URL MAL explorer.exe

Hello,

Since yesterday I have been getting a lot of notifications/popups from Avast telling me that Avast has blocked explorer.exe from reaching a strange random URL (attachment added). Worse than this, Windows Explorer doesn’t work well and blocks from time to time, so I’m not able to work properly with my machine. When I kill Explorer.exe the same popups come from dllhost.exe. I tried to do a scan with Avast and it found some PUPs that I have eliminated, but this hasn’t solved the issue.

I am very worried that this can be malware, so any help from you would be very appreciated.

Best regards. R Pane

Do you have gadgets enabled? MS has disowned them due to their serious security problems.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

[*]Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
[*]Select additions at the bottom
[*]Press Scan button.

https://dl.dropboxusercontent.com/u/73555776/frst.JPG

[*]It will produce a log called FRST.txt in the same directory the tool is run from.
[*]Please attach both logs generated.

Hello essexboy,

thank you very much for your time. About gadgets, I don’t really know; my machine has Windows XP Professional SP3 (Italian). Maybe I can look for some more information about it.

Here you find the two logs. Let me know.

Roberto

I have checked about gadgets, no they are not installed.

Regards. Roberto.

Did you install this programme?

2015-09-21 09:47 - 2015-09-21 09:59 - 00000000 ____D C:\Programmi\ExplorerXP
2015-09-21 09:47 - 2015-09-21 09:47 - 00001544 _____ C:\Documents and Settings\a-robep\Desktop\ExplorerXP.lnk
2015-09-21 09:47 - 2015-09-21 09:47 - 00000000 ____D C:\Documents and Settings\a-robep\Menu Avvio\Programmi\ExplorerXP
C:\Programmi\zabkat\xplorer2_lite

Yes, because I have the problem that Windows Explorer hangs and blocks, I tried to install other file manager tools (ExplorerXP, xplorer2 Lite) to move and delete files. Installation was successful, but the tools are very slow and sometimes hang too. To perform operations on the file system I have to use cmd.exe.

If I kill Explorer.exe using taskmgr.exe, the Avast popups come from dllhost.exe. To kill dllhost.exe I have to use Process Explorer, and in this case the Avast popups stop.

dllhost normally indicates a Poweliks infection, but I cannot see that.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature, Detect TDLFS file system and Use KSN to scan objects, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please attach its contents on your next reply.

Here is the log; it was really fast. There is an unsigned and suspect service “XRNADB”, but it should be from Xerox for printing, and I do indeed have a Xerox WorkCentre printer. So I chose to skip removal of this particular service.

I see you have run ComboFix; could I see that log, please?

Here you are; after the ComboFix run, apparently nothing changed in the behaviour of the machine.

About Poweliks: yesterday afternoon (when the machine showed signs of malfunction) I ran FixPoweliks32.exe, but the result was negative, as you may see from the attached log.

Let me know if this has any effect.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-796845957-484763869-839522115-1003\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Programmi\Java\jre7\bin\ssv.dll No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Programmi\Alwil Software\Avast5\aswWebRepIE.dll No File
BHO: Skype Browser Helper -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Programmi\Java\jre7\bin\jp2ssv.dll No File
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Programmi\Skype\Toolbars\Internet Explorer\skypeieplugin.dll No File
CHR HKLM\...\Chrome\Extension: [jfmjfhklogoienhpfnppmbcbjfjnkonk] -
2015-09-20 15:59 - 2015-09-20 16:01 - 00000000 ___HD C:\Documents and Settings\All Users\Dati applicazioni\{8C52DBFA-C81C-41D9-9B03-9572DBCFBF4D}
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

Done; the first time FRST hung, so I am posting two logs.

Rebooted, no sign of Avast popups and Windows Explorer is running apparently properly.

You know, I was a computer professional in the past and worked for Mr. Gates too, but I cannot understand exactly what happened.

Keeping the machine under monitoring, but so far I am confident!

Did you reboot the system? As this is my prime candidate:

"C:\Documents and Settings\All Users\Dati applicazioni\{8C52DBFA-C81C-41D9-9B03-9572DBCFBF4D}" folder move: Could not move "C:\Documents and Settings\All Users\Dati applicazioni\{8C52DBFA-C81C-41D9-9B03-9572DBCFBF4D}" => Scheduled to move on reboot.

I confirm I did reboot the system. And now I checked the directory: it is not present anymore.

Sounds good; you might want to test the system to ensure that all is well.

Sure, essexboy; so far it is doing well, and I was trying to understand the mechanics of this nasty piece of software.

I saw in FRST.txt that {8C52DBFA-C81C-41D9-9B03-9572DBCFBF4D} was created yesterday, exactly when the machine experienced the first signs of malfunction. So this fits the dynamics of the incident.

It would be interesting to have a look at what was in the directory. Was it destroyed?
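The timestamp correlation Roberto describes (a hidden, GUID-named folder created right when the symptoms began) can be checked mechanically over an FRST log. The following Python is an added example, not part of the thread or of FRST itself; the sample lines are constructed from the FRST output quoted above, and the onset time is an assumption, since the thread only says "yesterday afternoon".

```python
import re
from datetime import datetime, timedelta

# Shape of an FRST "One Month Created" line:
#   <created> - <modified> - <size> <attribute flags> <path>
FRST_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(\d{8}) ([_A-Z]{5}) (.+)$"
)
# A path whose last component is a bare {GUID}
GUID_NAME = re.compile(r"\\\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Sample lines constructed from the FRST output quoted in this thread
SAMPLE = [
    r"2015-09-21 09:47 - 2015-09-21 09:59 - 00000000 ____D C:\Programmi\ExplorerXP",
    r"2015-09-21 09:47 - 2015-09-21 09:47 - 00001544 _____ C:\Documents and Settings\a-robep\Desktop\ExplorerXP.lnk",
    r"2015-09-20 15:59 - 2015-09-20 16:01 - 00000000 ___HD C:\Documents and Settings\All Users\Dati applicazioni\{8C52DBFA-C81C-41D9-9B03-9572DBCFBF4D}",
]
# Assumed onset of symptoms (the thread only says "yesterday afternoon")
ONSET = datetime(2015, 9, 20, 16, 0)

def parse_frst_line(line):
    """Return a dict for one FRST file/folder line, or None if it does not match."""
    m = FRST_LINE.match(line.strip())
    if m is None:
        return None
    created, modified, size, flags, path = m.groups()
    return {
        "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
        "size": int(size),
        "hidden": "H" in flags,      # H flag = hidden attribute set
        "directory": "D" in flags,   # D flag = directory
        "path": path,
    }

def suspicious_entries(lines, onset, window=timedelta(hours=2)):
    """Paths of hidden, GUID-named folders created within `window` of `onset`."""
    hits = []
    for line in lines:
        e = parse_frst_line(line)
        if e is None:
            continue
        near_onset = abs(e["created"] - onset) <= window
        if near_onset and e["hidden"] and e["directory"] and GUID_NAME.search(e["path"]):
            hits.append(e["path"])
    return hits

if __name__ == "__main__":
    for p in suspicious_entries(SAMPLE, ONSET):
        print("review:", p)
```

Feed it the "One Month Created" section of a real FRST.txt and the time the first popups appeared; anything it lists is a candidate for the FRST fixlist, not an automatic verdict.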

That’s OK, I found it in C:\FRST\Quarantine.

It’s a copy of msvcp60.dll, very different from the correct system file. I was wondering what this software was trying to do on the internet, downloading or uploading information.

Very interesting.

It looks like it was trying to download some exploit malware, but avast was blocking it.

Once you are happy, let me know and we will tidy up.

I’ll let you know in any case!

You have been great, really!

Best regards. Roberto.