"explorer.exe" Virus

On 02-24-08, I removed an "explorer.exe" parasite / virus from a machine protected with both Symantec and AVR - again proving that these programs provide only a false sense of security.

Actually, I am not sure how many parasites I removed ... it is possible that the information presented below applies to several ... all allowed on a "protected" system.

Symptoms | Debug | Whois Data | setupapi.log | Registry | Other Bad Files | References


The infected system was running Windows XP and Symantec antivirus.

The previous week, the system would not let you type a url in the IE address field ... while typing, a different window would move to the top and what ever you had typed would be gone when you returned. I tried the standard System Restore, but that failed. That's right, after the reboot it said that the restore failed.

I wanted to fix the system, but was told that it was against policy to load software (I use ProcessExplorer, RegMon, and AgentRansack) and that the local IT department would repair the system.

During the week, the IT people came, updated Symantec antivirus, and added AVR ... that appeared to have fixed the problem.

Today, I was asked to see why it was still broken. After a boot, the computer was working normally. However, after a google search, the system would automatically search for the same terms using one of several other search engines.

I know that Symantec was still running because every few minutes it would popup and say that it had found some new virus in System Volume Information - the area where the system restore points are stored.

There was no way to determine if Symantec was broken by the IT department or the virus, but either way, it produced errors when shutting down the system.


Using RegMon, these entries were seen every few seconds A google search found no hits for Ok, that was enough to identify the virus. (I tried with and without the curly braces.)

Using ProcessExplorer, I observed that 2 versions of explorer.exe were running

Every time cpccpmqian.asp is called, it returns another entry from a database. Apparently, the local program then fakes a click on an advertisement to generate revenue. Occasionally, a search page is displayed - presumably, these are due to errors in the database or because the URL is no longer available.

After opening (double clicking) a *.log file, I caught this running

I also found a couple of *.exe files that displayed a folder icon ... that's right, if you tried to "open" the folder, it would actually run the virus.

Whois Data

It is a bit weird that (646) is a New York city area code ... perhaps a cell phone. The address is student housing (Campus View Apartments) at Indiana University.

This person is associated with several advertising schemes. However, it appears that he is not the source of the virus, but actually a victim. Apparently, one purpose of the virus is to generate "click through" advertising revenue.

On the other hand, that means that he knows (is sending checks to) the virus writer.

carordriver.com resolves to which appears to be in China.


Microsoft keeps track of certain updates in These are examples of relevant entries wusetup.exe is a trojan installer that adds machines to a botnet. The criminals then use the botnet for anything they want ... basically, they have stolen your machine, your data, your internet access.

Based on many entries like these, this system has been infected repeatedly since 2005.

This page indicates that, as of 03-12-2006, most antivirus programs did not flag this problem.

Relevant Registry Entries

These registry keys are related to the problem. The numbers were added to show that this person tried to hide the actual extension by adding 62 spaces.

jyturtnhy.exe is one of the exe files that had a folder icon.

The following entry causes browsing/editing all text type files - txt log ini bat reg - to reinstall the virus.

This is how it should look (ie, how it looked after I fixed it)

These entries show how the virus gets even deeper into the system

The *.dbt extension was added by the virus ... the references suggest that this file is used to store keylogs and other stolen data.

However, using the key above, the following key (and the identical HKLM key above) will automatically reinstall the virus every time the system boots. This works because windows will automatically call the key above when the system tries to Open the *.dbt file.

Other Bad Files

These are additional files that are known to be viruses that had about the same date on them. I do not know for sure if they are all related ... but they appear to be.
C:\WINDOWS\Installer\{50ce3d24-5c4c-4ab2-80a0-02d3989c0225}\zip.dll  38 KB 02-12-08


On 02-25-08, I searched Google for

Well, this is why I thought it was necessary to write this page.


Author: Robert Clemenzi
URL: http:// mc-computing.com / Parasites / explorer_exe.html