-
Explorer.exe disappears from process list
I just ran into that problem with the Spyaxe malware. I got it all fixed up but now I notice IE isn't displaying some sites without the www. prefix, and even some Javascript. Also, right after logon, the explorer.exe process disappears from the Task Manager. Any ideas?
This is what HiJackThis is saying, I'm not sure about that tcpR32.dll...
Logfile of HijackThis v1.99.1
Scan saved at 7:48:21 PM, on 26/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe
C:\Program Files\JetMailMonitor\JetMM.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
D:\Eric's Stuff\Windows Stuff\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe" /T
O4 - HKLM\..\Run: [svcchost.exe] C:\DOCUME~1\Eric\LOCALS~1\Temp\cdlfodjf.exe
O4 - Global Startup: jetMailMonitor.lnk = C:\Program Files\JetMailMonitor\JetMM.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135215286453
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tcpR32 - C:\WINDOWS\SYSTEM32\tcpR32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ccXgui - [XC]D-Ice - C:\Program Files\ccxgui\ccXservice.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
-
Ultimate Member
I can tell ya the prob here - believe it or not.
It's the lexmark printer services. They are goofed up and a ***** ts sort.
That's fer sure sure.
Also the email package and apache server look as though something is wrong.
No one does Hijack this log analysis here..
??? http://www.freewarefiles.com/program_5_58_1251.html ???
Wot u run no-ip for?
-
The Lexmark thing is running because I made the mistake of buying a Lexmark printer. And I run an Apache file server, as well as NO-IP because I don't like remembering my IP address.
-
Ultimate Member
HI. . U should be able to disable the Lexmark server jobbie in Administrative Tools > Services. If M$ Office is installed the fast find feature is probably enabled to no particular good end.
I'm pretty sure it's just a whacked install of the lexmark services, if ya don't need them maybe uninstall.
-
Extreme Member!
Lexmark blows. Sometimes they get lucky and make a decent printer, but their "PRINTING STARTED!" service is like fingernails on a blackboard. Kill eet!
-
Well, how could this relate to my explorer.exe disappearing?
-
Extreme Member!
If explorer.exe disappears, so would all icons and the taskbar. Does that happen?
-
Nope, Windows is still 100% functional, some things just kind of seem weird. For example, I had to use Firefox to simply sell an item on eBay, because IE couldn't display the pages properly; that has never happened before. Explorer.exe isn't even listed within process viewers that I downloaded, it's totally gone.
-
Extreme Member!
Explorer and Iexplore are very different. Which is it?
-
EXPLORER.EXE, look at my HiJackThis log.
-
http://2basic.ca/caught.JPG
Ok, this is odd. As soon as I logged in I opened the task manager and took a screenshot. That's when I found the problem: both the underlined application and explorer.exe disappear after boot. I searched for the file and found only a prefetch file, nothing on Google either. In terms of eliminating this, what kind of anti-virus software should I try? I'm currently using AVG.
-
I searched my PC for this cdlfodjf.exe file and found one in my temp file. But also, I found this log file, indicating that it seems to be tied to svchost.
"q-klez.log"
Q-Klez v1.20.9180
2006-01-26 23:11:24
Command line: kleztool.com /y /setup
Cannot open GK error=2
Scanning "type32": C:\Program Files\Microsoft IntelliType Pro\type32.exe ok
Scanning "AVG7_CC": C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP scan failed
Scanning "AVG7_CC": C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe ok
Scanning "NvCplDaemon": RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup scan failed
Scanning "NvCplDaemon": C:\WINDOWS\RUNDLL32.EXE scan failed
Scanning "NvCplDaemon": C:\WINDOWS\system32\RUNDLL32.EXE ok
Scanning "NvCplDaemon": RUNDLL32.EXE scan failed
Scanning "RivaTuner": C:\Program Files\RivaTuner v2.0 RC 15.8\RivaTuner.exe ok
Scanning "svcchost.exe": C:\DOCUME~1\Eric\LOCALS~1\Temp\cdlfodjf.exe ok
Scanning "Installed": C:\WINDOWS\1 scan failed
Scanning "Installed": C:\WINDOWS\system32\1 scan failed
Scanning "Installed": 1 scan failed
Scanning "Installed": C:\WINDOWS\1 scan failed
Scanning "Installed": C:\WINDOWS\system32\1 scan failed
Scanning "Installed": 1 scan failed
Scanning "NoChange": C:\WINDOWS\1 scan failed
Scanning "NoChange": C:\WINDOWS\system32\1 scan failed
Scanning "NoChange": 1 scan failed
Scanning "Installed": C:\WINDOWS\1 scan failed
Scanning "Installed": C:\WINDOWS\system32\1 scan failed
Scanning "Installed": 1 scan failed
Scanning "": C:\WINDOWS\"%1 scan failed
Scanning "": C:\WINDOWS\system32\"%1 scan failed
Scanning "": %1 scan failed
Cannot open GK error=2
Infection not found, exiting
Exit code: 0
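A triage pass over the autorun (O4) and Winlogon Notify (O20) lines of the HijackThis log posted in this thread, as an added example that is not part of any forum post. It flags entries for closer inspection and does not judge any file malicious; the baseline sets, the similarity threshold and the function name `triage` are assumptions to be replaced with the analyst's own.

```python
import re
from difflib import SequenceMatcher

# Lines copied from the HijackThis log posted in this thread.
SAMPLE = r'''O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [svcchost.exe] C:\DOCUME~1\Eric\LOCALS~1\Temp\cdlfodjf.exe
O20 - Winlogon Notify: tcpR32 - C:\WINDOWS\SYSTEM32\tcpR32.dll'''

# Assumption: analyst-supplied baselines, not authoritative lists.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe", "winlogon.exe"}
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O4_RE = re.compile(r"^O4 - .*?Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
TEMP_RE = re.compile(r"\\te?mp\\", re.I)           # any \Temp\ or \Tmp\ path component
EXE_RE = re.compile(r'[^\\"]+\.exe', re.I)          # file name of the first .exe in the command


def triage(log_text):
    """Return {entry_name: [reasons]} for O4/O20 lines worth a closer look."""
    findings = {}
    for line in log_text.splitlines():
        line, reasons = line.strip(), []
        m4, m20 = O4_RE.match(line), O20_RE.match(line)
        if m4:
            name, cmd = m4["name"], m4["cmd"]
            low = name.lower()
            if TEMP_RE.search(cmd):
                reasons.append("autorun target in a Temp directory")
            exe = EXE_RE.search(cmd)
            # A value name that is itself a file name, but not the file that runs.
            if low.endswith(".exe") and exe and exe[0].lower() != low:
                reasons.append("value name is a file name that differs from the target")
            # Look-alike of a system binary (threshold 0.9 is an assumption).
            if any(low != s and SequenceMatcher(None, low, s).ratio() >= 0.9
                   for s in SYSTEM_NAMES):
                reasons.append("value name is a near-miss of a system binary name")
        elif m20:
            name = m20["name"]
            if name.lower() not in NOTIFY_BASELINE:
                reasons.append("Winlogon Notify DLL not in baseline")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE).items():
        print(entry, "->", "; ".join(why))
```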
-
Ultimate Member
-
Ultimate Member
ps. I feel my point about Apache may be worth a sniff. Spam is such a pain.
-
Already tried that, the tool didn't find anything.