Explorer.EXE problem - inc HJT log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Snorkerz

Thread Starter
Joined
Feb 6, 2005
Messages
6
This is my HJT log

Logfile of HijackThis v1.97.7
Scan saved at 03:02:41, on 07/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Reaney\Desktop\System security\hjt\HijackThis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Reaney\Application Data\Mozilla\Profiles\default\t3qyvq3f.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92E8CC33-962C-4E0C-9CAD-571CAD141EEC}: NameServer = 194.106.56.6 194.106.33.42

The HJT shows explorer.exe running, but the file name in Task Manager is Explorer.EXE, with capitals for the extension. A little research on Google (and the fact that the machine is painfully slow) tells me that this is likely to be a virus, but none of my security tools / AV programs / Ad-Aware can pick it up. I have tried to follow other forums to solve this without success, so any ideas would be appreciated. The only vaguely suspicious HJT entry I can see is the very last one - but I bow to the forum's superior knowledge :) !!!!!
 
Joined
Jul 26, 2002
Messages
46,331
Hi Snorkerz

Welcome to TSG! :)

The explorer.exe file is legit and your log is clean.


Here are some routine maintenance practices that you should do on a regular basis to keep your machine running efficiently:

Disk Cleanup:

http://www.theeldergeek.com/disk_cleanup_utility.htm

Defrag your HD:

http://artsweb.bham.ac.uk/artsit/Info/Guides/GoodPractice/defrag-win2kxp.htm

Run chkdsk:

To use Chkdsk, click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take a while, so run it when you don't need to use the computer for something else.

Remove unnecessary startups

This should be done through the System Configuration Utility. Go to Start > Run and type in msconfig.
Click OK or hit the Enter key.

Click on the "Startup" tab and remove the check by the items that you have determined are unnecessary. Click "Apply" then "Close"

You will be prompted to restart. Go ahead and restart.

Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

Go here for info on msconfig:

http://www.pacs-portal.co.uk/startup_index.htm

You can look up the startups here to help determine what is needed and what is not:

http://computercops.biz/StartupList.html

here:

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

And here:

http://www.windowsstartup.com/wso/browse.php?l=8&start=50&end=75


You might also consider checking out Black Viper's guide to disabling some of the unnecessary services in XP here:

http://www.blackviper.com/WinXP/servicecfg.htm
 

Snorkerz

Thread Starter
Joined
Feb 6, 2005
Messages
6
I think Explorer.EXE is dodgy..... It tries to make contact over the internet approx once every 12 minutes. Fortunately, Zone Alarm is stopping it. My Zone Alarm log is shown at http://tinyurl.com/57r42. Any other suggestions appreciated.
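The "once every 12 minutes" observation above is the kind of thing a firewall log can confirm or refute mechanically. The script below is an added example, not code from this thread or from ZoneAlarm: it parses a constructed firewall log (a generic "time verb direction image destination" layout, not ZoneAlarm's real format, with RFC 5737 documentation addresses as destinations), groups outbound connections by image path and destination, and flags any train whose gaps are all close to the median gap. Image paths are lower-cased first, because Windows file names are case-insensitive and "Explorer.EXE" and "explorer.exe" are the same file.

```python
"""Spot fixed-interval outbound connections ("beaconing") in a firewall log.

Added example; not code from the thread and not ZoneAlarm's log format.
SAMPLE_FW_LOG is constructed for the demo.
"""
import re
from datetime import datetime
from statistics import median

# One event per line: "YYYY-MM-DD HH:MM:SS BLOCK|ALLOW out <image path> <ip>:<port>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (BLOCK|ALLOW) out (.+?) "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)

# Constructed sample: explorer.exe every ~12 minutes, Netscape at irregular times.
SAMPLE_FW_LOG = r"""2005-02-08 22:00:03 BLOCK out C:\WINDOWS\Explorer.EXE 192.0.2.10:80
2005-02-08 22:03:41 ALLOW out C:\Program Files\Netscape\Netscape\Netscp.exe 192.0.2.50:80
2005-02-08 22:04:10 ALLOW out C:\Program Files\Netscape\Netscape\Netscp.exe 192.0.2.50:80
2005-02-08 22:09:55 ALLOW out C:\Program Files\Netscape\Netscape\Netscp.exe 192.0.2.50:80
2005-02-08 22:12:05 BLOCK out C:\WINDOWS\explorer.exe 192.0.2.10:80
2005-02-08 22:24:01 BLOCK out C:\WINDOWS\Explorer.EXE 192.0.2.10:80
2005-02-08 22:31:02 ALLOW out C:\Program Files\Netscape\Netscape\Netscp.exe 192.0.2.50:80
2005-02-08 22:36:04 BLOCK out C:\WINDOWS\Explorer.EXE 192.0.2.10:80
2005-02-08 22:48:02 BLOCK out C:\WINDOWS\Explorer.EXE 192.0.2.10:80
"""


def parse_log(text):
    """Return (timestamp, image, dest) for each well-formed line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        image = m.group(3).lower()  # Windows paths are case-insensitive
        dest = f"{m.group(4)}:{m.group(5)}"
        events.append((ts, image, dest))
    return events


def find_beacons(events, min_hits=4, tolerance=0.1):
    """Return (image, dest, period_seconds, hits) for regular connection trains.

    A train is flagged when it has at least min_hits connections and every
    gap lies within tolerance*median (or 30 s, whichever is larger) of the
    median gap. Jittered beacons need a looser tolerance, and legitimate
    pollers (update checks, mail clients) match too, so a hit is a lead,
    not a verdict.
    """
    by_key = {}
    for ts, image, dest in events:
        by_key.setdefault((image, dest), []).append(ts)
    beacons = []
    for (image, dest), stamps in by_key.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        slack = max(30.0, tolerance * period)
        if all(abs(g - period) <= slack for g in gaps):
            beacons.append((image, dest, period, len(stamps)))
    return beacons


if __name__ == "__main__":
    for image, dest, period, hits in find_beacons(parse_log(SAMPLE_FW_LOG)):
        print(f"{image} -> {dest}: {hits} connections, about every {period / 60:.1f} min")
```

A regular period attributed to explorer.exe still does not say which code made the connection: the shell hosts shell extensions and other third-party DLLs inside its own process, so the next step is to list what is loaded into that process and where those modules live, not to conclude that explorer.exe itself has been replaced.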
 
Joined
Jul 26, 2002
Messages
46,331
Do a file search for explorer.exe and let me know exactly where you find it.
 
Joined
Jul 26, 2002
Messages
46,331
There is nothing unusual there.

I just noticed that you are using an old version of HijackThis, so get rid of the old one and Click here to download the new one, come back here and post the log from it.
 

Snorkerz

Thread Starter
Joined
Feb 6, 2005
Messages
6
Here we go

Logfile of HijackThis v1.99.0
Scan saved at 00:27:01, on 09/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Search Engine Commando\ScheduleService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Visicom Media\AceFTP 3 freeware\aceftp3free.exe
C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Jasc Software Inc\Paint Shop Pro 7\psp.exe
C:\Documents and Settings\Reaney\Desktop\System security\hjt\hijackthis.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Reaney\Application Data\Mozilla\Profiles\default\t3qyvq3f.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{92E8CC33-962C-4E0C-9CAD-571CAD141EEC}: NameServer = 194.106.56.6 194.106.33.42
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
O23 - Service: Search Engine Commando Schedule Service - Tates Creek Software, LLC - C:\Program Files\Search Engine Commando\ScheduleService.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe


I can't do it now, but I'll re-boot in Safe mode in a few hours and then post the 'safe' HJT log and a revised search - I suspect they'll be different.
 
Joined
Jul 26, 2002
Messages
46,331
I forgot to mention that the link you posted to your Zone Alarm log earlier did not work. Please attach that ZA log here. Explorer.exe accessing the net is not necessarily bad.

The only thing I see there is this in your processes:

C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp
C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp


Restart to safe mode.

How to start your computer in safe mode

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.


Although explorer.exe trying to access the net is not necessarily bad, particularly if you are on a network, I'd like you to run TDS3:

Download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download

This is a Trial version so you will have to do the update manually.
The automatic update only works with the registered version which costs $49.

Update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update

Under the "Manual Update" right click on the radius.td3 file and choose "Save target as".
Then in the "Save in" box browse to the C:\Program Files\TDS3 folder
(provided that is the location of your TDS-3 directory) and save it there.
A prompt will appear telling you that there is already a radius.td3 file there "do you want to overwrite it" click Yes.

Run the "full System scan" , preferably in safe mode.

Note: Temporarily disable your Antivirus program.
Launch TDS-3 and click on "System Testing" then "Full System Scan" and the scan will begin.

TDS-3 does not automatically remove infected files that it finds. It will display what it has found in the lower portion of the main window and it will either say "Positive Identification etc...." or "Suspicious File". Anything with a positive identification you should right click and delete. Don't do anything with the suspicious ones yet. Right click on any suspicious entry found and choose "Save as Text" then go to the TDS-3 folder (usually C:\Program Files\TDS) and look for a scandump.txt file. Open the scandump.txt file and copy and paste its contents here. Once we see the scandump file we can determine what to do with the suspicious ones. Many times the suspicious files are harmless.
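The two items the reply above picks out of the process list (an executable running from the user's Temp folder, with a .tmp extension) are exactly what a first pass over a HijackThis "Running processes" section should catch, and the original worry about "Explorer.EXE" is exactly what it should not. The script below is an added example, not code from this thread or from HijackThis: it pulls the process paths out of a constructed log excerpt shaped like the ones posted here, lower-cases them (Windows file names are case-insensitive, so the capitalised extension means nothing), and flags three things: a core XP binary name running from somewhere other than its one legitimate home (assumed default install under C:\WINDOWS), anything running from a Temp folder in long or 8.3 short form, and a running image without an .exe extension.

```python
"""Triage the "Running processes" section of a HijackThis log.

Added example; this is not code from the thread or from HijackThis.
SAMPLE_LOG is a constructed excerpt shaped like the logs posted above.
"""
import re

# One legitimate home for these core XP binaries (assumed default install
# on C:\WINDOWS). A copy under any other path that borrows the name is
# the classic look-alike trick and should be hashed and inspected.
EXPECTED_HOME = {
    "smss.exe": r"c:\windows\system32\smss.exe",
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
    "services.exe": r"c:\windows\system32\services.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}

# Temp folders, in long form or 8.3 short form (LOCALS~1\Temp), are writable
# by anything the user runs, so code executing from them deserves a look.
TEMP_RE = re.compile(r"\\temp\\")

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0 (constructed sample, not a real scan)
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\explorer.exe
C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/");
"""


def running_processes(log_text):
    """Return the paths listed between 'Running processes:' and the next blank line."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def triage(paths):
    """Return (path, reason) pairs for entries worth a closer look.

    Windows file names are case-insensitive, so 'Explorer.EXE' and
    'explorer.exe' are the same file; everything is lower-cased before
    comparison and only the directory is allowed to decide.
    """
    findings = []
    for raw in paths:
        p = raw.lower()
        name = p.rsplit("\\", 1)[-1]
        home = EXPECTED_HOME.get(name)
        if home is not None and p != home:
            findings.append((raw, "core binary name outside its expected home " + home))
        if TEMP_RE.search(p):
            findings.append((raw, "executing from a Temp folder"))
        if not name.endswith(".exe"):
            findings.append((raw, "running image does not have an .exe extension"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(running_processes(SAMPLE_LOG)):
        print(f"{path}: {reason}")
```

Run against the constructed sample, C:\WINDOWS\Explorer.EXE is not flagged at all, the look-alike copy under System32 is, and the Temp entry is flagged twice. A flag is a reason to hash the file and check its properties, not proof of infection; the 8.3 short path in the Temp entry also hides the long name, so expand it on the machine before deciding what it is.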
 
Joined
Jul 26, 2002
Messages
46,331
There is nothing bad in the HJT log or the ZA log.

You didn't post the correct log from TDS3. Did it find anything?
 
Joined
Feb 12, 2005
Messages
1
I've been a bit slammed by this too. I think this is something new and fairly nasty. I think that the baddies have replaced explorer.exe with a nasty version of it that downloads bad stuff. I had the same experience - about 10 or 12 minutes after blazing up IE, bad things started happening. The odd thing was that even if I wasn't connected to IE, bad things still seem to happen.

I've been trying something different. I replaced explorer with some freeware, and the issue seems to have gone away, but the problem is that I really need to get my menu bars, etc. back, so I'm going to try to find a windows install disk and re-install explorer.

If it's of any help, what I did was saved explorer.exe as explorer.old and then downloaded explorerxp.exe from www.explorerxp.com and saved it as explorer.exe.

Bugs seem to be gone, But I still don't have a desktop, start menu, etc...

D
 
Joined
Jul 26, 2002
Messages
46,331
Well this is the first time that you mentioned having any other problem other than just "suspecting" that there was a problem with explorer.

I do believe that KAV will disinfect this infection, but it has to be updated with the extended databases. I'll check on that.

I'm not so sure that it is going to fix the problems with your desktop etc.... Have you considered doing a repair install of XP?
 