Author Topic: Explorer.exe. Problem as well?  (Read 7383 times)



aurion45

  • Guest
Explorer.exe. Problem as well?
« on: July 26, 2014, 12:24:20 AM »
Hi There,
I seem to have a problem as well: explorer.exe is connecting outbound to some IP address, but Malwarebytes prevented the connection and it has stopped for now, but I think there is still a problem?
Can you please help, thank you. Andrew

RogueKiller V9.2.4.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 32 bits version
Started in : Normal mode
User : asoul_000 [Admin rights]
Mode : Scan -- Date : 07/26/2014  08:07:29

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3E1869CF-1651-4DF2-B7B6-5632E71C2731} | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D73C91C-0D46-4856-9857-F1A7C08DDAEA} | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3E1869CF-1651-4DF2-B7B6-5632E71C2731} | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D73C91C-0D46-4856-9857-F1A7C08DDAEA} | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-183892547-3926755635-2953811617-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-183892547-3926755635-2953811617-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 30 (Driver: LOADED) ¤¤¤
[IAT:Addr] (explorer.exe) dwmapi.dll -  : Unknown @ 0xb370000
[IAT:Addr] (explorer.exe) dwmapi.dll -  : Unknown @ 0xb370014
[IAT:Addr] (explorer.exe) dwmapi.dll -  : Unknown @ 0xb370028
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllCanUnloadNow : C:\Windows\System32\netprofm.dll @ 0x683b10aa
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllGetClassObject : C:\Windows\System32\netprofm.dll @ 0x683b2003
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllRegisterServer : C:\Windows\System32\netprofm.dll @ 0x683d5fbd
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllUnregisterServer : C:\Windows\System32\netprofm.dll @ 0x683d5fe1
[EAT:Addr] (explorer.exe) ATL.DLL - NetAddAlternateComputerName : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6466a7
[EAT:Addr] (explorer.exe) ATL.DLL - NetEnumerateComputerNames : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6467b1
[EAT:Addr] (explorer.exe) ATL.DLL - NetGetJoinInformation : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f642b89
[EAT:Addr] (explorer.exe) ATL.DLL - NetGetJoinableOUs : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646931
[EAT:Addr] (explorer.exe) ATL.DLL - NetJoinDomain : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f644409
[EAT:Addr] (explorer.exe) ATL.DLL - NetRemoveAlternateComputerName : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646a89
[EAT:Addr] (explorer.exe) ATL.DLL - NetRenameMachineInDomain : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646b91
[EAT:Addr] (explorer.exe) ATL.DLL - NetSetPrimaryComputerName : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646c99
[EAT:Addr] (explorer.exe) ATL.DLL - NetUnjoinDomain : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f64431b
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseAdd : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f643324
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseDel : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f642fe8
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseEnum : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6430c1
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseGetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646da1
[EAT:Addr] (explorer.exe) ATL.DLL - NetValidateName : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646e41
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaGetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f642c99
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaSetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f646fd1
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaStatisticsGet : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6470a9
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaTransportAdd : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6471b9
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaTransportDel : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f647299
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaTransportEnum : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f647371
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaUserEnum : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f6474c5
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaUserGetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f647615
[EAT:Addr] (explorer.exe) ATL.DLL - NetWkstaUserSetInfo : C:\Windows\SYSTEM32\wkscli.dll @ 0x6f647709


¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] 968b68c9ed36a3c42cfbf4ccb6686a21
[BSP] 95710b1fd0045563c6af269b8702db8b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1092 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2238464 | Size: 749404 MB
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1537017856 | Size: 203370 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Multiple Card  Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


============================================
RKreport_SCN_07262014_065345.log - RKreport_DEL_07262014_072607.log


aurion45

  • Guest
Re: Explorer.exe. Problem as well?
« Reply #1 on: July 26, 2014, 02:30:42 AM »
OK, I'm going to re-install the computer back to a custom image that I know is good.
I'll let you know the outcome, if this fixes my problem.
« Last Edit: July 26, 2014, 08:47:39 AM by aurion45 »


aurion45

  • Guest
Re: Explorer.exe. Problem as well?
« Reply #2 on: July 26, 2014, 09:23:00 AM »
OK, I re-imaged my computer and re-ran RogueKiller; here is the outcome below:

RogueKiller V9.2.4.0 [Jul 11 2014] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9200 ) 32 bits version
Started in : Normal mode
User : asoul_000 [Admin rights]
Mode : Scan -- Date : 07/26/2014  17:12:07

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 10 ¤¤¤
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3E1869CF-1651-4DF2-B7B6-5632E71C2731} | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D73C91C-0D46-4856-9857-F1A7C08DDAEA} | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3E1869CF-1651-4DF2-B7B6-5632E71C2731} | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Dns] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{4D73C91C-0D46-4856-9857-F1A7C08DDAEA} | DhcpNameServer : 61.9.195.193 61.9.194.49  -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-183892547-3926755635-2953811617-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools : 0  -> FOUND
[PUM.Policies] HKEY_USERS\S-1-5-21-183892547-3926755635-2953811617-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr : 0  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> FOUND
[PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1  -> FOUND

¤¤¤ Scheduled tasks : 1 ¤¤¤
[Suspicious.Path] \\SomotoUpdateCheckerAutoStart -- C:\Users\asoul_000\AppData\Local\FilesFrog Update Checker\update_checker.exe (/auto) -> FOUND

¤¤¤ Files : 0 ¤¤¤

¤¤¤ HOSTS File : 0 ¤¤¤

¤¤¤ Antirootkit : 8 (Driver: LOADED) ¤¤¤
[IAT:Addr] (explorer.exe) dwmapi.dll -  : Unknown @ 0xaff0000
[IAT:Addr] (explorer.exe) dwmapi.dll -  : Unknown @ 0xaff0014
[IAT:Addr] (explorer.exe) dwmapi.dll -  : Unknown @ 0xaff0028
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingDoAction : C:\Windows\system32\elscore.dll @ 0x68337834
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingFreePropertyBag : C:\Windows\system32\elscore.dll @ 0x68331230
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingFreeServices : C:\Windows\system32\elscore.dll @ 0x68337908
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingGetServices : C:\Windows\system32\elscore.dll @ 0x68332fa1
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingRecognizeText : C:\Windows\system32\elscore.dll @ 0x683310d0

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: HGST HTS721010A9E630 +++++
--- User ---
[MBR] 968b68c9ed36a3c42cfbf4ccb6686a21
[BSP] 95710b1fd0045563c6af269b8702db8b : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 1092 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2238464 | Size: 749404 MB
2 - [XXXXXX] EXTEN-LBA (0xf) [VISIBLE] Offset (sectors): 1537017856 | Size: 203370 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive2: Multiple Card  Reader USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )



Tigzy

  • Administrator
  • Hero Member

  • Owner, Adlice Software
Re: Explorer.exe. Problem as well?
« Reply #3 on: July 28, 2014, 11:48:36 AM »
Hello
When you have such orange lines, you have to Google the DLL name to see if it's known.
You can also look at the file directly (since you are supposed to have it), look at the publisher, and why not upload it to VirusTotal.

Here it looks like they are legit. I'll add them to the whitelist.
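The check Tigzy describes above (identify the DLL each orange line resolves to, then look at the file and its hash) can be scripted. The following is an added example written for this thread, not RogueKiller's own code: it parses the `[IAT:Addr]`/`[EAT:Addr]` lines of a RogueKiller report, groups them by the module the hooked export now points into, says whether that module lives under System32, and, when run on the affected machine, prints its SHA-256 so the hash can be looked up on VirusTotal. The sample lines are copied from the logs posted in this thread; the `C:\Windows` system root, the regular expression and all function names are my assumptions.

```python
"""Triage helper for RogueKiller 'Antirootkit' lines (example code, not Adlice's)."""
import hashlib
import ntpath
import os
import re
from collections import defaultdict, namedtuple

# Constructed sample: lines copied from the RogueKiller logs posted in this thread.
SAMPLE_LOG = """\
¤¤¤ Antirootkit : 30 (Driver: LOADED) ¤¤¤
[IAT:Addr] (explorer.exe) dwmapi.dll -  : Unknown @ 0xb370000
[EAT:Addr] (explorer.exe) SHDOCVW.dll - DllCanUnloadNow : C:\\Windows\\System32\\netprofm.dll @ 0x683b10aa
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseAdd : C:\\Windows\\SYSTEM32\\wkscli.dll @ 0x6f643324
[EAT:Addr] (explorer.exe) ATL.DLL - NetUseDel : C:\\Windows\\SYSTEM32\\wkscli.dll @ 0x6f642fe8
[EAT:Addr] (explorer.exe) MSVCR80.dll - MappingDoAction : C:\\Windows\\system32\\elscore.dll @ 0x68337834
"""

HookEntry = namedtuple("HookEntry", "kind process module export target address")

# One Antirootkit line: "[EAT:Addr] (proc) module - export : target @ 0xaddr".
# The IAT lines in the thread carry an empty export name and the target "Unknown".
HOOK_RE = re.compile(
    r"^\[(?P<kind>[IE]AT):Addr\] \((?P<process>[^)]+)\) (?P<module>\S+) - "
    r"(?P<export>[^:]*?) : (?P<target>.+?) @ (?P<address>0x[0-9a-fA-F]+)$"
)


def parse_antirootkit(text):
    """Return the hook entries found in a RogueKiller report; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            entries.append(HookEntry(**m.groupdict()))
    return entries


def triage(entries, system_root="C:\\Windows"):
    """Group hooks by the module they resolve to.

    Returns (report, unknown): `report` has one dict per resolving module, sorted by
    path; `unknown` holds entries whose target RogueKiller could not map to a file on
    disk, which deserve a closer look than a hook pointing into a known System32 DLL.
    """
    by_target = defaultdict(list)
    unknown = []
    for e in entries:
        if e.target.lower() == "unknown":
            unknown.append(e)
        else:
            by_target[e.target.lower()].append(e)  # NTFS paths are case-insensitive

    system32 = ntpath.join(system_root, "System32").lower()
    report = []
    for hooks in by_target.values():
        path = hooks[0].target  # keep the spelling RogueKiller printed
        report.append({
            "path": path,
            "in_system32": ntpath.dirname(path).lower() == system32,
            "exports": sorted(h.export for h in hooks),
            "hooked_modules": sorted({h.module for h in hooks}),
        })
    report.sort(key=lambda r: r["path"].lower())
    return report, unknown


def sha256_if_present(path):
    """SHA-256 of the file for a VirusTotal hash lookup; None when it is not on this host."""
    if not os.path.isfile(path):
        return None
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    report, unknown = triage(parse_antirootkit(SAMPLE_LOG))
    for r in report:
        where = "System32" if r["in_system32"] else "OUTSIDE System32 - check the publisher first"
        print(f"{r['path']}  [{where}]")
        print(f"   hooks {len(r['exports'])} export(s) of {', '.join(r['hooked_modules'])}")
        print(f"   sha256: {sha256_if_present(r['path']) or 'file not present on this host'}")
    for e in unknown:
        print(f"{e.module} {e.kind} entry at {e.address} has no backing module (Unknown)")
```

Run it on the affected machine with the full report as input to get the list of files to examine. For the publisher step, `Get-AuthenticodeSignature` in PowerShell shows the signer; keep in mind that many Windows system DLLs are signed through a catalog rather than an embedded signature, so a `NotSigned` result on its own is not a finding on older Windows versions, which is why the hash lookup and the path check are worth doing alongside it.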


aurion45

  • Guest
Re: Explorer.exe. Problem as well?
« Reply #4 on: July 29, 2014, 06:35:36 AM »
Thanks will do next time.