  1. #1
    Newbie
    Overall activity: 0%

    Join Date
    Dec 2007
    Posts
    12
    Liked
    0 times
    Points
    3,466
Hi

Recently I have been infected with some unknown virus which makes
my PC too slow, and the browser tries to connect without any request from me,
so I ran a lot of antispyware and trojan scanners but found nothing other than an unknown
process detected by Spyware Terminator, and this process is started by this DLL file
"mlJdedbY.dll". I tried to delete it but did not succeed, and also EXPLORER.exe consumes a lot of
memory.

HijackThis result:
Code:
Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:40:46 ?, on 26/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal
    
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\McAfee\MSK\MskAgent.exe
    C:\WINDOWS\vcdplayx.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\Program Files\McAfee\MSK\MskSrver.exe
    D:\oracle\ora90\bin\agntsrvc.exe
    D:\oracle\ora90\Apache\Apache\Apache.exe
    C:\WINDOWS\SYSTEM32\cmd.exe
    D:\oracle\ora90\BIN\TNSLSNR.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    D:\oracle\ora90\bin\dbsnmp.exe
    d:\oracle\ora90\bin\ORACLE.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\system32\svchost.exe
    D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    C:\WINDOWS\system32\vmnat.exe
    C:\WINDOWS\system32\vmnetdhcp.exe
    C:\WINDOWS\system32\wscntfy.exe
    D:\oracle\ora90\Apache\jdk\bin\java.exe
    D:\oracle\ora90\Apache\Apache\Apache.exe
    c:\program files\mcafee\msc\mcuimgr.exe
    C:\Program Files\mDSL\bin\EV-DO.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    E:\HiJackThis.exe
    
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B796373B-A6F9-419D-8855-21F9184FEC13}: NameServer = 212.0.138.10 212.0.138.11
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
    O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Oracle Corporation - D:\oracle\ora90\bin\xsolap.exe
    O23 - Service: Oracle OLAP Agent - Unknown owner - D:\oracle\ora90\bin\xsaagent.exe
    O23 - Service: OracleOraHome90Agent - Oracle Corporation - D:\oracle\ora90\bin\agntsrvc.exe
    O23 - Service: OracleOraHome90ClientCache - Unknown owner - D:\oracle\ora90\BIN\ONRSD.EXE
    O23 - Service: OracleOraHome90HTTPServer - Unknown owner - D:\oracle\ora90\Apache\Apache\Apache.exe
    O23 - Service: OracleOraHome90PagingServer - Unknown owner - D:\oracle\ora90/bin/pagntsrv.exe
    O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora90\BIN\ENCSVC.EXE
    O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora90\BIN\AGNTSVC.EXE
    O23 - Service: OracleOraHome90TNSListener - Unknown owner - D:\oracle\ora90\BIN\TNSLSNR.exe
    O23 - Service: OracleServiceKHT - Oracle Corporation - d:\oracle\ora90\bin\ORACLE.EXE
    O23 - Service: Profile Monitor (PMonSvc) - Salience Corporation - C:\WINDOWS\system32\pmonsvc.exe
    O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - D:\Program Files\VMware\VMware Workstation\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
    O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
    O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - D:\oracle\ora90\bin\osagent.exe

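The replies below judge the log by eye. As an added example that is not part of this thread or of Trend Micro's HijackThis tool, here is a small Python triage script that parses the O4 (Run keys), O17 (DNS servers) and O23 (services) line formats and lists the entries a responder would read first. The sample lines are constructed to match the shape of the log above, and the three heuristics (an autorun binary placed directly in the Windows root, a service whose binary is missing, a service with no identifiable publisher) are assumptions about what deserves a second look, not a verdict that any entry is malicious.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v2 line format, modelled on the log above.
# Nothing here is asserted to be malicious; the heuristics only pick the lines
# a human should inspect first.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{B796373B-A6F9-419D-8855-21F9184FEC13}: NameServer = 212.0.138.10 212.0.138.11
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
"""

# Line grammars for the three HijackThis sections handled here.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))? - "
    r"(?P<owner>.*?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# First executable-looking token of a command line, with or without quotes.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|com|scr))"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    subject: str  # run-key name, service short name or adapter key
    reason: str   # why a human should look at it


def command_to_path(cmd: str) -> str:
    """Pull the executable path out of an O4 command line, quoted or not."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def dns_servers(line: str) -> List[str]:
    """Return the name servers listed on an O17 line (empty if not O17)."""
    m = O17_RE.match(line)
    return m.group("servers").split() if m else []


def triage(log_text: str) -> List[Finding]:
    """Scan a HijackThis log and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            path = command_to_path(m.group("cmd"))
            parent = path.rsplit("\\", 1)[0].lower()
            # Heuristic (assumption): legitimate autoruns rarely sit directly in
            # the Windows root; system32 and Program Files are the usual homes.
            if parent == r"c:\windows":
                findings.append(Finding("O4", m.group("name"),
                                        f"autorun binary directly in the Windows root: {path}"))
        elif m := O17_RE.match(line):
            servers = ", ".join(m.group("servers").split())
            findings.append(Finding("O17", m.group("key"),
                                    f"DNS servers pinned on this adapter: {servers} "
                                    "(confirm they belong to your ISP)"))
        elif m := O23_RE.match(line):
            subject = m.group("short") or m.group("display")
            if m.group("missing"):
                findings.append(Finding("O23", subject,
                                        "service points at a missing binary (stale or tampered entry)"))
            if m.group("owner").strip() in ("", "Unknown owner"):
                findings.append(Finding("O23", subject,
                                        f"service has no identifiable publisher: {m.group('path')}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.subject}: {f.reason}")
```

Run against the sample it prints five lines: the vcdplayx autorun, the adapter's DNS servers, two notes on the Symantec service (binary missing, unknown owner) and the SmartLink service with a blank owner. None of these is proof of infection; they are the lines to check against the vendor's file list, a second opinion from a rootkit scanner such as the GMER suggested later in the thread, and the ISP's published resolvers.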
  2. #2
    Newbie
    Overall activity: 0%

    Join Date
    Apr 2008
    Posts
    13
    Liked
    0 times
    Points
    2,903
Download and run SmitFraudFix by S!ri.

  3. #3
    Administrator
    Overall activity: 62.0%

    Join Date
    Nov 2006
    Location
    Malaysia
    Posts
    9,804
    Liked
    1656 times
    Points
    48,752
Your HijackThis log looks clean. You might be infected by a rootkit.
Download GMER and see if it finds anything.
http://www.gmer.net/gmer.zip

  4. #4
    Newbie
    Overall activity: 0%

    Join Date
    Dec 2007
    Posts
    12
    Liked
    0 times
    Points
    3,466
Thanks, I will try it.

  5. #5
    Newbie
    Overall activity: 0%

    Join Date
    Dec 2007
    Posts
    12
    Liked
    0 times
    Points
    3,466
I succeeded in blocking the file that tries to start explorer.exe,
and for my internet I found this spam,
http://winanonymous.com, which is telling you that you are infected with some simple errors in the
registry, like empty registry entries.

But my question is: can I suite this company that infects our PCs with a script while we surf the internet
and then tells you that you need to download their software to fix the problem? !!!

  6. #6
    Administrator
    Overall activity: 62.0%

    Join Date
    Nov 2006
    Location
    Malaysia
    Posts
    9,804
    Liked
    1656 times
    Points
    48,752
You meant "sue", right? This method has been used before by SpySheriff: infect the user with spyware and then advertise their product, which claims to be able to remove it.

    If you can find concrete proof, I believe you can.

  7. #7
    Experienced User
    Overall activity: 0%

    Join Date
    Mar 2008
    Posts
    459
    Liked
    0 times
    Points
    10,698
That is an interesting question. I scanned my registry with Reg Mech, then one day for kicks I used the online scan of Uniblue Reg Booster and it found 140+ errors right after cleaning the registry, so I switched to Uniblue, thinking it was better. But the idea that I had been set up was in the back of my mind. I suspected that some companies did this but never could prove it.

I have a question about the rootkit program mentioned above. I used it and, if I am reading the log properly, I have many rootkits. Some are in Nero files, Iolo, Tweak RAM. Are these dangerous, or am I reading the results improperly? I could paste the file but it's quite large.
    ALWAYS A NEWBIE

  8. #8
    Newbie
    Overall activity: 0%

    Join Date
    Dec 2007
    Posts
    12
    Liked
    0 times
    Points
    3,466
Hi. First, this is not an advertisement for specific software, and anyone can choose the software
that he sees as better. So what I did: I removed my antivirus, which is McAfee, with its anti-spyware,
and downloaded AVG antivirus without anti-spyware. Guess how many viruses it caught from my system, all residing
in windows/system32, and all of them trojans: "38" !!!!!! And it could also see that you do not run scheduled scans, but the truth is I usually do it every week. And finally my problem is solved.
