Nov 7th, 2007

Yet another "explorer keeps restarting" thread (sorry)

Howdy,

I see that many people have posted with similar problems. I apologize for the repetitiveness, but I'm not able to figure out from the previous posts how to proceed.

I've got some kind of virus that causes explorer to continually restart every few seconds. Strangely, I can keep it from restarting by running an extra instance of explorer.exe. I would appreciate any advice you can give me.

I've tried installing AVG Anti-Spyware, but the installer crashes at the License Agreement screen with the error signature: "AppName:avgas-setup-7.5.1.43.exe AppVer:0.0.0.0 ModName:kernel32.dll ModVer:5.1.2600.3119 Offset:00018943". I can supply the "more details" screen if that would help.

I ran hijackthis.exe and got the following log, which didn't tell my untrained eye very much:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:48 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\poweroff.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SamsungODD\Magic Speed\MagicSL.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phpbbserver.com/griffinsr...riffinsrevenge
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MagicSpeed] C:\Program Files\SamsungODD\Magic Speed\MagicSL.exe /autorun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184028423921
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware SE Professional\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Poweroff - Jorgen Bosman - C:\WINDOWS\system32\poweroff.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 8406 bytes

Your time is much appreciated.
Reputation Points: 10
Solved Threads: 0
Newbie Poster
jej1997 is offline Offline
5 posts
since Nov 2007
Nov 7th, 2007

Re: Yet another "explorer keeps restarting" thread (sorry)

Use HijackThis to fix this installer:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
.. and then try again after uninstalling and deleting all AVG AS components you can find.
No go? Then...
ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Panda Online Scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.
Reputation Points: 239
Solved Threads: 296
Industrious Poster
gerbil is offline Offline
4,169 posts
since May 2005
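
The advice in the post above acts on a single HijackThis line: the O16 - DPF entry whose source field after the CLSID is empty. As an added example (not part of the original posts, and not HijackThis's own logic), this Python script parses log lines in the format shown in the thread and lists entries that point at nothing; the function names and the three "orphaned entry" checks are assumptions made for illustration.

```python
import re

# Constructed sample: a few lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: Poweroff - Jorgen Bosman - C:\WINDOWS\system32\poweroff.exe
"""

# "R0 - ...", "O4 - ...", "O16 - ..." etc.; header and process lines do not match.
ENTRY = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} [(name)] - <source URL or path, possibly empty>"
DPF = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})(?: \((?P<name>[^)]*)\))? -\s*(?P<src>.*)$"
)

def parse_entries(log_text):
    """Yield (section, body) for every registry/startup entry line in the log."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("section"), m.group("body").strip()

def orphaned_entries(log_text):
    """Return [(section, reason, body)] for entries with no backing file or source."""
    findings = []
    for section, body in parse_entries(log_text):
        if body.endswith("(no file)"):
            findings.append((section, "no file", body))
        elif body.endswith("(file missing)"):
            findings.append((section, "file missing", body))
        elif section == "O16":
            m = DPF.match(body)
            if m and not m.group("src"):
                findings.append((section, "empty DPF source", body))
    return findings

if __name__ == "__main__":
    for section, reason, body in orphaned_entries(SAMPLE_LOG):
        print(f"{section:<4} {reason:<17} {body}")
```

An entry flagged here is a leftover worth reviewing before fixing it in HijackThis, not a malware verdict on its own.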
Nov 8th, 2007

Re: Yet another "explorer keeps restarting" thread (sorry)

Thanks, I'll get back to you.
jej1997
Nov 8th, 2007

Re: Yet another "explorer keeps restarting" thread (sorry)

Deleting the "O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - " entry allowed me to install and run AVG Anti-Spyware. Here is what it found:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:32:34 AM 11/8/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo -> Adware.Generic : Cleaned with backup (quarantined).
F:\TOOLS\Ahead Nero Burning ROM v6.3.1.6 Ultra Edition\KEYGEN.EXE -> Hijacker.Befins.b : Cleaned with backup (quarantined).
C:\Documents and Settings\Ken\My Documents\Downloads\Norton Ghost 9.0 crak+manual.rar/Norton Ghost 9.0 Espanish+crak+manual\KeyGen.exe -> Trojan.Keygen.s : Cleaned with backup (quarantined).
C:\Documents and Settings\Ken\My Documents\Downloads\SAMBC\SAM.Broadcaster.3.4.3+Keygen+SHOUTCast.Server.rar/keygen.exe -> Worm.Mytob.lu : Cleaned with backup (quarantined).


::Report end

The problem is still there, so I went ahead and ran ATF Cleaner, which deleted 4 MB of stuff.

Some other interesting observations: When explorer restarts, I also see imapi.exe briefly in the task manager. If I delete all copies of explorer.exe and imapi.exe, they get recreated. I even overwrote imapi.exe with a zero-length file, and it was somehow restored the next time I started explorer.

I'm now running Panda ActiveScan. Thanks for the help.
jej1997
Nov 8th, 2007

Re: Yet another "explorer keeps restarting" thread (sorry)

Panda ActiveScan keeps quitting for some reason, after running for about an hour. It finds at least one virus and two instances of spyware, but at some point later in time, it quits. When I come back into the room it's not running any more. Unfortunately, I can't get the report until the scan finishes (which it never does).

I aborted after about 45 minutes and the report showed the following:

Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Ken\Favorites\Health
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ken\Cookies\ken@searchportal.information[1].txt
Virus:Generic Trojan Not disinfected C:\Documents and Settings\Ken\My Documents\Downloads\Adobe_Photoshop.CS3.Beta.20061208.HAPPY.NEW.YEAR-ENGiNE\e-apcs3.rar[Crack\photoshop.cs3.beta.20061208.exe]

I've killed all non-essential processes. The only processes that are running are the following:

csrss.exe
iexplore.exe
lsass.exe
services.exe
smss.exe
svchost.exe
System
System Idle Process
taskmgr.exe
winlogon.exe

Any ideas? ...Thanks
jej1997
Nov 8th, 2007

Re: Yet another "explorer keeps restarting" thread (sorry)

jej, dump all those files from AVG AS quarantine.....[some groups put out clean keygens cos they are proud of their work, but I won't tell you on this site].
"If I delete all copies of explorer.exe and imapi.exe, they get recreated." - that is the Windows file protection system at work; it will replace any protected system file that it finds corrupted. imapi.exe is used with CD image recording, it will flick off when you are not doing that.
This one found by Panda will not be deleted by it because it is not considered a virus by it, more spyware [trojan]:
C:\Documents and Settings\Ken\My Documents\Downloads\Adobe_Photoshop.CS3.Beta.20061208.HAPPY.NEW.YEAR-ENGiNE\e-apcs3.rar[Crack\phot... - you should remove it yourself. It may be breaking Panda, but I doubt it. Some bad infections will halt scans. Try this one:
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....
gerbil
Nov 11th, 2007

Re: Yet another "explorer keeps restarting" thread (sorry)

That did the trick. Thanks again for your help!
jej1997
Nov 11th, 2007

Re: Yet another "explorer keeps restarting" thread (sorry)

Happy to help. [if you read this, pls tap the solved button, je...]
Cheers.
Last edited by gerbil; Nov 11th, 2007 at 7:55 am.
gerbil

This thread is solved
