TheTechGuide Forum
General Category => Tech Clinic => Topic started by: eXclusive on June 23, 2008, 12:25:08 PM
-
Okay, I played RuneScape and after some time my computer crashed,
so like always I just shut off my computer by holding the on/off button for 7 seconds and turned it back on.
But now explorer.exe has vanished from Task Manager (I don't have the Start menu).
Even if I try to open it as a new task, I see the program running for a second and then it disappears.
I know you, guestello, mostly fight spyware, but maybe you could help me out here.
(My grammar is terrible because I'm Dutch, but I can read fine.)
Here's my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:29:26, on 23-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TWVubmVu\command.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeffrey Mennen\Bureaublad\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.legacygamers.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [{14-4D-D1-1B-DW}] C:\windows\system32\jnwnw64l.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qcntokdm.exe DWram
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Jeffrey Mennen\Application Data\Deskbar_{5814E6D7-D9CE-49da-8402-48DC1FCA51FA}\starter.exe
O4 - HKLM\..\Run: [CmUsbAudio] RunDll32 cmcnfg2.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MutlimediaKbdDriver] C:\Program Files\Multimedia Keyboard Driver\M-KbdDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [{0a0e24db-7645-e43b-4c99-635abbc6fead}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{145a3735-9b3d-380e-cf6c-eb6b2d80a7c2}.dll" DllStart
O4 - HKLM\..\Run: [a0214db4] rundll32.exe "C:\WINDOWS\system32\fntsxbjr.dll",b
O4 - HKLM\..\Run: [BMa3127e28] Rundll32.exe "C:\WINDOWS\system32\kseuajvp.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nnts] "C:\DOCUME~1\JEFFRE~1\MIJNDO~1\ICROSO~1.NET\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [Ngql] "C:\Program Files\Common Files\??stem32\?hkntfs.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntokdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jnwnw64l.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212511711984
O20 - AppInit_DLLs: lfrnaitc.dll vrhbuwuk.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWVubmVu\command.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 4833 bytes
-
I only have limited time on the Internet, as I'm away from home now,
but can you do the following:
Download this file - ComboFix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Save it ONLY to your desktop.
After that, reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
In Safe Mode:
Double-click on ComboFix.exe to run the program.
Follow the prompts.
Normally this will take from 10 to 30 minutes to run.
ComboFix may reboot your computer; allow it to boot to normal Windows if it does.
ComboFix will run again, then continue to create a log; this can take a few minutes.
Let it run uninterrupted please.
I'll need to see this log later.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
By default, the ComboFix log is located at this location:
C:\combofix.txt
Post the log from ComboFix
and a fresh HijackThis log.
-
Are you on Vista?
I have the same problem, but I'm pretty sure it isn't a virus, just stress on explorer.exe.
Try opening Task Manager:
Ctrl+Alt+Del on XP
Ctrl+Alt+Esc on Vista
and select File >> New Task >> "explorer.exe".
It should restart and work fine.
-
[quote name='MadHatter' post='433537' date='Jun 26 2008, 01:45 PM']Are you on Vista?
I have the same problem, but I'm pretty sure it isn't a virus, just stress on explorer.exe.
Try opening Task Manager:
Ctrl+Alt+Del on XP
Ctrl+Alt+Esc on Vista
and select File >> New Task >> "explorer.exe".
It should restart and work fine.[/quote]
That doesn't work either, and I'm using Windows XP.
Sorry I didn't reply for a long time, since I was using my laptop instead.
I'm at school now, but when I come home I will do what questello told me.
Thx!
-
WOOT, explorer is back!
But before I do anything I think I'll post the logs first.
Here's the ComboFix log:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\ijji\\ENGLISH\\u_gunz.exe"=
"C:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\java.exe"=
R3 cmuda2;C-Media USB Audio Interface;C:\WINDOWS\system32\drivers\cmuda2.sys [2004-01-06 09:21]
S3 FXDrv32;FXDrv32;F:\FXDrv32.sys []
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 17:35:42
Windows 5.1.2600 Service Pack 2 NTFS
scanning for hidden processes ...
scanning for hidden autostart entries ...
scanning for hidden files ...
C:\WINDOWS\system32\rjbxstnf.ini 1712990 bytes
C:\WINDOWS\system32\wuapi.dll.mui 30040 bytes executable
C:\WINDOWS\system32\rwwnw64d.exe 49188 bytes executable
C:\WINDOWS\system32\msnav32.ax 93 bytes
scan completed successfully
hidden files: 4
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-30 17:36:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 15:36:55
Pre-Run: 15,115,128,832 bytes available
Post-Run: 15,187,709,952 bytes available
481
And the Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40:38, on 30-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Multimedia Keyboard Driver\M-KbdDrv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeffrey Mennen\Bureaublad\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.legacygamers.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {1BD4AC1C-572A-412D-9078-AEB236C71EEC} - C:\WINDOWS\system32\ddcBTMdB.dll (file missing)
O2 - BHO: (no name) - {3CADF366-6DA6-4386-9FD5-EBB0FDF95B1E} - C:\WINDOWS\system32\ddcDvTkH.dll (file missing)
O2 - BHO: mysidesearch search enhancer - {4b77efe6-4b3b-8283-1655-23b88d764aa1} - C:\WINDOWS\system32\zyrliqussxkyfkty.dll
O2 - BHO: (no name) - {4D4467E9-C176-4962-8F36-090EB6909026} - C:\WINDOWS\system32\iifecbXP.dll (file missing)
O2 - BHO: (no name) - {4F966DA3-A368-4111-A4DB-E59B4DA6FB55} - C:\WINDOWS\system32\tuvWqNDV.dll (file missing)
O2 - BHO: (no name) - {517E6CDD-33AE-41B6-9FFA-37B11430CDC4} - C:\WINDOWS\system32\byXPigEX.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7CA4920E-0D46-4672-96CB-B8470D2FDABF} - C:\WINDOWS\system32\xxywUMFW.dll (file missing)
O2 - BHO: (no name) - {7DB91C87-E6BA-4B39-8C08-BF95A99E0302} - C:\WINDOWS\system32\jkkJyAQG.dll (file missing)
O2 - BHO: (no name) - {8205EF4D-3D65-4CAA-A346-AE14FC9D801A} - C:\WINDOWS\system32\rqRiJAPJ.dll (file missing)
O2 - BHO: {8809f229-efc0-2d9a-38c4-9db35e88bd4a} - {a4db88e5-3bd9-4c83-a9d2-0cfe922f9088} - C:\WINDOWS\system32\vrhbuwuk.dll
O2 - BHO: (no name) - {A531FD18-9BCB-4BDF-8E7F-0EF16EDED66D} - C:\WINDOWS\system32\fccbAPhG.dll (file missing)
O2 - BHO: (no name) - {AACEB173-C677-45CD-8E98-9C35BF7D313B} - C:\WINDOWS\system32\jkkIYpmj.dll (file missing)
O2 - BHO: gooochi browser optimizer - {b107af60-b6d0-019f-a16e-c558b2a772f0} - C:\WINDOWS\system32\{145a3735-9b3d-380e-cf6c-eb6b2d80a7c2}.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [{14-4D-D1-1B-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [CmUsbAudio] RunDll32 cmcnfg2.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MutlimediaKbdDriver] C:\Program Files\Multimedia Keyboard Driver\M-KbdDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [{0a0e24db-7645-e43b-4c99-635abbc6fead}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{145a3735-9b3d-380e-cf6c-eb6b2d80a7c2}.dll" DllStart
O4 - HKLM\..\Run: [a0214db4] rundll32.exe "C:\WINDOWS\system32\fntsxbjr.dll",b
O4 - HKLM\..\Run: [BMa3127e28] Rundll32.exe "C:\WINDOWS\system32\kseuajvp.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nnts] "C:\DOCUME~1\JEFFRE~1\MIJNDO~1\ICROSO~1.NET\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [Ngql] "C:\Program Files\Common Files\??stem32\?hkntfs.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntokdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1212511711984
O20 - AppInit_DLLs: lfrnaitc.dll,vrhbuwuk.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
--
End of file - 6791 bytes