explorer.exe will not stay on

Discussion in 'Malware Help (A Specialist Will Reply)' started by dr2391, Dec 28, 2007.

  1. dr2391

    dr2391 Private E-2

    My explorer.exe won't stay on, and I think it has something to do with a file named rqoll.dll, and I can't delete it. What should I do?
     
  2. abri

    abri MajorGeek

    Hi dr2391!
    Welcome to Major Geeks.


    Please run Combofix as per the instructions below. After you finish Combofix, please follow the instructions in the READ & RUN ME FIRST taking care to note those which are specific to your operating system. When you come to Combofix, you do not need to run it a second time. After you finish, please attach the requested logs to your next post.

    Run this utility:
    You will need to attach the following logs:

    - Combofix
    - AVG Antispyware
    - MGlogs.zip

    abri
     
  3. dr2391

    dr2391 Private E-2

    OK, here are the logs. Hope I did everything right.
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi dr2391!

    Please do not use your computer at all right now. Especially, do not reboot.
    Thanks.
    abri
     
  5. abri

    abri MajorGeek

    Hi dr2391!

    There are a number of things to fix on your computer. Your Combofix log shows the newest form of Vundo for which there is a recent tool. This will take several steps to do this. Please begin with the following:
    • Download RenV.exe from the following link and save it to the Desktop (it must be on the Desktop)
    • Doubleclick RenV.exe
      • When finished, it will produce a new log named Log.txt on the Desktop.
      • Attach this log to your next reply.
    After you attach the Log.txt to your next reply here, please continue with the instructions below the line:

    -------------------------------------------------------------------------------------------------------------------------------------------------------------
    And now to continue...

    1)
    First a question:

    What antivirus are you using? There is a McAfee folder in your logs here:
    C:\Documents and Settings\All Users\Application Data\McAfee
    and you also have two Symantec entries in your hijackthis log. It's important to remove all the files of whatever resident antivirus you are NOT using so it won't interfere with the one you are using. For both of these companies, there are special removal tools:

    Norton Removal Tool (SymNRT)

    McAfee Consumer Product Removal Tool (SymNRT)


    3) A second question:
    Is your Spyware Doctor a trial version or a paid version? If it's a trial version, please remove it via add/remove programs if possible.

    4) The following folder appears in your Combofix log.

    C:\WINDOWS\system32\…Drivers

    Please look and see if that folder is there. Since it begins with three ...'s, it will not be in the usual place alphabetically. If you find it, please open it, but click on any of the files and tell me what is in it.

    5) Next, please go to add/remove programs and uninstall the below:

    - Viewpoint Media Player
    - Java 2 Runtime Environment, SE v1.4.2_11
    - Java(TM) 6 Update 2
    Also, I recommend removing SpywareBot.


    6) Next I would like for you to run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now!!

    O2 - BHO: (no name) - {35B44AED-1A7A-4117-9F46-4D59FC6925E2} - C:\WINDOWS\system32\rqoll.dll
    O2 - BHO: (no name) - {E0A98C4F-66DB-3A0C-DA5D-3AE677880D95} - C:\WINDOWS\system32\pszqpemt.dll (file missing)
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

    After you click fix, just close hijackthis.

    7) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger


    8) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) If Avenger did not run for any reason, please make sure to reboot before continuing with this step, which is to install the current version of Sun Java from: Sun Java Runtime Environment


    8) Now download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    9) And finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    Let me know how things are running now?

    abri
     
  6. dr2391

    dr2391 Private E-2

    Here's my log from RenV, and I will start on the rest and let you know how it goes.
     

    Attached Files:

    • Log.txt
  7. dr2391

    dr2391 Private E-2

    OK, here you go.

    1st: Right now I'm using AVG antivirus. I used to have both Norton and McAfee, but they took up all my CPU, so I uninstalled them. I used both removal tools just now.

    2nd:

    3rd: Spyware Doctor is the paid version.

    4th: I found a folder under system32 that was named adirvers, and all that was in it was another folder called winxp, which was empty.

    5th: Done.

    6th: Done.

    7th: I do use Windows Live Messenger. Is it necessary to uninstall?

    I did the rest of the steps too. My explorer.exe is staying on now, and my comp seems much better. I attached the logs that you wanted. I also have another computer that is running really slow, slower than this one, and this one is 700 MHz I think and that one is 2 GHz I think, so what logs would you need from that one?

    I really want to thank you sooo much for helping me out. I was about ready to reformat this comp, and that would have been a huge pain since my 120 GB hard drive is almost full and I wouldn't have anywhere to put it all. But thanks for all your help.
     

    Attached Files:

  8. abri

    abri MajorGeek

    Hi dr2391!
    We have a ways to go yet.

    1) Windows Live Messenger is not Windows Messenger. Windows Messenger (msmsgs) is a program used for internal communications within a network. Since it has a similar name to msn messenger and windows live messenger, it's often considered to be one and the same as the others. However, it's not. It's rarely used and it is an entry point for malware. Using the removal tool I listed in step 7 won't do anything to your Windows Live Messenger.

    2) Next, please go to Start / Run and type in msconfig. Set your startup to normal startup mode.

    3) Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    4) And finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    There are a few more entries that we need to take care of, but I need the fresh logs made after your computer is in normal startup mode.

    Thanks.
    abri
     
  9. dr2391

    dr2391 Private E-2

    I can't run msconfig. It says it cannot find it.
     
  10. abri

    abri MajorGeek

    Hi dr2391,

    Please be very careful with your computer right now. Use it as little as possible. Try to avoid booting, because new files are often created at boot-up. At least nine of your programs are infected. Because you can't get to msconfig, it's not possible to know which other ones may be as well. The reason you can't find msconfig is because your registry tools have been disabled.

    I will get back to you asap.

    abri
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure if the below patch will get applied due to your registry editing permissions issue but it is worth a try.


    Copy the bold text below to notepad. Save it as fixMSC.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Did you get a success message? If not, do not continue on to the below. If you did get a success message then continue.

    Now reboot! (I know Abri said not to, but you need to see if the above patch worked.)

    After reboot, can you run MSconfig now from the Start, Run box.
     
  12. dr2391

    dr2391 Private E-2

    No, that didn't work, but then I remembered that when I was running AVG antivirus it found a virus in msconfig, so it put it in the virus vault. I restored it and now I can use it, but I don't know if that was a good idea since it has a virus in it.
     
  13. abri

    abri MajorGeek

    Hi dr2391,

    What name did AVG give to the virus it put into the virus vault?

    Please go ahead and set msconfig to normal mode.

    Next go back to post #5 and redo the RenV instructions which will produce a log called Log.txt on the desktop.

    Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip together with the log from the RenV scan (Log.txt). The MGlogs.zip will be directly under C:\

    Have you had any messages that your administrative capabilities are restricted?

    Please do not do anything further until I can look at these two sets of logs.
    Thanks.
    abri
     
  14. dr2391

    dr2391 Private E-2

    Here are the logs.
     

    Attached Files:

  15. dr2391

    dr2391 Private E-2

    Here's the Avenger log.
     
  16. dr2391

    dr2391 Private E-2

    Here's the RenV log.
     

    Attached Files:

    • Log.txt
  17. abri

    abri MajorGeek

    Hi Dr2391!


    1) If the following folder is empty, please delete it.

    C:\WINDOWS\system32\ADRIVERS


    2) Where did this link come from? Did you create it?

    C:\Documents and Settings\David\My Documents\My Sharing Folders.lnk


    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F3 - REG:win.ini: load=C:\WINDOWS\system32\rqoll.exe
    O2 - BHO: (no name) - {35B44AED-1A7A-4117-9F46-4D59FC6925E2} - C:\WINDOWS\system32\rqoll.dll (file missing)
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


    After you click fix, just close hijackthis. Do not reboot your computer.


    4) Now scan your computer with your AVG antivirus again and have it put the infected msconfig back into the vault. If you can scan only that file/folder that was infected, this will save you some time. At this time, you have two msconfigs of different sizes. Both are located in the pathways shown below. I would like to know which one AVG lists as having a virus. If it is the 2nd one, this will be helpful in locating the rest of the infected files in your computer. Please have it re-quarantine the bad file, whichever one it is. Once you've done this, please try your msconfig again and see if you can still do Start / Run / msconfig and get into that menu.

    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe



    3) Now, please run Combofix and C:\MGtools\GetLogs.bat again and attach the logs with your next post. The MGlogs.zip will be directly under C:\

    Do not reboot your computer. Let me know how this went.
    abri
     
  18. dr2391

    dr2391 Private E-2

    The My Sharing Folders link is part of Windows Live Messenger.

    It was the 2nd msconfig that was infected, and AVG automatically deleted it, and I can still run msconfig.
     

    Attached Files:

  19. abri

    abri MajorGeek

    Hi dr2391!

    I think we're getting somewhere.

    1) Please run Avenger again as per the instructions in post #5 only use the contents of this box this time:
    2) After Avenger runs, please run ATF Cleaner again (also in post #5).

    3) After you've completed the above two steps, I would like for you to run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    4) Once you've attached the above log, I would like to ask you to run your AVG antivirus on specific folders. (Please note the space preceding the .exe in each of the following files. To avoid missing copies of multiple .exe files, please have AVG scan the folder in which the .exe files are located. In that way, it will scan both the file in the list below and any similar files that may have multiple spaces before the .exe or no spaces at all.) If AVG antivirus finds something infected, have it QUARANTINE but NOT DELETE whatever it finds.
    Code:
    C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater .exe
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray .exe
    C:\Program Files\iTunes\iTunesHelper .exe
    C:\Program Files\RapidCheck\RapidCheck .exe
    C:\Program Files\RCrawler\RCrawler .exe
    C:\Program Files\Spyware Doctor\SDTrayApp .exe
    C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
    C:\Documents and Settings\David\My Documents\Windows_WDM_6.09.07_W2KXP_DFV\sm56hlpr .exe
    C:\WINDOWS\system32\cmd.exe
    5) After you complete the above, please let me know if AVG antivirus found anything!


    Thanks.
    abri
     
  20. dr2391

    dr2391 Private E-2

    Here are the logs.
     

    Attached Files:

  21. dr2391

    dr2391 Private E-2

    AVG did not detect anything in those folders. I don't know if it will help, but I attached the AVG virus vault log; you might want to look at the infected files.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is in the below folder?
    C:\Install

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
    O4 - HKCU\..\Run: [Esss] "C:\DOCUME~1\David\APPLIC~1\WNSXS~1\netdde.exe" -vt yazb

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    NOTE: Many of the below items I'm fixing with Avenger may no longer exist since Abri had you fix them already, but since I'm trying to jump in here much later I just need a reference point to be sure all have been removed.

    Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Code box below (just hold your mouse down while selecting and scrolling thru it), and paste it in the box that opens on Avenger:
    Code:
    Files to delete:
    C:\Documents and Settings\David\Start Menu\Programs\Startup\findfast      .exe
    C:\Documents and Settings\David\Start Menu\Programs\Startup\findfast     .exe
    C:\Documents and Settings\David\Start Menu\Programs\Startup\findfast    .exe
    C:\Documents and Settings\David\Start Menu\Programs\Startup\findfast   .exe
    C:\Documents and Settings\David\Start Menu\Programs\Startup\findfast  .exe
    C:\Documents and Settings\David\Start Menu\Programs\Startup\findfast .exe
    C:\Documents and Settings\David\Start Menu\Programs\Startup\findfast.exe
    C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job
    C:\Program Files\.autoreg
    C:\Program Files\SpywareBot\SpywareBot.exe
    C:\Program Files\QuickTime\qttask   .exe
    C:\Program Files\QuickTime\qttask     .exe
    C:\uxml.exe
    C:\fjls.exe
    C:\WINDOWS\mrofinu72.exe.tmp
    C:\WINDOWS\000001_.tmp
    C:\WINDOWS\shell.exe
    C:\WINDOWS\shell .exe
    C:\WINDOWS\system32\drvkum.dll
    C:\WINDOWS\system32\lloqr.ini
    C:\WINDOWS\system32\lloqr.ini2
    C:\WINDOWS\system32\ndaTqsVqrX.dll
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\system32\pszqpemt.dll
    C:\WINDOWS\system32\spoolvs.exe
    C:\WINDOWS\system32\rqoll.dll
    C:\WINDOWS\system32\vvvyb.bak1
    Folders to delete:
    C:\Documents and Settings\David\Application Data\SpywareBot
    C:\Program Files\SpywareBot
    C:\WINDOWS\RGF2aWQgUmljaGFyZA
    C:\WINDOWS\ppqvmpqr
    
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Now also run C:\MGtools\VunFind.bat by double clicking on it. Please be patient, VunFind.bat takes awhile to run because it scans thru all folders on your harddrive. When it finishes, attach the new C:\MGlogs.zip file that will be created. Also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  23. dr2391

    dr2391 Private E-2

    Here are the logs.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question about what is in the C:\Install folder.

    Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Code box below (just hold your mouse down while selecting and scrolling thru it), and paste it in the box that opens on Avenger:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    • Run C:\MGtools\GetLogs.bat by double clicking on it.
    • Run C:\MGtools\VunFind.bat by double clicking on it.
    • Attach the below new logs:
      • C:\MGlogs.zip
    Please tell us how everything is working now! If you don't answer our questions we will have to assume everything is fine.
     
    Last edited: Jan 4, 2008
  25. dr2391

    dr2391 Private E-2

    Hey, sorry it's taking me so long. I've been really busy. I'll try what you said and let you know ASAP.
     
  26. abri

    abri MajorGeek

    Waiting with bated breath!
     
  27. dr2391

    dr2391 Private E-2

    When I ran Avenger it said "error: selected file does not appear to be a valid script."
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the Avenger fix a line saying Files to delete was missing. I just edited the fix. Please repeat it.
     
    Last edited: Jan 4, 2008
  29. dr2391

    dr2391 Private E-2

    I didn't find a folder named Install, but there was a file named that. And the explorer.exe thing is fixed, but the computer is running pretty slow.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. You're right, it is a file. Please delete that file.


    Your logs are clean. I'm not sure what aspect of using your computer is slow. What exactly are you referring to? Booting? Surfing? General usage? Are you using a dialup connection?

    Don't run/load software that you don't need, especially full time, like Ares and BitTorrent. Why do you allow these to always load at startup and be running? First, it is not safe, and second, it is a waste of system resources.

    Also why do you need the below to be running?
    O4 - HKLM\..\Run: [Registry Crawler] C:\PROGRA~1\RCrawler\RCrawler.exe -TRAYONLY
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKCU\..\Run: [RapidCheck] C:\Program Files\RapidCheck\RapidCheck.exe
    O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun


    And the below items can be fixed with HijackThis as they are not necessary.
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
     
    Last edited: Mar 10, 2008
  31. dr2391

    dr2391 Private E-2

    OK, I deleted the Install file and I used HijackThis to delete the 6 files you showed me. I used to have Ares and BitTorrent, but I uninstalled them a while ago; I did see them in HijackThis, so I deleted them too. And about my computer being slow, it's general usage, and I have high-speed 3 Mbps DSL. Sometimes I will have 1 Internet Explorer open and that will take 80%-90% of my CPU. Oh, and for some reason the clock changed to the 24-hour clock and I don't know how to change it back to the 12-hour one.
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can fix your clock from Control Panel ->Regional and Language Options and then on the Regional Options tab click the Customize button then on the next form click the Time tab. Then change the Time format to what you want. It explains there what the lower case and upper case letters will do. Upper case H is giving you 24 hour clock settings.


    I saw things in your log that seem to be referring to an analog modem. Like this:

    O4 - HKLM\..\Run: [SMSERIAL] C:\Documents and Settings\David\My Documents\Windows_WDM_6.09.07_W2KXP_DFV\sm56hlpr.exe

    If you don't need the above, then have HijackThis fix that line.


    For the slow problem and when you see Internet Explorer (or any other process) hogging CPU time. Use the below.

    Download ProcessExplorer
    • Unzip it to its own folder somewhere you can locate it.
    • Now run procexp.exe by double clicking on it.
    • Let's configure some options first:
      • Click View and select Show Lower Pane. And where it says "Lower Pane View" make sure DLL's is checked.
      • Now click on iexplorer.exe (or which ever process is the hog)
      • Now also under the View menu choose "Select columns" and put a check mark on "Image Path".
    • Now click on File and then Save As. And save the process list.
    • Post it back here as an attachment.
    Also please do the below so we can double check your current status and to see if any Vundo infected files are still hiding.
    • Run C:\MGtools\GetLogs.bat by double clicking on it.
    • Run C:\MGtools\VunFind.bat by double clicking on it.
    • Attach the new C:\MGlogs.zip file that will be created by the above
     
    Last edited: Mar 10, 2008
  33. dr2391

    dr2391 Private E-2

    Hi, my computer is doing it again. I don't know what I did.
     

    Attached Files:

  34. abri

    abri MajorGeek

    Hi dr2391,
    Welcome again :)

    Your computer is infected.

    1) If you have not already disabled your guest account, please do this now.

    2) Next go to add/remove programs and uninstall

    Viewpoint Media Player
    Java(TM) 6 Update 3

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {E218A98D-AEAF-466F-AB54-8185DC08A893} - C:\WINDOWS\system32\byvur.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
    O20 - Winlogon Notify: vtutuur - C:\WINDOWS\SYSTEM32\vtutuur.dll

    After you click fix, just close hijackthis.


    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    5) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip (can be found directly under C:\) along with the Avenger log.


    Let me know how things are running now?

    abri
     
  35. dr2391

    dr2391 Private E-2

    OK, first I can't get to Add/Remove Programs since explorer isn't working. Is there something I can type into the Task Manager under "New Task" to open it up?

    I did #3.

    For #4, an error came up saying that only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
     
  36. abri

    abri MajorGeek

    Did you get a log for Avenger even though those two have to be deleted a different way? I would like to see it.
     
  37. dr2391

    dr2391 Private E-2

    Here's the log. Explorer hasn't turned off yet, so I think that might have fixed it.
     

    Attached Files:

  38. abri

    abri MajorGeek

    Hi dr2391,

    Please do the following:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    I would like for you to run GetLogs.bat (in the MGTools folder under C) one more time and attach the MGlogs.zip to your next post. If those look okay, I'll have you run the final cleanup instructions again.

    3) I'm wondering why you got reinfected? Did you install the recommended software and follow the advice in the How to protect yourself from malware? Antivirus, Antispyware, Spyware Blaster, Windows Updates, two-way firewall, regular use of CCleaner to delete temp files?

    abri
     
