
Explorer.exe in root, Can't access internet without it...

Hi everybody,

I know it should not be there...

If I rename it or block its access to the Internet in ZoneAlarm, I can't access any Web pages in IE6sp1 under Win98se.

In ZoneAlarm "Program Control", I have a computer icon instead of the IE logo???

I scanned my computer for trojans with TDS-3 and the only thing it did was tell me that this was a possible trojan infection. I already knew that... :tongue:

HJT log available upon request... ;)

Can anybody help me...

Comments

  • Straight_Man (Geeky, in my own way) Naples, FL, Icrontian
    edited May 2004
    Well, looks like something rerouted network connection things through itself. BUT, Explorer.exe should be on your computer, though not in C:\explorer.exe. That is the name of your computer's FILE BROWSER (Explorer.exe). iexplore.exe is your Internet Explorer. Did someone move explorer.exe for you???

    Post your HJT log here, please.

    I do not know how to explain in general terms how to know what not to post and what to post from a winipcfg run in 98 SE (Start|Run|winipcfg), but that can show you some parts of the networking without forcing you to redo it... Also try getting LSP_Fix from the downloads area (in the security part of that area) and run that.

    Essentially, what is probably happening, is that something replaced one of your network hooks with itself. When you killed it, you got part of it, but did not reestablish networking right afterwards.
  • edited May 2004
    Hi John_D,

    Thank you for your answer.

    I have two instances of "explorer.exe", the right one, under c:\Windows and the one in root.

    Both are the same size (176kb); when I double-click the one in root, it just opens up another file explorer window???

    I'm "stumped"... ;)

    I ran "winipcfg", no info there pointing to my problem...

    Here is my HJT log:

    Logfile of HijackThis v1.97.5
    Scan saved at 20:43:38, on 04-05-05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
    D:\PROGRAM FILES\UTIL\AVG\AVGSERV9.EXE
    C:\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\COMPAQ\COMPAQ EAB SOFTWARE\CPQEK.EXE
    D:\PROGRAM FILES\UTIL\AVG\AVGCC32.EXE
    C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
    D:\PROGRAM FILES\UTIL\MOONPHASE\MOON.EXE
    D:\PROGRAM FILES\UTIL\TRANSPARENT\TRANSPARENTD.EXE
    C:\PROGRAM FILES\SYMPATICO\ACCESS MANAGER\APP\ENTERNET.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\NOTEPAD.EXE
    D:\PROGRAM FILES\UTIL\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = <none>
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wired.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.wired.com/
    O2 - BHO: (no name) - {00000178-CD4A-447a-BCF9-6FD0096B5527} - D:\PROGRAM FILES\UTIL\PRIVACYBIRD\P3PCLIENT.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
    O4 - HKLM\..\Run: [AVG_CC] D:\PROGRAM FILES\UTIL\AVG\avgcc32.exe /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
    O4 - HKLM\..\RunServices: [Avgserv9.exe] D:\PROGRA~1\UTIL\AVG\Avgserv9.exe
    O4 - Startup: moon.exe.lnk = D:\Program Files\Util\MoonPhase\moon.exe
    O4 - Startup: TransparentD.lnk = D:\Program Files\Util\Transparent\TransparentD.exe
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: Ouvrir le cadre dans une nouvelle fenêtre - file://C:\WINDOWS\web\reopen.htm
    O14 - IERESET.INF: START_PAGE_URL=http://www.sympatico.ca/homepage.html?blink=static
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab

    As you can see, I think, I am clean except for C:\EXPLORER.EXE..?

    I will be looking at "LSP_Fix"

    Thanks again...
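An added example (not from this thread and not part of HijackThis) of the kind of triage a reader would do on the "Running processes" section of a log like the one above: it flags a process that runs from the root of a drive, a core system binary name running outside the Windows directory, or anything running from a temp folder. The list of core binary names and the assumed Windows directory are assumptions chosen to match the Win98 layout in the posted log; the sample log is a constructed excerpt.

```python
"""Triage the 'Running processes' section of a HijackThis log.

Added example, not part of the forum thread or of HijackThis itself.
Flags process images that run from a drive root (like the C:\\EXPLORER.EXE
entry above), core binaries living outside the Windows tree, and anything
running from a temp directory.
"""
import ntpath

# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.5
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\\WINDOWS\\SYSTEM\\KERNEL32.DLL
C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE
C:\\EXPLORER.EXE
C:\\WINDOWS\\TASKMON.EXE
C:\\WINDOWS\\TEMP\\HIJACKTHIS.EXE

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = <none>
"""

# Assumption: names that should only run from the Windows directory tree.
CORE_BINARIES = {"explorer.exe", "kernel32.dll", "msgsrv32.exe",
                 "mprexe.exe", "systray.exe", "taskmon.exe"}
# Assumption: the legitimate home of those binaries on this Win98 layout.
WINDOWS_DIRS = ("c:\\windows",)


def running_processes(log_text):
    """Return the image paths listed under the 'Running processes:' header."""
    procs = []
    collecting = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            collecting = True
            continue
        if collecting:
            if not stripped:          # a blank line closes the section
                break
            procs.append(stripped)
    return procs


def classify(path):
    """Return the reasons a process path looks suspicious (empty list = fine)."""
    reasons = []
    lowered = path.lower()
    _drive, rest = ntpath.splitdrive(lowered)
    directory, name = ntpath.split(rest)
    if directory in ("\\", ""):
        reasons.append("runs from drive root")
    in_windows = any(lowered.startswith(w + "\\") for w in WINDOWS_DIRS)
    if name in CORE_BINARIES and not in_windows:
        reasons.append("core system binary outside the Windows directory")
    if "\\temp\\" in lowered:
        reasons.append("runs from a temp directory")
    return reasons


def triage(log_text):
    """Map each suspicious process path in the log to its list of reasons."""
    findings = {}
    for proc in running_processes(log_text):
        reasons = classify(proc)
        if reasons:
            findings[proc] = reasons
    return findings


if __name__ == "__main__":
    for image, why in triage(SAMPLE_LOG).items():
        print(image, "->", "; ".join(why))
```

Run against the constructed log this reports two entries: C:\EXPLORER.EXE (drive root, core binary outside Windows) and HIJACKTHIS.EXE itself because it was launched from C:\WINDOWS\TEMP. The second finding is benign here, which is the point of a heuristic like this: it narrows the list for a human to judge rather than deciding for them.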
  • edited May 2004
    Hi John_D,

    I ran "LSP_Fix", tried to make sense of the text file, Chinese to me, ;)

    Before doing anything, I backed up my registry file. I didn't check "I know what I'm doing" so nothing happened... :)

    Here is the list of files "LSP_Fix" found:

    rnr20.dll
    mswsosp.dll
    msafd.dll
    rsvpsp.dll

    Does this mean that there is something wrong with those files???
  • edited May 2004
    Hi everybody,

    I need your help...
  • Dexter, Vancouver, BC, Canada
    edited May 2004
    There are some trojans which will install a phoney Explorer.exe. Best thing to do is run a scan with a good app like Norton or McAfee.

    Here is one example, with removal instructions. You can find several more by going to: http://search.symantec.com/custom/us/query.html and searching on "explorer.exe".

    Sample:

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.eurosol.html

    If you do not have access to NAV, try running their free online scan:

    http://www.symantec.com/avcenter/ (scroll down to the link "Online Virus and Security Check")

    Try these suggestions then let us know.

    Dexter...
  • edited May 2004
    Hi Dexter,

    The file seems to be OK, same size, 176kb, as the original. As a matter of fact, when I double-click on it, it opens another instance of Explorer..?

    I ran those two virus tests on the file, both came out negative...

    Kaspersky Online Virus Scanner

    Current object: Explorer.exe

    Explorer.exe Ok

    Statistics:
    Known viruses: 88317 Updated: 7.05.2004
    File size (Kb): 176 Scan time: 00:00:01
    Speed (Kb/sec): 177 Virus bodies: 0
    Archives: 0 Packed: 0
    Folders: 0 Files: 1
    Suspicious: 0 Warnings: 0

    Online virus check by the latest version of Dr.Web® anti-virus

    The latest virus identities update: 06.05.2004 21:53

    Virus records: 49584
    Explorer.exe - Ok

    Thank you for your time...
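The thread compares the two explorer.exe copies by size (176kb each) and treats a match as reassurance. An added example, not from this thread, of the check a practitioner would prefer: compare the two files by content, with a hash and a size check reported side by side, so that a same-size file that differs in a few bytes still stands out. The two sample files are constructed in a temporary directory; the file names and the placeholder bytes are assumptions for the demo, not real binaries.

```python
"""Compare two copies of a binary by content rather than by size.

Added example, not part of the forum thread. Two files can share a size
and still differ in content, so a size match on its own proves nothing;
a hash (or a bytewise comparison) settles the question.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return its hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_files(path_a, path_b):
    """Return size and content verdicts for two files, plus both digests."""
    size_a, size_b = os.path.getsize(path_a), os.path.getsize(path_b)
    digest_a, digest_b = sha256_of(path_a), sha256_of(path_b)
    return {
        "same_size": size_a == size_b,
        "same_content": digest_a == digest_b,
        "sha256_a": digest_a,
        "sha256_b": digest_b,
    }


def demo():
    """Constructed demo: two same-size files that differ in four bytes."""
    original = b"MZ" + b"\x00" * 1022            # placeholder 'binary' (constructed)
    altered = bytearray(original)
    altered[512:516] = b"diff"                    # same length, different content
    with tempfile.TemporaryDirectory() as workdir:
        # Assumed names standing in for C:\WINDOWS\explorer.exe and C:\explorer.exe.
        path_a = os.path.join(workdir, "explorer_windows.exe")
        path_b = os.path.join(workdir, "explorer_root.exe")
        with open(path_a, "wb") as handle:
            handle.write(original)
        with open(path_b, "wb") as handle:
            handle.write(bytes(altered))
        return compare_files(path_a, path_b)


if __name__ == "__main__":
    verdict = demo()
    print("same size:", verdict["same_size"])        # True
    print("same content:", verdict["same_content"])  # False
```

On the real files, a content match against the copy in the Windows directory would support the "duplicate of the legitimate file" reading; a mismatch would mean the size comparison was misleading and the root copy deserves a closer look.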