[Solved] explorer.exe infected !

apollyon · Sep 21, 2005

tried out every antivirus - kaspersky, nod32, symantec...not detected by anyone...but its definitely infected....using bitdefender av+firewall
if i do not use a firewall, my upload goes up to 30-40 kBps, it seems that explorer.exe is sending mail to random addresses..plzzz help

bosky101 · Sep 21, 2005

possible virus 1

W32.Netsky.D@mm is a mass-mailing worm that is a variant of W32.Netsky.C@mm. The worm scans drives C through Z for email addresses and sends itself to those that are found.

Deletes the values:

* Taskmon

* Explorer

* Windows Services Host

* KasperskyAV

source

possible virus 2

W32/MyDoom-AQ , Sends itself to email addresses found on the infected computer

possible virus 3

shell = explorer.exe load.exe â€“dontrunold

while it should be

shell = explorer.exe .

if found like so ,check out for the "W32.Nimda.A@mm" Worm .

4. I-Worm.Win32.Bagle.E , Changes registry, Sends email, Opens the specific port, Process shuts down . Note: GODO.EXE is integrated to Explorer.exe process for execution. more herehttp://www.hauri.net/virus/virusinfo_read.php?code=IWW3000481&start=&

5.W32/Lovelorn@mm , The worm tries to retreive the icon of Windows "explorer.exe" and if successful updates the worms "explorer.exe" with that same icon, the same applies for the copy of kernel32.exe which the worm tries to update with the icon of rundll32.exe. more herehttp://www.f-prot.com/virusinfo/descriptions/lovelorn.html

I suggest doing an online virus scan .check out this thread for more info on resources for defending virus.

KingKrool · Sep 22, 2005

Are u sure it is not spyware?

apollyon · Sep 22, 2005

naaa...ran webroot spysweeper, ewido, adaware....nada

XTerminator · Sep 22, 2005

apollyon said:
tried out every antivirus - kaspersky, nod32, symantec...not detected by anyone...but its definitely infected....using bitdefender av+firewall
if i do not use a firewall, my upload goes up to 30-40 kBps, it seems that explorer.exe is sending mail to random addresses..plzzz help

this may not produce any results but is worth the try.....have u executed Hijack this?
if not do so and remove any suspicious entry, or post the logs here....ppl here will help.

cowax · Sep 22, 2005

i had the same prob...i think u have the blaster worm...

bosky101 · Sep 22, 2005

Defnintely a virus ...infact some virue's have the knack of being detected only second time around or so.

apollyon · Sep 23, 2005

did everything! hijackthis revealed nothing suspicious....am stumped...

digen · Sep 23, 2005

Firstly I hope you are denying "explorer.exe" internet access by blocking it at the application layer through a software firewall.

As for the infection can you provide a few more details to us like which port its trying to communicate to? what domain or IP address?

For the above you could use a combination of tools such as Process Explorer & TCPView from sysinternals.com[They are FREE !]

Another thing that I wont rule out is a rootkit or some sort of a trojan binding itself to explorer.exe.It might help if you could have Rootkit Revealer installed there[another freeware from sysinternals].

apollyon · Sep 23, 2005

yeah i am using the bd firewall to deny access for explorer.exe
here is the tcpview log, i cant make anything out, have mailed u

apollyon · Sep 29, 2005

yay!! virus found n cleaned...win32/spabot.r trojan...was found when av database was updated on 26th sep....nod32