Hi All,
I recently discovered that I had the virus in the title, and looked up what to do. I downloaded ComboFix and ran it, but I didn’t realize that I wasn’t supposed to have other programs open while it was running, and it didn’t run correctly. In the thread where it said to download ComboFix it also said not to run it again if it doesn’t work the first time, but to try to figure out another issue. However, in my case, ComboFix just didn’t run correctly, which I know by the fact that ComboFix is supposed to restart the computer when it’s done running, but it didn’t in my case. What should I do?
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Attach both logs
It is reporting C:\Windows\explorer.exe. Also, I’m slightly reluctant to run the program you suggested, because in the other thread I read you suggested that and the person’s internet stopped working. Is that a common problem with that program?
:Commands
[CREATERESTOREPOINT]
:OTL
FF - prefs.js..keyword.URL: "http://feed.snapdo.com/?publisher=SnapdoGOblidooYB&dpid=GOB1&co=US&userid=d0834b7d-d15e-7452-7abe-972cc2d3e3bd&searchtype=ds&installDate={installDate}&q="
O2:64bit: - BHO: (no name) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - No CLSID value found.
O2:64bit: - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {b278d9f8-0fa9-465e-9938-0c392605d8e3} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-474631609-1521078636-1054246077-1001\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
:Commands
[resethosts]
[emptytemp]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
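The O2/O3 lines in the fix above are all reported as "No CLSID value found": the BHO or toolbar is still registered under Internet Explorer, but the CLSID it names no longer resolves to a COM object, so nothing can load and the entry is simply dead weight left behind by an uninstalled or removed add-on. The following read-only PowerShell script (an added example, not from any poster in this thread and not part of OTL) reproduces that check by hand, so you can see which entries are orphaned and which ones still point at a DLL you might want to look at. Registry paths are the standard IE locations; no values are changed.

```powershell
# Added example: enumerate Browser Helper Objects and IE toolbars and flag
# entries whose CLSID does not resolve (OTL's "No CLSID value found").
# Read-only: nothing is deleted or modified.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$toolbarKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'   # per-user, as in the O3 HKU line
)
$guidPattern = '^\{[0-9A-Fa-f-]{36}\}$'

function Resolve-Clsid {
    param([string]$Clsid)
    # A registered COM object has HKCR\CLSID\{guid} (or the Wow6432Node copy)
    # with a default value naming it and usually an InprocServer32 subkey
    # giving the DLL path. If neither key exists, the entry is orphaned.
    foreach ($root in @('Registry::HKEY_CLASSES_ROOT\CLSID',
                        'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
        $key = Join-Path $root $Clsid
        if (Test-Path $key) {
            $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -Path (Join-Path $key 'InprocServer32') `
                        -ErrorAction SilentlyContinue).'(default)'
            return [pscustomobject]@{ Found = $true; Name = $name; Dll = $dll }
        }
    }
    return [pscustomobject]@{ Found = $false; Name = $null; Dll = $null }
}

$results = @()

# BHOs are registered as subkeys named by CLSID.
foreach ($k in $bhoKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($sub in Get-ChildItem -Path $k) {
        $clsid = $sub.PSChildName
        if ($clsid -notmatch $guidPattern) { continue }
        $r = Resolve-Clsid $clsid
        $results += [pscustomobject]@{
            Kind = 'BHO'; Location = $k; Clsid = $clsid
            Resolves = $r.Found; Name = $r.Name; Dll = $r.Dll
        }
    }
}

# Toolbars are registered as values whose *name* is the CLSID.
foreach ($k in $toolbarKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch $guidPattern) { continue }
        $r = Resolve-Clsid $p.Name
        $results += [pscustomobject]@{
            Kind = 'Toolbar'; Location = $k; Clsid = $p.Name
            Resolves = $r.Found; Name = $r.Name; Dll = $r.Dll
        }
    }
}

$results | Sort-Object Resolves | Format-Table -AutoSize
$results | Where-Object { -not $_.Resolves } |
    ForEach-Object { "Orphaned entry (no CLSID value found): $($_.Kind) $($_.Clsid) under $($_.Location)" }
```

Orphaned entries are the ones an OTL fix line such as `O2:64bit: - BHO: (no name) - {...} - No CLSID value found.` removes; they cannot load anything, so deleting them is housekeeping rather than malware removal. An entry that does resolve is the interesting case: its `Dll` column gives you a file you can hash and check for a valid signature before deciding what to do with it.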
I don’t know what it means to patch your explorer.exe, so I’m assuming I haven’t. And if by the alerts you mean avast! telling me that explorer.exe is malicious, yes.
Download ComboFix from one of the following locations: Link 1 Link 2
VERY IMPORTANT !!! Save ComboFix.exe to your Desktop
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
- Double click on ComboFix.exe & follow the prompts.
- Accept the disclaimer and allow to update if it asks
Ok, but real quick: I realize you said when you run OTL your desktop and icons could disappear, but mine are still gone after reboot…I had to use the task manager to get my browser running. Did you mean the reboot caused by OTL or that you need to reboot after OTL auto-reboots?
This might be very important. I am experiencing exactly the same on Windows 7 Home 64. I do have a patched version of explorer, I modified it something like 1 year ago, but what is important is that after replacing it with an old backup (I luckily have Ubuntu installed) the system is back working.
I will test it and see if it comes back with the same problem then cases are two:
Everything goes on working as usual - meaning that it was a fp due to the patch or the patch itself did contain a virus which somehow activated only now or I somehow deleted the virus (I deleted temp and temporary internet files from Ubuntu).
At next reboot I get back to the same - then it means that the infection is not a fp and it is not related with patching.
Anyway it is also worth mentioning that yesterday Chrome was reporting me a dangerous download, which actually was not but could potentially be as it contained programs related with bioses which anyway I didn't open there since they were for another laptop. But the point is that this virus has probably been downloaded by some other malware which could have been there for a long time…
The problem occurred for me because I had a patched version of explorer.exe. See here. If you had knowingly modified explorer.exe (with a program such as W7SBC) and trust that program, then you may do as I did and whitelist explorer.exe in Avast for now.
Of course, there is still the chance that explorer.exe is malware. So do it at your own risk.
I used exactly W7SBC and as I said backup files created by that program are safe. Then it would really be the first time that I see a malware creating safe backup copies for you…
Maybe there is a new malware which affects only modified copies of explorer.exe, maybe exploiting some bugs. So I think that the best advice is to possibly unpatch/restore explorer.exe.
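The posts above come down to one question: is the explorer.exe on disk the original Microsoft file, a copy you patched yourself, or something else? An antivirus cannot tell a W7SBC patch from malicious tampering, because both break the file's signature. The following PowerShell script (an added example, not from any poster in this thread and not from W7SBC or Avast) answers that question without whitelisting anything: it checks the Authenticode signature of explorer.exe and compares its SHA-256 hash with a backup copy. The backup path is an assumption; point it at the pre-patch copy you kept (the W7SBC backup, or the one restored from Ubuntu in the post above).

```powershell
# Added example: report whether explorer.exe is the signed Microsoft binary
# and whether it matches a known-good backup. Read-only.

$target = Join-Path $env:SystemRoot 'explorer.exe'
$backup = 'D:\backup\explorer.exe.bak'   # ASSUMED location of your pre-patch backup; adjust

function Get-ExplorerReport {
    param(
        [string]$Path,
        [string]$BackupPath
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    $report = [ordered]@{
        Path            = $Path
        # 'Valid' for an untouched Microsoft file. A patched file (W7SBC or
        # anything else that rewrites the image) reports 'HashMismatch' or 'NotSigned'.
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256          = $hash
        MatchesBackup   = $null
    }

    if ($BackupPath -and (Test-Path $BackupPath)) {
        $bhash = (Get-FileHash -Path $BackupPath -Algorithm SHA256).Hash
        $report.MatchesBackup = ($hash -eq $bhash)
    }
    [pscustomobject]$report
}

$r = Get-ExplorerReport -Path $target -BackupPath $backup
$r | Format-List

if ($r.SignatureStatus -ne 'Valid') {
    Write-Warning "explorer.exe does not carry a valid Microsoft signature (status: $($r.SignatureStatus))."
    if ($r.MatchesBackup -eq $true) {
        Write-Warning "It is byte-identical to your backup, so it is the copy you patched yourself, not a new change."
    } elseif ($r.MatchesBackup -eq $false) {
        Write-Warning "It does NOT match your backup: the file changed after you made that copy."
    }
    Write-Warning "To put the original Microsoft file back, run from an elevated prompt:  sfc /scannow"
}
```

Two caveats when reading the output. On Windows 7, explorer.exe is signed through a catalog rather than an embedded signature, and older PowerShell versions report such files as `NotSigned` even when they are untouched; if you see that, cross-check with `sfc /verifyfile=C:\Windows\explorer.exe` from an elevated prompt, which uses the catalog. And `MatchesBackup = True` only tells you the file is the same as whatever you backed up: it rules out a change since then, not a problem that was already in the backup. Restoring the original with `sfc /scannow`, as the last post suggests, removes the ambiguity entirely and is the safer choice over whitelisting.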