Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Trying to recover from major virus/Trojan attack

  • Please log in to reply



    New Member

  • Member
  • Pip
  • 1 posts
I've written to many forums and getting no where, so I'll try to be as brief, but detailed as possible.

My main problem is that I have "lost" explorer.exe on my personal PC after running Kaspersky Anti-Virus Scan. Or HiJackThis, or something. I have an HP Pavillion750c running Windows XP Home (I'm currently using other hardware to communicate).

Approximately six weeks ago I ran McAfee Viruscan and there was a virus/Trojan that is didn't recognize and couldn't delete.

This is when my problems started. It disabled McAfee and I have spent much of the six weeks trying to recover from all of this. I finally came upon a forum suggesting Kaspersky and I think this one will work; I actually got a window from McAfee Security Center wanting to update my files. Haven't seen that in a long time. Prior to Kaspersky, I ran McAfee Free Viruscan; Microsoft AntiSpyware Beta.

I currently only show the desktop background and I can only access Task Manager. When I try to run C:\Windows\explorer.exe, I get the error that it cannot be found, even though I just browsed and selected it. My boot.ini reads:

[boot loader]
[operating systems]
multi(0)disk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

I have since tried to perform a restore and recovery. Nothing. I finally used my husband's copy of XP Home Edition, SP2 and loaded that yesterday. Still nothing. All I get is the desktop background, but no icons, taskbar etc. Windows is not
loading. Even SafeMode is just a black screen. So, through much procrastinating, I am finally sending you my HijackThis logfile. I would very much appreciate any hints/thoughts you might find for me to correct my situation.

I know everyone is very busy so feel free to take some time with this. I have another box I can hook up to if I have to. Thank you in advance.

Logfile of HijackThis v1.99.1
Scan sved at 9:49:39 AM, on 5/16/05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKCU\Sofware\Microsoft\Windows\CurrentVersion\Internet Setting,ProxyServer = http=
R1 - HKCU\Sofware\Microsoft\Windows\CurrentVersion\Internet Setting,ProxyOverride = localhost;<local>
02 - BHO: XMLDP Class - {60371670-81 9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll (file missing)
04 - HKLM\..\Run: [VirusScan Online] C:\Program Files\mcafee.com\VSO\mcvsshld.exe
04 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
04 - HLKM\..\Run: [SDK Codre Function22] sdkimddrpovement2.exe
04 - HLKM\..\Run: [S3TRAY2] s3tray2.exe
04 - HLKM\..\Run: [Recguard] C:\WINDOWS\System32\nsivcixdiagmox.exe
04 - HLKM\..\Run: [PX_I^'[]SHIN[YRJ] C:\WINDOWS\System32\nsivcixdagmox.exe
04 - HLKM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
04 - HLKM\..\Run: [MCUpdateExe] C:\PROGA~1\mcafee.com\agent\mcupdate.exe
04 - HLKM\..\Run: [MCAgentExe] C:\PROGA~1\mcafee.com\agent\mcaent.exe files\mcafee.com\agent\mcagent.exe
04 - HLKM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
04 - HLKM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
04 - HLKM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab]Kaspersky Anti-virus Personal\kav.exe /minimize
04 - HLKM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
04 - HLKM\..\Run: [hpsysdrv] C:\windows\system\hpsysdrv.exe
04 - HLKM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
04 - HLKM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
04 - HLKM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
04 - HLKM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
04 - HLKM\..\RunServices: [PX_I^' []SHIN[YRJ] C:\WINDOWS\System32\nsivcixdagmox.exe
04 - HLKM\..\RunServices: [SDK Codre Function22] sdkimddrovment2.exe
04 - HLKM\..\Run: [Weather] C:\PROGR~1\AWS\WEATHE~1\Weather.exe 1
04 - HLKM\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE
04 - HLKM\..\Run: [SMSSU] C:\WINDOWS\System32\Tmntsrv32.EXE
04 - HLKM\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
04 - HLKM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
04 - HLKM\..\Run: [ctfmon.exe] c:\WINDOWS\system32\ctfmon.exe
04 - HLKM\..\RunServices: [SDK Codre Function22] sdkimddprovment2.exe
04 - GLobal Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
04 - GLobal Startup: Dpcstart.lnk = C:\Program Files\DIRECWAY\BIN\dpcstart.exe
04 - GLobal Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
04 - GLobal Startup: hp center.lnk - C:\Program Files\hp center\137903\Program\backWeb-137903.exe
04 - GLobal Startup: internat.exe
04 - GLobal Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
08 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
08 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
08 - Extra 'Tools' menuitem: Windows messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

08 - Extra button: WeatherBug - {AF6CABAB-61F9-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
08 - Extra button: Microsoft AntiSpyware helper - {F0E91F73-FCA0-4049-A9C5-A919C18F7960} - (no file) (HKCU)
08 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F0E91F73-FCA0-4049-A9C5-A919C18F7960} - (no file) (HKCU)
012 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
012 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
016 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool -

016 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
016 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...90/mcinsctl.cab
016 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b)site.cab?1113
016 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...call/scan53.cab
016 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveXcan Installer Class) - http://www.pandasoft.../as5/asinst.cab
016 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcaf...,23/mcgdmgr.cab
016 - DPF: {E06E2E99-0AA1-11D4-AbA6-0060082AA75C} (GpcContainer Class) - https://boeing.webex...bex/ieatgpc.cab
016 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...489/mcfscan.cab
017 - HKLM\System\CCS\Services\Tcpip\..\{5E4D95AB-95F5-4AFA-86E2-C5C180D7E007}: Domain - direcway.com
017 - HKLM\System\CCS\Services\Tcpip\..\{5E4D95AB-95F5-4AFA-86E2-C5C180D7E007}: NameServer =
023 - Service: DIRECWAY Webcast (DPC_SRV_WEBCAST) Hughes network Systems - C:\PROGRA~1\DIRECWAY\bin\dpcproxy.exe
023 - Service: Hardware Clock Driver (hwclock) - unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
023 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Anti-virus Personal\kavsvc.exe
023 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
023 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
023 - Service: Mcafee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - C:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Most of the above looks relatively familiar to me, but some is foreign.
Thank you again.
  • 0




    Spyware Veteran

  • GeekU Moderator
  • 31,641 posts
Close as many programs and windows as possible.

Copy the part below into notepad and save it as unhko.reg








[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\ATLASSstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\HTASSstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\MSMsgSvc]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\SEHLPstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\WTLBAstp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]



Doubleclick the file and confirm you want to merge it with the registry.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:


Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After the reboot, check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWS\xmllib.dll

O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWS\System32\Tmntsrv32.EXE

Reboot once more and post a new log.

  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP