Desperate Explorer Error after using MWAS!

Guest

Hello all, I'm at my wits' end. I thought I'd give MWAS a spin and see
how it went. It seemed to quite handily find and remove 10 items. However,
after rebooting as instructed, I get the "Windows Explorer has encountered a
problem and needs to close. We are sorry for the inconvenience." error.

It appears every 15 or so seconds. I can still access the internet,
everything seems to be working, but I get Dr. Watson every 15 seconds or so,
my system hangs for about 20 seconds and then closes all the windows, except
for Internet Explorer (which is why I am able to write this).

This ONLY started happening after using MWAS. I even tried repairing Windows
today to no avail. Below I have listed the Scan Log. Perhaps something was
deleted that shouldn't have been?

Incidentally, here is the info from the error report:

AppName: explorer.exe AppVer: 6.0.2900.2180 ModName: unknown
ModVer: 0.0.0.0 Offset: 00000000


Helpful, huh?
Please, oh please help me? To make matters worse, it appears I had System
Restore off... it was off from the last time I tried to remove a malicious
piece of spyware and forgot to turn it back on.

Thank you in advance,

Damian


Spyware Scan Details
Start Date: 11/4/2005 1:14:38 PM
End Date: 11/4/2005 1:17:17 PM
Total Time: 2 mins 39 secs

Detected Threats

MediaTickets CDT Spyware more information...
Details: Mediatickets is a spyware program that displays advertisements,
reduces the security settings for the Trusted Sites zone in Internet
Explorer, and attempts to fraudulently install trusted publishers.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 ppcimdnnnjbeahepfabjipfginloedkg egckak
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 goicfboogidikkejccmclpieicihhlpo bihgbp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0 goicfboogidikkejccmclpieicihhlpo ejemdn
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx .Owner {9EB320CE-BE1D-4304-A081-4B4665414BEF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MediaTicketsInstaller.ocx {9EB320CE-BE1D-4304-A081-4B4665414BEF}


IE Trusted Zone Hijack Spyware more information...
Details: IE Trusted Zone Hijack is a spyware related Web site that is added
to your Internet Explorer Trusted Zones.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windupdates.com


Trojan.Thun Trojan more information...
Details: Trojan.Downloader.Thun disables the Windows Firewall and changes
the computer security settings to download and allow other malicious software.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected files detected
C:\Documents and Settings\Damian\Local Settings\Temp\pi.sys
C:\WINDOWS\system32\thn.dll
C:\WINDOWS\system32\thn32.dll

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {0656A137-B161-CADD-9777-E37A75727E78}


Trojan.vxgame Trojan more information...
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected files detected
C:\WINDOWS\system32\init32m.exe
C:\WINDOWS\system\svchost.exe


Trojan.Abwiz.B Trojan more information...
Details: Trojan.Abwiz.B is a backdoor Trojan that allows the remote attacker
to perform various malicious actions on the compromised computer.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected files detected
C:\WINDOWS\system32\~update.exe
C:\WINDOWS\system32\latest.exe
C:\WINDOWS\system32\win32.exe


PdPinch Password Stealer more information...
Details: Searches for passwords from various products and emails them to a
preconfigured email address.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected files detected
c:\windows\sys243.exe
c:\windows\sys244.exe
c:\windows\sys245.exe


Hijacker.Allstar Browser Modifier more information...
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected files detected
C:\Documents and Settings\Damian\Local Settings\Temp\go.exe
C:\Documents and Settings\Damian\Local Settings\Temp\pps.exe
C:\WINDOWS\system32\rch.dll
C:\WINDOWS\system32\rch32.dll
C:\WINDOWS\system32\rdrlib.dll

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_CLASSES_ROOT\clsid\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 C:\WINDOWS\System32\rch.dll
HKEY_CLASSES_ROOT\clsid\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {03B1C4D9-BC71-8916-38AD-9DEA5D213614}


Trojan.Downloader.dls Trojan Downloader more information...
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected files detected
C:\WINDOWS\system32\bre.dll
C:\WINDOWS\system32\bre32.dll

Infected registry keys/values detected
HKEY_CLASSES_ROOT\clsid\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}
HKEY_CLASSES_ROOT\clsid\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 C:\WINDOWS\System32\bre.dll
HKEY_CLASSES_ROOT\clsid\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 ThreadingModel Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {203B1C4D9-BC71-8916-38AD-9DEA5D213614}


Trojan.Downloader.msole32 Trojan Downloader more information...
Details: Trojan.Downloader.msole32 attempts to download several files, many
of which are installers for various products such as antivirus-gold,
spysheriff and spywareno.
Status: Removed
Severe threat - Severe-risk items have an extreme potential for harm, such
as a security exploit, and should be removed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run winlogon.exe


Popuper Adware more information...
Status: Removed
High threat - High-risk items have a large potential for harm, such as loss
of computer control, and should be removed unless knowingly installed.

Infected files detected
C:\WINDOWS\popuper.exe


Detected Spyware Cookies
No spyware cookies were found during this scan.
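The registry entries in the log above sit under several different Windows load points, and explorer.exe is the process that consumes the SharedTaskScheduler ones: it instantiates every CLSID listed there when the shell starts, so those entries are the first thing to check when Explorer starts crashing right after a cleanup. The Python below is an added example, not part of the thread and not Microsoft AntiSpyware code. It parses a condensed, constructed excerpt of Damian's log (section headers dropped, wrapped registry lines rejoined), groups the registry entries by the component that acts on them, resolves each SharedTaskScheduler CLSID to the DLL registered for it elsewhere in the same log, and checks that each CLSID is a well-formed GUID. The `Finding` tuple, the `LOAD_POINTS` labels and the regular expressions are my own.

```python
"""Group a Microsoft AntiSpyware removal log by Windows load point."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "threat kind text")

# Constructed, condensed excerpt of the log posted above (wrapped lines rejoined).
SCAN_LOG = r"""
IE Trusted Zone Hijack Spyware more information...
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\skoobidoo.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\windupdates.com

Trojan.Thun Trojan more information...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {0656A137-B161-CADD-9777-E37A75727E78}

Hijacker.Allstar Browser Modifier more information...
C:\WINDOWS\system32\rch.dll
HKEY_CLASSES_ROOT\clsid\{03B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 C:\WINDOWS\System32\rch.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {03B1C4D9-BC71-8916-38AD-9DEA5D213614}

Trojan.Downloader.dls Trojan Downloader more information...
HKEY_CLASSES_ROOT\clsid\{203B1C4D9-BC71-8916-38AD-9DEA5D213614}\InProcServer32 C:\WINDOWS\System32\bre.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {203B1C4D9-BC71-8916-38AD-9DEA5D213614}

Trojan.Downloader.msole32 Trojan Downloader more information...
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run winlogon.exe
"""

# Key fragment -> component that consumes it (labels are my own wording).
LOAD_POINTS = [
    (r"\Explorer\SharedTaskScheduler", "explorer.exe: COM object instantiated at shell start"),
    (r"\Policies\Explorer\Run", "explorer.exe: program started at logon"),
    (r"\InProcServer32", "COM: in-process server (DLL) registration"),
    (r"\ZoneMap\Domains", "Internet Explorer: security zone assignment"),
]

THREAT_RE = re.compile(r"^(.+?) more information\.\.\.$")
FILE_RE = re.compile(r"^[A-Za-z]:[\\/]")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
WELL_FORMED_GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
SERVER_RE = re.compile(r"\\InProcServer32 ([A-Za-z]:[\\/].+)$", re.IGNORECASE)


def parse_scan_log(text):
    """Return a Finding(threat, 'file' | 'registry', text) per detection line."""
    findings, threat = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = THREAT_RE.match(line)
        if m:
            threat = m.group(1)
        elif line.startswith("HKEY_"):
            findings.append(Finding(threat, "registry", line))
        elif FILE_RE.match(line):
            findings.append(Finding(threat, "file", line))
    return findings


def classify(reg_line):
    """Map a registry line to the component that acts on it (first match wins)."""
    lower = reg_line.lower()
    for fragment, label in LOAD_POINTS:
        if fragment.lower() in lower:
            return label
    return "other registry key"


def guids_in(text):
    return [g.upper() for g in GUID_RE.findall(text)]


def is_well_formed_guid(guid):
    """Strict 8-4-4-4-12 check; a key name can be any string, so a log may
    carry a 'CLSID' that COM could never parse or instantiate."""
    return bool(WELL_FORMED_GUID_RE.match(guid.upper()))


def group_by_load_point(findings):
    groups = {}
    for f in findings:
        if f.kind == "registry":
            groups.setdefault(classify(f.text), []).append(f)
    return groups


def explorer_load_points(findings):
    """Resolve each SharedTaskScheduler CLSID to the DLL registered for it in the
    same log; server_dll is None when no InProcServer32 line for it was removed."""
    servers = {}
    for f in findings:
        m = SERVER_RE.search(f.text) if f.kind == "registry" else None
        if m:
            for g in guids_in(f.text):
                servers[g] = m.group(1)
    report = []
    for f in findings:
        if f.kind == "registry" and "sharedtaskscheduler" in f.text.lower():
            for g in guids_in(f.text):
                report.append({"threat": f.threat, "clsid": g,
                               "well_formed": is_well_formed_guid(g),
                               "server_dll": servers.get(g)})
    return report


if __name__ == "__main__":
    for entry in explorer_load_points(parse_scan_log(SCAN_LOG)):
        print(entry)
```

Run against the posted log, two things stand out. The Trojan.Thun SharedTaskScheduler CLSID has no matching InProcServer32 line anywhere in the removal log, so its class registration (and the DLL it names) was not part of this cleanup and is worth looking up by hand under HKEY_CLASSES_ROOT\CLSID. And the CLSID for bre.dll has a nine-digit first group, so it is not a well-formed GUID; the parser flags it rather than silently treating it as a lookalike of the rch.dll one.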
 
Guest

Hi Damian

That's a seriously compromised system you have :) Microsoft AntiSpyware has
grouped some of the filenames together, but they relate to different
infections, including backdoor trojans and password stealers. From looking at
that log, it's very likely you will have more files on your system.

There are files from all these infections showing in the log:

Backdoor.Fivsec
TrojanDropper.Small.acg
TrojanDropper.Small.we
Trojan Downloader.OF
Trojan LdPinch
Trojan.Abwiz.B
Trojan.ZarCry
Trojan.Secup
Trojan.Pepop
Trojan.Crypt.i
Trojan.Crypt.c

Try these removers first, and then if you have more problems post back the
scan results for both. There may be a trojan filename entered with
explorer.exe in the Winlogon area of the registry so they both start with
Windows, but we can easily use HijackThis later to show if that's the case.
The first step is to remove any files that MS AntiSpyware may have missed and
reset your security settings.

Download smitRem.exe and save the file to your desktop.

http://noahdfear.geekstogo.com/click counter/click.php?id=1

Double click on the file to extract it to its own folder on the desktop,
then close smitRem.

Please download the trial version of Ewido Security Suite here:

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on Update in the left menu,
then click the Start update button. After the update finishes, close Ewido.

Copy this to Notepad if needed and save it so you have a copy on your PC, as
you will not be able to access the internet in Safe Mode.

Now reboot to Safe Mode: restart your computer and immediately begin
tapping the F8 key on your keyboard.
If done right, a Windows Advanced Options menu will appear. Select the Safe
Mode option and press Enter.
To return to normal mode, just restart your computer as you normally would.

Open the smitRem folder, then double click the RunThis.bat file to start the
tool. Follow the prompts on screen.
Wait for the tool to complete and Disk Cleanup to finish.

The tool will create a log named smitfiles.txt in the root of the C: drive
when it's finished.


Run Ewido: click on Scanner.

Click on Complete System Scan and the scan will begin.

Run Ewido again. From the main menu click on 'Scanner', then click 'Complete
System Scan'. When Ewido finds something, it will pop up a notification.
Select "Remove" and check the boxes "Perform action with all infections" and
"Create encrypted backup", then click on OK. When the scan finishes, click on
"Save Report" and save it to your desktop or the C: drive in case you need it
again.


Reboot back to normal mode.

To reset your wallpaper after using smitRem, right click the desktop and
choose Properties. If you have XP, then set the theme to Windows XP and press
Apply.

Run an Antivirus scan here :

http://www.pandasoftware.com/activescan/

Choose to "Disinfect automatically," and follow the prompts then save the
log when its finished.

Reset Security Settings:

Open Internet Explorer.

Go to the Tools menu on the top bar and click on Internet Options.

Go to the Advanced tab and press Restore Defaults.

Go to the Programs tab and press "Reset Web Settings", and include the homepage.

Go to the Security tab, then press Custom Level, select Medium and press Reset,
then press OK.

Finally, go to the General tab and enter the homepage you want to use into the
space provided. In the temporary files area, press Delete Files and include
all offline content, click OK, then press Apply.

If you have XP with Service Pack 2 :

Click Start > Control Panel.
Double-click the Security Center.
In the right pane, click Windows Firewall. The Windows Firewall appears.
Select On if you use Windows Firewall and it's not enabled.

In the left pane of the Security Center, select Change the way Security
Center alerts me.

Place checks next to Firewall, Virus Protection & Automatic updates if they
are not already checked and Click OK

Click Automatic Updates on the Security Center screen. Select Automatic.
Click OK.

Exit the Security Center.

Reboot again

Let us know if you have more problems.

Regards

Andy
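Andy's suspicion is a trojan filename entered alongside explorer.exe in the Winlogon area of the registry. The values that hold such comma-separated program lists are Shell and Userinit under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; on a clean Windows XP install Shell is just Explorer.exe and Userinit is the system32 userinit.exe followed by a trailing comma, so anything else in either list was put there by something. The Python below is an added example, not part of the thread and not HijackThis: it parses a .reg export of that key and returns every entry whose file name is not the expected one. Both exports are constructed, and the extra file names in the second one are placeholders, not real malware names.

```python
"""Flag unexpected entries in the Winlogon Shell and Userinit values."""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# File names a clean Windows XP install has in each comma-separated value:
# Shell is just the shell executable, Userinit is userinit.exe plus a comma.
EXPECTED = {"Shell": {"explorer.exe"}, "Userinit": {"userinit.exe"}}

# Constructed .reg export of a clean key (backslashes are doubled in .reg files).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''

# Constructed: an extra program appended to each value, the pattern Andy
# describes. The added file names are placeholders, not real malware names.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, C:\\WINDOWS\\system32\\placeholder_trojan.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\placeholder.exe"
'''

# "Name"="data" with .reg escaping (\\ and \") allowed inside the data.
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                # Undo .reg escaping: a backslash protects the next character.
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def split_entries(data):
    """Shell and Userinit hold comma-separated command lists; drop empty items."""
    return [e.strip() for e in data.split(",") if e.strip()]


def file_name(path):
    return re.split(r"[\\/]", path)[-1].lower()


def check_winlogon(reg_text):
    """Return (value_name, entry) for every entry whose file name is unexpected."""
    values = parse_reg_export(reg_text).get(WINLOGON_KEY, {})
    unexpected = []
    for name, allowed in EXPECTED.items():
        for entry in split_entries(values.get(name, "")):
            if file_name(entry) not in allowed:
                unexpected.append((name, entry))
    return unexpected


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("hijacked", HIJACKED_EXPORT)):
        print(label, check_winlogon(export))
```

To use it on a real machine, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (or File > Export in regedit) and pass the file's text to `check_winlogon`; exports can be written as UTF-16, so open the file with the encoding the tool produced. The check compares file names only, so an entry that passes it can still be a trojan dropped under the legitimate name in a different directory; the returned entries carry the full path so that can be checked too.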
 
