
Solved Trojan causing Explorer.exe to not start up?

Discussion in 'Malware and Virus Removal Archive' started by mday36, 2009/07/05.

  1. 2009/07/05
    mday36

    mday36 Inactive Thread Starter

    Joined:
    2009/07/05
    Messages:
    2
    Likes Received:
    0
    [Resolved] Trojan causing Explorer.exe to not start up?

    Hi all,

    I'm a newbie to this forum & am a little embarrassed to send my first contribution in the form of a problem on my Toshiba Satellite laptop.
    Maybe it's a coincidence, but just today, July 4, I began to receive some strange goings-on with my laptop. I first noticed an error message stating that cmds.exe could not start. Then Windows Firewall advised that it was blocking twain_x86.exe.
    On boot-up both these applications seem to demand 100% of CPU capacity, slowing the laptop down until I stop the processes in Task Manager. A little Google research leads me to believe that I have a nasty cloaked trojan on my system.
    I have run MalwareBytes Anti-Malware which found the cmds.exe file & removed it (or so I thought).
    As advised I have run DDS & was slightly disappointed to see that both of the above apps appear in the pseudo HijackThis section of the DDS.txt file I have included below.
    In addition to these apps causing problems, explorer.exe does not start on boot-up - I can only Ctrl+Alt+Delete to Task Manager & then manually start explorer.exe through New Task. I have checked the registry entry in HKLM>Software>Microsoft>Windows NT>CurrentVersion>Winlogon>Shell & can confirm that the REG_SZ entry is explorer.exe. I have also ensured that explorer.exe is checked in MSConfig>Startup. (Incidentally, the twain_x86.exe application appears in MSConfig>Startup but is unchecked.)
    ==========

    DDS (Ver_09-06-26.01) - NTFSx86
    Run by Mark at 0:32:53.64 on 05/07/2009
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.751.355 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\System32\ACS.exe
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\System32\DVDRAMSV.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    c:\Toshiba\Ivp\Swupdate\swupdtmr.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\AVG\AVG8\avgcsrvx.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\Program Files\Apoint2K\Apoint.exe
    C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\WINDOWS\System32\00THotkey.exe
    C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
    C:\WINDOWS\system32\TFNF5.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\TouchED\TouchED.Exe
    C:\Program Files\Apoint2K\Apntex.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\TOSHIBA\IVP\ISM\pinger.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\RAMASST.exe
    C:\Program Files\NewsLeecher\newsLeecher.exe
    C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\Mark\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = https://login.yahoo.com/config/logi...er=bt-1&.src=bt-1&.done=http://bt.yahoo.com/?
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uWindow Title = www.google.co.uk
    uDefault_Page_URL = https://login.yahoo.com/config/logi...er=bt-1&.src=bt-1&.done=http://bt.yahoo.com/?
    mWindow Title = www.google.co.uk
    uInternet Connection Wizard,ShellNext = hxxp://toshibadirect.com/
    uSearchAssistant =
    uCustomizeSearch =
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\cmds.exe,c:\documents and settings\mark\application data\twain_x86.exe,
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [Google Update] "c:\documents and settings\mark\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRunServices: [System] explorer.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
    mRun: [SigmaTel StacMon] c:\program files\sigmatel\sigmatel ac97 audio drivers\stacmon.exe
    mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
    mRun: [AGRSMMSG] AGRSMMSG.exe
    mRun: [NDSTray.exe] NDSTray.exe
    mRun: [00THotkey] c:\windows\system32\00THotkey.exe
    mRun: [000StTHK] 000StTHK.exe
    mRun: [TFncKy] TFncKy.exe
    mRun: [TFNF5] TFNF5.exe
    mRun: [TPSMain] TPSMain.exe
    mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
    mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
    mRun: [TouchED] c:\program files\toshiba\touched\TouchED.Exe
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Samsung Common SM] "c:\windows\samsung\comsmmgr\ssmmgr.exe" /autorun
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    mRun: [System] explorer.exe
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    mRunServices: [System] explorer.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
    IE: &Search
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
    DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} - hxxp://dl.tvunetworks.com/TVUAx.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.truprint.co.uk/TruprintActivia.cab
    DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} - hxxps://moneymanager.egg.com/Pinsafe/accounttracking.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210128520386
    DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.co.uk/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {6F750203-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.co.uk/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} - hxxp://ax.emsisoft.com/asquared.cab
    DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {D9CDEFE3-51BB-4737-A12C-53D9814A148C} - hxxps://ext.fconet.fco.gov.uk/exchweb/controls/DAX.cab
    DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxps://secure.storegate.com/user/Files/Cabs/ImageUploader4.cab
    TCP: {5E06CF63-94E0-4D0C-8FB8-3AAB7C53FFEB} = 208.67.222.222,208.67.220.220
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-6 327688]
    R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-6 27784]
    R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-6 108552]
    R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-4 906520]
    R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-4 298776]

    =============== Created Last 30 ================

    2009-07-04 18:14 4,087,813 a------- c:\windows\installler.exe
    2009-07-04 18:14 7,168 a------- c:\windows\run.exe
    2009-06-30 18:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ten Thumbs Typing Tutor
    2009-06-30 18:19 <DIR> --d----- c:\program files\Ten Thumbs Typing Tutor 4.7
    2009-06-30 08:14 3,255 a------- c:\windows\system32\wbem\Outlook_01c9f98d24bb57e0.mof
    2009-06-15 20:12 <DIR> --d----- c:\program files\Paint.NET
    2009-06-12 06:30 266,360 a------- c:\windows\system32\TweakUI.exe
    2009-06-12 06:30 160,217 a------- c:\windows\system32\PowerToysLicense.rtf
    2009-06-09 21:08 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
    2009-06-09 21:08 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
    2009-06-09 21:04 <DIR> --d----- C:\Power.temp

    ==================== Find3M ====================

    2009-07-02 09:28 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-07-02 09:28 11,952 a------- c:\windows\system32\avgrsstx.dll
    2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-06-17 11:27 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-06-01 18:40 87,608 a------- c:\docume~1\mark\applic~1\inst.exe
    2009-06-01 18:40 47,360 a------- c:\docume~1\mark\applic~1\pcouffin.sys
    2009-06-01 06:56 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
    2009-05-12 23:15 915,456 a------- c:\windows\system32\wininet.dll
    2009-05-07 09:32 345,600 a------- c:\windows\system32\localspl.dll
    2009-04-17 06:26 1,847,168 a------- c:\windows\system32\win32k.sys
    2009-04-15 08:51 585,216 a------- c:\windows\system32\rpcrt4.dll
    2009-04-07 01:00 667,136 a------- c:\windows\system32\OGACheckControl.dll
    2008-06-18 22:23 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
    2009-01-26 23:47 23 a--sh--- c:\windows\system32\febddbeabae8_z.dll
    2008-09-19 20:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091920080920\index.dat

    ============= FINISH: 0:33:18.07 ===============

    I have now come to the limit of what I believe I can safely do to rectify the problems & would be grateful for any assistance.
    Many thanks.
    mday36
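    The DDS line "mWinlogon: Userinit=..." in the log above shows why checking only the Winlogon Shell value missed the persistence: cmds.exe and twain_x86.exe were appended to Userinit, and explorer.exe is also being launched from Run/RunServices entries named "System", which is not where Windows normally starts its shell. The following is an added example, not code from the thread or from the DDS tool, that parses Pseudo-HJT lines of this shape and flags both conditions; the sample lines are constructed from the log quoted above, and the EXPECTED_* defaults and the function names are assumptions of the example.

```python
import re

# Constructed sample in the format of the DDS "Pseudo HJT Report" quoted above.
# The Userinit and [System] lines mirror the ones that actually appeared in the log.
SAMPLE_REPORT = r"""
uStart Page = https://login.yahoo.com/config/login
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\cmds.exe,c:\documents and settings\mark\application data\twain_x86.exe,
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunServices: [System] explorer.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [System] explorer.exe
mRunServices: [System] explorer.exe
"""

# Assumed XP defaults: Userinit should contain only userinit.exe (with a trailing
# comma), and Shell should be just explorer.exe. Anything else is worth a look.
EXPECTED_USERINIT = {"userinit.exe"}
EXPECTED_SHELL = {"explorer.exe"}

WINLOGON_RE = re.compile(r"^[um]Winlogon:\s*(Userinit|Shell)=(.*)$", re.I)
RUN_RE = re.compile(r"^([um]Run(?:Services|Once)?):\s*\[([^\]]*)\]\s*(.*)$", re.I)


def _basenames(value):
    """Split a comma-separated Winlogon value into lower-cased file names."""
    return [p.strip().lower().rsplit("\\", 1)[-1] for p in value.split(",") if p.strip()]


def audit_hjt_report(text):
    """Return (finding, details) pairs for suspicious Winlogon and Run entries."""
    findings = []
    for line in text.splitlines():
        m = WINLOGON_RE.match(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            expected = EXPECTED_USERINIT if key == "userinit" else EXPECTED_SHELL
            extra = [name for name in _basenames(value) if name not in expected]
            if extra:
                findings.append(("winlogon_%s_extra" % key, extra))
            continue
        m = RUN_RE.match(line)
        if m:
            key, name, cmd = m.group(1), m.group(2), m.group(3).strip().lower()
            # The shell is started via the Winlogon Shell value, so explorer.exe
            # appearing under a Run/RunServices key (here without a path) is out of place.
            if cmd.rsplit("\\", 1)[-1] == "explorer.exe":
                findings.append(("explorer_in_run_key", [key, name]))
    return findings


if __name__ == "__main__":
    for finding, details in audit_hjt_report(SAMPLE_REPORT):
        print(finding, details)
```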
     
  2. 2009/07/05
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome


    Download Combofix© by sUBs from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2
    Link 3



    Example:

    * IamNotMalware.exe
    * PleaseDontEatMe.exe



    • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files ".
    --------------------------------------------------------------------
    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html

    Please leave the flash drive plugged in while completing the following.

    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     


  4. 2009/07/05
    mday36

    mday36 Inactive Thread Starter

    Joined:
    2009/07/05
    Messages:
    2
    Likes Received:
    0
    Hi there Juliet,

    Afraid things went from bad to worse. It got to the point that I couldn't get beyond the welcome screen. I tried a few ideas to fix the laptop but then, having 'invested' so much time into trying to resolve the issue, I decided to reformat & restore WinXP.
    Many thanks for your assistance.

    mday36
     
  5. 2009/07/05
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Many times this is the best option.


    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates " for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    WOT Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites - green to go, yellow for caution and red to stop, helping you avoid the dangerous sites. WOT has an addon available for both Firefox and IE.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    *http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

    Scan your computer regularly for malware
    Scan on a regular basis to keep your computer clean with free software such as Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware.
    Please note that these products can also be run free without a license as on-demand scanners.

    Please read this article 'Safe Computing Practices'.
    So how did I get infected in the first place?

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software


    Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
