Author Topic: Explorer.exe INFECTED win32:malware.gen  (Read 37319 times)


BradJ

  • Guest
Explorer.exe INFECTED win32:malware.gen
« on: December 06, 2009, 01:01:02 AM »
WinXP(32bit) SP2
GA-7NNXP gigabyte motherboard

Hi folks, I need some help with this one if that is ok.  Last night I finished playing WoW as normal and shut down my computer and went to bed.  This morning I turned on computer and logged in as normal at welcome screen (only have 1 user account, administrator) and the desktop would not load, computer becomes idle but with a blank background, can alt-ctrl-del.  Tried restarting a few times, same result.  My first course of action was to run a scan with Avast in safe mode.  It has detected C:\windows\explorer.exe is infected with malware called win32:malware.gen.  I cannot move to chest, repair or anything.  I have created another user account with no password in control panel and when I restart it breezes past welcome screen and I am presented with a fresh desktop.  I can use the browser and the internet, but when I try to access My Documents or My Computer I am presented with an error

C:\WINDOWS\Explorer.EXE
Windows cannot access the specified device, path or file.  You may not have the appropriate permissions to access the item.

I have scheduled a boot scan with Avast and performed it, same result detects C:\windows\explorer.exe is infected with malware called win32:malware.gen and being explorer.exe I cannot move to chest or do anything.

I have done full scans with MBAB and SAS and they are clean.  Any direction from this point would be much appreciated, thanks.
« Last Edit: December 06, 2009, 01:35:01 AM by BradJ »

shae_32

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #1 on: December 06, 2009, 01:21:53 AM »
Hi. Welcome to the Avast forums. :)

Can you download HijackThis? If so, install it on your desktop and let it run a scan. Then save the log and post it and I'm sure someone will come along that can aid you in removing said pest from your PC.

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #2 on: December 06, 2009, 01:27:17 AM »
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:13 PM, on 12/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\sstray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4125 bytes

Offline Pondus

  • Probably Bot
  • Posts: 37594
  • Not a avast user
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #3 on: December 06, 2009, 02:04:06 AM »
Quote
I have scheduled a boot scan with Avast and performed it, same result detects C:\windows\explorer.exe is infected with malware called win32:malware.gen and being explorer.exe I cannot move to chest or do anything.

I have done full scans with MBAB and SAS and they are clean.  Any direction from this point would be much appreciated, thanks.
If I remember correctly someone else just had the same problem, and it was solved by running
Dr.WebCureit http://www.freedrweb.com/cureit/?lng=en

You are running WinXP SP2. SP3 was released in 2008 with a total of 1,174 fixes + all later

YoKenny

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #4 on: December 06, 2009, 02:46:22 AM »
Windows XP Service Pack 3 has been available for over a year and provides many Critical Updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don't automatically download or install them.

IE8 is more secure than IE6 and has a lot better performance and security:
http://www.microsoft.com/windows/Internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #5 on: December 06, 2009, 03:45:36 AM »
Quote
I have scheduled a boot scan with Avast and performed it, same result detects C:\windows\explorer.exe is infected with malware called win32:malware.gen and being explorer.exe I cannot move to chest or do anything.

I have done full scans with MBAB and SAS and they are clean.  Any direction from this point would be much appreciated, thanks.
If I remember correctly someone else just had the same problem, and it was solved by running
Dr.WebCureit http://www.freedrweb.com/cureit/?lng=en

You are running WinXP SP2. SP3 was released in 2008 with a total of 1,174 fixes + all later

I ran this and it detected C:\windows\system32\cmdow.exe was tool.hidewindows

The results from Secunia were as follows:
The Secunia Online Software Inspector will inspect your operating system and software for insecure versions and missing security updates. A default inspection normally lasts 5-40 seconds, while a thorough inspection may take several minutes.

Detection Statistics:
8 Applications Detected in Total
1 Insecure Version Detected
7 Patched Versions Detected

Running For:
0 Minutes, 52 Seconds

Errors with the scan:
1 Error Detected
Scan Options:
Enable thorough system inspection
Display only insecure programs
Status / Currently Processing:
Detection completed with 1 error

Programs / Result    Version Detected    Status
Macromedia Flash Player 6.x    6.0.79.0    Insecure

This installation of Macromedia Flash Player 6.x is insecure and potentially exposes your system to security threats!

The detected version installed on your system is 6.0.79.0, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 6.0.88.0.

Update Instructions:
Apply updates.

Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
http://www.adobe.com/go/getflash

Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
http://www.adobe.com/licensing/distribution

Flash CS3 Professional (update to version 9.0.47.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flash Professional 8, Flash Basic (update to version 8.0.35.0):
http://www.adobe.com/support/flashplayer/downloads.html

Flex 2.0 (update to version 9.0.47.0):
http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9

Flash Player version 7.0.70.0 for Linux and Solaris reportedly fixes vulnerability #2 for Opera and Konqueror browsers.


Installed on Your System in:
C:\WINDOWS\SYSTEM32\Macromed\Flash\flash.ocx

I suspect I picked up this naughty from torrent sites the other day.
« Last Edit: December 06, 2009, 05:21:21 AM by BradJ »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #6 on: December 06, 2009, 03:53:25 AM »
Hi

I don't think SP3 will help a whole lot with this.

Let's see if we can get a look at the account with the problems.

Log into the problem account. Once there you can open a browser with Task Manager.

Use alt-ctrl-del to open Task Manager.
  • In Task Manager, click the Options button
  • check mark Always on Top
  • This will keep Task Manager from disappearing when you click on anything else.
  • click file
  • click New Task(Run...)
  • type the following line into the open: field
    iexplore.exe
  • click ok
  • Internet Explorer should open
  • Using your left mouse button, click on the top blue portion of Task Manager and slide it down to the lower part of your screen so it's out of the way. Do not minimize it.

It is important that you do not minimize your browser, Task Manager or the tool I'm going to have you download. If you do you will lose them and will need to start over.

Note: When you download this tool to the specified location, it will not be visible to you. We will launch it via the run command.

Please download SystemLook from one of the links below by
  • right clicking the link and clicking Save Target As
  • In the Save As window, using the dropdown menu set the Save In box to Local disk (C:)
  • make sure the filename is SystemLook.exe and the type is Application
  • click Save
Download Mirror #1
Download Mirror #2


Next
  • Holding down your left mouse button, highlight all the text in the codebox below.
  • Do not copy the word CODE, please note the script starts with the :
  • right click the highlighted text and choose copy
Code:
:filefind
explorer.ex*
:reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe

In Task Manager
  • click file
  • click New Task(Run...)
  • type the following line into the open: field
    C:\Systemlook.exe
  • click ok
SystemLook should appear on your screen.
  • Right click anywhere in the white field and choose paste.
  • the text you copied earlier should appear
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
Please post this log in your next reply.

If you lose the notepad before you can post the contents, you may retrieve it by copying and pasting this command in the Task Manager open box.
%userprofile%\desktop\SystemLook.txt

Thanks

edit to fix links
« Last Edit: December 06, 2009, 04:09:10 AM by oldman »

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #7 on: December 06, 2009, 04:06:31 AM »
Hi, it says site was not found, please check the address and try again, from both locations.

Thanks

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #8 on: December 06, 2009, 04:07:48 AM »
Hi Bradj,

I just fixed the links, they should work now.

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #9 on: December 06, 2009, 04:13:25 AM »
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:12 on 06/12/2009 by Warcraft (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.ex*"
C:\WINDOWS\explorer.exe   --a--- 1032192 bytes   [07:50 22/10/2005]   [07:50 22/10/2005] (Unable to calculate MD5)
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf   --a--- 89728 bytes   [13:02 28/11/2009]   [10:42 04/12/2009] 972DBB5C06EA0A3AF5C16497A294173B

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
(Unable to open key - key not found)

-=End Of File=-

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #10 on: December 06, 2009, 04:21:42 AM »
Hi Bradj,

You ran SystemLook from the account you are having problems with?


It looks like explorer may be patched, let's see with what.

We need some file information
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path, one at a time if more than one file is listed, into the "Suspicious files to scan" box on the top of the page:

    C:\WINDOWS\explorer.exe

  • Click on the Upload button
  • Please ensure the scan is complete and the results saved before submitting the next.
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Thanks
« Last Edit: December 06, 2009, 04:23:47 AM by oldman »

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #11 on: December 06, 2009, 04:33:25 AM »
I will take this next step you advised but first I will advise the behaviour I am observing.

I initially noticed there was a problem when I first turned on the computer this morning, I use the Administrator account and log in with its password at the Welcome Screen, it was then that I noticed that the desktop would not load.  I restarted into Safe Mode and made another User Account with no password and restarted, it booted up to the (fresh) desktop of this new user account.  If I attempt to go into My Computer or My Documents I get a system beep and system error box saying I don't have access, and Avast immediately pops up saying C:\WINDOWS\EXPLORE.Exe is infected with Win32:Malware.gen.

Right before I performed your Systemlook test I attempted to log out of the new account back to the welcome screen where I was of course presented with the user account.  I clicked on it to log straight back in but observed the same behaviour as when I first attempted to log into Administrator, the desktop would not load, so it was at that point, since I observed same behaviour that I performed your systemlook test.  Would you like me to relog into the initial Administrator account and perform your systemlook test?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #12 on: December 06, 2009, 04:41:24 AM »
Hi Bradj,

Sorry I should have been clearer.

Yes, I'd like to have a look with SystemLook from within the problem account.

If you follow the instructions I posted first time you should be able to open IE via task manager and come back to this forum to follow the rest of those instructions.

You may as well do the VirScan also.

Thanks


BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #13 on: December 06, 2009, 05:16:19 AM »
VIRSCAN results:

Scanner results :   5% Scanner(s) (2/37) found malware!
Time :   2009/12/06 17:04:51 (NZDT)
Scanner Engine Ver Sig Ver Sig Date Scan result Time
a-squared 4.5.0.8 20091206090244 2009-12-06 - 4.331
AhnLab V3 2009.12.06.00 2009.12.06 2009-12-06 - 0.982
AntiVir 8.2.1.92 7.10.1.170 2009-12-05 - 0.425
Antiy 2.0.18 20091204.3347676 2009-12-04 - 0.121
Arcavir 2009 200912050612 2009-12-05 - 0.076
Authentium 5.1.1 200912051639 2009-12-05 - 2.216
AVAST! 4.7.4 091205-1 2009-12-05 Win32:Malware-gen 0.051
AVG 8.5.288 270.14.95/2547 2009-12-06 - 0.341
BitDefender 7.81008.4697249 7.29319 2009-12-06 - 4.056
CA (VET) 35.1.0 7158 2009-12-04 - 5.565
ClamAV 0.95.2 10113 2009-12-04 - 1.115
Comodo 3.13 3152 2009-12-06 - 1.285
CP Secure 1.3.0.5 2009.12.04 2009-12-04 - 0.799
Dr.Web 4.44.0.9170 2009.12.05 2009-12-05 - 9.015
F-Prot 4.4.4.56 20091205 2009-12-05 - 2.263
F-Secure 7.02.73807 2009.12.05.02 2009-12-05 - 6.748
Fortinet 11.128- 11.128 2009-12-05 - 0.218
GData 19.9184/19.607 20091206 2009-12-06 Win32:Malware-gen [Engine:B] 6.680
Ikarus T3.1.01.74 2009.12.05.74655 2009-12-05 - 4.325
JiangMin 13.0.900 2009.12.02 2009-12-02 - 4.252
Kaspersky 5.5.10 2009.12.06 2009-12-06 - 0.076
KingSoft 2009.2.5.15 2009.12.6.9 2009-12-06 - 0.550
McAfee 5.3.00 5823 2009-12-05 - 3.312
Microsoft 1.5302 2009.12.06 2009-12-06 - 6.757
Norman 6.01.09 6.01.00 2009-12-05 - 4.005
nProtect 20091203.01 6487164 2009-12-03 - 4.404
Panda 9.05.01 2009.12.05 2009-12-05 - 3.437
Quick Heal 10.00 2009.12.05 2009-12-05 - 1.561
Rising 20.0 22.24.06.01 2009-12-06 - 1.257
Sophos 3.02.0 4.48 2009-12-06 - 2.693
Sunbelt 3.9.2381.2 5546 2009-12-05 - 2.133
Symantec 1.3.0.24 20091205.006 2009-12-05 - 0.084
The Hacker 6.5.0.2 v00086 2009-12-05 - 1.230
Trend Micro 9.000-1003 6.672.06 2009-12-06 - 0.031
VBA32 3.12.12.0 20091202.2156 2009-12-02 - 2.264
ViRobot 20091204 2009.12.04 2009-12-04 - 0.442
VirusBuster 4.5.11.10 10.115.1/2003653 2009-12-05 - 4.543

The copy to clipboard for some reason wasn't a clickable button for me so I copy pasted the results, hope it's the same.

The no desktop loading thing seems to happen when there is any interaction with the Welcome Screen.  If I remove the password for the second account and restart it will boot up to a desktop fine.  If I add a password to that 2nd account and restart and type a password at Welcome Screen I will have no desktop (I can get internet access with no desktop on 2nd account by starting IE), however if I log out of 2nd account and log in to Administrator with my password I have no desktop (no internet access either, this making it tricky to post a systemlook scan).

So now I have 2 Administrator accounts, in the user accounts screen I cannot see the Administrator account anymore, just the named 2nd account, which it will not let me delete because it says it needs another administrator account which there should be, Administrator.
« Last Edit: December 06, 2009, 05:38:39 AM by BradJ »

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #14 on: December 06, 2009, 05:47:21 AM »
This is the systemlook log from the Administrator account:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:46 on 06/12/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "explorer.ex*"
C:\WINDOWS\explorer.exe   --a--- 1032192 bytes   [07:50 22/10/2005]   [07:50 22/10/2005] (Unable to calculate MD5)
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf   --a--- 89728 bytes   [13:02 28/11/2009]   [10:42 04/12/2009] 972DBB5C06EA0A3AF5C16497A294173B

========== reg ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
(Unable to open key - key not found)

-=End Of File=-
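As an added example, not code from the thread, from SystemLook's author or from any participant, here is a small Python triage script for the two SystemLook sections the helper asked for (filefind and reg). It runs over a constructed copy of the log posted above and flags the two things he was checking: an explorer.exe whose MD5 could not be read, and an Image File Execution Options key for explorer.exe if one exists. The meaning of the two bracketed timestamps and the format of value lines printed under a found key are assumptions about SystemLook's output.

```python
import re

# Constructed copy of the SystemLook log posted in the thread (header and blank lines trimmed).
SAMPLE_LOG = r"""========== filefind ==========
Searching for "explorer.ex*"
C:\WINDOWS\explorer.exe   --a--- 1032192 bytes   [07:50 22/10/2005]   [07:50 22/10/2005] (Unable to calculate MD5)
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf   --a--- 89728 bytes   [13:02 28/11/2009]   [10:42 04/12/2009] 972DBB5C06EA0A3AF5C16497A294173B
========== reg ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
(Unable to open key - key not found)
-=End Of File=-
"""
# One filefind hit: path, attribute flags, size, two bracketed timestamps, then an MD5 or an error note.
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s{2,}(?P<attrs>\S+)\s+(?P<size>\d+) bytes"
                     r"\s+\[(?P<ts1>[^\]]+)\]\s+\[(?P<ts2>[^\]]+)\]\s+(?P<md5>.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")


def _section(log: str, name: str) -> list:
    # Non-empty lines between "========== name ==========" and the next header or the end marker.
    out, inside = [], False
    for line in log.splitlines():
        if line.startswith("=========="):
            inside = line.strip("= ") == name
        elif line.startswith("-=End Of File=-"):
            break
        elif inside and line.strip():
            out.append(line.rstrip())
    return out


def parse_filefind(log: str) -> list:
    """Each hit as a dict; md5 is None when SystemLook printed '(Unable to calculate MD5)'."""
    hits = []
    for m in filter(None, map(FILE_RE.match, _section(log, "filefind"))):
        md5 = m.group("md5")
        hits.append({"path": m.group("path"), "attrs": m.group("attrs"), "size": int(m.group("size")),
                     "ts1": m.group("ts1"), "ts2": m.group("ts2"),  # creation / last-write (assumption)
                     "md5": md5.upper() if re.fullmatch(r"[0-9A-Fa-f]{32}", md5) else None})
    return hits


def parse_reg(log: str) -> dict:
    """Key -> lines SystemLook printed under it, or None when the key does not exist."""
    keys, current = {}, ""
    for line in _section(log, "reg"):
        if m := KEY_RE.match(line):
            current = m.group("key")
            keys[current] = []
        elif current and "key not found" in line:
            keys[current] = None
        elif current and keys[current] is not None:
            keys[current].append(line)
    return keys


def triage(log: str) -> list:
    """The two checks the thread's helper was making, reported as findings for a responder."""
    findings = []
    for hit in parse_filefind(log):
        if hit["path"].lower().endswith(".exe") and hit["md5"] is None:
            findings.append(f"{hit['path']}: MD5 unreadable (locked or access denied); "
                            f"compare size {hit['size']} bytes against a known-good copy")
    for key, values in parse_reg(log).items():
        # A Debugger value under an IFEO key redirects launches of that executable; the
        # value-line format under a found key is an assumption about SystemLook's output.
        if "Image File Execution Options" in key and values is not None:
            dbg = [v.strip() for v in values if "debugger" in v.lower()]
            findings.append(f"{key}: IFEO key exists" + (f"; {dbg[0]}" if dbg else ""))
    return findings
```

On the log from the thread this reports only the unreadable explorer.exe hash, which matches the "cannot access the specified device, path or file" error the poster saw; the IFEO key is reported as absent.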