windows explorer crashing and restarting

By kkildmaa
The same subject was posted approximately a year ago, but I couldn't find answers to this problem. Is there any?
I am probably a victim of a trojan which started my Windows Explorer crashing and restarting every 5 or 10 seconds. Suddenly my antivirus program (ESET NOD32) went crazy popping up messages about a few viruses and malware, claiming that the problem was taken care of. But it surely is NOT. I checked Task Manager and Explorer was missing; I put it back manually but it crashed again. I am running XP with SP3 installed. I would appreciate any assistance that may be offered. I am not very good at English or computers so please be patient with me.


All Answers


Malware

by p.j.hutchison In reply to windows explorer crashing ...

First run Hijack This program which will produce a report of all programs that are run at startup and any registry entries and so on.

Then go through each entry and check that that program is valid or post the report here so I can check to see what should be there and what should not.

Once that is done, I can then determine the best program to remove any identified malware.


Logfile

by kkildmaa In reply to Malware

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:44:31, on 10.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\PowerMenu\PowerMenu.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Dynamics CRM\Client\res\Web\bin\Microsoft.Crm.Application.Hoster.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [PowerMenu] C:\Program Files\PowerMenu\PowerMenu.exe -hideself on
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MSCRM] "C:\Program Files\Microsoft Dynamics CRM\Client\ConfigWizard\CrmForOutlookInstaller.exe" /activateaddin
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Microsoft WinUpdate] C:\WINDOWS\system32\msupdte.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSCRMStartup] "C:\Program Files\Microsoft Dynamics CRM\Client\res\Web\bin\Microsoft.Crm.Application.Hoster.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.doc.exe"
O4 - HKCU\..\Run: [Intelinet] C:\Program Files\Intelinet\Intelinet.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: TrioBet Poker - {019BB34E-96AC-4aa7-A5DE-3CC7442D4E38} - C:\Microgaming\Poker\TriobetMPP\MPPoker.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://*.abscrm
O15 - Trusted Zone: http://crm.alna.ee
O15 - Trusted Zone: http://*.alna.ee
O15 - Trusted Zone: http://*.alna.lt
O15 - Trusted Zone: http://crm.persimplex.com
O15 - Trusted Zone: http://*.persimplex.com
O15 - Trusted Zone: http://*.persimplex.ee
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.euro.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05CA9FB0-3E3E-4b36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1139406804265
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/DeskUpdate/isapi/activex.cab
O16 - DPF: {C75BE5CC-7F80-458C-8B66-FAB86E3B13C3} (FotkiUploader Control) - http://images.fotki.com/activex/FotkiUploader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/chuzzle/sis/popcaploader_v10.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mwmuk.webex.com/client/v_mywebex-mwm/mywebex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ee.alna.lt
O17 - HKLM\Software\..\Telephony: DomainName = ee.alna.lt
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ee.alna.lt
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ee.alna.lt
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: IntelinetSecure - Unknown owner - C:\Program Files\Intelinet\intelin2.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\system32\mqsv32.exe (file missing)
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9492 bytes


Malware

by p.j.hutchison In reply to Logfile

It could be this malware:

O23 - Service: IntelinetSecure - Unknown owner - C:\Program Files\Intelinet\intelin2.exe (file missing)

Use http://www.malwarebytes.org/ anti-malware program to clean it up.
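
Added example, not part of the original posts: a small triage script for the O23 (service) section of a HijackThis log, flagging the two markers visible on the entry singled out above, "Unknown owner" and "(file missing)". The function names `parse_o23` and `triage_services` are hypothetical, and the sample lines are excerpted from the log posted in this thread.

```python
import re

# Excerpt of O23 (service) lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: IntelinetSecure - Unknown owner - C:\Program Files\Intelinet\intelin2.exe (file missing)
O23 - Service: Message Queuing Service (MSMQSVC) - Unknown owner - C:\WINDOWS\system32\mqsv32.exe (file missing)
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

O23_RE = re.compile(r"^O23 - Service: (?P<rest>.+)$")
MISSING = " (file missing)"


def parse_o23(line):
    """Return (name, owner, path, file_missing) for an O23 line, else None."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    # Split from the right: a service display name may itself contain " - ".
    parts = m.group("rest").rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith(MISSING)
    if missing:
        path = path[: -len(MISSING)]
    return name, owner, path, missing


def triage_services(log_text):
    """List services worth a manual look, entries with the most markers first."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o23(line)
        if parsed is None:
            continue
        name, owner, path, missing = parsed
        reasons = []
        if missing:
            reasons.append("binary missing from disk")
        if owner == "Unknown owner":
            reasons.append("unknown owner")
        if reasons:
            findings.append((name, path, reasons))
    # sorted() is stable, so log order is kept among entries with equal counts.
    return sorted(findings, key=lambda f: -len(f[2]))


if __name__ == "__main__":
    for name, path, reasons in triage_services(SAMPLE_LOG):
        print(f"{name}: {path} [{'; '.join(reasons)}]")
```

A flagged entry is a prompt for manual checking, not a verdict: the Dell wireless tray service in the same log also shows "Unknown owner".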


Malware

by kkildmaa In reply to Malware

Thank you for your response. I cleaned it up, and it is not shown in the new logfile anymore, but Explorer is still crashing and restarting. What else can I do?


Try new forum

by p.j.hutchison In reply to Malware

There is a good forum here on Security & HJT matters:
http://www.techguy.org/

Maybe they can help more than I can.


See if this is of any help

by Jacky Howe In reply to windows explorer crashing ...

The first step in troubleshooting this issue is to run Internet Explorer in "No Add-ons" mode. Here's how to do it.

Use the Internet Explorer (No Add-ons) mode
To do this, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Internet Explorer (No Add-ons).

If this resolves the issue, follow these steps to isolate the browser add-on that is causing the issue:
1. Click Tools, and then click Internet Options.
2. Click the Programs tab, and then click Manage add-ons.
3. Click an add-on in the Name list, and then click Disable.
4. Repeat step 3 until you identify the add-on that is causing the issue.


This worked for me(solved)

by ParachuteAdams In reply to windows explorer crashing ...

I have had the same problem for 4 months and I could never solve it until yesterday. Windows Explorer crashing and restarting. I ran all of my registry cleaners and spyware cleaners and security scans but nothing would solve it. I tried sfc /scannow and it said I had corrupted files but could not repair them. Check CBS.Log. At that point, I did a reinstall of Vista SP1 Home Premium without losing my existing files. Just take the Vista Op.Sys. SP1 disk that came with the computer and run Setup and follow these directions: http://www.vistax64.com/tutorials/88236-repair-install-vista.html
Now that will take 2 or so hours and it still did not solve the problem. Be sure to run cleanup on your hard drive when finished, and delete the files from the upgrade install you just did, and choose the top choice "Recommended Settings" choice after the upgrade install (it gives you 3 choices, choose the top, "Recommended Settings" choice). Then, I did a Hijack This! scan and I chose to fix everything except the entries that said Microsoft, Dell, AVAST, or anything I was totally sure was not corrupted (about 95% of all entries I chose to fix). This erased some of my security software such as Crawler Toolbar and Spybot and Spyware Terminator, but it worked. After I rebooted, the computer contacted the Microsoft Updates site and I had 84 updates so I turned the computer off and let it install the 84 updates and then turned it back on and now I have no Windows Explorer crashes. I think it could be one of the security software packages I erased with Hijack This! Be sure not to erase your primary security program with Hijack This!. Mine was AVAST. Do not fix the AVAST entries either. Don't worry that the instructions for the upgrade install are for a Vista 64 machine, as mine is a 32 bit machine and it worked fine. Be sure to back up your hard drive before attempting this in case you choose the wrong install; you want to do an INSTALL UPGRADE!


If all fails

by DonDefy In reply to This worked for me(solved ...

I used to have a very annoying Trojan on my PC. To get rid of it I went through 3 types of antivirus software, 4 malware and spyware progs, and do you know what did it in the end?? Spyware Doctor!! Mind you, I used to hate it before as it always deleted stuff I wanted to keep... Well, I am now a big fan of it as it's awesome!!!
