Ad:

Viruses, Spyware and other Nasties Discussion Thread
Unsolved
Views: 4478

You are currently viewing page 1 of this multi-page discussion thread

Nov 9th, 2009

XP Help - Explorer.exe problems

Expand Post »

Whenever I load up windows, explorer.exe will not start. I can open up task manager and launch it from there, but it will close within the next ten seconds. I have done a Malware Bytes Anti Malware scan, and it turns out I have a vundo infection.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:41:02 PM, on 11/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kevin's Desktop\My Documents\Downloads\FixVundo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Content Filter\mfp.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\HijackThis\imabunny.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1060929
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1060929
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\\system32\\userinit.exe
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.206.201.8 oemantivir.microsoft.com
O1 - Hosts: 91.206.201.8 oemantivir.com
O1 - Hosts: 91.206.201.8 www.oemantivir.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (file missing)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (file missing)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\m8F5I5cAG.exe" /runcleanupscript
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\RunOnce: [UniblueRegistryBooster] "C:\Program Files\Uniblue\RegistryBooster 2010\launcher.exe" delay 20000
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Broken Internet access because of LSP provider 'icf.dll' missing
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolb...lerControl.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab57176.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDD0115A-5FED-479B-B841-811C9B5803F3}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL ,sozewema.dll c:\windows\system32\ralasife.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: yahidetuj - {ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d} - (no file)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Any help would be appreciated.

Similar Threads

Problem with explorer.exe not loading at login in Viruses, Spyware and other Nasties
Explorer.exe Problems in Windows NT / 2000 / XP
Erratic CPU usage and explorer.exe error in Windows NT / 2000 / XP
Explorer.exe problems in Windows NT / 2000 / XP
Buffer Overrun error in explorer.exe, popups, browser hijacks and more problems in Viruses, Spyware and other Nasties

FirstTimeUser

Reputation Points: 10

Solved Threads: 0

Light Poster

Offline

26 posts
since Nov 2009

Permalink

Nov 9th, 2009

Re: XP Help - Explorer.exe problems

I seem to have gotten rid of the Vundo infection, however explorer.exe shows as running but is not appearing at the bottom of the screen.

FirstTimeUser

Reputation Points: 10

Solved Threads: 0

Light Poster

Offline

26 posts
since Nov 2009

Permalink

Nov 10th, 2009

Re: XP Help - Explorer.exe problems

Click to Expand / Collapse Quote originally posted by FirstTimeUser ...

I seem to have gotten rid of the Vundo infection, however explorer.exe shows as running but is not appearing at the bottom of the screen.

You HJT is out of date - go ahead and delete it.

-- Can you post your MBAM scanlog?

-- Please download DDS by sUBs and save it to your Desktop
-- If your AV has a script blocker, please disable it
-- DoubleClick on dds.scr to run the tool

* A command box will open, displaying added information for your reading pleasure while DDS completes its scan.
* Upon completion, a Dialog Box should open instructing you to save and post the TWO resulting logs (DDS.txt & Attach.txt).

- Copy&Paste the DDS.txt into your next post.
- Please post Attach.txt as an attachment to your post - there is no need to Zip it. If you don’t know how to post an attachment, please Copy&Paste it along with the DDS.txt scanlog.

I or one of the other volunteers will check back as time permits.
I'll be gone until Tuesday evening EST.

Cheers

PhilliePhan

Moderator

Reputation Points: 169

Solved Threads: 106

Central Scrutinizer

Offline

1,576 posts
since Dec 2006

Permalink

Nov 10th, 2009

Re: XP Help - Explorer.exe problems

Here is DDS.txt

DDS (Ver_09-10-26.01) - NTFSx86
Run by Kevin's Desktop at 16:22:47.83 on Tue 11/10/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.651 [GMT -5:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Malwarebytes' Anti-Malware\m8F5I5cAG.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2010\klwtblfs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kevin's Desktop\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar =
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=1060929
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060929
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [UniblueRegistryBooster] "c:\program files\uniblue\registrybooster 2010\launcher.exe" delay 20000
mRun: [D-Link AirPlus G] c:\program files\d-link\airplus g\AirGCFG.exe
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\m8F5I5cAG.exe" /runcleanupscript
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: musicmatch.com\online
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} - hxxp://messenger.zone.msn.com/binary/WoF.cab57176.cab
TCP: {CDD0115A-5FED-479B-B841-811C9B5803F3} = 192.168.0.1
Notify: igfxcui - igfxdev.dll
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll ,c:\windows\system32\ralasife.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll,nasikaje.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: yahidetuj - {ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d} -
STS: {ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d}: tokatiluy
LSA: Notification Packages = scecli vutofudi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kevin'~1\applic~1\mozilla\firefox\profiles\v2jw9bm7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\kevin's desktop\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\kevin's desktop\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\byond\bin\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2009-10-14 36880]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-9-3 28544]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-10-10 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-3-22 450400]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-9-14 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-10-2 19472]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-7 38224]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [2007-8-4 19677]
S4 gupdate1c994aa5602f89a;Google Update Service (gupdate1c994aa5602f89a);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2009-11-10 20:25:54 0 ---ha-w- c:\windows\system32\BIT2.tmp
2009-11-10 03:43:31 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-10 03:43:31 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-10 03:41:18 0 d-----w- c:\program files\Kaspersky Lab
2009-11-10 03:41:18 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-11-10 03:23:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-10 01:17:39 1033216 ----a-w- c:\windows\test.exe
2009-11-09 23:53:29 0 d-----w- c:\program files\Uniblue
2009-11-09 23:16:57 0 d-----w- c:\docume~1\kevin'~1\applic~1\Uniblue
2009-11-09 22:56:44 54386 ----a-w- C:\crash.dmp
2009-11-09 22:56:02 281616 ----a-w- c:\windows\sediag.exe
2009-11-08 01:17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 01:17:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-08 01:17:07 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-30 02:17:15 0 d-----w- c:\program files\LimeWire
2009-10-29 23:54:44 0 d-----w- c:\program files\common files\TI Shared
2009-10-29 23:52:01 253672 ----a-w- c:\windows\system32\drivers\windrvr6.sys
2009-10-29 23:50:44 0 d-----w- c:\program files\Vernier Software
2009-10-29 02:03:30 0 d-----w- c:\program files\Audacity
2009-10-21 01:34:56 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-15 02:18:34 36880 ----a-w- c:\windows\system32\drivers\klbg.sys

==================== Find3M ====================

2009-10-20 00:00:35 3070976 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-10-11 02:36:28 0 -c--a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-11 02:36:26 0 -c--a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-03 00:39:44 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-10-01 20:11:09 38 ----a-w- c:\documents and settings\kevin's desktop\jagex_runescape_preferences.dat
2009-10-01 20:09:15 45 ----a-w- c:\documents and settings\kevin's desktop\jagex_runescape_preferences2.dat
2009-09-25 05:49:02 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:49:02 668672 ----a-w- c:\windows\system32\dllcache\wininet.dll
2009-09-25 05:49:02 628224 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-09-25 05:49:02 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-09-25 05:49:02 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-09-25 05:49:01 532480 ----a-w- c:\windows\system32\dllcache\mstime.dll
2009-09-25 05:49:01 449024 ------w- c:\windows\system32\dllcache\mshtmled.dll
2009-09-25 05:49:01 39424 ------w- c:\windows\system32\dllcache\pngfilt.dll
2009-09-25 05:49:01 146432 ------w- c:\windows\system32\dllcache\msrating.dll
2009-09-25 05:48:59 96256 ----a-w- c:\windows\system32\dllcache\inseng.dll
2009-09-25 05:48:59 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:48:59 81920 ----a-w- c:\windows\system32\dllcache\ieencode.dll
2009-09-25 05:48:59 55808 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-09-25 05:48:59 251904 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-09-25 05:48:59 16384 ----a-w- c:\windows\system32\dllcache\jsproxy.dll
2009-09-25 05:48:58 357888 ------w- c:\windows\system32\dllcache\dxtmsft.dll
2009-09-25 05:48:58 205312 ------w- c:\windows\system32\dllcache\dxtrans.dll
2009-09-25 05:48:58 151040 ------w- c:\windows\system32\dllcache\cdfview.dll
2009-09-25 05:48:58 1054208 ----a-w- c:\windows\system32\dllcache\danim.dll
2009-09-25 05:48:57 1024000 ------w- c:\windows\system32\dllcache\browseui.dll
2009-09-22 23:23:04 12380 -c--a-w- c:\docume~1\kevin'~1\applic~1\wklnhst.dat
2009-09-18 09:46:06 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-09-14 19:42:46 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-09-11 14:03:37 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:03:37 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 20:45:26 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:45:26 58880 ------w- c:\windows\system32\dllcache\msasn1.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-26 08:16:37 247326 ----a-w- c:\windows\system32\dllcache\strmdll.dll
2009-08-21 09:46:35 450560 ------w- c:\windows\system32\dllcache\jscript.dll
2009-08-18 04:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2007-07-07 20:26:43 22 -c--a-w- c:\program files\New Compressed (zipped) Folder.zip
2008-01-19 16:10:22 8 --sh--r- c:\windows\system32\7A7C3F9537.sys
2009-08-08 01:00:49 37888 --sha-w- c:\windows\system32\batujuko.dll
2009-08-10 20:25:23 52224 --sha-w- c:\windows\system32\bogerijo.dll
2009-08-09 20:25:53 61440 --sha-w- c:\windows\system32\dobonede.dll
2008-09-25 21:05:53 88 -csh--r- c:\windows\system32\E2614D71A5.sys
2009-08-09 20:25:53 38912 --sha-w- c:\windows\system32\hinirole.dll
2008-09-25 21:05:57 3558 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-10 20:25:56 52224 --sha-w- c:\windows\system32\vutofudi.dll

============= FINISH: 16:24:56.58 ===============

After restarting my computer, I have run another malware bytes scan and here is my log.

Malwarebytes' Anti-Malware 1.40
Database version: 2631
Windows 5.1.2600 Service Pack 2

8/15/2009 9:06:47 PM
mbam-log-2009-08-15 (21-06-47).txt

Scan type: Quick Scan
Objects scanned: 93546
Time elapsed: 9 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhld32 (Dialer) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System Tool (Fake.SystemTool) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\rscdhf\earosysguard.exe (Fake.SystemTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhld32.dll (Dialer) -> Quarantined and deleted successfully.

Attached Files

Attach.txt (25.7 KB, 15 views)

FirstTimeUser

Reputation Points: 10

Solved Threads: 0

Light Poster

Offline

26 posts
since Nov 2009

Permalink

Nov 10th, 2009

Re: XP Help - Explorer.exe problems

Click to Expand / Collapse Quote originally posted by FirstTimeUser ...

. . . . explorer.exe shows as running but is not appearing at the bottom of the screen.

Can you clarify what you mean by that?

You have some baddies remaining - Let's do this:

FIRST:
Please download JavaRa.zip to your Desktop and Extract it to its own folder.

-- Make sure ALL browsers are CLOSED.
-- DoubleClick on JavaRa.exe to run it and then select your language of choice.
-- Click Remove Older Versions.
-- Follow the prompts and a log will pop up. You can post this if you wish - I really don't need it, though.
-- Then, please go to http://www.java.com/en/ to download and install the latest version of Java.

THEN:
If you already have Combofix on your machine, DELETE it.
Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/comb...o-use-combofix
Please follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Will check back as time permits.

Cheers

Last edited by PhilliePhan; Nov 10th, 2009 at 11:03 pm. Reason: The Usual. . . .

PhilliePhan

Moderator

Reputation Points: 169

Solved Threads: 106

Central Scrutinizer

Offline

1,576 posts
since Dec 2006

Permalink

Nov 10th, 2009

Re: XP Help - Explorer.exe problems

Unfortunately, due to my system not letting me run explorer.exe, I cannot unzip JavaRa.zip, so far I have been using Task Manager to create new tasks to run programs. Whenever I try to run something I get the message
"The application or DLL C:\\WINDOWS\system32\nasikaje.dll is not a valid Windows image. Please check this against your installation diskette."
I can run .exe files however.

FirstTimeUser

Reputation Points: 10

Solved Threads: 0

Light Poster

Offline

26 posts
since Nov 2009

Permalink

Nov 10th, 2009

Re: XP Help - Explorer.exe problems

Click to Expand / Collapse Quote originally posted by FirstTimeUser ...

Unfortunately, due to my system not letting me run explorer.exe, I cannot unzip JavaRa.zip . . .
I can run .exe files however.

Go ahead and do the combofix step. Let me know if you run into any problems.

PP

PhilliePhan

Moderator

Reputation Points: 169

Solved Threads: 106

Central Scrutinizer

Offline

1,576 posts
since Dec 2006

Permalink

Nov 11th, 2009

Re: XP Help - Explorer.exe problems

Done and done, everything worked perfectly.

ComboFix 09-11-09.02 - Kevin's Desktop 11/10/2009 22:57.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1278.790 [GMT -5:00]
Running from: c:\documents and settings\Kevin's Desktop\My Documents\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\batujuko.dll
c:\windows\system32\dobonede.dll
c:\windows\system32\hinirole.dll
c:\windows\system32\junetike.dll.tmp
c:\windows\system32\meridewa.dll.tmp
c:\windows\system32\nasikaje.dll
c:\windows\system32\nelesoye.dll.tmp
c:\windows\system32\sujuwido.dll.tmp
c:\windows\system32\vileyela.dll.tmp
c:\windows\system32\yapakati.dll.tmp
c:\windows\system32\yusifabo.dll.tmp
c:\windows\Tasks\opqdxwfu.job
c:\windows\Tasks\tdkuwcek.job
c:\windows\TEMP\logishrd\LVPrcInj05.dll

----- BITS: Possible infected sites -----

hxxp://82.98.231.98
hxxp://82.98.231.99
.
((((((((((((((((((((((((( Files Created from 2009-10-11 to 2009-11-11 )))))))))))))))))))))))))))))))
.

2009-11-10 03:53 . 2009-11-10 03:53 932368 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\profiles-1-6.dll
2009-11-10 03:53 . 2009-11-10 03:53 678416 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\content_interpreter-1-1.dll
2009-11-10 03:53 . 2009-11-10 03:53 604688 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\gsg-3-9.dll
2009-11-10 03:53 . 2009-11-10 03:53 1096208 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\filtration-4-6.dll
2009-11-10 03:53 . 2009-11-10 03:53 522768 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\KasFlt\Plugins\database-1-5.dll
2009-11-10 03:43 . 2009-11-10 03:43 95259 ----a-w- c:\windows\system32\drivers\klick.dat
2009-11-10 03:43 . 2009-11-10 03:43 108059 ----a-w- c:\windows\system32\drivers\klin.dat
2009-11-10 03:41 . 2009-11-10 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-11-10 03:41 . 2009-11-10 03:41 -------- d-----w- c:\program files\Kaspersky Lab
2009-11-10 03:23 . 2009-11-10 03:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-10 01:17 . 2007-06-13 10:23 1033216 ----a-w- c:\windows\test.exe
2009-11-09 23:53 . 2009-11-09 23:53 -------- d-----w- c:\program files\Uniblue
2009-11-09 23:16 . 2009-11-09 23:16 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\Uniblue
2009-11-09 22:56 . 2009-10-19 21:24 281616 ----a-w- c:\windows\sediag.exe
2009-11-08 01:17 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-08 01:17 . 2009-11-08 16:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-08 01:17 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-31 21:04 . 2009-10-31 21:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2009-10-30 02:17 . 2009-10-30 02:17 -------- d-----w- c:\program files\LimeWire
2009-10-29 23:54 . 2009-10-29 23:54 -------- d-----w- c:\program files\Common Files\TI Shared
2009-10-29 23:52 . 2003-05-21 22:58 253672 ----a-w- c:\windows\system32\drivers\windrvr6.sys
2009-10-29 23:50 . 2009-10-29 23:50 -------- d-----w- c:\program files\Vernier Software
2009-10-29 02:03 . 2009-10-29 02:03 -------- d-----w- c:\program files\Audacity
2009-10-21 01:34 . 2009-10-21 01:34 219664 ----a-w- c:\windows\system32\klogon.dll
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-15 02:18 . 2009-10-15 02:18 36880 ----a-w- c:\windows\system32\drivers\klbg.sys
2009-10-13 19:41 . 2009-10-13 19:41 -------- d-----w- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\AIM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-10 20:25 . 2009-11-10 20:25 0 ---ha-w- c:\windows\system32\BIT2.tmp
2009-11-10 03:39 . 2009-03-12 21:36 -------- d-----w- c:\program files\Colorizer
2009-11-10 03:27 . 2009-08-29 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-10 00:16 . 2008-02-05 02:24 -------- d-----w- c:\program files\Red Kawa
2009-11-09 22:55 . 2006-09-29 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-08 16:58 . 2009-10-10 19:18 -------- d-----w- c:\program files\Steam
2009-11-08 03:33 . 2008-10-09 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-11-07 01:08 . 2006-10-08 03:54 74360 -c--a-w- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-05 02:57 . 2007-02-09 01:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-04 02:42 . 2006-09-29 15:21 -------- d-----w- c:\program files\Microsoft Works
2009-10-31 02:25 . 2008-11-08 18:51 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\LimeWire
2009-10-29 02:03 . 2009-03-04 20:48 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\Audacity
2009-10-20 22:06 . 2008-10-21 20:06 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\CameraWindowDC
2009-10-20 22:06 . 2008-10-21 20:11 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\ZoomBrowser EX
2009-10-11 02:36 . 2008-12-27 03:34 0 -c--a-w- c:\windows\system32\drivers\lvuvc.hs
2009-10-11 02:36 . 2008-12-27 03:34 0 -c--a-w- c:\windows\system32\drivers\logiflt.iad
2009-10-10 19:03 . 2008-09-13 15:54 -------- d-----w- c:\program files\SystemRequirementsLab
2009-10-10 19:03 . 2009-10-10 19:03 138240 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_d.dll
2009-10-10 19:03 . 2009-10-10 19:03 138240 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_c.dll
2009-10-10 19:03 . 2009-10-10 19:03 138240 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_b.dll
2009-10-10 19:03 . 2009-10-10 19:03 138240 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab\SRLProxy_srl_4_1_13_0_a.dll
2009-10-10 19:03 . 2008-09-13 15:54 -------- d-----w- c:\documents and settings\Kevin's Desktop\Application Data\SystemRequirementsLab
2009-10-03 00:39 . 2009-10-03 00:39 19472 ----a-w- c:\windows\system32\drivers\klmouflt.sys
2009-10-01 20:11 . 2008-07-01 16:12 38 ----a-w- c:\documents and settings\Kevin's Desktop\jagex_runescape_preferences.dat
2009-10-01 20:09 . 2009-09-02 20:42 45 ----a-w- c:\documents and settings\Kevin's Desktop\jagex_runescape_preferences2.dat
2009-09-30 21:19 . 2009-09-30 21:19 -------- d-----w- c:\program files\Poladroid
2009-09-25 05:49 . 2004-08-10 17:51 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2004-08-10 17:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-23 21:12 . 2006-09-29 15:18 -------- d-----w- c:\program files\McAfee
2009-09-22 23:23 . 2006-10-17 00:50 12380 -c--a-w- c:\documents and settings\Kevin's Desktop\Application Data\wklnhst.dat
2009-09-22 00:51 . 2008-11-19 22:34 -------- d-----w- c:\program files\SwiftKit
2009-09-14 19:42 . 2009-09-14 19:42 32272 ----a-w- c:\windows\system32\drivers\klim5.sys
2009-09-11 14:03 . 2004-08-10 17:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 00:01 . 2009-09-10 00:01 27675 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-09-04 20:45 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 20:29 . 2009-09-01 20:29 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-08-26 08:16 . 2004-08-10 17:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 21:04 . 2009-08-14 21:04 239088 ----a-w- c:\documents and settings\Kevin's Desktop\Application Data\Mozilla\plugins\npgoogletalk.dll
2007-07-07 20:26 . 2007-07-07 20:26 22 -c--a-w- c:\program files\New Compressed (zipped) Folder.zip
2008-01-19 16:10 . 2008-01-19 16:10 8 --sh--r- c:\windows\system32\7A7C3F9537.sys
2009-08-10 20:25 . 2009-08-10 20:25 52224 --sha-w- c:\windows\system32\bogerijo.dll
2008-09-25 21:05 . 2006-11-19 15:37 88 -csh--r- c:\windows\system32\E2614D71A5.sys
2008-09-25 21:05 . 2006-11-19 15:37 3558 -csha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-10 20:25 . 2009-08-10 20:25 52224 --sha-w- c:\windows\system32\vutofudi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"UniblueRegistryBooster"="c:\program files\Uniblue\RegistryBooster 2010\launcher.exe" [2009-09-29 59184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 1228800]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\m8F5I5cAG.exe" [2009-11-08 1312080]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BYOND\\bin\\dreamseeker.exe"=
"c:\\Program Files\\BYOND\\bin\\byond.exe"=
"c:\\Program Files\\Java\\jre1.5.0_06\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\BYOND\\bin\\dreamdaemon.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\Kevin's Desktop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Kevin's Desktop\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"43594:TCP"= 43594:TCP:Mopar
"8000:TCP"= 8000:TCP

houtcast
"1080:TCP"= 1080:TCP

ream Seeker
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"88:TCP"= 88:TCP

box1
"3074:TCP"= 3074:TCP

box2

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [10/14/2009 9:18 PM 36880]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [9/3/2009 3:54 PM 28544]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/10/2007 5:03 PM 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [3/22/2005 6:17 PM 450400]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [9/14/2009 2:42 PM 32272]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [10/2/2009 7:39 PM 19472]
S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [8/4/2007 3:57 PM 19677]
S4 gupdate1c994aa5602f89a;Google Update Service (gupdate1c994aa5602f89a);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-178163009-3832439473-3373767962-1007Core.job
- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-04 19:32]

2009-11-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-178163009-3832439473-3373767962-1007UA.job
- c:\documents and settings\Kevin's Desktop\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-04 19:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=1060929
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
Trusted Zone: musicmatch.com\online
TCP: {CDD0115A-5FED-479B-B841-811C9B5803F3} = 192.168.0.1
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
FF - ProfilePath - c:\documents and settings\Kevin's Desktop\Application Data\Mozilla\Firefox\Profiles\v2jw9bm7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL -
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - plugin: c:\documents and settings\Kevin's Desktop\Application Data\Move Networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\Kevin's Desktop\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\program files\BYOND\bin\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
SharedTaskScheduler-{ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d} - (no file)
SSODL-yahidetuj-{ff0c3b8e-1f28-4d76-8cc5-7f6674b75d1d} - (no file)
SafeBoot-Lavasoft Ad-Aware Service
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-Colorizer 1.0.0.1 - c:\progra~1\COLORI~1\UNWISE.EXE
AddRemove-Google Updater - c:\program files\Google\Google Updater\GoogleUpdater.exe
AddRemove-HijackThis - c:\program files\HijackThis\HijackThis.exe
AddRemove-{2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-10 23:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe >>UNKNOWN [0x8A7A2808]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> 0x8a7a2808
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-178163009-3832439473-3373767962-1007\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0A8CA16A-C292-5E3E-9663-94F025F4EA6E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abkahkaadijlibbfgilalckliclgdpnmnp"=hex:61,61,00,00
"bbkahkaadijlibbfgiiaicbplhngehhepmfg"=hex:61,61,00,00

[HKEY_USERS\S-1-5-21-178163009-3832439473-3373767962-1007\Software\SecuROM\License information*]
"datasecu"=hex:cb,4a,48,8e,2c,73,8c,30,65,5e,ff,7e,b4,a7,cd,c2,d0,48,d7,37,b7,
2d,19,53,f1,29,f8,57,7b,52,b9,53,d0,99,d3,f4,0c,48,eb,e2,77,03,dd,aa,08,05,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
.
------------------------ Other Running Processes ------------------------
.
c:\program files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-11-11 23:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-11 04:32

Pre-Run: 6,068,080,640 bytes free
Post-Run: 5,902,925,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=4 Default=4 Failed=2 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 145F4397D0E6C5393D1E3445C6B24DC7

FirstTimeUser

Reputation Points: 10

Solved Threads: 0

Light Poster

Offline

26 posts
since Nov 2009

Permalink

Nov 11th, 2009

Re: XP Help - Explorer.exe problems

Click to Expand / Collapse Quote originally posted by FirstTimeUser ...

Done and done, everything worked perfectly.

Great! We are making some progress - still a bunch to do, though.

Please do this first:
-- Download mbr.exe to your C:\ Drive ---> C:\mbr.exe
-- Navigate to C:\mbr.exe and DoubleClick it to run it. It will run quickly and a log will appear on your C:\Drive ---> C:\mbr.log
--Please Rename that to mbr-1.log

THEN:
Click START > RUN > type or Copy&Paste mbr.exe -f ENTER
(note the space between .exe <space> -f if you type it)
-- Let the tool run and another mbr.log will appear on C:\Drive.

Please post Both logs for me and we'll go from there.

PP

PhilliePhan

Moderator

Reputation Points: 169

Solved Threads: 106

Central Scrutinizer

Offline

1,576 posts
since Dec 2006

Permalink

Nov 11th, 2009

Re: XP Help - Explorer.exe problems

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

mbr.exe -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

FirstTimeUser

Reputation Points: 10

Solved Threads: 0

Light Poster

Offline

26 posts
since Nov 2009

Page 1
2
3
4
5
Next

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.

Previous Thread in Viruses, Spyware and other Nasties Forum Timeline: Virus sent email to all contacts.

Next Thread in Viruses, Spyware and other Nasties Forum Timeline: trojandownload threat

DaniWeb Message

Cancel Changes

User Name
Password