Explorer windows disappear when accessing some directories and web pages
The Problem: "Explorer windows disappear when accessing some directories and web pages and I can't access TRENDMICRO's Housecall"
For these matters I use Spybot, Adaware and Hijackthis... any help would be deeply appreciated.
It began when I found a WEBREBATE process running with the task manager, later I found the WEBREBATE directory on my program files. This all happened after running Spybot and Adaware several times. So I erased the directory. Then I ran Adaware and found an entry for BULLGUARD which I hadn't installed, so I erased it with Adaware and then did a search with Windows search for BULLGUARD, so a directory with that name was found on my program files directory.
Here comes the weird part, whenever I tried to open the BULLGUARD folder... the window closed, I would click on the BULLGUARD folder and Explorer closed.
So I tried looking for BULLGUARD on my browser with YAHOO!, GOOGLE, ALLTHEWEB and guess what... after typing BULLGUARD and hitting enter... EXPLORER would close.
I had never used Hijackthis before so I decided to run Hijackthis... and EXPLORER would close whenever I clicked on the HIJACKTHIS folder.
To add to the weirdness, whenever I tried to contact TRENDMICRO to run the Housecall virus scan, the browser would say that it can't open the page... and a friend of mine has no problem doing the same thing on a computer in the next room.
So I decided to run the three programs in safe mode. Since I am not very Hijackthis savvy, I only erased the entry for WEBREBATES.
Now I can run everything without going into safe mode and the BULLGUARD thing has disappeared.
But I still can't contact TRENDMICRO and for some reason whenever I try to run regedit it says that the administrator (me) has disabled registry editing tools (not true because I don't know how to do that).
Adaware has found and erased these entries more than once:
HKEY_USERS
-1-5-21-997928796-833337716-1005\software\microsoft\current version\policies\system"DisableTools"
HKEY_LOCAL_MACHINE:\software\microsoft\windows nt\currentversion\winlogon"Shell" (explorer.exe,regscan.exe -shell)
SPYBOT
These results always reoccur even after deleting and running Spybot several times
Kazaa.Inc.Spybot13.World
HKEY-USERS\S-1-5-21-997928796-3837616676-833337716-1005\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
(and no information about the product or the company)
DSO Exploit
HKEY-USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
HKEY-USERS\S-1-5-21-997928796-3837616676-833337716-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
HKEY-USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
HKEY-USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
HKEY-USERS\DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
(the product and company information is for microsoft)
HIJACKTHIS
Here is the last hijackthis log
Logfile of HijackThis v1.98.2
Scan saved at 14:57:02, on 20/09/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UTILITIES\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=Explorer.exe,regscan.exe -shell
O1 - Hosts: 127.73.146.128 www.symantec.com
O1 - Hosts: 127.108.238.207 securityresponse.symantec.com
O1 - Hosts: 127.19.192.142 symantec.com
O1 - Hosts: 127.134.32.82 www.mcafee.com
O1 - Hosts: 127.186.179.143 mcafee.com
O1 - Hosts: 127.167.32.188 us.mcafee.com
O1 - Hosts: 127.22.205.41 www.sophos.com
O1 - Hosts: 127.183.93.142 sophos.com
O1 - Hosts: 127.192.244.7 www.viruslist.com
O1 - Hosts: 127.185.195.14 viruslist.com
O1 - Hosts: 127.138.67.199 f-secure.com
O1 - Hosts: 127.38.198.110 www.f-secure.com
O1 - Hosts: 127.8.1.125 kaspersky.com
O1 - Hosts: 127.157.83.170 www.avp.com
O1 - Hosts: 127.77.232.31 www.kaspersky.com
O1 - Hosts: 127.103.121.204 avp.com
O1 - Hosts: 127.52.223.108 www.networkassociates.com
O1 - Hosts: 127.143.225.155 networkassociates.com
O1 - Hosts: 127.197.171.51 www.ca.com
O1 - Hosts: 127.120.114.228 ca.com
O1 - Hosts: 127.150.86.10 my-etrust.com
O1 - Hosts: 127.51.178.218 www.my-etrust.com
O1 - Hosts: 127.62.44.201 secure.nai.com
O1 - Hosts: 127.12.196.64 nai.com
O1 - Hosts: 127.45.163.106 www.nai.com
O1 - Hosts: 127.0.23.92 trendmicro.com
O1 - Hosts: 127.137.140.36 www.trendmicro.com
O1 - Hosts: 127.28.25.227 housecall.trendmicro.com
O1 - Hosts: 127.224.94.210 www.pandasoftware.com
O1 - Hosts: 127.243.142.92 www.bitdefender.com
O1 - Hosts: 127.209.119.7 www.ravantivirus.com
O1 - Hosts: 127.175.103.179 www3.ca.com
O1 - Hosts: 127.249.168.94 v4.windowsupdate.microsoft.com
O1 - Hosts: 127.113.26.234 v5.windowsupdate.microsoft.com
O1 - Hosts: 127.192.110.235 v5windowsupdate.microsoft.nsatc.net
O1 - Hosts: 127.233.243.44 windowsupdate.microsoft.com
O1 - Hosts: 127.228.153.213 www.windowsupdate.com
O1 - Hosts: 127.123.223.180 windowsupdate.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\ARCHIV~1\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [PowerKey] "C:\ARCHIV~1\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] C:\ARCHIV~1\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\ARCHIV~1\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\ARCHIV~1\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Archivos de programa\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Archivos de programa\Video\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WindowsXPserv] svcnxp32.exe
O4 - HKLM\..\Run: [WinDisk16] regscan.exe -services
O4 - HKLM\..\RunServices: [WinDisk16] regscan.exe -services
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinDisk16] regscan.exe -drivers
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\utilidades\Microsoft Office\Office10\OSA.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...ab2292e6aa4d79
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
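A small triage pass over the kind of HijackThis log posted above, as an added example that is not part of the original post: it flags hosts-file entries that map a real domain to a loopback address (so that site cannot be reached), extra programs on the Winlogon Shell line, autoruns that start those same programs, and the DisableRegedit policy. The function names and finding categories are assumptions; the sample lines are copied from the log in the post.

```python
import re
from ipaddress import ip_address

# Lines copied from the HijackThis log in the post above (a subset of it).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe,regscan.exe -shell
O1 - Hosts: 127.0.23.92 trendmicro.com
O1 - Hosts: 127.28.25.227 housecall.trendmicro.com
O1 - Hosts: 127.233.243.44 windowsupdate.microsoft.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [WinDisk16] regscan.exe -services
O4 - HKCU\..\Run: [WinDisk16] regscan.exe -drivers
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")        # "O4 - <body>"
AUTORUN = re.compile(r"^(.*?): \[(.*?)\] (.*)$")   # "<key>: [<name>] <command>"
EXE = re.compile(r'([^\\/"]+?\.exe)', re.IGNORECASE)


def exe_name(command):
    """Lower-cased file name of the first .exe in a command line, or None."""
    m = EXE.search(command)
    return m.group(1).strip().lower() if m else None


def triage(log):
    """Return findings (hypothetical category names) for a HijackThis log."""
    lines = map(str.strip, log.splitlines())
    entries = [m.groups() for m in map(ENTRY.match, lines) if m]
    found = {"blocked_hosts": [], "shell_extras": [], "autoruns": [], "policies": []}

    for section, body in entries:
        if section == "O1" and body.startswith("Hosts:"):
            fields = body[len("Hosts:"):].split()
            try:
                ip = ip_address(fields[0])
            except (IndexError, ValueError):
                continue                     # malformed hosts line
            # A real domain mapped into 127.0.0.0/8 never reaches the real site.
            for host in fields[1:]:
                if ip.is_loopback and host.lower() != "localhost":
                    found["blocked_hosts"].append(host.lower())
        elif section == "F2" and "Shell=" in body:
            # The default Winlogon shell is Explorer.exe alone; anything after
            # the comma is started at every logon.
            for cmd in body.partition("Shell=")[2].split(","):
                name = exe_name(cmd)
                if name and name != "explorer.exe":
                    found["shell_extras"].append(name)
        elif section == "O7" and re.search(r"DisableRegedit\s*=\s*1\b", body):
            # This policy is what makes regedit report it has been disabled.
            found["policies"].append("DisableRegedit")

    # Second pass: autoruns that launch the same program as the shell line.
    for section, body in entries:
        m = AUTORUN.match(body) if section == "O4" else None
        if m and exe_name(m.group(3)) in found["shell_extras"]:
            found["autoruns"].append((m.group(1), m.group(2)))
    return found


if __name__ == "__main__":
    for category, items in triage(SAMPLE_LOG).items():
        print(category, items)
```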