iexplore.exe random crash; cmd/regedit restarts explorer.exe


  • This topic is locked
11 replies to this topic

#1 Todd Fox

Todd Fox

  • Members
  • 6 posts

Posted 29 March 2009 - 02:13 PM

I am running XP Pro SP2, with IE6, on a Dell Latitude. A week ago, I caught the spyguard.exe malware, and used various methods to remove it, and for a short while, all seemed fine.

Then around yesterday, I noticed that I could not reach the Windows Update site (IE hangs on the "Checking if your computer has the latest version..." page), and then IE6 began (and is still) crashing intermittently. I also noticed that RUN>regedit.exe and RUN>cmd.exe would force a restart of explorer.exe.

I have reviewed Google and BleepingComputer threads for about 10 hours, and have finally thrown in the towel. Below please see my HijackThis log. I seem to be having trouble running DDS (the cmd console flashes very briefly and disappears) when I double-click it. Don't know if this is related to the CMD/REGEDIT problem.

I have downloaded Windows Defender and run it (no issues), Malwarebytes and run it (corrected two problems, which didn't help me much), and SuperAntiSpyware (no issues). The main problem with all of these is that I am unable to get the latest pattern files, presumably for the same reason I can't reach Windows Update's web site.

I use TrendMicro AVS, and I noticed that it too was having stability problems yesterday, so I fear maybe my guard was down for a while, and who knows what crept in on me. I have since reinstalled Trend, and it seems to be running fine again.

I don't know if I am dealing with one, or more, issues with my symptoms. I've seen posts on everything I'm seeing but not in this combination. Also, none of the cures appear to relate to my situation, though I certainly haven't run enough diagnostics to be certain of this. I did flush "SoftwareDistribution" (stopping and restarting wuauserv along the way), and a few other low-impact suggestions to no avail.

I'd be grateful for any guidance you can give here. I have a secondary computer I can use (and am using now) for my work-work, but my Dell is my primary machine and I am holding out hope I can provide a diagnostic that can point you toward the problem.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:24 PM, on 3/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\DSentry.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\QUICKENW\QWDLLS.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\NEWTScannerSvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Common Files\Crystal Decisions\2.5\bin\crystalras.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\mmc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?C...Field2=-86.1095
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: QAPHlprObj Class - {297caf50-e4f7-11d1-a380-00600896eccc} - C:\Program Files\Segue\SilkTest\qaphlpr.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\system32\DSentry.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://secure.crd.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = crd.com
O17 - HKLM\Software\..\Telephony: DomainName = crd.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = crd.com
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Crystal Report Application Server (CrystalReportApplicationServer) - Crystal Decisions - C:\Program Files\Common Files\Crystal Decisions\2.5\bin\crystalras.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: NEWTScanner Service (SvcNEWTScanner) - Komodo Laboratories LLC - C:\WINDOWS\system32\NEWTScannerSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6609 bytes



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 29 March 2009 - 08:01 PM

Hello Todd Fox,

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 Todd Fox

Todd Fox
  • Topic Starter

  • Members
  • 6 posts

Posted 30 March 2009 - 06:55 AM

Greetings Tea, and thank you for helping with my case.

Unfortunately, ComboFix (like DDS) also will not run at the present time (presumably due to the RUN>Cmd.exe problem).

I see that my symptoms are very similar to another forum post:

.../forums/lofiversion/index.php/t206736.html

and I am going over that one in detail again. Many other forum users were also reporting the exact same problem, speculating this was something "new".

If you have any ideas around the CMD.EXE problem, I'm happy to try all ideas. Like others, I *was* able to get CMD to run by copying cmd.exe to another name (zzzz.exe), but could not determine the block on cmd.exe.

#4 Todd Fox

Todd Fox
  • Topic Starter

  • Members
  • 6 posts

Posted 30 March 2009 - 07:49 AM

By the way, some have suggested that running ComboFix in Safe Mode both ran, and fixed things. However, there were some where this did not work, and some concern was raised about what happens after the reboot (when/if you are not in Safe Mode) and ComboFix picks up from there...

Is there a recommendation to try this method?

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 March 2009 - 05:51 PM

Hello,

Try renaming ComboFix.exe to toddfox.exe and see if it will run that way. I expect you have a rootkit causing this, and it usually works renaming the .exe. :thumbup2:

tea

#6 Todd Fox

Todd Fox
  • Topic Starter

  • Members
  • 6 posts

Posted 30 March 2009 - 07:09 PM

Hi Tea,

Some good news: after combing through another 40-50 forum postings (probably a hundred or more in all), I have finally determined my problem and resolved it. As was seen in a few other postings, I had a registry entry in drivers32 that pointed to a malware file. Once I removed the malware file with Hijack, and then updated the registry entry after the reboot, all appears to be well so far.

The file I deleted was

C:\windows\lot.rjr

(though this file is named differently in every instance of the malware)

and the registry entry I updated was

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

"aux"="C:\WINDOWS\system32\..\lot.rjr"

Again, I set Hijack to delete the file on reboot, and after reboot, updated the registry key to a value of "wdmaud.drv".

Now that I again have the ability to update Windows Update, update Microsoft Defender, and update Malwarebytes pattern files, I am in the process of running all the scans again with the latest pattern files, and rerunning my Trend AVS full system scan. So far, so good.

Thanks for your help - looks like the time I invested in reading forum posts all weekend has paid off. Keep your fingers crossed.

Best Regards,

tfox
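
The Drivers32 hijack described in the post above is worth a closer look, so here is an added example (written by the editor, not code from the poster or from any tool named in the thread). Drivers32 under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion lists the user-mode module for each multimedia device class (aux, wave, midi, mixer, the msacm.* and vidc.* codec names); winmm.dll loads whatever module is named there into any process that initialises multimedia, so pointing "aux" at a malware file gets it loaded into explorer.exe and Internet Explorer with no Run key for a HijackThis O4 line to show. The script parses a `reg export` dump of that key, flags entries that are not bare module names or that differ from the stock value, resolves where the module actually lives (the post's `system32\..\lot.rjr` collapses to `C:\WINDOWS\lot.rjr`, matching the file that was deleted), and writes a .reg file that restores the stock values. The sample dump is constructed, and the six-entry table of stock XP values and the C:\WINDOWS\system32 path are assumptions of the example; only the "aux" value and the wdmaud.drv fix come from the post.

```python
r"""Triage a `reg export` dump of the Drivers32 key for hijacked entries.

Added example, not code from the original thread. On a live machine the dump is
made with
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32" drivers32.reg
(reg.exe writes UTF-16LE, so open that file with encoding="utf-16"). A
constructed dump modelled on this thread's "aux" entry is embedded below so the
check runs offline.
"""
import ntpath
import re

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"

# Stock Windows XP values for the entries most often abused (assumption: XP SP2/SP3).
# Other names (vidc.*, msacm.*) are judged only by the shape heuristics below.
KNOWN_GOOD = {
    "aux": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "wave": "wdmaud.drv",
    "midimapper": "midimap.dll",
    "wavemapper": "msacm32.drv",
}

# Legitimate values are bare module names, resolved from system32, with these extensions.
OK_EXTENSIONS = (".drv", ".dll", ".acm", ".ax")

# One .reg value line: "name"="data". .reg files escape backslash as \\ and quote as \".
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

# Constructed sample dump (not the poster's real export): only "aux" is hijacked.
SAMPLE_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="C:\\WINDOWS\\system32\\..\\lot.rjr"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"wave"="wdmaud.drv"
"midimapper"="midimap.dll"
"wavemapper"="msacm32.drv"
"msacm.imaadpcm"="imaadp32.acm"
"vidc.cvid"="iccvid.dll"
'''


def _unescape(s):
    return s.replace(r'\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Return {value_name: data} for the Drivers32 key in a .reg dump.
    Other keys in the dump are ignored; Drivers32 holds only REG_SZ values."""
    entries = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == DRIVERS32_KEY.lower()
            continue
        m = _VALUE_RE.match(line) if in_key else None
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def find_hijacks(entries, system32=r"C:\WINDOWS\system32"):
    r"""Return [(name, value, resolved_path, reasons)] for suspicious entries.
    resolved_path is where the module is really loaded from: a bare name resolves
    under system32 and ".." components are collapsed, which is how the thread's
    system32\..\lot.rjr turned out to be C:\WINDOWS\lot.rjr."""
    findings = []
    for name, value in entries.items():
        resolved = ntpath.normpath(ntpath.join(system32, value))
        reasons = []
        expected = KNOWN_GOOD.get(name.lower())
        if expected and value.lower() != expected:
            reasons.append("expected %s" % expected)
        if "\\" in value or "/" in value or ".." in value:
            reasons.append("contains a path; defaults are bare module names")
        if not value.lower().endswith(OK_EXTENSIONS):
            reasons.append("unexpected extension")
        if reasons:
            findings.append((name, value, resolved, reasons))
    return findings


def remediation_reg(findings):
    """Build a .reg file restoring the stock value for each flagged entry that has
    one; entries with no known default become ';' comments for manual review.
    Import it only after the malicious module is gone (deleted or renamed on
    reboot, as the poster did), since it is loaded inside explorer.exe."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % DRIVERS32_KEY]
    for name, value, resolved, _ in findings:
        default = KNOWN_GOOD.get(name.lower())
        if default:
            lines.append('"%s"="%s"' % (name, default))
        else:
            lines.append('; review: "%s"="%s" (resolves to %s)'
                         % (name, value.replace("\\", "\\\\"), resolved))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = find_hijacks(parse_reg_export(SAMPLE_DUMP))
    for name, value, resolved, reasons in found:
        print("%s = %s -> %s: %s" % (name, value, resolved, "; ".join(reasons)))
    print(remediation_reg(found))
```

Run as-is it reports the "aux" entry with all three reasons and prints a .reg file setting "aux" back to "wdmaud.drv". To use it on a real export, replace SAMPLE_DUMP with the text of drivers32.reg read with encoding="utf-16", and treat anything with a path component or an odd extension as a loaded module, not just a registry oddity: rename or delete-on-reboot the file first, then import the repair .reg, in that order.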

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 30 March 2009 - 07:40 PM

Hello,

Obviously there's no way I could have seen that with no logs to look at, but good on you for finding it. Why did you post here again? :) Seems like you have it all under control. :thumbup2:

tea

#8 Todd Fox

Todd Fox
  • Topic Starter

  • Members
  • 6 posts

Posted 31 March 2009 - 06:20 AM

I'm sorry, Tea. You are right: my ability to generate and post logs (dds, combofix) was impacted by my inability to run CMD. It was this item I decided to focus on starting Monday morning after combofix didn't run outright. I had already succeeded in tracking down the ultimate solution by the time your "renaming the combofix script" post arrived. I was in the process of testing things out then and was away from my computer during the scans.

Please don't be put off by my original post: at the time I did so, I was at wit's end, having tried everything "safe" that was suggested in various forum posts on the topic that I could find in my first day and a half of research...

I am very thankful for this forum and its useful database of searchable topics, and for your kind assistance.

By the way, for those wanting to find similar problem topics to mine, the best search criteria appear to be "cmd regedit drivers32 aux". I did not see browser redirects myself, but my ability to download any Microsoft updates, Malwarebytes updates, and Windows Defender updates was stifled by the bug. Further, Internet Explorer stability was horrible, crashing on average every minute of usage. This was on top of the CMD/REGEDIT problems caused by this malware.

All my scans were clean on Trend/Malwarebytes/WinDefender after the "fix".

Thanks again.

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 March 2009 - 04:53 PM

Aww....you took my post too seriously. :) I'm not put out at all. I'm really glad to see that all your reading and researching here paid off for you. :thumbup2: I know it's hard to wait, and we hate that you folks have to wait. But with an average of 500 unanswered topics at any given time, we just can't get to them as fast as we'd like to. Also, every computer's problems are unique. Otherwise we'd just post some generic tutorials and everybody would be fixed. It just doesn't work that way. What worked for you stands a good chance of not working for the next person with the same symptoms. Today's malware is just too complicated and destructive.

When you're done, please be sure to delete ComboFix and Qoobox. After a certain time ComboFix becomes out of date and will not work at full capacity.

Regards,
tea

#10 Todd Fox

Todd Fox
  • Topic Starter

  • Members
  • 6 posts

Posted 31 March 2009 - 05:02 PM

Tea - I don't know how you folks keep up with the volume - it's pretty amazing!

Looks like I'm all set for now - good luck to everyone else who comes across this post.

Over and out... for now!

#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 March 2009 - 05:08 PM

:thumbup2:

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 April 2009 - 06:28 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



