0

I am running Win98Se. I have ran Adaware & Spybot search & destroy. Adaware didn't find the Vbouncer but Spybot did. Spybot could not remove...restarted and ran Spybot on start up - it still can't remove Vbouncer (7 entries). HIjackthis log to follow. Any help would be greatly appreciated!!
Regards,
Georgia
Logfile of HijackThis v1.97.7
Scan saved at 12:33:25 AM, on 8/15/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\MWW32\MANAGER\MWSSW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\SONY\IMAGESTATION\USB DIRECT CONNECT\SONYC2W.EXE
C:\PROGRAM FILES\EXPLOREANYWHERE\HYPERTIME2\SB32MON.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\WINDOWS\DESKTOP\YPTF$075.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\FOTONATION\EVLSTNR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & DestroyNEW\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [1Win32Cfg] C:\PROGRAM FILES\EXPLOREANYWHERE\ASSIST1\ASSIST.EXE
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SonyC2W] C:\Program Files\Sony\ImageStation\USB Direct Connect\SonyC2W.exe
O4 - HKLM\..\Run: [System32] C:\PROGRAM FILES\EXPLOREANYWHERE\HYPERTIME2\SB32MON.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - Startup: D-Link AirPlus Utility.lnk = C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
O4 - Startup: ThinkPad Modem Copyright.lnk = C:\WINDOWS\MWW32\MANAGER\MWCPYRT.EXE
O4 - Startup: windows clock patch.lnk = C:\WINDOWS\Desktop\yptf$075.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,30
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {DF304508-B304-11D3-B860-00201857EBF5} (Pixami Print Layout Control) - http://www.imagestation.com/common/classes/BPPrintClient.cab?ver=2,0,0,50
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

2
Contributors
3
Replies
4
Views
13 Years
Discussion Span
Last Post by crunchie
0

Hi. First of all you need to update hijackthis to version 1.98.2. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by deleting the file manually. Unzip the new version into the hijackthis folder.
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

O4 - Startup: windows clock patch.lnk = C:\WINDOWS\Desktop\yptf$075.exe

Delete this file yptf$075.exe from your startup folder & from the desktop.
Run a search for virtualbouncer & manually delete all references to it. You may have to be in safe mode.
Upgrade IE to version 6 for better security.
Post another log from the newer version of hijackthis.
Check in add/remove programs for virtualbouncer.

0

i downloaded new hijackthis and also the update for Internet Explorer. After the Internet Explorer update I was unable to perform any functions on my computer...I unistalled and was finally able to get some programs working...I was able to delete the files associated w/ Vbouncer (7 of them) but now having bigtime computer problems. Won't let me start in safe mode - won't let me run Adaware or Spybot - it starts then locks up. Computer shutting down on it's own then tries to run scandisk on startup w/ surface analysis - which also gets hung up....I am at wit's end!
When I try to run scandisk after Windows has started it states there is something writing to drive C and it can't complete the scanning process.
This is my most recent hijackthis log - if anyone can help I would appreciate it!!!!
Regards,
Georgia
Logfile of HijackThis v1.98.2
Scan saved at 3:06:18 PM, on 8/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.51 SP1 (5.51.4807.2300)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\MWW32\MANAGER\MWSSW32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\PROGRAM FILES\SONY\IMAGESTATION\USB DIRECT CONNECT\SONYC2W.EXE
C:\PROGRAM FILES\D-LINK AIRPLUS\AIRPLUS.EXE
C:\PROGRAM FILES\COMMON FILES\FOTONATION\EVLSTNR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [SonyC2W] C:\Program Files\Sony\ImageStation\USB Direct Connect\SonyC2W.exe
O4 - HKLM\..\Run: [ScanSys32] C:\PROGRAM FILES\EXPLOREANYWHERE\HYPERTIME2\SB32MON.EXE
O4 - Startup: D-Link AirPlus Utility.lnk = C:\Program Files\D-Link AirPlus\AIRPLUS.EXE
O4 - Startup: ThinkPad Modem Copyright.lnk = C:\WINDOWS\MWW32\MANAGER\MWCPYRT.EXE
O4 - Startup: windows clock patch.lnk = C:\WINDOWS\Desktop\yptf$075.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,30
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {DF304508-B304-11D3-B860-00201857EBF5} (Pixami Print Layout Control) - http://www.imagestation.com/common/classes/BPPrintClient.cab?ver=2,0,0,50
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

0

You have hijackthis running from a temp folder. Please do the following before we continue;
Click My Computer, then C:\
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

You have a keylogger called *spybuddy* on your comp that needs to be removed.

You need an antivirus & firewall.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.