Infected with Trojan.Bamital!inf and possibly another virus.


This topic is locked.
97 replies to this topic

#61 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:22 AM

Posted 09 December 2010 - 06:37 PM

Hello, Skitz69.

Not too bad. The OTL detection we already quarantined. The tracking cookie can be removed if you want. The registry cleaner can also be removed if you want. We don't recommend registry cleaners here.

Registry Cleaner Warning

I also see that you have a registry cleaner installed (in your case ). Here at BC, we do not recommend using registry cleaners. If you do use it, make sure to use a tool like ERUNT to back up your registry first. Merely backing it up yourself via regedit won't help you if you can't boot up as a result!

See here for more information:
http://www.bleepingcomputer.com/forums/index.php?showtopic=238799&st=0&p=1326578&#entry1326578












Step 1

Next, we need to update Java.
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 23 and save it to your desktop.
  • Scroll down to where it says "JDK 6 Update 23 (JDK or JRE)...allows end-users to run Java applications".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) or Java™ in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version(s) shown below:
    Java™ 6 Update 17
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u23-windows-i586-p.exe to install the newest version.




Step 2

Your Adobe Reader software is out of date and has known security holes. Please launch it, go to Help --> Check for Updates and let it update the main program if needed. Updating the languages and/or dictionaries is optional.

Step 3

How is your computer now? Any remaining symptoms?

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 



#62 etavares

Posted 14 December 2010 - 05:05 PM

still with me?



#63 Skitz69

Skitz69
  • Topic Starter

  • Members
  • 51 posts
  • OFFLINE
  •  
  • Local time:01:22 PM

Posted 19 December 2010 - 05:28 AM

Hey sorry, I've been away from home most days. I'll get onto those instructions now.
I just wanted to say that I still get the explorer.exe error where it wants me to restart it in order for it to respond. If I don't click the restart I can't use the task bar.
Again sorry for the delay of the response.

#64 etavares

Posted 20 December 2010 - 11:09 PM

Hello, Skitz69.

We replaced wininit.exe...that infection often infects explorer.exe as well. Let's look at that.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\windows\explorer.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

etavares




#65 etavares

Posted 29 December 2010 - 03:17 PM

Still with me?




#66 Skitz69

Posted 30 December 2010 - 03:16 AM

Hey, I was away for Christmas and will be going away for New Year's for a couple of days. I'll quickly do this now and then I won't have access to a computer for a few days. Sorry about that. I'll edit this post when I've scanned explorer.

#67 etavares

Posted 30 December 2010 - 04:55 PM

OK, I will keep an eye out. Thanks for the update. Please post the result in a new post, otherwise I won't be notified that this thread is updated now that I have replied.




#68 etavares

Posted 06 January 2011 - 06:54 PM

Hi...are you back?




#69 Skitz69

Posted 07 January 2011 - 04:43 AM

Hey, I'm really sorry, I was sure I had replied before I went away. When I scanned about a week ago nothing was found on Jotti. I scanned again just today with Jotti but again nothing was found. While using the computer explorer.exe had the same problem where it had to be refreshed to be usable again.

#70 etavares

Posted 07 January 2011 - 07:21 PM

Hello, Skitz69.
Let's replace explorer.exe to be safe. The infection you have often infects it. Hopefully you have a good one in your computer, unlike winlogon.

Download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • A blank window shall open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy and Paste the content of the following codebox into the main textfield under "File":
    :filefind
    explorer.*
    
  • Please confirm everything is copied and pasted as I have provided above
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan.
  • Please post this log in your next reply.


Note: The log can also be found on your Desktop entitled SystemLook.txt
2nd Note: The scan may take a while from several seconds to a minute or more depending on the number of files you have and how fast your computer can perform the task


etavares




#71 Skitz69

Posted 08 January 2011 - 02:46 AM

Here's the results:

SystemLook 04.09.10 by jpshortstuff
Log created at 15:39 on 08/01/2011 by USER
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "explorer.*"
C:\Windows\explorer.exe --a---- 2870272 bytes [01:49 05/03/2010] [06:34 31/10/2009] F47DFDA363D37960D3713260F4BBC160
C:\Windows\de-DE\explorer.exe.mui --a---- 25600 bytes [04:02 05/11/2009] [11:00 13/07/2009] 64E8A52EA68A8C36D0152F3108DA02D0
C:\Windows\en-US\explorer.exe.mui --a---- 22016 bytes [05:35 14/07/2009] [02:26 14/07/2009] 4B87EEFDC8E253F846A7DFB49A8E6C70
C:\Windows\fr-FR\explorer.exe.mui --a---- 26624 bytes [07:36 06/11/2009] [11:08 13/07/2009] BE31703AC133F7C80896D7898687BEF0
C:\Windows\it-IT\explorer.exe.mui --a---- 25088 bytes [08:13 06/11/2009] [11:00 13/07/2009] 23D5A51BD481152EEF04E2F1125B4C1B
C:\Windows\ja-JP\explorer.exe.mui --a---- 16896 bytes [05:49 09/11/2009] [11:15 13/07/2009] EECE6BBAA594B165A9D62451D2A29EE8
C:\Windows\ko-KR\explorer.exe.mui --a---- 15872 bytes [08:30 06/11/2009] [12:15 13/07/2009] BD688D0CB84FFC27BF4AFD8595C13A7A
C:\Windows\PolicyDefinitions\Explorer.admx --a---- 3836 bytes [21:48 13/07/2009] [20:53 10/06/2009] AD131A834808E6AFF4A3918DE05BFCF6
C:\Windows\PolicyDefinitions\de-DE\Explorer.adml --a---- 4226 bytes [04:02 05/11/2009] [11:01 13/07/2009] EE23420A7C0E74A9D316221F8BFB2477
C:\Windows\PolicyDefinitions\en-US\Explorer.adml --a---- 3695 bytes [05:35 14/07/2009] [02:30 14/07/2009] 7A4C7F3CB156543113596988479CAFCE
C:\Windows\PolicyDefinitions\fr-FR\Explorer.adml --a---- 4366 bytes [07:36 06/11/2009] [11:08 13/07/2009] 08B7C46F43CAF60319B5DE61EDCCA056
C:\Windows\PolicyDefinitions\it-IT\Explorer.adml --a---- 4183 bytes [08:13 06/11/2009] [11:00 13/07/2009] 4CF10EA9BAB7750F41A7E154AECAF977
C:\Windows\PolicyDefinitions\ja-JP\Explorer.adml --a---- 4765 bytes [05:50 09/11/2009] [11:21 13/07/2009] 93AABD2885B004C34E64863724AEA621
C:\Windows\PolicyDefinitions\ko-KR\Explorer.adml --a---- 4077 bytes [08:30 06/11/2009] [12:09 13/07/2009] 8762C7617062B48018B4CF640326A270
C:\Windows\PolicyDefinitions\zh-CN\Explorer.adml --a---- 3660 bytes [05:06 09/11/2009] [12:09 13/07/2009] EB8EC2773976226EC9FCCD8D42B62E54
C:\Windows\PolicyDefinitions\zh-TW\Explorer.adml --a---- 3552 bytes [05:21 09/11/2009] [12:16 13/07/2009] 32F91728269CD01FAEC4F9E0363D38FA
C:\Windows\Prefetch\EXPLORER.EXE-7A3328DA.pf --a---- 327494 bytes [14:02 24/06/2010] [09:33 07/01/2011] 1546534791AEB8956914780FFAE185B2
C:\Windows\System32\explorer.exe --a---- 2614272 bytes [01:49 05/03/2010] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\System32\de-DE\explorer.exe.mui --a---- 25600 bytes [04:02 05/11/2009] [10:47 13/07/2009] EB67605F636687E5F3C988B0059A8C46
C:\Windows\System32\en-US\explorer.exe.mui --a---- 22016 bytes [05:35 14/07/2009] [02:06 14/07/2009] B9F4B1CA23D60775736059D72BA48526
C:\Windows\System32\fr-FR\explorer.exe.mui --a---- 26624 bytes [07:36 06/11/2009] [10:48 13/07/2009] FD173730E78468962F9AF98C274B723B
C:\Windows\System32\it-IT\explorer.exe.mui --a---- 25088 bytes [08:14 06/11/2009] [10:40 13/07/2009] D871BB5958AEF9F493B330FCB533DE6B
C:\Windows\System32\ja-JP\explorer.exe.mui --a---- 16896 bytes [05:50 09/11/2009] [12:00 13/07/2009] 4A0670BE08EFA7504B75D0955CEC7CD8
C:\Windows\System32\ko-KR\explorer.exe.mui --a---- 15872 bytes [08:30 06/11/2009] [12:00 13/07/2009] E8948167041A135FFD63FD4172598833
C:\Windows\System32\zh-CN\explorer.exe.mui --a---- 13312 bytes [05:07 09/11/2009] [11:53 13/07/2009] ECD0D6CAA227CEDB28528A08762764DB
C:\Windows\System32\zh-TW\explorer.exe.mui --a---- 13312 bytes [05:21 09/11/2009] [12:00 13/07/2009] A566E879D8850B59EAFA8116FFA2ECE1
C:\Windows\SysWOW64\explorer.exe --a---- 2614272 bytes [01:49 05/03/2010] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\SysWOW64\de-DE\explorer.exe.mui --a---- 25600 bytes [04:02 05/11/2009] [10:47 13/07/2009] EB67605F636687E5F3C988B0059A8C46
C:\Windows\SysWOW64\en-US\explorer.exe.mui --a---- 22016 bytes [05:35 14/07/2009] [02:06 14/07/2009] B9F4B1CA23D60775736059D72BA48526
C:\Windows\SysWOW64\fr-FR\explorer.exe.mui --a---- 26624 bytes [07:36 06/11/2009] [10:48 13/07/2009] FD173730E78468962F9AF98C274B723B
C:\Windows\SysWOW64\it-IT\explorer.exe.mui --a---- 25088 bytes [08:14 06/11/2009] [10:40 13/07/2009] D871BB5958AEF9F493B330FCB533DE6B
C:\Windows\SysWOW64\ja-JP\explorer.exe.mui --a---- 16896 bytes [05:50 09/11/2009] [12:00 13/07/2009] 4A0670BE08EFA7504B75D0955CEC7CD8
C:\Windows\SysWOW64\ko-KR\explorer.exe.mui --a---- 15872 bytes [08:30 06/11/2009] [12:00 13/07/2009] E8948167041A135FFD63FD4172598833
C:\Windows\SysWOW64\zh-CN\explorer.exe.mui --a---- 13312 bytes [05:07 09/11/2009] [11:53 13/07/2009] ECD0D6CAA227CEDB28528A08762764DB
C:\Windows\SysWOW64\zh-TW\explorer.exe.mui --a---- 13312 bytes [05:21 09/11/2009] [12:00 13/07/2009] A566E879D8850B59EAFA8116FFA2ECE1
C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b8f6a2cb9e74c5d6\explorer.exe.mui --a---- 25600 bytes [04:02 05/11/2009] [11:00 13/07/2009] 64E8A52EA68A8C36D0152F3108DA02D0
C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_61e778c48d52d19b\explorer.exe.mui --a---- 22016 bytes [05:35 14/07/2009] [02:26 14/07/2009] 4B87EEFDC8E253F846A7DFB49A8E6C70
C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_046a4ba7804bd9a2\explorer.exe.mui --a---- 26624 bytes [07:36 06/11/2009] [11:08 13/07/2009] BE31703AC133F7C80896D7898687BEF0
C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ee9241ee577dbf20\explorer.exe.mui --a---- 25088 bytes [08:13 06/11/2009] [11:00 13/07/2009] 23D5A51BD481152EEF04E2F1125B4C1B
C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_90b7c0fb4a98d0fb\explorer.exe.mui --a---- 16896 bytes [05:49 09/11/2009] [11:15 13/07/2009] EECE6BBAA594B165A9D62451D2A29EE8
C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_34219db03d099811\explorer.exe.mui --a---- 15872 bytes [08:30 06/11/2009] [12:15 13/07/2009] BD688D0CB84FFC27BF4AFD8595C13A7A
C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_c16de3327474abad\explorer.exe.mui --a---- 13312 bytes [05:06 09/11/2009] [12:15 13/07/2009] 8F467646DE8AB05A9152FE26B8C42CF1
C:\Windows\winsxs\amd64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_c56a208871e5881d\explorer.exe.mui --a---- 13312 bytes [05:20 09/11/2009] [12:09 13/07/2009] 6EA5059311CF522EBA9C860B8493DE02
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe --a---- 2868224 bytes [23:56 13/07/2009] [01:39 14/07/2009] C235A51CB740E45FFA0EBFB9BAFCDA64
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_adff19b5932d79ae\explorer.exe --a---- 2868224 bytes [07:53 03/11/2009] [06:17 03/08/2009] F170B4A061C9E026437B193B4D571799
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe --a---- 2870272 bytes [01:49 05/03/2010] [06:34 31/10/2009] 9AAAEC8DAC27AA17B053E6352AD233AE
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_ae84b558ac4eb41c\explorer.exe --a---- 2868224 bytes [07:53 03/11/2009] [06:19 03/08/2009] 700073016DAC1C3D2E7E2CE4223334B6
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe --a---- 2870272 bytes [01:49 05/03/2010] [06:38 31/10/2009] B8EC4BD49CE8F6FC457721BFC210B67F
C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d6049b4095286d3f\Explorer.adml --a---- 4226 bytes [04:02 05/11/2009] [11:01 13/07/2009] EE23420A7C0E74A9D316221F8BFB2477
C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7ef5713984067904\Explorer.adml --a---- 3695 bytes [05:35 14/07/2009] [02:30 14/07/2009] 7A4C7F3CB156543113596988479CAFCE
C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_2178441c76ff810b\Explorer.adml --a---- 4366 bytes [07:36 06/11/2009] [11:08 13/07/2009] 08B7C46F43CAF60319B5DE61EDCCA056
C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_it-it_0ba03a634e316689\Explorer.adml --a---- 4183 bytes [08:13 06/11/2009] [11:00 13/07/2009] 4CF10EA9BAB7750F41A7E154AECAF977
C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_adc5b970414c7864\Explorer.adml --a---- 4765 bytes [05:50 09/11/2009] [11:21 13/07/2009] 93AABD2885B004C34E64863724AEA621
C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_512f962533bd3f7a\Explorer.adml --a---- 4077 bytes [08:30 06/11/2009] [12:09 13/07/2009] 8762C7617062B48018B4CF640326A270
C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_de7bdba76b285316\Explorer.adml --a---- 3660 bytes [05:06 09/11/2009] [12:09 13/07/2009] EB8EC2773976226EC9FCCD8D42B62E54
C:\Windows\winsxs\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_e27818fd68992f86\Explorer.adml --a---- 3552 bytes [05:21 09/11/2009] [12:16 13/07/2009] 32F91728269CD01FAEC4F9E0363D38FA
C:\Windows\winsxs\amd64_microsoft-windows-shell-grouppolicy_31bf3856ad364e35_6.1.7600.16385_none_71af9b5b0a86e6b7\Explorer.admx --a---- 3836 bytes [21:48 13/07/2009] [20:53 10/06/2009] AD131A834808E6AFF4A3918DE05BFCF6
C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c34b4d1dd2d587d1\explorer.exe.mui --a---- 25600 bytes [04:02 05/11/2009] [10:47 13/07/2009] EB67605F636687E5F3C988B0059A8C46
C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6c3c2316c1b39396\explorer.exe.mui --a---- 22016 bytes [05:35 14/07/2009] [02:06 14/07/2009] B9F4B1CA23D60775736059D72BA48526
C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0ebef5f9b4ac9b9d\explorer.exe.mui --a---- 26624 bytes [07:36 06/11/2009] [10:48 13/07/2009] FD173730E78468962F9AF98C274B723B
C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_it-it_f8e6ec408bde811b\explorer.exe.mui --a---- 25088 bytes [08:14 06/11/2009] [10:40 13/07/2009] D871BB5958AEF9F493B330FCB533DE6B
C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_9b0c6b4d7ef992f6\explorer.exe.mui --a---- 16896 bytes [05:50 09/11/2009] [12:00 13/07/2009] 4A0670BE08EFA7504B75D0955CEC7CD8
C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_ko-kr_3e764802716a5a0c\explorer.exe.mui --a---- 15872 bytes [08:30 06/11/2009] [12:00 13/07/2009] E8948167041A135FFD63FD4172598833
C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_zh-cn_cbc28d84a8d56da8\explorer.exe.mui --a---- 13312 bytes [05:07 09/11/2009] [11:53 13/07/2009] ECD0D6CAA227CEDB28528A08762764DB
C:\Windows\winsxs\wow64_microsoft-windows-explorer.resources_31bf3856ad364e35_6.1.7600.16385_zh-tw_cfbecadaa6464a18\explorer.exe.mui --a---- 13312 bytes [05:21 09/11/2009] [12:00 13/07/2009] A566E879D8850B59EAFA8116FFA2ECE1
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_b7fe430bc7ce3761\explorer.exe --a---- 2613248 bytes [23:41 13/07/2009] [01:14 14/07/2009] 15BC38A7492BEFE831966ADB477CF76F
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_b853c407c78e3ba9\explorer.exe --a---- 2613248 bytes [07:53 03/11/2009] [05:35 03/08/2009] B95EEB0F4E5EFBF1038A35B3351CF047
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe --a---- 2614272 bytes [01:49 05/03/2010] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_b8d95faae0af7617\explorer.exe --a---- 2613248 bytes [07:53 03/11/2009] [05:49 03/08/2009] 9FF6C4C91A3711C0A3B18F87B08B518D
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_b89b8100e0dd69c2\explorer.exe --a---- 2614272 bytes [01:49 05/03/2010] [06:00 31/10/2009] C76153C7ECA00FA852BB0C193378F917
C:\Windows\zh-CN\explorer.exe.mui --a---- 13312 bytes [05:06 09/11/2009] [12:15 13/07/2009] 8F467646DE8AB05A9152FE26B8C42CF1
C:\Windows\zh-TW\explorer.exe.mui --a---- 13312 bytes [05:20 09/11/2009] [12:09 13/07/2009] 6EA5059311CF522EBA9C860B8493DE02

-= EOF =-

#72 etavares

Posted 09 January 2011 - 11:16 AM

Hello, Skitz69.
Good news/bad news.

Good news: explorer.exe IS infected, at least the 32-bit one. It must be a new variant as it was not detected by Jotti.
Bad news: we need to replace it, and much like winlogon, you don't have a clean copy on your system.

Do you have access to that Windows CD/other computer we used before?



etavares




#73 Skitz69

Posted 09 January 2011 - 11:24 AM

Hey, just wondering how you could tell it was infected?
And yes I do have access to the other computer. It's what I use to post all my replies.
Thanks

#74 etavares

Posted 09 January 2011 - 11:44 AM

Hi,

C:\Windows\explorer.exe --a---- 2870272 bytes [01:49 05/03/2010] [06:34 31/10/2009] F47DFDA363D37960D3713260F4BBC160


That is the file information for C:\windows\explorer.exe. Note the random letters/characters after the date. That's the MD5 signature of the file. Copy and paste that MD5 hash into Google...there are 3 hits. A legitimate Windows file would have thousands. Known malware would have a ton too. So, it's patched by something.

Please boot into xPud like before. Rename c:\windows\explorer.exe to explorer.old, then copy C:\windows\explorer.exe from your clean computer into the same spot on the infected computer. Reboot into Windows and let me know how it is running.



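The check etavares describes above (is the MD5 of the live file one that anyone else has ever seen?) has an offline counterpart on the machine itself: Windows keeps pristine copies of its own binaries in the WinSxS component store, and the SystemLook log posted in #71 already lists those copies with their hashes. The script below is an added example, not code from this thread or from SystemLook's author. It parses SystemLook ":filefind" output and flags any live file (outside WinSxS) that has the same size and the same creation and modification timestamps as a WinSxS copy of the same name but a different MD5, which is the pattern a file infector that patches a binary in place leaves behind. The embedded sample is a constructed subset of the explorer.exe lines from the #71 log; the status labels matches_sxs, patched and unmatched are this example's own.

```python
# Added example (not from the original thread): flag in-place patched Windows
# binaries by comparing SystemLook ':filefind' results against the copies in
# the WinSxS component store.
import hashlib
import re
from collections import defaultdict

# One SystemLook result line looks like
#   C:\Windows\explorer.exe --a---- 2870272 bytes [01:49 05/03/2010] [06:34 31/10/2009] F47DFDA3...
# i.e. path, attribute flags, size, [created], [modified], MD5.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Constructed sample: a subset of the explorer.exe lines from the SystemLook log
# posted earlier in this thread (.mui/.admx lines omitted).
SAMPLE_LOG = r"""
SystemLook 04.09.10 by jpshortstuff
Searching for "explorer.*"
C:\Windows\explorer.exe --a---- 2870272 bytes [01:49 05/03/2010] [06:34 31/10/2009] F47DFDA363D37960D3713260F4BBC160
C:\Windows\System32\explorer.exe --a---- 2614272 bytes [01:49 05/03/2010] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\SysWOW64\explorer.exe --a---- 2614272 bytes [01:49 05/03/2010] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_ada998b9936d7566\explorer.exe --a---- 2868224 bytes [23:56 13/07/2009] [01:39 14/07/2009] C235A51CB740E45FFA0EBFB9BAFCDA64
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe --a---- 2870272 bytes [01:49 05/03/2010] [06:34 31/10/2009] 9AAAEC8DAC27AA17B053E6352AD233AE
C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe --a---- 2870272 bytes [01:49 05/03/2010] [06:38 31/10/2009] B8EC4BD49CE8F6FC457721BFC210B67F
C:\Windows\winsxs\wow64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_b819b343c7ba6202\explorer.exe --a---- 2614272 bytes [01:49 05/03/2010] [05:45 31/10/2009] 2626FC9755BE22F805D3CFA0CE3EE727
-= EOF =-
"""


def parse_systemlook(text):
    """Return one dict (path, attrs, size, created, modified, md5) per result
    line; header, 'Searching for' and EOF lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        entries.append(e)
    return entries


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_sxs(path):
    return "\\winsxs\\" in path.lower()


def classify(entries):
    """Map each live (non-WinSxS) file to a verdict (labels are this example's own):
       matches_sxs - MD5 equals some WinSxS copy with the same file name
       patched     - same size and timestamps as a WinSxS copy, different MD5
       unmatched   - no WinSxS copy agrees on size and timestamps (e.g. a newer
                     version, or nothing to compare against)"""
    sxs = defaultdict(list)
    for e in entries:
        if _in_sxs(e["path"]):
            sxs[_basename(e["path"])].append(e)
    verdict = {}
    for e in entries:
        if _in_sxs(e["path"]):
            continue
        refs = sxs.get(_basename(e["path"]), [])
        if any(r["md5"] == e["md5"] for r in refs):
            verdict[e["path"]] = "matches_sxs"
        elif any(r["size"] == e["size"] and r["created"] == e["created"]
                 and r["modified"] == e["modified"] for r in refs):
            # Same bytes count and same timestamps as a known-good copy, yet a
            # different hash: the file was rewritten in place.
            verdict[e["path"]] = "patched"
        else:
            verdict[e["path"]] = "unmatched"
    return verdict


def md5_hex(path):
    """MD5 of a file on disk as upper-case hex, so a replacement copy taken from
    a clean machine can be compared with the WinSxS hash before it is copied in."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    for path, status in classify(parse_systemlook(SAMPLE_LOG)).items():
        print(f"{status:12s} {path}")
```

On the sample, C:\Windows\explorer.exe comes out as patched: it has the same size and the same creation and modification times as the 6.1.7600.16450 copy in WinSxS, yet a different MD5, while the SysWOW64 copy matches its WinSxS twin byte for byte. Two caveats. SystemLook ran as a 32-bit process here (the WOW64 warning at the top of the log), so its C:\Windows\System32 lines are the file-system-redirected view of SysWOW64, which is why those two entries are identical; on a 64-bit system use SystemLook_x64. And a WinSxS match is only as trustworthy as the component store itself: the authoritative check is the file's Authenticode signature (Sysinternals sigcheck will verify it), and the clean copy taken from the other computer should be hashed with md5_hex and compared with the WinSxS value before it is dropped into place.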

#75 Skitz69

Posted 12 January 2011 - 06:28 AM

Hey,

I followed your steps and the infected laptop seems to be running fine. It hasn't had any issues with explorer.exe needing restarting although I have only been on it for a few minutes. Again sorry for the delayed response.

I think the laptop is fixed but I'm not sure if now my main computer is infected. When I log in to windows after a restart I get User Account Control popping up saying an unknown publisher wants to make changes to the computer. The program name is newdev.exe
The program location is C:\Windows\System32\newdev.exe followed by different letters and PNP_device_install_pipe
I click No to make changes, but it still comes up every time I restart the computer.

Edited by Skitz69, 12 January 2011 - 10:33 AM.




