Author Topic: IEXPLORE Virus  (Read 14115 times)

mishav13

  • Guest
IEXPLORE Virus
« on: July 09, 2011, 06:36:11 AM »
Hello,

I have avast home edition and it keeps alerting me about IEXPLORE.exe virus like every 2 minutes. What is worse is that it messed up my internet connection. A lot of the time I cannot access the internet, and when I can it redirects pages to 64.111.211.158. Or it will redirect to some other pages I completely did not want. I think this post might be similar:

http://forum.avast.com/index.php?topic=81122.0

Also I would like to mention that it made all my documents hidden.

Things I tried:
- system restore
- boot scan of avast anti virus
- safe mode scan of avast anti virus
- safe mode spy bot search and destroy
- safe mode smitfraudfix
- safe mode malwarebytes anti-malware

All of these tools found stuff which I deleted, but the end result did not change: it still persists with that annoying popup every few minutes and all the behaviours I described above still happen!

Things I wanted to try but could not:
- system recovery (no option at boot time)
- format by right click on c drive but keep getting message: "Windows cannot format this drive. Quit any disk utilities or other programs that are using this drive and make sure that no window is displaying the contents of the drive. Then try formatting again."
- re-install xp but I don't have the CD since windows xp came with the computer installed already

System specs:
- windows xp professional service pack 3
- Acer computer
- intel core 2 duo cpu @ 3.06 GHz
- 2.99 GB of RAM

Edit: sorry, I posted in the wrong section! I hardly got to this forum from all the redirects. Please move. Thanks!

Edit 2: I ran combofix and attached log. The problem still did not go away after running combofix. I still see the popup IEXPLORE. After combofix avast does not seem to appear in system tray every time I boot up the computer like it did before, but I do think it's still running in the background from checking the processes running.
« Last Edit: July 09, 2011, 07:39:45 AM by mishav13 »

Tgell

  • Guest
Re: IEXPLORE Virus
« Reply #1 on: July 09, 2011, 05:03:54 PM »
Have you tried running a scan with HitmanPro?

http://www.surfright.nl/en/hitmanpro

mishav13

  • Guest
Re: IEXPLORE Virus
« Reply #2 on: July 09, 2011, 05:23:05 PM »
I just downloaded it now and ran a scan. All it found were some cookies which I deleted. Problem still persists.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: IEXPLORE Virus
« Reply #3 on: July 09, 2011, 05:37:03 PM »
Hi, could you give a screenshot of the Avast alert please?

To ensure that I get all the information this log will need to be attached (instructions at the end). If it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
/md5start
iexplore.exe
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
CREATERESTOREPOINT


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

mishav13

  • Guest
Re: IEXPLORE Virus
« Reply #4 on: July 09, 2011, 05:54:19 PM »
I couldn't upload the file from the infected computer. Kept stopping after a few percent. I saved the log file on external HD and uploaded on another computer. Hopefully I can't infect the other computer doing that?

Offline essexboy

Re: IEXPLORE Virus
« Reply #5 on: July 09, 2011, 06:45:39 PM »
This is reminiscent of a TDL type infection

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code:

[Unregister Dlls]
[Files/Folders - Created Within 30 Days]
NY ->  dD04201OlMmG04201 -> C:\Documents and Settings\All Users\Application Data\dD04201OlMmG04201
[Files/Folders - Modified Within 30 Days]
NY ->  D952.378 -> C:\Documents and Settings\Alexander\Application Data\D952.378
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

THEN

Download aswMBR.exe ( 1.8mb ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan
 
 
On completion of the scan click save log, save it to your desktop and post in your next reply


mishav13

  • Guest
Re: IEXPLORE Virus
« Reply #6 on: July 09, 2011, 08:19:51 PM »
Attached
- OTS log
- aswMBR log

Please Note: I don't see avast icon in bottom right corner where it used to be

Offline essexboy

Re: IEXPLORE Virus
« Reply #7 on: July 09, 2011, 09:50:21 PM »
There is the possibility of a TDL3 there

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

mishav13

  • Guest
Re: IEXPLORE Virus
« Reply #8 on: July 09, 2011, 10:11:52 PM »
essexboy, I can't seem to launch this program. I double click and nothing happens on the infected computer. I tried to launch it in safe mode and still can't launch it

Offline essexboy

Re: IEXPLORE Virus
« Reply #9 on: July 09, 2011, 10:50:12 PM »
OK that confirms that diagnosis then

Download Combofix from any of the links below. You must rename it before saving: rename it to Gotcha before saving it to your desktop.

Link 1
Link 2


==================================


Double click on the renamed ComboFix.exe & follow the prompts.
    When finished, it will produce a report for you. 
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

mishav13

  • Guest
Re: IEXPLORE Virus
« Reply #10 on: July 10, 2011, 04:57:28 AM »
combofix log attached. I could not disable avast during the scan though

P.s. The 2 links you provided for combofix do not work for me. I simply get the message: "Oops! Google Chrome could not find "http"

Offline essexboy

Re: IEXPLORE Virus
« Reply #11 on: July 10, 2011, 01:29:46 PM »
Could you now retry TDSSKiller for me please, if it should fail again could you run a fresh OTS log for me

mishav13

  • Guest
Re: IEXPLORE Virus
« Reply #12 on: July 10, 2011, 05:16:18 PM »
Unfortunately I still can't open TDSSKiller :(

Attached new OTS log

Offline essexboy

Re: IEXPLORE Virus
« Reply #13 on: July 10, 2011, 05:33:28 PM »
Download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 
Quote
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

mishav13

  • Guest
Re: IEXPLORE Virus
« Reply #14 on: July 10, 2011, 06:22:47 PM »
Attached MBR. I hit No as requested