Explorer.exe INFECTED win32:malware.gen

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-07 08:46:45
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\Warcraft\LOCALS~1\Temp\kxtdqpog.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA6336B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAA633574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAA633A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAA63314C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAA63364E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA63308C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAA6330F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAA63376E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAA63372E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAA6338AE]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\nvax.sys entry point in “init” section [0xF7C2CB1E]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6570000, 0x1B601E, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----
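The helper's verdict on the log above ("no rootkits") rests on reading who owns each hook: every SSDT entry belongs to avast!'s aswSP.SYS, a self-protection driver that is expected to hook those system calls. The following is an added example (Python, not GMER's code nor anything the forum posted) of how that triage can be automated for a GMER text log: group SSDT hooks by owning module, treat hooks from a known security vendor as expected, and flag modules with no description or loaded from a Temp directory, plus any IAT redirect, for manual review. The sample lines are copied from the log above except the last one, which is a constructed, hypothetical entry included only to show what an unattributed hook looks like in the output.

```python
import re
from collections import defaultdict

# Constructed sample for offline use: the first four lines are copied from the
# GMER log in this thread; the fifth (example.sys under a user's Temp folder)
# is hypothetical, added only to show how an unattributed hook is reported.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAA6336B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAA63308C]
IAT C:\WINDOWS\system32\services.exe[848] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
SSDT \??\C:\DOCUME~1\user\LOCALS~1\Temp\example.sys ZwQueryDirectoryFile [0xF7A00000]
"""

# GMER line shapes: "SSDT <module> (<description>) <Zw function> [<address>]"
# (the parenthesised description is absent when GMER cannot attribute the
# module) and "IAT <process>[<pid>] @ <image> [<dll!import>] <address>".
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>\S+?)\[(?P<pid>\d+)\]\s+@\s+(?P<image>\S+)"
    r"\s+\[(?P<imp>[^\]]+)\]\s+(?P<addr>[0-9A-Fa-f]+)"
)

# Vendors whose kernel hooks are expected on a machine running their product.
# This list is an assumption for the example; extend it for your environment.
TRUSTED_VENDORS = ("ALWIL Software",)


def parse_gmer(text):
    """Return (ssdt_hooks, iat_hooks) as lists of dicts; other sections are ignored."""
    ssdt, iat = [], []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            ssdt.append(m.groupdict())
            continue
        m = IAT_RE.match(line)
        if m:
            iat.append(m.groupdict())
    return ssdt, iat


def triage(text):
    """Group SSDT hooks per module and give each module and IAT entry a verdict."""
    ssdt, iat = parse_gmer(text)
    modules = defaultdict(lambda: {"desc": "", "funcs": []})
    for h in ssdt:
        entry = modules[h["module"]]
        entry["desc"] = h["desc"] or entry["desc"]
        entry["funcs"].append(h["func"])

    report = {"ssdt": [], "iat": []}
    for module, entry in modules.items():
        trusted = any(v in entry["desc"] for v in TRUSTED_VENDORS)
        in_temp = "\\temp\\" in module.lower()   # drivers loaded from a Temp dir deserve a look
        verdict = "expected" if trusted and not in_temp else "review"
        report["ssdt"].append(
            {"module": module, "hooks": len(entry["funcs"]), "verdict": verdict}
        )
    # An IAT entry in the log means the import no longer points at the exporting
    # DLL; GMER does not say what owns the target address, so it is always "review".
    for h in iat:
        report["iat"].append(
            {"process": f'{h["proc"]}[{h["pid"]}]', "import": h["imp"],
             "target": int(h["addr"], 16), "verdict": "review"}
        )
    return report


if __name__ == "__main__":
    for section, entries in triage(SAMPLE_LOG).items():
        for e in entries:
            print(section.upper(), e)
```

On the real log this yields a single aswSP.SYS entry with ten hooks marked "expected" and two services.exe IAT entries marked "review"; the second is what a human still has to resolve, since the tool only knows that the import was redirected, not by whom.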

Hi Bradj,

Ok, no rootkits.

Please read through these instructions to familiarize yourself with what to expect when this tool runs.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer’s settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you – please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post the combofix log.

Thanks

I’m a complete idiot; even after reading the instructions carefully I started ComboFix with Avast not disabled. Here’s the report, hope it’s OK. Do you want me to do a re-run with AV disabled? Sorry for the brain freeze.

There is a change in behaviour.

Opening My Documents and My Computer no longer alerts Avast to an infected explorer.exe.

Scanning C:\WINDOWS\explorer.exe now comes up clean; it wasn’t last night.

Hi Bradj,

Thanks for the update. Combofix still finds a problem with it.

We still need to locate a good copy of explorer.exe plus another file.

Click your Start button, click Run. Copy and paste the following line and click OK:

C:\SystemLook.exe

SystemLook should open. Use this script this time. Note that it starts with the colon:

:filefind
wscntfy.ex*

Next

We will use combofix again but run it differently.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
[*]Click the Start button, click run
[*]in the run box type notepad
[*]click ok
[*]In the notepad, Click “Format” and be certain that Word Wrap is not checked.

[*]Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


SRPeek::
c:\windows\explorer.exe
c:\windows\System32\wscntfy.exe

In the notepad
[*]Click File, Save as…, and set the Save in to your Desktop
[*]In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
[*]Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

Note: Do not mouse-click combofix’s window while it’s running. That may cause it to stall.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Please post back with
[*]SystemLook log
[*]combofix log

Thanks

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 12:18 on 07/12/2009 by Warcraft (Administrator - Elevation successful)

========== filefind ==========

Searching for “wscntfy.ex*”
No files found.

-=End Of File=-

Hi Bradj,

Combofix did remove a trojan when we ran it so that may explain why explorer.exe is not being currently flagged by avast. Also combofix was able to read the MD5 number this time.

Unfortunately there isn’t a good copy of wscntfy.exe to be found anywhere.

I’d like you to test a couple of files. The file paths may look strange, as if 2 paths are squashed together, but that is the actual file path.

We need some file information.

[*]Make sure to use Internet Explorer for this
[*]Please go to VirSCAN.org FREE on-line scan service
[*]Copy and paste the following file path, one at a time if more than one file is listed, into the “Suspicious files to scan” box on the top of the page:
[*]Ensure that the scan is complete and the results saved before submitting the next.

C:\Qoobox\Quarantine\c\windows\system32\sstray.exe.vir

C:\Qoobox\Quarantine\c\program files\ATI Technologies\ATI.ACE\Core-Static\atIAcmxx.dll.vir

[*]Click on the Upload button
[*]Please ensure the scan is complete and the results saved before submitting the next.
[*]If a pop-up appears saying the file has been scanned already, please select the ReScan button.
[*]Once the Scan is completed, click on the “Copy to Clipboard” button. This will copy the link of the report into the Clipboard.
[*]Paste the contents of the Clipboard in your next reply.

Have you tried entering your problem account?

Are you experiencing any redirects or similar problems?

Please post back with the VirScan results.

Thanks

I just ran a test: in User Accounts I changed the way users log on to not use the welcome screen (so it would stop at the welcome screen and make me type the account name, i.e. Administrator), restarted and entered the Administrator account, which is where I first encountered these problems. It logged in fine, the desktop appeared, and things appear normal at the moment. These symptoms would occur even with the “2nd” user account if I’d chosen to not use the welcome screen, thus typing in its account name and password (or no password if I removed a password for that account; I did both when experimenting). It wasn’t until I opted in User Accounts to “use the welcome screen” and removed the password, so it wouldn’t stop at the welcome screen, that it would carry on and load the desktop, thus giving me some functionality. At that point trying to open My Documents or My Computer would alert Avast to C:\WINDOWS\explorer.exe being infected. It is doing none of these things now.

As for redirects, are you referring to my desktop functionality or strange browser behaviour? If so, no, no weird browser redirects that I’ve noticed.

Hi Bradj,

I meant browser redirects or search redirects.

Just for clarification, you can now log in with passwords?

µTorrent
You have µTorrent, a P2P/file sharing program installed on your computer. P2P applications like it are the largest source of malware we see. You’ll be doing yourself a favor by removing it. It’s not the program itself but what can be downloaded with it, usually from an unknown source.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/canada/athome/security/online/p2p_file_sharing.mspx

http://www.microsoft.com/protect/data/downloadfileshare/filesharing.aspx

http://www.internetworldstats.com/articles/art053.htm

I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Next

Download and save to your desktop Malwarebytes Anti-Malware

Double Click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don’t go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.

Please go to Kaspersky website and perform an online antivirus scan.

[*]Read through the requirements and privacy statement and click on Accept button.
[*]It will start downloading and installing the scanner and virus definitions.
[*]You will be prompted to install an application from Kaspersky. Click Run.
[*]When the downloads have finished, click on Settings.
[*]Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button

[*]Spyware, Adware, Dialers, and other potentially dangerous programs
[*]Archives
[*]Mail databases

[*]Click on My Computer under Scan.
[*]Once the scan is complete, it will display the results. Click on View Scan Report.
[*]You will see a list of infected items there. Click on Save Report As
[*]Change the Files of type to Text file (.txt)
[*]Set the Save In to Desktop
[*]Click the Save button.
[*]Please post this log in your next reply.

Please post back with the MBAM log and the Kaspersky log.

Thanks

Hi

I have not noticed any browser redirects.

I can log into Windows with passwords.

I have removed µTorrent; I have learned my lesson with these dirty files.

Windows XP Service Pack 3 has been available for over a year and provides many Critical Updates plus performance improvements.

You need to start Internet Explorer then go to Tools then Windows Update and download all of the available updates.

Go to Control Panel then Automatic Updates then select Automatic (recommended) or at least Notify me but don’t automatically download or install them.

IE8 is more secure than IE6 and has a lot better performance:
http://www.microsoft.com/windows/Internet-explorer/default.aspx

Go to Secunia Online Software Inspector then run it to see what other applications are vulnerable:
http://secunia.com/vulnerability_scanning/online

Hi Bradj,

Looks good. Don’t worry about the file MBAM detected; it was a legitimate tool we downloaded, MBAM was just complaining about its location.

Kaspersky detected a quarantined file and an old System Restore point that will be removed when we clean up the tools.

First we need to restore a file mistakenly removed, so I will need to see this file:

C:\Qoobox\ComboFix-quarantined-files.txt

Thanks

Hi, here’s the file

Hi Bradj,

Please follow all previous instructions regarding security programs.

Open a new Notepad session
[*]Click the Start button, click run
[*]in the run box type notepad
[*]click ok
[*]In the notepad, Click “Format” and be certain that Word Wrap is not checked.

[*]Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE


DEQUARANTINE::
C:\Qoobox\Quarantine\c\program files\ATI Technologies\ATI.ACE\Core-Static\atIAcmxx.dll.vir 

Quit::


In the notepad
[*]Click File, Save as…, and set the Save in to your Desktop
[*]In the filename box, type (including quotation marks) as the filename: “CFScript.txt”
[*]Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browser/windows first.

Note: Do not mouse-click combofix’s window while it’s running. That may cause it to stall.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Only a DeQuarantine.txt will be produced; please post its contents.

Everything OK?

Thanks

Hi, yes everything has been ok.

C:\Qoobox\Quarantine\c\program files\ATI Technologies\ATI.ACE\Core-Static\atIAcmxx.dll.vir → c:\program files\ATI Technologies\ATI.ACE\Core-Static\atIAcmxx.dll ( 704512 bytes )

Hi Bradj,

If no other problems, we can clean up our tools.

From your desktop, please delete, if present:
[*]any notepads/logs that we created
[*]Win32kDiag.exe
[*]GMER.zip
[*]GMER.exe

Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK:
Combofix /uninstall

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep MBAM updated and use it regularly.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You have an antivirus program and an on demand antispyware program.

I suggest you use an antispyware program with resident (real time) scanning. You could enable Spybot’s TeaTimer.

  • If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL for tips, reviews and links to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)

You should also use Spyware Blaster to help immunize your computer.

  • SpywareBlaster will add a large list of programs and sites into your Internet Explorer
    settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
[*]Click once on the Security tab
[*]Click once on the Internet icon so it becomes highlighted.
[*]Click once on the Custom Level button.
[*]Change the Download signed ActiveX controls to Prompt
[*]Change the Download unsigned ActiveX controls to Disable
[*]Change the Initialize and script ActiveX controls not marked as safe to Disable
[*]Change the Installation of desktop items to Prompt
[*]Change the Launching programs and files in an IFRAME to Prompt
[*]Change the Navigate sub-frames across different domains to Prompt
[*]When all these settings have been made, click on the OK button.
[*]If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

  • Keeping your Windows up-to-date is crucial to your computer’s security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis

  • Ensure that Automatic Update is turned on so you get all the latest patches.
    Click start, control panel, click Security Center.

  • Keep your antivirus program updated, as well as any other security programs you have.

  • You may also want to read this article By Tony Klein
    http://www.freedomlist.com/forum/viewtopic.php?t=22879

Take care
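Two of the recommendations in this post lend themselves to a quick self-check: the hosts-file advice (a hosts file should only ever point names at loopback or 0.0.0.0; a name pointed at a remote address is the classic sign of a hijacked hosts file, which is also how browser redirects are often produced) and the Internet Explorer zone settings listed above. The following is an added example in Python, not code from the forum, from Microsoft or from any tool mentioned here. It checks a hosts file for entries that map names to non-local addresses, and compares a snapshot of the IE Internet-zone settings against the recommended values. The registry value names (1001, 1004, 1201, 1800, 1804, 1607) are the ones Internet Explorer stores these settings under in `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3`; the sample hosts text and the sample settings snapshot are constructed, and the optional `winreg` reader is only meant for a Windows machine.

```python
import ipaddress

# Constructed sample hosts file: three local/blocklist entries and one
# hijack-style entry that points a plausible name at a remote address.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# blocklist-style entries (constructed)
0.0.0.0 ads.example
127.0.0.1 tracker.example
# hijack-style entry (constructed): a name pointed at a non-local address
203.0.113.5 update.example
"""


def check_hosts(text):
    """Split hosts-file text into (names mapped locally, suspicious entries)."""
    local, suspicious = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspicious.append((addr, names, "not an IP address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            local.extend(names)                  # 127.x / ::1 / 0.0.0.0: blocking, not redirecting
        else:
            suspicious.append((addr, names, "maps names to a remote address"))
    return local, suspicious


# IE Internet-zone (zone 3) settings from the post, keyed by the registry value
# name IE uses for each. Action codes: 0 = Enable, 1 = Prompt, 3 = Disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTION_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def audit_internet_zone(current):
    """Compare a {value_name: int} snapshot with RECOMMENDED; return (label, have, want) findings."""
    findings = []
    for name, (label, want) in RECOMMENDED.items():
        have = current.get(name)
        if have is None:
            findings.append((label, "not set", ACTION_NAME[want]))
        elif have != want:
            findings.append((label, ACTION_NAME.get(have, str(have)), ACTION_NAME[want]))
    return findings


def read_internet_zone_from_registry():
    """Windows only: read the live zone-3 values with winreg (assumes the default zone layout)."""
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
    snapshot = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in RECOMMENDED:
            try:
                snapshot[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass
    return snapshot


if __name__ == "__main__":
    local, suspicious = check_hosts(SAMPLE_HOSTS)
    print("locally mapped:", local)
    for addr, names, why in suspicious:
        print("SUSPICIOUS", addr, names, why)
    # Constructed snapshot: signed ActiveX left on Enable, sub-frame setting absent.
    sample_zone = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE, "1800": PROMPT, "1804": PROMPT}
    for label, have, want in audit_internet_zone(sample_zone):
        print(f"{label}: is {have}, should be {want}")
```

On a Windows XP machine, `audit_internet_zone(read_internet_zone_from_registry())` checks the live settings; elsewhere the constructed snapshot shows the two kinds of finding (a value set to the wrong action, and a value not set at all). For the hosts check, remember the note above about the DNS Client service: a large custom hosts file is only effective, and only quick, once that service is not caching it.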

Thanks for everything.

Hi Bradj,

You are welcome, glad I could be of help.

There is an explorer.exe infection and to get rid of it, you need to get a fresh explorer.exe from a different PC, or run the SFC file checker.
Sfc: Insert your operating system disk (Windows XP, Vista, 7 etc), then Start>Run>type cmd>type sfc /scannow and it will scan and repair missing/corrupted windows files.

I think my issues have been dealt with well beyond this point but thanks though. I also do not believe explorer.exe was infected but that it was somehow hooked by the malware / trojan.