Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Explorer.exe Restart/close/restart Loop

  • Please log in to reply
1 reply to this topic

#1 attraides


  • Members
  • 3 posts
  • Local time:11:50 PM

Posted 25 March 2008 - 11:04 PM

Hello I Have a windows server 2003 machine with Clamwin anti virus and windows defender running.

i tried to download a crack for a typing tutor trial version i had found.

when running the crack window defender identified a problem and told me i should restart my machine (which i did)

after the restart i noticed that my task bar kept disappearing and then reappearing and that My Computer would close shorty after i opened it.

so i first ran windows defender again and from memory i don't believe it found anything so i ran clamwin anti virus which found several so called viruses/Trojans which weren't there previously (i have my anti virus run every night).

This scan identified 7-9 different problems mostly various Trojans either in c:/Program Files/ like antiviirus.exe was and 3 others that i can't recall but required me to delete them using the command prompt.

This brings me to my next problem. This rogue application found away to lock me out of task manager.

After finding an online tutorial i was able to get it back running and then therefore use cmd prompt to remove the remaining files that my antivirus had detected. e.g. del /A filename.exe

the others being in C:\documents and settings\administrator\Local Settings\Temporary Internet Files

Now my virus scanner and windows defender detect nothing but i still have the problem of explorer.exe being closed and then restarted constantly about every 10 seaconds or so.

this is the last remaining problem to solve from this rogue application and would appreciate any help you could give me in doing so thanks

Oh and one more thing this rogue apps name was setup.exe and i picked it up from hot-softportal.com
and it also created a duplicate quick launch menu on my taskbar.

here is the link to the rouge file if someone would like to try and duplicate my problem


thanks heaps.

Below is my most recent Hijack this report after performing the required antivirus, spyware blaster ad-aware and McAfee AVERT Stinger scans. that identified some problems but did solve my main issue.

**update** i have identified that if i end the explorer.exe process manually myself it won't restart it self, and that when explorer.exe does restart spybot warns me that something is trying to make a change in my registry. Finally the rogue processes that seem to be causing this problem only show up in task manager for less than 0.5 seconds during some explorer.exe restarts. So i suspect that would mean they may not show up in the hijack this report, if they were mot present during the scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:50:54 p.m., on 26/03/2008
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\WebHost Automation\Helm4\Bin\WHA.Helm.NetworkListener.exe
C:\Program Files\WebHost Automation\Helm4\Bin\WHA.Helm.RefreshService.exe
C:\Program Files\WebHost Automation\Helm4\Bin\WHA.Helm.UpdateService.exe
C:\Program Files\hMailServer\MySQL\Bin\mysqld-nt.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\hMailServer\Bin\hMailServer.exe
C:\Documents and Settings\All Users\Application Data\tmvcjqhe\xanqfera.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Privacy Mantra 2.04\privacymantra.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [com.codeode.privacymantra] "C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" -minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [pu2Updpy3x] C:\Documents and Settings\All Users\Application Data\tmvcjqhe\xanqfera.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - ESC Trusted Zone: http://www.anz.aocmonitor.com
O15 - ESC Trusted Zone: http://reviews.cnet.com
O15 - ESC Trusted Zone: http://surveys.cnet.com
O15 - ESC Trusted Zone: http://dw.com.com
O15 - ESC Trusted Zone: http://i.d.com.com
O15 - ESC Trusted Zone: http://i.i.com.com
O15 - ESC Trusted Zone: http://bwp.download.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://www.google.co.nz
O15 - ESC Trusted Zone: http://mozilla.isc.org
O15 - ESC Trusted Zone: http://www.joomlart.com
O15 - ESC Trusted Zone: http://search.live.com
O15 - ESC Trusted Zone: http://www.mininova.org
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://www.channel.philips.com
O15 - ESC Trusted Zone: http://nz.php.net
O15 - ESC Trusted Zone: http://files.sexyandfunny.com
O15 - ESC Trusted Zone: http://internap.dl.sourceforge.net
O15 - ESC Trusted Zone: http://optusnet.dl.sourceforge.net
O15 - ESC Trusted Zone: http://ufpr.dl.sourceforge.net
O15 - ESC Trusted Zone: http://chuangtzu.acc.umu.se
O15 - ESC Trusted Zone: http://www.videolan.org
O15 - ESC Trusted Zone: http://www45.virtuagirlhd.com
O15 - ESC Trusted Zone: http://download.webhostautomation.net
O15 - ESC Trusted Zone: http://www.windowsmedia.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1201764185677
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B0C21527-34CC-4889-963C-DC104FA5D709}: NameServer =
O21 - SSODL: ChkAvp - {bf5a22c3-ca00-4014-a988-18f5730aa013} - C:\WINDOWS\Installer\{bf5a22c3-ca00-4014-a988-18f5730aa013}\ChkAvp.dll
O21 - SSODL: zip - {e246ca12-b764-4f2d-b138-27775832f0f2} - C:\WINDOWS\Installer\{e246ca12-b764-4f2d-b138-27775832f0f2}\zip.dll
O21 - SSODL: dwnrpofk - {699F7703-70F1-42B7-8ADE-4A19A079F917} - C:\WINDOWS\dwnrpofk.dll
O21 - SSODL: vbgtorfd - {2E0E94D2-0AC8-45F7-89CB-111D5ACC508B} - C:\WINDOWS\vbgtorfd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Xampp\apache\bin\apache.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Helm 4 Network Service (Helm4NetworkListener) - WebHost Automation Ltd - C:\Program Files\WebHost Automation\Helm4\Bin\WHA.Helm.NetworkListener.exe
O23 - Service: Helm 4 Refresh Service (Helm4RefreshService) - WebHost Automation Ltd - C:\Program Files\WebHost Automation\Helm4\Bin\WHA.Helm.RefreshService.exe
O23 - Service: Helm 4 Update Service (HelmUpdateService) - WebHost Automation Ltd - C:\Program Files\WebHost Automation\Helm4\Bin\WHA.Helm.UpdateService.exe
O23 - Service: hMailServer - hMailServer - C:\Program Files\hMailServer\Bin\hMailServer.exe
O23 - Service: hMailServerMySQL - Unknown owner - C:\Program Files\hMailServer\MySQL\Bin\mysqld-nt.exe
O23 - Service: mysql - Unknown owner - C:\Xampp\mysql\bin\mysqld-nt.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
O23 - Service: XAMPP Service (XAMPP) - Unknown owner - C:\Xampp\service.exe

End of file - 10225 bytes

Edited by KoanYorel, 27 March 2008 - 08:41 AM.
To disable hot link URL above

BC AdBot (Login to Remove)


#2 random/random


  • Malware Response Team
  • 2,704 posts
  • Gender:Male
  • Local time:10:50 AM

Posted 11 April 2008 - 09:20 AM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new HijackThis log, along with a description of any problems you are experiencing. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Thank you for your patience.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users