Explorer.exe hijacked

Status
Not open for further replies.
My wife's friend let an exchange student use her computer running XP Home SP1 over a period of a month and she picked up all sorts of nasty spyware, adware, viruses, trojans and who knows what else. I have been able to clean most things out, but when I used AVG antivirus to clean out some trojan horse Startpage.21.AS files such as xmllib.dll, iexplore_dbg.exe and explorer32dbg.exe, the desktop icons, start button, systray and taskbar are gone in normal mode. They do show up in Safe Mode, which is the mode I was in when I ran the HijackThis log. I must not completely understand AVG because I can't restore the files (highlight the file, right-click, restore). When in normal mode I can Ctrl-Alt-Del and run programs from the Task Manager. I have followed other posts such as 'How to remove Begin2Search/ etc' and I have fixed some files using HijackThis, but not all files stay away. SMSSU.exe and tmntsrv32.exe keep coming back. I have tried reloading XP (not the Recovery Console) without success. I have been working on this for a week and I know I'm missing some things I've tried, and I am open to any suggestions. I really don't want to scrub this thing; there are a lot of pictures and downloaded files that I'm not sure are safe to back up. I don't want to infect again and I'm reluctant to hook up to my home network since I don't trust these vermin. I am attaching the HijackThis log taken in Safe Mode.
 

Attachments

  • 0610hijackthis.txt
    4.2 KB · Views: 5
You have a fair bit of junk on that PC.

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

SMSSU.EXE
Tmntsrv32.EXE
dupccz.exe
danevent.exe
odb07.exe
cytnpc.exe
IEXPLOR.exe ==>> watch the spelling!
dxdllreg.exe
msvcp70.exe
nwpc32gt.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\WINDOWS\System32\SMSSU.EXE
C:\WINDOWS\System32\Tmntsrv32.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [dupccz] "C:\WINDOWS\System32\dupccz.exe"
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AutoLoaderv03v1PNSLPPd] "C:\WINDOWS\System32\danevent.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [v7sT35Q] odb07.exe
O4 - HKLM\..\Run: [cytnpc] C:\WINDOWS\System32\cytnpc.exe
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe ==>> watch the spelling!
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe
O4 - HKCU\..\Run: [msvcp70] C:\WINDOWS\System32\msvcp70.exe
O4 - HKCU\..\Run: [ew33RRc6Q] nwpc32gt.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.

Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].

In IE, select Tools/Internet Options. Clear the Temporary Internet Files and the Cookies.

Boot normal. When all OK, switch System Restore back on.

If you haven't got it yet, go to www.getfirefox.com and install Firefox.
In future, only use IE for windoze-updates, for everything else there is Firefox!
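As an added example for the HijackThis entries quoted above (not part of the thread and not HijackThis's own code), here is a small Python parser for O4 Run-key lines that flags, in code, the things the helper points at by hand: executables listed with no full path, run-key names that look random, and executable names that differ from a well-known Windows binary by a single character ("watch the spelling"). The sample log is constructed from the entries in the post; the list of well-known binary names is an assumption.

```python
"""Parse HijackThis O4 (Run key) lines and flag entries that deserve a closer look.

Added example; not HijackThis code. SAMPLE_LOG is constructed from the entries
quoted in the thread, KNOWN_SYSTEM_BINARIES is an assumed reference list.
"""
import re
from dataclasses import dataclass, field

# Assumed reference list of well-known Windows binary names (without .exe).
KNOWN_SYSTEM_BINARIES = {"explorer", "iexplore", "smss", "csrss", "svchost",
                         "lsass", "winlogon", "services", "rundll32"}

# Constructed sample: HJT lines copied from the helper's list above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll
O4 - HKLM\..\Run: [dupccz] "C:\WINDOWS\System32\dupccz.exe"
O4 - HKLM\..\Run: [AutoLoaderv03v1PNSLPPd] "C:\WINDOWS\System32\danevent.exe" /HideDir /HideUninstall /PC="CP.SAV" /ShowLegalNote="nonbranded"
O4 - HKLM\..\Run: [v7sT35Q] odb07.exe
O4 - HKLM\..\Run: [AtxBrw] C:\WINDOWS\IEXPLOR.exe
O4 - HKCU\..\Run: [ew33RRc6Q] nwpc32gt.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWS\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class RunEntry:
    hive: str
    key: str
    name: str          # registry value name, e.g. "SMSSU"
    command: str       # full command line as logged
    exe: str           # executable basename, lower-cased
    has_path: bool     # True when the command names a directory
    flags: list = field(default_factory=list)


def executable_of(command: str) -> str:
    """Return the executable token: a quoted path, or the first whitespace-separated word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to catch one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o4(line: str):
    """Parse one O4 line into a RunEntry with heuristic flags, or None if not an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe_path = executable_of(m["cmd"])
    exe = exe_path.rsplit("\\", 1)[-1].lower()
    entry = RunEntry(m["hive"], m["key"], m["name"], m["cmd"], exe, "\\" in exe_path)
    stem = exe[:-4] if exe.endswith(".exe") else exe
    # Bare filename: resolved via PATH search, so it could live anywhere.
    if not entry.has_path:
        entry.flags.append("no-path")
    # One edit away from a well-known system binary (IEXPLOR vs iexplore, SMSSU vs smss).
    for known in sorted(KNOWN_SYSTEM_BINARIES):
        if stem != known and levenshtein(stem, known) <= 1:
            entry.flags.append(f"lookalike:{known}")
    # Value names with several digits and interior capitals look machine-generated.
    name = m["name"]
    if sum(ch.isdigit() for ch in name) >= 2 and any(ch.isupper() for ch in name[1:]):
        entry.flags.append("random-name")
    return entry


def scan(log_text: str):
    """Return RunEntry objects for every O4 line in a HijackThis log."""
    return [e for e in (parse_o4(l) for l in log_text.splitlines()) if e is not None]


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(f"{e.hive} {e.key} [{e.name}] {e.exe:16} {' '.join(e.flags) or '-'}")
```

The heuristics are deliberately noisy (a legitimate rundll32 entry with no path will also be flagged); the point is to pull the same entries out of a log that the helper picked by eye, so they can be cross-checked before anything is ticked in HJT.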
 
explorer.exe gone again

The plan you gave me was really good and things were going fine with only "about:blank" left to get rid of. I did a search in the registry to get rid of 'about:blank' and did fine. The last time I booted up, Microsoft AntiSpyware did a scan, found some more junk and cleaned it. Now the desktop icons, start button, task bar and system tray are gone in normal and safe mode. Opening Task Manager shows explorer.exe is missing, as does the attached HijackThis log. I tried to click on 'explorer.exe' in the C:\Windows directory and I get a message stating "Windows cannot find 'C:\WINDOWS\explorer.exe.' Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search." I'm browsing directly to the file. It seems that the link for the shell and 'explorer.exe' is broken, but I don't know where to look for it. Any ideas you have will be greatly appreciated. As you can see from the HJT log, a lot has been cleaned up. Thanks.
 
What log?

Have your Windows CD handy, click on Start/Run and type in cmd and click OK.
In the command-window, type sfc /scannow and hit the Enter key.
That should restore any missing files.
Run a fresh HJT and don't forget to POST it as an attachment!
 
Sorry about the missing log, the attachment didn't stick. Things are going downhill quickly. I have gone from wallpaper without anything else to a plain blue screen, but I am still able to access Task Manager through Ctrl-Alt-Del. I ran sfc /scannow without any changes. The HijackThis log is done in normal mode. It's frustrating because everything is still on the hard drive and so close, yet so far away. I'm afraid I may have shot myself in the foot because I have tried so many 'fixes'. I've lost count of the number of virus scans and adware/spyware scans I've done, as well as the number of times I've tried to repair XP. I'm not ready to give up yet unless you say to. Open to any and all ideas. Thanks so much for your time. It's Miller time.
 

Attachments

  • 616hijackthis.txt
    2.5 KB · Views: 5
OK, with things as they are, it can't really hurt. REPAIRing Windows XP from the XP boot CD. Instructions for repairing XP if you can't boot into Windows (one of the Windows OS stickies at the top of the forum) will assist you. Ignore the first step though, in this case (the problem here is not knowing what the original problem is).

This should restore windows system files and registry entries to their CD versions.

On the other hand, it does delete a lot of stuff before reinstalling it, so if it fails there's a bit of a problem, but that doesn't really happen all that often. Repairing it is like installing Windows again from the CD, except for the fact that your data and programs remain, and most of your settings remain intact. It's up to you really.
 
I can't find anything wrong with your HJT-file.
You may have forgotten to 'fix' this one:
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe

This only needs to be fixed, not deleted. It does no harm if you don't fix it.

With the limited information that I have about your PC, there is nothing else I can do.
Try the various online-scanners from
Panda Software
Trend Micro
Stinger from McAfee
whatever else shows up in a Google for online AV scanners
 
I was doing some experimenting and I renamed 'explorer.exe' to 'zexplorer.exe', started it manually and it came up. I then went into the registry and changed the string for 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' Shell to 'zexplorer.exe' and the desktop came up fine. I then changed 'iexplore.exe' to 'ziexplore.exe' and now I can hook up to the internet. When I tried to go to Panda and Trend for online scans the computer froze up for a while, then thawed out, but would not connect to those sites. I can log onto other sites. It seems as though something has corrupted this software so it won't allow me to connect to a site that might find the little nasty, and it has changed something that won't allow 'explorer.exe' and 'iexplore.exe' to start with their real names but will allow a masked version to operate. Any ideas?? This is getting good.
 