IE6 Reinstall

Discussion in 'Internet Explorer & Microsoft Edge' started by allawrence, 2004/06/11.

Thread Status:
Not open for further replies.
  1. 2004/06/11
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0
    Having had IEXPLORER.EXE (IE6) flagged as containing a virus, I would like to reinstall IE6 under Windows 2000...

    Can I just install a fresh copy over the existing installation or do I need to uninstall first?

    Thanks in advance...
     
  2. 2004/06/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi

    What says there's a virus in iexplore?
    Where is this iexplorer located?
    (There can be more than one.)
    What service packs do you have?
    Have you gotten second opinions by using an online scanner other than your AV program's online one?

    Regards

    If you'd like,
    post a HijackThis log so we can see what's up
    http://www.windowsbbs.com/showpost.php?p=159220&postcount=3
     

  4. 2004/06/11
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0
    Hi ...

    My local virus program as well as the online Trend Micro on...
    Located in c:\program files\internet explorer\
    (Hmmm, wasn't aware there could be more than one)
    Am current as far as service packs and updates!

    Al
     
  5. 2004/06/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    What is your antivirus program? :)
    And does it detect the same viri as the online one?
    And what exactly does it detect?

    There's usually a log; if you have one, post it from both scans.
     
  6. 2004/06/11
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0
    I use AVAST! which indicates:
    WIN32: Trojan-gen.{UPX!}

    Trend Micro:
    TROJ GEMA.A

    Don't have a log.. on another machine...
     
  7. 2004/06/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    I'm still wondering:
    are both unable to clean and/or delete what they find?

    Try this
    start run command
    choose repair, note for us any errors (if any)

    Now scan again with avast; any infections?
     
  8. 2004/06/11
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0
    Done...
    No errors displayed
    Ran the scan again and the infection remains..
     
  9. 2004/06/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  10. 2004/06/11
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0
    To add to the 'oddity'..

    Ran the scan and no viruses reported....

    What is a "hijackthis" log?
     
  11. 2004/06/11
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0

    OK, figured out that you were looking for me to run HIJACKTHIS...

    Here is the log....

    ----------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 10:34:08 AM, on 6/11/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    C:\WINNT\System32\cisvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\WINNT\system32\drivers\KodakCCS.exe
    C:\WINNT\System32\NPDORNT.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\ScsiAccess.EXE
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\ZONELABS\vsmon.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Raxco\PerfectDisk\PDSched.exe
    C:\WINNT\system32\Promon.exe
    C:\WINNT\system32\PspContr.Exe
    C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\npdor\npdor.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\WINNT\system32\Smtray.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Atomic Clock Sync\Atomic.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\TEMP\FreeRAM XP Pro 1.40.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    C:\Program Files\Kirby Alarm\kirbyalarm.exe
    C:\Program Files\Sony Handheld\HOTSYNC.EXE
    C:\WINNT\System32\cidaemon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Al Lawrence\Local Settings\Temporary Internet Files\Content.IE5\8TYB4P2Z\HijackThis[2].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.se1.attbb.net;;localhost;<local>
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Promon.exe] Promon.exe
    O4 - HKLM\..\Run: [PspContr] PspContr.Exe
    O4 - HKLM\..\Run: [PspUsbCf] PspUsbCf.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [Hti] C:\npdor\npdor.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Smapp] Smtray.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKLM\..\Run: [Imagemgt32] c:\winnt\system32\imagemgt32.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe "
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Atomic.exe] C:\Program Files\Atomic Clock Sync\Atomic.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe "
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [FreeRAM XP] "C:\TEMP\FreeRAM XP Pro 1.40.exe" -win
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe "
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Sony Handheld\HOTSYNC.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    O4 - Global Startup: Kirby Alarm.lnk = C:\Program Files\Kirby Alarm\kirbyalarm.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Fill Forms (HKLM)
    O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)
    O9 - Extra button: Save (HKLM)
    O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)
    O9 - Extra button: RoboForm (HKLM)
    O9 - Extra 'Tools' menuitem: RF Toolbar &2 (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2e529727a6ef04/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.7984259259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
     
  12. 2004/06/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  13. 2004/06/11
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Please make a new folder and place HijackThis there;
    C:\Documents and Settings\Anti Spyware will do :)
    Start HijackThis and fix this one item:
    O4 - HKLM\..\Run: [Imagemgt32] c:\winnt\system32\imagemgt32.exe

    This is not needed:
    O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
    If you fix it, check in the program's options and turn off auto updates (KODAK).

    Then restart the PC, find and delete the file
    c:\winnt\system32\imagemgt32.exe
    then look here for other files it may have dropped (be careful; if in doubt leave them alone)
    http://securityresponse.symantec.com/avcenter/venc/data/trojan.gema.html
     
  14. 2004/06/12
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0
    Sorry for not responding sooner, but for some reason I have stopped getting notification from this forum when someone replies...

    I have turned off the KODAK update thing...
     
    Last edited: 2004/06/12
  15. 2004/06/12
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0
    Ran HJT and FIXED:
    O4 - HKLM\..\Run: [Imagemgt32] c:\winnt\system32\imagemgt32.exe

    Turned off the Kodak Updater

    Did not find the imagemgt32.exe file so I guess it was deleted by HJT
     
  16. 2004/06/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    HijackThis won't delete O4's, so it must have been a leftover from a cleanup an antivirus program did.

    Is IE still reported as being infected? If so, you might ask at avast's forums?

    Regards
     
  17. 2004/06/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Scan with RAV. Check the box to autoclean. If anything is found and uncleanable, click report, then copy/paste the results here.
     
  18. 2004/06/12
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0
    Yes it still reports the infection....

    One question for you if I may...

    I noticed that the link you gave me to Symantec had a list of files that could have been infected as well... a problem I have been having lately along with the reported IE infection is the inability to load a CD thru my CD drive... noticing that there are programs referenced on the Symantec page that 'appear' to be related to CD/DVD drives, would you think it may be related to this virus? Just something that came to me a few minutes ago!
     
  19. 2004/06/12
    allawrence

    allawrence Inactive Thread Starter

    Joined:
    2003/07/02
    Messages:
    92
    Likes Received:
    0
    Checked the box to autoclean and scanned the c:\programs\internet explorer folder... here are the results...

    Scan started at 6/12/2004 5:01:00 PM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\Program Files\Internet Explorer\iexplorer.exe -
    TrojanDownloader:Win32/Crypter -> Infected
    Scanned
    ============================
    Objects: 119
    Directories: 11
    Archives: 0
    Size(Kb): 32442
    Infected files: 1
    Found
    ============================
    Viruses found: 1
    Suspicious files: 0
    Disinfected files: 0
    Mail files: 0
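
The RAV report above names `iexplorer.exe`, while the HijackThis log earlier in the thread lists the running browser as `IEXPLORE.EXE`, which is Internet Explorer's actual executable name. As an added example (not part of the original thread), this Python script flags executable names that are a near miss of a well-known Windows binary; the `KNOWN` list and the distance threshold are assumptions chosen for illustration.

```python
import re

# Assumption: a short allow-list of well-known Windows executable names.
KNOWN = ["iexplore", "explorer", "svchost", "lsass", "services",
         "winlogon", "smss", "spoolsv", "csrss"]

# Lines copied from the HijackThis log and the RAV report in this thread.
SAMPLE = r"""
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [Imagemgt32] c:\winnt\system32\imagemgt32.exe
C:\Program Files\Internet Explorer\iexplorer.exe -
""".splitlines()

# Captures the file name (without extension) of every .exe mentioned in a line.
EXE = re.compile(r'([^\\/:"\[\]]+)\.exe\b', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(lines, max_distance=1):
    """Map each near-miss executable name to the known names it resembles."""
    hits = {}
    for line in lines:
        for stem in EXE.findall(line):
            stem = stem.strip().lower()
            if stem in KNOWN:
                continue  # exact match: the genuine name, not a look-alike
            close = sorted(k + ".exe" for k in KNOWN
                           if edit_distance(stem, k) <= max_distance)
            if close:
                hits[stem + ".exe"] = close
    return hits


if __name__ == "__main__":
    for name, close in find_lookalikes(SAMPLE).items():
        print(f"{name}: resembles {', '.join(close)}")
```

A name match alone does not prove a file is malicious or clean; the path and a scan of the file still have to be checked.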
     
  20. 2004/06/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Search your drive for IE6setup.exe to verify that you have it. Install Move-on-Boot. You will have a new right click option to delete on next boot. Right click on iexplorer.exe and select it for deletion.
    Reboot.
    Empty the recycle bin.
    Paste the following command into the run dialog box and hit enter. Make sure to include the quotes. (You may want to copy and paste it to notepad now so it's available after reboot)

    rundll32 setupwbv.dll,IE6Maintenance "C:\Program Files\Internet Explorer\Setup\SETUP.EXE" /g "C:\WINDOWS\IE Uninstall Log.Txt"

    Reboot after it completes. Locate IE6Setup.exe and double click. Reboot if prompted. You will need to visit Windows Update.

    Scan again with RAV.
     
  21. 2004/06/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Before you proceed, search the system32 folder for this file: cpusave32.exe. If present, select it for deletion also.
     