Windows Explorer Restart Window Keeps Popping Up


  • This topic is locked
10 replies to this topic

#1 Mosp

Mosp

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Location:Chile, South America
  • Local time:04:13 AM

Posted 29 February 2008 - 09:11 PM

Hello, I have Windows Vista basic, Panda: Antivirus and firewall and a pretty annoying problem.

Whenever I start my PC a window pops up saying (translated from Spanish): Windows explorer ceased to function. Windows is getting info about the problem, this may take several minutes, a few seconds later another window appears saying: Windows Explorer is restarting, then all the icons on the desktop, the menu bar and the mouse pointer flicker and the whole process starts again...over and over. Now, this is so fast I can't even open the start menu to shut down the computer properly.
Starting on Safe Mode is no good, the same thing happens.
Opening the "task administrator" (Ctrl, Shift, Esc) I can see that there are 75 to 77 active processes, and the CPU use percentage goes from 5% to 100%!
I have contacted the people from Panda Software but they have no idea what's wrong, they said it might be a Trojan.
I used every anti-malware program listed on the Preparation Guide For Use Before Posting A Hijackthis Log, but they didn't find anything.

Is this malware or did I do something wrong? I didn't want to post a HijackThis log until I was sure.


Please help! :thumbsup:



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:13 AM

Posted 02 March 2008 - 08:48 AM

Are you finding any suspicious processes in Task Manager? When you experience or encounter strange behavior, always check for new, unknown or suspicious processes that may be running on your system.

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
ThreatExpert Malware Search
If no search results are found, you are given the option to "Submit a New Sample".

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

Anytime you come across a suspicious file about which you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Then post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Mosp

  • Topic Starter

Posted 06 March 2008 - 11:56 PM

Thank you for responding, I wrote down and looked up all the processes on the sites you gave me and checked if they were in the right folder. I found csrss.exe aka W32.Gaobot.AO Worm, how can I get rid of it?

Also there's a couple of things that worry me, I have 7 svchost.exe, one of which is using 20.780 KB and I read that this could be the W32.Mydoom.I@mm worm, but it's located on the System32 folder. And there is an Inactive Process using 98 CPU and 28KB, I can't open the file's location. Nothing happens when I right-click on it.

Thanks for your help! :thumbsup:

#4 quietman7


Posted 07 March 2008 - 09:22 AM

I found csrss.exe aka W32.Gaobot.AO Worm

csrss.exe is the user-mode portion of the Win32 subsystem (Win32.sys is the kernel-mode portion) and the main executable for the Microsoft Client/Server Runtime Server Subsystem.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

Svchost.exe is a generic host process name for a group of services that are run from dynamic-link libraries (DLLs) and can run other services underneath itself. This is a valid system process that belongs to the Windows Operating System which handles processes executed from DLLs. It runs from the registry key, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost where details of the services running under each instance of svchost.exe can be found. At startup, Svchost.exe checks the services portion of the registry to construct a list of services that it needs to load.

It is not unusual for multiple instances of Svchost.exe to be running at the same time in Task Manager in order to optimise the running of the various services.

svchost.exe SYSTEM
svchost.exe LOCAL SERVICE
svchost.exe NETWORK SERVICE

Each Svchost.exe session can contain a grouping of services, therefore, separate services can run, depending on how and where Svchost.exe is started. This grouping of services permits better control and easier debugging. The process IDs (PIDs) are not static and can change with each logon but generally they stay nearly the same because they are running services all the time. The PIDs must be checked in real time to determine what services each instance of svchost.exe is controlling at that particular time.

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it is scvhost.exe, then you're dealing with a Trojan.

There are several ways to investigate svchost.exe and related processes. First, see "How to determine what services are running under a Svchost.exe process".

there is an Inactive Process using 98 CPU and 28KB

That's probably your System Idle process.

System Idle process is used for measuring how much idle time the CPU is having at any particular time (100% minus the sum of all tasks CPU usage). It accounts for processor time when the system is not processing other threads and will display how much CPU resources, as a percentage are 'idle' and available for use. One instance of this process operates per CPU, and runs to occupy the processor when other threads are not running. System Idle process also issues HLT commands which put unused parts of the CPU into a suspend mode, thereby cooling the processor. Normally this process should take up at least 90%+ of processor time on average (this is the value in the CPU column). Thus, in non-technical terms, this figure represents how much CPU time has not been requested by anything else on your system.

#5 Mosp


Posted 09 March 2008 - 07:26 PM

A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

I did try to do that, but when I click on properties or open file's location nothing happens. (there are two csrss.exe, and it doesn't work with either of them).

If svchost.exe is running as a startup (shows in msconfig), it can be bad as shown here and here. Make sure the spelling is correct. If it is scvhost.exe, then you're dealing with a Trojan.

It does run as a startup, but I double-checked and all of them are svchost.exe.
They are:
1- TabletInput
2- Winmgmt and ProfSvc
3- Eventlog
4- CryptSvc
5- WinDefend
6- RpcSs
7- PlugPlay and DcomLaunch



#6 quietman7


Posted 10 March 2008 - 09:10 AM

Ok, let's run a check to see if we find anything malware related.

Please print out and follow the instructions for using SDFix in BC's self-help tutorial "How to use SDFix".
-- When using this tool, you must use the Administrator's account or an account with "Administrative rights"
When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt. Please copy and paste the contents of Report.txt in your next reply.

#7 Mosp


Posted 11 March 2008 - 10:40 PM

Ahh, I have a problem with this. As I said, the Explorer restart popup is very fast and prevents me from doing anything, I can't even open the start menu. The only way I've found around this is to open an Internet Explorer window. This way as long as the EW is covering the entire screen the popups stop. If even a sliver of the desktop shows they start again, so I can't click on the unzipped SDfix. I tried unzipping it to my pendrive but when I double click on the Run icon nothing happens.

I managed to run HJT and have a log. But that shouldn't be posted here right? Any other alternatives or should I open a HJT account?

#8 quietman7


Posted 12 March 2008 - 07:25 AM

I managed to run HJT and have a log. But that shouldn't be posted here right?

Correct.
Post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#9 Mosp


Posted 16 March 2008 - 03:19 PM

Ack!! I can't install Adaware. In safe mode it says I can't install new programs, and in normal mode the mysterious malware keeps closing all of my windows! (right now I'm using my mom's computer) What can I do? :thumbsup:

#10 quietman7


Posted 16 March 2008 - 05:24 PM

If you can't perform a step, then skip it and just post your log.

#11 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,993 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:13 AM

Posted 29 March 2008 - 10:46 PM

Now that you have your log posted here: http://www.bleepingcomputer.com/forums/t/136914/windows-explorer-error/ DO NOT make any further changes to your computer: deleting files, editing the registry, using special fix tools, installing or uninstalling software etc. as this will make it more difficult for the HJT team to help you.

Please be patient as the HJT team is EXTREMELY busy. DO NOT bump your log as the team may think that someone is already helping you. If you have not had a response by, let's say, April 5, add a response to the five days no response topic and paste in the link to your thread.

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript



