Topic: Explorer restarting

[DJ]

Hi All,

I am currently trying to fix a problem that explorer.exe crashes and restarts after about 5 mins of boot up.  I have done a "Hijack" can anyone point out the bits that need fixing.

Thanks

DJ
------------------------

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\spoolsv.exe
C:\COMPAQ\ACLIENT\ACLIENT.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\Windows\Cpqdiag\Cpqdfwag.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Windows\System32\NMSSvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Windows\SYSTEM32\USRmlnkA.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Windows\System32\PROMon.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\Windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Windows\System32\qttask.exe
C:\Windows\SYSTEM32\USRshutA.exe
C:\Windows\SYSTEM32\USRmlnkA.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\freeserve\freeserveconnectionkit\atdialler1.exe
C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\3M\PSN2Lite\PSNGive.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe
C:\Windows\explorer.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://www-cache.freeserve.com:8080;http=http://www-cache.freeserve.com:8080
R3 - URLSearchHook: (no name) - {} - C:\Program Files\TV Media\TvmBho.dll
R3 - URLSearchHook: (no name) - {}_ - (no file)
O2 - BHO: (no name) - {} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {} - C:\Program Files\TV Media\TvmBho.dll
O3 - Toolbar: &Radio - {} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Toolbar - {} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [USRpdA] C:\Windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\Windows\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] C:\Windows\System32\qttask.exe
O4 - HKLM\..\Run: [ICQ Net] C:\Windows\winlogon.exe -stealth
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\Windows\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msmc] C:\Windows\System32\msmc.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - Global Startup: Freeserve Connection Kit.lnk = C:\freeserve\freeserveconnectionkit\atdialler1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Post-itŪ Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: {} (preload control) - http://216.82.66.200/build/preload.cab
O16 - DPF: {} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {} - https://www.freeserve.com/time/anytimereg_dialer/dialer/dialers/sd0101_4.exe
O16 - DPF: {} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
O16 - DPF: {} (RdxIE Class) - http://software-dl.real.com/netzip/RdxIE601.cab
O16 - DPF: {} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
O16 - DPF: {} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Simon]

It seems this one could be iffy, DJ:

O4 - HKCU\..\Run: [msmc] C:\Windows\System32\msmc.exe

but as I'm no expert, and just using Google, I would wait for someone else to confirm.

Have you used Ad Aware and Spybot?  You might need to run them in Safe Mode, with System Restore disabled to get rid of persistant problems.

[Dack]

LOTS of nasties.

First thing uninstall Messenger plus - as that installs the Lop.com hijacker as a standard. http://www.spywareinfo.com/newsletter/archives/june-2003/3.php

Then run HJT and fix whichever of these that are left.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R3 - URLSearchHook: (no name) - {} - C:\Program Files\TV Media\TvmBho.dll Hijacker
R3 - URLSearchHook: (no name) - {}_ - (no file)
O2 - BHO: (no name) - {} - C:\Program Files\TV Media\TvmBho.dll ditto
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [ICQ Net] C:\Windows\winlogon.exe -stealth trojan from ICQ
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msmc] C:\Windows\System32\msmc.exe Hijacker
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O16 - DPF: {} (preload control) - http://216.82.66.200/build/preload.cab
O16 - DPF: {} (RdxIE Class) - http://software-dl.real.com/netzip/RdxIE601.cab

[DJ]

Wow! Thanks all.

The PC isn't local to me so trying to fix it remotely and by phone etc.

I'll pass on the message and hopefully that'll sort a few things out.

Cheers again

DJ