Author Topic: C:\windows\system32\explorer.exe may have a malware infection?  (Read 21341 times)


Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #15 on: February 07, 2013, 02:04:12 AM »
Hi,
It is necessary that you follow the instructions that are given ...


Step#1

Open notepad and copy/paste the text present inside the code box below:


Code:

KillAll::

File::
c:\windows\Tasks\OptimizerProUpdaterTask{C216DF16-E33C-4CF7-AFAD-7D410EF1B4B1}.job

Folder::
c:\programdata\Premium\OptimizerPro

ClearJavaCache::

DDS::
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} -



Save this as CFScript.txt



Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt )
**************************

Step#2

Download TDSSKiller and save it to your desktop.

  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\ , for example, C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.

**************************

Step#3

Re-run OTLScan

  • Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Scan All Users
     
  • Paste this into Custom Scans/Fixes box at the bottom

Code:

%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
/md5stop
CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please attach them in this thread.

REDACTED

  • Guest
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #16 on: February 07, 2013, 02:09:31 AM »
My TDSSKILLER log.
« Last Edit: February 07, 2013, 02:36:41 AM by AdoptablePeach »

REDACTED

  • Guest
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #17 on: February 07, 2013, 02:31:55 AM »
The new combofix text.

REDACTED

  • Guest
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #18 on: February 07, 2013, 02:52:04 AM »
New OTL text, I didn't get an Extra.txt file this time.
« Last Edit: February 07, 2013, 03:01:41 AM by AdoptablePeach »

REDACTED

  • Guest
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #19 on: February 07, 2013, 02:52:47 AM »
Also my desktop is back up I can see my profile.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #20 on: February 07, 2013, 11:54:04 PM »
Hi,

Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

:Otl
IE:64bit: - HKLM\..\SearchScopes\{5D6AE2F1-AFE9-4585-A47B-527225501C48}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKLM\..\URLSearchHook: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - No CLSID value found
IE - HKLM\..\SearchScopes\{5D6AE2F1-AFE9-4585-A47B-527225501C48}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
IE - HKLM\..\SearchScopes\{a5b9c0f5-5616-47cd-a95f-e43b488faccf}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?p2=^XP^xdm114^LENCA^ca&si=CN-xifCKjrACFbEBQAod103BpA&ptb=4ADD6BD3-8DF2-406B-BC17-F220EF8B3E6A&psa=&ind=2012052001&st=sb&n=77ed7a21&searchfor={searchTerms}
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files (x86)\AVG\AVG10\Firefox4\ [2011/08/11 08:25:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files (x86)\AVG\AVG10\Toolbar\Firefox\avg@igeared
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Everett\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1390_0\plugins/avgnpss.dll
O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG10\avgssie.dll File not found
O3 - HKU\S-1-5-21-1573336260-1148118520-3100803624-1002\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.

:files
C:\Program Files (x86)\AVG
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt /c
ipconfig /release /c
ipconfig /renew /c

:commands
[CREATERESTOREPOINT]
[emptytemp]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
****************************



Re-run OTLScan

  • Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Scan All Users
     
  • Paste this into Custom Scans/Fixes box at the bottom

Code:

/md5start
explorer.exe
/md5stop
C:\windows\system32\explorer.exe /md5

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please attach them in this thread.
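The OTL custom scan in Step #3 of Reply #15 and again in the scan above (`%SYSTEMDRIVE%\*.exe`, `/md5start explorer.exe /md5stop`, `C:\windows\system32\explorer.exe /md5`) is there to find every copy of explorer.exe on the system drive and hash it, so a copy in an unexpected location can be compared with the real Windows shell binary. The script below is an added example written for this thread, not OTL's code and not posted by anyone in the thread; it does the same triage with built-in PowerShell cmdlets (Get-ChildItem, Get-FileHash, Get-AuthenticodeSignature) and assumes the canonical binary is %windir%\explorer.exe. The function name Get-ExplorerCopies is made up for the example.

```powershell
# Added example, not from the thread: find every file named explorer.exe on the
# system drive, hash it, check its Authenticode signature, and compare each copy
# against the canonical %windir%\explorer.exe. Run from an elevated PowerShell
# so that protected directories can be read.
function Get-ExplorerCopies {
    param(
        [string]$Algorithm = 'SHA256'   # use 'MD5' to compare with an OTL /md5 listing
    )

    $canonical     = Join-Path $env:windir 'explorer.exe'
    $canonicalHash = (Get-FileHash -Path $canonical -Algorithm $Algorithm).Hash

    $candidates = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'explorer.exe' `
        -File -Recurse -Force -ErrorAction SilentlyContinue

    foreach ($file in $candidates) {
        $hash = (Get-FileHash -Path $file.FullName -Algorithm $Algorithm).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

        [pscustomobject]@{
            Path             = $file.FullName
            SizeBytes        = $file.Length
            Hash             = $hash
            MatchesCanonical = ($hash -eq $canonicalHash)
            SignatureStatus  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer           = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            # Worth a closer look: a copy that differs from the canonical binary
            # and does not carry a valid signature.
            Suspicious       = ($hash -ne $canonicalHash) -and ($sig.Status -ne 'Valid')
        }
    }
}

# Show the copies that need attention first.
Get-ExplorerCopies | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A copy whose hash differs from %windir%\explorer.exe but whose signature is Valid is normal (the 32-bit build under SysWOW64 on 64-bit Windows, or component-store copies under WinSxS). The row to examine is one that is both unsigned and different, which is exactly the question the thread asks about System32\explorer.exe, a location where Windows does not install its shell.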

REDACTED

  • Guest
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #21 on: February 08, 2013, 01:17:26 AM »
Ok here is the OTL from the first step. I had to force restart and while it was restarting it just stopped and the screen went black for a long while. I had to use the shutdown button to restart it.

REDACTED

  • Guest
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #22 on: February 08, 2013, 01:32:02 AM »
Once again I have not gotten an extras.txt from my scan. I just got this.

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #23 on: February 08, 2013, 02:08:07 PM »
Re-run OTL.exe.

  • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

Code:

:processes
killallprocesses

:Otl
IE:64bit: - HKLM\..\SearchScopes\{5D6AE2F1-AFE9-4585-A47B-527225501C48}: "URL" = http://www.ask.com/web?q={searchTerms}&l=dis&o=cahpd
CHR - plugin: AVG Internet Security (Enabled) = C:\Users\Everett\AppData\Local\Google\Chrome\User Data\Default\Extensions\jmfkcklnlgedgbglfkkgedjfmejoahla\10.0.0.1390_0\plugins/avgnpss.dll
O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.

:commands
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
*********************


The detected explorer.exe is legit and was caught via heuristics.

How's your computer running now?
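The :Otl sections in Reply #20 and Reply #23 remove Internet Explorer SearchScopes entries pointing at third-party search URLs and Browser Helper Object entries that OTL reports as "No CLSID value found" or "File not found" (a BHO registered in the Explorer key whose COM class or DLL no longer exists). The script below is an added example for this thread, not OTL's code and not posted by anyone in the thread; it inventories those two registry areas from both the native and Wow6432Node views and flags BHOs whose CLSID has no InprocServer32 or whose DLL is missing. The registry paths are the standard Internet Explorer and COM locations; the function name Get-IEAddonInventory is made up for the example.

```powershell
# Added example, not from the thread: enumerate Internet Explorer SearchScopes and
# Browser Helper Objects from the native and Wow6432Node registry views and flag
# BHOs whose CLSID is not registered or whose DLL is missing on disk, the situation
# OTL reports as "No CLSID value found" / "File not found" in the listing above.
function Get-IEAddonInventory {
    $views = @('SOFTWARE', 'SOFTWARE\Wow6432Node')

    foreach ($view in $views) {
        # Search providers: each subkey is a GUID holding a "URL" value with {searchTerms}.
        $scopes = "HKLM:\$view\Microsoft\Internet Explorer\SearchScopes"
        if (Test-Path $scopes) {
            foreach ($key in Get-ChildItem $scopes) {
                $url = (Get-ItemProperty -Path $key.PSPath -Name URL -ErrorAction SilentlyContinue).URL
                [pscustomobject]@{
                    View = $view; Kind = 'SearchScope'; Id = $key.PSChildName
                    Target = $url; Orphaned = $null
                }
            }
        }

        # BHOs: each subkey is a CLSID; the COM server DLL is resolved from Classes\CLSID.
        $bhos = "HKLM:\$view\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (Test-Path $bhos) {
            foreach ($key in Get-ChildItem $bhos) {
                $clsid  = $key.PSChildName
                $server = "HKLM:\$view\Classes\CLSID\$clsid\InprocServer32"
                $dll    = $null
                if (Test-Path $server) {
                    # The default value holds the DLL path, sometimes quoted.
                    $dll = ((Get-ItemProperty -Path $server).'(default)')
                    if ($dll) { $dll = $dll.Trim('"') }
                }
                $dllExists = $false
                if ($dll) {
                    $dllExists = Test-Path ([Environment]::ExpandEnvironmentVariables($dll))
                }
                [pscustomobject]@{
                    View = $view; Kind = 'BHO'; Id = $clsid
                    Target = $dll; Orphaned = -not $dllExists
                }
            }
        }
    }
}

Get-IEAddonInventory | Format-Table -AutoSize
```

The CLSID lookup here is HKLM-only; a per-user COM registration under HKCU\Software\Classes would show up as Orphaned even though it resolves for that user, so check that hive before removing anything. A SearchScope row cannot be judged orphaned automatically; the URL column is there so the provider can be compared with what the user actually installed.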

REDACTED

  • Guest
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #24 on: February 08, 2013, 09:18:43 PM »
Here is the log after the reboot. My computer is running fine now. Thank you for all of the help :D

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #25 on: February 09, 2013, 12:22:53 AM »
np  ;)



It is necessary to uninstall ComboFix:
  • Click Start, then Run.

    On Windows 7 or Vista you may use the Start Search field if Run is not available.

  • In the line of text, type in (or copy) the following:
Code:
ComboFix /Uninstall
    Note that there is a space between "ComboFix" and "/Uninstall".

  • Then click OK (or press Enter).
    Wait for the uninstall process to complete.


------------------------------------------

> Re-run OTL and click on the CleanUp! button.

You will be asked to reboot the machine to finish the cleanup process; choose Yes.
After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.

-----------------------------------

I recommend keeping Malwarebytes and using MCShield if you wish.

You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, it will immediately clean the flash drive, memory card or external HDD.

REDACTED

  • Guest
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #26 on: February 09, 2013, 04:26:42 AM »
Thanks again man. Also should I keep adwcleaner or not?

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: C:\windows\system32\explorer.exe may have a malware infection?
« Reply #27 on: February 09, 2013, 05:00:58 PM »
Thanks again man. Also should I keep adwcleaner or not?

You may use it if you wish, but before each use you need to download a fresh, updated version, and after each use, uninstall AdwCleaner.