Author Topic: Explorer.exe INFECTED win32:malware.gen  (Read 37224 times)

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #15 on: December 06, 2009, 05:57:57 AM »
Hi Bradj,

Thanks.

There is something going on with explorer even though those scan results say otherwise. I just tested mine and neither Avast nor the online scan detected anything.


Do you have an XP CD?

As there are problems in the new account you created, let's use that one; at least you have a desktop to work from.


Download OTL to your desktop.
  • Double click on OTL.exe to run it. Make sure all other windows are closed and let it run uninterrupted.
  • When the window appears, underneath Output at the top, change it to Minimal Output.
  • Check the boxes beside LOP Check and Purity Check.
  • Copy and paste the following bold text into the box under Custom Scan:
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
/md5stop
%systemroot%\*.* /r /s
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them all in. You will probably need to attach them as this forum has small pages.

Please post back with
  • both OTL logs


BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #16 on: December 06, 2009, 06:12:14 AM »
Sorry no XP CD

I am getting a stop error a bit into the scanning with OTL:

Invalid time flag! [r]
Must be numerical.
« Last Edit: December 06, 2009, 06:20:00 AM by BradJ »

Offline oldman

Re: Explorer.exe INFECTED win32:malware.gen
« Reply #17 on: December 06, 2009, 07:03:25 AM »
Hi Bradj,

I asked about the XP CD because I'm looking for a good copy of explorer.exe.


Ok, let's see if we can get a look with these tools.

Download and run Win32kDiag:
  • Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
    • To ensure the entire contents are copied, right click anywhere in the notepad and click Select All
    • Right click the highlighted text and click Copy
Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file.

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #18 on: December 06, 2009, 07:55:05 AM »
Running from: C:\Documents and Settings\Warcraft\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Warcraft\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

-------------------------------------------------------------------------------------


DDS (Ver_09-12-01.01) - NTFSx86  
Run by Warcraft at 19:47:30.95 on Sun 12/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1023.467 [GMT 13:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\sstray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Warcraft\Desktop\dds.scr

============== Pseudo HJT Report ===============

mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [nForce Tray Options] sstray.exe /r
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wirele~1.lnk - c:\program files\802.11 wireless lan\802.11g wireless cardbus & pci adapter hw.21 v1.30\WlanCU.exe
uPolicies-explorer: NoInternetIcon = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoInternetIcon = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\warcraft\applic~1\mozilla\firefox\profiles\xcwahe5d.default\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-29 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-11-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-23 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-29 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-11-29 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-11-29 254040]
R3 TNET1130;IEEE 802.11g Wireless Cardbus/PCI Adapter;c:\windows\system32\drivers\TNET1130.sys [2004-6-17 386688]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-11-29 352920]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-23 7408]

=============== Created Last 30 ================

2009-12-06 05:53:44   0   d--h--w-   c:\windows\PIF
2009-12-06 03:10:28   102660   ----a-w-   C:\SystemLook.exe
2009-12-06 03:02:25   0   d-s---w-   c:\documents and settings\warcraft\UserData
2009-12-06 02:08:49   0   d-----w-   c:\documents and settings\warcraft\DoctorWeb
2009-12-06 00:25:55   0   d-----w-   c:\program files\Trend Micro
2009-12-06 00:16:21   0   d-----w-   c:\program files\Spybot - Search & Destroy
2009-12-06 00:16:21   0   d-----w-   c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-12-05 23:12:53   0   d-----w-   c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-12-05 23:12:43   0   d-----w-   c:\program files\SUPERAntiSpyware
2009-12-05 23:12:43   0   d-----w-   c:\docume~1\warcraft\applic~1\SUPERAntiSpyware.com
2009-12-05 22:46:37   0   d-----w-   c:\docume~1\warcraft\applic~1\Malwarebytes
2009-12-05 22:46:33   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-05 22:46:32   0   d-----w-   c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-05 22:46:31   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-12-05 22:46:31   0   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-12-05 22:18:56   221184   ----a-w-   c:\windows\system32\wmpns.dll
2009-12-03 07:44:48   0   d-----w-   c:\program files\IObit
2009-12-01 20:14:41   116   ----a-w-   c:\windows\NeroDigital.ini
2009-12-01 20:10:55   133211   ------w-   c:\windows\UNNeroVision.cfg
2009-12-01 20:10:54   2277376   ------w-   c:\windows\UNNeroVision.exe
2009-12-01 20:03:38   106496   ------w-   c:\windows\system32\TwnLib20.dll
2009-12-01 20:03:35   471040   ------w-   c:\windows\system32\ImagXRA7.dll
2009-12-01 20:03:35   364544   ------w-   c:\windows\system32\TwnLib4.dll
2009-12-01 20:03:35   262144   ------w-   c:\windows\system32\ImagXR7.dll
2009-12-01 20:03:34   476320   ------w-   c:\windows\system32\ImagXpr7.dll
2009-12-01 20:03:34   1568768   ------w-   c:\windows\system32\ImagX7.dll
2009-12-01 20:03:33   38912   ------w-   c:\windows\system32\picn20.dll
2009-12-01 20:03:30   155648   ----a-w-   c:\windows\system32\NeroCheck.exe
2009-12-01 19:59:02   0   d-----w-   c:\windows\system32\appmgmt
2009-12-01 19:01:53   24064   ------w-   c:\windows\system32\msxml3a.dll
2009-12-01 11:26:24   0   d-----w-   c:\program files\VideoLAN
2009-12-01 11:09:06   0   d-----w-   c:\program files\uTorrent
2009-11-30 19:15:39   0   d-----w-   c:\program files\common files\Blizzard Entertainment
2009-11-30 13:06:05   0   d-----w-   c:\program files\Ventrilo
2009-11-30 13:06:00   262   ----a-w-   c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-11-30 13:05:46   0   d-----w-   c:\program files\common files\Wise Installation Wizard
2009-11-29 18:48:17   0   d-----w-   c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2009-11-29 01:48:29   0   d-----w-   c:\program files\common files\ODBC
2009-11-29 01:48:26   0   d-----w-   c:\program files\common files\SpeechEngines
2009-11-29 01:48:00   0   d-----r-   c:\documents and settings\all users\Documents
2009-11-28 22:16:52   0   d-----w-   c:\docume~1\alluse~1\applic~1\Blizzard
2009-11-28 21:05:24   0   d-----w-   c:\program files\World of Warcraft
2009-11-28 14:37:14   0   d-----w-   c:\program files\ATI
2009-11-28 13:53:48   0   d-----w-   c:\program files\Driver Cleaner Pro
2009-11-28 13:22:08   0   d-----w-   c:\program files\ATI Technologies
2009-11-28 13:07:09   0   d-----w-   c:\program files\802.11 Wireless LAN
2009-11-28 13:06:57   0   d-----w-   c:\docume~1\alluse~1\applic~1\{3BF7B6DE-D2D6-4888-83BE-488663791EB5}
2009-11-28 13:00:22   0   d-sh--w-   c:\documents and settings\all users\DRM
2009-11-28 13:00:19   0   d-----w-   c:\program files\Messenger
2009-11-28 12:58:46   0   d--h--w-   c:\program files\WindowsUpdate
2009-11-28 12:58:42   0   d-----w-   c:\program files\Online Services
2009-11-28 12:58:12   0   d-----w-   c:\program files\common files\MSSoap
2009-11-28 12:57:04   0   d-----w-   c:\program files\MSN Gaming Zone
2009-11-28 12:56:49   0   d-----w-   c:\program files\Windows NT

==================== Find3M  ====================

2009-11-28 14:53:00   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-11-28 13:06:57   62865   ----a-w-   c:\windows\system32\drivers\odysseyIM3.sys
2009-11-28 12:57:35   21640   ----a-w-   c:\windows\system32\emptyregdb.dat

============= FINISH: 19:47:38.25 ===============


« Last Edit: December 06, 2009, 08:31:48 AM by BradJ »

Offline oldman

Re: Explorer.exe INFECTED win32:malware.gen
« Reply #19 on: December 06, 2009, 05:26:27 PM »
Hi Bradj,

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab and make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.

Please post the GMER log.

Thanks

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #20 on: December 06, 2009, 08:47:45 PM »
GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-07 08:46:45
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Warcraft\LOCALS~1\Temp\kxtdqpog.sys


---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwClose [0xAA6336B8]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwCreateKey [0xAA633574]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwDeleteValueKey [0xAA633A52]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwDuplicateObject [0xAA63314C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwOpenKey [0xAA63364E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwOpenProcess [0xAA63308C]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwOpenThread [0xAA6330F0]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwQueryValueKey [0xAA63376E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwRestoreKey [0xAA63372E]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)                         ZwSetValueKey [0xAA6338AE]

---- Kernel code sections - GMER 1.0.15 ----

init            C:\WINDOWS\system32\drivers\nvax.sys                                                                          entry point in "init" section [0xF7C2CB1E]
.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys                                                                      section is writeable [0xF6570000, 0x1B601E, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  00370002
IAT             C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]        00370000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                        aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                      aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                     aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                     aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                   aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
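
An added example, not part of the original thread or of GMER itself: a small Python triage of a GMER log like the one posted above, separating entries attributed to the installed avast! drivers from entries left for a helper to read by hand. The sample lines are constructed in the log's layout, and the trusted-driver list is an assumption built from the avast! driver names that appear in this log.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the GMER 1.0.15 log posted in this thread.
SAMPLE_LOG = r"""
GMER 1.0.15.15252 - http://www.gmer.net

---- System - GMER 1.0.15 ----

SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)     ZwClose [0xAA6336B8]
SSDT            \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)     ZwOpenProcess [0xAA63308C]

---- Kernel code sections - GMER 1.0.15 ----

.text           C:\WINDOWS\system32\DRIVERS\ati2mtag.sys      section is writeable [0xF6570000, 0x1B601E, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]        00370000

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Tcp           aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
"""

# Assumption: drivers of the security product known to be installed on this machine.
TRUSTED_DRIVERS = frozenset({"aswsp.sys", "aswmon2.sys", "aswtdi.sys"})

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# GMER prints an attributed driver as "name.sys (description/vendor)".
OWNER_RE = re.compile(r"([^\\\s]+\.sys)\s+\(([^)]*)\)", re.IGNORECASE)
# SSDT lines end with "FunctionName [0xADDRESS]".
FUNC_RE = re.compile(r"(\w+)\s+\[0x[0-9A-Fa-f]+\]$")


def parse_gmer(text):
    """Return a list of (section, kind, detail) tuples, one per log entry."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or section == "EOF":
            continue  # banner lines before the first section, or trailer
        kind, _, detail = line.partition(" ")
        entries.append((section, kind, detail.strip()))
    return entries


def triage(entries, trusted=TRUSTED_DRIVERS):
    """Split entries into those owned by a trusted driver and those to review."""
    attributed, review = defaultdict(list), []
    for section, kind, detail in entries:
        owner = OWNER_RE.search(detail)
        name = owner.group(1).lower() if owner else None
        if name in trusted:
            attributed[name].append((kind, detail))
        else:
            # No owning driver printed, or a driver outside the list: read by hand.
            review.append((section, kind, detail))
    return dict(attributed), review


def ssdt_functions(entries):
    """Map each hooking driver to the system-call names it hooks in the SSDT."""
    hooks = defaultdict(list)
    for _section, kind, detail in entries:
        if kind != "SSDT":
            continue
        owner, func = OWNER_RE.search(detail), FUNC_RE.search(detail)
        if owner and func:
            hooks[owner.group(1).lower()].append(func.group(1))
    return {drv: sorted(names) for drv, names in hooks.items()}


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    owned, to_review = triage(parsed)
    for driver, items in owned.items():
        print(f"{driver}: {len(items)} entries attributed")
    for section, kind, detail in to_review:
        print(f"REVIEW [{section}] {kind}: {detail}")
```

An entry on the review list is not a finding; it only means the log line carries no attribution to a listed driver, which is where the false-positive caution in the instructions applies.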

Offline oldman

Re: Explorer.exe INFECTED win32:malware.gen
« Reply #21 on: December 06, 2009, 09:05:53 PM »
Hi Bradj,

Ok, no rootkits.

Please read through these instructions to familiarize yourself with what to expect when this tool runs.


Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post the combofix log.

Thanks

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #22 on: December 06, 2009, 10:10:41 PM »
I'm a complete idiot, even after reading instructions carefully I started combofix with Avast not disabled, here's the report hope it's ok, do you want me to do a re-run with AV disabled, sorry for brain freeze.


BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #23 on: December 06, 2009, 11:10:24 PM »
There is a change in behaviour.

Opening My Documents and My Computer no longer alerts Avast to an infected explorer.exe

Scanning C:\WINDOWS\explorer.exe now comes up clean, it wasn't last night.

Offline oldman

Re: Explorer.exe INFECTED win32:malware.gen
« Reply #24 on: December 07, 2009, 12:01:03 AM »
Hi Bradj,

Thanks for the update. Combofix still finds a problem with it.

We still need to locate a good copy of explorer.exe plus another file.

Click your Start button, click Run. Copy and paste the following line and click OK

C:\SystemLook.exe

SystemLook should open. Use this script this time. Note it starts with the :

Code:
:filefind
wscntfy.ex*


Next

We will use combofix again but run it differently.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click run
  • in the run box type notepad
  • click ok
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.

  • Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE
Code:
SRPeek::
c:\windows\explorer.exe
c:\windows\System32\wscntfy.exe

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Please post back with
  • SystemLook log
  • combofix log
Thanks


BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #25 on: December 07, 2009, 12:28:24 AM »
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 12:18 on 07/12/2009 by Warcraft (Administrator - Elevation successful)

========== filefind ==========

Searching for "wscntfy.ex*"
No files found.

-=End Of File=-

Offline oldman

Re: Explorer.exe INFECTED win32:malware.gen
« Reply #26 on: December 07, 2009, 05:22:28 AM »
Hi Bradj,

Combofix did remove a trojan when we ran it so that may explain why explorer.exe is not being currently flagged by avast. Also combofix was able to read the MD5 number this time.

Unfortunately there isn't a good copy of wscntfy.exe to be found anywhere.

I'd like you to test a couple of files. The files paths may look strange, as if 2 paths are squashed together, but that is the actual file path.

We need some file information
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path, one at a time if more than one file is listed, into the "Suspicious files to scan" box on the top of the page:
  • Ensure that the scan is complete and the results saved before submitting the next.

C:\Qoobox\Quarantine\c\windows\system32\sstray.exe.vir

C:\Qoobox\Quarantine\c\program files\ATI Technologies\ATI.ACE\Core-Static\atIAcmxx.dll.vir


  • Click on the Upload button
  • Please ensure the scan is complete and the results saved before submitting the next.
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Have you tried entering your problem account?

Are you experiencing any redirects or similar problems?

Please post back with the VirScan results.

Thanks


BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #27 on: December 07, 2009, 08:53:16 AM »
I just ran a test, in User Accounts changed the way users log on to not use the welcome screen (so it would stop at welcome screen and make me type account name i.e. Administrator), restarted and entered the Administrator account which is where I first encountered these problems, it logged in fine, desktop appeared, things appear normal at the moment. These symptoms would occur even with the "2nd" user account if I'd chosen to not use the welcome screen, thus typing in its account name and password (or no password if I removed a password for that account - did both when experimenting). It wasn't until I opted in User Accounts to "use the welcome screen" and removing the password, so it wouldn't stop at welcome screen, that it would carry on and load the desktop thus giving me some functionality. At that point trying to open My Documents or My Computer would alert Avast to C:\WINDOWS\explorer.exe being infected. It is doing none of these things now.

As for redirects, are you referring to my desktop functionality or strange browser behaviour, if so no, no weird browser redirects that I've noticed.
« Last Edit: December 07, 2009, 08:54:53 AM by BradJ »

Offline oldman

Re: Explorer.exe INFECTED win32:malware.gen
« Reply #28 on: December 08, 2009, 06:40:36 AM »
Hi Bradj,

I meant browser redirects or search redirects.

Just for clarification, you can now log in with passwords?

µTorrent
You have µTorrent, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it. It's not the program itself but what can be downloaded with it, usually from an unknown source.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/canada/athome/security/online/p2p_file_sharing.mspx

http://www.microsoft.com/protect/data/downloadfileshare/filesharing.aspx

http://www.internetworldstats.com/articles/art053.htm

I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Next

Download and save to your desktop Malwarebytes Anti-Malware

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Next

*Note*
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Change the Files of type to Text file (.txt)
  • Set the Save In to Desktop
  • click the Save button.
  • Please post this log in your next reply.

Please post back with the MBAM log and the Kaspersky log.

Thanks
« Last Edit: December 08, 2009, 06:52:27 AM by oldman »

BradJ

  • Guest
Re: Explorer.exe INFECTED win32:malware.gen
« Reply #29 on: December 08, 2009, 09:50:21 PM »
Hi

I have not noticed any browser redirects.

I can log into Windows with passwords.

I have removed Utorrent, have learned my lesson with these dirty files.