without explorere.exe in Security Cleanup

without explorere.exe in Security Cleanup http://www.dslreports.com/forum/r22507453 en Wed, 02 Dec 2009 20:13:57 EDT Wed, 02 Dec 2009 20:13:57 EDT Re: without explorere.exe http://www.dslreports.com/forum/remark,22593147 TheJoker : Hopefully that got it all then, but the ComboFix log would have been a better view. When you do go there, please let me know in advance so I have an idea when you will be posting.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22593147 Mon, 22 Jun 2009 19:01:57 EDT Re: without explorere.exe http://www.dslreports.com/forum/remark,22583121 yazdzik : Thanks, Joker -

This is a little like giving wireless help in ATU -

Except I know that once the victim is connected, it will work for at least 24 hours. ;)

The worst part is, convincing anyone not to run as privileged user, particularly teens whose every visit to the web is fraught with "do you want to install xyz now?"

Will post hj log next time I visit NY, combo fix was not necessary, I think, since explorer.exe and everything else I tried now work.

I did install the console, though, as I do that on every windows pc I work on.

You are the best.

Regards,
Martin
--
Life is a series of return dates. There is but one final argument, its eloquence determines who we were, and whether who we were had meaning.]]> http://www.dslreports.com/forum/remark,22583121 Sat, 20 Jun 2009 13:34:46 EDT Re: without explorere.exe http://www.dslreports.com/forum/remark,22582411 TheJoker : There is still work to do though.

If you followed the last instructions, there will be a ComboFix log that you need to post, along with a new HijackThis log. There is likely still work to do based on the log, and after that is taken care of, ComboFix will need to be uninstalled.
--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22582411 Sat, 20 Jun 2009 10:09:39 EDT Re: without explorere.exe http://www.dslreports.com/forum/remark,22581674 yazdzik : Dear Joker,

Renaming the files worked, at which point, editing the registry, which is a task I loathe, to point to the explorer.exe where it really is finished the job.

There is no way to say thank you that is not a understatement. Now, if my son learnt his lesson, all will be well.

Superb job of helping the barely literate, and a model of kindness with your patience.

Sincerely,

Martin
--
Life is a series of return dates. There is but one final argument, its eloquence determines who we were, and whether who we were had meaning.]]> http://www.dslreports.com/forum/remark,22581674 Sat, 20 Jun 2009 01:11:43 EDT Re: without explorere.exe http://www.dslreports.com/forum/remark,22510180 TheJoker :

quote:
I have both sdfix and mbam installers on the desktop, can apparently run the executable via task manager yet nothing installs.

Did the MBAM install program run successfully and install the program and it just won't run (is the folder C:\Program Files\Malwarebytes' Anti-Malware there?), or did it not even install?

There was a reason I said:

quote:
don't use a USB/Flash drive, it can spread infection

You need to quarantine that flash drive and not use it in any other computer at the moment, or you risk infecting any system you insert it into.

If MBAM didn't install, rename the installer program to a random name of your choosing and see if it will install. once installed, go to C:\Program Files\Malwarebytes' Anti-Malware and rename mbam.exe to a random name, and see if it will run. If it will, please follow the previous instructions on it's use.

If none of that works, try installing MBAM in Safe mode.

Download Bill Castner's FixPolicies.exe, a self-extracting ZIP archive, to your Desktop from here:
- Double-click FixPolicies.exe.
- Click the "Install" button on the bottom toolbar of the box that will open.
- The program will create a new Folder called FixPolicies.
- Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
- A black box will briefly appear and then close.

Download ComboFix© by sUBs from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Familiarize yourself with ComboFix before running it:
»www.bleepingcomputer.com/combofi···combofix

- Disable your AntiVirus and any AntiSpyware programs you may be running (usually via a right click on the System Tray icon) to prevent them from interfering.

- Double click on ComboFix.exe & follow the prompts.

- As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware. When finished, it will save a log.
Please include the contents of the log at C:\ComboFix.txt in your next reply.

Please post a new HijackThis log, the log from ComboFix (combofix.txt), and note any errors encountered.

--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22510180 Sun, 07 Jun 2009 09:09:01 EDT Re: without explorere.exe http://www.dslreports.com/forum/remark,22508202 yazdzik : For the record,

the hiack this stuff you told me to delete was deleted, but explorer.exe does not load -

this leads me to suspect something else is wrong, though what, I cannot tell.

(I am a coward, run linux with a separate home partition to avoid just this kind of thing ;) )

At any rate, I am thoroughly confused as to why explorer does not run.

Most of all, I cannot see why I can copy the files, running as admin in safe mode, the cli says the programme is executed, but, of course, nothing has been done, i e, no folders, nor files created from mbam or sd.

Many thanks, and more apologies,

Martin
--
Life is a series of return dates. There is but one final argument, its eloquence determines who we were, and whether who we were had meaning.

HT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:21:35 PM, on 6/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080320
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.1\THGuard.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
O4 - HKUS\S-1-5-21-4281090102-2936424967-3577067745-501\..\Run: [DellAutomatedPCTuneUp] "C:\Program Files\DellAutomatedPCTuneUp\PTAgnt.exe" /startup (User 'Guest')
O4 - HKUS\S-1-5-21-4281090102-2936424967-3577067745-501\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Guest')
O4 - HKUS\S-1-5-21-4281090102-2936424967-3577067745-501\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler (User 'Guest')
O4 - HKUS\S-1-5-21-4281090102-2936424967-3577067745-501\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Guest')
O4 - HKUS\S-1-5-21-4281090102-2936424967-3577067745-501\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime (User 'Guest')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - »lads.myspace.com/upload/MySpaceU···1006.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

--
End of file - 8944 bytes]]> http://www.dslreports.com/forum/remark,22508202 Sat, 06 Jun 2009 18:21:07 EDT Re: without explorere.exe http://www.dslreports.com/forum/remark,22507982 yazdzik : I nevre maek typso -

_

Now seriously, I tried running mbam from the desktop a while back, and nothing happens, to wit, nothing.

Likewise, I just added sdfix to the desktop via copy and paste from a flash drive and nothing. task manager says the process is running. Do they depend upon explorer for their interface?

Thus, right at the moment, I have both sdfix and mbam installers on the desktop, can apparently run the executable via task manager yet nothing installs.

trojan hunter, for instance, installed and ran, as did ccleaner, and, of course, hijack this, which has always been on his pc.

I am become more curious as to why the programmes do not run, or if they do they are not seen, via an interface, to be running.

Sorry for this mess.

Peace,

Martin
--
Life is a series of return dates. There is but one final argument, its eloquence determines who we were, and whether who we were had meaning.]]> http://www.dslreports.com/forum/remark,22507982 Sat, 06 Jun 2009 17:19:59 EDT Re: without explorere.exe http://www.dslreports.com/forum/remark,22507880 TheJoker : Hi yazdzik

I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.

Several of the items you need to remove are backdoor applications that can allow attackers to access your computer, stealing passwords and personal data. I highly recommend that from a clean, uninfected system you immediately change all the passwords on any systems you access from this system. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you want to try to disinfect the system:

I'm not sure what won't run when you say explorer.exe won't run, if you mean Windows Explorer won't run, and you can't open My Computer, or you also can't even go to the program menu's, such as Start > Programs > Accessories > Notepad, for instance.

Why are you trying to clean the system remotely? Can your son not access the Internet with Internet Explorer or Firefox (or another browser if installed)? It will be much easier for him to do this than for you to try to do it remotely, particularly since he will have to be in Safe mdoe at some points.

If he can't access the Internet at all, the best thing to do would be for him to have someone with a working system print out this topic for him, and download the needed files and burn them to CD or DVD for him (don't use a USB/Flash drive, it can spread infection). Since he can't run explorer in normal mode (he may be able to in Safe mode), in normal mode any program will need to be run from either the Run line, or by opening a Command window to type the command (Start > Programs > Access ories > Command Prompt. If he wants to run a program called xyz.exe that's saved to the Desktop, he can run that wil the command (either from Run or in a Command window):
%desktop%\xyz.exe

If he can't open Windows Explorer to copy the file to the desktop, this will copy the file from CD drive to the Desktop (the use of D: here assumes the D: is the CD drive letter, if not you will need to change it.

copy D:\XYZ.exe C:\docume~1\MAXIMI~1\Desktop

To run that file, you would use:
C:\docume~1\MAXIMI~1\Desktop\XYZ.exe

When you see MAXIMI~1, that's the short file/folder name for the user profile. The folder name starts with the letters MAXIMI and is followed by some additional characters.

Why has the system never been updated to Windows XP Service Pack 3? Without that, and all security updates since then, the system is unnecessarily vulnerable to numerous exploits. Don't do that now though, as updating an infected system can result in an unrecoverable mess.

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwords that some changes were made, allow this instead of blocking it.
Please don't forget this step to disable teatimer.

Download SDFix and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
If you can't do that, go to Start > Run and type:
C:\sdfix\sdfix.exe
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum in your next reply.

Please download Malwarebytes' Anti-Malware from

Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\rwhbfb873unjdfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)
O4 - HKLM\..\Run: [OpenSSL] C:\WINDOWS\system32\open_ssl_irc.exe
O4 - HKLM\..\Run: [Windows Update Server] wnupdate.exe
O4 - HKLM\..\Run: [Lsuwid] rundll32.exe "C:\WINDOWS\igerakipejoxi.dll",e
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKLM\..\RunServices: [Windows Configuration Loader] winsyscfg32.exe
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\MAXIMI~1\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: mamgguqb - mamgguqb.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)
O22 - SharedTaskScheduler: hjse7fw3jnefi7wejfndd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\gseb37dkjgfgf.dll (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)

Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.

Using Windows Exporer (I expect it will be working by this point), delete the following files if still there:
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\open_ssl_irc.exe
C:\WINDOWS\system32\wnupdate.exe
C:\WINDOWS\igerakipejoxi.dll
C:\WINDOWS\System32\rs32net.exe
C:\WINDOWS\System32\winsyscfg32.exe
C:\Documents and settings\MAXIMI~1\Localsettings\Temp\csrssc.exe
C:\WINDOWS\TEMP\csrssc.exe
C:\WINDOWS\System32\WIKI.DLL
C:\WINDOWS\System32\mamgguqb.dll
C:\WINDOWS\system32\rwhbfb873unjdfdg.dll
C:\WINDOWS\system32\gseb37dkjgfgf.dll
C:\WINDOWS\system32\ext.exe

Please restart your system and post a new HijackThis log, the log from MBAM, and note any errors encountered.

When you post your HijackThis log, if you are using Notepad, please turn off Word Wrap. That is probably what caused all the extra line breaks (the double-spacing) in your log.

--
Proud ASAP member since 2005]]> http://www.dslreports.com/forum/remark,22507880 Sat, 06 Jun 2009 16:43:29 EDT without explorere.exe http://www.dslreports.com/forum/remark,22507453 yazdzik : Dear Friends in Security,

Sadly, my son, now living 130 miles away, asked me "why is my computer....?"

Since, although explorer.exe is present, but will not run, all I could do is run avg from the task thing, and get this hijack this log.

Admittedly, I have not run a windows box for, well, a long time, so please forgive my ignorance.

Inline log is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:58:59 PM, on 6/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Dell Network Assistant\hnm_svc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Dell Support Center\bin\sprtsvc.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=2080320

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = »go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = »go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = »go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = »go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = »partnerpage.google.com/smallbiz.···=2080320

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Winamp Search Class - {57BCA5FA-5DBB-45a2-B558-1755C3F6253B} - C:\Program Files\Winamp Toolbar\winamptb.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: C:\WINDOWS\system32\rwhbfb873unjdfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"

O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"

O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe

O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"

O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKLM\..\Run: [OpenSSL] C:\WINDOWS\system32\open_ssl_irc.exe

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Windows Update Server] wnupdate.exe

O4 - HKLM\..\Run: [Lsuwid] rundll32.exe "C:\WINDOWS\igerakipejoxi.dll",e

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\RunServices: [Windows Configuration Loader] winsyscfg32.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter

O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe

O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\MAXIMI~1\LOCALS~1\Temp\csrssc.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe

O4 - HKUS\S-1-5-18\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - »lads.myspace.com/upload/MySpaceU···1006.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: WIKI.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O20 - Winlogon Notify: mamgguqb - mamgguqb.dll (file missing)

O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)

O22 - SharedTaskScheduler: hjse7fw3jnefi7wejfndd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\gseb37dkjgfgf.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: DellAMBrokerService - Unknown owner - C:\Program Files\DellAutomatedPCTuneUp\brkrsvc.exe

O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)

O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe

O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe

O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

--

End of file - 10502 bytes

Obviously, I am lost in the process, as the things which require ie, thus any of the things like panda, cannot be run. Plus, without explorer.exe, I cannot get him able to unlock his network manager to allow me to view his files sach as the avg log.

I full well understand if there is no help available under the circumstances.

Very best wishes,

martin yazdzik
--
Life is a series of return dates. There is but one final argument, its eloquence determines who we were, and whether who we were had meaning.]]> http://www.dslreports.com/forum/remark,22507453 Sat, 06 Jun 2009 14:27:54 EDT