Pawel_Kowalski
explorer.exe loading virus

Hi,
One of my workstations seems to have caught a virus that Malwarebytes will not detect. The virus created a registry key called unokukowo and then it loads a DLL that has a randomly generated name, i.e. uwodaribiy.dll. When I run HijackThis, this is the entry it creates:

O4 - HKLM\..\Run: [Unokukowo] rundll32.exe "C:\WINDOWS\uwodaribiy.dll",e

When I delete this DLL it comes back on reboot using a different name. Using Process Explorer, the file seems to be getting created by explorer.exe. Is there some way for me to see what explorer.exe is set up to load? Does anyone have an idea how to remove this virus short of reformatting the drive? It seems to spawn random pop-ups while using Internet Explorer. Thanks.
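A small triage script, added here as an example (not code from the thread), that parses HijackThis O4 lines like the one quoted above and flags the traits a defender would notice in that entry: a rundll32 launch of a DLL sitting directly in the Windows directory, a single-letter export name, and a strictly alternating vowel/consonant name pattern like "uwodaribiy" and "unokukowo". The alternation heuristic is an assumption drawn from the two names in the question, and the benign comparison lines are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample O4 lines: the first mirrors the entry quoted in the question,
# the rest are constructed benign-looking entries used for contrast.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [Unokukowo] rundll32.exe "C:\WINDOWS\uwodaribiy.dll",e',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
]

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Matches  rundll32 "<dll>",<export>  as well as  rundll32 <dll>,<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S*)', re.I)
VOWELS = set('aeiou')

def parse_o4(line):
    """Split an O4 line into hive, key, value name and command; None if it is not an O4 line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None

def looks_random(name):
    """Heuristic (assumption): 8+ letters, strictly alternating vowel/consonant, as in uwodaribiy."""
    s = name.lower()
    if len(s) < 8 or not s.isalpha():
        return False
    kinds = [c in VOWELS for c in s]
    return all(a != b for a, b in zip(kinds, kinds[1:]))

def assess(entry):
    """Return the reasons an O4 entry deserves a closer look (empty list = nothing notable)."""
    reasons = []
    if looks_random(entry['name']):
        reasons.append('value name looks machine-generated')
    m = RUNDLL_RE.match(entry['cmd'].strip())
    if m:
        dll = PureWindowsPath(m.group('dll'))
        if looks_random(dll.stem):
            reasons.append('DLL name looks machine-generated')
        if dll.parent.name.lower() == 'windows':
            reasons.append('DLL sits directly in the Windows directory, not system32')
        if len(m.group('entry')) <= 1:
            reasons.append('rundll32 export name is a single character')
    return reasons

def triage(lines):
    """Map value name -> reasons for every O4 line that raises at least one flag."""
    hits = {}
    for line in lines:
        entry = parse_o4(line)
        if entry and (reasons := assess(entry)):
            hits[entry['name']] = reasons
    return hits

if __name__ == '__main__':
    for name, reasons in triage(SAMPLE_O4_LINES).items():
        print(name, '->', '; '.join(reasons))
```

Run it over the O4 section of a full HijackThis log to get a shortlist; a flagged entry is a starting point for inspection, not proof of infection.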
Houssam Ballout

Go to Start > msconfig and clear all programs except the antivirus,
and also download ComboFix:

www.bleepingcomputer.com/combofix/how-to-use-combofix
You can also try with smitfraudfix in safe mode. http://siri.geekstogo.com/SmitfraudFix.php
Do a search for explorer.exe. Where is it found? There should only be one file, obviously. Many times a virus will create a rogue copy and place it somewhere other than in the C:\Windows folder, where it belongs.
Pawel_Kowalski

ASKER

ComboFix did not fix the problem, neither did SmitfraudFix. The log file for ComboFix is attached. Flubbster, I have explorer.exe under C:\Windows and one under C:\Windows\ServicePackFiles\i386, as well as a file called EXPLORER.EXE-082F38A9.pf under C:\Windows\Prefetch.

Any help would be appreciated. When I delete the DLL it seems to come back a few minutes after reboot, and I can see using Process Explorer that explorer.exe is creating it.
log.txt
Had you tried to do a System Restore?
System restore was disabled by this virus.
Does that mean you can't run a restore, or that there are no restore points?
There are no restore points.
Had you tried to restore via Safe Mode?
Same thing, no restore points.
One question:

Would you be confident to use this computer even if you did find a way to remove the virus from showing up?

If so, use Spybot S&D on it. I removed the exact virus using Spybot, and haven't seen it in a few weeks. I still will not do anything involving a password on this computer. The computer that was infected was basically a "sacrificial lamb".
Two tools:

autoruns:
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

process explorer:
http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

First use Autoruns to see if you can find the other file that causes the file that you delete to come back each time you restart the computer. What I do is go to the menu bar and click "Hide all Microsoft entries", and this helps to see things better. Then I look for files / apps that are unsigned and have weird / random filenames. Once you get an idea of which files are the infections, restart into Safe Mode. Once in Safe Mode, open up cmd, and then Ctrl-Alt-Del and end explorer.exe (this is because the infection has a tie-in to explorer, and ending it will allow you to delete the files you found earlier). Then go back to your command line and delete the files you found previously.

Process Explorer might allow you to see what file is tying into explorer.exe so you can be better assisted in removing it.
houssam, I tried your suggestions, they didn't work.

stlbridge, Spybot Search & Destroy didn't find anything.

dragonfirez, I have been using Process Explorer; I have not used Autoruns before. Thank you for this awesome program. However, I cannot find any suspicious files listed under it. Any ideas? The virus is still loading.
Pawel, it's time to nuke it before the infection spreads throughout all of Europe. Bad joke, I suppose, but honestly, I'd say it's time to wipe this one clean. You may have more behind the curtains than you realize. A single .dll could do this, but I suspect there is far more going on.
Saying "nuke it" is a lot easier said than done :). If I have to do this I will, but I would like to try and find a solution to this first for economical reasons. Having to format this particular system would be a big problem, and I have yet to come across a virus that I am unable to clean off; I would hate to have to start now.
What is on this system, if you don't mind me asking?
I'm having the same issue as well with this. This came out of nowhere and I cannot figure out where it came from or how to get rid of it. Bad thing is that this is on my company president's computer.
Run a virus scan while the drive is set up as a slave on a separate box. This works well with Norton AV 2008, custom scan, specific drive.

>>"Economical reasons"

How much time have you spent on this? Worst case scenario, you could have done an "over the top" restore, and hoped that the registry was purged of the cancer, and been finished by lunch.

I highly suggest creating a master image for the user's workstation, where all programs are installed and configured to the fullest. Then, I would simply reimage the computer each time the silly user has made a boo-boo. All data such as images, music, documents, videos, etc. could easily be backed up to a thumb drive before you nuke it. Then just put all of the data back into the user's "My Documents" folder. You could even hit their favorites. If they need updates, so be it. That's just my .02, and I realize every situation is unique, so please do not think I am telling you how to do your job. I simply am sharing my methods.
I will not get into much detail about what is on this computer, but it involves proprietary software that there isn't much documentation on. Restoring it is an option, but it is an option I would like to save as a last resort. These viruses are not magical; they have to start up somewhere. All I need to do is identify where this virus starts up and eliminate it, as I have done countless other times in my career.
"I will not get into much detail about what is on this computer"
Then I suspect you won't be posting a HijackThis log.

Good Luck.
I'll be happy to post a HijackThis log; I already posted a ComboFix log.
With that said, there really is only one entry in HijackThis that is related to this virus, and that's the one I posted in the original post.
I have had some success in similar situations using a program called Unhackme:

http://www.greatis.com/unhackme/download.htm

Download and install the trial version. Click on "Check me now!" - if it says no Trojan is found, click OK, then select "Test Windows boot process". Agree to the reboot. The PC will reboot.
The program will now load and run before your desktop loads. Then it will say "You have a number of suspicious programs." Click on "Fix Programs".
It will set a restore point, then give you a list of boot processes. For each one, you can select "Get it out!", "False positive" or "I'm not sure..." which gives you a report on how bad/good the program may be.
I usually terminate anything assessed to be over 30% "bad".
The app will then need to reboot.
Once the PC is clean, you should uninstall Unhackme - it is a very intrusive program.

Good luck!!!

ASKER CERTIFIED SOLUTION
rpggamergirl
rpggamergirl, that might have fixed it. I will browse around the internet for a while to make sure it doesn't come back and then I'll post back, fingers crossed.
Sounds good.... fingers crossed yeah.

If it comes back can you please attach the latest Combofix log?
Looks like it is good. I checked to make sure the registry wasn't changing, made sure those files weren't coming back and monitored traffic from my NIC; it seems to be fine. Thanks for your help.
I'm going to try this fix as well. Does anyone have an idea how this may have been installed or what it does?
I'm pretty sure the way this installed on my system was due to an image exploit. When I went to a site a new window popped up with a broken image, at which point the memory usage for IE exploded. I have the latest updates so I don't know why this happened, unless there is a new GD exploit out there that hasn't been announced yet.
Glad to know it's resolved.

To uninstall ComboFix:
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

The above will remove ComboFix and its files, will remove the created backup and reset System Restore.


If you're not aware, you can also award points to more than one expert by clicking the "Accept Multiple Solutions" button.

Thank you!