Task Manager constantly shows two (2) explorer.exe processes running


This topic is locked
28 replies to this topic

#1 JackOLantern


Posted 15 January 2011 - 08:18 PM

I run XP SP3 32-bit version 2002

- My task manager shows two explorer.exe tasks, right from the time I start up my laptop; it's doing this all the time;

- One task shows a fairly-constant memory usage of 42,000KB, using CPUs 01 and 02;

- The other task's memory usage fluctuates up and down between 80,000KB and 190,000KB, using a multiplicity of CPUs from low (02) to mid (49, 52, etc.) double-digits;

- Is this normal? If not, what can be done to solve this?

- If it's of any help, I ran a HijackThis scan and I have a .log file available with the results, which I'll go ahead and copy & paste below. I don't dare erase anything without guidance.

Thank you!



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:40:42 pm, on 2011-Jan-15
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17093)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\BitDefender\BitDefender 2011\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Bonjour\mDNSResponder.exe
C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
C:\Archivos de programa\Common Files\Motive\McciCMService.exe
C:\ARCHIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Archivos de programa\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Archivos de programa\Windows Desktop Search\WindowsSearch.exe
C:\Archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\BitDefender\BitDefender 2011\updatesrv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Documents and Settings\Juan M\Datos de programa\air\mute\1.0.0.0\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Juan M\Mis documentos\A.A - Juan's files & programs\Downloaded software\MailWasher Pro\MailWasher.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Archivos de programa\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Archivos de programa\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4F90-B10D-FC6124A40F8C} - C:\Archivos de programa\BitDefender\BitDefender 2011\IEToolbar.dll
O4 - HKLM\..\Run: [mute] C:\Documents and Settings\Juan M\Datos de programa\air\mute\1.0.0.0\updater.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [RegistryBooster] "C:\Archivos de programa\Uniblue\RegistryBooster\launcher.exe" -w
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Archivos de programa\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\Hp\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Archivos de programa\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O4 - Global Startup: Windows Search.lnk = C:\Archivos de programa\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARCHIV~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARCHIV~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8E4827-8E1B-4A06-9397-BE4ECBBA8376}: NameServer = 85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{967C6E6E-F138-4009-98FD-B33935C29E39}: NameServer = 93.188.164.129,93.188.160.209
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.129,93.188.160.209
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.129,93.188.160.209
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Archivos de programa\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Archivos de programa\Bonjour\mDNSResponder.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Archivos de programa\Archivos comunes\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Archivos de programa\Common Files\Motive\McciCMService.exe
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\ARCHIV~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: BitDefender Update Server v2 (Update Server) - BitDefender - C:\Archivos de programa\Archivos comunes\BitDefender\BitDefender Arrakis Server\bin\arrakis3.exe
O23 - Service: BitDefender Desktop Update Service (Updatesrv) - BitDefender S.R.L. - C:\Archivos de programa\BitDefender\BitDefender 2011\updatesrv.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Archivos de programa\BitDefender\BitDefender 2011\vsserv.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe

--
End of file - 9301 bytes

¡¡¡ News flash !!!

I had to do something last night; it was either do something or throw my laptop out the window, because it wasn't even crawling anymore; it had almost stopped moving:

- With Task Manager I stopped the explorer.exe process that was using the most memory resources (of the two active explorer.exe processes going at the time)... and I was able to work fine with my laptop until I turned it off at about 1 am;

- This morning, right after I turned the laptop on, there the evil explorer.exe process was again, pestering as usual, going up and down in memory usage; so I stopped the process again with Task Manager, and here I am working fine with my laptop;

- I don't mean by this that the problem has been solved, by any means; it's only a temporary fix until you fine pc gurus get around to tackling this issue.

Awaiting further instructions,
JackOLantern

EDIT: Posts merged ~BP

Jan-18 update:

No change in status:

- Laptop keeps showing the same fastidious explorer.exe process that goes up and down in memory usage ("... up and down between 80,000KB and 190,000KB, using a multiplicity of CPUs from 02 to 49, 52...") Task Manager allows me to stop this malicious process and operate without troubles until next time I turn on the computer, when it shows up again.

- Up-to-date BitDefender has not been able to detect any malware or viruses, either via deep- or full-system scans. CCleaner also comes out empty handed.

EDIT: Posts merged ~BP

Edited by Budapest, 18 January 2011 - 04:13 PM.
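A check a defender could run over the kind of log posted above, written here as an added example (it is not code from the thread, from HijackThis or from BleepingComputer): it parses the HijackThis log format, flags processes that carry a core Windows file name such as explorer.exe but run from outside the Windows directory, ties them to O4 autorun entries sitting in the same folder, and lists resolvers hard-coded through O17 NameServer entries so they can be verified against the ISP's real servers. The embedded sample is a constructed excerpt of the posted log; the list of system-only names and the assumption that the Windows directory is C:\WINDOWS are the example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: an excerpt of the HijackThis log posted above, not the full file.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Juan M\Datos de programa\air\mute\1.0.0.0\explorer.exe

O4 - HKLM\..\Run: [mute] C:\Documents and Settings\Juan M\Datos de programa\air\mute\1.0.0.0\updater.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A8E4827-8E1B-4A06-9397-BE4ECBBA8376}: NameServer = 85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.129,93.188.160.209
"""

# Assumed list: core Windows binaries that on XP only run from %WINDIR% or
# %WINDIR%\system32; one of these names running elsewhere deserves a close look.
SYSTEM_ONLY = {"explorer.exe", "winlogon.exe", "services.exe", "lsass.exe",
               "smss.exe", "csrss.exe", "svchost.exe"}

def parse_hjt(text):
    """Split a HijackThis log into its 'Running processes' paths and its coded
    entries, returned as (processes, [(code, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # a blank line ends the process list
            continue
        m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries

def masquerading_processes(processes, windir=r"C:\WINDOWS"):
    """Processes that carry a core Windows file name but run from outside the
    Windows directory (e.g. an explorer.exe under a user profile)."""
    prefix = windir.lower() + "\\"
    return [p for p in processes
            if PureWindowsPath(p).name.lower() in SYSTEM_ONLY
            and not p.lower().startswith(prefix)]

def related_autoruns(entries, suspicious):
    """O4 autorun entries whose target sits in the same folder as a suspicious
    process; such an entry is what brings the process back on every boot."""
    dirs = {str(PureWindowsPath(p).parent).lower() for p in suspicious}
    hits = []
    for code, body in entries:
        if code == "O4" and "] " in body:
            target = body.split("] ", 1)[1].strip().strip('"')  # path after "[name] "
            if str(PureWindowsPath(target).parent).lower() in dirs:
                hits.append(body)
    return hits

def hardcoded_nameservers(entries):
    """Resolvers set statically through O17 NameServer entries; these override
    DHCP-assigned DNS and should be checked against the ISP's real servers."""
    servers = set()
    for code, body in entries:
        m = re.search(r"NameServer = ([\d.,]+)", body) if code == "O17" else None
        if m:
            servers.update(m.group(1).split(","))
    return sorted(servers)
```

Feed the output of parse_hjt(SAMPLE_LOG) to the three checks: on the sample they flag the explorer.exe under the user profile, the [mute] autorun in the same folder, and the three O17 resolvers to verify.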



#2 Casey_boy

Malware Response Team

Posted 20 January 2011 - 10:47 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.




#3 JackOLantern


Posted 20 January 2011 - 09:10 PM

Hello Casey,

- Thank you very much for your help. The laptop has not changed its up-and-down usage of memory by the mysterious explorer.exe process; only a few minutes ago, this process was using up to 300,000KB of memory.

- Per your instructions I performed 3 scans with the programs you had me download; they're hereby attached (DDS.txt, Attach.txt and ark.log).

Thanks again,
Juan




#4 Casey_boy


Posted 21 January 2011 - 11:17 AM

Hi,

My name is Casey and I will be helping you with your malware problems.

As you may have noticed, I am currently in training which means that all of my responses will first be verified by a malware removal coach. As such, there may be a little delay in my responses to you. On the plus side, there will be two sets of eyes looking over your logs.

Whilst I research the problems in your logs, it is very important that you do not make any changes to this PC. Specifically, do not run any further malware removal tools or try to remove anything yourself.

You may wish to "Watch Topic" so that you are immediately informed of any replies I make. I also ask that you reply to my posts within 5 days else your topic will be closed as stale.

Throughout the removal process, if you have any questions then you should ask them. If you are unsure of my instructions or something does not go as planned - then please tell me. Conversely, it is also important that you answer any questions I have and that you keep me updated on the state of the PC.

Regards,

Casey



#5 JackOLantern


Posted 21 January 2011 - 03:13 PM

Hello Casey,

With regards to your last input, I think I should tell you that I cannot not stop the process referred to in my original report as the malicious "explorer.exe" one. I did let the rascal run yesterday while I was performing the three scans you asked me to; but after that, and also today, I stopped the unwanted "explorer.exe" process (via the Task Administrator).

I can always bring the malicious process back online by restarting the laptop. If I let it run unchecked, the RAM memory fills up and the pc freezes totally; when this happens I have to cut the electricity from the laptop and turn it on again.

Cheers,
Juan

#6 Casey_boy


Posted 23 January 2011 - 07:29 AM

Hi,

Tracker warning
I recommend you uninstall myBabylon toolbar. It is a Conduit toolbar, some of which contain tracking functionality. You should be able to remove it via add/remove programs.



Download and run ComboFix
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you are prompted to install the Recovery Console, then please do so.

Please include the C:\ComboFix.txt in your next reply for further review.

Note: If you have trouble running ComboFix, then please rename ComboFix.exe to Caseyboy.exe and re-run.

Casey



#7 JackOLantern


Posted 23 January 2011 - 03:17 PM

Hello Casey,

Per instructions, I:

- Disabled Babylon and BitDefender 2001;
- Downloaded ComboFix from your site;
- ComboFix ran as expected, but only to the point where it said, in a blue window, that it would "... take 10+ minutes" scanning; one minute after that announcement the blue window closed down and no scan log ever appeared.
- I was not prompted to install Recovery Console.

That's it. The memory-munching explorer.exe process is still there, munching memory away until I stop it via the Task Manager.

Should I try the ComboFix process again, renaming the file Caseyboy.exe?

What now?
Thanks,
JackOLantern

#8 Casey_boy


Posted 23 January 2011 - 04:02 PM

Should I try the ComboFix process again, renaming the file Caseyboy.exe?


Yes please.



#9 JackOLantern


Posted 23 January 2011 - 04:41 PM

Tried ComboFix with Caseyboy.exe, and it didn't work either; same result as before; blue window, same message, etc., and... no log.

#10 Casey_boy


Posted 24 January 2011 - 06:42 AM

Hi,

Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Casey



#11 JackOLantern


Posted 24 January 2011 - 11:31 AM

Hello,

I'm attaching the Report.txt file you requested.

Thank you.




#12 Casey_boy


Posted 24 January 2011 - 03:25 PM

Hi,

That log was clean, so let's try running ComboFix again but this time in Safe Mode.

Boot into Safe Mode
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.

Run ComboFix

Using the instructions I gave you earlier.

Casey



#13 JackOLantern


Posted 24 January 2011 - 05:25 PM

Casey,

I was unable to run the laptop in safe mode. I've done that before, but today I couldn't. First, the laptop's screen went out of service recently, so I'm using an external monitor that comes on only when the system is already asking for a password. Then, with the suggested alternate method via msconfig, when I get to the screen with the BOOT.INI tab, the bottom of that screen with the /SAFEBOOT option is not activated, I can't access it.

The good news is... the pestilent explorer.exe process that was filling up my RAM went away sometime today, I think after I ran the Rootkit Unhooker. FYI: After running Rootkit Unhooker I turned BitDefender back on, ran a quick virus scan, and it deleted from the system a Trojan Rootkit had brought. I don't know what happened, I have no idea... but I just realized that the laptop is now running fine, without me having to manually delete the unwanted explorer.exe process that was pestering me.

Thank you very much for your time and effort. Can I bother you again if the trouble resurfaces?

Cheers,
JackOLantern

#14 Casey_boy


Posted 25 January 2011 - 03:23 AM

Hi,

I would like for you to exercise extreme caution here; whilst it certainly sounds like promising news, it may be that you still have malware problems which, currently, are not displaying symptoms.

For my peace of mind, and yours, I'd like you to re-run DDS and post me the resultant log. I would also like to see the BitDefender scan/removal log.

Casey



#15 JackOLantern


Posted 25 January 2011 - 02:36 PM

Hello Casey,

I'm attaching the logs you requested.

Thank you,
JackOLantern
