Spyware embedded in/utilising explorer.exe?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by chameleon_789, Dec 21, 2004.

  1. chameleon_789

    chameleon_789 Private E-2

    I have a very (I think) unusual spyware problem; this is the only Windows problem I've had where the answer hasn't been on Google!

    I'm running:
    Win XP SP1 (I refuse to upgrade to 2!!!)
    AdAware SE
    Avast Antivirus
    Spybot S&D
    Sygate Personal Firewall
    Firefox

    I'm not sure exactly when it started, but recently SPF has been asking me if I want to let explorer.exe connect to money.cafreedom.com (strangely, it mostly happens when I close an explorer window). Doing a search on cafreedom.com made it obvious it was a site some spyware connects to, but even then I didn't find one mention of explorer.exe connecting to the site, only other executables. Nothing comes up when I use anti-spyware, and when I scanned with Hijack This all I found was an ancient registry entry for some other spyware I had removed manually.

    Is it possible somehow that explorer.exe could have been replaced with a different version, or that another well hidden program is manipulating it (I had no application hijacking warnings)? Anyone have the same thing or know how to get rid of it?
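    The two possibilities raised above (a replaced explorer.exe, or a hidden component loaded into the real one) can both be checked directly. The following is an added example, not something posted in this thread; it assumes a Windows host with PowerShell 4 or later, so it would not run on the original XP SP1 machine as shipped.

```powershell
# Added defensive check (not from the thread). Assumes PowerShell 4+ on Windows.
$sysRoot      = $env:SystemRoot
$explorerPath = Join-Path $sysRoot 'explorer.exe'

# 1. Is the on-disk explorer.exe still signed by Microsoft? A replaced binary
#    normally fails Authenticode verification.
$sig = Get-AuthenticodeSignature -FilePath $explorerPath
"explorer.exe signature : $($sig.Status) ($($sig.SignerCertificate.Subject))"
"explorer.exe SHA256    : $((Get-FileHash -Path $explorerPath -Algorithm SHA256).Hash)"

# 2. Is every running 'explorer' process really the copy in %SystemRoot%?
foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    if ($p.Path -and ($p.Path -ne $explorerPath)) {
        "WARNING: explorer PID $($p.Id) is running from $($p.Path)"
    }
}

# 3. Which DLLs loaded into explorer.exe live outside %SystemRoot%?
#    Shell extensions and BHOs load here legitimately (often from Program Files),
#    so this is a review list: an unsigned module in a temp or user folder is
#    the thing to look at, and the likely origin of outbound connections
#    attributed to explorer.exe by a host firewall.
$outside = Get-Process -Name explorer -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Modules } |
    Where-Object { $_.FileName -notlike "$sysRoot\*" } |
    Select-Object -Unique ModuleName, FileName

"{0,-28} {1,-14} {2}" -f 'Module', 'Signature', 'Path'
foreach ($m in $outside) {
    $msig = Get-AuthenticodeSignature -FilePath $m.FileName
    "{0,-28} {1,-14} {2}" -f $m.ModuleName, $msig.Status, $m.FileName
}
```

    Run it from an elevated 64-bit PowerShell so the module list of the 64-bit explorer.exe is readable; modules that appear only while an Explorer window is being closed are exactly the shell-extension case the firewall prompt hints at.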
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm probably going to need to see a HijackThis log but first follow our standard cleanup prerequisites.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail client. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
