Please Help...Windows Explorer Infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by uesat, Jun 27, 2007.

  1. uesat

    uesat Private E-2

    I have been trying to clean my computer from a virus. At the beginning I had several pop-ups that wouldn't stop popping up when I had my browser (Firefox) open. I also had random loud music playing on my computer regardless of whether my browser was open or not. The music would only stop playing when I went to my Task Manager and closed the explorer process. I've run several anti-virus/anti-malware/anti-spyware programs and have gotten rid of the pop-ups and the music. But the virus is still in my system, because I can tell that my Explorer is hijacked due to the fact that I can see that all of my desktop icons are highlighted in an odd way. They weren't highlighted like that before the virus.

    I've run CCleaner, CounterSpy, AVG Anti-Spyware 7.5, AVG Anti-Rootkit, Ad-Aware 2007, and Antivirus Personal Edition, all under Safe and Normal Mode. I've gone through the READ & RUN ME FIRST page and followed all the instructions given step by step, including the 2 online scans and the HijackThis instructions. I don't know what else to do. Could someone point me in the right direction? Thank you. Any help is greatly appreciated. I'm attaching all log files.
     


  2. uesat

    uesat Private E-2

    Here are the rest of the log files.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You have HijackThis installed in the below folder which is exactly where we specify not to install it.
    C:\Documents and Settings\Luis\Desktop\Documents\Hijack This\analyzeit.exe

    Please install it properly so that it looks like this:
    C:\Program Files\Hijack This\analyzeit.exe

    Is there a reason you did not attach a log from either CounterSpy or AVG AntiSpyware as requested?

    Also you must put your system into Normal Startup mode as requested in a couple of places in the READ ME. You are using MSconfig to control Startups and services. Please run MSconfig and select Normal Startup now.

    Also you did not install and run GetRunKey and ShowNew as instructed on the download pages for them. Please follow those directions and attach new logs. The logs you attached are incomplete.

    Then also attach a new log from HijackThis.
     
  4. uesat

    uesat Private E-2

    Thanks for replying. I manually went to msconfig, selected Normal Startup and rebooted my computer. I moved HijackThis to the folder specified and ran it again. I've rerun GetRunKey and ShowNew, but I get an error that says it cannot find the file ltime.exe, even though I can see that file in the same directory as both of these programs. The programs still run and create log files. I'm attaching all 3 log files.

    I did not attach a log from either CounterSpy or AVG Anti-Spyware because I ran both of these during Safe Mode and they showed no infections. I can run these again and post the logs if needed. I've run all programs several times over the last week in Normal and Safe Mode to attempt to clean my computer, and the logs I attached previously were the final runs.

    Thank you for your help.
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That still normally means that you did not EXTRACT the files from the ZIP file. Many people confuse opening up the ZIP file with either the Windows Explorer shell (or another ZIP extraction program) with looking at the true folder where the files should be extracted to. Delete the GetRunKey.zip and ShowNew.zip files. Now run the GetRunKey.bat and then ShowNew.bat files. If you cannot find the .bat files, that means you were previously running from the ZIP file.

    If you still have problems, tell me the exact full path of the folder where you have downloaded the ZIP files to, and also the folder where you have extracted them to. If you want to make things easier, I recommend that you download and extract both ZIP files into the C:\MGtools folder. It will make our next steps easier if you still have problems.

    I cannot continue until I get these logs.


    Not necessary! I just needed to know the results. Your other logs are not showing much either. This is another reason why we need the logs from GetRunKey and ShowNew.
     
  6. uesat

    uesat Private E-2

    I don't have a problem running the .bat files. The .bat files run fine. When I run either file I get an error that says "c:\MGTools\ltime.exe - The parameter is incorrect". I don't get any more errors after that, and they both create a log file. When I run ltime.exe by itself I get an error that says "c:\MGTools\ltime.exe is not a valid Win32 application". I also get the same error when I run locate.com by itself. I downloaded and extracted both ZIP files to a c:\MGTools directory. Both ZIP files contain 3 files with the same name, so I told it to overwrite. Whether I overwrite the files or run each application separately in its own folder, I get the same error. I am attaching the new logs. I wrote one sentence at the top of the runkeys.txt log because for some reason the Manage Attachments window would not let me attach the file. Thanks again for everything. I appreciate it.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because the file was exactly the same as last time. You don't need to keep attaching logs. Only attach new ones if/when they run properly. You will know because you will not see those error messages.

    Are you running a 32-bit version or a 64-bit version of Windows?

    If you click Start, Run, enter regedit and click OK, what happens?
     
  8. uesat

    uesat Private E-2

    I think I'm running 32-bit Windows, but I'm not sure. When I type "regedit" or "regedt32" I get the Registry Editor. Typing "regedt64" says the file does not exist. I have Windows XP Home Edition, version 5.1.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, Run, enter cmd and click OK. In the command prompt window that opens, enter the below command:

    dir c:\MGTools > c:\filelist.txt

    Now attach the c:\filelist.txt file here.

    Do you have any problems running any other programs on this PC? Do you ever see the same error message (not a valid Win32 application) when running anything else?
     
  10. uesat

    uesat Private E-2

    I don't remember ever seeing this error before. I don't have problems with running any other programs. When I ran the ShowNew and GetRunKey files, I used to get the "16 bit MS-DOS subsystem" error. I then followed the instructions from here: http://support.microsoft.com/default.aspx?scid=KB;EN-US;q254914. That gave me the Win32 application error.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, I'm not sure exactly what the problem is then, since we run this on literally hundreds of PCs each week without problems like this. It seems to indicate a problem or conflict within your system.

    You really don't have any malware anyway, as I was implying earlier, but here are some things you need to do.

    Go to Add/Remove Programs and uninstall the below. You don't have any Symantec software installed, so you don't need the first item. And we are finished with the CounterSpy trial now too.
    LiveUpdate 2.0 (Symantec Corporation)
    Sunbelt CounterSpy

    Now copy the bold text below to Notepad. Save it as fixME.reg to your Desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double-click it and allow it to merge with the registry.

    Now locate the below files if found (you probably will not find any of these):
    C:\Documents and Settings\Luis\Local Settings\Temp\nsj42.tmp
    C:\WINDOWS\SYSTEM32\yteusssr.exe
    C:\WINDOWS\SYSTEM32\G4\mwspasrt83122.exe

    Now attach a new log from GetRunKey, even though it does not run exactly as desired.
     
  12. uesat

    uesat Private E-2

    I added the information to the registry. Here is the new GetRunKey log file. I still get the same error though. Also, I did not find any of the files you listed in my computer.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good! It fixed what I wanted it to fix.


    Yes, I know. I said it would not work as desired, but it did allow me to see the particular items related to the registry patch.


    This was also expected. None of the logs that you have posted have indicated any remaining problems related to malware. If you really think explorer.exe is infected, you can try scanning it at the below website to see if it picks up anything.

    http://virusscan.jotti.org/

    You may have to wait awhile in the scan queue as this site can be really busy.

    Also, as an additional test, let's do a check for rootkits. Run the below.

    Now please download F-Secure's BlackLight Beta:
    • Download fsbl.exe and save it to the Desktop.
    • Once saved, double-click fsbl.exe to install the program.
    • Click Accept Agreement and click Scan.
    • This application may trigger a warning from your antivirus. Let the driver load. Wait for it to finish.
    • If it displays any items, don't do anything with them yet. Just hit Exit (Close).
    • It will drop a log on the Desktop that starts with fsbl followed by a big number.
    Please attach the BlackLight log.

     
  14. uesat

    uesat Private E-2

    I scanned explorer.exe and it came out clean. I scanned my computer with BlackLight Beta and it came out clean. I'm attaching the log file. The reason I think my computer is still infected is because all the desktop icons are highlighted in blue. No matter what background I use, they're still highlighted. And they weren't like that before the virus. Maybe I did something to the video card when trying to clean my computer. I really don't know. Nevertheless, thanks for all your help. I really appreciate the time you've taken in helping me.
     


  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This just sounds like a registry setting has been changed.

    • Right-click My Computer, select Properties and then the Advanced tab.
    • Under the Performance area, click Settings.
    • In the Performance Options dialog box, make sure the second-to-last option, which is called Use drop shadows for icon labels on the desktop, has a check mark on it. Then click Apply.
    • This should remove the blue highlighted icons effect, which makes them all look like they are selected.
    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.zip and GetRunKey.zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  16. uesat

    uesat Private E-2

    That didn't fix the highlighted problem. The icons are still highlighted. Thanks for all your help. I'll play around with my computer and see if I can fix it.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Was it checked or unchecked when you first looked?


    Also you should try the below.

    • Right-click on your Desktop and select Properties.
    • Then click the Desktop tab and then the Customize Desktop button.
    • In the next window that comes up, click the Web tab.
    • Make sure at the bottom that Lock desktop items is unchecked.
    • Then in the Web pages: box, delete all items but My Current Home Page and make sure it is unchecked too.
    • Then click OK, Apply, OK.
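The two GUI procedures above (the drop-shadow option in post 15 and the Active Desktop "Web pages" list in post 17) both boil down to per-user registry state, and a practitioner triaging a machine like this would rather read that state directly than click through dialogs. The following PowerShell is an added example, not code from the thread or from MajorGeeks; it assumes the standard Windows XP locations for these settings (the Explorer\Advanced key's ListviewShadow value and one subkey per Active Desktop item under Internet Explorer\Desktop\Components) and that it is run as the affected user. The value names shown for each component are whatever that subkey actually holds, so nothing about the item's contents is assumed.

```powershell
# Added example (not from the thread). Read-only: it reports the settings the
# two GUI procedures toggle and does not change anything.
# Assumption: standard XP registry locations, run in the affected user's session.

$advKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$compKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'

# Performance Options > "Use drop shadows for icon labels on the desktop".
# A value of 1 means the option is checked (labels transparent, no blue block).
$adv = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue
if ($adv -and ($adv.PSObject.Properties.Name -contains 'ListviewShadow')) {
    Write-Output ("ListviewShadow = {0}" -f $adv.ListviewShadow)
} else {
    Write-Output "ListviewShadow not set (Explorer default applies)"
}

# Active Desktop items: each entry in the "Web pages:" list is one numbered
# subkey. A stray item here is what produced the highlighted icons in this
# thread, so list every subkey and every value it carries (e.g. Source).
$items = Get-ChildItem -Path $compKey -ErrorAction SilentlyContinue
if (-not $items) {
    Write-Output "No Active Desktop components under $compKey"
} else {
    foreach ($item in $items) {
        Write-Output ("--- component subkey: {0}" -f $item.PSChildName)
        $props = Get-ItemProperty -Path $item.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider bookkeeping fields PowerShell adds to every item.
            if ($p.Name -like 'PS*') { continue }
            Write-Output ("    {0} = {1}" -f $p.Name, $p.Value)
        }
    }
}
```

Run it before and after the Customize Desktop steps: a component subkey that disappears after you delete the item in the Web tab is the one that was drawing over the desktop. Because the script only reads, it is safe to run on a machine you are still triaging; anything it reports as a web item you did not add yourself is worth recording before removal.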
     
  18. uesat

    uesat Private E-2

    It was checked

    Also you should try the below.

    Wow! Thanks that fixed it. :) There was an item that was checked in that tab. I deleted it and it worked.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great! Now make sure you have completed those final steps I gave you.
     
  20. uesat

    uesat Private E-2

    Just did. I even went and installed 68 security updates for Windows that I had previously disabled.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great! Surf safely!
     
