explorer.exe ?!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Rin, Jan 11, 2008.

  1. Rin

    Rin Private E-2

    Hello everybody,
    In the last 2 weeks I'm having a strange problem,
    "My Computer" is getting opened all the time; when I close it, it pops up again.
    Sometimes it does the same thing for "My Desktop".

    When I watch a video in Windows Media Player in full screen view, "My Computer" pops up and Windows Media Player shows:

    "lost focus to explorer.exe"

    I have tried Ad-Aware, Stinger, Spy Sweeper, many programs, many scans, and none
    of them helped find anything / fix my problem, except for one program that I don't remember the name of that found a "msg.msconfig" (something like that) problem.

    I have also tried to search Google for a solution and didn't find anything related to the same problem I have.

    I have Windows XP SP2 with the latest updates, NOD32, scanning with Ad-Aware almost every day. I didn't install any new drivers.

    Please help, thanks ;)
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

  3. Rin

    Rin Private E-2

    files attached
     

  4. Rin

    Rin Private E-2

    Another 2 problems appeared:
    1) Internet Explorer opens itself to a blank page every X time too.
    2) A file named EXPLORER.EXE-082F38A9.pf has been found in
    C:\WINDOWS\Prefetch
    3) The same problem is in Safe Mode too

    I can't watch videos or do Word work, it's so annoying, thanks again
     
  5. abri

    abri MajorGeek

    Hi Rin,

    Please follow the link in Halo's post to our procedures so that we can help you. It's normal to have an explorer entry in your prefetch. It would be very bad, I think, for you to begin making repairs yourself without some advice. Internet Explorer will open to a blank page until it's been set properly. If there is malware interrupting the settings, then the malware has to be removed first; however, we can only instruct you how to do this if we can see your logs.

    Thanks.
    abri
     
  6. Rin

    Rin Private E-2

    Hey abri, I have posted logs if you missed it.
    I followed "READ & RUN ME FIRST. Malware Removal Guide"; I did many scans with as many programs as you can find in the guide, and removed all the "trojans" they found, and scanned even more than once with some of them.

    Nothing gave me a good result; even in SAFE MODE the problem is appearing.

    Sometimes it opens Desktop / Internet Explorer (never happened before) too,
    and "My Computer" keeps opening non-stop; even when it's open it's still annoying.

    It has something to do with explorer.exe. I somehow got it infected, or something else. When I watch a video in full screen, then when My Computer pops up, the media player says in the corner of the program
    "Lost Focus to explorer.exe"

    Well, I hope I won't have to do a Format.
    Thanks again :)
     
  7. abri

    abri MajorGeek

    Hi Rin,
    sorry, things are a little hectic here. Please begin by rerunning AVG Antispyware, only this time have it fix everything it finds. There's a trojan there it should be able to get rid of for starters. I'll look at the rest of your logs and see if there are other problems.
    abri
     
  8. abri

    abri MajorGeek

    Hi Rin,

    Adding to my last post:

    1) Your msconfig is not set to normal startup mode. Please go to Start / Run and type in msconfig. In the box that opens up, please check normal system start, accept and okay.

    2) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')

    Do the following belong to programs you know or want to keep? If not, please fix them as well.

    O16 - DPF: {988E213A-89C7-4C4E-B15F-5B7EDA2C34C0} (GenimoWebGames Control) -

    After you click fix, just close hijackthis.

    3) Then run GetLogs.bat which you will find in the folder C:\MGTools. After you run GetLogs.bat by double clicking on it, please attach the new log. The log is called MGlogs.zip and is located among the files directly under C:\

    4) When you finish, please attach the MGlogs.zip with your next post.

    abri
     
  9. Rin

    Rin Private E-2

    Hi abri, first I want to thank you for your time,

    * I did more than 3+ scans with AVG Anti Spyware and deleted all the "Infections" it found. (Delete is better than Quarantine, right?)

    1) Msconfig - I changed it on purpose, to free more RAM and to cancel unneeded programs.

    2-3-4) Done, file attached
     

  10. abri

    abri MajorGeek

    Hi Rin,
    It's necessary that you change your msconfig to normal system start so that the startup items will show up in HijackThis. Please change it and rerun the MGlogs.bat one more time and attach the MGlogs.zip
    Thanks.
    abri
     
  11. Rin

    Rin Private E-2

    OK buddy, here is the log with msconfig on normal startup

    For now "My Computer" hasn't shown up yet; sometimes it takes off for a while and comes back. Well, I hope it'll be gone forever :)
     

  12. abri

    abri MajorGeek

    Thank you Rin,

    I don't see any further signs of malware. Your computer is very vulnerable without the Windows updates. I recommend biting the bullet and grabbing a copy of XP Pro on eBay while they are still around. If you find that the MyDocuments starts popping up again, it would be a good idea to go to Alternate Scans and run some of the rootkit scans.

    Here are a few final instructions and I'll give you the final cleanup instructions as well.

    1) Go to add/remove programs and uninstall the below:

    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1


    2) Reboot after uninstalling the above.

    3) Install the current version of Sun Java from: Sun Java Runtime Environment


    4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    Do you know what the following is? If not, fix it as well.
    O17 - HKLM\System\CCS\Services\Tcpip\..\{9896CC6B-14DD-4F58-9625-5F3DBA929203}: NameServer = 62.219.186.7 192.117.235.235
    O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll

    After you click fix, just close hijackthis.

    And now, if your computer is running okay, these are the final cleanup instructions:
    abri
     
  13. Rin

    Rin Private E-2

    Hey abri,

    Well, I'm not a fan of buying legal things :D

    I wasn't home much, but the "My Computer" issue has opened only once since last time (a few mins ago) I did the thing you told me.
    The frequency has decreased a lot thanks to you.

    Well, I did the new things you told me (1 ... 4),
    but still I'm not 100% sure that the issue is gone; only time will tell
    the new effects of the FIX(s).

    I have attached another log, MGlogs.zip

    A few questions:
    Can I change msconfig to cancel annoying programs?
    And what is C:\Windows\system32\PnkBstrA.exe? (from HijackThis)
    And what is C:\Windows\system32\cftmon.exe? (from msconfig)

    ?!?!???
    Why remove
    O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
    ??????????????????????????
    I almost formatted!

    Thanks again
     

  14. abri

    abri MajorGeek

    It's important to understand the logic underlying illegal software so you know why it's more vulnerable. Anyone anywhere in the world can do anything they want to your computer, steal your personal information, your passwords, etc. and you will never report them. Basically you give up your rights to a society governed by rules and go along with one that is governed by thugs and criminals.

    You should never be using Selective Startup mode except for when you are doing temporary debugging of problems.

    How to deal with startup processes.
    • First, you should uninstall any software that you do not use.
    • Second, if you have processes still trying to load at startup even though you have uninstalled them, you can simply use HijackThis to easily remove the startup entry. That way you will not have to manually edit the registry.
    • Third, for software you do not want to uninstall but you don't want it to load at startup, look in the program for an option not to load when Windows starts and disable it this way. If you cannot find an option like that, you have two possible actions:
      • if you never want it to load at startup, use HJT to permanently remove the startup entry.
      • if you sometimes want it to load at startup, use a program like Startup CPL to enable or disable it as you see fit.

    It's okay. It's from PunkBuster, which is used by gaming servers.

    Is your post a typo? It should be ctfmon.exe. If so, it's a valid Windows file used with Office. The following article shows how to disable it.

    OFFXP: What Is CTFMON and What Does It Do? (Q282599)

    abri
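To review the same locations that the HijackThis O4, O20 and O17 lines in this thread are read from, here is a read-only PowerShell listing added as an example (it is not part of the thread, of MGtools or of HijackThis); it assumes an elevated Windows PowerShell prompt, reports entries for review and fixes nothing.

```powershell
# Added example (not from the thread or from HijackThis): list the registry
# locations behind the O4 (Run/RunOnce), O20 (Winlogon Notify) and O17 (NameServer)
# lines so that entries such as a per-user RunOnce or a Notify DLL can be reviewed
# before anything is "fixed". Read-only; run from an elevated Windows PowerShell
# prompt so every hive loaded under HKEY_USERS is visible.

$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RunEntries {
    # O4: Run and RunOnce values for HKLM, HKCU and every hive under HKU
    # (HKU\S-1-5-18, S-1-5-19, S-1-5-20 are SYSTEM, LOCAL SERVICE, NETWORK SERVICE)
    $roots = @('HKLM:\', 'HKCU:\') +
             @(Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)\" })
    foreach ($root in $roots) {
        foreach ($sub in 'Software\Microsoft\Windows\CurrentVersion\Run',
                         'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
            $key = "$root$sub"
            if (-not (Test-Path $key -ErrorAction SilentlyContinue)) { continue }
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -in $psMeta) { continue }   # skip PowerShell's own provider fields
                [pscustomobject]@{ Section = 'O4'; Location = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

function Get-WinlogonNotify {
    # O20: DLLs registered under Winlogon\Notify (an XP-era key; often absent on newer Windows)
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $notify)) { return }
    foreach ($k in Get-ChildItem $notify) {
        $dll = (Get-ItemProperty -Path $k.PSPath).DLLName
        [pscustomobject]@{ Section = 'O20'; Location = $k.PSChildName; Name = 'DLLName'; Value = $dll }
    }
}

function Get-NameServers {
    # O17: statically configured DNS servers, one value per network interface GUID
    $ifaces = 'HKLM:\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($k in Get-ChildItem $ifaces) {
        $ns = (Get-ItemProperty -Path $k.PSPath).NameServer
        if ($ns) {
            [pscustomobject]@{ Section = 'O17'; Location = $k.PSChildName; Name = 'NameServer'; Value = $ns }
        }
    }
}

# One table of everything; check each line against what the named program's vendor
# actually installs before deciding whether an entry should be removed.
& { Get-RunEntries; Get-WinlogonNotify; Get-NameServers } | Format-Table -AutoSize -Wrap
```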
     
  15. Rin

    Rin Private E-2

    Hi abri ,

    * How am I more vulnerable than others? Do you say that everyone that
    uses illegal software is more vulnerable than others?
    I have the latest Windows Updates.
    Because I won't report them?
    Perhaps what I need is a good firewall.


    * Can you please explain to me why never to use Selective Startup mode? What
    is the risk?

    * My issue disappeared for a few days until I had an electrical power interruption
    and then it came back somehow. ("My Computer" opens non-stop)
    I'm doing scans again and attached the MGlogs.zip file again.
    I'll try to do the same steps you guided me through before, but please also look
    again at my problem.

    * btw, O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll is the hack/crack that disables activation for Windows.

    Thanks again, waiting for your response.
     

  16. abri

    abri MajorGeek

    antiwpa.dll <-- yes, I know what it is
    My point is that when you use illegal software, you make yourself a target for anyone who wants to do anything illegal to you, because they know that you can't report it.

    Yes, you need a firewall. In fact, this might help you more than anything else, because I didn't really fix anything. Check the How to Protect Yourself from Malware. Zone Alarm is somewhat easier to use than Comodo.

    I don't see your Windows updates. Did you change your logs?

    Selective mode simply means you keep all kinds of stuff in your startup menu which could be gotten rid of using a program like I mentioned in post 14. If it isn't needed at startup, why keep it in there? Getting it out of the start menu doesn't mean getting rid of it altogether.

    I'm not sure what to advise you about the pop-up problem. It's possible that it's in the crack itself. You might try uploading that one file to one of the following and see what they come up with: jotti, VirusTotal, virus.org, Kaspersky or viruschief. Let me know the results.

    abri
     
