Windows Explorer Has Stopped Working - Windows 7 HijackThis Log



David57
19-01-2010, 06:34 PM
HijackThis log - Windows 7 Home Premium 64-bit.

Have run malwarebytes and found nothing.

Could someone please look over this log and tell me what may be wrong.

I am getting the following message: Windows Explorer has stopped working, and then Windows Explorer is restarting.



Not sure why.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:02 p.m., on 19/01/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\Internet Download Manager\IDMan.exe
C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files (x86)\Internet Download Manager\IEMonitor.exe
C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files (x86)\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files (x86)\VSO\ConvertX\4\ConvertXtoDvd.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10d.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\Owner\Documents\Downloads\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: SearchHook Class - {BC86E1AB-EDA5-4059-938F-CE307B0C6F0A} - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\AddressBarSearch.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [BCU] "C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCU.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files (x86)\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [nodenable] C:\Program Files (x86)\eset\nodenable.exe /s
O4 - HKCU\..\Run: [IDMan] C:\Program Files (x86)\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download all links with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files (x86)\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files (x86)\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files (x86)\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Acronis Nonstop Backup service (afcdpsrv) - Acronis - C:\Program Files (x86)\Common Files\Acronis\CDP\afcdpsrv.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Browser Configuration Utility Service (BCUService) - DeviceVM, Inc. - C:\Program Files (x86)\DeviceVM\Browser Configuration Utility\BCUService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\SysWOW64\IoctlSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 9108 bytes

Do I need to fix all those files where it indicates (file missing)?

Please help.

Thanks


David

gary67
19-01-2010, 06:39 PM
Wait for Speedy; he is our resident specialist on HJT.

feersumendjinn
19-01-2010, 06:45 PM
Looks like you've been deleting important system files (or something has, or HDD corruption), which is probably why your Windows Explorer is complaining. You may need to repair your OS installation, or at least do an sfc /scannow from your Run command (at administrator level).
HJT can't even tell what OS you're running; maybe W7 is a bit new for it.
http://www.sevenforums.com/software/9596-hijackthis.html

Speedy Gonzales
19-01-2010, 06:55 PM
Nah, it probably says missing files because it doesn't know what Win7 is.

If Windows Explorer is crashing, you may have installed something that isn't compatible with x64.

What version of Nero is it?

You can tick these, then tick Fix checked.

Close browsers

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

It could be VSO or ConvertXtoDvd, if these put a shell extension in Windows Explorer.

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime

If you don't use Nero Home you can tick this:

O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

Is this part of NOD? If it is, what is it / what does it do? Someone who uses NOD may want to verify this is part of it. It looks like this file is also a trojan.

O4 - HKCU\..\Run: [nodenable] C:\Program Files (x86)\eset\nodenable.exe /s

feersumendjinn
19-01-2010, 07:03 PM
HJT can't even tell what OS you're running; it doesn't work with Win7. Disregard what I said above (see post in link).
http://forums.speedguide.net/showthread.php?t=266744.

David57
19-01-2010, 07:28 PM
OK. Intel Core 2 Duo E8500 3.16GHz 6M 1333MHz

Gigabyte GA-EP41-UDL3L ATX LGA775.

Not sure whether this helps.

ConvertXtoDVD 4 is compatible with Windows 7 64-bit according to what I am seeing.

Nod32 came with a 30 day trial.

I am assuming the version of HijackThis is okay for Windows 7 64-bit!!!

I have deleted the first four entries mentioned, and wonder about those entries where it indicates 'file missing': should they be retained or deleted?

I also use CCleaner: do an analysis and then run the cleaner. Not sure that this should create a problem. I do not run the cleaner on the registry.

David

Speedy Gonzales
19-01-2010, 07:32 PM
Leave the missing file entries there. This version of HJT doesn't know what Windows 7 is. What version of Nero is installed, then? Is it a recent version?

WHEN is Explorer restarting? What are you doing / or using at the time?

wainuitech
19-01-2010, 07:35 PM
HijackThis does mostly work on W7; it just doesn't know the full name of it. WinNT 6.01.3504 is the actual name/build of W7. I used it a couple of hours ago on a customer's W7 PC that was infected and HijackThis picked up several nasty entries.

Just ran it on my own W7 and it worked fine, it just didn't name it, that's all; the rest is OK.

It does look like you do have a lot of damaged/missing files. On mine the O23s did have the service (whatever it's listed as) but not the 'file missing'.

As mentioned before: click Start, type in cmd, and from the results right-click CMD / Run as administrator, then type in sfc /scannow (press Enter).

Edited: from what I was reading, some of the ones under Service can be sitting there ready to go, but not running until needed.

example: last 3 of my log:

O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
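The disagreement in this thread over the "(file missing)" O23 entries is the kind of thing worth checking mechanically rather than by eye. Below is an added example (mine, not code from the thread or from HijackThis) that parses the O2, O4 and O23 lines of a HijackThis 2.0.2 log and sorts them into buckets: orphaned BHOs with no DLL (the one entry everyone here agreed was safe to fix), per-user Run entries that deserve a second look, and services marked "(file missing)" whose path is under C:\Windows\system32 on an x64 box. That last bucket reflects a cause the thread does not name: HijackThis 2.0.2 is a 32-bit program, and when a 32-bit process opens C:\Windows\system32\lsass.exe on 64-bit Windows, WOW64 redirects it to C:\Windows\SysWOW64, where the native-only binaries do not exist, so they are reported missing even though sfc finds no integrity violations. The sample input is a handful of lines copied from the log posted above; the bucket names, the `Finding` class and the `triage`/`summary` functions are my own.

```python
"""Offline triage of HijackThis 2.0.2 log lines (O2 BHOs, O4 Run keys, O23 services)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines copied from the log posted in this thread. The
# Platform line is included only to show that the parser ignores it.
SAMPLE_LOG = r"""
Platform: Unknown Windows (WinNT 6.01.3504)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files (x86)\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [nodenable] C:\Program Files (x86)\eset\nodenable.exe /s
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
"""

# Line shapes as HijackThis 2.0.2 prints them (section prefix, " - " separated fields).
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# Pull the image path out of a Run command, quoted or not, dropping any arguments.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?P<args>.*)$', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\Windows\\system32\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # O2 / O4 / O23
    verdict: str   # bucket name (my own labels, not HijackThis terminology)
    detail: str


def triage(log_text: str) -> list[Finding]:
    """Classify each recognised line; unrecognised lines are skipped."""
    # A 32-bit HijackThis on x64 logs "Program Files (x86)" paths; use that as the x64 hint.
    is_x64 = "Program Files (x86)" in log_text
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            if m["path"] == "(no file)":
                # Registered CLSID with no DLL behind it: a dead entry, safe to fix.
                findings.append(Finding("O2", "orphan", f"BHO {{{m['clsid']}}} has no DLL"))
            else:
                findings.append(Finding("O2", "review", f"BHO {m['name']!r} -> {m['path']}"))
        elif m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            path = exe["path"] if exe else m["cmd"]
            # HKCU autostarts live in a user-writable hive, so they get their own bucket.
            verdict = "review-user" if m["hive"] == "HKCU" else "review"
            findings.append(Finding("O4", verdict, f"{m['hive']} Run [{m['name']}] -> {path}"))
        elif m := O23_RE.match(line):
            if not m["missing"]:
                verdict = "present"
            elif is_x64 and SYSTEM32_RE.search(m["path"]):
                # 32-bit scanner + x64 host + system32 path: WOW64 redirection to
                # SysWOW64 explains the "missing" verdict without any file being gone.
                verdict = "wow64-artifact"
            else:
                verdict = "verify-on-disk"
            findings.append(Finding("O23", verdict, f"{m['name']} ({m['owner']}) -> {m['path']}"))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count of findings per bucket."""
    return dict(Counter(f.verdict for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"{f.section:<4} {f.verdict:<15} {f.detail}")
    print(summary(results))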

David57
19-01-2010, 07:50 PM
Nero 8 Express version 8.3.2.2

When I get the error for Explorer restarting I can be in Internet Explorer, or sometimes the desktop is showing.

I am using a laptop to follow this up and have deleted the first 4 entries mentioned above. Since the deletions there doesn't seem to be any problems.

When I type in cmd I get C:\Users\Owner and nothing else. Excuse my ignorance.

wainuitech
19-01-2010, 08:19 PM
You should get it like this here (http://www.imagef1.net.nz/files/cmd.jpg): click the Start orb, type in cmd, then up top right-click it / Run as administrator. When the cmd box opens, type in sfc /scannow (note the single gap between c and /).


Also, if that doesn't fix it, try upgrading / reinstalling your graphics drivers.

O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)

If the graphics drivers are damaged it can also cause all sorts of problems.

Edited: what you can also look at: click Start, type in reliability, select View reliability history. Where there is an error there will be a red circle with an X; click it and it will give you some sort of report on what the common fault is (sometimes they state the obvious).

Edited 2: can you make it lock up / stop working?

David57
19-01-2010, 08:31 PM
Resource Protection did not find any integrity violations.

wainuitech
19-01-2010, 08:36 PM
Check my post - I added to it.

David57
19-01-2010, 09:13 PM
Reliability check results.

15/1/10
2 x Windows was not properly shutdown.

16/1/10
8 x Windows was not properly shutdown.
1 x Explorer.EXE

18/1/10
2 x Windows was not properly shutdown.

19/1/10
7 x Windows Explorer Stopped working.
1 x Windows was not properly shutdown.
3 x Windows Media Player Rich Preview Handler-Stopped Working

wainuitech
19-01-2010, 09:30 PM
Can you make it crash ?

Speedy Gonzales
19-01-2010, 09:35 PM
What I would do is install CCleaner (www.ccleaner.com), then run it. Then disable (not delete) all of the entries under Tools / Startup. Then reboot, then enable each one, one by one, to see if Explorer stops working. Then you'll see what's causing it. It may be something in startup causing it.

David57
19-01-2010, 10:22 PM
I enabled a screen saver after deleting the 4 items re the HJT report. After the screen saver had been on for approx 15 minutes the screen went black, and when I tried to get it out of idle the desktop icons were gone and the background remained.

I had only one option: to turn it off and power it back on again. Of course I was asked if I wanted to start Windows normally.

I then did a HJT again and found that the first 3 items mentioned before were all back in the list.

No, I don't recall what programs I had been using in between times.

David57
19-01-2010, 10:23 PM
Speedy, do you mean uninstall CCleaner, reinstall it, then run it etc.?

David57
19-01-2010, 10:26 PM
I am not sure what I need to do to make it crash?

David57
19-01-2010, 10:27 PM
The error messages re "Windows Explorer has stopped working" seem to have stopped.

David57
19-01-2010, 10:33 PM
Speedy, if I run CCleaner on the registry an entry reads Missing Startup Software and refers to the line you indicated below in an earlier post re NOD32.


Is this part of NOD?? If it is what is it / whats it do? Someone who uses NOD may want to verify this is part of it. It looks like this file is also a trojan

O4 - HKCU\..\Run: [nodenable] C:\Program Files (x86)\eset\nodenable.exe /s