Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
 
Topic Tools
  #1  
Old July 10th, 2005, 09:04 PM
billymardle billymardle is offline
New Member
 
Join Date: Jul 2005
Posts: 5
Unhappy windows explorer problems

For ages now everytime i use windows explorer i get this "windows explorer has encountered a problem and needs to close".

Error Signature:
AppName: explore.exe
AppVer: 6.0.2900.2180
Mod Name: msvcrt.dll
ModVer: 7.0.2600.2180
Offset: 00037fd4

Please help if you can
Reply With Quote
  #2  
Old July 11th, 2005, 06:33 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Welcome to CTH billymardle.

Quote:
AppName: explore.exe
Is explore.exe a typo?
Reply With Quote
  #3  
Old July 11th, 2005, 08:32 PM
billymardle billymardle is offline
New Member
 
Join Date: Jul 2005
Posts: 5
yeh soz explorer.exe
Reply With Quote
  #4  
Old July 11th, 2005, 08:45 PM
billymardle billymardle is offline
New Member
 
Join Date: Jul 2005
Posts: 5
so do you know how to slove my problem?
Reply With Quote
  #5  
Old July 12th, 2005, 06:49 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
You may have a corrupted profile. Try creating a new profile and see if you still get an error. If not, you can copy your files across. See here
Reply With Quote
  #6  
Old July 12th, 2005, 07:39 PM
billymardle billymardle is offline
New Member
 
Join Date: Jul 2005
Posts: 5
Thumbs down

i tried that but i still got the error message
Reply With Quote
  #7  
Old July 13th, 2005, 05:38 AM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Can you boot to your Desktop? If so, lets see what is running on your PC. Go here and download the latest version of Hijack This. Unzip it and click on scan. Most of the files listed will be harmless and/or required so do not make any changes, just click on Save Log, copy it and post it back in this thread.
Reply With Quote
  #8  
Old July 13th, 2005, 01:16 PM
billymardle billymardle is offline
New Member
 
Join Date: Jul 2005
Posts: 5
i done what you said and got this

Logfile of HijackThis v1.99.1
Scan saved at 13:15:04, on 13/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euljdcpounsxxkanqumhcr.or...7Kap1zwVd5.jpg
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.llkotggooxujqasthiz.uk/pp...UtKvgdDKR8.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/8SE/1?http://toolba...CM=MsgrInstall
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0. dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {B1B61E18-DAD6-243B-F3D2-1773D3E31F15} - C:\DOCUME~1\WILLIA~1\APPLIC~1\STOPGR~1\corn settings.exe (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O2 - BHO: McAfee Privacy Service - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O2 - BHO: (no name) - {EA75EBBE-4708-2063-A5EB-0C95173687D9} - C:\DOCUME~1\WILLIA~1\APPLIC~1\STOPGR~1\corn settings.exe (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_17_0. dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-gb\msntb.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [Bash pure less start] C:\Documents and Settings\All Users\Application Data\ItchThunkBashPure\download web.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [spamanti] C:\DOCUME~1\WILLIA~1\APPLIC~1\16LITE~1\Axis new.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Privacy Bar - {cc4b2ee5-4803-11d7-8a38-00b0d0c6b814} - C:\Program Files\McAfee\McAfee Privacy Service\GDIEHELP.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.co.uk
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...271ab95b94951b
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/z...ylomloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0586AA3F-25EC-4DD0-854A-4FA8F82331CD}: NameServer = 194.72.9.44 194.74.65.86
O17 - HKLM\System\CS1\Services\Tcpip\..\{0586AA3F-25EC-4DD0-854A-4FA8F82331CD}: NameServer = 194.72.9.44 194.74.65.86
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Privacy Service (GuardDogEXE) - Unknown owner - C:\Program Files\McAfee\McAfee Privacy Service\GUARDDOG.EXE" /SERVICE (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe


is that wat u wanted me to copy?
Reply With Quote
  #9  
Old July 13th, 2005, 10:14 PM
AnnMarie's Avatar
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Yes, you have a bunch of nasties onboard.

Firstly, go to Start > Run and type services.msc and OK. Look for the below service:

ZESOFT - C:\WINDOWS\zeta.exe

When you find it, stop it if it is running, doubleclick on it and change the startup type to disabled.

Next, go to Add/Remove Programs in Control Panel and uninstall BullsEye Network and Window Search (if present). You will be given a security code to insert, do so and reboot when done.

If Window Search is not there, run the below uninstallers (ignore your AV if it squawks).

http://lop.com/new_uninstall.exe
http://lop.com/toolbar_uninstall.exe

Reboot afterwards and then download Killbox from here, unzip it and have it ready to use. .

Boot into Safe Mode (restart your PC and tap F8 as it restarts)and run Hijack This again. Check the below entries and click on Fix Checked (if all are still present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.euljdcpounsxxkanqumhcr.o...o7Kap1zwVd5.jpg

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.llkotggooxujqasthiz.uk/p...5UtKvgdDKR8.htm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/...arch.yahoo.com/

O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {B1B61E18-DAD6-243B-F3D2-1773D3E31F15} - C:\DOCUME~1\WILLIA~1\APPLIC~1\STOPGR~1\corn settings.exe (file missing)

O2 - BHO: (no name) - {EA75EBBE-4708-2063-A5EB-0C95173687D9} - C:\DOCUME~1\WILLIA~1\APPLIC~1\STOPGR~1\corn settings.exe (file missing)

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [Bash pure less start] C:\Documents and Settings\All Users\Application Data\ItchThunkBashPure\download web.exe

O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe

O4 - HKCU\..\Run: [spamanti] C:\DOCUME~1\WILLIA~1\APPLIC~1\16LITE~1\Axis new.exe

O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...71 ab95b94951b

O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe

Still in Safe Mode, run Killbox now. Copy and paste the full file path of the below files in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, click "Yes". Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

C:\Documents and Settings\All Users\Application Data\ItchThunkBashPure
C:\Program Files\BullsEye Network
C:\DOCUME~1\WILLIA~1\APPLIC~1\16LITE~1
C:\WINDOWS\zeta.exe

When you have rebooted, disable your antivirus program and go here and run an online scan with BitDefender. When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. Post back and let us know what it found (post the log).

Run Hijack This again and post a new log (if any viruses are detected and removed, reboot first)

Transferring to the Cyber Safety Forum.
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
Windows Explorer problems SJoseph Windows XP 0 July 2nd, 2008 12:39 AM
windows explorer, Internet explorer problems :( earthlydelites Windows XP 11 January 25th, 2007 04:40 AM
Windows explorer problems r.mccullough Malware Removal 1 December 6th, 2004 08:33 PM
Windows explorer problems Seeker Windows 98 1 May 12th, 2003 03:07 AM
Windows 98 Explorer Problems rooster44uk Windows 98 0 December 27th, 2002 04:28 PM


All times are GMT +1. The time now is 12:15 AM.