0

Hi all,

I'm new around here and stumbled across the site while looking for a solution to my explorer.exe crashing constantly.

I've tried many of the other fixes listed around the place; CCleaner, VundoFix, Spyware Blaster, HiJack this - all in safe mode. I've used msconfig to start windows services only and whatever I do explorer.exe just keeps restarting constantly!!

I'd be most grateful if someone could help me get to the bottom of this as I really don't want to format the computer :-(.

Anyway, if you'd like a HiJackThis log just say (although there's not much on it as I just checked all the boxes and went for it in a desperate attempt to fix explorer.exe :-))

Thanks in advance!

Dan

0

Here's the HiJack This log (just in case it helps!)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:55, on 10/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - c:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 2726 bytes

0

Hi and welcome to the Daniweb forums :).

==========

The first thing you need to do is to go back in to Hijackthis and go to the list of backups that it created when you, for some unknown reason, decided to 'fix' everything :icon_rolleyes:
Restore every single backup that there is, then reboot your computer.
Go in to msconfig and under the Startup Tab, enable all startups and hit the apply button.

DO NOT REBOOT!!!!

Rescan with hijackthis and save the log.

0

Yeah I realised 'fixing' everything was a silly idea as soon as I pressed it. After 6 hours trying to fix it I was just trying everything and hoping for the best... never happened though!

Anyway, here's the new HiJackThis log with all back-ups done and in Safe Mode.

------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:57:12, on 10/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Sky Broadband
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: D-Link AirPlus G Wireless Utility.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe

--
End of file - 4778 bytes
---------------

Thanks for the help by the way, much appreciated!

0

Safe mode log is no good. Normal mode is the best way.

==

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0

Hurrah!

ComboFix has sorted it out! Here's the log:

-------------------------
ComboFix 08-09-05.14 - Fast 2008-09-10 16:27:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.260 [GMT 1:00]
Running from: F:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\iifcDSiF.dll
C:\WINDOWS\system32\LknWyyay.ini
C:\WINDOWS\system32\LknWyyay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\xxyXpnnN.dll

.
((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.

2008-09-10 11:08 . 2008-09-10 11:08 <DIR> d-------- C:\VundoFix Backups
2008-09-10 09:53 . 2008-09-10 10:08 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-10 09:50 . 2008-09-10 09:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-10 09:49 . 2008-09-10 09:49 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-09-10 09:49 . 2008-09-10 09:49 <DIR> d-------- C:\Program Files\CCleaner
2008-09-09 23:58 . 2008-09-09 23:58 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-09 23:58 . 2008-09-09 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-09 23:39 . 2008-09-09 23:50 <DIR> d-------- C:\Program Files\RegCure
2008-09-09 23:14 . 2008-09-09 23:14 <DIR> d-------- C:\Program Files\Promosoft Corporation
2008-09-09 23:14 . 2008-09-09 23:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-09 23:09 . 2008-09-09 23:45 <DIR> d-------- C:\Program Files\Exterminate It!
2008-09-09 23:05 . 2008-09-10 12:18 <DIR> d-------- C:\WINDOWS\inf
2008-09-09 23:02 . 2008-09-09 23:02 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-09-09 19:34 . 2008-09-10 15:15 <DIR> d-------- C:\Program Files\Sophos
2008-09-09 19:33 . 2008-09-09 19:33 <DIR> d-------- C:\savxpsa
2008-09-09 18:40 . 2008-09-09 18:40 237,056 --a------ C:\WINDOWS\system32\yayyWnkL.dll
2008-09-09 18:35 . 2008-09-09 18:36 <DIR> d-------- C:\Program Files\XP Smoker
2008-09-06 21:02 . 2006-09-28 13:10 11,648 --a------ C:\WINDOWS\system32\drivers\ggsemc.sys
2008-09-06 20:01 . 2008-09-06 21:14 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-08-23 16:08 . 2008-08-23 16:08 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-08-23 16:07 . 2008-08-23 16:08 <DIR> d-------- C:\Program Files\DAEMON Tools Toolbar
2008-08-23 16:07 . 2008-08-23 16:08 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-08-23 16:00 . 2008-08-23 16:00 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-08-23 15:59 . 2008-08-23 15:59 <DIR> d-------- C:\Documents and Settings\Daniel\Application Data\DAEMON Tools
2008-08-23 15:34 . 2008-08-23 15:34 <DIR> d-------- C:\Program Files\EA GAMES
2008-08-23 15:34 . 2004-08-18 09:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2008-08-21 21:21 . 2008-05-01 15:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 15:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-10 15:24 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-10 14:19 --------- d-----w C:\Documents and Settings\Fast\Application Data\OpenOffice.org2
2008-09-10 08:37 --------- d-----w C:\Documents and Settings\Daniel\Application Data\OpenOffice.org2
2008-09-09 22:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-09 22:52 --------- d-----w C:\Documents and Settings\Fast\Application Data\uTorrent
2008-09-09 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-01 15:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-08-01 15:45 --------- d-----w C:\Program Files\Bonjour
2008-08-01 14:14 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-07-25 19:32 --------- d-----w C:\Program Files\Sun
2008-07-25 12:30 --------- d-----w C:\Program Files\TextPad
2008-07-24 23:47 --------- d-----w C:\Program Files\Scintilla Text Editor
2008-07-23 21:16 --------- d-----w C:\Program Files\Notepad++
2008-07-23 21:16 --------- d-----w C:\Documents and Settings\Fast\Application Data\Notepad++
2008-07-23 21:05 --------- d-----w C:\Program Files\Source Viewer
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92BE235B-61BB-4C8C-B4FC-AB1AC7B616D8}]
2008-09-09 18:40 237056 --a------ C:\WINDOWS\system32\yayyWnkL.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" [2007-12-21 196864]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-16 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2006-11-08 1040832]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 282624]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2006-11-08 323216]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 229952]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-16 1836544]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 184412]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2006-11-08 1040832]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-08 159744]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-11 335872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"ATIModeChange"="Ati2mdxx.exe" [2003-10-08 C:\WINDOWS\system32\Ati2mdxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\Daniel\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

C:\Documents and Settings\Fast\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 393216]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"aawservice"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"TuneUp.Defrag"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"SoundMAX Agent Service (default)"=2 (0x2)
"SAVService"=2 (0x2)
"SAVAdminService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AGRSMMSG"=AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\wamp\\bin\\apache\\apache2.2.8\\bin\\httpd.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10019:TCP"= 10019:TCP:BitComet 10019 TCP
"10019:UDP"= 10019:UDP:BitComet 10019 UDP

R1 VBoxDrv;VirtualBox Service;C:\WINDOWS\system32\DRIVERS\VBoxDrv.sys [2008-05-31 55520]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;C:\WINDOWS\system32\DRIVERS\VBoxUSBMon.sys [2008-05-31 42048]
R2 hmonitor;hmonitor;C:\WINDOWS\system32\drivers\hmonitor.sys [2006-10-05 7188]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 wampapache;wampapache;c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe [2008-01-18 24635]
R2 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe wampmysqld [ ]
S3 DLINK11G;D-Link AirPlus G Wireless Adapter;C:\WINDOWS\system32\DRIVERS\TNET1130.SYS [2004-04-06 386816]
S3 ntportio;ntportio;C:\Documents and Settings\Fast\My Documents\My Downloads\SonyEricsson_USB_Smart_SEMC_Tool_v8.4_Cracked\SEMCtool_v8.4_FREE\ntportio.sys [ ]
S4 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-11 306432]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{55737035-1B75-48DD-A4D8-66155D8AC7A3} - C:\WINDOWS\system32\xxyXpnnN.dll
HKLM-Run-BTopenworld - c:\program files\bt yahoo! internet\DialBTYahoo.exe
ShellExecuteHooks-{55737035-1B75-48DD-A4D8-66155D8AC7A3} - C:\WINDOWS\system32\xxyXpnnN.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Fast\Application Data\Mozilla\Firefox\Profiles\mlq770vn.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.GOOGLE.CO.UK
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-10 16:37:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?7?7?0??????? ?deB???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe
C:\Program Files\Apoint2K\ApntEx.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2008-09-10 16:41:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-10 15:41:02

Pre-Run: 30,214,991,872 bytes free
Post-Run: 30,494,867,456 bytes free

186 --- E O F --- 2008-09-10 08:31:49
-----------------------

Still got no idea what the problem was caused by, I'm just glad it's sorted!! Thanks once again for your help.

EDIT: Sorry I thought it was sorted, just tried installing a driver for something and explorer.exe went again. So back to square one :-(

0

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\system32\yayyWnkL.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92BE235B-61BB-4C8C-B4FC-AB1AC7B616D8}]

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
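
The file named in the CFScript above appears twice in the ComboFix log posted earlier in the thread: once under "Files Created" and once under "Reg Loading Points" as a Browser Helper Object. The following is an added example, not part of the thread and not ComboFix's own code, that performs that cross-reference on an excerpt of the posted log; the function names and the matching rule (an autostart entry whose target was created inside the log's reporting window) are assumptions made for illustration.

```python
import re

# Excerpt of the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-08-10 to 2008-09-10 )))))))))))))))))))))))))))))))
.
2008-09-09 23:02 . 2008-09-09 23:02 6,144 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-09-09 18:40 . 2008-09-09 18:40 237,056 --a------ C:\WINDOWS\system32\yayyWnkL.dll
2008-09-06 21:02 . 2006-09-28 13:10 11,648 --a------ C:\WINDOWS\system32\drivers\ggsemc.sys
2008-08-23 15:34 . 2004-08-18 09:34 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{92BE235B-61BB-4C8C-B4FC-AB1AC7B616D8}]
2008-09-09 18:40 237056 --a------ C:\WINDOWS\system32\yayyWnkL.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"""

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d"
SECTION = re.compile(r"^\(+\s*(.+?)\s*\)+$")                  # (((( Title ))))
CREATED = re.compile(rf"^({TS}) \. {TS} (\S+) \S+ (.+)$")     # created . modified size attrs path
REG_KEY = re.compile(r"^\[(.+)\]$")                           # [HKEY_...]
REG_FILE = re.compile(rf"^{TS} \d+ \S+ (.+)$")                # file listed under a key
REG_VALUE = re.compile(r'^"([^"]*)"="([^"]*)"')               # "name"="path" [...]


def parse(log):
    """Return ({lower-cased path: created timestamp}, [(key, value name, path)])."""
    created, loads = {}, []
    section, key = "", None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section, key = m.group(1), None
            continue
        if section.startswith("Files Created"):
            m = CREATED.match(line)
            if m and m.group(2) != "<DIR>":      # skip directory rows
                created[m.group(3).lower()] = m.group(1)
        elif section.startswith("Reg Loading Points"):
            m = REG_KEY.match(line)
            if m:
                key = m.group(1)
                continue
            if key is None:
                continue
            m = REG_FILE.match(line)
            if m:
                loads.append((key, None, m.group(1)))
                continue
            m = REG_VALUE.match(line)
            if m:
                loads.append((key, m.group(1), m.group(2)))
    return created, loads


def recent_autostarts(log):
    """Autostart entries whose target file also appears in 'Files Created'."""
    created, loads = parse(log)
    return [
        {"key": k, "value": v, "path": p, "created": created[p.lower()]}
        for k, v, p in loads
        if p.lower() in created   # Windows paths compare case-insensitively
    ]


if __name__ == "__main__":
    for hit in recent_autostarts(SAMPLE_LOG):
        print(hit["created"], hit["key"], "->", hit["path"])
```

A hit only means a recently created file is wired into a load point; legitimate installers produce the same pattern, so each result still needs manual review.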