0

Hello guys,

Recently I ran a Malwarebytes scan on my Windows 7, it identified a DLL file called 'XHffS.dll' as part of a trojan in the System32 folder, it then did something on the file but never remove it. After I rebooted my laptop, a message starts to pop out everytime I start Windows, saying something like "unable to run XHffS.dll, it is not one of the system's dll file". It's such an annoy keep seeing the pop out message, so i've been trying to delete it but it is untouchable. I've tried software like Eraser to unlock it from processes but it says that no locking handle found, and still fail to delete it.

Does anyone have a solution on this? Appreciate your help very much!

3
Contributors
14
Replies
16
Views
7 Years
Discussion Span
Last Post by birdking
0

Hello and welcome back to daniweb, sorry you have had to wait for a reply.
Post the MBA-M log so we can actually see what we are dealing with here. It can be found by opening the program and clicking on the Logs Tab. They are listed by date with the latest one at the bottom. Open the file and copy/paste it back here.

Edited by jholland1964: n/a

0

Here's the log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 6.1.7600

13/3/2010 12:45:10 AM
mbam-log-2010-03-13 (00-45-10).txt

Scan type: Quick Scan
Objects scanned: 87677
Time elapsed: 15 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.kzxf.net/?1027233) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\XHffS.dll (Trojan.Vundo) -> Delete on reboot.
C:\Users\Sushi\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk

0

You are running at least a 4 month old version of MBA-M. The newest version, released today is version 1.45 and the database version it at 3930. You need to update yours ASAP and run a new full scan with it. Remove all items found.
Reboot.
Then run a system scan with HiJackThis, download from HERE
Save both logs and post them back here.

0

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3937

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

31/3/2010 10:41:49 PM
mbam-log-2010-03-31 (22-41-49).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 229914
Time elapsed: 1 hour(s), 21 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e188f7a3-a04e-413e-99d1-d79a45f78506} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87ca3845-37fe-414c-81cf-e08a7d0f6779} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{e188f7a3-a04e-413e-99d1-d79a45f78506} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{e188f7a3-a04e-413e-99d1-d79a45f78507} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Thunder (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (www.kzxf.net/?1027233) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll (Trojan.BHO) -> Delete on reboot.
C:\Program Files\360\360safe\firstaid\SuperKiller.exe (Rogue.Installer) -> Delete on reboot.
C:\Program Files\vReveal\vReveal.exe (Trojan.Agent) -> Not selected for removal.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:59 AM, on 1/4/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\PPStream\PPSAP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\PPStream\PPStream.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Guitar Pro 5\GP5.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files\360\360safe\safemon\safemon.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Sushi\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.vexcast.com/download/vexcast.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ?÷?ˉ·àóù (ZhuDongFangYu) - 360.cn - C:\Program Files\360\360safe\deepscan\zhudongfangyu.exe

--
End of file - 7179 bytes

0

Where are you located?
One GLARING thing about your log is I note you are not running an anti-virus program or a firewall and it "appears" that you are engaged in some sort of p2p file sharing, downloading videos, etc., extremely dangerous activity in itself but to do so without a good anti-virus and firewall can be a "death sentence" for the computer and personal information.
Several of the infected items found are password stealing trojans, putting all of your personal information at very great risk...bank accounts, credit cards, etc. You immediately should contact your bank and credit card companies and alert them of the findings. You need to change all of your passwords on any private accounts immediately.

0

Thanks for the advice, I'm in south east asia region, I am aware of the risk but I don't install an antivirus so as to save more memory for heavy duties as my laptop is not very powerful. This is also the reason I never use credit card or any financial services which requires my password or important personal information over the internet. I do run scan with software like MBA-M frequently to keep my laptop clean of virus/spyware. Maybe you have any recommended antivirus which consumes just a very little memory when it's running in the background? That will be very helpful to me. :)

Anyway, did you find any solution to my problem from the logs I posted? MBA-M somehow converted the originally malicious XHffs.dll into harmless, just that I am annoyed by the error message which appears everytime after reboot.

0

Judy is away for a few days.

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:


O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O13 - Gopher Prefix:


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Copy and paste the following bold blue text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: fix.bat to your desktop.
Then double click on the fix.bat file on your desktop
You'll see a black screen flash,thats normal.

@echo off
sc stop ZhuDongFangYu
sc delete ZhuDongFangYu

Restart your PC.

===============

Rescan with Hijackthis and post the log.

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:57:10 PM, on 3/4/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\PPStream\PPSAP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: SafeMon Class - {B69F34DD-F0F9-42DC-9EDD-957187DA688D} - C:\Program Files\360\360safe\safemon\safemon.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PPS Accelerator] C:\Program Files\PPStream\ppsap.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Sushi\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.vexcast.com/download/vexcast.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--

0

Yup, I still getting the same error message stating that XHffs.dll is not part of the system dll and failed to run it :( It seems no way to remove this .dll from my computer. I don't find any process using it but when I try to remove it, it is said to be used by other processes.

0

I've tried the scan but it shows me the vb script error 800A0005, line 30 char 3. I'm using Windows 7, maybe it's not compatible with the OS?

0

Registry Report

Created by using RegScanner

Registry Key Name Type Data Key Modified Time Data Length
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\* 7 REG_BINARY 14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 00 31 00 00 00 00 00 6D 3C 36 22 10 00 57 69 6E 64 6F 77 73 00 3C 00 08 00 04 00 EF BE EE 3A A3 14 6D 3C 36 22 2A 00 00 00 9F B7 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 00 00 16 00 56 00 31 00 00 00 00 00 6C 3C 82 9A 10 00 53 79 73 74 65 6D 33 32 00 00 3E 00 08 00 04 00 EF BE EE 3A A4 14 6C 3C 82 9A 2A 00 00 00 9C BC 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 00 00 18 00 58 00 32 00 00 B0 00 00 EE 3A FA 09 20 00 58 48 66 66 53 2E 64 6C 6C 00 40 00 08 00 04 00 EF BE ED 3A A0 B9 ED 3A A0 B9 2A 00 00 00 6E 52 00 00 00 00 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 00 00 18 00 00 00 5/4/2010 9:34:27 PM 303

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\dll 0 REG_BINARY 14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 00 31 00 00 00 00 00 6D 3C 36 22 10 00 57 69 6E 64 6F 77 73 00 3C 00 08 00 04 00 EF BE EE 3A A3 14 6D 3C 36 22 2A 00 00 00 9F B7 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 00 00 16 00 56 00 31 00 00 00 00 00 6C 3C 82 9A 10 00 53 79 73 74 65 6D 33 32 00 00 3E 00 08 00 04 00 EF BE EE 3A A4 14 6C 3C 82 9A 2A 00 00 00 9C BC 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 00 00 18 00 58 00 32 00 00 B0 00 00 EE 3A FA 09 20 00 58 48 66 66 53 2E 64 6C 6C 00 40 00 08 00 04 00 EF BE ED 3A A0 B9 ED 3A A0 B9 2A 00 00 00 6E 52 00 00 00 00 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 00 00 18 00 00 00 13/3/2010 1:36:01 PM 303

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 38 REG_BINARY 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 00 00 64 00 32 00 00 00 00 00 00 00 00 00 00 00 58 48 66 66 53 2E 64 6C 6C 2E 6C 6E 6B 00 48 00 08 00 04 00 EF BE 00 00 00 00 00 00 00 00 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00 7/4/2010 10:21:15 PM 122

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.dll 0 REG_BINARY 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 00 00 64 00 32 00 00 00 00 00 00 00 00 00 00 00 58 48 66 66 53 2E 64 6C 6C 2E 6C 6E 6B 00 48 00 08 00 04 00 EF BE 00 00 00 00 00 00 00 00 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00 13/3/2010 1:43:09 PM 122

HKU\S-1-5-21-2654983429-2900233412-1670260279-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\* 7 REG_BINARY 14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 00 31 00 00 00 00 00 6D 3C 36 22 10 00 57 69 6E 64 6F 77 73 00 3C 00 08 00 04 00 EF BE EE 3A A3 14 6D 3C 36 22 2A 00 00 00 9F B7 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 00 00 16 00 56 00 31 00 00 00 00 00 6C 3C 82 9A 10 00 53 79 73 74 65 6D 33 32 00 00 3E 00 08 00 04 00 EF BE EE 3A A4 14 6C 3C 82 9A 2A 00 00 00 9C BC 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 00 00 18 00 58 00 32 00 00 B0 00 00 EE 3A FA 09 20 00 58 48 66 66 53 2E 64 6C 6C 00 40 00 08 00 04 00 EF BE ED 3A A0 B9 ED 3A A0 B9 2A 00 00 00 6E 52 00 00 00 00 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 00 00 18 00 00 00 5/4/2010 9:34:27 PM 303

HKU\S-1-5-21-2654983429-2900233412-1670260279-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\dll 0 REG_BINARY 14 00 1F 50 E0 4F D0 20 EA 3A 69 10 A2 D8 08 00 2B 30 30 9D 19 00 2F 43 3A 5C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 52 00 31 00 00 00 00 00 6D 3C 36 22 10 00 57 69 6E 64 6F 77 73 00 3C 00 08 00 04 00 EF BE EE 3A A3 14 6D 3C 36 22 2A 00 00 00 9F B7 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 00 00 16 00 56 00 31 00 00 00 00 00 6C 3C 82 9A 10 00 53 79 73 74 65 6D 33 32 00 00 3E 00 08 00 04 00 EF BE EE 3A A4 14 6C 3C 82 9A 2A 00 00 00 9C BC 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 53 00 79 00 73 00 74 00 65 00 6D 00 33 00 32 00 00 00 18 00 58 00 32 00 00 B0 00 00 EE 3A FA 09 20 00 58 48 66 66 53 2E 64 6C 6C 00 40 00 08 00 04 00 EF BE ED 3A A0 B9 ED 3A A0 B9 2A 00 00 00 6E 52 00 00 00 00 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 00 00 18 00 00 00 13/3/2010 1:36:01 PM 303

HKU\S-1-5-21-2654983429-2900233412-1670260279-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs 38 REG_BINARY 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 00 00 64 00 32 00 00 00 00 00 00 00 00 00 00 00 58 48 66 66 53 2E 64 6C 6C 2E 6C 6E 6B 00 48 00 08 00 04 00 EF BE 00 00 00 00 00 00 00 00 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00 7/4/2010 10:21:15 PM 122

HKU\S-1-5-21-2654983429-2900233412-1670260279-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.dll 0 REG_BINARY 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 00 00 64 00 32 00 00 00 00 00 00 00 00 00 00 00 58 48 66 66 53 2E 64 6C 6C 2E 6C 6E 6B 00 48 00 08 00 04 00 EF BE 00 00 00 00 00 00 00 00 2A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 00 48 00 66 00 66 00 53 00 2E 00 64 00 6C 00 6C 00 2E 00 6C 00 6E 00 6B 00 00 00 1C 00 00 00 13/3/2010 1:43:09 PM 122

Edited by birdking: n/a

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.