Explorer in Win 7 Ent keeps crashin/restarting at boot.

[West1ey]

Greetings
My Windows 7 laptop keeps crashing the explorer.exe and subsequently restarts the explorer - this happens every time I boot my machine (after the crash everything's fine). I'm not entirely new to troubleshooting and have narrowed things down to a startup item called MSSMSGS - [quickfix =] I've disabled it for now (courtesy of the msconfig util). Antivirus/AntiMalware scanners also don't pick up anything.

Could one of the boys please help me identify why MSSMSGS crash/restart my explorer and how to remove it (apologies in advance if this turns out not to be malware).

Many thanks

[Dr Jay]

Hello, and welcome to Computer Hope.

Please note the following information about the malware forum:

• Only the Malware Specialist Team is allowed to give advice on removing malware from your computer.
  
• From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  
• Please do not attach logs or post them in Quote/Code boxes unless requested.
  
• Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic you were helped.
• We try our best to reply quickly, but for any reason we do not reply in two days, reply to this topic with the word BUMP
  
• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  
• Copy and paste the entire report in your next reply.

[West1ey]

Thanks for the speedy reply.

I've completed the mbam scan as requested (result below) but nothing was detected. Just to give you a bit of background - I'm running Symantec Endpoint Protection (up to date definitions) and Windows updates are set to automatically install updates as and when they become available.

As per msconfig util:
Startup Item = MSSMSGS
Manufacturer = Unknown
Command = rundll32.exe winups32.rom,enxRuZ
Location = HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Date Disabled = 2010/06/27

If required, I can activate the startup item (MSSMSGS) in question and send you the event viewer error results as well.

-------------------------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4253

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

2010/06/29 10:58:57 AM
mbam-log-2010-06-29 (10-58-57).txt

Scan type: Quick scan
Objects scanned: 136924
Time elapsed: 9 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------

Much appreciated
W

[West1ey]

Dear DragonMaster Jay

My curiosity got the better of me and therefore must confess that I ran the awesome ComboFix util. It deleted a "system" entry under c:\windows\system32 and in the process got rid of the MSSMSGS startup applet. My machine is now chirping happily once more (and I have peace of mind).

I can confirm that that MSSMSGS (instance running on my machine) is in fact Malware - my virus/malware scanners probably did pick up the malware signature but did not clean infection properly (explains why MalwareBytes scan did not pick up anything). I should mention that I ought to scan USB drives from my students as a rule (I'm a junior Cisco trainer) but Symantec is known for its long/cumbersome scans.

Thanks to this site I've stumbled upon some pretty sweet utils that I'll be adding to my troubleshooting arsenal.

Respect DragonMaster Jay and Evilfantasy

[Dr Jay]

ComboFix should not be run without the guidance of a helper. It is a powerful tool and is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private or regular use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

See this link to get more info on why it is dangerous.

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

• Then, press Enter, or click OK.
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.

Topic closed.