Trojan Internet Explorer help

So this morning I woke up and checked my email as usual. After finishing my work later the same day, when I opened IE, avast told me that it had found a trojan with the original file name wkgszvx.exe in system32. I did as avast suggested and moved it to the chest. The problem is that after moving this file to the chest my IE won’t open; I get a pop-up saying that internetexplorer.exe cannot be found. Yet when I go to C:/program files/internet explorer/ I see that the exe is actually there, and even when I click it from inside the file it says that it cannot be found.
So what can I do to fix my IE? I tried reinstalling it but I get the same thing again (exe cannot be found).

Some extra info about the virus: Virus description: Win32:Small-MMH [trj]
Also, I don’t know if it matters, but the last modification time of the file was about 2 months ago. I had done some virus scans between then and today, but no virus was found.

I forgot to mention that between the two times I opened IE the computer was online but no one was using it, so the only thing that could have changed was avast, with an update.

I am using Windows XP SP3 home edition and IE7.

Thanks for your time, hopefully you can help me out.

Well iexplore.exe is the executable for Internet Explorer (I think that is the same for IE7, I don’t use it) so this internetexplorer.exe is a bogus file. See http://www.auditmypc.com/process/internetexplorer.asp and http://www.prevx.com/filenames/98890089820220354-0/INTERNETEXPLORER2EEXE.html and http://forums.techguy.org/malware-removal-hijackthis-logs/781369-internetexplorer-exe-malware-virus.html.

It looks like your file association/shortcut to iexplore.exe has been

Upload internetexplorer.exe to VirusTotal - Multi engine on-line virus scanner and report the findings of these files here. If any are detected by multiple scanners send example to avast, see below.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.

Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

HiJackThis program & tutorial (also useful as a diagnostic tool): FileHippo Download - HiJackThis; HJT information: HiJackThis Tutorial.
Download and run HJT and post the contents of the log file (cut and paste, or attach the log file) in this topic; you may need to split it over two or more posts depending on how large it is.

Yes, I made a mistake: iexplorer.exe is the executable that cannot be found, even though it is there when I open the Internet Explorer folder.

Basically my problem is that the file from system32 that I moved to the chest is needed for the IE to run, and because it is in the chest I cannot use it.

I have already sent the file to Alwil Software by right-click while it was in the Infected Files section, not User Files.

Here is the log of HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:13:03 μμ, on 6/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Dropbox\dropbox.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: D - {07960106-BF5F-3CF5-AFE0-375A999947C0} - C:\WINDOWS\system32\xel50531.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Βοηθός εισόδου του Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [StartCCC] “C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe” MSRun
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [DAEMON Tools Lite] “C:\Program Files\DAEMON Tools Lite\daemon.exe” -autorun
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Pan\LOCALS~1\Temp\hpdj.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


End of file - 7438 bytes

Yes, if avast had detected it, it would be in the Infected Files section, and as such it didn’t really need to go to avast since it is already able to detect it. I was talking about the internetexplorer.exe you mentioned, which you say was an error.

Fix (close browser windows, run HJT again, tick the box to the left of the entry and click the Fix selected button):
First find the file and upload it to VirusTotal for scanning, add it to the User Files section of the chest, and send it to Alwil.

O2 - BHO: D - {07960106-BF5F-3CF5-AFE0-375A999947C0} - C:\WINDOWS\system32\xel50531.dll
Zero hits for this file name on a Google search, and for something in the system32 folder that is suspicious.

Other than that I don’t see anything obvious, though the log is relatively small, something could be hiding from hijackthis.exe, rename the hijackthis.exe file to say grcpan-HJT.exe and run it again.

You don’t appear to have an active firewall. It should be capable of blocking unauthorised outbound Internet connections. What is your firewall?

I don’t have a firewall atm, only the windows firewall.

Seems that I get some results for this
O2 - BHO: D - {07960106-BF5F-3CF5-AFE0-375A999947C0} - C:\WINDOWS\system32\xel50531.dll

AVG 8.0.0.199 2009.01.06 Agent.ASSS
BitDefender 7.2 2009.01.06 Trojan.Agent.ALSK
CAT-QuickHeal 10.00 2009.01.06 -
ClamAV 0.94.1 2009.01.06 -
Comodo 884 2009.01.06 -
DrWeb 4.44.0.09170 2009.01.06 -
eTrust-Vet 31.6.6294 2009.01.06 -
Ewido 4.0 2008.12.31 -
F-Prot 4.4.4.56 2009.01.06 -
F-Secure 8.0.14470.0 2009.01.06 -
Fortinet 3.117.0.0 2009.01.06 -
GData 19 2009.01.06 Trojan.Agent.ALSK
Ikarus T3.1.1.45.0 2009.01.06 -
K7AntiVirus 7.10.578 2009.01.06 -
Kaspersky 7.0.0.125 2009.01.06 Trojan.Win32.Agent.bcxg
McAfee 5486 2009.01.05 -
McAfee+Artemis 5487 2009.01.06 -
Microsoft 1.4205 2009.01.07 Trojan:Win32/Chepdu.F
NOD32 3744 2009.01.06 Win32/BHO.NLA
Norman 5.80.02 2009.01.06 -
Panda 9.0.0.4 2009.01.06 W32/Conficker.C.worm
PCTools 4.4.2.0 2009.01.06 -
Prevx1 V2 2009.01.07 Malicious Software
Rising 21.11.12.00 2009.01.06 Trojan.Win32.Nodef.gf
SecureWeb-Gateway 6.7.6 2009.01.06 -
Sophos 4.37.0 2009.01.06 -
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2009.01.06 -
TheHacker 6.3.1.4.209 2009.01.06 -
TrendMicro 8.700.0.1004 2009.01.06 -
VBA32 3.12.8.10 2009.01.06 Trojan.Win32.Agent.bcxg
ViRobot 2009.1.6.1546 2009.01.06 Trojan.Win32.Agent.176128.R
VirusBuster 4.5.11.0 2009.01.06 -

Should I first send it to alwil or use the fix of hijackthis?

Step 1 : Use Windows File Search Tool to Find Trojan.Agent-ZD Path

  1. Go to Start > Search > All Files or Folders.
  2. In the “All or part of the file name” section, type in “Trojan.Agent-ZD” file name(s).
  3. To get better results, select “Look in: Local Hard Drives” or
    “Look in: My Computer” and then click “Search” button.
  4. When Windows finishes your search, hover over the “In Folder” of “Trojan.Agent-ZD”,
    highlight the file and copy/paste the path into the address bar.
    Save the file’s path on your clipboard
    because you’ll need the file path to delete Trojan.Agent-ZD in the following manual removal steps.

Step 2 : Use Windows Command Prompt to Unregister Trojan.Agent-ZD DLL Files

  1. To open the Windows Command Prompt, go to Start > Run > type cmd and then click the “OK” button.

  2. Type “cd” in order to change the current directory, press the “space” button, enter the full path to where you believe the Trojan.Agent-ZD DLL file is located and press the “Enter” button on your keyboard. If you don’t know where Trojan.Agent-ZD DLL file is located, use the “dir” command to display the directory’s contents.

  3. To unregister the “Trojan.Agent-ZD” DLL file, type in the exact directory path + “regsvr32 /u” + [DLL_NAME] (for example, C:\Spyware-folder> regsvr32 /u Trojan.Agent-ZD.dll) and press the “Enter” button. A message will pop up that says you successfully unregistered the file.

  4. Search for and unregister the “Trojan.Agent-ZD” DLL file: xel50531.dll

Step 3 : Detect and Delete Other Trojan.Agent-ZD Files

  5. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the “OK” button.

  6. Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s content even the hidden files.

  7. To change directory, type in “cd name_of_the_folder”.

  8. Once you have the file you’re looking for type in “del name_of_the_file”.

  9. To delete a file in folder, type in “del name_of_the_file”.

  10. To delete the entire folder, type in “rmdir /S name_of_the_folder”.

  11. Select the “Trojan.Agent-ZD” process and click on the “End Process” button to kill it.

  12. Remove the “Trojan.Agent-ZD” processes files: xel50531.dll

See picture for Start - Run

polonus
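The O2 lines that DavidR singled out and the regsvr32 steps above both revolve around how a Browser Helper Object is registered: a CLSID listed under the Browser Helper Objects key, resolved through HKEY_CLASSES_ROOT\CLSID to an InprocServer32 DLL. The script below is an added example, not code from this thread or from HijackThis; it rebuilds the O2 listing from the registry and flags the traits the suspicious entry shows (one-letter name, unsigned DLL sitting in system32, or a DLL that is already gone). It assumes Windows PowerShell 2.0 or later started from an administrative account.

```powershell
# Added example, not code from the thread: list Internet Explorer Browser
# Helper Objects the way HijackThis' O2 lines do, resolve each CLSID to its
# DLL and flag the traits a dropped BHO tends to show.
# Assumes Windows PowerShell 2.0 or later, run from an administrative account.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # second path exists only on 64-bit Windows (registrations for 32-bit IE)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
foreach ($bhoKey in $bhoKeys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid    = $sub.PSChildName                       # e.g. {07960106-...}
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
        $name = '(no name)'
        $dll  = '(no file)'
        if (Test-Path $clsidKey) {
            $n = (Get-ItemProperty $clsidKey).'(default)'
            if ($n) { $name = $n }
            $inproc = "$clsidKey\InprocServer32"
            if (Test-Path $inproc) {
                $p = (Get-ItemProperty $inproc).'(default)'
                if ($p) { $dll = [Environment]::ExpandEnvironmentVariables($p) }
            }
        }
        $flags = @()
        if ($dll -eq '(no file)' -or -not (Test-Path $dll)) {
            $flags += 'DLL missing (dead entry)'
        } else {
            # Vendor BHOs (Adobe, Sun, Microsoft) normally carry a valid
            # Authenticode signature; an unsigned DLL in system32 deserves a look.
            $sig = Get-AuthenticodeSignature $dll
            if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
            if ($dll -like "$env:SystemRoot\system32\*") { $flags += 'lives in system32' }
        }
        if ($name.Length -le 2) { $flags += 'one-letter name' }
        $line = "O2 - BHO: $name - $clsid - $dll"
        if ($flags) { $line += '   <-- ' + ($flags -join ', ') }
        $line
    }
}
```

Flagged entries are candidates to research and, once the sample has been submitted, to remove with the HJT fix; the script itself changes nothing.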

Yes as I suspected it is malware, make sure that you send the sample to avast to help improve detections.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection, and you should consider a third-party firewall.

Any malware that manages to get past your defences (and it just has) will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • There are many freeware firewalls such as Comodo (care required now it is a suite: don’t install the anti-virus element), PCTools Firewall Plus, Jetico, etc. Zone Alarm free works fine with avast and has a reasonably friendly user interface; however, the free version is becoming bloated with trialware and is also crippled as far as outbound protection goes. In the Program Control configuration area the slider only goes as far as Medium protection; if you want more you have to buy the Pro version.

See A Forum discussion on free firewalls http://forum.avast.com/index.php?topic=30808.0
See http://www.matousec.com/projects/firewall-challenge/results.php.

@polonus
The search had no results :confused:

I have sent the file to alwil, should I use Hijackthis now to delete the dll?

I installed the free version of PC Tools Firewall Plus too.

Rescan your system; the Conficker worm should be detected as Win32:Confi with the current VPS…

You mean with avast right?

I will let you know of the results when the scan is finished.

Scanning the Windows folder with avast (with the current virus database) should be enough to catch possible remaining traces of the infection… let’s see :wink:

After a standard search there were no signs of a virus.
I still can’t use IE; I guess the dll that is in the chest is infected and needed to run IE.
Well, I use Opera to browse anyway; I am just used to checking my emails with IE by clicking the email button in MSN.

I also used hijackthis to delete the dll.

Well, I will be formatting in a month; I just want to be sure that I have no virus on my computer until then. Though I do most of my work on UNIX, so I don’t have anything of great importance on Windows anyway.

Search in the registry for this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

After deleting it I expect that IE will work again (it did the job for me).
I do not know if you have to make other changes to the registry.
Before making changes to the registry make a copy of it!
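The key named above is the Image File Execution Options (IFEO) mechanism: if a subkey for an executable carries a Debugger value, Windows starts that Debugger program instead of the executable. That is how a file in system32 can be run every time iexplore.exe is opened, and once that file is quarantined the launch fails with exactly the "cannot be found" message reported at the top of the thread. The script below is an added example, not code from this thread; it lists every IFEO entry with a Debugger value and whether the debugger file still exists. It assumes Windows PowerShell 2.0 or later, run as Administrator.

```powershell
# Added example, not code from the thread: report Image File Execution Options
# entries that carry a Debugger value and check whether the debugger program
# still exists. A missing program (Present = False) is the state quarantine
# leaves behind and explains an application that "cannot be found".
# Assumes Windows PowerShell 2.0 or later, run as Administrator.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings = @()
foreach ($entry in Get-ChildItem $ifeo) {
    $debugger = (Get-ItemProperty $entry.PSPath).Debugger
    if (-not $debugger) { continue }            # most entries carry no Debugger value
    # The value may be quoted and may carry arguments; keep the program path only.
    $m = [regex]::Match($debugger.Trim(), '^"([^"]+)"|^(\S+)')
    $exe = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $findings += New-Object PSObject -Property @{
        Target   = $entry.PSChildName           # e.g. iexplore.exe
        Debugger = $debugger
        Present  = (Test-Path $exe)             # False: dangling, target cannot start
    }
}
if ($findings.Count -eq 0) {
    'No IFEO Debugger values set.'
} else {
    # A few tools set this legitimately (Process Explorer's "Replace Task Manager"
    # on taskmgr.exe). A debugger with a random name in system32 or Temp, or one
    # whose file no longer exists, is the situation discussed in this thread.
    $findings | Format-Table Target, Present, Debugger -AutoSize
}
# Back the subkey up before removing it, then delete only that target's subkey:
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" ifeo-iexplore.reg
#   reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe" /f
```

The script only reads the registry; the two commented reg commands at the end are the backup-then-delete step the reply above recommends, to be run by hand.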

How do I do that? :stuck_out_tongue:

Hi grcpan,

All the info to do this you will find here, read this:
http://free-backup.info/how-to-make-a-backup-of-your-registry-using-regedit.html

Where to find this: see the picture attached.

Do everything meticulously, first make a print out of what to do, and do it step by step.

The copy will stay there to be restored if you made a mistake.
It is not really all that difficult, and after it has been accomplished
you will feel a lot better for having acquired this new skill. Loads of success!

polonus

Wow, it actually worked!
Thanks for the help my friend!