Explorer.exe attempts to connect to virus.dload.ws


A virus has infected explorer.exe and cannot be detected nor replaced. I doubt that the actual explorer.exe is even running.

 

After installing a firewall to figure out what program was connecting to the IRC I found the explorer.exe is connecting to virus.dload.ws every 20 seconds.  This is occurring on 4 different machines that have Symantec Antivirus Corporate edition and 2007.

 

It dropped bob.exe and lovely.exe in a FAKE 

c:\RESTORE\S-1-51 XXXXXXXXXXXXXXXXXXXXX\lovely.exe

 

NAV did not and still does not detect this file as a threat although AVAST, TREND and others recognize it as win32:Agent-XKO or

WORM_HAMEQ.AO

 

Even after removing the files they return, usually within an hour.

 

Even with explorer.exe blocked from communicating over the internet.

 

Hi Normandy36

 

The folder "C:\RESTORE......................"   is Win XP's System Restore, you won't find the folder by browsing the hard drive normally, So because you can't see the folder doesn't mean it's fake.  So What do you mean by FAKE??

The System Restore feature backs up system files etc. so if the user accidentally deletes an important file, the file can be placed back by Windows or by the user who has found he/she has made a mistake.

On System Restore being made part of Windows, virus/malware creators found it a good way to keep the system infected by having the important virus files backed up in System Restore. So on system restart the files in question get placed back where they need to be.  I have seen this problem when repairing the odd PC now and then.

System Restore Generally can't have files removed by Security Software as a protective measure (this may have changed). This was another reason virus creators started using this feature.

 

The other reason it comes back or you get "Start-up" errors is there are still some entries in the registry.

 

To turn off System Restore

 

If you are running winxp.

1. Click Start,,,

2. Go to "My Computer". On the top left hand side of the window

3. Click "View system information" under "System Tasks". In the System Properties Window.

4. Click the "System Restore" Tab. There is a check box beside Turn off System Restore,,,

5. Place a check mark there and click apply,,

(this deletes all your previous system restore points, thus deleting the virus, trojan, worm, dialers etc)....

 

The registry entries,

 

Download "Hijackthis 2.02" from the likes of http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

and install.

On the Main menu you will see the option, " Do a System Scan and save to log file". Use this option.

 

Then copy the entries inside the "hijack.log" and you can PM (Personal Message) me the entries.  I will look down the Processes and entries in that file to attempt to find any (may be more than one) infections via registry entries. It will also usually tell me the name of the file associated and where it's located, and which entries to fix.

 

I am willing to do that.  :smileyhappy:

 

Then do a full Virus scan, once completely free of infection, turn back on "System Restore" and create a restore point.

 

Cheers 

 

Quads 

Hello Normandy36,

 

Did you see this issue with Norton AntiVirus 2007 (or any version of Norton AntiVirus), or is this just with Symantec AntiVirus Corporate?


Hi Normandy36

 

And oh you should have 1 legitimate "explorer.exe" running as a process.


cheers

 

Quads 

Yes NAV 2007 on this computer.... I have Corporate Edition on many others. 

 

It just does not recognize lovely.exe as a virus... btw looking at it with the dos edit command the last words in the file are Attacking and Attack Complete.

 

When starting the computer a box in the upper left corner quickly displays loading personal settings for

C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\lovely.exe

 

Today explorer.exe is trying to connect to :  dp.0days.in (207.126.115.245) and also virus.dload.ws (74.52.177.2)

 

on port 3211 and incrementing the local port to get around the firewall.
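The pattern the poster describes above (one process calling the same remote port every 20 seconds from an ever-increasing local port) is a timer-driven beacon, and it can be picked out of firewall logs automatically. The following script is an added example, not code from the thread; the log format and the sample lines are constructed, and the IPs are the two the poster listed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed personal-firewall log lines (format is assumed, not a real product's).
SAMPLE_LOG = """\
2008-03-10 09:00:00 ALLOW explorer.exe 192.168.1.5:1041 -> 74.52.177.2:3211
2008-03-10 09:00:20 BLOCK explorer.exe 192.168.1.5:1042 -> 74.52.177.2:3211
2008-03-10 09:00:40 BLOCK explorer.exe 192.168.1.5:1043 -> 207.126.115.245:3211
2008-03-10 09:01:00 BLOCK explorer.exe 192.168.1.5:1044 -> 74.52.177.2:3211
2008-03-10 09:00:05 ALLOW firefox.exe 192.168.1.5:1050 -> 10.0.0.7:80
2008-03-10 09:03:17 ALLOW firefox.exe 192.168.1.5:1051 -> 10.0.0.7:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<verdict>ALLOW|BLOCK) (?P<proc>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text):
    """Return (timestamp, process, local port, remote ip, remote port) per line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not connection records
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["proc"], int(m["sport"]), m["dst"], int(m["dport"])))
    return events

def find_beacons(events, min_count=3, max_jitter=2.0):
    """Group connections by (process, remote port) so a bot alternating between
    two C2 hosts is still one series; flag series whose gaps are nearly constant,
    which is a timer firing rather than a user clicking."""
    series = defaultdict(list)
    for ts, proc, sport, dst, dport in events:
        series[(proc, dport)].append((ts, sport, dst))
    hits = {}
    for key, conns in series.items():
        if len(conns) < min_count:
            continue
        conns.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            ports = [c[1] for c in conns]
            hits[key] = {
                "interval": sum(gaps) / len(gaps),
                "ports_increment": all(q > p for p, q in zip(ports, ports[1:])),
                "destinations": sorted({c[2] for c in conns}),
            }
    return hits
```

Blocking the process by name in the firewall does not stop the beacon attempts from being logged, so this kind of check still works on the BLOCK lines and shows whether the callback timer is still alive after a cleanup.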


Firstly, I would recommend submitting the file to the following site: Malware Submission Website

When you receive a submission number via email, please let us know that number so it can be thoroughly tracked.

 

Secondly, I would recommend updating your product and virus definitions to the latest versions (in that order). You may want to borrow a friend's computer to download them and put them on some media, then use that media on your system.

 

Thirdly, I would recommend that you follow the steps listed in the How To Troubleshoot a Suspected Malware Infection announcement.

 

I apologize if you have already tried these steps. Please let me know what the results were of trying these things. Thanks!

Hi

 

The names given, "win32:Agent-XKO or WORM_HAMEQ.AO", have other names from other antivirus products. It does seem that the file name like "lovely.exe" is indeed a random name.

 

http://virscan.org/report/34ff45c89b90e3df082736b656eb8977.html 

 

Quads

Additionally, here is the technical information and removal information from Symantec:

http://www.symantec.com/security_response/writeup.jsp?docid=2004-021914-2822-99&tabid=3 

Hi Normandy

 

Do you have anything like, Sys32.exe, explorer.exe and/or Iexplore.exe (IEXPLORE.EXE) in this folder "C:\WINDOWS\system"  ??

 

If so, it could be what is monitoring the Internet and using the IRC to steal your information, sending the information to a hacker site.

The Program also has the ability to update itself over the Internet, causing it to modify. 

 

Remember NOT the "explorer.exe"  that is located in the "C:\WINDOWS" folder. That is legitimate.  

 

Hope it's getting helpful.   

 

Cheers

 

Quads 

Yes it had Sys32.exe (not in c:\windows\system). It shows up after deleting lovely.sys on the next reboot, also along with bob.exe.

I did seem to block those files from being re-dropped by creating folders with those names and adding folders and hidden files under that.  Then I replaced my explorer.exe from cd.  I am still sure that I am infected with whatever it was that dropped those files in the first place.  I will have to try all suggestions.  Thanks for any help.

 

:smileyhappy:

 

K. G. Smith

 

Hi

 

Anything seen unusual in these registry branches,

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

 

If so, the strange entry would start with Windows loading.

 

Cheers

 

Quads 

Just another protective measure: place these entries inside your "hosts" file using Notepad.

127.0.0.1       virus.dload.ws
127.0.0.1       dp.0days.in

Exactly like written. You stated the sites in an earlier post.

Windows checks the HOSTS file BEFORE it looks to your ISP to find the site. Editing the HOSTS file prevents access to the outside sites by redirecting traffic back to your own computer. It can block applications (viruses, trojans, downloaders) from accessing specific sites, by redirecting any (would-be) outgoing communication back to your own computer, preventing it from accessing whatever material it was trying to get.

127.0.0.1 is the IP address of your PC usually.

Slowly piecing all the symptoms together plus the other names given by other virus scanners. It's acting so much like a Trojan IRCbot variant (variation),
 
explorer.exe, sys32.exe
Using an IRC channel
Connecting to, or trying connect to   "virus.dload.ws" and "dp.0days.in"
Quite possibly trying to connect to the sites to send personal info, plus upload updates to change itself. 
though maybe I'm Wrong.

I could not find any specific entries to do with this in your HijackThis.log, 
I did find those others.
Something else has come to my attention: that in this case maybe the
registry entries are hidden. All it takes is a couple.

Try Sysinternals' "Rootkit Revealer" and/or also WinPatrol. Panda and Sophos
also have a rootkit scanner you can download; see if anything strange shows up.
Quite possibly why nothing showed up in the HJT log.

Just a thought.
 
Cheers
 
Quads 
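The hosts-file sinkholing Quads suggests above is easy to get subtly wrong by hand (a mixed-case entry, a stale line pointing somewhere else, a duplicate). This added example, not code from the thread, parses a hosts file the way the resolver reads it (comments, several names per line, case-insensitive) and appends a 127.0.0.1 line only for domains not already sinkholed; the sample hosts content is constructed.

```python
import ipaddress

SINKHOLE = "127.0.0.1"

def parse_hosts(text):
    """Return {hostname (lowercase): ip} for every mapping in a hosts file.
    Blank lines and '#' comments are ignored; a later line overrides an earlier one."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # validates the address column
        except ValueError:
            continue  # malformed line, the resolver skips it too
        for name in parts[1:]:
            mapping[name.lower()] = ip
    return mapping

def unblocked(text, domains):
    """Domains from the list that do NOT currently resolve to the sinkhole."""
    mapping = parse_hosts(text)
    return [d for d in domains if mapping.get(d.lower()) != SINKHOLE]

def add_sinkholes(text, domains):
    """Append a sinkhole line for each domain still unblocked.
    Idempotent: a second run with the same list changes nothing."""
    missing = unblocked(text, domains)
    if not missing:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "".join(f"{SINKHOLE}\t{d}\n" for d in missing)

# Constructed hosts file: one of the two C2 names is already present in upper case.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       VIRUS.DLOAD.WS   # added earlier by hand
"""
C2_NAMES = ["virus.dload.ws", "dp.0days.in"]
```

Note the limit of this measure: the hosts file only affects name lookups, so a bot that connects straight to an address it already knows (as the logged 74.52.177.2 and 207.126.115.245 connections show) is not stopped by it, only by the firewall.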

You will probably be notified that this is not the right place for this post (corporate editions).  However, I will mention that from my experience of this type of virus (warning messages about an infection flash up on your screen and you are told to click here to deal with the virus -- except clicking here actually launches the virus) is that it takes over your AV program and keeps it from detecting the virus itself.  Best thing you can do would be to get the Norton Recovery Tool imaged onto a CD and boot to the CD.

 

However, again based on my experiences of last winter, once this kind of virus has taken hold, the damage is so bad that your desktop is pretty much wiped out.  If you don't want to reinstall everything, you might try what worked for a couple of computers I was working on:

a.  create a new user (who should have a clean desktop).

b.  make sure the software you need is all available.

c.  export/import whatever outlook settings you need to and any other settings that aren't corrupt.

d.  delete the other user name completely (choose the DO NOT SAVE FILES AND FOLDERS option).

e.  if you really want to preserve the user name, recreate it and transfer all settings from the newly created user name.

 

Please let us know if any of this is relevant or useful to you.