Topic: Explorer.exe Infected

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Explorer.exe Infected
« Reply #15 on: November 24, 2010, 08:40:50 PM »
The express scan would have found any indication of an infected system file

Are the alerts still occurring?

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #16 on: November 25, 2010, 04:55:50 AM »
I shut off explorer.exe yesterday and have been running everything from task manager.  I turned it back on and within 5 minutes I'm back to getting IE popups.  No alerts yet however...

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #17 on: November 25, 2010, 08:38:02 PM »
Update: as soon as I logged on today Avast informed me that it had detected a threat.  I took a screen shot of what was going on.  See attached

Offline essexboy

Re: Explorer.exe Infected
« Reply #18 on: November 25, 2010, 09:16:18 PM »
Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.  Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
THEN

Re-run Combofix and allow it to update if it asks

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #19 on: November 26, 2010, 09:11:56 PM »
Here is the new combofix log.

EDIT:

The IE popups are still occurring, no Avast notifications of viruses yet though...
« Last Edit: November 26, 2010, 09:14:20 PM by Acorogia »

Offline essexboy

Re: Explorer.exe Infected
« Reply #20 on: November 26, 2010, 09:16:59 PM »
Still no sign of infection from that - let's check for file corruption

Go to start > All Programs > Accessories
Right Click Command Prompt and select run as administrator
When the prompt opens type the following bolded text and press enter

sfc /scannow (Note: There is a space between sfc and /scannow)

On completion reboot

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #21 on: November 26, 2010, 09:33:07 PM »
As before, no violations or corruptions found.

Offline essexboy

Re: Explorer.exe Infected
« Reply #22 on: November 26, 2010, 09:46:59 PM »
OK, let's look at it from a different angle

Download avz4.zip from here
  • Unzip it to your desktop to a folder named avz4
  • Double click on AVZ.exe to run it.
  • Run an update by clicking the Auto Update button on the Right of the Log window:
  • Click Start to begin the update
Note: If you receive an error message, choose a different source, then click Start again


  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with Malware removal mode enabled" check box.

  • Click on "Execute selected scripts".
  • Automatic scanning, healing and system check will be executed.
  • A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  • It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  • All applications will work properly after the system restart.
When restarted

  • Start AVZ.
  • Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.

  • Click on the "Execute selected scripts".
  • A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.
Upload both virusinfo_syscure.zip and virusinfo_syscheck.zip to Mediafire and post the sharing link.

Acorogia

  • Guest

Offline essexboy

Re: Explorer.exe Infected
« Reply #24 on: November 27, 2010, 02:33:17 PM »
On completion of this run can you let me know if the problem persists

AVZ FIX

  • Double click on AVZ.exe
  • Click File > Custom scripts
  • Copy & paste the contents of the following codebox in the box in the program (start with begin and end with end)
Code:
begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(True);
 TerminateProcessByName('c:\windows\explorer.exe');
 DelBHO('{472734EA-242A-422b-ADF8-83D1E48CC825}');
 DeleteFile('C:\Windows\System32\Drivers\spwm.sys');
 BC_DeleteFile('C:\Windows\System32\Drivers\spwm.sys');
BC_ImportDeletedList;
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.
  • Note: When you run the script, your PC will be restarted
  • Click Run
  • Restart your PC if it doesn't do it automatically.
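
A read-only way to inspect the two artifacts named in the AVZ script above (the BHO CLSID and the spwm.sys driver), before or after running it. This is an added example, not part of the original post or of AVZ; the registry keys are the standard Windows BHO and COM registration locations, and it assumes an elevated PowerShell 4 or later session.

```powershell
# Added example: read-only inspection, nothing is deleted or changed.
# The CLSID and driver path are the ones named in the AVZ script in this thread.
$targetClsid = '{472734EA-242A-422b-ADF8-83D1E48CC825}'
$driverPath  = 'C:\Windows\System32\Drivers\spwm.sys'

# Standard BHO registration keys (native and 32-bit view), each paired with
# the COM class root used to resolve a CLSID to the DLL that implements it.
$views = @(
    @{ Bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Cls = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
)

$bhos = foreach ($v in $views) {
    if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $v.Bho) {
        $clsid  = $key.PSChildName
        $srvKey = Join-Path (Join-Path $v.Cls $clsid) 'InprocServer32'
        $dll = $null; $sig = 'n/a'
        if (Test-Path -LiteralPath $srvKey) {
            $raw = (Get-ItemProperty -LiteralPath $srvKey).'(default)'
            if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"') }
        }
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        [pscustomobject]@{
            CLSID = $clsid; Dll = $dll; Signature = $sig
            NamedInScript = ($clsid -ieq $targetClsid)
        }
    }
}
$bhos | Format-Table -AutoSize

# Driver file: report presence, size, creation time, hash and signature status
# so the values can be compared against a later run.
if (Test-Path -LiteralPath $driverPath) {
    $f = Get-Item -LiteralPath $driverPath -Force
    [pscustomobject]@{
        Path = $f.FullName; Size = $f.Length; CreatedUtc = $f.CreationTimeUtc
        SHA256 = (Get-FileHash -LiteralPath $driverPath -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -FilePath $driverPath).Status
    }
} else {
    "Not present: $driverPath"
}
```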


Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #25 on: November 27, 2010, 08:39:02 PM »
I had my fingers crossed, but the problem persists. 

Offline essexboy

Re: Explorer.exe Infected
« Reply #26 on: November 27, 2010, 10:42:33 PM »
So explorer is still crashing?  This is explorer and not Internet Explorer

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #27 on: November 27, 2010, 10:57:19 PM »
Yup, regular old explorer.exe.  It doesn't really crash, it just barrages me with IE popups, download requests for fake spyware protection and tries to open PDF files.  I know it is all coming through explorer.exe because it consumes huge amounts of resources (10% of CPU and 100,000k of RAM) during normal operations and as soon as I kill the explorer.exe process things go back to normal.

Offline essexboy

Re: Explorer.exe Infected
« Reply #28 on: November 27, 2010, 11:14:42 PM »
OK, let's get the latest Combofix on the job in case it sees something that I missed. If it doesn't, I will use it to replace the Windows copy with one from one of the SP areas on your system

Delete your current copy of Combofix and download a fresh copy please, then run

Acorogia

  • Guest
Re: Explorer.exe Infected
« Reply #29 on: November 27, 2010, 11:32:21 PM »
Well this is an interesting development, upon downloading a fresh copy of combofix avast immediately tells me that it is infected with 'Win32:Agent-AMLR [Trj]'  I went back and tried the other mirror that you gave me, both yield the same result.  Explorer.exe was not running when this happened either.