
explorer.exe error black screen, white screen, about:blank

Discussion in 'Virus & Other Malware Removal' started by CACR, Mar 8, 2005.

Thread Status:
Not open for further replies.
  1. CACR

    CACR Thread Starter

    Joined:
    Feb 26, 2005
    Messages:
    13
    I'm not sure if this is one virus or if my computer has somehow picked up several, but it is pretty much completely screwed. I can't access ANYTHING properly, so I am posting this message from another computer.

    This is what happens when I turn my computer on:

    1. Blank blue screen with program error message: "explorer.exe has generated errors and will be closed by Windows....".
    2. If I click "OK" the message goes away and I am left with a blank blue screen and I have to reboot the computer.
    3. If I don't click OK, Windows starts to load up and looks normal at first, but then another error message pops up (the same one) and the screen turns black and says some junk like "Warning! You're in danger!" and then some junk about spyware.
    4. Then a few seconds later another error message pops up and the screen turns white and says "Active Desktop Recovery. Microsoft Windows has experienced an unexpected error..." It gives me an option to "click here to restore" but nothing happens when I do click it.
    5. And then another error message pops up and the screen goes black again, then another message and it goes white and so on.

    I can't really open any programs properly because another error message will pop up and shut down the Start menu before I get a chance to open anything.

    I managed to run Ad-Aware and it found some problems that I cleaned up. Then Spybot found nothing. Then I rebooted and was having the same problem, so I rebooted in Safe Mode and scanned for spyware again and found nothing.

    I somehow managed to run HijackThis and print the log. So now I guess I'll have to type it up! :mad: (I might do some abbreviations)

    Running processes:

    c:\WINNT\system32\
    1. smss.exe (but system32 is with a capital S)
    2. csrss.exe
    3. winlogon.exe
    4. services.exe
    5. lsass.exe
    6. svchost.exe
    7. spoolsv.exe
    8. svchost.exe (but system32 is with a capital S)
    9. regsvc.exe
    10. MSTask.exe
    11. tcpsvcs.exe (but system32 is with a capital S)
    12. zonelabs\vsmon.exe
    13. WBEM\WinMgmt.exe (but system32 is with a capital S)
    14. MsPMSPSv.exe
    15. svchost.exe
    16. internat.exe
    17. wuauclt.exe

    C:\Program Files\
    1. Telstra\Signup\tbpt.exe
    2. Telstra\Cable Login\bpcable.exe
    3. Quicktime\qttask.exe
    4. Zone Labs\ZoneAlarm\zlclient.exe
    5. iTunes\iTunesHelper.exe
    6. Common Files\Real\Update_OB\realsched.exe
    7. iPod\bin\iPodService.exe
    8. Sony Corporation\Image Transfer\SonyTray.exe

    C:\winnt
    1. msmsgnce.exe
    2. nvsvws.exe

    C:\WINNT\explorer.exe

    R1- HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar= about:NavigationFailure

    R1- HKCU\Software\Microsoft\Internet Explorer\Main,Search Page= about:NavigationFailure

    R1- HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar= about:NavigationFailure

    R1- HKLM\Software\Microsoft\Internet Explorer\Main,Search Page= about:NavigationFailure

    R1- HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant= about:NavigationFailure

    R0- HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant= about:NavigationFailure

    R1- HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP= about:blank

    R1- HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP= about:blank

    [okay this is killing me, I am going to leave out stuff that I know is ok...]

    O2- BHO: (no name) - {4DEA7E54-68ED-4281-9087-5DC1BEC976F0} - C:\WINNT\openwin.dll

    O2- BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~\SPYBOT~1\SDHelper.dll

    O2- BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINNT\msmsgnc.dll

    O4 - HKLM\...\Run: [Synchronization Manager] mobsync.exe/logon

    O4 - HKLM\...\Run: [TkBellExe] "C:\Program Files\Common
    Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\...\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

    O4 - HKLM\...\Run: [loader32] C:\WINNT\loader.exe

    O4 - HKLM\...\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

    O4 - HKCU\...\Run:[cmsound] c:\winnt\msmsgnce.exe

    O4 - HKCU\...\Run:[winltmpv] c:\winnt\nvsvwc.exe

    O4 - HKCU\...\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

    O16- DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1109467440203

    O16- DPF: {c4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control)- https://www.navigator.com.au/viewer/activeXViewer/activexviewer.cab

    O17- HKLM\System\CCS\Services\Tcpip\..\ {FCFFAD89-8D48-49EC-BA2D-4703CF71009D}: NameServer= 69.50.184.84,195.225.176.37

    O17- HKLM\System\CS1\Services\VxD\MSTCP: NameServer= 69.50.184.84,195.225.176.37

    O17- HKLM\System\CS2\Services\VxD\MSTCP: NameServer= 69.50.184.84,195.225.176.37

    O17- HKLM\System\CCS\Services\VxD\MSTCP: NameServer= 69.50.184.84,195.225.176.37

    O18- Filter: text/html- {D64FC72D-0FFE-467-A70E-E7C0C325733C} - C:\WINNT\openwin.dll

    O18- Filter: text/plain- {D64FC72D-0FFE-467-A70E-E7C0C325733C} - C:\WINNT\openwin.dll

    O23- Service: Logical Disk Manager Administrative Service (dmadmin)- VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe

    -------------------------------------------------

    Please help!!!! This is so very sad and frustrating :eek:

    Why do I have so many svchost.exe's running? Why do I have both WINNT and winnt? And System32 and system32?
     
  2. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Yes, you've got a few malware entries in there (a CoolWebSearch hijack, and a couple of trojans), though it's not going to be easy to remedy without seeing the complete HJT log. Can you possibly copy the log to floppy and then post it from the other computer?

    What's the Windows OS?
    e.g. Is it Windows 2000 SP4? Or is it WinXP Pro SP2?

    What version of HijackThis is it? v1.99.1 is the latest version.
    Is HijackThis.exe running from a permanent folder, and not from within a zip file in a Temp folder?
    This is important. Make sure HijackThis.exe is installed in e.g.
    C:\Program Files\HijackThis


    Re: your questions at the end of your post:
    Don't worry about WINNT / winnt and System32 / system32
    They are both exactly the same (whether smallcase or uppercase or a mixture).
    svchost.exe is legitimate and is an integral part of Windows NT/2k/XP (Services Host).
    It is normal to have multiple instances of it running.

    ________________________________________________


    Anyway, try this for now...


    If possible, please download the following apps and transfer them to the infected pc.


    CWShredder (free standalone version)
    http://www.intermute.com/spysubtract/cwshredder_download.html
    http://cwshredder.net/bin/CWShredder.exe


    AboutBuster
    http://www.besttechie.net/forums/index.php?showtopic=1488 (tutorial)
    http://www.downloads.subratam.org/AboutBuster.zip

    You will need to unzip AboutBuster.zip to a folder on the good pc,
    then open AboutBuster.exe
    click the Update button
    download the updates
    then copy the entire AboutBuster folder over to the infected pc.


    Download the attached cleanup.zip file.
    The zip contains a .bat and a .reg file.
    Unzip them and copy the .bat and .reg file over to the infected pc.
    Make a copy of them on the desktop and in My Documents.
    You could also run them both directly from a floppy.
    However, don't run either just yet.
    I will tell you what they do and when to use them later in the instructions below.

    ________________________________________________


    On the infected pc...

    Boot into Safe Mode

    Close all windows.

    Run HJT scan again

    Place a checkmark next to the following entries only
    and click "Fix checked":

    R1- HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar= about:NavigationFailure

    R1- HKCU\Software\Microsoft\Internet Explorer\Main,Search Page= about:NavigationFailure

    R1- HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar= about:NavigationFailure

    R1- HKLM\Software\Microsoft\Internet Explorer\Main,Search Page= about:NavigationFailure

    R1- HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant= about:NavigationFailure

    R0- HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant= about:NavigationFailure

    R1- HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP= about:blank

    R1- HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP= about:blank

    O2- BHO: (no name) - {4DEA7E54-68ED-4281-9087-5DC1BEC976F0} - C:\WINNT\openwin.dll

    O2- BHO: sr - {5742F79A-1D91-42c4-990C-B46CF55A6478} - C:\WINNT\msmsgnc.dll

    O4 - HKLM\...\Run: [loader32] C:\WINNT\loader.exe

    O4 - HKLM\...\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

    O4 - HKCU\...\Run:[cmsound] c:\winnt\msmsgnce.exe

    O4 - HKCU\...\Run:[winltmpv] c:\winnt\nvsvwc.exe

    O4 - HKCU\...\RunOnce: [Srv32 spool service] C:\WINNT\System32\spoolsrv32.exe

    O17- HKLM\System\CCS\Services\Tcpip\..\ {FCFFAD89-8D48-49EC-BA2D-4703CF71009D}: NameServer= 69.50.184.84,195.225.176.37

    O17- HKLM\System\CS1\Services\VxD\MSTCP: NameServer= 69.50.184.84,195.225.176.37

    O17- HKLM\System\CS2\Services\VxD\MSTCP: NameServer= 69.50.184.84,195.225.176.37

    O17- HKLM\System\CCS\Services\VxD\MSTCP: NameServer= 69.50.184.84,195.225.176.37

    O18- Filter: text/html- {D64FC72D-0FFE-467-A70E-E7C0C325733C} - C:\WINNT\openwin.dll

    O18- Filter: text/plain- {D64FC72D-0FFE-467-A70E-E7C0C325733C} - C:\WINNT\openwin.dll



    Close HJT

    ________________________________________________


    Now run CWShredder
    Simply open it, and click "Fix"

    ________________________________________________


    Now run AboutBuster
    Click the Start button and follow the prompts
    Don't reboot just yet.

    ________________________________________________


    Go to: Control Panel > Folder Options > View tab:
    Checkmark "show hidden files"
    Uncheck "hide extensions for known file types"
    Uncheck "Hide protected operating system files"

    OK everything and close Folder Options.
    (note, those are the WinXP instructions, it might be different for Win2k)

    ________________________________________________


    Go to: Control Panel > Internet Options
    General tab > Temporary Internet Files > Delete Files:
    Checkmark "Delete all offline content"
    Click OK
    Click on the Programs tab, then click the "Reset Web Settings" button.
    Click Apply then OK.

    Note: You then might need to reset your desired home page c/o General tab

    ________________________________________________


    Now run the .reg and .bat files from my attachment.

    Double click registry_fix.reg first (or right-click it and select "merge")
    This will remove references to the malware from the registry.
    Click Yes/OK to accept the merge.

    Now double click deletefiles.bat
    A command prompt will appear and start automatically deleting the malware files.
    It will also delete all Temp files.
    If you get a prompt at any point, type Y and hit Enter.
    Otherwise the command prompt will auto exit.

    ________________________________________________


    Empty the Recycle Bin


    Disable System Restore
    Control Panel > System > System Restore tab:
    Checkmark "Turn off system restore"
    Click Apply/OK
    (You can re-enable system restore once your system is confirmed clean)

    Those are WinXP instructions.

    If your Windows OS is Windows 2000, then ignore this, as there is no System Restore in Win2k.

    ________________________________________________


    Run HJT one more time
    and confirm that none of those entries we got you to fix earlier have returned.
    Make sure you checkmark only the bold-texted entries from my instructions above.

    ________________________________________________


    Now reboot into Normal Mode


    You might now need to right click the desktop,
    select "properties"
    and choose your desired wallpaper c/o the Desktop tab.


    Close all windows.


    Run AboutBuster again


    Run CWShredder again

    ________________________________________________


    If you CAN get online but can't access any web sites, then it's possible now that you might need to reinstall your ISP software. This is because your DNS/TCP/IP NameServer was hijacked by one of the trojans.

    The only way I could fix this for you is if I knew what DNS your ISP used for this registry entry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{FCFFAD89-8D48-49EC-BA2D-4703CF71009D}:
    NameServer= ???

    You could try going to:
    Control Panel > Network Connections
    Right click your default connection, select "properties"
    then in the Network tab, click "Internet Protocol (TCP/IP)", then click "properties"
    Make sure both "obtain...automatically" options are checkmarked.

    Go to: Start > Run
    Type: cmd
    hit enter
    In the command prompt, type:
    ipconfig /flushdns
    hit enter
    type: exit
    hit enter

    Or you could contact your ISP and they should be able to tell you what to use for IP and DNS addresses.
    Though it might just be easier to reinstall the connection/software.

    One thing's for sure... 69.50.184.84,195.225.176.37 is a hijack and is NOT provided by your ISP.

    You could also try using one of the Open-RSC Domain Name Servers from here:
    http://support.open-rsc.org/.servers/
    http://support.open-rsc.org/How_To/

    Basically, you'd go to the Network Control Panel, and under properties for your default connection (same instructions as above), instead of using "obtain dns server address automatically", you'd checkmark "use the following dns server" and enter the Open-RSC DNS Addresses.

    The choices are:
    199.166.28.10 (Atlanta, Ga)
    199.166.29.3 (Netherlands)
    199.166.31.3 (Orlando, FL, USA)
    199.5.157.128 (Detroit, MI, USA)

    Use the two nearest to you...

    ________________________________________________


    Run SpybotSD scan
    (make sure you've got the latest detections first)


    Run Adaware SE scan
    Checkmark "do a full system scan"
    Uncheck "search for negligible risk entries"
    Click "Next" to start the scan.


    Reboot again


    Post a full HJT v1.99.1 log here
     

    Attached Files:
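As an added example that is not part of this thread or of HijackThis itself: a small Python triage script that applies the rules The_Egg uses above (IE search/home pages reset to an about: URL, BHO and autorun files dropped directly into the Windows directory, O17 NameServers outside the ISP's known set, and O18 text/html and text/plain filters) to HijackThis-style log lines. The sample lines are constructed from the entries quoted in this thread, and `expected_dns` is assumed to be supplied by whoever knows the ISP's real DNS addresses.

```python
import re

# Constructed sample: HijackThis-style lines built from the entries quoted in this thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = about:NavigationFailure
O2 - BHO: (no name) - {4DEA7E54-68ED-4281-9087-5DC1BEC976F0} - C:\\WINNT\\openwin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~\\SPYBOT~1\\SDHelper.dll
O4 - HKLM\\..\\Run: [loader32] C:\\WINNT\\loader.exe
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{FCFFAD89-8D48-49EC-BA2D-4703CF71009D}: NameServer = 69.50.184.84,195.225.176.37
O18 - Filter: text/html - {D64FC72D-0FFE-467-A70E-E7C0C325733C} - C:\\WINNT\\openwin.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\\WINNT\\System32\\dmadmin.exe
"""

# A .dll/.exe sitting directly in the Windows directory (not System32, not Program Files).
_WINROOT_FILE = re.compile(r"^[a-z]:\\(winnt|windows)\\[^\\]+\.(dll|exe)$", re.I)
_SECTION = re.compile(r"^(R[0-3]|O\d+)\s*-\s*(.*)$")

def triage_hjt(log_text, expected_dns=frozenset()):
    """Return (section, reason, line) for each line matching a hijack pattern from the
    thread. expected_dns is the ISP's real DNS set (assumed known to the caller)."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if not m:
            continue
        sec, body = m.group(1), m.group(2)
        if sec.startswith("R") and re.search(r"=\s*about:(NavigationFailure|blank)\b", body):
            findings.append((sec, "IE search/home page reset to an about: URL", line))
        elif sec == "O2":
            path = body.rsplit(" - ", 1)[-1]            # last field is the DLL path
            if _WINROOT_FILE.match(path):
                findings.append((sec, "BHO DLL sitting directly in the Windows dir", line))
        elif sec == "O4":
            rest = body.split("] ", 1)[-1]              # text after the [name] tag
            path = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(" ", 1)[0]
            if _WINROOT_FILE.match(path):
                findings.append((sec, "autorun EXE sitting directly in the Windows dir", line))
        elif sec == "O17":
            servers = {s.strip() for s in body.split("NameServer", 1)[-1].lstrip(" =").split(",")}
            rogue = servers - expected_dns
            if rogue:
                findings.append((sec, "NameServer not in expected set: " + ",".join(sorted(rogue)), line))
        elif sec == "O18" and re.search(r"Filter:\s*text/(html|plain)", body):
            findings.append((sec, "MIME filter hooks every HTML/plain page IE renders", line))
    return findings
```

The same O17 rule is what The_Egg applies by hand when he says the two NameServer addresses are "NOT provided by your ISP"; the script only differs in needing the real ISP addresses handed to it.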

  3. CACR

    CACR Thread Starter

    Joined:
    Feb 26, 2005
    Messages:
    13
    Thanks for your help! My Dad has taken the computer over to a computer whiz's place to get it fixed, so hopefully it is fixable. I do have the latest unzipped version of HJT, and Windows 2000 SP4. I deleted most of the CoolWebSearch associated files but nothing changed. It is almost too hard for me to fix because I can't really run anything, plus I'm not too good with computers.

    This is a scary one, though!

    Thanks again :D
     
  4. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Yes, well direct the "computer whizz" to this thread please... :)
     
Short URL to this thread: https://techguy.org/338489
