Author Topic: Explorer.exe Infected  (Read 24545 times)


Acorogia

  • Guest
Explorer.exe Infected
« on: November 21, 2010, 02:04:28 AM »
Hey guys, first time poster, long time unregistered lurker.

I have been fighting the virus for a month or so now and am throwing in the towel and asking for help.  Here is what I know:

explorer.exe is infected with something (I don't think anything else is, but I could be wrong)
     Symptoms: Internet Explorer popups constantly, sometimes 20-30 of them within a few minutes
               Unauthorized downloads attempted but stopped by UAC
               Huge amounts of resources taken up.

What I have hit it with:
Avast
Hitman Pro 3.5
AdAware
Spybot Search and Destroy
AVG Free
Combofix
Malwarebytes
Windows Defender

Reinstalling Vista SP2 (to hopefully rewrite architecture and replace explorer.exe)

Nothing has succeeded in killing the virus, some of them picked up other little things but never the main explorer.exe virus, although I regularly get pop ups from Avast/AVG/AdAware about harmful sites being accessed all referencing explorer.exe as the source.

I have resorted to running everything from task manager and using an alternate file browser.

I have also run through just about every explorer.exe virus thread or writeup online but none of them seem to help nor be exactly what my problem is.

Please help me! I'm all ears guys, I wasn't sure if I should post Hijack This (OTL) logs straight away or if I should wait, so I held off.


Thanks a ton in advance!
« Last Edit: November 21, 2010, 06:23:30 AM by Acorogia »

Offline Pondus

  • Probably Bot
  • Posts: 37700
Re: Explorer.exe Infected
« Reply #1 on: November 21, 2010, 02:24:39 AM »
Follow this guide from our expert malware remover Essexboy, and post the logs here
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and Malwarebytes scan log)

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #2 on: November 21, 2010, 03:17:04 AM »
In 3 parts:

OTL.txt


Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #3 on: November 21, 2010, 03:18:33 AM »
Part 2: Extras.txt, and for some reason the Malwarebytes log was too big to be attached, so it's c&p below.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5159

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/20/2010 5:37:14 PM
mbam-log-2010-11-20 (17-37-14).txt

Scan type: Quick scan
Objects scanned: 161138
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

SafeSurf

  • Guest
Re: Explorer.exe Infected
« Reply #4 on: November 21, 2010, 10:52:03 AM »
Hello Acorogia,

Yes, you are infected with several types of malware.  I wish you had come to us sooner, but we will help you out.

In the meantime, do you have another machine you can use to check the forum and use for email? 

- Please limit (or do not use as much as possible) this infected machine, especially for any social networking, syncing of devices, etc. 

- If you are on a network, disconnect this machine from the network.

- If this machine is connected to a router, please reset the router.

- Please do not make any further changes to your machine now that you have provided the logs.

I am going to refer you to our Certified Malware expert, named Essexboy.  He will also review your logs and give you further instructions, however he comes on the forum late UK time.  He will respond to you in this thread, so remember to check this thread daily.  I will continue to provide assistance in the meantime, then remain in the background while he works with you.

Let me know if you have any questions.  Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Explorer.exe Infected
« Reply #5 on: November 21, 2010, 01:19:15 PM »
Hi there

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 0.0.0.0:80
    FF - prefs.js..network.proxy.ftp: "109:169:26:139"
    FF - prefs.js..network.proxy.ftp_port: 3128
    FF - prefs.js..network.proxy.gopher: "109:169:26:139"
    FF - prefs.js..network.proxy.gopher_port: 3128
    FF - prefs.js..network.proxy.http: "109:169:26:139"
    FF - prefs.js..network.proxy.http_port: 3128
    FF - prefs.js..network.proxy.share_proxy_settings: true
    FF - prefs.js..network.proxy.socks: "109:169:26:139"
    FF - prefs.js..network.proxy.socks_port: 3128
    FF - prefs.js..network.proxy.ssl: "109:169:26:139"
    FF - prefs.js..network.proxy.ssl_port: 3128
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {783840E6-0A18-4087-9EC7-A1CC131DF0D4} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No CLSID value found.
    [2009/09/24 23:07:07 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\iobcfeo.dll
    [2009/09/24 23:07:07 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\hnmobfd.dll
    [2009/09/24 23:07:06 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\vb0va0g.dll
    [2009/09/24 23:07:06 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\je1pkjv.dll
    [2009/09/24 23:07:06 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\iz9g894.dll
    [2009/09/24 23:07:05 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\xg865ij.dll
    [2009/09/24 23:07:05 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\iokz40o.dll
    [2009/09/24 23:07:05 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\g0efyts.dll
    [2009/09/24 23:07:04 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\kg7i665.dll
    [2009/09/24 23:06:54 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\qsfaqqr.dll
    [2009/09/24 23:06:51 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\oro2h6n.dll
    [2009/09/24 23:06:47 | 000,001,024 | ---- | C] () -- C:\Windows\System32\ufh8ea7.dll
    [2009/09/24 23:06:47 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth2.dll
    [2009/09/24 23:06:47 | 000,001,024 | ---- | C] () -- C:\Windows\System32\grcauth1.dll
    [2009/09/24 23:06:47 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\iz8rxkx.dll
    [2009/09/24 23:06:29 | 000,001,024 | ---- | C] () -- C:\Windows\System32\clauth2.dll
    [2009/09/24 23:06:29 | 000,001,024 | ---- | C] () -- C:\Windows\System32\clauth1.dll
    [2009/09/24 23:06:29 | 000,000,072 | ---- | C] () -- C:\Windows\System32\ssprs.dll
    [2009/09/24 23:06:29 | 000,000,016 | -H-- | C] () -- C:\Windows\System32\w4yzvjq.dll

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Delete your current copy of combofix and download a fresh one

Link 1
Link 2

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
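The OTL fix above strips Firefox proxy preferences and an IE ProxyServer value that were redirecting the browser through a third-party proxy. As an added example (not part of the thread, OTL, or any Avast tool), here is a small Python check that parses a Firefox prefs.js and flags proxy settings; the sample input is constructed to mirror the network.proxy.* lines in the log, with the host written exactly as the OTL output shows it.

```python
import re

# Constructed prefs.js fragment mirroring the proxy settings shown in the OTL log above.
SAMPLE_PREFS = '''
user_pref("browser.startup.homepage", "about:home");
user_pref("network.proxy.http", "109:169:26:139");
user_pref("network.proxy.http_port", 3128);
user_pref("network.proxy.ssl", "109:169:26:139");
user_pref("network.proxy.ssl_port", 3128);
user_pref("network.proxy.share_proxy_settings", true);
user_pref("network.proxy.type", 1);
'''

# One user_pref("name", value); line. Values keep their literal form (quotes stripped later).
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Preference suffixes that hold a proxy host (the protocols Firefox lets you proxy).
PROXY_HOST_SUFFIXES = ("http", "ssl", "ftp", "socks", "gopher")


def parse_prefs(text):
    """Return {pref_name: value_as_string} for every user_pref line in text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, raw = m.groups()
            prefs[name] = raw.strip('"')
    return prefs


def proxy_findings(prefs):
    """Return a list of (pref, value, reason) for proxy settings a reviewer should look at."""
    findings = []
    for name, value in prefs.items():
        if not name.startswith("network.proxy."):
            continue
        if name.endswith(PROXY_HOST_SUFFIXES) and value:
            # Any configured proxy host deserves a look on a machine the user never configured one on.
            findings.append((name, value, "proxy host configured"))
        elif name == "network.proxy.type" and value != "0":
            # 0 = no proxy; anything else means Firefox will route traffic through a proxy.
            findings.append((name, value, "proxy mode enabled"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in proxy_findings(parse_prefs(SAMPLE_PREFS)):
        print(f"{pref} = {value}  <- {reason}")
```

On a real system point parse_prefs at the prefs.js in the Firefox profile folder; an empty findings list means no proxy host or proxy mode is set.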

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #6 on: November 22, 2010, 02:18:20 AM »
Logs attached as requested, you guys are life savers.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Explorer.exe Infected
« Reply #7 on: November 22, 2010, 08:48:16 PM »
Hi explorer is reporting as legitimate - what are your current problems ?

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #8 on: November 23, 2010, 02:49:46 AM »
Everything appears to be acting normal, resource consumption of explorer.exe looks normal, I'll sit on it for a day or so and see if any symptoms pop up and report back regardless.  Thanks again Essexboy.

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #9 on: November 23, 2010, 08:49:59 PM »
I lied, not all is well.

Avast just blocked a network connection and an infected file

Last file infected:  C:\Users\Nick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L8U349Y3\clgmjtftaojucv[1].htm

In the little pop up window that warns you when something has been detected, it said that (above) and that the process was C\windows\explorer.exe

Is there any way to retrieve that information or will it just tell me what the infected file was? 

I'm running an Avast scan now just to be safe.

Thanks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Explorer.exe Infected
« Reply #10 on: November 23, 2010, 09:59:01 PM »
Let's see if Windows detects a problem with explorer

Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #11 on: November 23, 2010, 10:23:43 PM »
According to the scan there were no discrepancies.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Explorer.exe Infected
« Reply #12 on: November 23, 2010, 10:26:08 PM »
OK let's get my second opinion to work  ;D

Download Dr Web from here http://www.freedrweb.com/?lng=en link on the top right of the page, tick the EULA and then download
 
It will download as an 8 digit file; save it to your desktop

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that

s3it

  • Guest
Re: Explorer.exe Infected
« Reply #13 on: November 24, 2010, 12:41:10 AM »
    Quote
    Follow this guide from our expert malware remover Essexboy, and post the logs here
    http://forum.avast.com/index.php?topic=53253.0

    To avoid using multiple posts with copy and paste you have to attach the logs
    Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and Malwarebytes scan log)

Yes it is still around. I got it on IE9, could not get rid of it, and returned to IE 8, no problem. Reloaded IE9 again, and the same problem started over; now back to IE 8.
I also got hit by a ransom virus program, Antivirus Soft, got rid of that though, but it left 3 files pup d11host.exe.
Avast closed down as I was hit, and could only be activated after the clean up with other programs, and now it fails to find the leftover pup d11host.exe in 3 locations; I can get at them, search doesn't reveal them, advice is welcome.

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #14 on: November 24, 2010, 01:01:21 AM »
I can't seem to locate where it saved the log to, but it didn't find a single thing; I did only run it in express mode, however.
« Last Edit: November 24, 2010, 01:22:40 AM by Acorogia »