explorer.exe problem
-
Hi,
I have a problem where I keep losing explorer.exe; I have to keep restarting it in Task Manager, and this happens in Safe Mode as well. I have run the usual virus and malware scanners (Spybot, Ad-Aware, SUPERAntiSpyware, Ewido, etc. etc.) and can't find anything. I have also run scannow from Run, to no avail. Here's my HijackThis log; could someone check it out for me please?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:26:05, on 16/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode with network support
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\explorer.exe
D:\Documents and Settings\agb\Desktop\aswclnr.exe
D:\Documents and Settings\agb\Desktop\aswclnr.tmp
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\internet explorer\iexplore.exe
D:\hikack this\you.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: Mozy Status.lnk = D:\Program Files\Mozy\mozystat.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: MozyHome Status.lnk = D:\Program Files\Mozy\mozystat.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Send to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - D:\Program Files\Mozy\mozybackup.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - D:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 8824 bytes
Last edited by barney; 16-10-2007 at 04:43 PM.
-
Update
Every time I click on a desktop icon, I now lose explorer.exe and have to restart it in Task Manager. It seems to be worse when I first boot up.
-
Welcome,
Since you have tried all those scanners and they did not find anything, this may not be a malware issue. I may have to send you over to the other side of this forum, where they will know more about this problem, as we deal with malware issues only here, but let's do a couple of scans that you might not have done yet.
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
* Double-click the drweb-cureit.exe file and allow it to run the express scan.
* This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
* Once the short scan has finished, mark the drives that you want to scan.
* Select all drives. A red dot shows which drives have been chosen.
* Click the green arrow at the right, and the scan will start.
* Click 'Yes to all' if it asks if you want to cure/move the file.
* When the scan has finished, look whether you can click the next icon next to the files found:
* If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured (this is in case we need samples).
* After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
* Save the report to your desktop. The report will be called DrWeb.csv.
* Close Dr.Web CureIt.
* Reboot your computer!! It is possible that files in use will be moved/deleted during the reboot.
* After the reboot, post the contents of the Dr.Web log you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
1. Download this file - COMBOFIX
2. Double-click combofix.exe and follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Post a new HijackThis log also, please.
If you have to use two posts to get it all back here, that is just fine.
-
Thanks for responding, Neal.
Nothing to report on the CureIt!
Here's the ComboFix log:
ComboFix 07-09-10.6 - "agb" 2003-09-11 4:55:42.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1570 [GMT 1:00]
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
D:\DOCUME~1\agb\APPLIC~1\tmp1B.tmp.exe
D:\DOCUME~1\agb\APPLIC~1\tmp1D.tmp.exe
D:\DOCUME~1\agb\APPLIC~1\tmp50.tmp.exe
D:\DOCUME~1\agb\APPLIC~1\tmp52.tmp.exe
D:\DOCUME~1\agb\APPLIC~1\tmp54.tmp.exe
D:\DOCUME~1\agb\APPLIC~1\tmp56.tmp.exe
D:\DOCUME~1\agb\Desktop\internet.lnk
D:\DOCUME~1\ALLUSE~1\APPLIC~1.\gnezkdct.dll
D:\Program Files\Common Files\fnts~1
D:\Program Files\Common Files\fnts~1\F?nts\
D:\Program Files\ebsjcjab
D:\Program Files\ebsjcjab\uzolyxmf.dll
D:\Program Files\Heatsyoi
D:\Program Files\Heatsyoi\cpoatqkt.dll
D:\Program Files\SecCenter
D:\Program Files\SecCenter\scprot4.exe
D:\WINDOWS\byyxxw.dll
D:\WINDOWS\Casino.ico
D:\WINDOWS\cookies.ini
D:\WINDOWS\Free Online Dating.ico
D:\WINDOWS\Spyware Remover.ico
D:\WINDOWS\system32\tmp52.tmp.dll
D:\WINDOWS\wxxyyb.ini
((((((((((((((((((((((((( Files Created from 2007-08-10 to 2007-09-10 )))))))))))))))))))))))))))))))
.
2007-09-01 05:41 <DIR> d-------- D:\DOCUME~1\agb\APPLIC~1\ieSpell
2007-09-01 05:40 <DIR> d-------- D:\Program Files\ieSpell
2007-08-25 13:20 81,920 -ra------ D:\WINDOWS\system32\srctrl.dll
2007-08-25 13:20 <DIR> d-------- D:\Program Files\LGGSM
2007-08-23 17:31 <DIR> d-------- D:\Program Files\SUPERAntiSpyware
2007-08-23 17:31 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 17:31 <DIR> d-------- D:\DOCUME~1\agb\APPLIC~1\SUPERAntiSpyware.com
2007-08-23 17:14 <DIR> d--h----- D:\DOCUME~1\ALLUSE~1\APPLIC~1\{74D61F17-FFC2-41AF-96E5-1DCB0631B6D1}
2007-08-23 17:14 <DIR> d-------- D:\Program Files\Eraser
2007-08-23 05:48 614,725 --a------ D:\WINDOWS\system32\dna08e9ef4.dat
2007-08-21 21:01 97,344 --a------ D:\WINDOWS\system32\vrm.exe
2007-08-21 21:01 533,056 --a------ D:\WINDOWS\system32\vsm.exe
2007-08-21 05:28 10,240 --a------ D:\WINDOWS\system32\virport.dll
2007-08-14 18:01 <DIR> d-------- D:\DOCUME~1\agb\APPLIC~1\VideoEgg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-06 11:05 94416 --a------ D:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 11:05 92848 --a------ D:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 11:03 23152 --a------ D:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 11:02 42912 --a------ D:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 11:00 26624 --a------ D:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-26 05:18 --------- d--h----- D:\Program Files\InstallShield Installation Information
2007-08-25 08:41 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\pdf995
2007-08-23 17:30 --------- d-------- D:\Program Files\Common Files\Wise Installation Wizard
2007-08-23 17:15 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-21 21:00 --------- d-------- D:\Program Files\Common Files\Scanner
2007-08-19 07:30 359808 --a------ D:\WINDOWS\system32\drivers\tcpip.sys
2007-08-05 08:42 --------- d-------- D:\Program Files\Easy Price Pro
2007-07-30 15:44 --------- d-------- D:\Program Files\Safer Networking
2007-07-24 15:08 --------- d-------- D:\Program Files\Kodak
2007-07-24 15:08 --------- d-------- D:\Program Files\Common Files\Kodak
2007-07-24 15:06 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Kodak
2007-07-24 14:50 --------- d-------- D:\Program Files\Microsoft.NET
2007-07-24 04:31 --------- d-------- D:\DOCUME~1\agb\APPLIC~1\Nokia Multimedia Player
2007-07-23 11:31 --------- d-------- D:\DOCUME~1\agb\APPLIC~1\Nokia
2007-07-23 11:30 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Suite
2007-07-23 11:00 --------- d-------- D:\Program Files\Common Files\PCSuite
2007-07-23 11:00 --------- d-------- D:\Program Files\Common Files\Nokia
2007-07-23 10:59 --------- d-------- D:\Program Files\PC Connectivity Solution
2007-07-23 10:58 --------- d-------- D:\Program Files\Nokia
2007-07-23 10:58 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Installations
2007-07-13 05:35 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Age of Empires 3
2007-07-12 17:43 --------- d-------- D:\DOCUME~1\agb\APPLIC~1\Apple Computer
2007-07-12 15:30 --------- d-------- D:\Program Files\QuickTime
2007-07-12 15:30 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-12 15:29 --------- d-------- D:\Program Files\Apple Software Update
2007-07-12 15:29 --------- d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-06-17 00:11 51200 --a------ D:\WINDOWS\NirCmd.exe
2007-06-13 11:23 1033216 --a------ D:\WINDOWS\explorer.exe
2007-04-11 11:25 2278097 --a------ D:\Program Files\BullZipPDFPrinter(3.0.0.186).exe
2007-04-08 17:38 4301387 --a------ D:\DOCUME~1\DOWNLO~1\Shareaza_2.2.5.0.exe
2005-07-08 12:19 3179888 --a------ D:\Program Files\Registry Mechanic 5.0.0.132.exe
2003-09-08 07:42 76004 --a------ D:\Program Files\Setup.exe
2003-09-08 07:32 98304 --a------ D:\DOCUME~1\ALLUSE~1\APPLIC~1\dufqxypq.dll
2001-10-21 01:52 1374075 --a------ D:\Program Files\StartUp.CAB
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 09:48 D:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="D:\WINDOWS\system32\NvCpl.dll" [2006-08-11 14:43]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
D:\DOCUME~1\agb\STARTM~1\Programs\Startup\
Mozy Status.lnk - D:\Program Files\Mozy\mozystat.exe [2007-04-29 10:59:08]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
R1 DcCam;Kodak Camera Proxy;D:\WINDOWS\system32\DRIVERS\DcCam.sys
R1 mozyFilter;mozyFilter;D:\WINDOWS\system32\DRIVERS\mozy.sys
R2 DCFS2K;Kodak DCFS2K Driver;D:\WINDOWS\system32\drivers\dcfs2k.sys
R2 WUSB54GSv2SVC;WUSB54GSv2SVC;"D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe"
S1 Exportit;Exportit;D:\WINDOWS\system32\DRIVERS\exportit.sys
S3 BIOSCHK;BIOSCHK;\??\D:\DOCUME~1\agb\LOCALS~1\Temp\TII2.tmp\disk1\BIOSCHK.SYS
S3 DcFpoint;DcFpoint;D:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;D:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;D:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 GT680x;GrandTechICNameNT;D:\WINDOWS\system32\Drivers\gt680x.sys
S3 MEMSWEEP2;MEMSWEEP2;\??\D:\WINDOWS\system32\21.tmp
S3 umpusbxp;UPort 1 on Nokia Adapter;D:\WINDOWS\system32\DRIVERS\umpusbxp.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\autorun.exe
directx\command- E:\DirectX9\dxsetup.exe
setup\command- E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-09-06 10:45:02 D:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- D:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-10 04:59:36
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-09-10 5:01:59 - machine was rebooted
D:\ComboFix-quarantined-files.txt ... 2007-09-10 05:01
.
--- E O F ---
-
Hi Neal,
here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:13:28, on 17/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
D:\WINDOWS\system32\drivers\KodakCCS.exe
D:\Program Files\Mozy\mozybackup.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\MICROS~3\wcescomm.exe
D:\PROGRA~1\MICROS~3\rapimgr.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Mozy\mozystat.exe
D:\Program Files\SpywareGuard\sgmain.exe
D:\Program Files\SpywareGuard\sgbhp.exe
D:\Program Files\internet explorer\iexplore.exe
D:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\WINDOWS\explorer.exe
D:\hikack this\you.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] D:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] D:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: Mozy Status.lnk = D:\Program Files\Mozy\mozystat.exe
O4 - Startup: SpywareGuard.lnk = D:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = D:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: MozyHome Status.lnk = D:\Program Files\Mozy\mozystat.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &ieSpell Options - res://D:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://D:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://D:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://D:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Send to &Bluetooth Device... - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - D:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - D:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - D:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - D:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - D:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - D:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - D:\Program Files\Mozy\mozybackup.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - D:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - D:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
--
End of file - 9461 bytes
-
Thanks for that.
I found numerous suspicious files in the ComboFix log, and each one needs to be scanned to check its validity.
Go here to learn how to show hidden files/folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
Re-hide them after we are done.
Go to the next site:
http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the next file:
D:\WINDOWS\system32\21.tmp
Click Open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
If that one is too busy, here is another option:
http://virusscan.jotti.org
and
http://www.kaspersky.com/scanforvirus.html
Do the same for these below, please:
D:\WINDOWS\system32\dna08e9ef4.dat
D:\WINDOWS\system32\vrm.exe
D:\WINDOWS\system32\vsm.exe
D:\WINDOWS\system32\virport.dll
D:\DOCUME~1\ALLUSE~1\APPLIC~1\dufqxypq.dll
If you have trouble getting one scanned, try a different scanner please, and post the results for each file in case we need to kill files.
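As an added example (not part of this thread, and not HijackThis' or ComboFix's own code), here is a small Python script that does the first pass a helper does by eye on the HijackThis logs posted above: it parses the O-lines and flags the entries worth checking first (targets reported as "(no file)", autoruns given as a bare filename or running from a temp or profile folder, services with "Unknown owner", Winlogon Notify DLLs, and ActiveX controls pulled from a URL). The sample log is constructed from lines in this thread; the "example-placeholder" autorun is invented to show a temp-folder hit.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the log lines in this thread; "example-placeholder" is invented.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [example-placeholder] "D:\DOCUME~1\agb\LOCALS~1\Temp\example.tmp.exe" /silent
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - D:\Program Files\Mozy\mozybackup.exe
"""

@dataclass
class Entry:
    section: str                 # "O2", "O4", "O23", ...
    name: str                    # value name, BHO name, service name, ...
    target: str                  # path, command line or URL the entry loads
    raw: str                     # the original log line
    flags: list = field(default_factory=list)

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|cpl|scr|bat|cmd|vbs|js))(?=$|[\s,])", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(Temp|DOCUME~1|Documents and Settings|LOCALS~1|APPLIC~1|Application Data)\\",
                           re.IGNORECASE)

def parse_line(line):
    """Turn one 'Oxx - ...' log line into an Entry; returns None for other lines."""
    raw = line.strip()
    m = LINE_RE.match(raw)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        m4 = O4_RE.match(body)
        if m4:                                    # registry Run value: [name] command
            return Entry(section, m4.group("name"), m4.group("cmd"), raw)
        if " = " in body:                         # Startup folder shortcut: name = path
            label, target = body.split(" = ", 1)
            return Entry(section, label.split(": ", 1)[-1], target, raw)
        return None
    # Other sections read "Label: name - {CLSID} - target"; the target is the last field.
    parts = body.split(" - ")
    name = parts[0].split(": ", 1)[-1]
    target = parts[-1] if len(parts) > 1 else ""
    return Entry(section, name, target, raw)

def exe_of(cmd):
    """Pull the file that really runs out of an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
        rest = cmd[len(path) + 2:].strip()
    else:
        m = EXT_RE.match(cmd)
        if not m:
            return cmd.split(" ", 1)[0]
        path = m.group(1)
        rest = cmd[len(path):].strip()
    if path.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
        return exe_of(rest)                       # rundll32 is only a host; report the DLL
    return path

def triage_entry(e):
    """Attach the review reasons a helper would raise for this entry."""
    target = exe_of(e.target) if e.section == "O4" else e.target
    low = target.lower()
    if low in ("(no file)", "(file missing)"):
        e.flags.append("target missing: orphaned entry, find out what removed the file")
    elif e.section == "O4" and "\\" not in target:
        e.flags.append("bare filename: resolved via the search path, confirm which file runs")
    if USER_WRITABLE.search(target):
        e.flags.append("loads from a user-writable or temp location")
    if e.section == "O23" and "Unknown owner" in e.raw:
        e.flags.append("service has no vendor recorded: verify the binary's hash/signature")
    if e.section == "O20":
        e.flags.append("Winlogon Notify DLL runs inside winlogon.exe: verify the vendor")
    if e.section == "O16" and low.startswith("http"):
        e.flags.append("ActiveX control fetched from a URL: confirm the site is expected")
    return e

def triage(log_text):
    """Return only the entries that carry at least one review flag."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and triage_entry(e).flags]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(e.section, e.name, "->", "; ".join(e.flags))
```

Flagged entries are a starting point for the manual checks described in this thread (hash lookup, vendor verification), not a verdict.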
-
Hi Neal,
I am having trouble finding most of those files. Here's
dna08e9ef4.dat:
Antivirus Version Last Update Result
AhnLab-V3 2007.10.18.0 2007.10.17 -
AntiVir 7.6.0.23 2007.10.17 -
Authentium 4.93.8 2007.10.17 -
Avast 4.7.1051.0 2007.10.17 -
AVG 7.5.0.488 2007.10.17 -
BitDefender 7.2 2007.10.17 -
CAT-QuickHeal 9.00 2007.10.17 -
ClamAV 0.91.2 2007.10.17 -
DrWeb 4.44.0.09170 2007.10.17 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5218 2007.10.17 -
Ewido 4.0 2007.10.17 -
FileAdvisor 1 2007.10.17 -
Fortinet 3.11.0.0 2007.10.17 -
F-Prot 4.3.2.48 2007.10.17 -
F-Secure 6.70.13030.0 2007.10.17 -
Ikarus T3.1.1.12 2007.10.17 -
Kaspersky 7.0.0.125 2007.10.17 -
McAfee 5143 2007.10.17 -
Microsoft 1.2908 2007.10.17 -
NOD32v2 2599 2007.10.17 -
Norman 5.80.02 2007.10.17 -
Panda 9.0.0.4 2007.10.17 -
Prevx1 V2 2007.10.17 -
Rising 19.45.22.00 2007.10.17 -
Sophos 4.22.0 2007.10.17 -
Sunbelt 2.2.907.0 2007.10.17 -
Symantec 10 2007.10.17 -
TheHacker 6.2.8.096 2007.10.17 -
VBA32 3.12.2.4 2007.10.17 -
VirusBuster 4.3.26:9 2007.10.17 -
Webwasher-Gateway 6.6.1 2007.10.17 -
Additional information
File size: 614725 bytes
MD5: 238c53894af0ea8f1e15cd747dcce896
SHA1: 1b1e8691d2263190ef2d5ba2bd65d9c9accff727
and
D:\WINDOWS\system32\virport.dll was clean on Kaspersky.
The rest I cannot find.
-
OK, now tell me what your PC is up to now please.
New hijackthis log also please.
-
Hi Neal,
pretty much the same: when I click on a desktop icon I lose explorer.exe and have to start it up again from Task Manager.
-
Did you install a program called MicroBillsys,
or maybe MBS Account Manager?
I found it on your system. It is related to bill paying from visiting porn sites and such, is considered a trojan/adware of some sort, and does all kinds of crazy things to your computer.
We can remove it.
Do something for me: click Start > Search, type in MBS Account Manager and do a search for that on your computer; also search for MicroBillsys and let me know if it is found, please.
This is related to two of those files you could not find for scanning that showed up in the ComboFix log.