Avast WEBforum
Other => Viruses and worms => Topic started by: Acorogia on November 21, 2010, 02:04:28 AM
-
Hey guys, first time poster, long time unregistered lurker.
I have been fighting the virus for a month or so now and am throwing in the towel and asking for help. Here is what I know:
explorer.exe is infected with something (I dont think anything else is, but I could be wrong)
Symptoms: Internet Explorer popups constantly, sometimes 20-30 of them within a few minutes
Unauthorized downloads attempted but stopped by UAC
Huge amounts of resources taken up.
What I have hit it with:
Avast
Hitman Pro 3.5
AdAware
Spybot Search and Destroy
AVG Free
Combofix
Malwarebytes
Windows Defender
Reinstalling Vista SP2 (to hopefully rewrite architecture and replace explorer.exe)
Nothing has succeeded in killing the virus, some of them picked up other little things but never the main explorer.exe virus, although I regularly get pop ups from Avast/AVG/AdAware about harmful sites being accessed all referencing explorer.exe as the source.
I have resorted to running everything from task manager and using an alternate file browser.
I have also run through just about every explorer.exe virus thread or writeup online but none of them seem to help nor be exactly what my problem is.
Please help me! Im all ears guys, I wasnt sure if I should post Hijack This (OTL) logs straight away or if I should wait, so I held off.
Thanks a ton in advance!
-
Follow this guide from our expert malware remover Essexboy, and post the log`s here
http://forum.avast.com/index.php?topic=53253.0
To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and Malwarebytes scan log)
-
In 3 parts:
OTL.txt
-
part 2. Extras.txt and for some reason the malwarebytes log was too big to be attached, so its c&p below.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 5159
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975
11/20/2010 5:37:14 PM
mbam-log-2010-11-20 (17-37-14).txt
Scan type: Quick scan
Objects scanned: 161138
Time elapsed: 9 minute(s), 29 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Hello Acorogia,
Yes, you are infected with several types of malware. I wish you had come to us sooner, but we will help you out.
In the meantime, do you have another machine you can use to check the forum and use for email?
- Please limit (or do not use as much as possible) this infected machine, especially for any social networking, syncing of devices, etc.
- If you are on a network, disconnect this machine from the network.
- If this machine is connected to a router, please reset the router.
- Please do not make any further changes to your machine now that you have provided the logs.
I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily. I will continue to provide assistance in the meantime, then remain in the background while he works with you.
Let me know if you have any questions. Thank you.
-
Hi there
Run OTL
- Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0:80
FF - prefs.js..network.proxy.ftp: "109:169:26:139"
FF - prefs.js..network.proxy.ftp_port: 3128
FF - prefs.js..network.proxy.gopher: "109:169:26:139"
FF - prefs.js..network.proxy.gopher_port: 3128
FF - prefs.js..network.proxy.http: "109:169:26:139"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "109:169:26:139"
FF - prefs.js..network.proxy.socks_port: 3128
FF - prefs.js..network.proxy.ssl: "109:169:26:139"
FF - prefs.js..network.proxy.ssl_port: 3128
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {783840E6-0A18-4087-9EC7-A1CC131DF0D4} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
[2009/09/24 23:07:07 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\iobcfeo.dll
[2009/09/24 23:07:07 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\hnmobfd.dll
[2009/09/24 23:07:06 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\vb0va0g.dll
[2009/09/24 23:07:06 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\je1pkjv.dll
[2009/09/24 23:07:06 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\iz9g894.dll
[2009/09/24 23:07:05 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\xg865ij.dll
[2009/09/24 23:07:05 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\iokz40o.dll
[2009/09/24 23:07:05 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\g0efyts.dll
[2009/09/24 23:07:04 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\kg7i665.dll
[2009/09/24 23:06:54 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\qsfaqqr.dll
[2009/09/24 23:06:51 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\oro2h6n.dll
[2009/09/24 23:06:47 | 000,001,024 | ---- | C] () -- C:\Windows\System32\ufh8ea7.dll
[2009/09/24 23:06:47 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth2.dll
[2009/09/24 23:06:47 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth1.dll
[2009/09/24 23:06:47 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\iz8rxkx.dll
[2009/09/24 23:06:29 | 000,001,024 | ---- | C] () -- C:\Windows\System32\clauth2.dll
[2009/09/24 23:06:29 | 000,001,024 | ---- | C] () -- C:\Windows\System32\clauth1.dll
[2009/09/24 23:06:29 | 000,000,072 | ---- | C] () -- C:\Windows\System32\ssprs.dll
[2009/09/24 23:06:29 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\w4yzvjq.dll
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Delete your current copy of combofix and download a fresh one
Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-
Logs attached as requested, you guys are life savers.
-
Hi explorer is reporting as legitimate - what are your current problems ?
-
Everything appears to be acting normal, resource consumption of explorer.exe looks normal, ill sit on it for a day or so and see if any symptoms pop up and report back regardless. Thanks again Essexboy.
-
I lied, not all is well.
Avast just blocked a network connection and a infected file
Last file infected: C:\Users\Nick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L8U349Y3\clgmjtftaojucv[1].htm
In the little pop up window that warms you where something has been detected, it said that (above) and that the process was C\windows\explorer.exe
Is there any way to retrieve that information or will it just tell me what the infected file was?
Im running an Avast scan now just to be safe.
Thanks.
-
Lets see if windows detects a problem with explorer
Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter
sfc /scannow (Note: There is a space between sfc and /scannow)
On completion reboot
-
According to the scan there were no discrepancies.
-
OK lets get my second opinion to work ;D
Download Dr Web from here http://www.freedrweb.com/?lng=en link on the top right of the page, tick the EULA and then download
It will download as an 8 digit file save it to your desktop
Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that
-
Follow this guide from our expert malware remover Essexboy, and post the log`s here
http://forum.avast.com/index.php?topic=53253.0
To avoid using multiple post with copy and paste you have to attach the log`s
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and Malwarebytes scan log)
Yes it is still around I got it on IE9, could no get rid of it, and returned to IE 8, no problem. Reloded IE9 again, and the same problem startet over now back to IE 8.
I also got hit by a ransome virus program antivirus soft, got rid of that tough, but it left 3 files pup d11host.exe.
Avast close down as I was hit, and could only be activated after the clean up with other programs, and now i fails to find the left pup d11host.exe in 3 location, i can get at them, seach dont reveal, advice is welcome.
-
I cant seem to locate where it saved the log to, but it didn't find a single thing, I did only run it on express mode however.
-
The express scan would have found any indication of an infected system file
Are the alerts still occuring ?
-
I shut off explorer.exe yesterday and have been running everything from task manager. I turned it back on and within 5 minutes im back to getting ie popups. No alerts yet however...
-
Update: as soon as I logged on today Avast informed me that it had detected a threat. I took a screen shot of what was going on. See attached
-
Clear Cache/Temp Files
Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop
- Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
- It will close all programs when run, so make sure you have saved all your work before you begin.
- Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
- Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
THEN
Re-run Combofix and allow it to update if it asks
-
Here is the new combofix log.
EDIT:
The ie popups are still occurring, no Avast notifications of virus's yet though...
-
Still no sign of infection from that - lets check for file corruption
Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter
sfc /scannow (Note: There is a space between sfc and /scannow)
On completion reboot
-
As before, no violations or corruptions found.
-
OK lets look at it from a different angle
Download avz4.zip from here (http://z-oleg.com/avz4.zip)
- Unzip it to your desktop to a folder named avz4
- Double click on AVZ.exe to run it.
- Run an update by clicking the Auto Update button on the Right of the Log window: (http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-update-button.png)
- Click Start to begin the update
Note: If you recieve an error message, chose a different source, then click Start again
- Start AVZ.
- Choose from the menu "File" => "Standard scripts " and mark the "Advanced System Analysis with Malware removal mode enabled " check box.
(http://perplexus.geekstogo.com/avz-standardscripts-asa-removal.png)
- Click on the “Execute selected scripts”.
- Automatic scanning, healing and system check will be executed.
- A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
- It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
- All applications will work properly after the system restart.
When restarted
- Start AVZ.
- Choose from the menu "File" => "Standard scripts " and mark the “Advanced System Analysis " check box.
(http://i768.photobucket.com/albums/xx326/perplexus13/malware/avz-standardscripts.png)
- Click on the "Execute selected scripts".
- A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to Mediafire (http://www.mediafire.com/) and post the sharing link.
-
AVZ4 Logs:
http://www.mediafire.com/?2v359prvsqp9e9l
http://www.mediafire.com/?j2murkpuroq8864
-
On completion of this run can you let me know if the problem persists
AVZ FIX
- Double click on AVZ.exe
- Click File > Custom scripts
- Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end )
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
TerminateProcessByName('c:\windows\explorer.exe');
DelBHO('{472734EA-242A-422b-ADF8-83D1E48CC825}');
DeleteFile('C:\Windows\System32\Drivers\spwm.sys');
BC_DeleteFile('C:\Windows\System32\Drivers\spwm.sys');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.- Note: When you run the script, your PC will be restarted
- Click Run
- Restart your PC if it doesn't do it automatically.
[
-
I had my fingers crossed, but the problem persists.
-
So explorer is still crashing ? This is explorer and not interet explorer
-
yup, regular old explorer.exe. It doesnt really crash, it just barrages me with ie popups, download requests for fake spyware protection and tries to open pdf files. I know it is all coming through explorer.exe because it consumes huge amounts of resources (10% of CPU and 100,000k of RAM) during normal operations and as soon as I kill the explorer.exe process things go back to normal.
-
OK lets get the latest Combofix on the job in case it sees something that I missed, if it doesn't I will use it to replace the windows copy with one from one of the SP areas on your system
Delete your current copy of combofix and download a fresh copy please then run
-
Well this is an interesting development, upon downloading a fresh copy of combofix avast immediately tells me that it is infected with 'Win32:Agent-AMLR [Trj]' I went back and tried the other mirror that you gave me, both yield the same result. Explorer.exe was not running when this happened either.
-
Yes it is a false positive that I have reported - disable webshield long enough to download it
-
Doesnt look like combofix found anything new, but I attached the log just in case.
-
I will use combofix now to replace your current explorer with a backed up copy from the cache to see if that alleviates the problem
1. Please open Notepad- Click Start , then Run
- Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::
Fcopy::
C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.0.6002.18005_none_53a0201e76de3a0b\explorer.exe|C:\Windows\explorer.exe
3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
4. Save the above as CFScript.txt
5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
(http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif)
6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:- Combofix.txt
- A new OTListit log.
-
Yes it is a false positive that I have reported - disable webshield long enough to download it
That FP has been corrected, in VPS update 101118-0.
-
Logs attached. As of now, now no popups, but CPU and RAM usage still seem high.
-
Vista utilises as much RAM as possible to save disc swapping - what programme is using the greatest amount of CPU
-
Unfortunately, the popups remain, I was optimistic at first too...
-
OK here is my little spiel for Memtest
The Windows Memory Diagnostics Tool (http://oca.microsoft.com/en/windiag.asp) is an easy to create, easy to use application available from Microsoft that is a valuable tool in troubleshooting suspected RAM problems. Download the tool and save the file to your desktop. Double click on the downloaded file to open the disk creation application.
When the downloaded file is opened, the creation software will start and you will be presented with a license agreement...accept that and you will see the options to create a bootable floppy diskette or to copy the CD image to a location on your computer as shown below.
(http://i197.photobucket.com/albums/aa249/thesparkman/createit.png)
When the "Create Startup Disk..." button is clicked, you will be prompted to select the floppy drive to use to create the disk. In the majority of cases, there will be only one choice and it will be selected by default as shown in the example below. Insert a diskette into the floppy drive and click on the "Create" button.
(http://i197.photobucket.com/albums/aa249/thesparkman/createflop.png)
When the "Save CD Image to Disk..." button is clicked, you will be prompted to save the CD image to a location on your computer. Save it to a location you will remember such as your My Documents folder or the desktop. In the example below, I've created a folder on the desktop named windiag to save the file to.
(http://i197.photobucket.com/albums/aa249/thesparkman/savetodisk.png)
Once the image has been saved to a location on your computer, you can use your burning software to burn the image to a cd. If your software doesn't support burning ISO Images or you do not have burning software installed, you can use a tool like ISO Recorder (http://"http://isorecorder.alexfeinman.com/isorecorder.htm") which will add a "Copy Image to CD" option to the right click context menu. You can simply right click on the saved image and choose that option...the burning tool will open.
Use the disk you create to boot the computer. The diagnostics will run automatically and will continue to do so until it is terminated. It should be left to run for a minimum of four complete passes. If you have the time, an hour or two is better.
If the RAM module(s) is good, each test in each pass will display a green "Succeeded" message in the Pass field as shown in the image below.
(http://i197.photobucket.com/albums/aa249/thesparkman/good.png)
If the RAM module(s) is bad, one or more passes will display a red "Failed" message in the Pass field as shown in the image below.
(http://i197.photobucket.com/albums/aa249/thesparkman/bad.png)
Any failure in any test may indicate a bad module. If there is more than one module installed on the machine when a failure is indicated, remove all but one module and begin the test again, testing each module by itself until the failing module is found.
To terminate the diagnostics, remove the disk and press the X key or power the machine off.
Other things to try when faced with suspected memory problems:- Set the BIOS Fail Safe Defaults in Setup.
- Reset the CMOS. (Advanced)
- Adjust RAM voltage/timing. (Advanced)
Some platforms provide for changes to the RAM settings, some offer limited adjustment, and some will not have the option to change the RAM settings. Making changes to RAM settings in the BIOS is best left to advanced users.
-
Sorry for the delay, there was no memory problems, I ran 2 regular passes and 1 advanced pass. Why do you think there is a problem with my memory?
-
I see that you now have 20 posts which will permit you to update your profile to include signature information.
Go to PROFILE then Modify Profile then Forum Profile Information then Please select your country: then Signature: and put information about your system just like my signature and DavidR avast! a Technical advisor so that the helpers can offer pertinent advice.
-
Aye as I can see no apparent malware that would cause explorer to behave like that. I will have a quick rummage around to see if I can find any other possible causes
-
Thank ya sir.
-
Are you running any specific programme when explorer crashes ?
-
Nothing I can think of, sometimes Ill turn on my computer log on and walk away and come back with 10+ ie windows open and Avast notifications. So unless its something running in the background, there is no smoking gun.
-
Sorry I thought it was an explorer problem and not internet explorer
Do you use a router ?
Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
-
It is an explorer.exe problem. The symptoms are ie popups. Ill try the router reset and report back.
-
Nada. Im trying to avoid a reinstall, but I feel that we are running out of ideas. Any more thoughts on what could be the issue?
-
It is something deeply embeded that none of my tools are seeing or there is a corruption within your file system, and not necessarily a system file
-
So where do we go from here?
-
We could initiall try a repair install - there are details on this page
http://www.vistax64.com/tutorials/88236-repair-install-vista.html
If you have the CD it would be easier as you could fool the system into thinking it is an upgrade install
-
Alright, Ill give it a go, may take some time, I have to slipstream Vista SP2, but thanks for the advice.
-
Sorry we could not get to the root of the problem