New explorer imposter? "Moved"

I have just run into something new (to me) that I thought I would share here.

I have a user who was having an intermittant problem getting online with her browser, tho her computer would still be connected and I was able to log on to her using VNC (though Hamachi). She is a Firefox user, who has BOClean and Avira on her system and up to date. She (or I) periodically runs SuperAntiSpyware and Spybot.

When she tried to browse she was getting a plain white screen in Firefox. IE would do the equivalent, saying that the server was unavailable no matter where she tried to go. If she rebooted her system, everything would work correctly until the same problem would return.

When I remoted into her system I found that an old version of Netscape had been installed along with WinRAR and a version of WSFTP. A version of "mailbomber" had also been installed.

There was also a bogus subfolder in her IE folder called "explorer" with subs that had numbers for name and an "explorer.exe" file that had a heart for an icon. The description of the exe read ICE211 Microsoft???? or something very similar. I didn't find this the first time I was troubleshooting her system.

On my first pass through her system I had found and deleted all the above mentioned folders files and logs but I had missed the errant explorer.exe and it's parent folder, stuck in the IE hierarchy. She continued to have intermittent browsing problems that were temporarily cured by rebooting. None of the other folders or files came back. Then I found and removed the fake explorer directories and I am hoping the browsing problem is 'solved'.

This user is quite distant from me and it will be some time before I can access the machine directly. She does not have her install disks, nor the money to pay for a rebuild. I understand that after this kind of event she needs a wipe and rebuild, but that isn't too likely to happen, at least any time soon. I don't mind working on her system remotely at no cost. She does not shop, bank, or trade stocks on her computer, so the practical danger of a RAT on her system is limited to a privacy risk to her email. She doesn't seem terribly concerned about that.

I'm wondering if anyone recognizes the details I have described and/or has any further suggestions on how I might be able to manage her problem from here. If her system doesn't continue to have a browsing problem I will probably just let it go for now. If her browsing problem continues I will continue to look for solutions.

Edit: I forgot to include that I ran MalwareBytes and Cureit on the system and they found nothing.

Edited by cyberhelp, 13 February 2009 - 07:07 PM.

Would love to have you remote into mine!!! I am deleting files every 10 minutes with ATF Scanner, Shredding Files with S&D, and while uninstalling items with Ccleaner.

Malwarebytes - No infection
OneCare Live Scanner - no infection
S&D either.

BECUASE THEY ARE INTERCEPTED AND IMMUNIZED. this thing is so bad that it hides all the real files, and replaces all the file types so that you cannot open anything. Running at breakneck speed until all systems are rendered useless. Anyone that is trying to fight this thing ... here are the items that you need to go after:


Graphics Adapters - all approved graphics drivers are uninstalled and VGASAVE replaces them
Network Adapters - I started with one 6 hours ago and now have a dozen mostly wan miniport one of each flavor pppoe, pptp, l2to, ip , ip - packet scheduler minniport, parellel.... oh did i mention they are all hidden. You have to show them from the view > show hidden devices

c:/program files/

InstallShield Installation Information
NET HOOD
PrintHood
NT Windows

• Active Voice &cop; Dialer (look for /pin ball and you will find the dialer files

LOOK FOR NT AUTHORITY Ace_ logins

Does a virus have arms?
Mine on top of the video and network adapters like this evil sounding mouse driver MOUHIDE and MOUCLASS located here:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\



it is extensive I actually got a non mutated version of runalazer going... oh if you have trouble with getting bam to run just rename the exe and it will take off. Basically the registry is suppressing the real BAM and loads


Also if you are on a laptop PULL THE PLUG. I have found in the scripts orders to shut down in the event of on battery power status!!


Lastly go for the RemoteProcedureCall it has all services running...

Nobody has seen this, before or since I posted it?

I still have this ongoing but intermittent problem with this user losing the ability to browse on her connected box. I haven't found anything new that gives me any more confidence that there isn't still some kind of pest at work here. I would really like to avoid a rebuild, but since the box is still experiencing this issue I don't see how I can reasonably ignore it.

I am moving this topic from the Breaking Virus forum to the Am I Infected forum where it can get the attention it deserves. ~ OB

Doesn't seem to have helped.

Among other things I found a pest on her system that I sent to ThreatExpert. Here is what they found:

http://www.threatexpert.com/report.aspx?md...33fc12a49e15111

VirusTotal shows that vendors are catching up on it, as they originally reported 12/36 and are now up to 19/36

http://www.virustotal.com/analisis/b1b33b4...850dc0b0a545099

I think I have slain the beast on her box, but only time will tell...