
Explorer.EXE problem - inc HJT log

Discussion in 'Virus & Other Malware Removal' started by Snorkerz, Feb 6, 2005.

Thread Status:
Not open for further replies.
  1. Snorkerz

    Snorkerz Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    6
    This is my HJT log

    Logfile of HijackThis v1.97.7
    Scan saved at 03:02:41, on 07/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Documents and Settings\Reaney\Desktop\System security\hjt\HijackThis.exe

    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Reaney\Application Data\Mozilla\Profiles\default\t3qyvq3f.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92E8CC33-962C-4E0C-9CAD-571CAD141EEC}: NameServer = 194.106.56.6 194.106.33.42

    The HJT shows explorer.exe running, but the file name in Task Manager is Explorer.EXE, with capitals for the extension. A little research on Google (and the fact that the machine is painfully slow) tells me that this is likely to be a virus, but none of my security tools / av programs / ad-aware can pick it up. I have tried to follow other forums to solve this without success, so any ideas would be appreciated. The only vaguely suspicious HJT entry I can see is the very last one - but I bow to the forum's superior knowledge :) !!!!!
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi Snorkerz

    Welcome to TSG! :)

    The explorer.exe file is legit and your log is clean.


    Here are some routine maintenance practices that you should do on a regular basis to keep your machine running efficiently:

    Disk Cleanup:

    http://www.theeldergeek.com/disk_cleanup_utility.htm

    Defrag your HD:

    http://artsweb.bham.ac.uk/artsit/Info/Guides/GoodPractice/defrag-win2kxp.htm

    Run chkdsk:

    To use Chkdsk, click Start and My Computer. Right-click the hard drive you want to check, and click Properties. Select the Tools tab and click Check Now. Check both boxes. Click Start. You'll get a message that the computer must be rebooted to run a complete check. Click Yes and reboot. Chkdsk will take a while, so run it when you don't need to use the computer for something else.

    Remove unnecessary startups

    This should be done through the System Configuration Utility. Go to Start > Run and type in msconfig.
    Click OK or hit the Enter key.

    Click on the "Startup" tab and remove the check by the items that you have determined are unnecessary. Click "Apply" then "Close".

    You will be prompted to restart. Go ahead and restart.

    Upon restart you will be confronted with a dialogue box warning about running in selective startup. Just ignore that message and put a check in the box by "Don't show me this message or launch the System Configuration Utility when Windows starts" and click "OK". You will not be bothered by the message again.

    Keep in mind that some entries will be re-enabled in the startups each time you use that particular program. Therefore, you will have to find the option in that program's preferences that says something like "Load with Windows" or "Run when Windows Starts" and disable that option.

    Go here for info on msconfig:

    http://www.pacs-portal.co.uk/startup_index.htm

    You can look up the startups here to help determine what is needed and what is not:

    http://computercops.biz/StartupList.html

    here:

    http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

    And here:

    http://www.windowsstartup.com/wso/browse.php?l=8&start=50&end=75


    You might also consider checking out Black Viper's guide to disabling some of the unnecessary services in XP here:

    http://www.blackviper.com/WinXP/servicecfg.htm
     
  3. Snorkerz

    Snorkerz Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    6
    Thanks for that...
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! :)
     
  5. Snorkerz

    Snorkerz Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    6
    I think Explorer.EXE is dodgy..... It tries to make contact over the internet approx once every 12 minutes. Fortunately, Zone Alarm is stopping it. My Zone Alarm log is shown at http://tinyurl.com/57r42. Any other suggestions appreciated.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Do a file search for explorer.exe and let me know exactly where you find it.
     
  7. Snorkerz

    Snorkerz Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    6
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    There is nothing unusual there.

    I just noticed that you are using an old version of Hijack This so get rid of the old one and Click here to download the new one, come back here and post the log from it.
     
  9. Snorkerz

    Snorkerz Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    6
    Here we go

    Logfile of HijackThis v1.99.0
    Scan saved at 00:27:01, on 09/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Search Engine Commando\ScheduleService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\dslagent.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Visicom Media\AceFTP 3 freeware\aceftp3free.exe
    C:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
    C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp
    C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Jasc Software Inc\Paint Shop Pro 7\psp.exe
    C:\Documents and Settings\Reaney\Desktop\System security\hjt\hijackthis.exe

    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Reaney\Application Data\Mozilla\Profiles\default\t3qyvq3f.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [System Mechanic Startup Guard] "C:\Program Files\iolo\System Mechanic 5 Professional\StartupGuard.exe"
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{92E8CC33-962C-4E0C-9CAD-571CAD141EEC}: NameServer = 194.106.56.6 194.106.33.42
    O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: Search Engine Commando Schedule Service - Tates Creek Software, LLC - C:\Program Files\Search Engine Commando\ScheduleService.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe


    I can't do it now, but I'll re-boot in Safe mode in a few hours and then post the 'safe' HJT log and a revised search - I suspect they'll be different.
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I forgot to mention that the link you posted to your Zone Alarm log earlier did not work. Please attach that ZA log here. Explorer.exe accessing the net is not necessarily bad.

    The only thing I see there is this in your processes:

    C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp
    C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp


    Restart to safe mode.

    How to start your computer in safe mode

    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.


    Although, explorer.exe trying to access the net is not necessarily bad, particularly if you are on a network, I'd like you to run TDS3:

    Download TDS-3 from http://tds.diamondcs.com.au/index.php?page=download

    This is a Trial version so you will have to do the update manually.
    The automatic update only works with the registered version which costs $49.

    Update it following the instructions here:
    http://tds.diamondcs.com.au/index.php?page=update

    Under the "Manual Update" right click on the radius.td3 file and choose "Save target as".
    Then in the "Save in" box browse to the C:\Program Files\TDS3 folder
    (provided that is the location of your TDS-3 directory) and save it there.
    A prompt will appear telling you that there is already a radius.td3 file there "do you want to overwrite it" click Yes.

    Run the "full System scan", preferably in safe mode.

    Note: Temporarily disable your Antivirus program.
    Launch TDS-3 and click on "System Testing" then "Full System Scan" and the scan will begin.

    TDS-3 does not automatically remove infected files that it finds. It will display what it has found in the lower portion of the main window and it will either say "Positive Identification etc...." or "Suspicious File". Anything with a positive identification you should right click and delete. Don't do anything with the suspicious ones yet. Right click on any suspicious entry found and choose "Save as Text" then go to the TDS-3 folder (usually C:\Program Files\TDS) and look for a scandump.txt file. Open the scandump.txt file and copy and paste its contents here. Once we see the scandump file we can determine what to do with the suspicious ones. Many times the suspicious files are harmless.
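    The two triage rules applied in this thread (post 1's worry about "Explorer.EXE" versus "explorer.exe", and post 10 singling out the ~e5d141.tmp entries running from a Temp folder) as an added example, written for this page and not code posted by any participant. It parses the "Running processes" section of a HijackThis log; the sample log is constructed from paths seen in the thread, and the C:\WINDOWS location for the shell assumes a default XP install on drive C.

```python
"""Added example: triage the "Running processes" section of a HijackThis log.

Two rules from this thread:
  1. Windows file names are case-insensitive, so explorer.exe vs Explorer.EXE
     is no signal on its own; the folder it runs from is what matters.
  2. Anything executing out of a Temp folder (e.g. ~e5d141.tmp) deserves a look.
"""
import ntpath
import re

# Where the real Windows shell lives on a default XP install (assumption: drive C).
LEGIT_EXPLORER_DIR = r"c:\windows"

# A folder component named Temp or Tmp anywhere in the path (case-insensitive).
TEMP_DIR = re.compile(r"\\(temp|tmp)(\\|$)", re.I)

# Constructed sample log built from paths that appear in the thread's logs.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Reaney\LOCALS~1\Temp\~e5d141.tmp
C:\WINDOWS\System32\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/");
"""


def running_processes(log_text):
    """Return the paths listed between 'Running processes:' and the next blank line."""
    lines = iter(log_text.splitlines())
    for line in lines:
        if line.strip().lower().startswith("running processes"):
            break
    paths = []
    for line in lines:
        if not line.strip():
            break
        paths.append(line.strip())
    return paths


def triage(paths):
    """Return (path, reason) pairs worth a closer look; clean entries are not listed."""
    findings = []
    for p in paths:
        folder, name = ntpath.split(p)
        folder_l, name_l = folder.lower(), name.lower()  # compare case-insensitively
        if name_l == "explorer.exe" and folder_l != LEGIT_EXPLORER_DIR:
            findings.append((p, "explorer.exe outside its normal folder"))
        if TEMP_DIR.search(folder_l):
            findings.append((p, "running from a Temp folder"))
    return findings
```

Run against the sample, only the System32 copy of explorer.exe and the Temp entry are flagged; C:\WINDOWS\Explorer.EXE passes, as Flrman1 concluded from the real log.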
     
  11. Snorkerz

    Snorkerz Thread Starter

    Joined:
    Feb 6, 2005
    Messages:
    6
    Sorry for the delay posting this

    I have attached the logs for HJT and TDS3

    I have also attached a jpg of my ZoneAlarm log
     

    Attached Files:

  12. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    There is nothing bad in the HJT log or the ZA log.

    You didn't post the correct log from TDS3. Did it find anything?
     
  13. soz99

    soz99

    Joined:
    Feb 12, 2005
    Messages:
    1
    I've been a bit slammed by this too. I think this is something new and fairly nasty. I think that the baddies have replaced explorer.exe with a nasty version of it that downloads bad stuff. I had the same experience - about 10 or 12 minutes after blazing up IE, bad things started happening. The odd thing was that even if I wasn't connected to IE, bad things still seem to happen.

    I've been trying something different. I replaced explorer with some freeware, and the issue seems to have gone away, but the problem is that I really need to get my menu bars, etc. back, so I'm going to try to find a windows install disk and re-install explorer.

    If it's of any help, what I did was saved explorer.exe as explorer.old and then downloaded explorerxp.exe from www.explorerxp.com and saved it as explorer.exe.

    Bugs seem to be gone, But I still don't have a desktop, start menu, etc...

    D
     
  14. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Well this is the first time that you mentioned having any other problem other than just "suspecting" that there was a problem with explorer.

    I do believe that KAV will disinfect this infection, but it has to be updated with the extended databases. I'll check on that.

    I'm not so sure that it is going to fix the problems with your desktop etc.... Have you considered doing a repair install of XP?
     
Short URL to this thread: https://techguy.org/327605