Two Instances of explorer.exe Found!!!

Post by Jerry McMo » Sat, 29 May 2004 00:55:31


Hi all,

When I pressed Ctrl-Alt-Del, I found 2 instances of explorer.exe!
I then further looked into the problem, and I captured some screenshots in the threads of this post.
I'm afraid of directly deleting that strange explorer.exe.
Wish someone could help me to solve the problem safely.

Thanks in advance!

Jerry McMorran
 
 
 

Two Instances of explorer.exe Found!!!

Post by sgopu » Sat, 29 May 2004 02:34:34

Nobody worth their salt is going to view that screenshot!
Too much chance of a virus or hijack; you need to approach
this problem on a different tack.
Get HijackThis.





 
 
 

Two Instances of explorer.exe Found!!!

Post by Jerry McMo » Sat, 29 May 2004 03:32:04

I've just got HijackThis and let me post the log here:

=================================
Logfile of HijackThis v1.97.7
Scan saved at 02:19:57, on 2004/5/28
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\GlobalSCAPE\Secure FTP Server 1.0\cftpstes.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2004\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2004\tmproxy.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PccPfw.exe
c:\windows\system32\explorer.exe
c:\windows\explorer.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\WINDOWS\PowerS.exe
C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
C:\Program Files\DaemonTools\daemon.exe
C:\Program Files\SysMetrix\SysMetrix.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Trend Micro\PC-cillin 2004\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2004\PCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2004\TMOAgent.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kirby Alarm\kirbyalarm.exe
C:\Program Files\No-IP\DUC20.exe
C:\Documents and Settings\Edward Lam\Desktop\HijackThis.exe

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\NetTransport 2\NTIEHelper.dll
O2 - BHO: CSBHO - {D14D6793-9B65-11D3-80B6-00500487BDBA} - C:\Program Files\Comet\Bin\csbho.dll
O2 - BHO: (no name) - {EBBFE27C-BDF0-11D2-BBE5-00609419F467} - C:\WINDOWS\System32\amcis.dll
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Comet Toolbar - {FE6BC4EF-5676-484B-88AE-883323913256} - C:\Program Files\Comet\Bin\csietb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [PowerS] C:\WINDOWS\PowerS.exe
O4 - HKLM\..\Run: [Gnetmous] C:\Program Files\SamsungOpticalWheelMouse\gnetmous.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\DaemonTools\daemon.exe" -lang 1033 -lock
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [EPSON Stylus C41 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C41 S
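
The log above lists explorer.exe twice, once from c:\windows\system32 and once from c:\windows. The small script below is an added example, not part of the original thread or of HijackThis: it parses the "Running processes" section of a HijackThis log, reports any image name that runs from more than one directory (svchost.exe running several times from the same System32 directory is collapsed and not flagged), and checks explorer.exe against the directory where the Windows XP shell normally lives. The sample log is a constructed excerpt modelled on the posted one, and EXPECTED_DIRS is an assumption of mine.

```python
"""Parse the 'Running processes' section of a HijackThis log and flag
duplicate image names that resolve to different on-disk directories.

Added example, not from the original thread. SAMPLE_LOG is a constructed
excerpt modelled on the log posted above; EXPECTED_DIRS is an assumption
about where the Windows XP shell binary normally lives.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample: a trimmed copy of the posted log's process list.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
Platform: Windows XP (WinNT 5.01.2600)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\System32\\svchost.exe
c:\\windows\\system32\\explorer.exe
c:\\windows\\explorer.exe
C:\\WINDOWS\\htpatch.exe

O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\\PROGRA~1\\FlashGet\\jccatch.dll
"""

# Assumption: on Windows XP the shell is %WINDIR%\explorer.exe, so an
# explorer.exe running from anywhere else (System32 included) deserves a look.
EXPECTED_DIRS = {"explorer.exe": {"c:\\windows"}}


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    paths = []
    in_section = False
    for line in log_text.splitlines():
        if line.strip().lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            paths.append(line.strip())
    return paths


def normalise(path):
    """Split a Windows path into (lower-cased directory, lower-cased file name)."""
    p = PureWindowsPath(path)
    return str(p.parent).lower(), p.name.lower()


def duplicate_images(paths):
    """Map image name -> set of directories, keeping only names seen in more than one.

    Several copies of the same binary from the same directory (case-insensitive)
    collapse to one entry, so the multiple svchost.exe instances are not flagged.
    """
    by_name = defaultdict(set)
    for path in paths:
        directory, name = normalise(path)
        by_name[name].add(directory)
    return {name: dirs for name, dirs in by_name.items() if len(dirs) > 1}


def out_of_place(paths, expected=EXPECTED_DIRS):
    """Return paths whose image has an expected directory and is not running from it."""
    hits = []
    for path in paths:
        directory, name = normalise(path)
        allowed = expected.get(name)
        if allowed is not None and directory not in allowed:
            hits.append(path)
    return hits


if __name__ == "__main__":
    procs = running_processes(SAMPLE_LOG)
    for name, dirs in duplicate_images(procs).items():
        print(f"{name} runs from {len(dirs)} directories: {sorted(dirs)}")
    for path in out_of_place(procs):
        print(f"unexpected location: {path}")
```

Run against a full log, the script points straight at the one entry worth investigating (the System32 copy) and stays quiet about legitimate repeats such as svchost.exe; it tells you which file to examine, not whether it is malicious, so the next step is still to inspect and verify that file rather than delete it blindly.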
 
 
 

Two Instances of explorer.exe Found!!!

Post by sgopu » Sat, 29 May 2004 06:12:30

Jerry, you really need to read the instructions that come
with HijackThis. DO NOT post your HJT log on this forum.
You need to take it to the proper people for help.
I'm no expert however, I do see one item that certainly
needs to be removed and that's comet cursor.

Follow this link for removal instructions, and PLEASE
follow them step by step.

http://www.kephyr.com/spywarescanner/library/cometcursor/index.phtml

 
 
 

Two Instances of explorer.exe Found!!!

Post by sgopu » Sat, 29 May 2004 06:20:37

Try this link for the proper forum for the HJT log:

http://www.spywareinfo.com/

 
 
 

Two Instances of explorer.exe Found!!!

Post by sgopu » Sat, 29 May 2004 06:40:27


log snipped

You need to do the following: enable your firewall, or get
a better one than XP contains. ZoneAlarm (do this first)
is good and free. Install and configure it for no notices;
lots of this stuff is just normal traffic and the
firewall doing its job, no need to get notified.

Get Ad-Aware, download it, update it, then scan your machine.
Get CWShredder and do the same: download, update, scan. Get
SpywareBlaster; this will stop some of these
hijacker/helper programs from installing.
 
 
 

Two Instances of explorer.exe Found!!!

Post by Jerry McMo » Sat, 29 May 2004 09:34:15

Thanks for your help

"sgopus" < XXXX@XXXXX.COM > wrote in message news:13a2601c44433$3977cd30$ XXXX@XXXXX.COM ...