Hello, yesterday i sudenly had Explorer of my system crashing
(giving the message “Explorer found a problem and have to be closed”).
I scaned with Avast and Malwarebytes to see what could be the problem but
only “Spybot Search and Destroy” found a trojan that was probably messing with my system explorer?
Seems i have an unknown spyware around…
Everytime i open the Recycle or open a folder, the Explorer gives an error message
saying it found a problem and will close, maybe i should use SuperAntiSpyware too…?
Here is the report in detail of the trojan found by spybot: (but its probably another unknown spyware…)
Program & Tutorial - Also useful as a diagnostic tool - [url=http://filehippo.com/download_hijackthis/][b]FileHippo Download - HiJackThis[/b][/url] and post the contents of the HJT log file here. - HJT Information [url=http://www.bleepingcomputer.com/forums/tutorial42.html][b]HiJackThis Tutorial[/b][/url].
Download and run HJT and post the contents of the log file (cut and paste or attach the log file) into this topic, you may need to split it over two or more posts depending on how large it is.
>>>>
Yes I think you should also run SAS and MBAM (again) but from safe mode.
I would like you to fix this one: R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://home.sweetim.com
It is flagged is Adware-Sweetbar,
The removal of mDNSResponder.exe because it connects out to the Internet is optonal, it will free some memory resources, and will make the computer react better. It is not malware:
removal - it’s not part of windows, if you’ve installed photoshop cs3 it comes with that, there’s a tool TurnOffBonjour that can disable it, download it from here > http://download.gizmoproject.com/jasmine/TurnOffBonjour.exe
Thanks^^ done everything, just didnt understood this part:
The removal of mDNSResponder.exe because it connects out to the Internet is optonal, it will free some memory resources, and will make the computer react better. It is not malware:
Your telling me to remove that with some other program or something? i didnt find that in the log.
I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
Close all browser windows, run HJT again.
Fix:
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
See, http://www.mywot.com/en/scorecard/sweetim.com.
Another way to get around the inability to access your antivirus program is to check your system for the presence of a particular rogue device driver:
• Step 1: Click Start, Control Panel, Performance and Maintenance (in Categories view), System.
• Step 2: Select the Hardware tab and click Device Manager.
• Step 3: Choose the View menu and select Show hidden devices.
• Step 4: Scroll to the Non-plug and play drivers section and expand the tree.
• Step 5: If you see an item labeled TDSSserv.sys, right-click it and select Disable.
After you reboot your computer, you’ll be able to access your antivirus program and browse to anti-malware sites to remove the pest from your PC. Once you’ve cleaned your system, make certain that you update your antivirus software every day to avoid reinfection.
Ok here is updated and complete log now, i did everything as you said and now going to Check TDSS Rootkit and the quoted you mentioned to try too.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:45:17, on 13-02-2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal
My great friends, this is like taking a shot in the Dark :-\
MBAM and Avast doesnt detect anything, only SperAntiSpyware could detect those 2 registrys.
IE Explorer or Firefox worked fine while my system = everything is up to date.
I only recieve a crash on my system explorer if i go to control panel (closing it) wich gives me the message “explorer found a problem and it will close” same goes if i open a folder and close it (by clicking close on top window of the folder) same will hapen.
Im going to scan again with SAS that detected 2 Registrys “Rootkit.TDSServ-Trace.Process” and see if its still there too…
Ok i even scaned again with SAS and theres nothing detected on my system, theres single nothing i can detect and this still hapens when i open folder/ close it or go control panel/ close it.
The additional information I offered was basically to check if there might be anything else there. perhaps something that might possibly cause the issues you mention with the explorer crash.
So it looks like SAS was cleaning up remnants from the registry, which without any associated files aren’t a problem. However, since this is rootkit related I would suggest trying these tools.
Also see, anti-rootkit, detection, removal & protection http://www.antirootkit.com/software/index.htm. Try these as they are some of the more efficient and user friendly anti-rootkit tools.
I haven’t forgotten any anti-rootkit, just that the greatest majority are very complex and user unfriendly and require a degree of user knowledge or they could do some serious damage.
As for the best I would think that would be GMER but that isn’t too user friendly either. Or even RootkitRevealer also unfriendly.
The three suggested are of the more user friendly ones with any known degree of success.
Sorry but I don’t see how this would help the original posters problem.
It also has a script association to this IP 64.22.126.18 and there is nothing more suspicious as hiding behind an IP address rather than a domain name (I wonder what they are trying to hide). Doing a whois search on that IP times out without result.
Not to mention there doesn’t seem to be any language choices.
Ok since i was tired already of not detecting anything anymore (hopefuly it should have been free from spyware)
I went to search more info by typing on google “explorer crash by closing control panel” and found this: http://www.helpwithwindows.com/techfiles/explorer-crashes.html
seems an unknown shell was screwing my system everytime i would close a folder, at least it stoped hapening now by disabling this unknown extension o.o; (my good god it seems finaly fixed my problem)
I still am very thankfull for the help as i still had javascript out of date and all
Thanks for the help Polunos andd DavidR
I didn’t think the folder issue in this particular case was malware related as it seemed so out of context, as malware really doesn’t want to draw attention to itself in this way; although it does happen, but with the battery of scans you did, that was more or less ruled out.
Good job in tracking it down though and this may help others in the future.
