Help Me two instances of Explorer :(

Status
Not open for further replies.

saurabh kakkar

D i s t i n c t l y Ahead
Two instances of explorer.exe are running on my computer. Kaspersky and NOD32 are unable to show any virus on my system.
My system is running very slow.

This is my HijackThis log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:08:37 kakkar, on 3/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\cisvc.exe
D:\WINDOWS\system32\inetsrv\inetinfo.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\tcpsvcs.exe
D:\WINDOWS\System32\snmp.exe
D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\WinRAR\WinRAR.exe
D:\DOCUME~1\saurabh\LOCALS~1\Temp\Rar$EX00.109\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = sa
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - D:\Program Files\IEPro\iepro.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Encarta &Definition - http://encarta.msn.com/encnet/features/dictionary/quickDictionary.htm
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - D:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - D:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL...-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92TNSListener - Unknown owner - D:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceSK - Oracle Corporation - d:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4246 bytes

Help me
 

Cool Buddy

Wise Old Owl
Close all folders/My Computer/My Documents that are open and see it then. If it shows only one instance, then open My Computer. Go to Tools > Folder Options. Go to the View tab and uncheck "Launch folder windows in a separate process". You are done.

If this is not the case, I can't help.
 

i dont exist

^^^^^^^^^
Infection Method
The dlder.exe spyware file, also functioning as a trojan dropper, is installed by Grokster (1.33), Bearshare (2.4.0b7), LimeWire (2.02), Net2Phone (unspecified versions) and KaZaA (unspecified versions). It may have also been installed by some versions of BonziBUDDY, but this has not been confirmed. The dlder.exe file is normally written to C:\Windows\dlder.exe. According to multiple sources, the user is asked whether or not they wish to install the "ClickTillUWin" component (carrier of the dlder.exe trojan), but the component may be installed even if the user chooses "NO".
Upon installation, the dlder.exe trojan first connects to the web site www.2001-007.com and transmits data, including a GUID, the user's IP address and browser version. According to this site (Spanish), the request is in the form: http://www.2001-007.com/index.asp?UserURL=GET+/&User_IP=127.0.0.1&userid=127&User_Browser=IE . This URL returns a numeric value that appears to count the number of unique installations.
The dlder.exe software then downloads and installs a trojan file named Explorer.exe from the same site, to C:\Windows\explorer\Explorer.exe (do not confuse this with the required Windows file explorer.exe, located at C:\Windows\explorer.exe). The dlder.exe file then places a Run key in the Registry so that the new Explorer.exe trojan runs at startup.
The dlder.exe trojan will also add a Registry key, HKLM\SOFTWARE\Games\Clicktilluwin
source
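
Added example, not part of the original thread: a check for the point the quoted write-up makes, that the trojan runs as Explorer.exe from a subfolder while the real shell runs from the Windows directory itself. The sample log is constructed (the `explorer\Explorer.exe` entry is inserted for illustration), and inferring the Windows directory from the smss.exe entry is an assumption of this example.

```python
import ntpath

# Constructed sample in HijackThis "Running processes" format (not the poster's log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\cidaemon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\explorer\Explorer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
"""

def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths

def windows_root(paths):
    """Assumption: smss.exe runs from <Windows dir>\\System32, so its grandparent is the root."""
    for p in paths:
        n = ntpath.normcase(p)
        if n.endswith("\\system32\\smss.exe"):
            return ntpath.dirname(ntpath.dirname(n))
    return None

def audit_explorer(log_text):
    """Split explorer.exe entries into those at the expected path and those elsewhere."""
    paths = running_processes(log_text)
    root = windows_root(paths)
    expected = ntpath.join(root, "explorer.exe") if root else None
    hits = [p for p in paths if ntpath.basename(ntpath.normcase(p)) == "explorer.exe"]
    # If the root could not be inferred, every hit is reported for manual review.
    suspicious = [p for p in hits if ntpath.normcase(p) != expected]
    return {"expected": expected,
            "legit_instances": len(hits) - len(suspicious),
            "suspicious": suspicious}

if __name__ == "__main__":
    print(audit_explorer(SAMPLE_LOG))
```

In the log posted at the top of the thread, both Explorer.EXE entries are at D:\WINDOWS\Explorer.EXE, so this check would count them as two instances at the expected path and report nothing under `suspicious`.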
 