
Yes, hello folks, been a while since I needed your expert help but here goes..

As soon as I'm on the desktop it begins: I lose all my desktop icons and taskbar, then it opens again 5 secs later, then the same again. Sometimes it won't even open back up and I need to ctrl alt del to bring it in through processes. I've done a HijackThis and here's the logfile...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:03:12, on 30/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\alexander scott\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/stage6/windows/DivXBrowserPlugin.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 5097 bytes

Last Post by gerbil
0

30 views and no replies... c'mon guys, surely someone has come across this error.

0

I'm sorry, but after four hours solid of trying to fix this and not a reply from this forum, I say your forum and tech dep sucks big time.. not to even reply is bad manners in my book, and this comes after, as I say, four hours of trying to fix this.... so please take that into consideration before you ban me... but I'm sure I have a valid point about the help you offer, as I've watched the forums all day and they've been busy enough.

0

Your Log File Looks Good.

This is most probably caused by the malware "F-Nimda"

The SHELLFIX.REG (download below) file is used to fix Explorer startup problems
resulted from unconditional termination of F-Nimda tool during
its operation.

If F-Nimda tool is terminated by a user or operating system while
it is scanning a hard disk, there will be no icons and no taskbar
on Windows desktop. To fix the problem you will have to run the
SHELLFIX.REG file.

Info here:

ftp://ftp.f-secure.com/anti-virus/tools/shellfix.txt

Download:

http://www.mediafire.com/?nnklnmfngto
0

I'm not sure if that's what I've got, but I can't even seem to find the path to that shellfix.reg. I'm running Windows XP Home SP2 with all updates... and I can't access My Computer to find the path to that file, as the Windows Explorer window doesn't stay open enough time for me to do it: it crashes then restarts, or sometimes crashes and doesn't restart... anyway... I ran Spybot Search and Destroy and it found a few errors. The file that sometimes opens when I try to access the My Computer icon is the first pic I'm going to show you, called error. The second pic is the error I got when I ran Spybot Search and Destroy, and the third pic is the screenie of the services that happen to chew up the bandwidth after I apply the fix solution within Spybot Search and Destroy, which seems to give me about ten minutes of my icons and taskbar back, then it all starts to happen again...

Trying to upload pics but I don't seem to have the right to do so. Leave it with me, or could someone explain how to upload these pics?

OK, I'll try to explain these errors without pics. The first one, called error, is what happens when I try to open the My Computer icon... I get this error message

ERROR 1

error: SysFader: explorer.exe - bad image

The application or dll C/WINDOWS/system32/xxyvTMCr.dll is not a valid windows image please check this against your installation diskette.
_______________________________________________________________________

Error 2 happens when I run spybot search and destroy and this is what it found

ERROR 2

VIRTUMONDE.DLL
"then here it gives four other errors that seem to be registry key dll names and paths" (too much to type)
__________________________________________________________________________________

ERROR 3

This happens after I use the fix solution within Spybot S&D

The problem stops for about ten minutes and the PC is fine (apparently), then when you check Task Manager processes the explorer exe is using nearly 50% of CPU and the rundll.exe is using the other 50%, so the PC is kinda locked at this point, then ten minutes later the whole thing starts again.

_______________________________________________________________________________

0

I suggest that you run a repair install, then do the scans. When explorer is corrupted the best thing to do is a clean install or repair. So if you have a bootable XP CD, pop it in and repair Windows. Try to run VundoFix and ComboFix after you do the repair.

0

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

...okay, that was the shellfix reg file you were hunting for. It just tells winlogon to start the explorer shell. Certainly won't do any harm to run it..

Anyway, your sys is infected. Run this:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
If explorer won't stay open long enough for you to load that URL into its address bar or to start your browser you can instead open Task Manager and paste it into the File> New Task [Run] box...
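
Added example, not part of any post in this thread: a small parser for the HijackThis log format shown in the first post, used to check whether a file named in an error dialog (here `xxyvTMCr.dll`) is referenced anywhere in the log. The sample lines are an excerpt copied from that log; the function names are this example's own.

```python
import re
from collections import Counter

# Excerpt of the HijackThis log from the first post (lines copied from the page).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\PnkBstrA.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# An entry line is "<group code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Return (running process paths, [(group code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def section_counts(entries):
    """Count entries per group code. O2 (Browser Helper Objects) and O20
    (AppInit_DLLs / Winlogon Notify) list DLLs loaded into Explorer and
    winlogon; the log posted in this thread has no lines in either group."""
    return Counter(code for code, _ in entries)

def find_references(text, filename):
    """Case-insensitive search for a file name in processes and entries."""
    processes, entries = parse_log(text)
    needle = filename.lower()
    hits = [("process", p) for p in processes if needle in p.lower()]
    hits += [(code, body) for code, body in entries if needle in body.lower()]
    return hits
```

An empty result from `find_references` means only that the scan did not list the file, not that the file is absent from disk.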
