Help - explorer.exe restarting continuously

Advertise at AfterDawn.com

Link to us!

Private messages

Compose a private message

List of all updated threads

Threads without replies

Search messages

Thursday 28.11.2024 / 16:57

Search AfterDawn Forums:

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > help - explorer.exe restarting continuously

Browse by topic

Forums

Start a new thread

Help - explorer.exe restarting continuously

Jump to:

Posted

Message

snoop75

Newbie

23. June 2006 @ 23:13

Link to this message

Hi all,

I had the topsecurity.net spyware on my computer and tried cleaning it with ewido. After rebooting my computer the "explorer.exe" process, ie.. the windows shell, keeps restarting itself every 2-3 seconds. Unless someone here can help me try to get rid of any spyware remnants I'm afraid this laptop will have to be reinstalled from the ground up :(

At the moment I'm surviving by killing the explorer.exe process, which stops it from respawning, and running all my applications directly from the task manager.

Below is my HijackThis log. Thanks for any help.

Logfile of HijackThis v1.99.1
Scan saved at 5:12:51 PM, on 24/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\Ati2evxx.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\VRCCfgService.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe
C:\Program Files\RACOM\RACOM Internet Client\WlanIke.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCRoam.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCStatus.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ESOE\ELogSrv.exe
C:\Program Files\ESOE\ESrv.exe
C:\WINNT\system32\hidserv.exe
c:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
C:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
C:\PROGRA~1\NETMAN~1\APPS\NFS\wlpd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\PROT_SRV.EXE
C:\WINNT\system32\pagents.exe
C:\WINNT\system32\PSTARTSR.EXE
c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
C:\WINNT\system32\MSTask.exe
c:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
C:\WINNT\system32\FLRSERV.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ESOE\EDMS\ECIS.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Ati2evxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\PRPCUI.exe
C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Pointsec\P95tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESOE\ELaunch.exe
c:\Program Files\Hewlett-Packard\eWorkplace\eWLaunch.exe
F:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://internal.ericsson.se/page/hub_inside/index.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\PROGRA~1\SYNAPT~1\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\PROGRA~1\SYNAPT~1\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [NetManageImport] "C:\PROGRA~1\NETMAN~1\setup\nmcpdata.exe" I
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 C:\Progra~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\progra~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SmcService] C:\progra~1\sygate\ssa\smc.exe -startgui
O4 - HKLM\..\Run: [VRCNotify] C:\Program Files\RACOM\RACOM Internet Client\VRCNotify.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Protect Tray] "C:\Program Files\Pointsec\P95tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Ericsson Corporate Templates Check.lnk = C:\Program Files\Microsoft Office\Templates\1033\Ericsson Corporate Templates\CheckECorpTemplates.exe
O4 - Global Startup: ESOE 2000 Client Update.lnk = C:\Program Files\ESOE2000ClientUpdate\eMsgBox.exe
O4 - Global Startup: ESOE Control Center.lnk = C:\Program Files\ESOE\ECC.exe
O4 - Global Startup: ESOE2000ClientUpdate2.lnk = C:\Program Files\ESOE2000ClientUpdate\ESOE2000ClientUpdate2.exe
O4 - Global Startup: eWorkplace Control Center.lnk = C:\Program Files\Hewlett-Packard\eWorkplace\ControlCenter.exe
O4 - Global Startup: RVIMsgBox.exe.lnk = C:\Program Files\RACOM\RACOM Internet Client\RVIMsgBox.exe
O4 - Global Startup: Visio Viewer Update Check.lnk = C:\Program Files\Microsoft Office\Visio Viewer\VisioViewer.exe
O4 - Global Startup: VN User Update.lnk = C:\Documents and Settings\anzaesoe\Application Data\NetManage\Data\VN User Update.exe
O4 - Global Startup: WinVNC.lnk = C:\Program Files\ORL\VNC\WinVNC.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: Documentum Content Transfer 5.2.5 SP - https://eridoc.ericsson.se/eridoc/wdk/contentXfer/ContentXfer.cab
O16 - DPF: JavaConnect - http://sametime.ericsson.se/sametime/javaconnect/JavaConnect.cab
O16 - DPF: Sametime BC 651 - http://sametime.ericsson.se/sametime/STBroadCastClient/STBroadCas...
O16 - DPF: Sametime DA 651 - http://sametime.ericsson.se/sametime/STDirectoryApplet/STDirector...
O16 - DPF: Sametime MRC 651 - http://sametime.ericsson.se/sametime/stmeetingroomclient/STMeetin...
O16 - DPF: {1BD86198-EEBA-42AF-B89B-4050DEB5C47A} - http://eaubrnt061.epa.ericsson.se/ecc_install/default.cab
O16 - DPF: {2226ED4E-6E9A-472E-97ED-B6D54F3B620B} (STURLConnection Control) - http://sametime.ericsson.se/sametime/javaconnect/STUrlConLoader.cab
O16 - DPF: {53F92AF2-3C1E-4A63-B2EA-2E33DA6286B7} (STAutoAway Control) - http://sametime.ericsson.se/sametime/javaconnect/STAutoAwayLoader.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://sametime.ericsson.se/sametime/STMeetingRoomClient/STJNILoa...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = eapac.ericsson.se
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = eapac.ericsson.se
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = eapac.ericsson.se
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINNT\system32\btxppanel.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: cfgmngr32 - C:\WINNT\g278772623.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - E:\Program Files\Visual Studio\Common7\Packages\Debugger\dbgproxy.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ESOE Client Inventory Service (ECIS) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\EDMS\ECIS.exe
O23 - Service: ESOE Log Service (ELogSrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ELogSrv.exe
O23 - Service: ESOE Process Manager (ESrv) - Hewlett-Packard Sverige AB - C:\Program Files\ESOE\ESrv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: NetManage NFS Client (InterDrive) Helper (InterDrive) - NetManage, Inc. - C:\WINNT\System32\idr3hlpr.exe
O23 - Service: eWorkplace Inventory (Inventory) - Hewlett-Packard Sverige AB - c:\Program Files\Hewlett-Packard\eWorkplace\Inventory.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\em\opt\tivoli\lcf\bin\w32-ix86\mrt\lcfd.exe
O23 - Service: eWorkplace Log (LogSvc) - TODO: <Company name> - C:\Program Files\Hewlett-Packard\eWorkplace\LogSvc.exe
O23 - Service: NetManage LPD Service (LPD Server) - NetManage, Inc. - C:\PROGRA~1\NETMAN~1\APPS\NFS\wlpd.exe
O23 - Service: NetManage FTP Server - NetManage, Inc. - C:\Program Files\NETMAN~1\apps\ftpd\ftpd.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Pointsec - Unknown owner - C:\WINNT\system32\PROT_SRV.EXE
O23 - Service: Pointsec update agent (Pointsec_agent) - Unknown owner - C:\WINNT\system32\pagents.exe
O23 - Service: Pointsec service start (Pointsec_start) - Unknown owner - C:\WINNT\system32\PSTARTSR.EXE
O23 - Service: SAVRoam - symantec - c:\PROGRA~1\SYMANT~1\SYMANT~1\SavRoam.exe
O23 - Service: eWorkplace Scheduler (Scheduler) - Hewlett-Packard Sverige AB - c:\Program Files\Hewlett-Packard\eWorkplace\Scheduler.exe
O23 - Service: Shared Folders Server (SFOLDER) - NetManage. - C:\WINNT\system32\FLRSERV.EXE
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\progra~1\sygate\ssa\smc.exe
O23 - Service: Ericsson Access Client Configuration Support (VRCCfgService) - Ericsson Enterprise AB - C:\WINNT\system32\VRCCfgService.exe
O23 - Service: Ericsson Access Client (VRCService) - Ericsson Enterprise AB - C:\Program Files\RACOM\RACOM Internet Client\VRCService.exe

[ + quote]

This message has been edited since posting. Last time this message was edited on 23. June 2006 @ 23:24

snoop75

Newbie

23. June 2006 @ 23:25

Link to this message

And here is also my SmitFraud log:

SmitFraudFix v2.62

Scan done at 17:21:30.35, Sat 24/06/2006
Run from F:\temp\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\eeaklan\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\eeaklan\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

[HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32]
@="C:\WINNT\g278772623.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32]
@="C:\WINNT\g278772623.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

[ + quote]

snoop75

Newbie

26. June 2006 @ 01:31

Link to this message

ok... fixed. Had to remove a piece of spyware using the MoveOnBoot utility. After that... no more explorer restarts.

[ + quote]

Easie

Newbie

4. July 2006 @ 06:59

Link to this message

what did you have to delete i got the same problem

[ + quote]

Start a new thread

afterdawn.com > forums > software, operating systems and more > windows - virus and spyware problems > help - explorer.exe restarting continuously


		User name	Password

		Not registered yet? Register here. Lost your password? Click here.