Help, 2 explorer.exe's



suddste
2008-01-12, 11:30
Hi,

I found that there was a second 'explorer.exe' running on my computer on the 22nd December. I then found a way to get rid of it, and it didn't come back until yesterday (that's when I noticed it again), just after (about 50 minutes later) I entered my credit card details. In Process Explorer, it was showing as C:\WINDOWS\system32\explorer.exe.

In Process Explorer, under the Image tab, the command line showed something to do with the path of Mozilla Firefox.

From what I can see, this process only comes up randomly.

I am running Windows Vista if that helps. My virus scanners never found anything.
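An added illustration, not part of the original thread, of the check the post is effectively describing. The legitimate Windows Explorer binary lives at C:\Windows\explorer.exe (the ComboFix log further down lists it there), so an image named explorer.exe under System32, or one whose command line names a different executable, is worth flagging. The CSV below is constructed sample data shaped like a process-list export; the Firefox install path in it is an assumption.

```python
import csv
import io
import ntpath
import re

# Canonical on-disk locations of Windows binaries whose names are often
# borrowed. explorer.exe is installed in C:\Windows, not System32.
CANONICAL_PATHS = {
    "explorer.exe": {r"c:\windows\explorer.exe"},
    "svchost.exe": {r"c:\windows\system32\svchost.exe"},
    "lsass.exe": {r"c:\windows\system32\lsass.exe"},
    "csrss.exe": {r"c:\windows\system32\csrss.exe"},
}

# Constructed sample (not a real capture): PID, image path, command line.
# The 3388 row reproduces the symptom from the post: an explorer.exe in
# System32 whose command line points at a Firefox path (path assumed).
SAMPLE_CSV = '''pid,path,command_line
1204,C:\\Windows\\explorer.exe,C:\\Windows\\Explorer.EXE
3388,C:\\WINDOWS\\system32\\explorer.exe,"""C:\\Program Files\\Mozilla Firefox\\firefox.exe"""
704,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\system32\\svchost.exe -k LocalSystemNetworkRestricted
2212,C:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe,"""C:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe"""
'''


def normalize(path):
    """Lower-case and strip surrounding quotes so paths compare reliably."""
    return path.strip().strip('"').lower()


def command_line_image(command_line):
    """Return the executable a command line starts with, honouring quoting."""
    cl = command_line.strip()
    if not cl:
        return ""
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end != -1 else cl[1:]
    # Unquoted paths with spaces are ambiguous; take everything up to the
    # first ".exe" token, else the first whitespace-delimited word.
    m = re.match(r"(.*?\.exe)(?=\s|$)", cl, re.IGNORECASE)
    return m.group(1) if m else cl.split(None, 1)[0]


def find_masquerades(csv_text):
    """Return (pid, reason) pairs for processes that look like name masquerading."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = normalize(row["path"])
        name = ntpath.basename(path)
        expected = CANONICAL_PATHS.get(name)
        # Check 1: well-known name running from somewhere Windows never puts it.
        if expected is not None and path not in expected:
            findings.append((row["pid"], f"{name} running from non-canonical path {row['path']}"))
        # Check 2: command line starts with a different executable than the image.
        cl_image = normalize(command_line_image(row["command_line"]))
        if cl_image and ntpath.basename(cl_image) != name:
            findings.append((row["pid"], f"command line names {ntpath.basename(cl_image)} but image is {name}"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_masquerades(SAMPLE_CSV):
        print(f"PID {pid}: {reason}")
```

On a live system the same function runs over a real export (for example a WMIC or Process Explorer dump) once the header names are mapped to `pid`, `path` and `command_line`. The second check is a heuristic: a few launchers legitimately start a child with a command line naming another binary, so treat it as a prompt to inspect the process (signature, parent, loaded DLLs), not as proof of infection.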

suddste
2008-01-12, 13:28
Here's a ComboFix report thing if you need it.

ComboFix 08-01-11.3 - Stephen Suddaby 2008-01-12 12:16:59.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.252 [GMT 0:00]
Running from: C:\Users\Stephen Suddaby\Desktop\Recently Downloaded Files\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-12 12:14 . 2000-08-31 08:00 51,200 --a------ C:\Windows\NirCmd.exe
2008-01-11 23:34 . 2007-01-18 12:00 3,968 --a------ C:\Windows\System32\drivers\AvgArCln.sys
2008-01-11 22:01 . 2008-01-12 12:05 <DIR> d-------- C:\Users\All Users\SecTaskMan
2008-01-11 22:01 . 2008-01-12 12:05 <DIR> d-------- C:\ProgramData\SecTaskMan
2008-01-09 22:44 . 2008-01-09 22:44 802,816 --a------ C:\Windows\System32\drivers\tcpip.sys
2008-01-09 22:44 . 2008-01-09 22:44 216,760 --a------ C:\Windows\System32\drivers\netio.sys
2008-01-09 22:44 . 2008-01-09 22:44 167,424 --a------ C:\Windows\System32\tcpipcfg.dll
2008-01-09 22:44 . 2008-01-09 22:44 24,064 --a------ C:\Windows\System32\netcfg.exe
2008-01-09 22:44 . 2008-01-09 22:44 22,016 --a------ C:\Windows\System32\netiougc.exe
2008-01-09 22:43 . 2008-01-09 22:43 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-01-09 22:43 . 2008-01-09 22:43 1,686,016 --a------ C:\Windows\System32\gameux.dll
2008-01-09 22:43 . 2008-01-09 22:43 1,060,920 --a------ C:\Windows\System32\drivers\ntfs.sys
2008-01-09 22:43 . 2008-01-09 22:43 211,000 --a------ C:\Windows\System32\drivers\volsnap.sys
2008-01-09 22:43 . 2008-01-09 22:43 154,624 --a------ C:\Windows\System32\drivers\nwifi.sys
2008-01-09 22:43 . 2008-01-09 22:43 110,136 --a------ C:\Windows\System32\drivers\ataport.sys
2008-01-09 22:43 . 2008-01-09 22:43 45,112 --a------ C:\Windows\System32\drivers\pciidex.sys
2008-01-09 22:43 . 2008-01-09 22:43 21,560 --a------ C:\Windows\System32\drivers\atapi.sys
2008-01-09 22:43 . 2008-01-09 22:43 15,928 --a------ C:\Windows\System32\drivers\pciide.sys
2008-01-09 22:42 . 2008-01-09 22:42 11,776 --a------ C:\Windows\System32\sbunattend.exe
2008-01-02 18:12 . 2006-11-02 10:23 <DIR> dr------- C:\Users\Mcx1\Videos
2008-01-02 18:12 . 2006-11-02 10:23 <DIR> d-------- C:\Users\Mcx1\Saved Games
2008-01-02 18:12 . 2006-11-02 10:23 <DIR> dr------- C:\Users\Mcx1\Pictures
2008-01-02 18:12 . 2006-11-02 10:23 <DIR> dr------- C:\Users\Mcx1\Music
2008-01-02 18:12 . 2006-11-02 10:23 <DIR> dr------- C:\Users\Mcx1\Links
2008-01-02 18:12 . 2006-11-02 10:23 <DIR> dr------- C:\Users\Mcx1\Downloads
2008-01-02 18:12 . 2008-01-02 18:12 <DIR> dr------- C:\Users\Mcx1\Documents
2008-01-02 18:12 . 2008-01-02 18:12 <DIR> d--h----- C:\Users\Mcx1\AppData
2007-12-25 17:48 . 2008-01-12 11:05 <DIR> d-a------ C:\Users\All Users\TEMP
2007-12-25 17:48 . 2007-12-25 17:48 <DIR> d-------- C:\Users\All Users\eSellerate
2007-12-25 17:48 . 2008-01-12 11:05 <DIR> d-a------ C:\ProgramData\TEMP
2007-12-25 17:48 . 2007-12-25 17:48 <DIR> d-------- C:\ProgramData\eSellerate
2007-12-25 10:35 . 2007-12-25 10:35 <DIR> d-------- C:\Users\Stephen Suddaby\AppData\Roaming\InstallShield
2007-12-25 09:37 . 2007-12-25 09:37 <DIR> d-------- C:\Program Files\NaturalPoint
2007-12-25 09:37 . 2006-12-06 17:20 15,360 --a------ C:\Windows\System32\drivers\npusb.sys
2007-12-24 23:30 . 2007-12-31 23:02 <DIR> d-------- C:\System Events
2007-12-23 19:53 . 2008-01-05 19:23 <DIR> d-------- C:\Users\Stephen Suddaby\AppData\Roaming\IMVU
2007-12-23 19:53 . 2007-12-23 21:09 <DIR> d-------- C:\Program Files\IMVU
2007-12-23 17:06 . 2007-05-29 13:55 22,112 --a------ C:\Windows\System32\drivers\COH_Mon.sys
2007-12-23 17:06 . 2007-05-29 13:55 10,592 --a------ C:\Windows\System32\drivers\COH_Mon.cat
2007-12-23 17:06 . 2007-05-29 13:55 705 --a------ C:\Windows\System32\drivers\COH_Mon.inf
2007-12-22 20:05 . 2007-12-22 20:05 <DIR> d-------- C:\Users\Stephen Suddaby\AppData\Roaming\Yahoo!
2007-12-22 19:37 . 2007-12-22 19:52 123,952 --a------ C:\Windows\System32\drivers\SYMEVENT.SYS
2007-12-22 19:37 . 2007-12-22 19:52 10,740 --a------ C:\Windows\System32\drivers\SYMEVENT.CAT
2007-12-22 19:37 . 2007-12-22 19:52 805 --a------ C:\Windows\System32\drivers\SYMEVENT.INF
2007-12-22 19:35 . 2007-12-23 17:06 <DIR> d-------- C:\Users\All Users\Symantec
2007-12-22 19:35 . 2007-12-23 17:06 <DIR> d-------- C:\ProgramData\Symantec
2007-12-22 19:35 . 2007-12-23 17:06 <DIR> d-------- C:\Program Files\Symantec
2007-12-22 19:35 . 2007-12-22 19:55 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-22 19:34 . 2007-12-22 19:45 <DIR> d-------- C:\Users\All Users\Yahoo!
2007-12-22 19:34 . 2007-12-22 19:45 <DIR> d-------- C:\ProgramData\Yahoo!
2007-12-22 19:34 . 2007-12-22 19:34 <DIR> d-------- C:\graphics
2007-12-22 18:03 . 2007-12-22 19:34 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-22 00:32 . 2007-12-22 19:27 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2007-12-22 00:32 . 2007-12-22 19:27 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2007-12-21 22:42 . 2007-12-22 09:42 <DIR> d-------- C:\Users\Stephen Suddaby\.housecall6.6
2007-12-21 09:33 . 2007-12-21 09:35 <DIR> d-------- C:\Users\Stephen Suddaby\AppData\Roaming\ZipGenius
2007-12-18 16:35 . 2007-12-18 16:35 <DIR> d-------- C:\Program Files\DVBPortal
2007-12-16 11:55 . 2007-12-31 11:52 42 --a------ C:\Windows\WeatherSet.ini
2007-12-16 11:55 . 2007-12-31 11:52 40 --a------ C:\Windows\WeatherSet2.ini
2007-12-15 12:39 . 2007-12-15 12:39 45 --a------ C:\Windows\System32\initdebug.nfo
2007-12-14 07:44 . 2007-12-14 07:44 <DIR> d-------- C:\Users\All Users\SupportSoft
2007-12-14 07:44 . 2007-12-14 07:44 <DIR> d-------- C:\ProgramData\SupportSoft
2007-12-14 07:43 . 2007-12-14 07:44 <DIR> d-------- C:\Program Files\Dell Support Center
2007-12-14 07:43 . 2007-12-14 07:43 <DIR> d-------- C:\Program Files\Common Files\supportsoft
2007-12-13 17:31 . 2007-12-14 23:17 <DIR> d-------- C:\Users\All Users\Dell
2007-12-13 17:31 . 2007-12-14 23:17 <DIR> d-------- C:\ProgramData\Dell
2007-12-12 22:34 . 2007-12-12 22:34 1,327,104 --a------ C:\Windows\System32\quartz.dll
2007-12-12 22:34 . 2007-12-12 22:34 223,232 --a------ C:\Windows\System32\WMASF.DLL
2007-12-12 22:34 . 2007-12-12 22:34 9,728 --a------ C:\Windows\System32\LAPRXY.DLL
2007-12-12 22:34 . 2007-12-12 22:34 2,048 --a------ C:\Windows\System32\asferror.dll
2007-12-12 22:32 . 2007-12-12 22:32 3,504,824 --a------ C:\Windows\System32\ntkrnlpa.exe
2007-12-12 22:32 . 2007-12-12 22:32 3,470,520 --a------ C:\Windows\System32\ntoskrnl.exe
2007-12-12 22:32 . 2007-12-12 22:32 2,048 --a------ C:\Windows\System32\tzres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 23:34 --------- d-----w C:\Program Files\System Tools
2008-01-11 18:29 --------- d-----w C:\Users\Stephen Suddaby\AppData\Roaming\OpenOffice.org2
2008-01-10 20:21 3,196 ----a-w C:\Users\Stephen Suddaby\AppData\Roaming\wklnhst.dat
2008-01-10 16:36 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 22:43 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-09 22:43 449,024 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-01-09 22:43 2,143,744 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-01-09 22:43 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-01-09 22:43 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-03 11:08 --------- d-----w C:\Users\Stephen Suddaby\AppData\Roaming\PeerNetworking
2007-12-28 00:11 --------- d-----w C:\Program Files\Flight Simulator Files
2007-12-27 00:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 12:34 --------- d-----w C:\ProgramData\Roxio
2007-12-16 17:27 --------- d-----w C:\Program Files\Microsoft Games
2007-12-12 22:33 84,992 ----a-w C:\Windows\system32\drivers\srvnet.sys
2007-12-12 22:33 824,832 ----a-w C:\Windows\System32\wininet.dll
2007-12-12 22:33 58,368 ----a-w C:\Windows\system32\drivers\mrxsmb20.sys
2007-12-12 22:33 56,320 ----a-w C:\Windows\System32\iesetup.dll
2007-12-12 22:33 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-12-12 22:33 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2007-12-12 22:33 130,048 ----a-w C:\Windows\system32\drivers\srv2.sys
2007-12-12 22:33 101,888 ----a-w C:\Windows\system32\drivers\mrxsmb.sys
2007-12-09 00:31 --------- d-----w C:\ProgramData\Coolroom
2007-12-08 18:46 --------- d-----w C:\Users\Stephen Suddaby\AppData\Roaming\vlc
2007-12-08 12:13 --------- d-----w C:\Program Files\Stardock
2007-12-08 12:13 --------- d-----w C:\Program Files\Common Files\Stardock
2007-12-02 15:50 3,261,952 --sha-w C:\Program Files\ehthumbs_vista.db
2007-11-30 23:57 43,696 ----a-w C:\Windows\system32\drivers\srtspx.sys
2007-11-30 23:57 317,616 ----a-w C:\Windows\system32\drivers\srtspl.sys
2007-11-30 23:57 279,088 ----a-w C:\Windows\system32\drivers\srtsp.sys
2007-11-30 23:57 10,549 ----a-w C:\Windows\system32\drivers\srtspx.cat
2007-11-30 23:57 10,549 ----a-w C:\Windows\system32\drivers\srtspl.cat
2007-11-30 23:57 10,545 ----a-w C:\Windows\system32\drivers\srtsp.cat
2007-11-30 23:57 1,430 ----a-w C:\Windows\system32\drivers\srtspl.inf
2007-11-30 23:57 1,421 ----a-w C:\Windows\system32\drivers\srtspx.inf
2007-11-30 23:57 1,415 ----a-w C:\Windows\system32\drivers\srtsp.inf
2007-11-29 17:30 --------- d-----w C:\ProgramData\Diskeeper Corporation
2007-11-17 18:47 1,244,672 ----a-w C:\Windows\System32\mcmde.dll
2007-11-17 16:41 --------- d-----w C:\Program Files\Ubisoft
2007-11-17 09:04 --------- d-----w C:\Program Files\Windows Live
2007-11-17 09:01 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-17 08:57 --------- d-----w C:\ProgramData\WLInstaller
2007-11-15 17:20 --------- d-----w C:\Program Files\Java
2007-11-14 22:34 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-11-14 22:34 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-11-14 22:34 73,216 ----a-w C:\Windows\system32\drivers\usbccgp.sys
2007-11-14 22:34 5,888 ----a-w C:\Windows\system32\drivers\usbd.sys
2007-11-14 22:34 38,400 ----a-w C:\Windows\system32\drivers\usbehci.sys
2007-11-14 22:34 224,768 ----a-w C:\Windows\system32\drivers\usbport.sys
2007-11-14 22:34 193,536 ----a-w C:\Windows\system32\drivers\usbhub.sys
2007-11-14 22:34 19,456 ----a-w C:\Windows\system32\drivers\usbohci.sys
2007-11-09 17:09 704,000 ----a-w C:\Windows\System32\PhotoScreensaver.scr
2007-11-09 17:09 67,584 ----a-w C:\Windows\System32\wlanhlp.dll
2007-11-09 17:09 542,720 ----a-w C:\Windows\System32\sysmain.dll
2007-11-09 17:09 502,784 ----a-w C:\Windows\System32\wlansvc.dll
2007-11-09 17:09 47,104 ----a-w C:\Windows\System32\wlanapi.dll
2007-11-09 17:09 297,984 ----a-w C:\Windows\System32\wlansec.dll
2007-11-09 17:09 290,816 ----a-w C:\Windows\System32\wlanmsm.dll
2007-11-09 17:09 24,064 ----a-w C:\Windows\System32\wtsapi32.dll
2007-11-09 17:09 2,923,520 ----a-w C:\Windows\explorer.exe
2007-11-09 17:09 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2007-10-18 11:31 51,224 ----a-w C:\Windows\System32\sirenacm.dll
2007-09-08 07:37 174 --sha-w C:\Program Files\desktop.ini
2007-09-16 08:23 61 --sh--w C:\Windows\cnerolf.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\windows sidebar\sidebar.exe" [2008-01-09 22:42 1232896]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 12:35 125440]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 12:36 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-09-04 13:47 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-15 13:32 4390912 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-05-28 04:59 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-05-28 04:58 8429568]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-05-28 04:59 81920]
"ProfilerU"="C:\Program Files\Saitek\SD6\Software\ProfilerU.exe" [2007-05-01 11:09 233472]
"SaiMfd"="C:\Program Files\Saitek\SD6\Software\SaiMfd.exe" [2007-05-01 11:09 131072]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]

C:\Users\Stephen Suddaby\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
DeskPins.lnk - C:\Program Files\System Tools\DeskPins\DeskPins.exe [2004-05-02 17:02:51]
GBPVRTray.exe.lnk - C:\Users\Stephen Suddaby\AppData\Roaming\Microsoft\Installer\{4E3C136A-F737-4CF0-9F89-538E733E8C7E}\Icon3C8F050B1.exe [2007-09-21 15:17:17]
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2007-12-08 12:13:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\Windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^TMMonitor.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\TMMonitor.lnk
backup=C:\Windows\pss\TMMonitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-11-02 18:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-10-19 20:16 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2007-06-26 13:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

R1 IDSvix86;Symantec Intrusion Prevention Driver;C:\PROGRA~2\Symantec\DEFINI~1\SymcData\idsdefs\20080111.002\IDSvix86.sys [2007-12-04 17:51]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe /service []
R3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 07:30]
R3 BDA_Capture_220A;Digital-TV receiver Driver 3.0.1.18;C:\Windows\system32\Drivers\BDA_Capture_220A.sys [2007-02-27 09:19]
R3 NPUSB;NPUSB;C:\Windows\system32\DRIVERS\npusb.sys [2006-12-06 17:20]
R3 SaiH075C;SaiH075C;C:\Windows\system32\DRIVERS\SaiH075C.sys [2007-05-01 15:11]
R3 SYMNDISV;SYMNDISV;C:\Windows\system32\Drivers\SYMNDISV.SYS [2007-10-30 19:55]
S3 BDA_Loader_220A;Digital-TV Receiver Firmware Loader 6.7.10.0;C:\Windows\system32\Drivers\BDA_Loader_220A.sys [2006-07-10 15:17]
S3 ECS_Loader_220;Digital TV Receiver Firmware Loader 5.10.31.0;C:\Windows\system32\Drivers\ECS_Loader_220.sys [2005-10-31 10:28]
S3 Just Flight Limited License Service;Just Flight Limited License Service;"C:\Program Files\Common Files\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe" [2007-09-08 08:23]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 07:36]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2006-11-02 08:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted REG_MULTI_SZ hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1f0df810-5aab-11dc-8bed-806e6f6e6963}]
\shell\AutoRun\command - E:\stub.exe

*Newly Created Service* - AVGARCLN
*Newly Created Service* - AVG_ANTI-ROOTKIT
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-01-07 21:46:19 C:\Windows\Tasks\Norton Security Online - Run Full System Scan - Stephen Suddaby.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeB/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 12:22:48
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Program Files\Stardock\ObjectDock\DockShellHook.dll
.
Completion time: 2008-01-12 12:24:42
.
2008-01-09 22:44:56 --- E O F ---