Hey all, I just had a virus and I'm pretty sure I got rid of it. I don't know which virus, because when Norton caught it it was just called "Trojan Horse"; there was no specific name. I went to the Symantec website and followed their instructions to get rid of it, and Norton doesn't see it anymore and the file it listed is gone. I'm still having some problems though, because sometimes when I start up IE my computer decides it should restart Explorer for some reason. This is kind of annoying because I lose most of my tray icons. Also I seem to be getting lots of random pop-ups advertising something called Win Tasks Pro 5 or something, which I hadn't been getting since I looked up some of my processes at http://www.processlibrary.com/, but neither Norton nor Spybot S&D finds adware that would cause this. Any ideas or suggestions would be very helpful.
Symantec told me to turn off System Restore when I got rid of my virus, so all the backups were deleted. They said that Windows could accidentally restore the virus, so I should turn System Restore off until the virus was gone, and when I did that it erased all my previous restore points. The problem has been there since I removed the virus, so I don't have a restore point to use :/
Most AV programs have a really hard time getting rid of trojan-type malware. It's best to use an anti-trojan, or AT, program like Ewido, a2 Anti-Trojan, or Spybot Search & Destroy (if your particular virus is included in the definitions list). Symantec (Norton), McAfee and AVG Free versions will most likely not even be able to quarantine the trojan, much less remove it. If you need help in manually removing the virus, please post back here with the name of the trojan (Norton may have said "no name", but you will have to find out by using another program to find it), and I'll be happy to show you how to get rid of it.
Well, I'm not using a free version of Norton, it's the full version, Norton 2006, and I'll search Google, but Spybot doesn't find anything, and when it does, the stuff seems to come back even after I fix it. But I'll try to get Ewido or something and see if it gives me a name, then post back. Thanks for your help.
OK, I got Ewido and ran a scan and it found all this stuff:

Name - Risk - Recommended action
Downloader.small.bwy - high - Quarantine
dialer.generic - high - Quarantine
downloader.INService - high - Quarantine
Trojan.Dialer.pz - high - Quarantine
Trojan.Pakes - high - Quarantine
Adware.DeaktopSpyAgent - med - Quarantine
Adware.WebSearch - med - Quarantine
Adware.TrustCleaner - med - Quarantine
TrackingCookie.2o7 - med - Delete
TrackingCookie.Yieldmanager - med - Delete
TrackingCookie.Adbrite - med - Delete
TrackingCookie.Euroclick - med - Delete
TrackingCookie.Pointroll - med - Delete
TrackingCookie.Burstnet - med - Delete
TrackingCookie.Com - med - Delete
TrackingCookie.Questionmarket - med - Delete
TrackingCookie.Adjuggler - med - Delete
TrackingCookie.Reliablestats - med - Delete
TrackingCookie.Tacoda - med - Delete
TrackingCookie.Trafficmp - med - Delete
TrackingCookie.Tribalfusion - med - Delete
TrackingCookie.Burstbeacon - med - Delete
TrackingCookie.Myaffiliateprogram - med - Delete
TrackingCookie.Adserver - med - Delete
TrackingCookie.Zedo - med - Delete
Adware.Apropos - med - Quarantine
Adware.Aws - med - Quarantine

Should I take the recommended actions even though the files will just be quarantined? Or should I have it delete them? Or something else?

Edit: hmm, that didn't come out formatted like I wanted, but I think you can figure it out.
Delete them if you can, otherwise quarantine. Quarantining a file from a program like that locks the file from being accessed by encrypting it. You don't have to worry about launching the virus again.
OK, the problem is definitely not fixed, because it just happened twice to me. It seems to happen whenever I open a maximized IE window. It works fine if I keep the window at restore or minimized, but as soon as I hit maximize on a new IE window, Explorer decides to restart and I lose all my non-essential tray icons, which is really annoying. You said to post an HJT log, so here it is:

Logfile of HijackThis v1.99.1
Scan saved at 12:27:23 PM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
C:\Program Files\BELKIN USB Wireless Monitor\WLanCfgG.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\Common Files\AOL\1127013306\ee\AOLSoftware.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\BELKIN USB Wireless Monitor\InfoMyCa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HotDocs 6\hdfill6.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\aol\1127013306\ee\aim6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Martha\Desktop\Bryce\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/config/login?.partner=sbc&.done=http://sbc.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [5smQ34S] msrtfp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1127013306\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Getca] C:\Program Files\BELKIN USB Wireless Monitor\InfoMyCa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Outlook.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {0D706C01-1B2C-11D1-9566-00C04FC9DF81} (MmaFill Control) - http://courts.countyofventura.org/JCF-Web/filler/mmafill.cab
O16 - DPF: {11A25865-7179-4A9E-BCEA-456F497871EA} - http://www.xspouse.com/XspouseDemo/XspouseDemo.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin7USA.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://204.102.114.12/wg_webeye.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{08F84EAB-A802-49FE-ABFC-823B28C6E686}: NameServer = 192.168.1.1,192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{5EB1DEE1-5D42-41BC-9E90-8C58885CEBFD}: NameServer = 192.168.0.1,192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{08F84EAB-A802-49FE-ABFC-823B28C6E686}: NameServer = 192.168.1.1,192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin 54Mbps Wireless USB Network Service (Belkin 54Mbps Wireless USB) - Unknown owner - C:\Program Files\BELKIN USB Wireless Monitor\WLService.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Wow. A couple of things I saw at a quick glance. You've got way too many unneeded services and programs running at startup, but those suggestions can be made later. This I find suspicious right off the bat, simply because a search revealed no information about the file:

O4 - HKLM\..\Run: [5smQ34S] msrtfp.exe

This file might be prevented from running by going into your registry and deleting this entry. Go to Start, Run, type in regedit. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete the entry on the right-hand side called msrtfp.exe. Once you have that file disabled, restart the computer.

You can also try your luck using online AV scanners from Panda* or TrendMicro. However, if I may... I'd highly recommend trying NOD32 as your main anti-virus program. You'll have to fully remove Symantec (Norton) before using another AV.

Now, as far as your startup entries are concerned, removing these from starting up with the system won't prevent them from running normally when you need them, but it will greatly improve system startup time and all-around performance. Go to Start, Run, and type in msconfig. Uncheck (if listed):

realsched.exe - an update program
jusched.exe - Java update program
NMBgMonitor.exe - system monitor
msrtfp.exe - unknown
qttask.exe - QuickTime update program
HPWuSchd2.exe - Hewlett-Packard update program
NeroCheck.exe - Nero's drive monitor program
nwiz.exe - NVIDIA monitor program, should you install a new graphics card
Adobe Gamma Loader.exe - Adobe gamma adjustment program
BigFix.exe - a tool used to download support information from hardware manufacturers and software vendors
hpqtra08.exe - printer monitor program
hpqthb08.exe - printer program
OSA9.EXE - Microsoft Office
bagent.exe - Quicken update program

MSN Messenger can be prevented by going to Tools, Options, General and unchecking "Automatically run Messenger when I log on to Windows".

After reboot, run your scans again.
* - Panda no longer removes the virus, but it will give you a text file of the report from any virus it finds. That info we can use to determine the correct course of action.
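An added example, written for this page and not part of the thread: a Python triage pass over HijackThis O4 Run-key lines of the kind posted above. It scores what the reply above picked out by eye: a value whose name looks machine-generated (5smQ34S) and whose data is a bare filename (msrtfp.exe) that Windows has to locate through its search path rather than a fixed path, and it also flags a value with a blank name, which is what msconfig shows as an empty Startup Item. Note that in regedit the right-hand pane shows the value name (5smQ34S) with msrtfp.exe as its data, so the script prints both alongside the key path. The sample lines are copied from the posted log except the blank-named one, whose path is constructed to exercise that branch; the class-flip threshold and the scoring are this example's own heuristics, not anything HijackThis does.

```python
"""Triage of HijackThis O4 Run-key lines (added example, not from the thread).

Scores each HKLM/HKCU ...\\Run value on two signals: a value name that looks
machine-generated, and value data that is a bare filename (no path). The
threshold and scoring are this example's own heuristics."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# HijackThis prints registry autostarts as:  O4 - HKLM\..\Run: [value name] value data
# The "Startup:"/"Global Startup:" shortcut lines use another form and are skipped.
O4_RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Lines copied from the log posted above, plus one constructed blank-name entry
# (hypothetical path) to exercise the "blank Startup Item in msconfig" case.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [CHotkey] zHotkey.exe",
    r"O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe",
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [5smQ34S] msrtfp.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"',
    r"O4 - HKLM\..\Run: [] C:\WINDOWS\system32\example_unknown.exe",  # constructed, hypothetical path
    r"O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe",  # shortcut form, skipped
]


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    image: str                      # program the value launches, as written in the value data
    reasons: list[str] = field(default_factory=list)
    score: int = 0

    @property
    def verdict(self) -> str:
        return "investigate" if self.score >= 2 else "verify" if self.score == 1 else "ok"

    @property
    def regedit_path(self) -> str:
        # Key to open in regedit; the value NAME is what appears in the right-hand pane.
        return rf"{self.hive}\Software\Microsoft\Windows\CurrentVersion\{self.key}"


def image_of(cmd: str) -> str:
    """Program launched by the value data: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def _char_class(c: str) -> str:
    return "d" if c.isdigit() else "u" if c.isupper() else "l" if c.islower() else "o"


def looks_random(name: str) -> bool:
    """True for names like 5smQ34S: the part before any '_' or '{' contains a digit and
    changes character class (upper/lower/digit) on more than half of adjacent pairs.
    Vendor names with a trailing digit (Sunkist2k) stay below the threshold."""
    core = re.split(r"[_{]", name, maxsplit=1)[0]
    if len(core) < 5 or not any(c.isdigit() for c in core):
        return False
    flips = sum(_char_class(a) != _char_class(b) for a, b in zip(core, core[1:]))
    return flips / (len(core) - 1) > 0.5


def triage_run_value(hive: str, key: str, name: str, cmd: str) -> Finding:
    f = Finding(hive, key, name, image_of(cmd))
    if not name.strip():
        f.reasons.append("blank value name (shows as an empty Startup Item in msconfig)")
        f.score += 2
    elif looks_random(name):
        f.reasons.append("value name looks machine-generated")
        f.score += 2
    if f.image and "\\" not in f.image:
        f.reasons.append("bare filename, located via the search path rather than a fixed path")
        f.score += 1
    return f


def triage_log(lines: list[str]) -> list[Finding]:
    """Parse every O4 Run-key line and return findings, highest score first."""
    out = []
    for line in lines:
        m = O4_RUN_RE.match(line.strip())
        if m:
            out.append(triage_run_value(m["hive"], m["key"], m["name"], m["cmd"]))
    return sorted(out, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        if f.score:
            print(f"{f.verdict:11} {f.regedit_path}  value '{f.name}' -> {f.image}")
            for r in f.reasons:
                print(f"{'':11}   - {r}")
```

Bare OEM entries such as zHotkey.exe, SOUNDMAN.EXE and the RUNDLL32.EXE host for NvCpl.dll come out as "verify" rather than "investigate": a bare name alone only means the location is not pinned, and the reply above identifies those as vendor software. Only the combination of a machine-looking name and an unpinned binary, or a blank name, reaches "investigate", which is exactly the 5smQ34S / msrtfp.exe pair.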
Wow, thanks for all the info. I knew that that file seemed suspicious because I had tried searching for it before and didn't find anything, but I was worried it might mess up the computer if I removed it from the registry, so I was hesitating. I'll also remove a lot of those things from startup because I definitely don't need them running. About switching AV programs, that's going to be pretty impossible, as it's not my computer and my mother can be, well... let's just say she's not the brightest bulb in the box. She got upset when I downloaded Ewido to her computer because she thought it might be a virus -_- so I don't think I'm going to be able to convince her to get a new AV program that she's never heard of before.

Edit: I was in msconfig at the Startup tab and there seems to be a blank entry that refers to HKLM..../RUN, but I don't know what it is, as the name spot is blank. This seems suspicious to me, so I thought I should put it here. BTW, I haven't restarted my computer since deleting that registry entry yet.