  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 729

explorer.exe loading virus

Hi,
One of my workstations seems to have caught a virus that Malwarebytes will not detect. The virus created a registry key called unokukowo and then it loads a DLL that has a randomly generated name, e.g. uwodaribiy.dll. When I run HijackThis this is the entry it creates:

O4 - HKLM\..\Run: [Unokukowo] rundll32.exe "C:\WINDOWS\uwodaribiy.dll",e

When I delete this DLL it comes back on reboot using a different name. Using Process Explorer, the file seems to be getting created by explorer.exe. Is there some way for me to see what explorer.exe is set up to load? Does anyone have an idea how to remove this virus short of reformatting the drive? It seems to spawn random pop-ups while using Internet Explorer. Thanks.
Asked by: Pawel_Kowalski
1 Solution
 
houssam_ballout commented:
Go to Start > msconfig and clear all programs except the antivirus,
and also download ComboFix:

www.bleepingcomputer.com/combofix/how-to-use-combofix
0
 
Kechka commented:
You can also try with smitfraudfix in safe mode. http://siri.geekstogo.com/SmitfraudFix.php
0
 
flubbster commented:
Do a search for explorer.exe. Where is it found? There should only be one file, obviously. Many times a virus will create a rogue copy and place it somewhere other than in the c:\windows folder, where it belongs.
0
 
Pawel_Kowalski (Author) commented:
ComboFix did not fix the problem, neither did SmitfraudFix. The log file for ComboFix is attached. Flubbster, I have explorer.exe under C:\Windows and one under C:\Windows\ServicePackFiles\i386 as well as a file called EXPLORER.EXE-082F38A9.pf under C:\Windows\Prefetch.

Any help would be appreciated. When I delete the DLL it seems to come back a few minutes after reboot, and I can see using Process Explorer that explorer.exe is creating it.
Attachment: log.txt
0
 
houssam_ballout commented:
Have you tried doing a System Restore?
0
 
Pawel_Kowalski (Author) commented:
System restore was disabled by this virus.
0
 
flubbster commented:
Does that mean you can't run a restore, or that there are no restore points?
0
 
Pawel_Kowalski (Author) commented:
There are no restore points.
0
 
houssam_ballout commented:
Have you tried a restore via safe mode?
0
 
Pawel_Kowalski (Author) commented:
Same thing, no restore points.
0
 
stlbridge commented:
One question:

Would you be confident to use this computer even if you did find a way to remove the virus from showing up?

If so, use Spybot S&D on it.  I removed the exact virus using Spybot, and haven't seen it in a few weeks.  I still will not do anything involving a password on this computer.  The computer that was infected was basically a "sacrificial lamb".
0
 
dragonfirez commented:
Two tools:

autoruns:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

process explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

First use Autoruns to see if you can find the other file that causes the file that you delete to come back each time you restart the computer. What I do is I go to the menu bar and click "Hide all Microsoft entries", and this helps to see things better. Then I look for files/apps that are unsigned and have weird/random filenames. Once you get an idea of which files are the infections, restart into safe mode. Once in safe mode, open up cmd, and then Ctrl-Alt-Del and end explorer.exe (this is because the infection has a tie-in to explorer, and ending it will allow you to delete the files you found earlier). Then go back to your command line and delete the files you found previously.

Process explorer might allow you to see what file is tying into explorer.exe so you can be better assisted in removing it.
0
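The triage that dragonfirez and flubbster describe (look at autostart entries for unsigned loaders with random names, and look for explorer.exe copies outside their proper directory) can be partly scripted. The following is an added example written for this thread; it is not code from the thread or from HijackThis, Autoruns or ComboFix. It parses HijackThis-style O4 lines like the one in the original post, flags rundll32 Run entries that load a DLL straight from the Windows directory root, that have a machine-looking file name, or that call a one-letter export, and lists explorer.exe copies outside the directories where a 32-bit Windows XP install keeps them. The sample O4 lines, the rogue system32 path, the regular expressions, the consonant/vowel heuristic and the expected-directory allowlist are all assumptions made for the example; a signature or known-good hash comparison, not a name heuristic, remains the authoritative check.

```python
"""Triage helpers for Run-key autostart entries and stray explorer.exe copies.

Added example for this thread, not code from HijackThis, Autoruns or ComboFix.
Input is a list of HijackThis-style O4 lines; all sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# HijackThis O4 line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)
# rundll32 command line: rundll32.exe "<dll path>",<export>   (quotes optional)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.IGNORECASE
)

VOWELS = set("aeiou")
# Assumption: directories where explorer.exe legitimately lives on 32-bit XP
# (ServicePackFiles keeps the service-pack copy). Prefetch .pf files are
# traces, not binaries, so they are ignored by name.
EXPECTED_EXPLORER_DIRS = {r"c:\windows", r"c:\windows\servicepackfiles\i386"}
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}


@dataclass
class Finding:
    value_name: str
    dll: str
    export: str
    reasons: list = field(default_factory=list)


def parse_o4(line):
    """Return the hive/key/name/cmd fields of an O4 line, or None if it is not one."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def looks_generated(stem):
    """Heuristic (assumption): long, letters-only names that alternate
    consonant/vowel almost perfectly (uwodaribiy, ihakacega) are typical of
    this family's random file names. Real products rarely look like that."""
    if len(stem) < 7 or not stem.isalpha():
        return False
    pairs = list(zip(stem, stem[1:]))
    switches = sum((a in VOWELS) != (b in VOWELS) for a, b in pairs)
    return switches / len(pairs) >= 0.9


def triage_entry(entry):
    """Score a parsed O4 entry; returns a Finding or None for non-rundll32 loaders."""
    m = RUNDLL_RE.match(entry["cmd"])
    if not m:
        return None
    dll, export = m.group("dll"), m.group("export")
    parent, _, filename = dll.lower().rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    reasons = []
    if parent in WINDOWS_ROOTS:
        reasons.append("DLL sits directly in the Windows directory root, "
                       "not in System32 or a product folder")
    if looks_generated(stem):
        reasons.append("DLL file name looks machine-generated")
    if len(export) <= 1:
        reasons.append("single-character or empty export name")
    return Finding(entry["name"], dll, export, reasons) if reasons else None


def triage_lines(lines):
    """Run every O4 line through the scorer and collect the findings."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        finding = triage_entry(entry) if entry else None
        if finding:
            findings.append(finding)
    return findings


def rogue_explorer_copies(paths):
    """Return explorer.exe paths that are outside the expected directories."""
    rogue = []
    for p in paths:
        parent, _, name = p.lower().rpartition("\\")
        if name == "explorer.exe" and parent not in EXPECTED_EXPLORER_DIRS:
            rogue.append(p)
    return rogue


# Constructed sample input: the poster's entry plus two benign-looking ones.
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [Unokukowo] rundll32.exe "C:\WINDOWS\uwodaribiy.dll",e',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]
# Constructed search result modelled on the poster's report, plus one rogue copy.
SAMPLE_EXPLORER_PATHS = [
    r"C:\Windows\explorer.exe",
    r"C:\Windows\ServicePackFiles\i386\explorer.exe",
    r"C:\Windows\Prefetch\EXPLORER.EXE-082F38A9.pf",
    r"C:\Windows\system32\explorer.exe",
]

if __name__ == "__main__":
    for f in triage_lines(SAMPLE_O4):
        print(f"[{f.value_name}] {f.dll},{f.export}")
        for r in f.reasons:
            print("   -", r)
    print("rogue explorer.exe copies:", rogue_explorer_copies(SAMPLE_EXPLORER_PATHS))
```

On the constructed input only the poster's Unokukowo entry is reported, with all three reasons, and only the system32 copy of explorer.exe is listed as rogue. To use it on a real box, paste the O4 section of a HijackThis log into SAMPLE_O4 and the output of a file search for explorer.exe into SAMPLE_EXPLORER_PATHS; anything the script flags still needs its signature and hash checked before it is removed.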
 
Pawel_Kowalski (Author) commented:
houssam, I tried your suggestions, they didn't work.

stlbridge, Spybot Search and Destroy didn't find anything.

dragonfirez, I have been using Process Explorer; I have not used Autoruns before. Thank you for this awesome program. However, I cannot find any suspicious files listed under it. Any ideas? The virus is still loading.
0
 
stlbridge commented:
Pawel, it's time to nuke it before the infected spread throughout all of Europe.  Bad joke, I suppose, but honestly, I'd say it's time to wipe this one clean.  You may have more behind the curtains that you realize.  A single .dll could do this, but I suspect there is far more going on.
0
 
Pawel_Kowalski (Author) commented:
Saying "nuke it" is a lot easier said than done :). If I have to do this I will, but I would like to try and find a solution to this first for economical reasons. Having to format this particular system would be a big problem, and I am yet to come across a virus that I am unable to clean off; I would hate to have to start now.
0
 
stlbridge commented:
What is on this system, if you don't mind me asking?
0
 
eblkheart commented:
I'm having the same issue as well with this. This came out of nowhere and I cannot figure out where it came from, or how to get rid of it. Bad thing is that this is on my company president's computer.
0
 
stlbridge commented:
Run a virus scan while the drive is set up as a slave on a separate box. This works well with Norton AV 2008, custom scan, specific drive.

>>"Economical reasons"

How much time have you spent on this?  Worst case scenario, you could have done an "over the top" restore, and hoped that the registry was purged of the cancer, and been finished by lunch.

I highly suggest creating a master image for the user's workstation, where all programs are installed and configured to the fullest.  Then, I would simply reimage the computer each time the silly user has made a boo boo.  All data such as images, music, documents, videos, etc. could easily be backed up to a thumb drive before you nuke it.  Then just put all of the data back into the user's "My Documents" folder.  You could even hit their favorites.  If they need updates, so be it.  That's just my .02, and I realize every situation is unique, so please do not think I am telling you how to do your job.  I simply am sharing my methods.  
0
 
Pawel_Kowalski (Author) commented:
I will not get into too much detail about what is on this computer, but it involves proprietary software that there isn't much documentation on. Restoring it is an option, but it is an option I would like to save as a last resort. These viruses are not magical, they have to start up somewhere. All I need to do is identify where this virus starts up and eliminate it, as I have done countless other times in my career.
0
 
stlbridge commented:
"I will not get in to much detail about what is on this computer"
Then I suspect you won't be posting a Hijack This log.

Good Luck.
0
 
Pawel_Kowalski (Author) commented:
I'll be happy to post a hijack this log, I already posted a combofix log.
0
 
Pawel_Kowalski (Author) commented:
With that said, there really is only one entry in HijackThis that is related to this virus, and that's the one I posted in the original post.
0
 
phototropic commented:
I have had some success in similar situations using a program called Unhackme:

http://www.greatis.com/unhackme/download.htm

Download and install the trial version. Click on "Check me now!" - if it says no Trojan is found, click OK, then select "Test Windows boot process". Agree to the reboot. The PC will reboot.
The program will now load and run before your desktop loads. Then it will say "You have a number of suspicious programs." Click on "Fix Programs".
It will set a restore point, then give you a list of boot processes. For each one, you can select "Get it out!", "False positive" or "I'm not sure..." which gives you a report on how bad/good the program may be.
I usually terminate anything assessed to be over 30% "bad".
The app. will then need to reboot.
Once the pc is clean, you should uninstall Unhackme - it is a very intrusive program.

Good luck!!!

0
 
rpggamergirl commented:
Hi,

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
KillAll::
File::
c:\windows\ihakacega.dll
c:\windows\dpshuiz.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Unokukowo"=-
------------------------------------------------------------------------
3. Save the above as CFScript.txt in the same location as ComboFix.exe, which is in your --> C:\
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


If the ComboFix script function doesn't take care of it, then we'll need to run another tool to check for any hidden drivers; you have many drivers/services there that I haven't checked, but they look legit.
0
 
Pawel_Kowalski (Author) commented:
rpggamergirl, that might have fixed it. I will browse around the internet for a while to make sure it doesn't come back and then I'll post back, fingers crossed.
0
 
rpggamergirl commented:
Sounds good.... fingers crossed yeah.

If it comes back can you please attach the latest Combofix log?
0
 
Pawel_Kowalski (Author) commented:
Looks like it is good. I checked to make sure the registry wasn't changing, made sure those files weren't coming back and monitored traffic from my nic, seems to be fine. Thanks for your help.
0
 
eblkheart commented:
I'm going to try this fix as well. Does anyone have an idea how this may have been installed or what it does?
0
 
Pawel_Kowalski (Author) commented:
I'm pretty sure the way this installed on my system was due to an image exploit. When I went to a site, a new window popped up with a broken image, at which point the memory usage for IE exploded. I have the latest updates, so I don't know why this happened unless there is a new GD exploit out there that hasn't been announced yet.
0
 
rpggamergirl commented:
Glad to know it's resolved.

To uninstall Combofix:
Go to Start > Run and copy and paste the next command into the field:

ComboFix /u
The above will remove combofix and its files, will remove the created backup and reset System Restore.


If you're not aware, you can also award points to more than one expert by clicking the "Accept Multiple Solutions" button.

Thank you!
0
Question has a verified solution.