View Full Version : Vundo Trojans in REGISTRY KEYS
Ok so after scanning my system with XoftSpySE... i found out i have so much infected files that i didnt know of. But ill start by asking for help for Vundo Trojans in registry keys. To avoid being flamed i installed VundoFix and used it to scan for Vundos but no results were found.... Well there are 5 of them in my computer and its complete name is "Vundo-Troj/Agent-DJ". The are listed to be in...ill only type in one of the five Vundo's location becaus they have ridiculously long names...:
software\microsoft\windws\currentversion\explorer\browser helper objects\{8e13dde1-e013-47ec-9c4c-27c2f78bdd26}
Hope i get replies with help soon... thanks...
PS: Srry if my grammar sucks but im not originally from North America
Angelfire777
2007-01-14, 13:40
Hi, welcome to Safer Networking Forums!
To avoid being flamed i installed VundoFix and used it to scan for Vundos but no results were found....
You won't get flamed just because of that..Moreover, there are no flamers here..All the helpers, warriors and team spybot here are very friendly..
_________________________
Click HERE (http://ralphcaddell.com/Uploads/HjThis.exe) to download a self-extracting version of Hijackthis. Double click on the file, by default it will extract itself to C:\Hijackthis
Next, double click on Hijackthis.exe. Click "Scan System and Save a Logfile." A Notepad will appear in your screen, copy and paste the contents of the notepad to your next reply.
Oh ok...well to get back on topic may anyone help me?
Click HERE (http://ralphcaddell.com/Uploads/HjThis.exe) to download a self-extracting version of Hijackthis. Double click on the file, by default it will extract itself to C:\Hijackthis
Next, double click on Hijackthis.exe. Click "Scan System and Save a Logfile." A Notepad will appear in your screen, copy and paste the contents of the notepad to your next reply.
Please follow your helper's instructions. ;)
Ohhh ohhh lol im srry i thought that was his signature lmao
ok thanks for your help btw... =]... and about the VNC server...I dont think its a threat even though its listed as one in spyware scans because my dad installed it in my computer so he can control and fix my computer even if hes in Hong Kong.
--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 11:31:50 AM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Internet Apps\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Apps\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\steam\steam.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Internet Apps\No-IP\DUC20.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TELUS] M:\Install\TELUS.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: No-IP DUC.lnk = C:\Program Files\Internet Apps\No-IP\DUC20.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/sis/ReflexiveWebGameLoader.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.survival.com.my/tech/xmlsetup/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: explorer - explorer.dll (file missing)
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\Internet Apps\No-IP\DUC20.exe
O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\Internet Apps\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
Angelfire777
2007-01-15, 11:32
ok thanks for your help btw...
You're welcome.
I dont think its a threat even though its listed as one in spyware scans because my dad installed it in my computer so he can control and fix my computer even if hes in Hong Kong.
Yes some scanners flag it as a suspicious program because it can be used to remotely control your computer by hackers..
____________________________
Did you have Norton Antivirus before in your system?
Download FixSflog.exe by Symantec from here:
http://securityresponse.symantec.com/avcenter/FixSflog.exe
Save the file to a convenient location, such as your Windows desktop.
Close all the running programs.
If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
Locate the file that you just downloaded.
Double-click the FixSflog.exe file to start the removal tool.
click Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - (no file)
O20 - Winlogon Notify: req - C:\WINDOWS\system32\req.dll (file missing)
Close your browsers and all open windows except for HijackThis, then click "Fix checked".
*Configure your machine to view hidden files:
Windows XP
Click Start.
Open My Computer..
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.
*Using Windows Explorer, find and delete these files:
C:\WINDOWS\system32\req.dll
Empty your Recycle Bin.
*Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, Click Options > Change settings
Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
Back at the main window, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply
_______________________________________
*Click Start > Search > Click "All Files and Folders".
Under "Advanced Options", make sure the following are checked:
Search System Folders.
Search Hidden Files And Folders.
Search Subfolders.
Then into the search box, copy and paste the following (one at a time):
explorer.dll
Then, click Search after you copy and paste each of those. Take note of where the file is located.
*I would like you to scan that file for me.
Please go HERE (http://virusscan.jotti.org/). Click browse then, navigate to the file that you have searched for..
In the box there, type the exact location of where you found explorer.dll
Then click submit.
Please post the results to your next reply.
If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
On your next reply, please include a fresh HijackThis log, CureIt log, results of the jotti scan and a description on how your machine is running.
hmmm....one problem... when i search for "explorer.dll" i only see MTVNExplorer.dll...... is that the same one? Here are the two logs...
HijackThis
----------------
Logfile of HijackThis v1.99.1
Scan saved at 8:11:20 PM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Internet Apps\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Apps\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\steam\steam.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Internet Apps\No-IP\DUC20.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TELUS] M:\Install\TELUS.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: No-IP DUC.lnk = C:\Program Files\Internet Apps\No-IP\DUC20.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/sis/ReflexiveWebGameLoader.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.survival.com.my/tech/xmlsetup/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: explorer - explorer.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\Internet Apps\No-IP\DUC20.exe
O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\Internet Apps\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
CureIt
------------------
1.] lf_E8.tmp;C:\;Trojan.DownLoader.2778;Deleted.;
2.] CFD.exe;C:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Deleted.;
3.] FND90.NFI;C:\Program Files\ESET\cache;Trojan.LowZones.150;Deleted.;
4.] Serv-U5@ttdown.com.exe;C:\Program Files\Internet Apps\Serv-U;Tool.ASEye.2;Deleted.;
5.] ServUDaemon.BAK;C:\Program Files\Internet Apps\Serv-U;Program.ServUServer.5201;Deleted.;
6.] ServUDaemon.exe.org;C:\Program Files\Internet Apps\Serv-U;Program.ServUServer.60;Moved.;
7.] patch.exe;C:\Program Files\WinRAR;Tool.ASEye.2;Renamed.;
8.] 00053966.DLL;C:\RECYCLER\NPROTECT;Trojan.AproposAd;Deleted.;
9.] 00053970.dll;C:\RECYCLER\NPROTECT;Trojan.AproposAd;Deleted.;
10.] A0144137.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
11.] A0144138.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Adware.Apropos;Renamed.;
12.] A0144139.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
13.] A0144140.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
14.] A0144141.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
15.] A0144142.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
16.] A0144143.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
17.] A0144144.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
18.] A0144145.DLL;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
19.] A0144146.EXE;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
20.] A0149985.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP583;Adware.Relevant;Renamed.;
21.] A0150203.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP586;Adware.Relevant;Renamed.;
22.] A0150280.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP586;Program.ProxyOSS;Renamed.;
23.] MFEX-1.DAT;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP586\snapshot;Adware.Relevant;Renamed.;
24.] A0151771.sys;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP587;Trojan.NtRootKit.47;Deleted.;
25.] A0151831.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP587;Adware.NewDotNet;Renamed.;
26.] A0152058.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Trojan.AproposAd;Deleted.;
27.] A0152059.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Trojan.AproposAd;Deleted.;
28.] A0152073.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Tool.Prockill;Renamed.;
29.] A0152075.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Tool.ShutDown.11;Renamed.;
30.] A0152377.DLL;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Trojan.AproposAd;Deleted.;
31.] A0152378.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Trojan.AproposAd;Deleted.;
32.] Process.exe;C:\WINDOWS\system32;Tool.Prockill;Renamed.;
hmmm....one problem... when i search for "explorer.dll" i only see MTVNExplorer.dll...... is that the same one? Here are the two logs...
HijackThis
----------------
Logfile of HijackThis v1.99.1
Scan saved at 8:11:20 PM, on 1/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Internet Apps\No-IP\DUC20.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Apps\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\steam\steam.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Internet Apps\No-IP\DUC20.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8E13DDE1-E013-47ec-9C4C-27C2F78BDD26} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TELUS] M:\Install\TELUS.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Startup: No-IP DUC.lnk = C:\Program Files\Internet Apps\No-IP\DUC20.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/sis/ReflexiveWebGameLoader.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.survival.com.my/tech/xmlsetup/msxml4.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: explorer - explorer.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\Internet Apps\No-IP\DUC20.exe
O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\Internet Apps\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
CureIt
------------------
1.] lf_E8.tmp;C:\;Trojan.DownLoader.2778;Deleted.;
2.] CFD.exe;C:\Program Files\BroadJump\Client Foundation;Adware.Cfd;Deleted.;
3.] FND90.NFI;C:\Program Files\ESET\cache;Trojan.LowZones.150;Deleted.;
4.] Serv-U5@ttdown.com.exe;C:\Program Files\Internet Apps\Serv-U;Tool.ASEye.2;Deleted.;
5.] ServUDaemon.BAK;C:\Program Files\Internet Apps\Serv-U;Program.ServUServer.5201;Deleted.;
6.] ServUDaemon.exe.org;C:\Program Files\Internet Apps\Serv-U;Program.ServUServer.60;Moved.;
7.] patch.exe;C:\Program Files\WinRAR;Tool.ASEye.2;Renamed.;
8.] 00053966.DLL;C:\RECYCLER\NPROTECT;Trojan.AproposAd;Deleted.;
9.] 00053970.dll;C:\RECYCLER\NPROTECT;Trojan.AproposAd;Deleted.;
10.] A0144137.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
11.] A0144138.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Adware.Apropos;Renamed.;
12.] A0144139.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
13.] A0144140.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
14.] A0144141.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
15.] A0144142.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
16.] A0144143.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
17.] A0144144.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
18.] A0144145.DLL;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
19.] A0144146.EXE;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP570;Trojan.AproposAd;Deleted.;
20.] A0149985.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP583;Adware.Relevant;Renamed.;
21.] A0150203.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP586;Adware.Relevant;Renamed.;
22.] A0150280.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP586;Program.ProxyOSS;Renamed.;
23.] MFEX-1.DAT;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP586\snapshot;Adware.Relevant;Renamed.;
24.] A0151771.sys;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP587;Trojan.NtRootKit.47;Deleted.;
25.] A0151831.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP587;Adware.NewDotNet;Renamed.;
26.] A0152058.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Trojan.AproposAd;Deleted.;
27.] A0152059.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Trojan.AproposAd;Deleted.;
28.] A0152073.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Tool.Prockill;Renamed.;
29.] A0152075.exe;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Tool.ShutDown.11;Renamed.;
30.] A0152377.DLL;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Trojan.AproposAd;Deleted.;
31.] A0152378.dll;C:\System Volume Information\_restore{BD25047C-8356-49D4-B45F-25DDEF305BC1}\RP590;Trojan.AproposAd;Deleted.;
32.] Process.exe;C:\WINDOWS\system32;Tool.Prockill;Renamed.;
PS: And why the **** cant i log into my account in ANY website? Everyone i log in i just get redirected to the fill in your username and password page.
Oh and before i posted here on this forum, i manually got rid of some spyware like SurfSideKick by deleting files and registries....did i make a smart or dumb move?
Angelfire777
2007-01-16, 14:22
You didn't answer my question..
Did you have Norton Antivirus before in your system?
when i search for "explorer.dll" i only see MTVNExplorer.dll...... is that the same one? Here are the two logs...
No, I don't think they are.
Are you sure you posted the whole cureit log? And did you run the symantec tool I asked you to run?
PS: And why the **** cant i log into my account in ANY website? Everyone i log in i just get redirected to the fill in your username and password page.
We'll dig deeper.
Oh and before i posted here on this forum, i manually got rid of some spyware like SurfSideKick by deleting files and registries....did i make a smart or dumb move?
You should've asked me first..
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\RunServices: [avnort] C:\WINDOWS\msmbw.exe
O20 - Winlogon Notify: explorer - explorer.dll (file missing)
Close your browsers and all open windows except for HijackThis, then click "Fix checked".
*Download combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
1. Double click combofix.exe & follow the prompts.
2. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
ok im so srry its taking me so long to reply but ive been so busy with school exams that i dun even have time to follow your instructions, i promise ill get back to working on this as soon as my exams are done...thanks...just wanted you to know that im still here
Angelfire777
2007-01-19, 15:52
That's alright, you need to study well..Good luck with your exams, hope you get high grades:bigthumb:
Thanks for stopping by to notify us of your situation. We'll be standing by when you're ready:D:
This topic has been closed to prevent others with similar issues posting in it.
When you need it re-opened please send me a private message (pm) and provide a link to the thread. :)
Applies only to the original poster, anyone else with similar problems please start a new topic.