Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

explorer.exe and Iexplore.exe infections.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

explorer.exe and Iexplore.exe infections.

Unread postby Barak » October 6th, 2009, 11:57 am

Hi guys,
First time around so how are you all doing?

Lately I got infected by a virus which I can't get rid off.
I got AVG 8.5 and it Detected the following:
Image
The list goes on and on like that.

In AVG when I click on the viruses located in the "Temp" dir it says that the infected file is located in "C:\windows\explorer.exe"

and when I click on the "Digest32.dll" virus it says that the infected file is located in "C:\program files\internet explorer\iexplore.exe".

The HiJackThis logs shows the following:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:19 PM, on 10/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\JulaPan.Exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\IObit\IObit Security 360\IS360tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\HijackThis\HijackThis.exe
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [JulaPan] JulaPan.Exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [Windows System Update] C:\WINDOWS\TEMP\CSRSS.EXE
O4 - HKLM\..\Run: [Windows Updater] C:\WINDOWS\TEMP\System.exe
O4 - HKLM\..\Run: [Language_Shortcut] C:\WINDOWS\TEMP\IEXPLORE.EXE
O4 - HKLM\..\Run: [SYSTRAY_UPDATE] C:\WINDOWS\TEMP\systray.exe
O4 - HKLM\..\Run: [RUNDLL32] C:\WINDOWS\TEMP\rundll32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 3225 bytes

I've tried removing all of those viruses but they just keep coming back after a few reboots.
Please help me out.
Thanks a lot.
Barak.
Barak
Active Member
 
Posts: 3
Joined: October 6th, 2009, 10:28 am
Advertisement
Register to Remove

Re: explorer.exe and Iexplore.exe infections.

Unread postby muppy03 » October 10th, 2009, 9:55 pm

Hello and welcome to Malware Removal Forums

IMPORTANT

Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
To make cleaning this machine easier:-
  • Continue to respond to this thread until I give you the All Clean!
  • Please DO NOT uninstall/install any programs unless asked to. It is more difficult when files/programs appear or disappear from the logs.
  • Please do not run any scans other than those requested and do not post any logs/reports unless specifically requested to do so.
  • Please follow all instructions in the order posted.
  • If you have any questions or do not understand instructions, please ask before continuing.
  • Please reply to this thread. Do not start a new topic.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.


Security Application Check:

Please download and save SecurityCheck.exe to your Desktop from one of the links below.

Link 1
Link 2

  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt
  • Please post the contents of that document in your next reply.


Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:

    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Please reply with:-
  • Uninstall list
  • checkup.txt
  • MBAM log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: explorer.exe and Iexplore.exe infections.

Unread postby Barak » October 12th, 2009, 12:00 pm

Hi muppy,
Thanks for the help.
Should have never let that technician guy install my computer, I knew he looked suspicious.
I've tried to download SecurityCheck.exe though both links don't work on both my computers, anywhere else to get it from?

For now I'll post the HJT Uninstall List and the MBAM log.

HJT Uninstal List :
_______________
Arturia minimoog V v1.6
AVG 8.5
discoDSP Discovery VSTi v2.10
HijackThis 2.0.2
IObit Security 360 Beta 2.1
iZotope Ozone 4
Microsoft Visual C++ 2005 Redistributable
Native Instruments Absynth v3.0.1
Native Instruments Battery 3
Native Instruments FM8
NVIDIA Drivers
NVIDIA PhysX
Prevx 3.0
PS01 - Keyboards
PSP Nitro 1.1.2
reFX Nexus 1.0.0
reFX Nexus 1.4.1
rgc:audio z3ta+ 1.5
Rob Papen Albino 3
Steinberg Cubase 5
Steinberg Drum Loop Expansion 01
Steinberg Groove Agent ONE Content
Steinberg HALionOne
Steinberg HALionOne Additional Content Set 01
Steinberg HALionOne Expression Set
Steinberg HALionOne GM Drum Set
Steinberg HALionOne GM Set
Steinberg HALionOne Pro Set
Steinberg HALionOne Studio Drum Set
Steinberg HALionOne Studio Set
Steinberg LoopMash Content
Steinberg REVerence Content 01
Sylenth1 v2.20
Syncrosoft License Control
Trilogy
Trojan Remover 6.8.1
USB Virus Scan 2.3
VirtualCloneDrive
V-Station 1.5.1
Waves Diamond Bundle v5.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
WinRAR archiver

MBAM Log:
_________
Malwarebytes' Anti-Malware 1.41
Database version: 2947
Windows 5.1.2600 Service Pack 2

10/12/2009 5:51:47 PM
mbam-log-2009-10-12 (17-51-47).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 191247
Time elapsed: 9 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 5
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows system update (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\language_shortcut (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\systray_update (Worm.Malas) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows updater (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\rundll32.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\VSTs\Absynth 3.0.1.15\Absynth 3\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
C:\VSTs\Waves Diamond 5.0\UninstallDiamond\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\antiwpa.dll (Trojan.I.Stole.Windows) -> Delete on reboot.
C:\WINDOWS\system32\digest32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\snapapi32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\CSRSS.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\IEXPLORE.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\systray.exe (Worm.Malas) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\System.exe (Trojan.Agent) -> Quarantined and deleted successfully.

P.S.
MBAM asked me to reboot inorder to complete the removal process.
For no I clicked no cause you haven't told me so, but should I do it and post a new log?

Thanks again,
Barak.
Barak
Active Member
 
Posts: 3
Joined: October 6th, 2009, 10:28 am

Re: explorer.exe and Iexplore.exe infections.

Unread postby muppy03 » October 12th, 2009, 6:16 pm

Rebooting is ok, go ahead.

WGA Diagnostic Tool

Please follow this WGA troubleshooting procedure:

Please post (reply) with the results along with NEW HJT log.
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: explorer.exe and Iexplore.exe infections.

Unread postby chryssi2001 » October 16th, 2009, 11:25 am

Due to lack of activity this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 467 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware