Persistent explorer.exe error after malware disinfection
Hello,
My computer has been infected by some malware and spyware that hijacked my desktop (possibly Trojan-Spy.HTML.Smitfraud.c) I have successfully removed them using Spybot + AdAware + Pandasoft Activescan, having everything except my Windows explorer working well.
I followed the steps shown at http://www.short-media.com/forum/showthread.php/?t=32218. There was no VirtualMaid, Serach Maid nor Security Guard, but I found (and removed) some of the bad files mentioned such as ole32.vbs and the entries detected by the anti-spyware softs.
Every time windows starts I receive the message "explorer.exe has generated errors and will be closed by Windows" (actually the message is the equivallent in Portuguese language), so even if I choose not to send Microsoft a report, it restarts Windows Explorer but pops again after about 10 seconds, and this happens in an infinite loop. This happens even if start in Safe Mode, so I suppose that's something wrong with explorer.exe, not with a virus.
Here is my Hijackthis log. I hope you can help me. Best regards from Brazil!
Logfile of HijackThis v1.99.1
Scan saved at 00:53:29, on 8/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Sissi Araujo\Desktop\antivirus\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Criar Favorito móvel - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Arquivos de programas\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Arquivos de programas\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Arquivos de programas\Microsoft ActiveSync\inetrepl.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\q7061218_disk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
igor abreu
Salvador -Bahia - Brazil
My computer has been infected by some malware and spyware that hijacked my desktop (possibly Trojan-Spy.HTML.Smitfraud.c) I have successfully removed them using Spybot + AdAware + Pandasoft Activescan, having everything except my Windows explorer working well.
I followed the steps shown at http://www.short-media.com/forum/showthread.php/?t=32218. There was no VirtualMaid, Serach Maid nor Security Guard, but I found (and removed) some of the bad files mentioned such as ole32.vbs and the entries detected by the anti-spyware softs.
Every time windows starts I receive the message "explorer.exe has generated errors and will be closed by Windows" (actually the message is the equivallent in Portuguese language), so even if I choose not to send Microsoft a report, it restarts Windows Explorer but pops again after about 10 seconds, and this happens in an infinite loop. This happens even if start in Safe Mode, so I suppose that's something wrong with explorer.exe, not with a virus.
Here is my Hijackthis log. I hope you can help me. Best regards from Brazil!
Logfile of HijackThis v1.99.1
Scan saved at 00:53:29, on 8/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Sissi Araujo\Desktop\antivirus\hijackthis_199\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Criar Favorito móvel - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Arquivos de programas\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Arquivos de programas\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Arquivos de programas\Microsoft ActiveSync\inetrepl.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\q7061218_disk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
igor abreu
Salvador -Bahia - Brazil
0
This discussion has been closed.
Comments
Open my computer>click tools>click folder options>
click view tab>check show hidden files>uncheck hide file extensions>click apply>click OK>exit
Please post a new log.
Hello, thanks for you reply, but I'm sure it was already done. Anyway, I've run HJT again and got a kind of different log. Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 08:27:16, on 10/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Java\j2re1.4.2_07\bin\jusched.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Microsoft ActiveSync\WCESCOMM.EXE
C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe
C:\Arquivos de programas\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\hjt\HijackThis.exe
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Arquivos de programas\Arquivos comuns\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Arquivos de programas\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Arquivos de programas\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Arquivos de programas\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\arquivos de programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Criar Favorito móvel - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Arquivos de programas\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Arquivos de programas\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Arquivos de programas\Microsoft ActiveSync\inetrepl.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120797267203
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0458DC2-0AB0-4477-B2B8-650BB96EF773}: NameServer = 200.149.55.150 200.149.55.140
O20 - Winlogon Notify: style2 - C:\WINDOWS\q7061218_disk.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
I don't see anything in your log that suggests you have anymore infection.
Please reboot and post a new log.
Thank you, everything is OK now!
Yes, although it seemed there was nothing wrong, the error message didn't disappear.
So I decided to perform a new FULL system scan, with (in this order):
Spybot, Microsoft Antispyware, AdAware, AVG, PandaSoftware ActiveScan.
I have an old hard disc that used to be my main one few time ago which I was using only for backups. AdAware and Panda found some viruses and spyware in this disk.
So I think my major mistake was to SKIP this drive when performing the scan (because I don't use it anymore). After cleaning this disk suddenly the error message went away and my system is OK now.
Shadow2018, thank you very much for your replies and I apologize for this mistake that made you spend some of your precious time.
The lesson I learned is "be patient and don't skip ANYTHING when scanning your system".
(I think this thread can be closed now.)
Best regards from Brazil
igor abreu