[death_hand]

Another one:

File: qkcrxvibs.exe
Path: C:\WINDOWS
Infection: Spyware.BetterInternet

[Advertisements]

Here is the log from RKFiles:

C:\Program Files\AntiVirus\RKFiles\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\protector_update.exe: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\svcproc.exe: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

[death_hand]

Here is the log from RKFiles:

C:\Program Files\AntiVirus\RKFiles\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
C:\WINDOWS\protector_update.exe: PEC2

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\svcproc.exe: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

[Metallica]

These files should be deleted:

C:\WINDOWS\protector_update.exe
C:\WINDOWS\svcproc.exe

Use the Killbox if necessary.

Then do me a favor and get this hosts file:
http://www.mvps.org/...p2002/hosts.htm

Am I correct in assuming that Ewido was able to get rid of the other two?

Regards,

[death_hand]

Right, I've reoved the two files using Killbox and have got the new hosts file and put that in the right folder.

As for Ewido it brings up the warning window and I tell it to clean what it has found, but the sae warning pops up at a later point in time, so it seems as if the file is deleted for a while and then re-downloaded - and Ewido picks it up again.

[death_hand]

Just had this from Symantec AV

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan.Admincash.B
File: C:\WINDOWS\explorer.exe
Location: C:\WINDOWS
Computer: GEO
User: George
Action taken: Clean failed : Quarantine failed : Access denied
Date found: 28 April 2005 14:01:35

[Metallica]

so it seems as if the file is deleted for a while and then re-downloaded - and Ewido picks it up again.

My theory exactly. So let's hope the hosts file blocks any traffic with their sites.

Regards,

[Metallica]

Threat: Trojan.Admincash.B
File:  C:\WINDOWS\explorer.exe

That makes sense:
http://www.symantec....dmincash.b.html

Follow the removal instructions there.

Regards,

[death_hand]

I'm in process of running the steps from the link, I get the warning from my AV everytime I do something like open a folder or click on a link. I couldn't undrstand why but now I understand that explorer.exe is used to carry out these actions and when it does, Symantec notices that the file is infected

[Metallica]

That's correct. The windows file responsible for opening folders etc. is explorer.exe
Since that file was replaced by the trojan, it gets activated every time.

This ought to stop once you have replaced it.

You can use IE (or any other browser) to move through your folders by the way. Just type the path to the file in the browser window.

Regards,

[death_hand]

This ought to stop once you have replaced it.

I'm still getting the warning from my AV software telling me it has found explorer.exe even after I had replaced it.

I'm not so sure that that the explorer.exe was replaced using the steps from the Symantec website and I don't want to delete it if it hasn't been replaced.

I followed the steps it said to, I typed sfc /scannow into the coomand prompt and it asked me to put in my XP disc. I did that and it began checking the files against the ones on the XP disc.

But, when the status bar reached the end of the scale, it finished and just went without any promps saying if anything had been replaced and/or was corrupt.

Also, when I did a full scan with Symantec, it didn't delete the infected explorer.exe file it said 'action taken: None'

Sorry if I'm being stupid - I just don't want to kill my PC

Edited by death_hand, 28 April 2005 - 09:13 AM.

[Metallica]

You're not being stupid. Give me a minute to work something out.

Regards,

Pieter

[Metallica]

You will have to copy the files over to the relevant locations in the command-prompt.

Best print this out.

See if you have this file: C:\i386\explorer.exe and compare it's properties with the infected one. If you can tell they are different use this one to copy to the C:\ directory, if not copy C:\Program Files\Internet Explorer\iexplore.exe to C:\WINDOWS\
Rename the file you are going to use to Explorer.new

Now open TaskManager by hitting Ctrl-Alt-Del
Open the command prompt f.e. by Start > Run > cmd
Divide to the two over your screen so you can work in both.
In taskmanager select all the explorer.exe processes and terminate them one by one.

At the first prompt type cd\
At the C:\> prompt type...
ren C:\WINDOWS\explorer.exe explorer.old press Enter.

Now at the C:\> prompt type....
ren C:\windows\explorer.new explorer.exe press Enter.

Now in Taskmanager on the Applications tab click "New Task"
and type C:\WINDOWS\explorer.exe

Now delete:
C:\WINDOWS\SYSTEM32\DLLCACHE\explorer.exe

Now run sfc /scannow again

Let me know,

[death_hand]

Hi Pieter,

Thanks for the fast reply. Is it possible for you to do some more detailed instructions for the above steps. Everyone else on here probably understands them perfectly and I sort of get what I need to do, I just don't want to get it wrong.

Instead of modyfying the IEXPLORE.exe file could I copy the Explorer.exe file from my housemates PC? He has XP Home SP2, the same as me.

Thanks,

Geo

[Metallica]

Hi Geo,

Sure, any explorer.exe you are sure to be clean can be used.

Running sfc /scannow after removing the infected one will alert you anyway if it is the wrong version.

Regards,

[death_hand]

OK that makes life a bit easier then.

A few questions, where is the explorer.exe file located
And where do I put the uninfected one
Also how will I go about deleting the infected one, a simple file delete??
How can windows run if I terminate explorer.exe and delete the infected version and before it is replaced with the new one??

Sorry again for my poor computer knowledge