| EXPLORER.EXE keeps restarting

I honestly have no clue how I got this problem. I've tried doing system restore but I don't have a restore point before the virus. I also tried making a new account but that didn't work either. It happens in safe mode too. I've tried avenger, vundofix, and combofix but they may be outdated. Here's my hijackthis log. Thanks for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:08:25 PM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [oovoo.exe] C:\Program Files\ooVoo\oovoo.exe /minimized
O4 - S-1-5-18 Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (User 'Default user')
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
-- End of file - 3969 bytes |
| ||
| Re: EXPLORER.EXE keeps restarting Quote:
Vundofix is a very specific tool for removing a very specific Trojan, that is all. If you have it on your system this tool "may" remove it. You should never run a tool without checking for an update. VundoFix IS updated regularly. Read This from the creator of The Avenger Quote:
Combofix Info: ComboFix is not a general purpose cleaning tool and should not be used as such. ComboFix should only be used when asked by someone experienced in the use of this tool. Using this tool without supervision can cause problems with your computer.

Post the combofix log here and then please uninstall all of these programs from your system. Then do the following:

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* Double-click mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Post back here with the MBA-M log and the combofix log.

Judy |
| ||
| Re: EXPLORER.EXE keeps restarting It got fixed somehow. Thanks so much for your help. I appreciate it and I'll take note of your advice. Thanks. |
| ||
| Re: EXPLORER.EXE keeps restarting Actually it didn't get fixed. It went away for a day for some reason. Back to trying to fix it =(. I'm doing the malware scan and combo fix right now. |
| ||
| Re: EXPLORER.EXE keeps restarting I think it is fixed for now. Here is the log. I'll let you know if it returns. thanks so much for your help! Malwarebytes' Anti-Malware 1.31 Database version: 1471 Windows 5.1.2600 Service Pack 3 12/8/2008 7:01:39 PM mbam-log-2008-12-08 (19-01-39).txt Scan type: Full Scan (C:\|D:\|) Objects scanned: 286466 Time elapsed: 1 hour(s), 25 minute(s), 33 second(s) Memory Processes Infected: 0 Memory Modules Infected: 2 Registry Keys Infected: 8 Registry Values Infected: 1 Registry Data Items Infected: 2 Folders Infected: 0 Files Infected: 26 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: C:\WINDOWS\system32\efcayVnL.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\nnnoNgHb.dll (Trojan.Vundo) -> Delete on reboot. Registry Keys Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f12b9c8-e40f-4834-92a6-755084097127} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{1f12b9c8-e40f-4834-92a6-755084097127} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnonghb (Trojan.Vundo.H) -> Delete on reboot. HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot. HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully. 
Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot. Registry Data Items Infected: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\efcayvnl -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efcayvnl -> Delete on reboot. Folders Infected: (No malicious items detected) Files Infected: C:\WINDOWS\system32\efcayVnL.dll (Trojan.Vundo.H) -> Delete on reboot. C:\WINDOWS\system32\LnVyacfe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\LnVyacfe.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully. C:\WINDOWS\system32\nnnoNgHb.dll (Trojan.Vundo.H) -> Delete on reboot. C:\Qoobox\Quarantine\C\WINDOWS\system32\gebCrrqn.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\nnnnKEwt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Qoobox\Quarantine\C\WINDOWS\system32\yayxyabB.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\T8R9N1IG\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\2WYDIO7F\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\7IFB200M\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\96F5BTXQ\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully. 
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\ED04380S\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\KP6N777Z\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\O6E72O64\mslog[2] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\O6E72O64\mslog[1] (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP82\A0137021.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP85\A0139995.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP85\A0139996.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP86\A0143995.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP89\A0145995.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP91\A0156218.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP96\A0160339.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\system32\pmnlljHY.dll (Trojan.Vundo) -> Quarantined and deleted successfully. C:\WINDOWS\youtubex.dll (Trojan.Agent) -> Quarantined and deleted successfully. C:\WINDOWS\system32\qoMdDwVN.dll (Trojan.Vundo) -> Quarantined and deleted successfully. 
C:\WINDOWS\system32\rqRHwTMc.dll (Trojan.Vundo) -> Quarantined and deleted successfully. |
| ||
| Re: EXPLORER.EXE keeps restarting Beautiful. Can you please post a fresh HijackThis log? Also, how is your system running now??? Cohen :) |
| ||
| Re: EXPLORER.EXE keeps restarting

OK, here's the new HIJACK-THIS log: My computer is running fine now, explorer.exe is now stable. Thanks for all the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:34 PM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Safari\Safari.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\oovooToolbar\oovooToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe (User 'Default user')
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
-- End of file - 4475 bytes |
| ||
| Re: EXPLORER.EXE keeps restarting OK, nice, well from what I can see your log is clean. So you should be all fixed now, just wait for another member, like jholland, to confirm that it is clean and then this thread is solved :) Thanks, Cohen :) |
| ||
| Re: EXPLORER.EXE keeps restarting Looks to me as if all is clean but one glaring piece of info shows in the log and that is a Java program that is way, way out of date. This certainly will lessen the security of the browsers and then of course the computer. You need to first download the latest version of Java which is version 6 update 11. Choose the Offline Install and save the installation file to your desktop. After you have downloaded that then go to Start, Control Panel, Add/Remove and Uninstall ALL older versions of Java you find there. When all the uninstalls are complete then double click that install file on the desktop and install the new version. When that completes go back to the download page noted above and on the right side you will see Verify Now. Click there to go to the verification page where you can test to be sure the installation was complete. Judy |
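
The check made in the reply above (spotting an out-of-date Java runtime among the browser helper objects of a HijackThis log) can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, the sample lines are copied from the second HijackThis log posted here, and it assumes "version 6 update 11" corresponds to the install directory name `jre1.6.0_11`.

```python
import re

# Sample input: four lines copied from the second HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O2 - BHO: <name> - {CLSID} - <dll path or (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
# JRE install directory such as \jre1.5.0_09\ (update suffix is optional).
JRE_RE = re.compile(r"\\jre(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\\", re.IGNORECASE)

# Baseline from the reply above ("version 6 update 11"); the mapping to the
# directory name jre1.6.0_11 is an assumption of this example.
JAVA_BASELINE = (1, 6, 0, 11)


def parse_bho_lines(log_text):
    """Return one dict (name, clsid, target) per O2 browser helper object line."""
    entries = []
    for line in log_text.splitlines():
        match = BHO_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def review_bhos(log_text, baseline=JAVA_BASELINE):
    """Flag BHOs whose DLL is missing or that load from a JRE older than baseline."""
    findings = []
    for entry in parse_bho_lines(log_text):
        if entry["target"] == "(no file)":
            # HijackThis prints "(no file)" when the registered DLL is not on disk.
            findings.append((entry["clsid"], "orphaned BHO: registry entry without a file"))
            continue
        jre = JRE_RE.search(entry["target"])
        if jre:
            version = tuple(int(part or 0) for part in jre.groups())
            if version < baseline:
                findings.append((entry["clsid"], "outdated JRE %d.%d.%d_%02d" % version))
    return findings


if __name__ == "__main__":
    for clsid, reason in review_bhos(SAMPLE_LOG):
        print(clsid, reason)
```
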