Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

explorer.exe application error

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

explorer.exe application error

Unread postby nadine_a » April 7th, 2009, 5:40 am

Hi,

i think my laptop is infected with a malaware. on startup, a message is displayed:
setting personalized settings:
c:\system\S-1-5-21-1482476501-1644491937-6820
and then explorer.exe displays an error.

please find below my combofix log. if anyone can help me remove the infected files.

ComboFix 09-04-04.01 - Administrator 2009-04-07 12:09:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1482 [GMT 3:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\system\S-1-5-21-1482476501-1644491937-682003330-1013
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\system\S-1-5-21-1482476501-1644491937-682003330-1013\OgarD.exe

.
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-07 10:09 . 2009-04-07 10:09 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Windows Search
2009-04-06 18:37 . 2009-04-06 18:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-04-06 18:36 . 2009-04-07 10:58 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2009-04-06 18:35 . 2009-04-06 18:35 <DIR> d-------- c:\windows\Sun
2009-04-06 17:53 . 2005-04-13 03:48 49,265 --a------ c:\windows\system32\jpicpl32.cpl
2009-04-06 17:52 . 2009-04-06 17:53 <DIR> d-------- c:\program files\Java
2009-04-06 17:50 . 2009-04-06 17:50 <DIR> d-------- c:\program files\Common Files\Java
2009-04-06 17:43 . 2009-04-06 17:55 <DIR> d-------- c:\program files\Windows Defender
2009-04-06 17:31 . 2009-04-06 17:40 <DIR> d-------- c:\program files\Microsoft AntiSpyware
2009-04-06 17:30 . 2009-04-06 17:30 <DIR> d-------- c:\windows\Downloaded Installations
2009-04-06 17:24 . 2009-04-06 17:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-04-06 15:31 . 2009-04-06 15:31 <DIR> d-------- c:\documents and settings\Administrator.BEYWL028\Application Data\Malwarebytes
2009-04-06 15:22 . 2009-04-06 15:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-06 15:22 . 2009-04-06 15:22 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-31 11:11 . 2009-03-31 11:11 45,641 --a------ c:\documents and settings\schicha\dada.exe
2009-03-30 11:56 . 2009-03-30 12:53 45,641 --a------ c:\documents and settings\schicha\update.exe
2009-03-30 11:50 . 2009-03-30 11:52 45,641 --a------ c:\documents and settings\schicha\fdadsa.exe
2009-03-20 16:16 . 2009-03-20 18:02 328 --a------ c:\documents and settings\schicha\DDxDDD.EXE
2009-03-20 15:19 . 2008-02-11 15:00 <DIR> d-------- c:\documents and settings\Administrator.BEYWL028\Application Data\Intel
2009-03-20 15:19 . 2009-03-20 15:19 <DIR> d-------- c:\documents and settings\Administrator.BEYWL028
2009-03-20 15:14 . 2009-03-20 15:14 328 --a------ c:\documents and settings\schicha\DDDDD.EXE
2009-03-16 15:37 . 2009-03-16 15:37 0 --a------ c:\documents and settings\schicha\explorery.exe
2009-03-16 15:21 . 2009-03-16 15:21 0 --a------ c:\documents and settings\schicha\explore.exe
2009-03-16 15:00 . 2009-03-16 15:00 <DIR> dr-hs---- C:\RESTORE
2009-03-16 15:00 . 2009-03-16 15:00 0 --a------ c:\documents and settings\schicha\explorer1.exe
2009-03-13 13:03 . 2009-04-07 12:13 <DIR> dr-hs---- C:\SYSTEM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 11:14 256 ----a-w c:\documents and settings\schicha\pool.bin
2009-03-06 18:28 --------- d-----w c:\program files\Common Files\Adobe
2009-02-27 11:55 --------- d-----w c:\documents and settings\schicha\Application Data\Microsoft Shared
2009-02-27 11:55 --------- d-----w c:\documents and settings\schicha\Application Data\Microsoft Office
2009-02-27 11:55 --------- d-----w c:\documents and settings\All Users\Application Data\Applications
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-09-26 07:49 6 ----a-w c:\documents and settings\schicha\Application Data\Web MeetingDocConv.dat
2008-10-26 16:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102620081027\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-01-25 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-30 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-30 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"Communicator"="c:\program files\Microsoft Office Communicator\communicator.exe" [2008-04-23 5723656]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-12-01 115560]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"SigmatelSysTrayApp"="stsystra.exe" [2007-02-19 c:\windows\stsystra.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

c:\documents and settings\schicha\Start Menu\Programs\Startup\
Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2008-04-11 153352]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
iBurst_Modem UTL.lnk - c:\program files\iBurst\iBurst_UTL.EXE [2008-07-13 311296]
VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2008-02-26 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2008-02-11 15:48:23 13560]
R2 RDIConverterPrintHelper;RDI Document Conversion Helper;c:\program files\Common Files\ICWM\Printer\RDIConverterService.exe [2008-08-14 64888]
R2 TestTuner;Test-Tuner;c:\program files\marimba\tuner\Tuner.exe [2005-10-06 32871]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-12-01 23888]
S3 iBcT0201;iBurst Modem Type02-01;c:\windows\system32\drivers\iBcT0201.sys [2008-07-13 37907]
S3 iBurst;iBurst Modem;c:\windows\system32\drivers\iBurst.sys [2008-07-13 36957]
S3 iBurstu;iBurst Terminal;c:\windows\system32\DRIVERS\iBurstu.sys --> c:\windows\system32\DRIVERS\iBurstu.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D157322}]
c:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{67KLN5J0-4OPM-00WE-AAX5-77EF1D187322}]
c:\restore\k-1-3542-4232123213-7676767-8888886\Ogard.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Easy SpyRemover - c:\program files\Easy SpyRemover\EasySpyRemover.exe
HKLM-Run-virx - meme.exe
Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uStart Page = hxxp://pepsicopvt.corp.pep.pvt/eportal/site/pepsicopvt/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {2202D225-22C1-4B8C-A4B8-6A7E7B7E1524} - hxxps://pbsg.on.intercall.com/confmgr/i ... nstall.cab
DPF: {A1B8A30B-8AAA-4A3E-8869-1DA509E8A011} - hxxp://magic.mea.pi.pvt/SCRsde/Reports/ ... viewer.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 12:14:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
Completion time: 2009-04-07 12:15:35
ComboFix-quarantined-files.txt 2009-04-07 09:15:32

Pre-Run: 52,470,050,816 bytes free
Post-Run: 53,648,355,328 bytes free

148 --- E O F --- 2009-03-13 16:08:36


Thanks
nadine_a
Active Member
 
Posts: 1
Joined: April 7th, 2009, 5:31 am
Top
Advertisement
Register to Remove

Re: explorer.exe application error

Unread postby NonSuch » April 7th, 2009, 2:52 pm

ComboFix is not a tool that is intended to be used without the direct supervision of a qualified expert. To use ComboFix on your own is to court disaster for your computer. Please stop all attempts at self-fixes for your system's issues as that may only confuse the issue further and cause additional problems.

In order for us to help you it is necessary that you provide us with a HijackThis log. Please follow the guideline at the link below to start a new topic and post your HijackThis log. Also include your ComboFix log in the same post.

This topic is now closed. Please start a new topic by following the HijackThis Guideline posted here: >Guideline for posting your HijackThis log<
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Top
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 305 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index