Mobile/PDA About Us Advertise here
User User name Password  
  Not registered yet? Register here.
Lost your password? Click here. 		 
  Home   News   Guides   Downloads   Glossary   Hardware   Profiles   Forums  
 Advertise at AfterDawn.com     Link to us!     Private messages     Compose a private message     List of all updated threads     Threads without replies     Search messages
Saturday 4.7.2009 / 16:03
Search:        In English   Suomeksi   Pĺ svenska
afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > explorer keeps closing
Show topics
 
Forums
Forums
explorer keeps closing
  Jump to:
 
Posted Message
BALLATONY
Junior Member
_ 		20. February 2008 @ 19:38 _ Link to this message    Send private message to this user   
i need help explorer keeps closing i did a scan and i cant delete these
win32/vundo
win32/harnig
win32/look2me

heres the hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 6:34:43 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\AMV Convert Tool 3.70\AMVConverter\grab.html
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resourc...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1159410450625
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/v...5/installer.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/v...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
[ + quote]
Advertisement
_ 		__
QuikDraw
Senior Member
_ 		20. February 2008 @ 20:38 _ Link to this message    Send private message to this user   
EDIT
[ + quote]

This message has been edited since posting. Last time this message was edited on 21. February 2008 @ 03:46
Ltangel
Member
_ 		20. February 2008 @ 21:19 _ Link to this message    Send private message to this user   
Quikdraw,

Why ask him so many questions when you can have a look at his log first? From his log, I already see a software that is not supposed to be there.

BALLATONY,

Please hold on a moment, I'll have a look at your log.
[ + quote]
Ltangel
Member
_ 		20. February 2008 @ 22:00 _ Link to this message    Send private message to this user   
Hey BALLATONY,

I need you to enable "View hidden files and folders" as some of the files are not showing in the HijackThis logs.

Enable view hidden files and folders

* Please go to Start>Control Panel>Appearance and themes>Folder options.
* Under view tab, "Hidden files and folders", ensure that "Show hidden files and folders" is selected.

Now, please post a fresh HijackThis log.

Thanks.

~Ltangel~
[ + quote]
BALLATONY
Junior Member
_ 		21. February 2008 @ 01:55 _ Link to this message    Send private message to this user   
is there another way
because i dont have the bar at the bottom where the start button is
because windows explorer keeps closing
[ + quote]
QuikDraw
Senior Member
_ 		21. February 2008 @ 02:01 _ Link to this message    Send private message to this user   
EDIT
[ + quote]

This message has been edited since posting. Last time this message was edited on 21. February 2008 @ 03:44
BALLATONY
Junior Member
_ 		21. February 2008 @ 02:06 _ Link to this message    Send private message to this user   
Originally posted by QuikDraw:
 How long have you been experiencing this problem?
Are you receiving any error message?
How long has it been: Since you ran a registry cleaner,
Cleaned your cashe and cookies, ran disc cleanup and disc defragmenter?

EDIT:
Have you tried a browser RESET?
How much RAM is installed?
how long about a week
no error messages
never done a registry clean doing one right now
cleaned cashe and cookies today, havent done a disk cleanup or defrag
browser reset? how do i do that
ram installed 512mb i think dont really know
[ + quote]
QuikDraw
Senior Member
_ 		21. February 2008 @ 02:14 _ Link to this message    Send private message to this user   
EDIT
[ + quote]

This message has been edited since posting. Last time this message was edited on 21. February 2008 @ 03:42
Ltangel
Member
_ 		21. February 2008 @ 02:36 _ Link to this message    Send private message to this user   
BALLATONY,

Sorry for the hassle, but can you download the latest version of HijackThis?

* Click here to download HJTsetup.exe

* Save HJTsetup.exe to your desktop.
* Doubleclick on the HJTsetup.exe icon on your desktop.
* By default it will install to C:\Program Files\Hijack This.
* Put a check by Create a desktop icon then click Next.
* Continue to follow the rest of the prompts from there.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Paste the log in your next reply.

Note: DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Thanks.
[ + quote]

This message has been edited since posting. Last time this message was edited on 21. February 2008 @ 02:42
QuikDraw
Senior Member
_ 		21. February 2008 @ 02:50 _ Link to this message    Send private message to this user   
EDIT
[ + quote]

This message has been edited since posting. Last time this message was edited on 21. February 2008 @ 03:47
Ltangel
Member
_ 		21. February 2008 @ 03:11 _ Link to this message    Send private message to this user   
Originally posted by QuikDraw:
 Yeah, maybe you can help Ballatony just like you helped this other guy. http://forums.afterdawn.com/thread_view.cfm/628015 Days and days go by and the guys computer and HJK log is still screwed up! CLUELESS! Some Mr. Malware specialist, huh? LOL

Get a life!
Oh, and how good are you at this? I have gone through proper training , even though I'm still in training, I do know how to research for specific infections, and I do know what tools to use for what infections. So you say the other guy's log is messed up? Give an example entry?

Have YOU gone through ANY training? No, I doubt so, because from your post I can see it. Let's take Ballatony's log for example. Do you know that he has a rogue anti-spyware program on his computer? That rogue program could have caused the problem he is having now. Instead of urging him to remove the program, you ask him a series of questions which are not even required to do the fixing.

There is another problem with Ballatony's log, he has multiple anti-virus softwares on his computer. Do you know what the consequences of that is? You don't, because you don't even know the basics of malware removal.

Lastly, do you know that just fixing the entries in HijackThis is NOT ENOUGH? Hijackthis cannot delete the offending files in certain entries, and you need to do it in safe mode.

Tell me if you know all this, before you tell me to "get a life". Because if you don't even know the above, you are NOT a qualified helper.

If you have ANYTHING against me, please PM me and not post it on another member's log. It's not only impolite, it does not give anyone a good impression of you.
[ + quote]

This message has been edited since posting. Last time this message was edited on 21. February 2008 @ 03:13
QuikDraw
Senior Member
_ 		21. February 2008 @ 03:55 _ Link to this message    Send private message to this user   
EDIT
[ + quote]

This message has been edited since posting. Last time this message was edited on 21. February 2008 @ 22:10
Ltangel
Member
_ 		21. February 2008 @ 03:59 _ Link to this message    Send private message to this user   
Originally posted by BALLATONY:
Originally posted by QuikDraw:
 How long have you been experiencing this problem?
Are you receiving any error message?
How long has it been: Since you ran a registry cleaner,
Cleaned your cashe and cookies, ran disc cleanup and disc defragmenter?

EDIT:
Have you tried a browser RESET?
How much RAM is installed?
how long about a week
no error messages
never done a registry clean doing one right now
cleaned cashe and cookies today, havent done a disk cleanup or defrag
browser reset? how do i do that
ram installed 512mb i think dont really know



Please DO NOT do a registry clean. Registry is not something to be tampered with, especially when you don't know anything about them. Please follow my previous instructions and do a scan with HiajckThis and post a log.

Thanks.
[ + quote]
BALLATONY
Junior Member
_ 		21. February 2008 @ 09:33 _ Link to this message    Send private message to this user   
ok heres the log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:39 AM, on 2/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resourc...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1159410450625
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/v...5/installer.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/v...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8602 bytes
[ + quote]
Ltangel
Member
_ 		21. February 2008 @ 22:02 _ Link to this message    Send private message to this user   
Thanks, I'm reviewing it now. Please wait for my reply.

:)


[ + quote]
Windows and system security is my priority.
Ltangel
Member
_ 		21. February 2008 @ 23:40 _ Link to this message    Send private message to this user   
Hey BALLATONY,

From your log, you have multiple anti-virus and anti-spyware protection on your computer. This can cause conflicts, I recommend that you do the following:

Please remove these programs from Add/Remove Programs in the Control Panel:

Yahoo! Antivirus
Eset Anti-virus
Symantec AntiVirus
Windows Defender

We'll keep Avast anti-virus and Spyware doctor as your protection for viruses and spywares. Before we proceed with the fix, I need you to temporarily disable Spyware Doctor protection, as it can hinder with the fix.

1. From within Spyware Doctor, click the "OnGuard" button on the left side.
2. Uncheck "Activate OnGuard".
--------------------------------------------------------------------

Please read the entire instructions before commencing, if you have anything you don't understand, feel free to ask. It's best that you print out the instructions for later reference, we may need to reboot in between the fixing.

Fix Vundo infection

Please download VundoFix.exe to your desktop.

* Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.

--------------------------------------------------------------------

Fix Look2Me

We'll use F-Look2Me to remove Look2Me. (Make sure you are logged in with administrative privileges)

1. Go to www.f-secure.com/tools/f-look2me.zip and download and unzip f-look2me.zip to your Desktop.
2. Run f-look2me.exe
3. Reboot the machine

---> F-Look2Me loads itself as a service to gain system privileges. The service renames infected files and patches the adware in memory. It also restores Debug Privileges for group Administrators.


--------------------------------------------------------------------

Fix HJT entries

In the HJT entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customiz...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [Malware Scanner] C:\Program Files\MalwareRemover.com\Malware Scanner\MalScr.exe (http://www.hijackfree.com/en/processdetails/?id=1332)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" - This is a rogue anti-spyware program, while it is not malware, it is recommended that you remove it. Please take a look at the following list of rogue anti-spyware and decide if you want to remove it.

O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll - This is a toolbar associated with SpywareTerminator, it's recommended that you remove it, along with SpywareTerminator.

Please close all other browsers/windows. Put a check next to the entries above and then click "Fix checked".

Now reboot into safe mode. (Restart Windows and press F8 continuously before Windows icon appear)

Go to Add/Remove Programs in Control Panel, remove the following programs (if present):

MalwareRemover.com
Crawler
Spyware Terminator

Reboot into normal windows, and post a fresh HJT log.

--------------------------------------------------------------------

Do an online scan with Panda Activescan

Let's try an online scan to see if there are any infections. You will need IE to do the scan.

Go here

1. Click the Scan your PC button
2. A new window will open, click the Check Now button
3. Enter your Country, State/Province and e-mail address and click send
4. Select Home User
5. Click the Scan Now button
8. Allow any installation of ActiveX component(s)
9. It will start downloading the files it requires for the scan (Note: It may take a while)
10. When done, click on My Computer
11. When the scan completes, click the See Report button, then save it to desktop. Post the contents of the ActiveScan report on here.

--------------------------------------------------------------------

In your next reply, please include:

Fresh HJT log
Activescan report
Description of how your PC is doing

Go!

~Ltangel~
[ + quote]
Windows and system security is my priority.

This message has been edited since posting. Last time this message was edited on 21. February 2008 @ 23:53
BALLATONY
Junior Member
_ 		23. February 2008 @ 15:35 _ Link to this message    Send private message to this user   
ok heres the hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:39 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dsl.sbc.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://att.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/2006...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resourc...wlscbase370.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1159410450625
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/v...5/installer.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/v...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://candystand.com/assets/activex/virtools/CacheManager.CAB
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.com/activex/HMAtchmt.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: ddcbyvu - C:\WINDOWS\SYSTEM32\ddcbyvu.dll
O20 - Winlogon Notify: ljjggfc - ljjggfc.dll (file missing)
O20 - Winlogon Notify: mllmj - C:\WINDOWS\
O20 - Winlogon Notify: rqrsqom - rqrsqom.dll (file missing)
O20 - Winlogon Notify: vtutt - C:\WINDOWS\
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6189 bytes


here the activescan log


Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\User\Cookies\user@adrevolver[1].txt
Spyware:Cookie/AdDynamix Not disinfected C:\Documents and Settings\User\Cookies\user@ads.addynamix[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\User\Cookies\user@ads.pointroll[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\User\Cookies\user@advertising[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\User\Cookies\user@advertising[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\User\Cookies\user@apmebf[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\User\Cookies\user@apmebf[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\user@atdmt[3].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\User\Cookies\user@bravenet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\User\Cookies\user@casalemedia[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\User\Cookies\user@doubleclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\User\Cookies\user@fastclick[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\User\Cookies\user@fastclick[3].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\User\Cookies\user@media.adrevolver[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\User\Cookies\user@mediaplex[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\User\Cookies\user@questionmarket[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\User\Cookies\user@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\User\Cookies\user@realmedia[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\User\Cookies\user@statse.webtrendslive[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\User\Cookies\user@trafficmp[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\User\Cookies\user@trafficmp[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\User\Cookies\user@tribalfusion[3].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\User\Cookies\user@zedo[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\User\Cookies\user@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\User\Local Settings\Temp\nsbC.tmp
Virus:Generic Trojan Not disinfected C:\Program Files\3gp_Video_converter.rar[3gp Video converter\all.xilisoft.products.2.00.keygen\All XiliSoft Products Keygen.exe]
Adware:Adware/VideoExtension Not disinfected C:\Program Files\True Sword 4\backuped\3\main_uninstaller.exe


Well explorer is know working and it seems a little faster
thanks for your help
[ + quote]

This message has been edited since posting. Last time this message was edited on 23. February 2008 @ 15:36
Ltangel
Member
_ 		23. February 2008 @ 20:53 _ Link to this message    Send private message to this user   
Your log looks slightly better now, great work! ;)

I'm currently reviewing your log, please be patient. Try not to download anything/visit any other sites during this while so as to prevent yourself from getting infected again.

Thanks for your cooperation. :)

~Ltangel
[ + quote]
Windows and system security is my priority.
Ltangel
Member
_ 		23. February 2008 @ 21:43 _ Link to this message    Send private message to this user   
Oops, I forgot something. Can you go to C:/ and post the VundoFix.txt on here? Thanks. :)


[ + quote]
Windows and system security is my priority.
BALLATONY
Junior Member
_ 		24. February 2008 @ 16:27 _ Link to this message    Send private message to this user   
aight here it is

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 5:08:29 PM 2/22/2008

Listing files found while scanning....

C:\WINDOWS\system32\hggdefg.dll
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\pmkhe.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hggdefg.dll
C:\WINDOWS\system32\hggdefg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\jjjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjjlm.ini2
C:\WINDOWS\system32\jjjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\mljjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhe.dll
C:\WINDOWS\system32\pmkhe.dll Has been deleted!

Performing Repairs to the registry.
Done!
[ + quote]
BALLATONY
Junior Member
_ 		25. February 2008 @ 21:34 _ Link to this message    Send private message to this user   
ok what do i do next
is my computer almost clean?
[ + quote]
Ltangel
Member
_ 		26. February 2008 @ 02:08 _ Link to this message    Send private message to this user   
Sorry for the delay, real life is keeping me packed.

I'll reply to you shortly. :)

Thanks.

~Ltangel~
[ + quote]
Windows and system security is my priority.
Ltangel
Member
_ 		26. February 2008 @ 02:59 _ Link to this message    Send private message to this user   
Hey BALLATONY,

Yes, we are almost done. One last round of scanning and we can close this. :)

Please read the entire instructions before commencing, if you have anything you don't understand, feel free to ask. It's best that you print out the instructions for later reference, we may need to reboot in between the fixing.

Fix entries with HJT

Please reopen HijackThis and "Do a system scan only".

Put a check on the entries below:

O20 - Winlogon Notify: ddcbyvu - C:\WINDOWS\SYSTEM32\ddcbyvu.dll
O20 - Winlogon Notify: ljjggfc - ljjggfc.dll (file missing)
O20 - Winlogon Notify: mllmj - C:\WINDOWS\
O20 - Winlogon Notify: rqrsqom - rqrsqom.dll (file missing)
O20 - Winlogon Notify: vtutt - C:\WINDOWS\


Close all windows/browsers and then click "Fix checked". Close HJT.

Now please reboot into safe mode. Press the F8 key on restart before the Windows icon appear.

Go to Add/Remove Programs in control panel and remove the following programs (if present):

3gp Video converter
True Sword 4

Then go to Windows Explorer, search for the following folders/files and delete them (if present):

Folders
C:\Program Files\True Sword 4
C:\Program Files\Spyware Terminator\
C:\Program Files\Crawler\

Files

C:\Program Files\3gp_Video_converter.rar
C:\WINDOWS\SYSTEM32\ddcbyvu.dll
C:\WINDOWS\SYSTEM32\ljjggfc.dll
C:\WINDOWS\SYSTEM32\mllmj
C:\WINDOWS\SYSTEM32\rqrsqom
C:\WINDOWS\SYSTEM32\vtutt.dll

Reboot back into normal windows.

--------------------------------------------------------------------

Clean your temporary files

Download ATF Cleaner.

*Double-click ATF-Cleaner.exe.
* Under Main tab choose "Select All".
* Click the Empty Selected button.

If you use Firefox browser

Click Firefox and choose Select All
Click the Empty Selected button.

If you use Opera browser

Click Opera at the top and choose Select All
Click the Empty Selected button.

Click Exit to close the program.

--------------------------------------------------------------------

Scan with Dr Web CureIT

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe


* Doubleclick the drweb-cureit.exe file and Allow to run the express scan.
* This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look if you can click next icon next to the files found:
* If so, click it and then click the next icon right below and select Move incurable.

This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)

* After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the report to your desktop. The report will be called DrWeb.csv.
* Close Dr.Web Cureit.
* Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.


--------------------------------------------------------------------

In your next reply, please include:

Fresh HijackThis log
Dr web scan report
Description of how your PC is doing (any more problems?)

Go!

~Ltangel~
[ + quote]
Windows and system security is my priority.

This message has been edited since posting. Last time this message was edited on 28. February 2008 @ 02:33
Ltangel
Member
_ 		3. March 2008 @ 05:48 _ Link to this message    Send private message to this user   
Do you still need help? If so, please do the instructions above and post a fresh HijackThis log. Thanks.

~Ltangel~
[ + quote]
Windows and system security is my priority.
Advertisement
_ 		__
 
_
Ltangel
Member
_ 		7. March 2008 @ 07:41 _ Link to this message    Send private message to this user   
Due to the lack of response to the thread, I will stop assisting. If you still need help, please follow the latest instructions given and PM me.

Thanks.

~Ltangel~
[ + quote]
Windows and system security is my priority.
afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > explorer keeps closing
 

Digital video: AfterDawn.com | AfterDawn Forums
Music: MP3Lizard.com
Gaming: Blasteroids.com | Blasteroids Forums | Compare game prices
Software: Software downloads
Blogs: User profile pages
RSS feeds: AfterDawn.com News | Software updates | AfterDawn Forums
International: AfterDawn in Finnish | AfterDawn in Swedish | download.fi
Navigate: Search | Site map
About us: About AfterDawn Ltd | Advertise on our sites | Rules, Restrictions, Legal disclaimer & Privacy policy
Contact us: Send feedback | Contact our media sales team
 
  © 1999-2009 by AfterDawn Ltd.