Author Topic: explorer.exe vanished, HELP!  (Read 636 times)

Offline eXclusive

« on: June 23, 2008, 12:25:08 PM »
Okay, I played RuneScape and after some time my computer crashed.
So like always I just shut off my computer by holding my on/off button for 7 seconds and turned it on.
But now my explorer.exe has vanished from Task Manager (I don't have the Start menu).
Even if I try to open a new task, I see the program running for a second and then it disappears.
I know you, guestolo, fight mostly against spyware, but maybe you could help me out here.

(My grammar is terrible because I'm Dutch, but I can read fine.)
Here's my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:29:26, on 23-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TWVubmVu\command.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jeffrey Mennen\Bureaublad\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.legacygamers.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [{14-4D-D1-1B-DW}] C:\windows\system32\jnwnw64l.exe DWram
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qcntokdm.exe DWram
O4 - HKLM\..\Run: [dbar_starter] C:\Documents and Settings\Jeffrey Mennen\Application Data\Deskbar_{5814E6D7-D9CE-49da-8402-48DC1FCA51FA}\starter.exe
O4 - HKLM\..\Run: [CmUsbAudio] RunDll32 cmcnfg2.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MutlimediaKbdDriver] C:\Program Files\Multimedia Keyboard Driver\M-KbdDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [{0a0e24db-7645-e43b-4c99-635abbc6fead}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{145a3735-9b3d-380e-cf6c-eb6b2d80a7c2}.dll" DllStart
O4 - HKLM\..\Run: [a0214db4] rundll32.exe "C:\WINDOWS\system32\fntsxbjr.dll",b
O4 - HKLM\..\Run: [BMa3127e28] Rundll32.exe "C:\WINDOWS\system32\kseuajvp.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nnts] "C:\DOCUME~1\JEFFRE~1\MIJNDO~1\ICROSO~1.NET\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [WinUpdater] "C:\Program Files\winvi\update.exe" /background
O4 - HKCU\..\Run: [WebSUpdater] "C:\Program Files\winvi\wupda.exe" /background
O4 - HKCU\..\Run: [Ngql] "C:\Program Files\Common Files\??stem32\?hkntfs.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntokdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\jnwnw64l.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212511711984
O20 - AppInit_DLLs: lfrnaitc.dll vrhbuwuk.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWVubmVu\command.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 4833 bytes

Offline guestolo

« Reply #1 on: June 24, 2008, 03:16:54 PM »
I only have limited time on the Internet, as I'm away from home now.
But can you do the following:

Download this file - Combofix.exe
Save it ONLY to your desktop

After that
Reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

In Safe mode

Double click on ComboFix.exe to run the program

Follow the prompts
Normally this will take from 10 to 30 minutes to run.
ComboFix may reboot your computer; allow it to boot to normal Windows if it does.
ComboFix will run again, then continue to create a log; this can take a few minutes.
Let it run uninterrupted, please.
I'll need to see this log later.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

By default, the ComboFix log is located at:
C:\combofix.txt

Post the log from ComboFix
and a fresh HijackThis log.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline MadHatter

« Reply #2 on: June 26, 2008, 01:45:13 PM »
Are you on Vista?

I have the same problem, but I'm pretty sure it isn't a virus, just stress on explorer.exe.

Try opening Task Manager:

ctrl+alt+del on XP
ctrl + alt + esc on Vista

and select File >> New Task >> "explorer.exe"

It should restart and work fine.

Offline eXclusive

« Reply #3 on: June 30, 2008, 05:09:38 AM »
[quote name='MadHatter' post='433537' date='Jun 26 2008, 01:45 PM']are you on vista?

i have the same problem but im pretty sure it isnt a virus just stress on explorer.exe


try opening task manager

ctrl+alt+del on XP
 ctrl + alt + esc on vista

and select file>>new task>> "explorer.exe"

it should restart and work fine[/quote]

That doesn't work either, and I'm using Windows XP.

Sorry I didn't reply for a long time; I was using my laptop instead.
I'm at school now, but when I come home I will do what guestolo told me.

Thx!

Offline eXclusive

« Reply #4 on: June 30, 2008, 10:28:52 AM »
WOOT, explorer is back!
But before I do something I think I'll post the logs first.

Here's the ComboFix log:

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\ijji\\ENGLISH\\u_gunz.exe"=
"C:\\Soldat\\Soldat.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\WINDOWS\\system32\\java.exe"=

R3 cmuda2;C-Media USB Audio Interface;C:\WINDOWS\system32\drivers\cmuda2.sys [2004-01-06 09:21]
S3 FXDrv32;FXDrv32;F:\FXDrv32.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 17:35:42
Windows 5.1.2600 Service Pack 2 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...


C:\WINDOWS\system32\rjbxstnf.ini 1712990 bytes
C:\WINDOWS\system32\wuapi.dll.mui 30040 bytes executable
C:\WINDOWS\system32\rwwnw64d.exe 49188 bytes executable
C:\WINDOWS\system32\msnav32.ax 93 bytes

Scan succesvol afgerond
verborgen bestanden: 4

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Voltooingstijd: 2008-06-30 17:36:58 - machine was rebooted
ComboFix-quarantined-files.txt  2008-06-30 15:36:55

Pre-Run: 15,115,128,832 bytes beschikbaar
Post-Run: 15,187,709,952 bytes beschikbaar

481


And the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40:38, on 30-6-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Multimedia Keyboard Driver\M-KbdDrv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
c:\windows\system32\rwwnw64d.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeffrey Mennen\Bureaublad\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.legacygamers.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {1BD4AC1C-572A-412D-9078-AEB236C71EEC} - C:\WINDOWS\system32\ddcBTMdB.dll (file missing)
O2 - BHO: (no name) - {3CADF366-6DA6-4386-9FD5-EBB0FDF95B1E} - C:\WINDOWS\system32\ddcDvTkH.dll (file missing)
O2 - BHO: mysidesearch search enhancer - {4b77efe6-4b3b-8283-1655-23b88d764aa1} - C:\WINDOWS\system32\zyrliqussxkyfkty.dll
O2 - BHO: (no name) - {4D4467E9-C176-4962-8F36-090EB6909026} - C:\WINDOWS\system32\iifecbXP.dll (file missing)
O2 - BHO: (no name) - {4F966DA3-A368-4111-A4DB-E59B4DA6FB55} - C:\WINDOWS\system32\tuvWqNDV.dll (file missing)
O2 - BHO: (no name) - {517E6CDD-33AE-41B6-9FFA-37B11430CDC4} - C:\WINDOWS\system32\byXPigEX.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7CA4920E-0D46-4672-96CB-B8470D2FDABF} - C:\WINDOWS\system32\xxywUMFW.dll (file missing)
O2 - BHO: (no name) - {7DB91C87-E6BA-4B39-8C08-BF95A99E0302} - C:\WINDOWS\system32\jkkJyAQG.dll (file missing)
O2 - BHO: (no name) - {8205EF4D-3D65-4CAA-A346-AE14FC9D801A} - C:\WINDOWS\system32\rqRiJAPJ.dll (file missing)
O2 - BHO: {8809f229-efc0-2d9a-38c4-9db35e88bd4a} - {a4db88e5-3bd9-4c83-a9d2-0cfe922f9088} - C:\WINDOWS\system32\vrhbuwuk.dll
O2 - BHO: (no name) - {A531FD18-9BCB-4BDF-8E7F-0EF16EDED66D} - C:\WINDOWS\system32\fccbAPhG.dll (file missing)
O2 - BHO: (no name) - {AACEB173-C677-45CD-8E98-9C35BF7D313B} - C:\WINDOWS\system32\jkkIYpmj.dll (file missing)
O2 - BHO: gooochi browser optimizer - {b107af60-b6d0-019f-a16e-c558b2a772f0} - C:\WINDOWS\system32\{145a3735-9b3d-380e-cf6c-eb6b2d80a7c2}.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [{14-4D-D1-1B-DW}] c:\windows\system32\rwwnw64d.exe DWram
O4 - HKLM\..\Run: [CmUsbAudio] RunDll32 cmcnfg2.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [MutlimediaKbdDriver] C:\Program Files\Multimedia Keyboard Driver\M-KbdDrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [{0a0e24db-7645-e43b-4c99-635abbc6fead}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{145a3735-9b3d-380e-cf6c-eb6b2d80a7c2}.dll" DllStart
O4 - HKLM\..\Run: [a0214db4] rundll32.exe "C:\WINDOWS\system32\fntsxbjr.dll",b
O4 - HKLM\..\Run: [BMa3127e28] Rundll32.exe "C:\WINDOWS\system32\kseuajvp.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Nnts] "C:\DOCUME~1\JEFFRE~1\MIJNDO~1\ICROSO~1.NET\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [Ngql] "C:\Program Files\Common Files\??stem32\?hkntfs.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\qcntokdm.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rwwnw64d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1212511711984
O20 - AppInit_DLLs: lfrnaitc.dll,vrhbuwuk.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6791 bytes