
[resolved] Virus in Explorer.exe Help

Discussion in 'Virus & Other Malware Removal' started by sharbear36, Feb 14, 2005.

Thread Status:
Not open for further replies.
  1. sharbear36

    sharbear36 Thread Starter

    Joined:
    Dec 27, 2003
    Messages:
    350
    Can I delete that file? Norton can't fix it, but I'm thinking that the computer won't work if I get rid of it? Any suggestions?

    Shari
     
  2. sharbear36

    sharbear36 Thread Starter

    Joined:
    Dec 27, 2003
    Messages:
    350
    I tried to delete it but it won't even do that; I'm confused. I know that if I delete it the computer probably won't run, but it's not running correctly now and it's very frustrating. I'm surprised I haven't thrown it out the front door yet.....lol.

    Shari
     
  3. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    We need more information please. What is the exact message you get from Norton, and where is the file located?

    Also please post a Hijackthis log.
     
  4. sharbear36

    sharbear36 Thread Starter

    Joined:
    Dec 27, 2003
    Messages:
    350
    Hi,

    It says it won't delete because it's in use. Its location is Winnt/explorer.exe. I have posted many hijacks on this issue with deleting problems, and they are coming back over and over. I have run Adaware and I was down to 2 problems, and now I'm back up to 50. I correct them each time and they still keep coming. I have gone straight to the registry and deleted them from there, and still no luck.

    Logfile of HijackThis v1.99.0
    Scan saved at 1:20:51 PM, on 2/14/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    C:\WINNT\isrvs\desktop.exe
    C:\Program Files\Navnt\POProxy.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINNT\jkoes.exe
    C:\Program Files\PC MightyMax\pcmm.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\Program Files\ISTsvc\istsvc.exe
    C:\Program Files\Efficient Networks\EnterNet 300\app\EnterNetFolder.exe
    C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\jackhigh\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.helponthe.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINNT\cerbmod.dll
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\system32\wnim.dll
    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll
    O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINNT\system32\WinTitle.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
    O4 - HKLM\..\Run: [¢ª¸ï0/4»}¥ ãx‡5_C:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\jkoes.exe
    O4 - HKLM\..\Run: [¢ª¸ï0ÓÈÜÅè]wø*[email protected]ýžáC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\jkoes.exe
    O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [465Nwy] C:\WINNT\jkoes.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\Lznuam.exe
    O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} (Web Browser Applet Control) - http://game3.pogo.com/applet-6.0.4.37/jvmtest
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.cab
    O16 - DPF: {1F0AE8AE-951A-4327-612F-2D82448BC3DC} - http://67.19.178.86/1/rdgUS1742.exe
    O16 - DPF: {6A62BBB3-563E-028C-9DE9-46625BAB74AC} - http://67.19.178.86/1/rdgUS1742.exe
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\system32\wnim.dll
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
     
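The log above is the kind of output a helper reads by eye, section by section. The script below is an added example, not part of this thread or of HijackThis itself: it parses lines in the HijackThis format and flags the entry types that the replies in this thread treat as red flags (nameless BHOs, Run values with garbage names or executables dropped straight into C:\WINNT, rundll32 re-registering a DLL at logon, Trusted Zone additions, ActiveX downloads from a raw IP or as a bare .exe, and MIME filters). The sample log is a constructed nine-line subset of the log posted above, with one clean and one suspicious entry per section; the heuristics and function names are this example's own and are meant as triage aids, not a verdict.

```python
import re
from urllib.parse import urlparse
from typing import Dict, List, Optional, Tuple

# Constructed sample for this example: nine lines copied from the HijackThis
# log posted above, trimmed so each section shows a clean entry beside a
# suspicious one. A raw string keeps the Windows backslashes literal.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Navnt\POProxy.exe
O4 - HKLM\..\Run: [¢ª¸ï0/4»}¥ ãx‡5_C:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\jkoes.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {1F0AE8AE-951A-4327-612F-2D82448BC3DC} - http://67.19.178.86/1/rdgUS1742.exe
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
"""

# "O4 - HKLM\..\Run: [name] command" -> section code and the rest of the line
ENTRY_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")
# Greedy so that a ']' inside a garbage value name does not cut the name short
RUN_RE = re.compile(r"\[(.*)\]\s*(.*)$")
WINNT_ROOT_EXE = re.compile(r"(?i)^c:\\winnt\\[^\\]+\.exe$")
RUNDLL_REGISTER = re.compile(r"(?i)rundll32(\.exe)?\s+\S+\.dll\s*,\s*DllRegisterServer")
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one HijackThis line into (section, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def suspicious_reasons(section: str, body: str) -> List[str]:
    """Apply per-section heuristics; an empty list means nothing tripped."""
    reasons: List[str] = []
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO with no name")
    elif section == "O4":
        m = RUN_RE.search(body)
        if m:
            name, command = m.group(1), m.group(2).strip()
            if any(not (32 <= ord(c) <= 126) for c in name):
                reasons.append("Run value name contains non-printable or high-bit characters")
            if WINNT_ROOT_EXE.match(command):
                reasons.append("executable placed directly in the Windows directory")
            if RUNDLL_REGISTER.search(command):
                reasons.append("DLL re-registered by rundll32 at every logon")
    elif section == "O15":
        # Users almost never add sites to the Trusted Zone themselves
        reasons.append("site added to the IE Trusted Zone")
    elif section == "O16":
        url = body.rsplit(" - ", 1)[-1].strip()
        parsed = urlparse(url)
        if parsed.hostname and IPV4_HOST.match(parsed.hostname):
            reasons.append("ActiveX download from a raw IP address")
        if parsed.path.lower().endswith(".exe"):
            reasons.append("ActiveX download is a bare executable, not a CAB")
    elif section == "O18":
        reasons.append("MIME filter intercepts page content before the browser renders it")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every entry that trips at least one heuristic."""
    findings: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(*entry)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


def count_by_section(findings: List[Tuple[str, List[str]]]) -> Dict[str, int]:
    """Summarise flagged entries by HijackThis section code."""
    counts: Dict[str, int] = {}
    for line, _ in findings:
        section = line.split()[0]
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(flagged_line)
        for reason in why:
            print("    ->", reason)
    print(count_by_section(triage(SAMPLE_LOG)))
```

Run against the sample, six of the nine lines are flagged and the Norton, Yahoo Companion and MSN heartbeat entries pass, which is the same split the replies in this thread make by hand. The point of the heuristics is what an analyst looks for, not a complete list: a Run value name that is not printable text, a binary dropped into the root of the Windows directory, or a download from a bare IP address is worth a second look regardless of what the file is called.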
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  6. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Let's start with some downloads:
    Here's a link to a new tool to try.
    www.kaspersky.com/index.html

    Download the trial version KAV 5.0 personal.

    Install it and update the definitions.

    Set it up to use extended databases.
    Do a full system scan later when I tell you to do that.

    -------------
    Download this tool from Symantec.
    http://securityresponse.symantec.com/avcenter/FxIstbar.exe
    -------------

    Boot to Safe Mode.
    Run the Symantec tool. --FxIstbar.exe
    Run KAV 5.0 Personal
    --------------

    Run Ad-Aware again.


    Run HijackThis and if any of these are still present, fix them:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
    O2 - BHO: (no name) - {0F9561D0-03B2-44a3-89A6-E95E417CBA25} - C:\WINNT\cerbmod.dll
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\system32\wnim.dll
    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll
    O2 - BHO: BHO Class - {F6053709-5723-454E-AB9D-7FC7E681AFA5} - C:\WINNT\system32\WinTitle.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe

    O4 - HKLM\..\Run: [¢ª¸ï0/4»}¥ ãx‡5_C:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\jkoes.exe
    O4 - HKLM\..\Run: [¢ª¸ï0ÓÈÜÅè]wø*[email protected]ýžáC:\Program Files\ISTsvc\istsvc.exe] C:\WINNT\jkoes.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [465Nwy] C:\WINNT\jkoes.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
    O4 - HKLM\..\Run: [version] C:\WINNT\system32\Lznuam.exe
    O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe


    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} (shizmoo Class) - http://www.uproar.com/applets/activ...pside_web18.cab
    O16 - DPF: {1F0AE8AE-951A-4327-612F-2D82448BC3DC} - http://67.19.178.86/1/rdgUS1742.exe
    O16 - DPF: {6A62BBB3-563E-028C-9DE9-46625BAB74AC} - http://67.19.178.86/1/rdgUS1742.exe

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\system32\wnim.dll



    If present delete these files:

    C:\WINNT\jkoes.exe
    boln.dll
    C:\WINNT\system32\Lznuam.exe

    If Present delete these folders:
    C:\PROGRAM FILES\COMMON FILES\tsa
    C:\Program Files\ISTsvc
    C:\WINNT\isrvs



    Run your regular AV to scan the entire drive again.

    Boot to regular Windows.
    Run HijackThis and post the new log.

    Let me know how everything went.
     
  7. sharbear36

    sharbear36 Thread Starter

    Joined:
    Dec 27, 2003
    Messages:
    350
    I don't know, I got frustrated. It seemed as though my problem was not solvable, so I started over to maybe get someone new. I guess I was wrong. I just don't know what else to do, and all the hijacks and removals are not working because they are all coming back. Adaware is almost useless because I remove them and there they are again, and I'm sure it's due to the virus, so I just need help getting rid of that or none of these issues are going to be resolved. My internet is barely hanging on, and I run CWShredder and that will usually work for a short time and then they appear there too again.

    Thanks for your time on this matter and I won't start another thread. :)

    Shari
     
  8. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Hi Cybertech,

    Sorry. I didn't see your post until I had already answered. Let me know how you want to do this.

    Mo
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    No problem Mo, thanks for your help and I'll close the other threads. (y)
     
  10. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Cybertech,

    Thanks. Ok We'll give it a try here then.


    sharbear,

    Add CWShredder to the list of tools to run. Before you sign off the Internet, be sure all your removal utilities are up to date.

    Anything which won't run in Safe Mode, wait. Run everything else. Run HijackThis and clean up as directed. Then boot to regular mode and run whatever didn't work in Safe Mode.


    Here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
    http://www.computercops.biz/postt7736.html


    Mo
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    OK, before any of the other fixes will work: I am convinced you have a VX2 hijack, and that needs fixing first.

    Download L2mfix from one of these two locations:

    http://www.atribune.org/downloads/l2mfix.exe
    http://www.downloads.subratam.org/l2mfix.exe

    Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

    IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


    Once we see that log we will know for certain.
     
  12. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    I have been trying to get some good information on a program you have installed and set to run at Startup.
    O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R

    Did you install this yourself? If so, are you satisfied with it? If not, then disable it.

    EDIT: As I continue to read more on this, I am not impressed. I wouldn't use it myself. Did you pay for it or is this the free trial?
     
  13. sharbear36

    sharbear36 Thread Starter

    Joined:
    Dec 27, 2003
    Messages:
    350
    It's a free trial and I'll remove it because anything that it will fix for you, you have to pay for. So actually it's pretty useless. I'm off to do those things.

    Thanks for everything everyone.
    Shari
     
  14. sharbear36

    sharbear36 Thread Starter

    Joined:
    Dec 27, 2003
    Messages:
    350
    It won't let me go to kaspersky.com at all. I get another search engine that keeps popping up and won't let me get there. What do I do?

    Thanks
    Shari
     
  15. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Do as Derek asked and post the l2mfix file first. Maybe it will spot the reinstaller. That's the problem, you have a file which is reinstalling this thing.
     

Short URL to this thread: https://techguy.org/330419
