Author Topic: explorer.exe (Read 6588 times)

everville · « **on:** July 22, 2014, 09:17:36 PM »

hey guys, running roguekiller and getting rans.gendarm although not got any web blocking.

system does occasionally lock for a few seconds repetativly, so sounds like I've got something.

however malware bytes says there's no infection?

removed the explorer and ran "scannow" which replaced the file, but this also shows as rans.gendarm

Tigzy · « **Reply #1 on:** July 24, 2014, 10:53:14 AM »

Hello
Can you please provide the report?

everville · « **Reply #2 on:** July 25, 2014, 02:24:14 PM »

RogueKiller V9.2.4.0 (x64) [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : me [Admin rights]
Mode : Scan -- Date : 07/25/2014 13:14:33

¤¤¤ Bad processes : 2 ¤¤¤
[Rans.Gendarm] explorer.exe -- C:\Windows\Explorer.exe[7] -> KILLED [TermProc]
[Proc.Hidden] --

-> KILLED [TermThr]

¤¤¤ Registry Entries : 2 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0 -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 1 ¤¤¤
[C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

¤¤¤ Antirootkit : 8 (Driver: LOADED) ¤¤¤
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CREATE[0] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_CLOSE[2] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_DEVICE_CONTROL[14] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_INTERNAL_DEVICE_CONTROL[15] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_POWER[22] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_SYSTEM_CONTROL[23] : Unknown @ 0x69e52c0
[IRP:Addr(Hook.IRP)] \SystemRoot\System32\drivers\mountmgr.sys - IRP_MJ_PNP[27] : Unknown @ 0x69e52c0
[Filter(Kernel.Filter)] \Driver\atapi @ \Device\CdRom0 : \Driver\GEARAspiWDM @ Unknown (\SystemRoot\system32\DRIVERS\Rt64win7.sys)

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: SAMSUNG HD204UI ATA Device +++++
--- User ---
[MBR] 9492072906a8152001eed0513e7b6e64
[BSP] bc953a5abfb9721f2ff199a056df4e57 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 1907627 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic Storage Device USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

============================================
RKreport_DEL_07222014_175839.log - RKreport_SCN_07212014_234311.log - RKreport_SCN_07222014_001407.log - RKreport_SCN_07222014_175825.log
RKreport_SCN_07222014_182029.log

Tigzy · « **Reply #3 on:** July 28, 2014, 11:36:43 AM »

That's strange...
Can you please make a FULL dump of explorer with process explorer (sysinternal tool)
right click on the process -> full dump

Please zip it, and attach to the answer

Author Topic: explorer.exe (Read 6588 times)

everville

explorer.exe

Tigzy

Re: explorer.exe

everville

Re: explorer.exe

Tigzy

Re: explorer.exe