explorer.exe infected

I seem to have picked up a nasty bug somewhere. Avast is cranking out alerts every 15 seconds or so from explorer.exe. Avast doesn’t pick anything up in scans and neither does Malwarebytes, so any help is appreciated.

Also attach the aswMBR log?
Malwarebytes was not updated when you did the scan!

Malware removers are notified. It may take hours before one arrives, so be patient.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
[2011/12/13 12:32:28 | 000,010,858 | --S- | C] () -- C:\Users\Bison\AppData\Local\277271h6v746o542y228t0dio2s3
[2011/12/09 13:35:31 | 000,010,110 | ---- | C] () -- C:\Users\Bison\AppData\Local\l4mp08n1tm5clc
[2011/12/09 13:35:31 | 000,010,110 | ---- | C] () -- C:\ProgramData\l4mp08n1tm5clc

:Reg
[HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-
[HKU\S-1-5-21-3453149310-1416415931-1673008695-1001\SOFTWARE\Microsoft\Internet Explorer\Main]
XMLHTTP_UUID_Default=-

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, SmartScreen Filter will need to be disabled.

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*]The report has been created on the desktop.
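The `:OTL` section of the fix above lists three freshly created files with random-looking names dropped directly into `AppData\Local` and `ProgramData`, two of them with identical sizes. The following is an added triage helper, not part of the original thread and not code from OTL: it parses OTL-style listing lines and applies three defender-side heuristics drawn from that fix (random-looking name in a drop directory, the same byte size appearing under more than one such directory, and the `S` attribute letter, which is assumed here to denote the system attribute). The sample listing reuses the three lines from the fix plus two constructed benign lines for contrast.

```python
"""
Added triage helper for OTL-style file listing lines (not part of the
original thread or of the OTL tool).  It parses lines of the form

    [2011/12/13 12:32:28 | 000,010,858 | --S- | C] () -- C:\\path\\to\\file

and flags entries that match the pattern seen in the fix above.  The
meaning of the attribute letters is an assumption (S = system attribute).
"""
from __future__ import annotations

import math
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Columns: timestamp | size with thousands separators | attribute flags | C/M
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# Drop locations the fix targets: a file sitting directly in one of these.
SUSPECT_DIRS = re.compile(
    r"^(?:C:\\Users\\[^\\]+\\AppData\\Local|C:\\ProgramData)\\[^\\]+$",
    re.IGNORECASE,
)

# Sample input: the three lines from the fix plus two constructed benign lines.
SAMPLE_LINES = [
    r"[2011/12/13 12:32:28 | 000,010,858 | --S- | C] () -- C:\Users\Bison\AppData\Local\277271h6v746o542y228t0dio2s3",
    r"[2011/12/09 13:35:31 | 000,010,110 | ---- | C] () -- C:\Users\Bison\AppData\Local\l4mp08n1tm5clc",
    r"[2011/12/09 13:35:31 | 000,010,110 | ---- | C] () -- C:\ProgramData\l4mp08n1tm5clc",
    # constructed benign entries
    r"[2011/11/02 09:14:05 | 000,512,000 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\example.dll",
    r"[2011/12/01 18:20:11 | 001,048,576 | -H-- | M] () -- C:\Users\Bison\AppData\Local\IconCache.db",
]


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str
    kind: str
    company: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one OTL listing line; return None for lines in another format."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"],
                 m["kind"], m["company"], m["path"])


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic: no extension, mixed digits and letters, high entropy."""
    digits = sum(ch.isdigit() for ch in name)
    letters = sum(ch.isalpha() for ch in name)
    return ("." not in name and len(name) >= 10 and digits >= 3
            and letters >= 3 and shannon_entropy(name) >= 3.0)


def triage(lines: list[str]) -> dict[str, list[str]]:
    """Return finding-code -> list of paths for the heuristics described above."""
    entries = [e for e in map(parse_line, lines) if e]
    findings: dict[str, list[str]] = defaultdict(list)
    by_size: dict[int, set[str]] = defaultdict(set)
    for e in entries:
        if SUSPECT_DIRS.match(e.path) and looks_random(e.name):
            findings["random_name_in_drop_dir"].append(e.path)
        if "S" in e.attrs:
            findings["system_attribute"].append(e.path)
        by_size[e.size].add(e.path)
    for paths in by_size.values():
        if len(paths) > 1:  # identical size dropped in more than one place
            findings["same_size_multiple_dirs"].extend(sorted(paths))
    return dict(findings)


if __name__ == "__main__":
    for code, paths in triage(SAMPLE_LINES).items():
        print(code)
        for p in paths:
            print("   ", p)
```

Run it against a pasted OTL quick-scan listing to get the same three finding groups; the thresholds in `looks_random` are heuristics and will need tuning against your own baseline of benign names.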

thanks for the timely response, I appreciate the help. I wasn’t able to get aswMBR to run at all earlier which is why there was no log. I ran the scans but avast is still giving me alerts. Here are the new logs you asked for.

It seems as though Roguekiller has problems reading LL2

Do you have a USB drive handy?

Download the following three programmes to your desktop :

  1. WiNTBootIc
  2. Windows 7 64 bit RC
  3. ListParts64

Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy Listparts64 to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer, first ensuring that the system is set to boot from USB.
Note: If you are not sure how to do that, follow the instructions Here.

When you reboot you will see this, although yours will say Windows 7.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\Listparts.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.

https://dl.dropbox.com/u/73555776/listparts.GIF

Press the Scan button.
It will make a log (results.txt) on the flash drive. Please copy and paste it to your reply.

I downloaded all three files, however when running WiNTBootIc, I get a “Flashing Failed” error. Tried running it on another computer with both a 15G and 4G flash drive to no avail.

OK, do you have the option “repair my computer” when you reboot to the safe mode menu?

Reboot the computer then press and hold F8

Can you burn a CD?

Yes, I do have the “repair your computer” option, and I am able to burn a cd.

OK copy listparts64 to a USB stick

Reboot to Safe mode menu and select repair my computer
Select command prompt
Insert the USB with listparts64

At the command prompt type the following:

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\Listparts.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.

https://dl.dropbox.com/u/73555776/listparts.GIF

Press the Scan button.
It will make a log (results.txt) on the flash drive. Please copy and paste it to your reply.

Tried the “repair your computer” option, but every time I hit it the computer goes to a black screen and then hangs there.

OK, we will burn the ISO you have downloaded to a CD.

To do this you will need burning software that will make it bootable; if you do not have one, download ImgBurn http://www.filehippo.com/download_imgburn/

And use that to burn the CD
http://www.imgburn.com/index.php?act=screenshots
You need the “Write image file to disc” option.

Then boot from the CD and follow the previous instructions from:

When you reboot you will see this, although yours will say Windows 7.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Followed your instructions, however, my operating system was not listed after loading the boot CD. I hit Next and ran Listparts anyway. Starting to think I have bigger problems than I thought here.

OK, it is a malware partition. I will now delete it and set the system partition as active.
If after running this fix the system fails to boot, then run the recovery console.
Select Startup Repair; this will reset the boot sequence if needed.

Download the attached fix.txt to the same USB as listparts.
Run listparts as before, except this time select Fix.
Once it has completed, reboot the computer and run aswMBR.
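The ListParts result above turned out to be an extra partition that malware had created and marked active, so the boot flag pointed at it instead of the Windows system partition. As an added illustration of what that check looks like on the raw disk (this is not code from ListParts or from the thread), the following parses a classic MBR partition table, reports which entry carries the active flag, and raises simple findings when the active entry is not the lowest partition on disk, is very small, or uses a hidden partition-type id. The 512-byte sector is constructed for the example; the type ids used (0x07 NTFS, 0x17/0x1B/0x1C hidden variants) are standard MBR values, and the 64 MiB size threshold is an assumption.

```python
"""
Added MBR partition-table checker (not part of the thread or of ListParts).
Layout of a classic MBR: 446 bytes of boot code, four 16-byte partition
entries at offset 446, and the 0x55AA signature at offset 510.
Each entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4),
little-endian.  The sample sector below is constructed for this example.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
ACTIVE = 0x80
TINY_MIB = 64.0                      # assumption: a bootable OS partition is larger
HIDDEN_TYPES = {0x17, 0x1B, 0x1C}    # hidden NTFS / hidden FAT32 / hidden FAT32 LBA


@dataclass
class Partition:
    index: int
    active: bool
    type_id: int
    lba_start: int
    sectors: int

    @property
    def size_mib(self) -> float:
        return self.sectors * 512 / 2 ** 20


def parse_mbr(sector: bytes) -> list[Partition]:
    """Return the non-empty partition entries of an MBR sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id == 0:
            continue  # empty slot
        parts.append(Partition(i, status == ACTIVE, type_id, lba_start, sectors))
    return parts


def active_partitions(parts: list[Partition]) -> list[Partition]:
    return [p for p in parts if p.active]


def check_layout(parts: list[Partition]) -> list[str]:
    """Finding codes for an active-partition layout that deserves a second look."""
    active = active_partitions(parts)
    if not active:
        return ["no_active_partition"]
    if len(active) > 1:
        return ["multiple_active"]
    a = active[0]
    findings = []
    lowest = min(parts, key=lambda p: p.lba_start)
    if a.index != lowest.index:
        findings.append("active_is_not_lowest_lba")
    if a.size_mib < TINY_MIB:
        findings.append("active_is_tiny")
    if a.type_id in HIDDEN_TYPES:
        findings.append("active_has_hidden_type")
    return findings


def build_entry(active: bool, type_id: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte entry (CHS fields zeroed; modern tools use LBA only)."""
    return struct.pack("<B3sB3sII", ACTIVE if active else 0, b"\0\0\0",
                       type_id, b"\0\0\0", lba_start, sectors)


def make_sector(entries: list[bytes]) -> bytes:
    """Assemble a 512-byte MBR from up to four packed entries."""
    table = b"".join(entries) + b"\0" * ENTRY_SIZE * (4 - len(entries))
    return b"\0" * TABLE_OFFSET + table + b"\x55\xaa"


# Constructed layout resembling the case above: 100 MiB reserved partition,
# a large Windows partition, then a small hidden partition marked active.
SAMPLE_MBR = make_sector([
    build_entry(False, 0x07, 2048, 204800),
    build_entry(False, 0x07, 206848, 20000000),
    build_entry(True, 0x1C, 20206848, 40960),
])


if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        flag = "*" if p.active else " "
        print(f"{flag} #{p.index} type=0x{p.type_id:02X} lba={p.lba_start} size={p.size_mib:.1f} MiB")
    print("findings:", check_layout(parts))
```

On a real machine the first sector can be read with a raw-disk read and fed to `parse_mbr`; a Windows 7 system normally shows the 100 MiB System Reserved partition (or the Windows partition itself) as the single active entry, so any finding from `check_layout` is a reason to compare the table with what Disk Management shows.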

No more alerts, that may have done the trick. You sir, deserve many internets this day. ;D Gonna post the log for that last aswMBR scan, which I was able to run this time without a problem. Just looking for the all clear from you before I uncork the champagne.

Nice ;D Any outstanding problems before I remove my rubbish?

None so far, my pc is looking pretty good now. But before I go, any advice on how I can avoid viruses like this that activate out of my temp folder?

I would suggest that you get into the habit of clearing cache folders and temp folders fairly frequently.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean.

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then, as an added layer of protection, install Trusteer Rapport.

It is critical to have both a firewall and anti-virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave: