Cleaning Explorer.exe

Microsoft Windows xp professional w/serv...
June 10, 2010 at 02:00:59
Specs: Windows XP, 2gb
Hi, Avira detected malware on my Explorer.exe; it says it has "BDS/Small.iuj". I don't delete this because I won't have a desktop the next time I use my computer, but the problem is whenever I turn on my computer Explorer.exe is not functioning; I mean it's there but I still have no desktop. So I do my daily routine: change the name of explorer.exe, change its name in the registry, then restart my computer, and voila! I have my desktop again.. but I'm getting tired of doing this stuff all over again whenever I use my computer..

This is the logfile of HijackThis, hope to solve this problem..


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:39:57 PM, on 6/10/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\123456789.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\SGStiMon.exe
E:\Program Files\FlashGet\FlashGet.exe
E:\Program Files\QuickSolutions\QuickSolutions.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
E:\Program Files\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Recovery\Explorer\procexp.exe
C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.facemoods.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.facemoods.com/?a=fbpage&s={searchTerms}&f=4
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Service Pack 3 Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=123456789.exe
O2 - BHO: Octh Class - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\Program Files\FlashGet\jccatch.dll
O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.3.61.0\facemoods.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - E:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.3.61.0\facemoodsTlbr.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SG310Monitor] C:\WINDOWS\SGStiMon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Flashget] E:\Program Files\FlashGet\FlashGet.exe /min
O4 - HKLM\..\Run: [QuickFix] E:\Program Files\QuickSolutions\QuickSolutions.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Migs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRA~1\MSNMES~1\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Camfrog] "E:\Program Files\Camfrog\Camfrog Video Chat\CamfrogNet.exe" 0 E:\Program Files\Camfrog\Camfrog Video Chat\Camfrog Video Chat.exe
O4 - HKUS\S-1-5-19\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [msnsc] C:\WINDOWS\system32\msnsc.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Download All with FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Download with FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &Grab video by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\Program Files\FlashGet\FlashGet.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Client Service for NetWare (NWCWorkstation) - Unknown owner - C:\WINDOWS\system32\svchost (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\

--
End of file - 11389 bytes
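A small triage helper for the log format above, added here as an example (it is not the poster's code and not a HijackThis feature): it parses HijackThis-style lines and surfaces the kinds of entries the replies below turn on: an all-numeric executable name sitting directly in the Windows directory, a system.ini Shell= value other than explorer.exe (in this thread the poster's own rename, which is exactly the sort of entry a check like this asks you to confirm rather than act on), RunOnce entries that go through cmd.exe, and services whose binary is missing from disk. The sample lines are constructed from the log above, not the full log.

```python
import re

# Constructed sample in HijackThis 2.0.2 log format, modelled on entries from the
# log above (not the full log); backslashes are literal thanks to the raw string.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\123456789.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe

F2 - REG:system.ini: Shell=123456789.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")  # e.g. "O4 - ..."
NUMERIC_EXE_RE = re.compile(r"^[A-Z]:\\WINDOWS\\\d+\.exe$", re.IGNORECASE)

def parse_hjt(text):
    """Split a HijackThis log into (kind, body) records; process-list lines get kind 'PROC'."""
    records, in_procs = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            records.append(("PROC", line))
        elif (m := ENTRY_RE.match(line)):
            records.append((m.group("kind"), m.group("body")))
    return records

def review(text):
    """Return (kind, reason, body) for entries a defender should verify first."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "PROC" and NUMERIC_EXE_RE.match(body):
            findings.append((kind, "all-numeric executable name directly under %WINDIR%", body))
        elif kind == "F2":
            m = re.match(r"REG:system\.ini: Shell=(.+)", body)
            if m and m.group(1).strip().lower() != "explorer.exe":
                findings.append((kind, "Shell value is not the default explorer.exe", body))
        elif kind == "O4" and re.search(r"\bcmd\.exe /C\b", body, re.IGNORECASE):
            findings.append((kind, "autorun entry launches through cmd.exe", body))
        elif kind == "O23" and body.endswith("(file missing)"):
            findings.append((kind, "service points at a binary that is missing from disk", body))
    return findings
```

Run `review(open("hijackthis.log").read())` on a real log to get the same four categories of findings; everything else in the log is left for manual reading.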




#1
June 10, 2010 at 02:24:08
Anything with a filename of 123456789.exe, or any other random number, should be treated as highly suspect - I'd say that's part of your problem...

"I've always been mad, I know I've been mad, like the most of us..."



#2
June 10, 2010 at 17:30:44
Nope, the file 123456789.exe is the name I gave to my explorer.exe after renaming it.. so think of it as explorer.exe..
