Error -- Explorer! Window

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by TroyK, Mar 7, 2005.

  1. TroyK

    TroyK Private E-2

    Hello,

    I have followed the instructions regarding spyware removal in the 'READ ME FIRST' post and 99% of the problems have been resolved. However, I have a few remaining issues, and I think they are all tied to one problem. When I open 'My Computer', 'Control Panel', 'Search', etc, I get a window that appears in the center of my screen first with the title "Error" and the word 'Explorer!' in the window. There is a close button on the title bar and an 'OK' button in the window. If I close the window with either, it goes away and the desired object appears (My Computer, Control Panel, etc.). This does not happen in Safe Mode. Turning off everything using MSConfig does not change this behaviour in regular mode. I believe my explorer.exe is hooked, but I don't know how to verify that nor how to fix it if it is. If anyone could please help, it would be greatly appreciated.

    Thanks in advance.

    Troy K.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an ATTACHMENT.
    All instructions are covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting


    Now post a Hijack This log as an ATTACHMENT to your message (Do NOT copy/paste the log into your post). Please close unnecessary running programs before you run HijackThis. You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc.

    DO NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. TroyK

    TroyK Private E-2

    The log is attached.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is this log from Safe Mode?
     
  5. TroyK

    TroyK Private E-2

    No, regular boot.
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Very few processes running just making sure. Please allow me a moment to post you a fix.
     
  7. TroyK

    TroyK Private E-2

    Yes, very little running. I tried to get as simple an environment as possible via msconfig - everything is unchecked (diagnostic startup).
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Enable ALL of the startup items in MSCONFIG, BUT DO NOT REBOOT!

    Choose NO when it asks to reboot!

    Then scan with HJT and attach the new log so we can get those old baddies out of the startup!
     
  9. TroyK

    TroyK Private E-2

    New log file attached.
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://texags.com/main/main.asp

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O1 - Hosts: 192.9.200.5 192.9.200.5
    O1 - Hosts: 192.9.200.5 192.9.200.5

    O2 - BHO: (no name) - {50192F5F-08EC-17FB-E678-BCD4CD0E22FD} - C:\WINNT\fiju.dll (file missing)
    O2 - BHO: ServerSide - {7FC56022-4EDA-472E-8830-7CA92CCBD025} - C:\Program Files\NetMeeting\SS\ServerSide.dll (file missing)
    O2 - BHO: KGhost - {968BC8A3-7660-4B12-B2BF-3334775835E1} - C:\Program Files\NetMeeting\KG\KGhost.dll
    O2 - BHO: (no name) - {A9576D42-D2F9-EA7B-D34E-FC1DF61840B6} - C:\WINNT\system32\ypumdgv.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

    O4 - HKLM\..\Run: [SStb.exe] C:\WINNT\SStb.exe
    O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
    O4 - HKLM\..\Run: [QBRSR] C:\WINNT\QuickBrowser.exe
    O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe

    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)


    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\NetMeeting\KG ←–– Delete this whole folder if it exists!

    C:\WINNT\system32\ypumdgv.dll

    C:\WINNT\SStb.exe

    C:\WINNT\QuickBrowser.exe

    C:\WINNT\system32\msmc.exe



    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows, scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
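The fix list above is built from a handful of recurring patterns in the HJT log: registrations whose target file no longer exists ("(file missing)" / "(no file)"), BHOs with no name, hosts entries that map an address to itself rather than to a hostname, Run entries that launch an unqualified name or a binary dropped straight into the Windows root, and IE search settings blanked to about:blank. As an added example (not code from the thread, from MajorGeeks or from HijackThis), the following Python script parses HJT-style lines into structured records and flags those patterns. The rule set, the function names and the sample log are the editor's own; the sample reuses entries quoted in the post plus two benign lines for contrast.

```python
r"""Triage helper for HijackThis (HJT) log lines.

Added example, not code from the thread or from HijackThis. The heuristics are
the editor's own first-pass triage rules, modelled on the kinds of entries the
moderator picked out: orphaned registrations, unnamed BHOs, malformed hosts
entries, Run entries with unqualified or Windows-root paths, blanked IE search
settings. They are a triage aid, not a verdict: a tidy-looking path such as
C:\WINNT\system32\msmc.exe only stands out when matched against known-bad
names, which is why the moderator's explicit list still matters.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Line shapes as HJT 1.99 prints them.
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<addr>\S+)\s+(?P<name>.+)$")
WIN_ROOT_RE = re.compile(r"^[A-Za-z]:\\(WINNT|WINDOWS)\\[^\\]+$", re.IGNORECASE)

# Constructed sample: entries quoted in the thread plus two benign lines for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://texags.com/main/main.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O1 - Hosts: 192.9.200.5 192.9.200.5
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {A9576D42-D2F9-EA7B-D34E-FC1DF61840B6} - C:\WINNT\system32\ypumdgv.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [ssqb.exe] ssqb.exe
O4 - HKLM\..\Run: [SStb.exe] C:\WINNT\SStb.exe
O4 - HKLM\..\Run: [msmc] C:\WINNT\system32\msmc.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    code: str    # HJT section code, e.g. "O2"
    reason: str  # why the line deserves a second look
    line: str    # the original log line


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def _first_token(cmd: str) -> str:
    """Executable part of a Run value; a quoted path keeps its spaces."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else cmd


def triage_line(line: str) -> list[Finding]:
    """Return zero or more Findings for one HJT log line."""
    line = line.strip()
    m = HJT_LINE.match(line)
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    reasons: list[str] = []
    # A registration whose target is gone is residue of something that was
    # there; HJT can remove the dangling entry even though no file remains.
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        reasons.append("orphaned registration: target file absent")
    if code.startswith("R") and body.endswith("= about:blank"):
        reasons.append("blanked IE search/start setting (hijacker residue)")
    elif code == "O1":
        h = HOSTS_RE.match(body)
        if h and (_is_ip(h.group("name")) or h.group("name") == h.group("addr")):
            reasons.append("hosts entry has no hostname (address mapped to an address)")
    elif code == "O2":
        b = BHO_RE.match(body)
        if b and b.group("name") == "(no name)":
            reasons.append("unnamed BHO")
    elif code == "O4":
        r = RUN_RE.match(body)
        if r:
            exe = _first_token(r.group("cmd"))
            if "\\" not in exe:
                reasons.append("Run entry with unqualified path (resolved via PATH, cannot be audited)")
            elif WIN_ROOT_RE.match(exe):
                reasons.append("Run entry launching a binary from the Windows root directory")
    return [Finding(code, reason, line) for reason in reasons]


def triage(log_text: str) -> list[Finding]:
    """Triage a whole log; lines matching no rule produce no Finding."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        findings.extend(triage_line(raw))
    return findings


def flagged_lines(log_text: str) -> list[str]:
    """Distinct lines with at least one Finding, in log order."""
    seen: set[str] = set()
    out: list[str] = []
    for f in triage(log_text):
        if f.line not in seen:
            seen.add(f.line)
            out.append(f.line)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run it on a saved HJT log (for example `python hjt_triage.py`, the filename being an assumption) and compare the flagged lines with the moderator's list: the script reproduces every O1, O2, O9 and about:blank entry above and two of the four O4 entries, but says nothing about `C:\WINNT\system32\msmc.exe` or `C:\WINNT\QuickBrowser.exe`, because a plausible path under system32 or a benign-sounding name carries no structural tell. Those still need a known-bad list or a hash lookup, which is the gap a human analyst fills.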
  11. TroyK

    TroyK Private E-2

    When I logged back on, an error that I was getting previously returned. svchost.exe has generated errors and will be closed by Windows. This went away when I turned everything off using msconfig, so I can probably find it by process of elimination. As far as the Explorer! box, it is gone!!! Thanks so much. I have not checked Windows Update yet (it was not previously working), but I will try it now. Here is the HJT log file generated after the most recent boot...
     


  12. TroyK

    TroyK Private E-2

    Just as an FYI, the cause of the svchost crash was a service called iprip, which is a backdoor Trojan horse that allows unauthorized access to your computer (Backdoor.Portless). This has been fixed. Thanks again for your wonderful help. Maybe I can contribute someday.

    Troy Kelso, MCSE
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do another scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)


    Again, make sure All Browser Windows are Closed when you Click FIX.


    Reboot and see if the problem still exists.
     
