 TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
Re: without explorere.exe

Hi yazdzik
I suggest printing out each set of instructions and reading the entire post before proceeding. It will make following them easier. Please follow the directions in the order listed.
Several of the items you need to remove are backdoor applications that can allow attackers to access your computer, stealing passwords and personal data. I highly recommend that from a clean, uninfected system you immediately change all the passwords on any systems you access from this system. If you do any on-line banking, or store any financial information on this system, you should immediately call your financial institution and advise them of the situation so you can secure your accounts.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. If it were on my PC I would not hesitate for a moment to do so. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.
If you want to try to disinfect the system:
I'm not sure what won't run when you say explorer.exe won't run: if you mean Windows Explorer won't run and you can't open My Computer, or if you also can't even go to the program menus, such as Start > Programs > Accessories > Notepad, for instance.
Why are you trying to clean the system remotely? Can your son not access the Internet with Internet Explorer or Firefox (or another browser if installed)? It will be much easier for him to do this than for you to try to do it remotely, particularly since he will have to be in Safe mode at some points.
If he can't access the Internet at all, the best thing to do would be for him to have someone with a working system print out this topic for him, and download the needed files and burn them to CD or DVD for him (don't use a USB/Flash drive, it can spread infection). Since he can't run explorer in normal mode (he may be able to in Safe mode), in normal mode any program will need to be run from either the Run line, or by opening a Command window to type the command (Start > Programs > Accessories > Command Prompt). If he wants to run a program called xyz.exe that's saved to the Desktop, he can run that with the command (either from Run or in a Command window): %desktop%\xyz.exe
If he can't open Windows Explorer to copy the file to the desktop, this will copy the file from the CD drive to the Desktop (the use of D: here assumes that D: is the CD drive letter; if not, you will need to change it):
copy D:\XYZ.exe C:\docume~1\MAXIMI~1\Desktop
To run that file, you would use: C:\docume~1\MAXIMI~1\Desktop\XYZ.exe
When you see MAXIMI~1, that's the short file/folder name for the user profile. The folder name starts with the letters MAXIMI and is followed by some additional characters.
Why has the system never been updated to Windows XP Service Pack 3? Without that, and all security updates since then, the system is unnecessarily vulnerable to numerous exploits. Don't do that now though, as updating an infected system can result in an unrecoverable mess.
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
When everything is done and your log is clean again, you can enable it again. If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it. Please don't forget this step to disable TeaTimer.
Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, the Advanced Options Menu should appear;
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script. If you can't do that, go to Start > Run and type: C:\sdfix\sdfix.exe
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
- Finally paste the contents of the Report.txt back on the forum in your next reply.
Please download Malwarebytes' Anti-Malware from
- Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
Now you need to run HijackThis and click "Do a system scan only." Place a check next to the following entries (if they are still there):
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: C:\WINDOWS\system32\rwhbfb873unjdfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)
O4 - HKLM\..\Run: [OpenSSL] C:\WINDOWS\system32\open_ssl_irc.exe
O4 - HKLM\..\Run: [Windows Update Server] wnupdate.exe
O4 - HKLM\..\Run: [Lsuwid] rundll32.exe "C:\WINDOWS\igerakipejoxi.dll",e
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKLM\..\RunServices: [Windows Configuration Loader] winsyscfg32.exe
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\MAXIMI~1\LOCALS~1\Temp\csrssc.exe
O4 - HKUS\S-1-5-18\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [tezrtsjhfr84iusjfo84f] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: WIKI.DLL
O20 - Winlogon Notify: mamgguqb - mamgguqb.dll (file missing)
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)
O22 - SharedTaskScheduler: hjse7fw3jnefi7wejfndd - {C5AF42A3-94F3-42BD-F634-3604832C897D} - C:\WINDOWS\system32\gseb37dkjgfgf.dll (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
Now close all browser and other windows except for HijackThis, and click "Fix Checked" to have HijackThis fix the entries you checked.
Using Windows Explorer (I expect it will be working by this point), delete the following files if still there:
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\open_ssl_irc.exe
C:\WINDOWS\system32\wnupdate.exe
C:\WINDOWS\igerakipejoxi.dll
C:\WINDOWS\System32\rs32net.exe
C:\WINDOWS\System32\winsyscfg32.exe
C:\Documents and settings\MAXIMI~1\Localsettings\Temp\csrssc.exe
C:\WINDOWS\TEMP\csrssc.exe
C:\WINDOWS\System32\WIKI.DLL
C:\WINDOWS\System32\mamgguqb.dll
C:\WINDOWS\system32\rwhbfb873unjdfdg.dll
C:\WINDOWS\system32\gseb37dkjgfgf.dll
C:\WINDOWS\system32\ext.exe
Please restart your system and post a new HijackThis log, the log from MBAM, and note any errors encountered.
When you post your HijackThis log, if you are using Notepad, please turn off Word Wrap. That is probably what caused all the extra line breaks (the double-spacing) in your log.
-- Proud ASAP member since 2005
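As an added example (not part of TheJoker's post, and not HijackThis or any other tool mentioned in it), the following Python script reads HijackThis-style log lines like the ones listed above and flags the structural indicators the fix list relies on: a second executable appended to UserInit, Run entries launched from a Temp folder or given without a full path, the DisableRegedit policy, a populated AppInit_DLLs value, and a service path pointing into an alternate data stream or a missing binary. The sample log is constructed from entries quoted in the post plus one benign ctfmon.exe Run entry; the section codes, regex and reason strings are the example's own assumptions.

```python
import re

# Constructed sample: entries quoted in the post above, plus one benign
# Run entry (ctfmon.exe) that the triage should leave unflagged.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [Windows Update Server] wnupdate.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\MAXIMI~1\LOCALS~1\Temp\csrssc.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe (file missing)
"""

SECTION_RE = re.compile(r"^([A-Z]\d+) - (.*)$")   # e.g. "O4 - HKLM\..\Run: ..."

def classify(line):
    """Return why a HijackThis line is suspicious, or None if it looks normal."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "F2" and "UserInit=" in body:
        # Every executable listed after userinit.exe is launched at each logon.
        parts = body.split("=", 1)[1].split(",")
        extras = [p for p in parts if p and not p.lower().endswith("userinit.exe")]
        return f"extra UserInit executable(s): {extras}" if extras else None
    if section == "O4":
        target = body.split("] ", 1)[-1]          # text after the [name] label
        if re.search(r"\\temp\\", target, re.I):
            return "autorun launched from a Temp directory"
        if "\\" not in target:
            return "autorun given without a full path"
    if section == "O7" and "DisableRegedit=1" in body:
        return "registry editor disabled by policy"
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return "AppInit_DLLs populated (DLL loaded into every user32 process)"
    if section == "O23":
        if re.search(r"\.exe:\S", body, re.I):
            return "service binary hidden in an alternate data stream"
        if "(file missing)" in body:
            return "service binary missing on disk"
    return None

def triage(log_text):
    """Return [(section, reason, line)] for every flagged line in log_text."""
    lines = [l.strip() for l in log_text.splitlines()]
    return [(l.split(" - ", 1)[0], classify(l), l) for l in lines if classify(l)]
```

Running triage(SAMPLE_LOG) flags six of the seven constructed entries and passes the ctfmon.exe line; entries the heuristics do not cover (such as the O2 and O22 items with their CLSIDs) would still need the manual review the post describes.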