Member Avatar for jej1997

Howdy,

I see that many people have posted with similar problems. I apologize for the repetetiveness, but I'm not able to figure out from the previous posts how to proceed.

I've got some kind of virus that causes explorer to continually restart every few seconds. Strangely, I can keep it from restarting my running an extra instance of explorer.exe. I would appreciate any advice you can give me.

I've tried installing AVG Anti-Spyware, but the installer crashes at the License Agreement screen with the error signature: "AppName:avgas-setup-7.5.1.43.exe AppVer:0.0.0.0 ModName:kernel32.dll ModVer:5.1.2600.3119 Offset:00018943". I can supply the "more details" screen if that would help.

I ran hijackthis.exe and got the following log, which didn't tell my untrained eye very much:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:18:48 AM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware SE Professional\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\poweroff.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SamsungODD\Magic Speed\MagicSL.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
F:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phpbbserver.com/griffinsrevenge/index.php?mforum=griffinsrevenge
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\QTSystem\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MagicSpeed] C:\Program Files\SamsungODD\Magic Speed\MagicSL.exe /autorun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra 'Tools' menuitem: IE7pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7pro\IE7pro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1184028423921
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware SE Professional\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\KSE\nHancer 32bit\nHancerService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Poweroff - Jorgen Bosman - C:\WINDOWS\system32\poweroff.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 8406 bytes

Your time is much appreciated.

  • 2 Contributors
  • 7 Replies
  • 115 Views
  • 4 Days Discussion Span
  • Latest Post Latest Post by gerbil

Recommended Answers

All 7 Replies

Member Avatar for gerbil

USe hijackthis to fix this installer:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
.. and then try again after uninstalling and deleting all AVG AS components you can find.
No go? Then...
ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
Panda Online Scan:
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here.

Member Avatar for jej1997

Thanks, I'll get back to you.

Member Avatar for jej1997

Deleting the "O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - " entry allowed me to install and run AVG Anti-Spyware. Here is what it found:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:32:34 AM 11/8/2007

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo -> Adware.Generic : Cleaned with backup (quarantined).
F:\TOOLS\Ahead Nero Burning ROM v6.3.1.6 Ultra Edition\KEYGEN.EXE -> Hijacker.Befins.b : Cleaned with backup (quarantined).
C:\Documents and Settings\Ken\My Documents\Downloads\Norton Ghost 9.0 crak+manual.rar/Norton Ghost 9.0 Espanish+crak+manual\KeyGen.exe -> Trojan.Keygen.s : Cleaned with backup (quarantined).
C:\Documents and Settings\Ken\My Documents\Downloads\SAMBC\SAM.Broadcaster.3.4.3+Keygen+SHOUTCast.Server.rar/keygen.exe -> Worm.Mytob.lu : Cleaned with backup (quarantined).


::Report end

The problem is still there, so I went ahead and ran ATF Cleaner, which deleted 4 MB of stuff.

Some other interesting observations: When explorer restarts, I also see imapi.exe briefly in the task manager. If I delete all copies of explorer.exe and imapi.exe, they get recreated. I even overwrote imapi.exe with a zero-length file, and it was somehow restored the next time I started explorer.

I'm now running Panda ActiveScan. Thanks for the help.

Member Avatar for jej1997

Panda ActiveScan keeps quitting for some reason, after running for about an hour. It finds at least one virus and two instances of spyware, but at some point later in time, it quits. When I come back into the room it's not running any more. Unfortunately, I can't get the report until the scan finishes (which it never does).

I aborted after about 45 minutes and the report showed the following:

Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Ken\Favorites\Health
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ken\Cookies\ken@searchportal.information[1].txt
Virus:Generic Trojan Not disinfected C:\Documents and Settings\Ken\My Documents\Downloads\Adobe_Photoshop.CS3.Beta.20061208.HAPPY.NEW.YEAR-ENGiNE\e-apcs3.rar[Crack\photoshop.cs3.beta.20061208.exe]

I've killed all non-essential processes. The only processing that are running are the following:

csrss.exe
iexplore.exe
lsass.exe
services.exe
smss.exe
svchost.exe
System
System Idle Process
taskmgr.exe
winlogon.exe

Any ideas? ...Thanks

Member Avatar for gerbil

jej, dump all those files from AVG AS quarantine.....[some groups put out clean keygens cos they are proud of their work, but I won't tell you on this site].
"If I delete all copies of explorer.exe and imapi.exe, they get recreated." - that is the windows file protection system at work; it will replace any protected system file that it finds corrupted. imapi.exe is used with CD image recording, it will flick off when you are not doing that.
This one found by Panda will not be deleted by it because it is not considered a virus by it, more spyware [trojan]:
C:\Documents and Settings\Ken\My Documents\Downloads\Adobe_Photoshop.CS3.Beta.20061208.HAPPY.NEW.YEAR-ENGiNE\e-apcs3.rar[Crack\phot... - you should remove it yourself. It may be breaking Panda, but I doubt it. Some bad infections will halt scans. Try this one:
==Kaspersky Online Scan, from http://www.kaspersky.com/virusscanner -press the Kaspersky Online Scanner button, follow through....

Member Avatar for jej1997

That did the trick. Thanks again for your help!

Member Avatar for gerbil

Happy to help. [if you read this, pls tap the solved button, je...]
Cheers.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.