monjjmvj.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\psodqnqk.dll"," 26/02/2007 23:41:08","psodqnqk.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\urswtiil.dll"," 26/02/2007 23:41:09","urswtiil.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\wiuphdcb.dll"," 26/02/2007 23:41:09","wiuphdcb.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\wsrinrrc.dll"," 26/02/2007 23:41:09","wsrinrrc.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\xfdcbham.dll"," 26/02/2007 23:41:09","xfdcbham.dll","129 KB"


    Finally I ran HijackThis today and have posted the new log below:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:07:00, on 27/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe

    I hope you can suggest something because the e-mails are really slowing down my computer. I still cannot delete the bhoabho.dll file and when i try it says - 'Cannot delete' - Access Denied

    Thanks again for your assistance

    Nina
  • 27-02-2007  #6
    ninamackie
    ninamackie is offline Newbie
    Sorry I didn't post the full HijackThis log:

    Here it is...

    Logfile of HijackThis v1.99.1
    Scan saved at 19:07:00, on 27/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\SiteAdvisor\6028\SAService.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
    c:\PROGRA~1\COMMON~1\mcafee\emproxy\emtray.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: (no name) - {56FA2DD4-979B-4314-A21D-399A472FA5E3} - C:\WINDOWS\system32\bhoabho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PCEyeLic] "C:\Program Files\PCEye2000\pceye2000.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
    O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O20 - Winlogon Notify: jtanlntc - C:\WINDOWS\SYSTEM32\bhoabho.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: McAfee Application Installer Cleanup (0224761172602200) (0224761172602200mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\022476~1.EXE
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
    O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe



    Thanks

    Nina
  • 02-03-2007  #7
    VopThis
    VopThis is offline Senior Member (Canada)
    I also followed your AVG instructions and the results of that scan report are below:

    "","","Trojan horse Generic3.AKS","C:\Program Files\HijackThis\backups\backup-20070224-094559-528.dll","26/02/2007 23:41:08","backup-20070224-094559-528.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\ioldpjyu.dll"," 26/02/2007 23:41:08","ioldpjyu.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\kajgaoab.dll"," 26/02/2007 23:41:08","kajgaoab.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\monjjmvj.dll"," 26/02/2007 23:41:08","monjjmvj.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\psodqnqk.dll"," 26/02/2007 23:41:08","psodqnqk.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\urswtiil.dll"," 26/02/2007 23:41:09","urswtiil.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\wiuphdcb.dll"," 26/02/2007 23:41:09","wiuphdcb.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\wsrinrrc.dll"," 26/02/2007 23:41:09","wsrinrrc.dll","129 KB"
    "","","Trojan horse Generic3.AKS","C:\WINDOWS\system32\xfdcbham.dll"," 26/02/2007 23:41:09","xfdcbham.dll","129 KB"
    The above is useful feedback but does not appear to be from the requested scan. An 'AVG Anti-Spyware' LOG looks like this - so I have no indication that such a useful possibly critical scan was indeed conducted (EXAMPLE):

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 6:35:38 PM 2/26/2007

    + Scan result:



    HKLM\SOFTWARE\Classes\AppID\{9DA1990B-9BCA-4c80-AEFB-11A40FA849F9} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-21-527237240-1957994488-725345543-1005\Software\Microsoft\Windows\CurrentVersion\Ext \Stats\{F7D40011-29BB-43EB-9C97-875CE89E9E36} -> Adware.Generic : Cleaned with backup (quarantined).
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
    C:\Program Files\Malware-Wipe -> Adware.MalwareWipe : Cleaned with backup (quarantined).
    C:\Program Files\MalwareWipe -> Adware.Malwarewipe : Cleaned with backup (quarantined).
    C:\Program Files\MalwareWipe\Quarantine -> Adware.Malwarewipe : Cleaned with backup (quarantined).



    Additionally, see if the following (potential bhoabho.dll
    related reinfection) files will delete in SAFE MODE:

    C:\WINDOWS\system32\ioldpjyu.dll
    C:\WINDOWS\system32\kajgaoab.dll
    C:\WINDOWS\system32\monjjmvj.dll
    C:\WINDOWS\system32\psodqnqk.dll
    C:\WINDOWS\system32\urswtiil.dll
    C:\WINDOWS\system32\wiuphdcb.dll
    C:\WINDOWS\system32\wsrinrrc.dll
    C:\WINDOWS\system32\xfdcbham.dll
  • 04-03-2007  #8
    ninamackie
    ninamackie is offline Newbie
    Hi again,

    OK thanks the problem was i downloaded the wrong AVG thats why my scan results were wrong.

    I couldn't find any of these files when i rebooted in safe mode:

    C:\WINDOWS\system32\ioldpjyu.dll
    C:\WINDOWS\system32\kajgaoab.dll
    C:\WINDOWS\system32\monjjmvj.dll
    C:\WINDOWS\system32\psodqnqk.dll
    C:\WINDOWS\system32\urswtiil.dll
    C:\WINDOWS\system32\wiuphdcb.dll
    C:\WINDOWS\system32\wsrinrrc.dll
    C:\WINDOWS\system32\xfdcbham.dll


    Also when I downloaded the correct version of AVG Spyware it told me that the 'Resident Shield' was not available in the Free Version. I followed your instructions and the results from the scan are below. It found a 'high' risk trojan and some tracking cookies which I have since quarantined.

    I have run a new HiJackThis log which follows below:

    Logfile of HijackThis v1.99.1
    Scan saved at 21:09:33, on 04/03/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\SiteAdvisor\6028\SAService.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: (no name) - {56FA2DD4-979B-4314-A21D-399A472FA5E3} - C:\WINDOWS\system32\bhoabho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PCEyeLic] "C:\Program Files\PCEye2000\pceye2000.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
    O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O20 - Winlogon Notify: jtanlntc - C:\WINDOWS\SYSTEM32\bhoabho.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: McAfee Application Installer Cleanup (0309391173006166) (0309391173006166mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\030939~1.EXE
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe


    Incidently... I haven't seen the e-mail pop up yet - fingers crossed!

    Thanks again.

    Nina


    --------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 00:00:28 04/03/2007

    + Scan result:



    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@247realmedia[2].txt -> TrackingCookie.247realmedia : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@sento.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina_mackie@premiumtv.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@adrevolver[1].txt -> TrackingCookie.Adrevolver : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina_mackie@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@adviva[2].txt -> TrackingCookie.Adviva : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina_mackie@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    C:\Documents and Settings\Nina Mackie\Local Settings\Temp\Cookies\nina mackie@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@clickbank[2].txt -> TrackingCookie.Clickbank : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@ad1.clickhype[2].txt -> TrackingCookie.Clickhype : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@com[1].txt -> TrackingCookie.Com : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina_mackie@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@e-2dj6wfkyggajmdo.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@e-2dj6wfmywgczeao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@e-2dj6wgk4sjcjwap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@e-2dj6wjk4wpc5oep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@ehg-capitalgroup.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@ehg-veohnetworksinc.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@counter.hitslink[1].txt -> TrackingCookie.Hitslink : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@www.intelli-tracker[1].txt -> TrackingCookie.Intelli-tracker : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@mediaplex[2].txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@stat.onestat[2].txt -> TrackingCookie.Onestat : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina_mackie@overture[2].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina_mackie@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@stats2.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@revsci[1].txt -> TrackingCookie.Revsci : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@www.smartadserver[1].txt -> TrackingCookie.Smartadserver : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@anad.tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@anat.tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina_mackie@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@trafficmp[1].txt -> TrackingCookie.Trafficmp : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@web-stat[2].txt -> TrackingCookie.Web-stat : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@weborama[2].txt -> TrackingCookie.Weborama : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\Nina Mackie\Cookies\nina mackie@zedo[1].txt -> TrackingCookie.Zedo : No action taken.
    C:\WINDOWS\system32\asnfzaay.dll -> Trojan.Delf.zj : No action taken.


    ::Report end
  • 06-03-2007  #9
    VopThis
    VopThis is offline Senior Member (Canada)
    The absence of evident PC problems does not guarantee that your PC is now malware free.


    I am very leary of bhoabho.dll for the following reasons:



    Recommend fixing all of the following items in HijackThis:

    O2 - BHO: (no name) - {56FA2DD4-979B-4314-A21D-399A472FA5E3} - C:\WINDOWS\system32\bhoabho.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O20 - Winlogon Notify: jtanlntc - C:\WINDOWS\SYSTEM32\bhoabho.dll



    If a file stubbornly refuses to be deleted by conventional means, HijackThis (version 1.98.2 onward) provides a method to have Windows delete the file as it boots up, before the file has the chance to load. To do this, follow these steps:

    How to use the Delete on Reboot tool (in HijackThis)
    1. Start Hijackthis
    2. Click the ‘Open the Misc Tools section’ button
    3. Click on the button labeled ’Delete a file on reboot...’
    4. A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file and click on it once, and then click on the Open button.
    5. You will now be asked if you would like to reboot your computer to delete the file. Click on the ‘Yes’ button if you would like to reboot now, otherwise click on the ‘No’ button to reboot later.



    O23 - Service: McAfee Application Installer Cleanup (0309391173006166) (0309391173006166mcinstcleanup) - McAfee, Inc.- C:\WINDOWS\TEMP\030939~1.EXE
    The above item appears to have been orphaned/left behind:

    Stop and Disable a Service
    • Go to Start » Run » type: Services.msc » OK.
    • Scroll down and find this service: (bracketed service name{s})
    • Double-click on it.
    • Under the General tab, click the Stop button.
    • Then change the Startup Type to Disabled.
    • Click Apply and then OK.
    Next:
    • Run HijackThis.
    • Click on ’Open the Misc Tools section’.
    • Click on ’Delete an NT Service’.
    • Enter the (service name identified in brackets) into that field (make sure there are NO spaces before or after the name):
      service name(s)
    • Click OK and select NO when asked to reboot.


    REBOOT and let us see a new HijackThis log. Let us know how you PC is now behaving.
  • 13-03-2007  #10
    ninamackie
    ninamackie is offline Newbie
    Save 20% on AVG Internet Security 2012 Suite!
    Hi again.

    I'm still not having much joy with this bhobhao file? I tried all of your suggestions including attempting to delete the file upon restart and it still didn't remove it.

    I am also unable to delete the file in safe mode.

    As far as fixing the 'O23 - Service: McAfee Application Installer Cleanup (0309391173006166) (0309391173006166mcinstcleanup) - McAfee, Inc.- C:\WINDOWS\TEMP\030939~1.EXE ' the file cannot be located at all so i dont know how what to do with this.

    I have posted a new hijackthis log:

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\Program Files\SiteAdvisor\6028\SAService.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\HijackThis\HijackThis.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\WINDOWS\system32\imapi.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=22028
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
    O2 - BHO: (no name) - {56FA2DD4-979B-4314-A21D-399A472FA5E3} - C:\WINDOWS\system32\bhoabho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [PCEyeLic] "C:\Program Files\PCEye2000\pceye2000.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] "C:\Program Files\Logitech\Video\ISStart.exe"
    O4 - HKLM\..\Run: [LogitechVideoTray] "C:\Program Files\Logitech\Video\LogiTray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
    O20 - Winlogon Notify: jtanlntc - C:\WINDOWS\SYSTEM32\bhoabho.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: lxby_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbycoms.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe

    Sorry

    Nina
    • + Reply to Thread
    Page 1 of 2 1 2 LastLast
    « Cid Popups | Strange problem!?!?!?! »

    Similar Threads