Author Topic: codbas-14 detected but not stopped  (Read 3886 times)


paper

  • Guest
codbas-14 detected but not stopped
« on: February 04, 2006, 11:56:22 PM »
Hi,

Browse the Net in IE. Got hit by codbas-14 [Trj] that is detected by Avast. Actions taken:

1. Let Avast delete files
2. Delete IE temporary files.
3. Scan again
The Trojan is not found again. It seems OK.

However, I find that Windows Explorer is started on startup and is set to be allowed to connect to the Internet in my firewall (ZoneAlarm). Actually I never allow Windows Explorer to connect to the Internet. The file is c:\windows\explorer.exe, file size is 1008k. My OS is XP-sp2. When I rename the file, a new file is created on startup and tries to connect to 239.255.255.250: port 1900.
So my computer has been infected.

Does anybody know how to get rid of this bug, please?

Cheers.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: codbas-14 detected but not stopped
« Reply #1 on: February 05, 2006, 01:45:12 AM »
If avast found this whilst browsing, which provider detected it, Web Shield or Standard Shield? There is a difference; check the avast log viewer for more details.

Web Shield would have only one option: abort the connection, e.g. stop downloading that item. So nothing should have reached the HDD, so you wouldn't find anything. If it was Standard Shield that detected it then it would give several options (move to chest, delete, etc.) and would have shown a location on your HDD where the file was located.

I too never allow explorer to connect; it is blocked by my firewall.

Mine is 1,032,192 bytes, last modified 04 Aug 2004, version 6.00.2900.2180. I think windows may be doing some form of self healing and getting a copy from the windows\servicepackfiles\i386 folder, or protecting it because it is in the windows folder.

You could also check the offending/suspect file at Jotti (multi-engine on-line virus scanner); if any other scanners there detect it, it is less likely to be a false positive. You can't do this with the file in the chest; you will need to move it out.
Or VirusTotal (multi-engine on-line virus scanner).

How is it trying to connect? Are you able to do a screenshot?

Try downloading this program and running it; this is a more specialised trojan detector: Ewido Security Suite.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

paper

  • Guest
Re: codbas-14 detected but not stopped
« Reply #2 on: February 06, 2006, 04:35:11 AM »
Hi DavidR,

My explorer.exe has the same file size, date and version as yours. ZoneAlarm showed the message as in the screenshot.

The online scanners found nothing with explorer.exe. However, ewido did, as in the screenshot.

Scanned the system in safe mode with ewido and found g_server2.0.exe in c:\windows.
After being scanned, the ZoneAlarm message appeared once only, and it no longer appears now.

Thank you, DavidR.

paper

  • Guest
Re: codbas-14 detected but not stopped
« Reply #3 on: February 06, 2006, 04:40:50 AM »



If there are still no images, I am sorry that I do not know how to upload images.

CharleyO

  • Guest
Re: codbas-14 detected but not stopped
« Reply #4 on: February 06, 2006, 05:51:02 AM »
***

Welcome to the forums, paper!    :)

Did you preview the 2 posts first? If so, that will cause the pictures to not show. Do not preview the message/attachments before. Use only the POST button after making an attachment.

More info at the post in this link:

http://forum.avast.com/index.php?topic=8982.0

I hope this helps.    :)


***
« Last Edit: February 06, 2006, 05:58:03 AM by CharleyO »

paper

  • Guest
Re: codbas-14 detected but not stopped
« Reply #5 on: February 06, 2006, 07:02:17 AM »
Thanks, CharleyO.

Hope it is working now.

Sorry guys. Actually, I am still seeing the ZoneAlarm message, just no more ewido message.

Offline DavidR

Re: codbas-14 detected but not stopped
« Reply #6 on: February 06, 2006, 03:55:03 PM »
The two files are different: one is explorer.exe (Windows Explorer) and the other is Iexplore.exe (Internet Explorer). It is possible that a program is calling explorer.exe to connect to the internet (because explorer can connect). You can use the "remember this setting" box and click Deny; that will stop explorer.exe from connecting in the future. Whilst that doesn't resolve the issue, it blocks it until such time as you resolve the problem and decide to allow access (personally for me that is never, I use my browser to connect to the internet).

So the ewido would appear to have taken care of the Iexplore.exe issue but we still have to find the program using explorer.exe.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2
For an on-line analysis - HiJackThis Log file - On-line Analysis OR HiJackThis Log file - On-line Analysis 2
Ignore any 023 reference to avast processes, this is a hiccup in the HJT 1.99.1 (especially missing file entry for avast), if you need any help with any of the analysis let us know.
OR - Post your hijackthis-Log here for a diagnosis: tomcoyote.org/hjt

paper

  • Guest
Re: codbas-14 detected but not stopped
« Reply #7 on: February 07, 2006, 01:22:38 AM »
Sorry, DavidR. My mistake.

My system is not stable after being hit. I usually reinstall the OS 3 or 4 times a year on my old 98 box. I think that I have to do the same with my new XP box now.

Thank you for all the help.

CharleyO

  • Guest
Re: codbas-14 detected but not stopped
« Reply #8 on: February 07, 2006, 02:06:03 AM »
***

You need to be sure that is an "i" and not a small "L". There are several worms that can install an exe that looks like it is IE exe but is really LE exe using a small L instead of a capital I. Read below for more info from a Google search I did ......

http://www.auditmypc.com/process/lexplore.asp

http://startup.networktechs.com/srch-LEXPLORE.exe.html

http://www.pcreview.co.uk/startup/lexplore.exe.php


***
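The look-alike check described in the post above, written out as an added example that is not part of any post in this thread: it flags process image paths whose file name imitates `iexplore.exe` or `explorer.exe` with swapped characters, and genuine names running from an unexpected folder. The `explorer.exe` location is the one given in the thread; the `iexplore.exe` folder is assumed to be the Windows XP default, and the sample paths are constructed.

```python
import ntpath

# Expected folders (lower-cased). explorer.exe's folder is from the thread;
# the iexplore.exe folder is an assumption (Windows XP default install).
EXPECTED = {
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
}

# Characters that are easily mistaken for one another in a process list.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def skeleton(name):
    """Collapse visually confusable characters so look-alikes compare equal."""
    return name.lower().translate(CONFUSABLE)


SKELETONS = {skeleton(n): n for n in EXPECTED}


def classify(image_path):
    """Return (verdict, genuine_name) for one process image path."""
    directory, name = ntpath.split(image_path.lower())
    if name in EXPECTED:
        verdict = "ok" if directory == EXPECTED[name] else "wrong-path"
        return (verdict, name)
    genuine = SKELETONS.get(skeleton(name))
    if genuine:
        return ("lookalike", genuine)
    return ("unknown", None)


def scan(paths):
    """Return only the paths that deserve a closer look."""
    findings = []
    for p in paths:
        verdict, genuine = classify(p)
        if verdict in ("lookalike", "wrong-path"):
            findings.append((p, verdict, genuine))
    return findings


# Constructed sample process list (not taken from the thread's screenshots).
SAMPLE = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"C:\WINDOWS\system32\lexplore.exe",
    r"C:\Documents and Settings\user\explorer.exe",
]

if __name__ == "__main__":
    for path, verdict, genuine in scan(SAMPLE):
        print(f"{verdict:10} {path} (imitates {genuine})")
```

A name that matches exactly and sits in the expected folder is only "ok" by name and location; the file size, date and version comparison done earlier in the thread is still needed to rule out a replaced binary.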

paper

  • Guest
Re: codbas-14 detected but not stopped
« Reply #9 on: February 08, 2006, 08:09:30 AM »
Thank you, CharleyO.