Member Avatar for jonahshelp

Hello. I have been trying to correct a explorer desktop crash that sounds amazingly similiar to this thread. It seems to be the same but I'm at a total loss. If anyone could help I've run Hijack this using v.2.02. Here is what it gives me. I don't know what to do next.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:42 PM, on 6/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {6F557712-22C9-49F0-BCD8-433D4A1765A3} - C:\WINDOWS\system32\iifedETj.dll
O2 - BHO: (no name) - {9C28EAFB-FF50-4F42-8D39-A006129CC907} - C:\WINDOWS\system32\opnnoOeb.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seafood.local
O17 - HKLM\Software\..\Telephony: DomainName = seafood.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD2919F-3824-4F21-8D00-547771233941}: NameServer = 10.136.248.98,10.136.248.99
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seafood.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seafood.local
O20 - Winlogon Notify: opnnoOeb - C:\WINDOWS\SYSTEM32\opnnoOeb.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Canon NetSpot Console (Canon NetSpot Console Server) - CANON INC. - C:\Program Files\Canon\nsc\wnappsrv.exe
O23 - Service: Canon NetSpot Console Web Service (Canon NetSpot Web Service) - CANON INC. - C:\Program Files\Canon\nsc\wnwebsrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 2143 bytes

  • 2 Contributors
  • 5 Replies
  • 135 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by crunchie
Member Avatar for crunchie

Hi and welcome to the Daniweb forums :).

==========

Any reason why you didn't run hijackthis in normal mode? That is the preferred method.

==

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

Member Avatar for jonahshelp

Malwarebytes' Anti-Malware 1.18
Database version: 894

00:17:08 2008-06-27
mbam-log-6-27-2008 (00-17-08).txt

Scan type: Full Scan (C:\|D:\|P:\|Z:\|)
Objects scanned: 168761
Time elapsed: 3 hour(s), 22 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\serauth1.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\serauth2.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\services.exe1 (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Member Avatar for jonahshelp

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20, on 2008-06-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Canon\nsc\wnappsrv.exe
C:\Program Files\Canon\nsc\wnwebsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = seafood.local
O17 - HKLM\Software\..\Telephony: DomainName = seafood.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CD2919F-3824-4F21-8D00-547771233941}: NameServer = 10.136.248.98,10.136.248.99
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = seafood.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = seafood.local
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Canon NetSpot Console (Canon NetSpot Console Server) - CANON INC. - C:\Program Files\Canon\nsc\wnappsrv.exe
O23 - Service: Canon NetSpot Console Web Service (Canon NetSpot Web Service) - CANON INC. - C:\Program Files\Canon\nsc\wnwebsrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

--
End of file - 2579 bytes

Member Avatar for jonahshelp

Here are the 2 log files. I seems to be much better but internet explorer is hanging. Desktop is ok...

Member Avatar for crunchie

Can you rename hijackthis.exe to analysethis and do another scan and post the log please.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.