Author Topic: explorer.exe virus W32:Malware virus  (Read 22366 times)


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: explorer.exe virus W32:Malware virus
« Reply #15 on: October 16, 2010, 05:40:24 PM »
If you read the guide by Essexboy, you see that there is a program called OTL.....

Run OTL and it will produce the logs that Essexboy likes to have... OTL.Txt and Extras.Txt.

Then you post them as attachments.

jmelaniehunt

  • Guest
Re: explorer.exe virus W32:Malware virus
« Reply #16 on: October 16, 2010, 05:48:59 PM »
I clicked on OTL and it took me to this website http://http//oldtimer.geekstogo.com/OTL.exe where I got a message from Internet Explorer saying that they could not display the page.  Do you know of another place where I can download the file?  Sorry but nothing seems to be working for me.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: explorer.exe virus W32:Malware virus
« Reply #17 on: October 16, 2010, 05:57:34 PM »
This is just what I found; it could be wrong, though, so don't remove anything until we're positive.

Could Be Bad:
C:\Windows\System32\igfxpers.exe (http://www.bleepingcomputer.com/startups/igfxpers.exe-23118.html)
O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe


FROM YAHOO INC.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)


ADWARE (OPTIONAL TO REMOVE)
O2 - BHO: ALOT Toolbar Helper - {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - C:\Program Files\alot\bin\BHO\alotBHO.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: ALOT Toolbar - {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files\alot\bin\alot.dll


Looks Suspicious:
O4 - HKCU\..\Run: [efhlsdok] C:\Users\Hunt\AppData\Local\Temp\tjxexdgre\ywdciudlanw.exe

O4 - HKCU\..\Run: [avsi] C:\Program Files\Antivirus IS Basic\avsi.exe /tray


Edit: Same here, the site might be down.
« Last Edit: October 16, 2010, 05:59:27 PM by Donovansrb10 »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: explorer.exe virus W32:Malware virus
« Reply #18 on: October 16, 2010, 05:58:28 PM »
Essexboy has posted 3 download links there.....

Have PMed him, so he is on the way....

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: explorer.exe virus W32:Malware virus
« Reply #19 on: October 16, 2010, 06:01:28 PM »

Altarir.

  • Guest
Re: explorer.exe virus W32:Malware virus
« Reply #20 on: October 16, 2010, 06:03:29 PM »
I clicked on OTL and it took me to this website http://http//oldtimer.geekstogo.com/OTL.exe

uhh. Remove one of the "http//" thingies in the URL address bar.

@essexboy - one of the links in your post has two http in it (the link is attached to the "OTL" word).
« Last Edit: October 16, 2010, 06:08:22 PM by Altarir. »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe virus W32:Malware virus
« Reply #21 on: October 16, 2010, 06:12:58 PM »
Fixed the link  :o

@jmelaniehunt

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Minimal Output at the top
  • Select All Users
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.
As you have 7, there is a fairly quick fix that sometimes works:

From the Start menu, select Run.
In the Open field, type sfc /scannow (Note: There is a space between sfc and /scannow)
Select the OK button.
Follow the prompts throughout the System File Checker process.
Reboot the computer when System File Checker completes.

jmelaniehunt

  • Guest
Re: explorer.exe virus W32:Malware virus
« Reply #22 on: October 16, 2010, 06:57:53 PM »
I think these are the files you need.  I tried running the scannow file but nothing happened (left the space correctly).

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe virus W32:Malware virus
« Reply #23 on: October 16, 2010, 07:18:11 PM »
OK, let's start - there are many variants of this malware and the ease of removal varies.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:27811
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - No CLSID value found.
    [2010/10/09 09:27:12 | 000,000,120 | ---- | C] () -- C:\Users\Hunt\AppData\Local\Bfajoziyijevulas.dat
    [2010/10/09 09:27:12 | 000,000,000 | ---- | C] () -- C:\Users\Hunt\AppData\Local\Xwiseviwepasuleb.bin
    [2010/10/09 09:57:43 | 000,000,000 | ---D | M] -- C:\Users\Hunt\AppData\Roaming\Ahbyyv
    [2010/10/15 19:25:35 | 000,000,000 | ---D | M] -- C:\Users\Hunt\AppData\Roaming\Ezuzva

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.



When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
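As an added illustration (not code from the thread, from OTL or from ComboFix) of the triage Donovan did by hand in Reply #17 and of the entries essexboy targets in the fix script above: a small Python checker over log lines in the OTL/HijackThis style, flagging the patterns this thread treats as suspicious (an autorun launched from the user's Temp folder, an Internet Explorer proxy pointed at localhost, a system process with no publisher name, and an orphaned BHO). The sample lines are constructed from the entries quoted in this thread, and the rules are my own heuristics, not anything the tools themselves do.

```python
import re
from dataclasses import dataclass

# Constructed sample in the OTL/HijackThis log style, built from entries
# quoted in this thread (the "Hunt" user profile is the thread's own).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Persistence] C:\windows\system32\igfxpers.exe
O4 - HKCU\..\Run: [efhlsdok] C:\Users\Hunt\AppData\Local\Temp\tjxexdgre\ywdciudlanw.exe
O4 - HKCU\..\Run: [avsi] C:\Program Files\Antivirus IS Basic\avsi.exe /tray
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:27811
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
PRC - C:\Windows\explorer.exe ()
PRC - C:\Windows\explorer.exe (Microsoft Corporation)
"""

@dataclass
class Finding:
    line: str    # the log line that triggered the rule
    reason: str  # why a malware-removal helper would look at it

O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$')
PROXY_RE = re.compile(r'"ProxyServer" = (\S+)')
PRC_RE = re.compile(r'^PRC - (.+?) \((.*)\)$')
BHO_RE = re.compile(r'^O2 - BHO: .* - (\{[0-9A-Fa-f-]+\}) - (.+)$')

def triage(log_text):
    """Return the lines a helper should question, with a one-line reason each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            # Legitimate software does not normally persist from Temp.
            if '\\appdata\\local\\temp\\' in m.group(3).lower():
                findings.append(Finding(line, "autorun starts a binary from the user's Temp folder"))
            continue
        m = PROXY_RE.search(line)
        if m and '127.0.0.1' in m.group(1):
            # A loopback proxy lets a local process sit between the browser and the web.
            findings.append(Finding(line, "browser proxy points at localhost"))
            continue
        m = PRC_RE.match(line)
        if m and m.group(1).lower().startswith('c:\\windows\\') and not m.group(2).strip():
            # The thread's key clue: explorer.exe with no company name until SFC restored it.
            findings.append(Finding(line, "Windows system process reports no company/version info"))
            continue
        m = BHO_RE.match(line)
        if m and m.group(2) == '(no file)':
            findings.append(Finding(line, "orphaned BHO registration, the DLL is missing"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Name-based judgements such as calling "Antivirus IS" a rogue product are deliberately left out; those still need a person (or a reputation lookup) rather than a regex.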

jmelaniehunt

  • Guest
Re: explorer.exe virus W32:Malware virus
« Reply #24 on: October 16, 2010, 09:23:48 PM »
Thank you for the help.   I am going to run a full scan before I start this process, so it will be some time before I get back to you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe virus W32:Malware virus
« Reply #25 on: October 16, 2010, 11:33:41 PM »
No problem - just ensure that explorer is not deleted

Off to bed now back tomorrow

jmelaniehunt

  • Guest
Re: explorer.exe virus W32:Malware virus
« Reply #26 on: October 17, 2010, 12:08:29 AM »
Is it possible that it is Avast! that is causing the problem? Malwarebyte did not find this virus. Apart from Avast! saying that I had a virus, the only other indication was that I was unable to get into Windows Explorer through the shortcut which is at the bottom of the page on Windows 7. When I tried to do it, it said that it couldn't because there was a virus. However, while I was following your instructions, I disabled Avast! and it went into Windows Explorer from the shortcut with no problem. Also I typed in explorer.exe through Task Manager and it went into it, though it wouldn't when I had Avast! working.

I followed your instructions as far as I could. In the first part with the OTL file, I am not sure if it completed because I got a message saying there was a serious error and Windows closed down. I did not try running it again. I am enclosing the text file from when I ran the virus scan in OTL. For some reason there was only one file, which I am enclosing. I then downloaded ComboFix and tried to run it. It said it was running and Task Manager said it was running, but nothing happened. I left it for about 30 minutes hoping something would come up, but nothing did.

Should I try reinstalling Avast!?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe virus W32:Malware virus
« Reply #27 on: October 17, 2010, 01:44:15 PM »
Hi, this is from the first OTL run prior to running SFC:
PRC - C:\Windows\explorer.exe ()

This is from the second run after SFC:
PRC - C:\Windows\explorer.exe (Microsoft Corporation)

Notice that explorer is now reported as a legitimate file with the MS name.

"Malwarebyte did not find this virus." It won't, as it is an infection of a system file.

Could you run ComboFix from safe mode, please?

jmelaniehunt

  • Guest
Re: explorer.exe virus W32:Malware virus
« Reply #28 on: October 17, 2010, 06:04:58 PM »
You are probably going to think I am the biggest pain out but I really do appreciate the help you are giving me.   I tried to run ComboFix in safety mode but it said that an antivirus was still running.   I checked the task manager and could not find anything which resembled an antivirus.   I did not continue but I did not want to harm the computer.   Any suggestions?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: explorer.exe virus W32:Malware virus
« Reply #29 on: October 17, 2010, 06:15:10 PM »
Yes, ignore the warning, it will run OK.

EDIT: OK, reading that, it doesn't sound right.

You are not a pain, so rephrased: ignore the ComboFix warning, as Avast in safe mode will not hamper it.

That sounds better ;D 
« Last Edit: October 17, 2010, 06:17:17 PM by essexboy »