
IEXPLORE.EXE trojan (?) - can somebody help?

Discussion in 'Malware and Virus Removal Archive' started by Blader5489, 2007/04/07.

  1. 2007/04/07
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    Hi,

    For the past couple days, my computer has suffered from more viruses and adware than it has in the four years I've had it. I have tried everything: I've called Dell and Comcast's tech support several times; I've tried running System Restore but to no avail; I've run Adaware literally ten times. Adaware seems to have helped a lot (it has already deleted hundreds of critical objects), but I still have this one problem that I can't figure out how to get rid of.

    Due to the recent problems my computer has had, I decided to switch browsers to Firefox. But even though I've stopped using Internet Explorer, the IEXPLORE.EXE process still runs in my task manager, and it's been causing several popups to appear. Even after I end the process, it reappears in a matter of seconds, and the only way I've been able to stop it from reappearing is by closing EXPLORE.EXE - which really isn't a practical solution.

    So I was wondering if anyone could help me figure out where the problem is and how to fix it. I ran HijackThis but I'm not sure about what to keep and what to get rid of, if anything. Thanks for anyone willing to help.

    Here's my HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:37:39 AM, on 4/7/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Len\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/2484/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/2484/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/2484/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {090B3EED-FE27-7B12-F7F3-0AFE44F5CF50} - C:\WINDOWS\System32\wzggsbk.dll
    O2 - BHO: 0 - {16F012E7-E47F-420B-32A3-720F88218CA8} - C:\Program Files\XEROX\qucamoxyr.dll
    O2 - BHO: (no name) - {1CEFB8A3-33AA-4E02-BEFD-6DA7170E8101} - \
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {25B1B367-6F71-4410-AAD1-45315F4B5AA1} - \
    O2 - BHO: (no name) - {3899D356-1483-4122-8CB7-24C829CB3690} - C:\Program Files\Windows NT\meqosaw.dll
    O2 - BHO: DeskalertsBHO - {5298B64F-C3F6-4e81-8A30-627CA3671C7C} - C:\Program Files\DeskAlerts\deskbar.dll
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\tmp84.tmp.dll (file missing)
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
    O2 - BHO: (no name) - {6f406b00-e2ab-4d8e-a071-6a2ca1bb3add} - C:\WINDOWS\system32\aRES.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\tuvvuu.dll ",realset
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [ziqw] C:\Program Files\Common Files\ziqw\ziqwm.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173542179468
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1004a_pack_XP.cab
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
    O20 - Winlogon Notify: aRES - C:\WINDOWS\SYSTEM32\aRES.dll
    O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
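The log above is the kind of thing the helpers in this thread read by hand. As an added example (not part of the original post and not HijackThis code), here is a small Python triage script that applies the same rules of thumb to lines in HJT 1.99.1 format: hijacked start pages pointing at a bare IP, unnamed BHOs living under the Windows directory, system-binary names running from the wrong folder, rundll32 Run entries loading a DLL from the Windows root, Winlogon Notify DLLs, and services with leet-style names or no owner. SAMPLE_LOG is a constructed subset modelled on the log above; the rules and thresholds are my assumptions, and the script only flags entries for review, it removes nothing.

```python
"""Triage a HijackThis 1.99.1 log for the indicators this thread turns on.

Added example for this page: not part of the original post and not
HijackThis code. It only flags lines for human review; it removes nothing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of lines in the same format as the log above.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/2484/sp.php",
    r"R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {090B3EED-FE27-7B12-F7F3-0AFE44F5CF50} - C:\WINDOWS\System32\wzggsbk.dll",
    r"O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll",
    r"O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\tmp84.tmp.dll (file missing)",
    r'O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\tuvvuu.dll ",realset',
    r"O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe",
    r"O4 - HKCU\..\Run: [ziqw] C:\Program Files\Common Files\ziqw\ziqwm.exe",  # the heuristics below miss this one
    r"O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll",
    r"O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)",
]

# A Windows path, stopped at a closing quote, a "(file missing)"/"(no file)" marker, or end of line.
WINDOWS_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?(?=\s*(?:"|\(file missing\)|\(no file\)|$))')
BARE_IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[/:]|$)")
LEET_WORD = re.compile(r"[A-Za-z]\d[A-Za-z]")  # 'Supp0rt': a digit standing in for a letter
# Core Windows binaries live in System32; the same file name elsewhere is a decoy.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


@dataclass(frozen=True)
class Finding:
    tag: str      # HJT section, e.g. "O2", "O23"
    reason: str
    line: str


def _split_path(path: str) -> tuple[str, str]:
    """Lower-cased (directory, basename) of a Windows path."""
    directory, _, basename = path.strip().lower().rpartition("\\")
    return directory, basename


def triage_line(line: str) -> list[Finding]:
    """Apply the rules of thumb to one HJT line; an empty list means 'nothing obvious'."""
    line = line.strip()
    tag = line.split(" - ", 1)[0]
    reasons: list[str] = []

    if "(file missing)" in line or "(no file)" in line:
        reasons.append("points at a file that is no longer present (dead entry or self-deleting dropper)")
    if tag in ("R0", "R1") and BARE_IP_URL.search(line):
        reasons.append("start/search page hijacked to a bare IP address")
    if tag == "O20":
        reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at logon; verify its publisher")
    if tag == "O23":
        service_name = line.split(" - ")[1].split(": ", 1)[-1]
        if "Unknown owner" in line:
            reasons.append("service has no recorded owner/publisher")
        if LEET_WORD.search(service_name):
            reasons.append("service name swaps a letter for a digit to mimic a legitimate name")

    for path in WINDOWS_PATH.findall(line):
        directory, basename = _split_path(path)
        if basename in SYSTEM_BINARIES and not directory.endswith("\\system32"):
            reasons.append(f"{basename} outside System32 (borrowed system-binary name)")
        if tag == "O4" and "rundll32.exe" in line.lower() and directory.endswith(":\\windows"):
            reasons.append("Run key uses rundll32 to load a DLL dropped directly in the Windows directory")
        if tag == "O2" and "(no name)" in line and ":\\windows" in directory and basename.endswith(".dll"):
            reasons.append("unnamed BHO whose DLL lives under the Windows directory instead of Program Files")
        if ".tmp." in basename:
            reasons.append("temp-style file name registered as a persistent component")

    return [Finding(tag, reason, line) for reason in reasons]


def triage(lines: list[str]) -> list[Finding]:
    """Run triage_line over a whole log, skipping blank lines."""
    return [f for line in lines if line.strip() for f in triage_line(line)]


def flagged_tags(lines: list[str]) -> list[str]:
    """Distinct HJT sections that produced at least one finding, in log order."""
    seen: list[str] = []
    for f in triage(lines):
        if f.tag not in seen:
            seen.append(f.tag)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.tag}] {f.reason}\n    {f.line}")
```

The ziqw Run entry is left in the sample on purpose: nothing about its path or name trips a rule, which is why a human still reads the whole log rather than trusting a script.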
     
  2. 2007/04/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    I would ask if that HJT log you presented was one made while in safe mode? If so, please create a new one in 'normal mode'. Also, please be sure you have no items in the 'ignore' list, as we need to see a complete list of everything that's running on your system, no matter how inconsequential you think it is.

    HJT also needs to be moved to its own folder.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It must not be installed on the desktop nor in any temp folders.

    You can do this by going to My Computer (Windows key+e), then double click on C:, then right click and select New, then Folder, and name it HJT. Move HijackThis.exe into this folder (C:\HJT\HijackThis.exe). When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of the modifications to use if a restore is necessary, which is easily accessible when it is properly installed.
     


  4. 2007/04/07
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    Okay, I ran it again in normal mode. I don't think I have anything in my ignore list - today was my first time running HJT so I know I haven't put anything on ignore (at least not to my knowledge). Here's my new log, though I think it looks kind of the same:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:11:20 PM, on 4/7/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\System32\wscript.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://69.50.191.52/2484/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://69.50.191.52/2484/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.191.52/2484/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://69.50.191.52/2484/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {090B3EED-FE27-7B12-F7F3-0AFE44F5CF50} - C:\WINDOWS\System32\wzggsbk.dll
    O2 - BHO: 0 - {16F012E7-E47F-420B-32A3-720F88218CA8} - C:\Program Files\XEROX\qucamoxyr.dll
    O2 - BHO: (no name) - {1CEFB8A3-33AA-4E02-BEFD-6DA7170E8101} - \
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {25B1B367-6F71-4410-AAD1-45315F4B5AA1} - \
    O2 - BHO: (no name) - {3899D356-1483-4122-8CB7-24C829CB3690} - C:\Program Files\Windows NT\meqosaw.dll
    O2 - BHO: DeskalertsBHO - {5298B64F-C3F6-4e81-8A30-627CA3671C7C} - C:\Program Files\DeskAlerts\deskbar.dll
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\tmp84.tmp.dll (file missing)
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
    O2 - BHO: (no name) - {6f406b00-e2ab-4d8e-a071-6a2ca1bb3add} - C:\WINDOWS\system32\aRES.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\tuvvuu.dll ",realset
    O4 - HKLM\..\Run: [svchost] C:\WINDOWS\svchost.exe
    O4 - HKCU\..\Run: [ziqw] C:\Program Files\Common Files\ziqw\ziqwm.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {421A63BA-4632-43E0-A942-3B4AB645BE51} - http://download-ak.systemsoap.com/ssoap/pptproactauthakamai/systemsoappro.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173542179468
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1004a_pack_XP.cab
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
    O20 - Winlogon Notify: aRES - C:\WINDOWS\SYSTEM32\aRES.dll
    O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
     
  5. 2007/04/07
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, thanks for running that in normal mode. We need to run a special tool now to get rid of one infection, and there will likely be more fixing after that as well.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
     
  6. 2007/04/07
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    I don't think it's working for me. Everything runs fine up to the step where Fix reboots the computer and then finishes up. The problem is that once the computer restarts, the window just says "Finishing..." and stays like that. It never actually finishes and prompts me to (as you said) close the script and save the record.

    Plus, it's incredibly difficult to run anything in normal mode because of the endless amount of popups that continue to appear (due to the IEXPLORE.exe process that reappears no matter how many times I close it in the task manager).
     
  7. 2007/04/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, did you by chance try looking to see if the report was saved into the SDFix folder? It's possible it's there and the other bad files are preventing the tool from displaying the notification that it's done.

    I'm going to look for this similar problem in some of the developers' notes.
     
  8. 2007/04/08
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    You were right, the report was still there.

    Here's the SDFix Report:


    SDFix: Version 1.77

    Run by Len - Sun 04/08/2007 - 12:24:04.65

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\DOCUME~1\Len\Desktop\SDFix

    Safe Mode:
    Checking Services:

    Name:
    EXAMPLE
    Microsoft IEUpdater22
    Runtime
    TCP and UDP Supp0rt
    EXAMPLE
    Runtime
    EXAMPLE
    Runtime
    EXAMPLE
    Runtime

    ImagePath:
    \??\C:\WINDOWS\System32\main.sys
    \??\C:\WINDOWS\System32\drivers\runtime.sys
    \??\C:\WINDOWS\System32\main.sys
    \??\C:\WINDOWS\System32\drivers\runtime.sys
    \??\C:\WINDOWS\System32\main.sys
    \??\C:\WINDOWS\System32\drivers\runtime.sys
    \??\C:\WINDOWS\System32\main.sys
    \??\C:\WINDOWS\System32\drivers\runtime.sys

    EXAMPLE - Deleted
    Runtime - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\2LGNI7E9\CA6ZEZY9.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\4TIJER4B\LW_1_~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\U783YBIP\AD_1_~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\U783YBIP\CAZIE937.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\U7EFYHCD\AL_1_~1.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\U7EFYHCD\INDEX_~2.HTM - Deleted
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM~1\LOCALS~1\TEMPOR~1\CONTENT.IE5\U7EFYHCD\TMP_46~3.HTM - Deleted
    C:\Documents and Settings\Len\Local Settings\Temp\2.dllb - Deleted
    C:\Documents and Settings\Len\Local Settings\Temp\5.dllb - Deleted
    C:\Documents and Settings\Len\Local Settings\Temp\6.dllb - Deleted
    C:\Documents and Settings\Len\Local Settings\Temp\7.dllb - Deleted
    C:\WINDOWS\SYSTEM32\mmn.exe.exe - Deleted
    C:\WINDOWS\SYSTEM32\pdp.exe.exe - Deleted
    C:\WINDOWS\SYSTEM32\zup.exe.exe - Deleted
    C:\WINDOWS\Temp\tmp6.tmp.exe - Deleted
    C:\WINDOWS\Temp\tmp6.tmp.exe - Deleted
    C:\WINDOWS\TEMP\tmp6.tmp.exe - Deleted
    C:\Documents and Settings\Len\ie_updater.exe - Deleted
    C:\WINDOWS\TEMP\abc123.pid - Deleted
    C:\as.txt - Deleted
    C:\WINDOWS\system32\dlh9jkd1q2.exe - Deleted
    C:\WINDOWS\system32\dlh9jkd1q5.exe - Deleted
    C:\WINDOWS\system32\dlh9jkd1q6.exe - Deleted
    C:\WINDOWS\system32\dlh9jkd1q7.exe - Deleted
    C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
    C:\WINDOWS\system32\main.sys - Deleted
    C:\WINDOWS\system32\max1d164v.exe - Deleted
    C:\WINDOWS\system32\qvxga6met3.exe - Deleted
    C:\WINDOWS\system32\qvxga7met4.exe - Deleted
    C:\WINDOWS\system32\regscan.exe - Deleted
    C:\WINDOWS\system32\rpcc.exe - Deleted
    C:\WINDOWS\system32\unsvchosts.exe - Deleted
    C:\WINDOWS\system32\vexga1me4t1.exe - Deleted
    C:\WINDOWS\system32\vexga3me2.exe - Deleted
    C:\WINDOWS\system32\vexga5me3.exe - Deleted
    C:\WINDOWS\system32\win32.exe - Deleted
    C:\WINDOWS\system32\wincom32.ini - Deleted
    C:\WINDOWS\system32\wincom32.sys - Deleted
    C:\WINDOWS\system32\wsys.dll - Deleted
    C:\WINDOWS\Uninst2.htm - Deleted
    C:\WINDOWS\Unist1.htm - Deleted
    C:\WINDOWS\xpupdate.exe - Deleted
    C:\as.txt - Deleted
    C:\WINDOWS\system32\main.sys - Deleted
    C:\as.txt - Deleted
    C:\WINDOWS\system32\main.sys - Deleted
    C:\WINDOWS\TEMP\abc123.pid - Deleted
    C:\as.txt - Deleted



    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------


    Rootkit PE386 Active, Use a Rootkit scanner !

    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\DOCUME~1\\Len\\LOCALS~1\\Temp\\bl4ck.com "= "C:\\DOCUME~1\\Len\\LOCALS~1\\Temp\\bl4ck.com:*:ENABLED:0 "
    "C:\\WINDOWS\\System32\\vexga3me2.exe "= "C:\\WINDOWS\\System32\\vexga3me2.exe:*:Enabled:taskmgr32 "
    "%windir%\\system32\\tcpip.exe "= "%windir%\\system32\\tcpip.exe:*:Enabled:TCP and UDP Support "
    "C:\\DOCUME~1\\Len\\LOCALS~1\\Temp\\D12.tmp.exe "= "C:\\DOCUME~1\\Len\\LOCALS~1\\Temp\\D12.tmp.exe:*:Enabled:qwertybot "
    "C:\\DOCUME~1\\Len\\LOCALS~1\\Temp\\D15.tmp.exe "= "C:\\DOCUME~1\\Len\\LOCALS~1\\Temp\\D15.tmp.exe:*:Enabled:qwertybot "
    "C:\\WINDOWS\\System32\\qwertybot.exe "= "C:\\WINDOWS\\System32\\qwertybot.exe:*:Enabled:qwertybot "


    Remaining Files:
    ---------------

    Backups Folder: - C:\DOCUME~1\Len\Desktop\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
    C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
    C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
    C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp
    C:\Documents and Settings\Andy\My Documents\~WRL1675.tmp
    C:\Documents and Settings\Andy\My Documents\Pirate's Eye\~WRL0930.tmp
    C:\Documents and Settings\Andy\My Documents\Pirate's Eye\~WRL0935.tmp
    C:\Documents and Settings\Andy\My Documents\Pirate's Eye\~WRL0945.tmp
    C:\Documents and Settings\Andy\My Documents\Pirate's Eye\~WRL1547.tmp
    C:\Documents and Settings\Andy\My Documents\Pirate's Eye\~WRL3654.tmp
    C:\Documents and Settings\Andy\My Documents\School\10th Grade\American Studies 1 Honors\~WRL0040.tmp
    C:\Documents and Settings\Andy\My Documents\School\10th Grade\American Studies 1 Honors\~WRL2102.tmp
    C:\Documents and Settings\Andy\My Documents\School\9th Grade\Spanish II\~WRL0749.tmp
    C:\Documents and Settings\Kristen\Application Data\Microsoft\Templates\~WRL3620.tmp
    C:\Documents and Settings\Kristen\My Documents\8th Grade\Science\~WRL2452.tmp
    C:\Documents and Settings\Kristen\My Documents\8th Grade\Science\~WRL3535.tmp
    C:\Documents and Settings\Kristen\My Documents\Biology\~WRL1078.tmp
    C:\Documents and Settings\Kristen\My Documents\Biology\~WRL3826.tmp

    Finished

    ----------------------------------------------------------------------------

    Here's a new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:56:16 PM, on 4/8/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {090B3EED-FE27-7B12-F7F3-0AFE44F5CF50} - C:\WINDOWS\System32\wzggsbk.dll
    O2 - BHO: 0 - {16F012E7-E47F-420B-32A3-720F88218CA8} - C:\Program Files\XEROX\qucamoxyr.dll
    O2 - BHO: (no name) - {1CEFB8A3-33AA-4E02-BEFD-6DA7170E8101} - \
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {25B1B367-6F71-4410-AAD1-45315F4B5AA1} - \
    O2 - BHO: (no name) - {3899D356-1483-4122-8CB7-24C829CB3690} - C:\Program Files\Windows NT\meqosaw.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\tmp4.tmp.dll
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dll
    O2 - BHO: (no name) - {6f406b00-e2ab-4d8e-a071-6a2ca1bb3add} - C:\WINDOWS\system32\aRES.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\vtttrq.dll ",realset
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ziqw] C:\Program Files\Common Files\ziqw\ziqwm.exe
    O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173542179468
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: A3dxq - C:\WINDOWS\System32\a3dxq.dll
    O20 - Winlogon Notify: aRES - C:\WINDOWS\SYSTEM32\aRES.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
     
  9. 2007/04/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, as per the scan it appears you have a rootkit running, so let's try and root it out with GMER.

    Download GMER from one of the following sites listed on this Google page. Due to an ongoing DDoS attack, the good people at Google have offered to host the download links.
    • Right-click the Zip and select "Extract All"
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit Tab and on the right side, untick the Registry box, then click Scan.
    Once the scan is done, hit the copy button, then open notepad and paste the results here for me to see.
     
  10. 2007/04/08
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    I hope it's not a problem that I ran GMER while in safe mode. Here's the results of the scan:

    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-04-08 15:31:53
    Windows 5.1.2600 Service Pack 1


    ---- System - GMER 1.0.12 ----

    SYSENTER \??\C:\WINDOWS\System32:lzx32.sys F8E03BD2

    Code \??\C:\WINDOWS\System32:lzx32.sys pIofCallDriver

    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntoskrnl.exe!Kei386EoiHelper + 1568 804DD07B 3 Bytes [ 59, FD, 6A ]
    .text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 72033FAA
    .text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034135
    .text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034019
    .text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72033FC8

    ---- Services - GMER 1.0.12 ----

    Service C:\WINDOWS\System32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

    ---- Files - GMER 1.0.12 ----

    ADS C:\WINDOWS\SYSTEM32:lzx32.sys <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.12 ----
     
  11. 2007/04/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, looks like Rustock rk, let's remove it.

    Download RustbFix from here. Save it to your desktop.

    • Double click on rustbfix.exe to run the tool.
    • If a Rustock.b-infection is found, you will shortly thereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.
    • After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt).
    Post the content of these logfiles along with a new HijackThis log as well as a new GMER log.
     
  12. 2007/04/08
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    I ran this all in safe mode because my "normal mode" is really ******* up. My desktop no longer shows up - it's just my background and a blue strip at the bottom (no start button, clock, etc.).

    Here's the avenger logfile:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\lijgfgyo

    *******************

    Script file located at: \??\C:\rldivgsl.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Driver PE386 unloaded successfully.
    Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

    Completed script processing.

    *******************

    Finished! Terminate.

    ----------------------------------------------------------------------

    Here's the pelog file:


    ************************* Rustock.b-fix -- By ejvindh *************************
    Sun 04/08/2007 17:38:03.45

    ******************* Pre-run Status of system *******************

    Rootkit driver PE386 is found. Starting the unload-procedure....

    Rustock.b-ADS attached to the System32-folder:
    :lzx32.sys 80888
    Total size: 80888 bytes.
    Attempting to remove ADS...
    system32: deleted 80888 bytes in 1 streams.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************* Post-run Status of system *******************

    Rustock.b-driver on the system: NONE!

    Rustock.b-ADS attached to the System32-folder:
    No System32-ADS found.

    Looking for Rustock.b-files in the System32-folder:
    No Rustock.b-files found in system32


    ******************************* End of Logfile ********************************




    Here's my new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:43:29 PM, on 4/8/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {6f406b00-e2ab-4d8e-a071-6a2ca1bb3add} - C:\WINDOWS\system32\aRES.dll
    O2 - BHO: C:\WINDOWS\System32\qch29sr.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\System32\qch29sr.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\vtttrq.dll ",realset
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [luyosmdp] C:\onugnkcb.bat
    O4 - HKCU\..\Run: [ziqw] C:\Program Files\Common Files\ziqw\ziqwm.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [Restore Operation] C:\WINDOWS\TEMP\svchots.exe
    O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
    O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173542179468
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
    O20 - AppInit_DLLs:
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe


    -------------------------------------------------------------------------------------------

    And here's the new GMER log:

    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-04-08 18:02:35
    Windows 5.1.2600 Service Pack 1


    ---- Kernel code sections - GMER 1.0.12 ----

    .text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 72033FAA
    .text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034135
    .text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034019
    .text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72033FC8

    ---- EOF - GMER 1.0.12 ----
     
    Last edited: 2007/04/08
  13. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, as you state, the 'normal mode' desktop is buggered up, but can you run anything from it? Please let me know. I'll assume you have Net access? If so, let's run AVG.

    Boy this system really was quite buggered up with nasties.

    Download AVG Anti-Spyware 7.5 from HERE and save that file to your desktop.
    This is a 30-day trial of the program.
    • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
    • Once the setup is complete you will need to run ewido and update the definition files.
    • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the [Start Update] button, the update will start and a progress bar will show the updates being installed.
    • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do Not run a scan just yet; we will shortly.

    Reboot into safe mode this way:
    • Turn on the computer
    • Immediately begin tapping the <F8> key.
    • Use the arrow keys to highlight Safe Mode and press the <Enter> key.
    IMPORTANT: Do not open any other windows or programs while AVG is scanning, it may interfere with the scanning process.

    Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    • Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    • AVG will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    • If you have any infections you will be prompted; then select "Apply all actions".
    • Next select the "Reports" icon at the top.
    • Select the [Save report as] button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    • Close AVG and reboot your system back into Normal Mode and post the results of the AVG report scan.
     
  14. 2007/04/09
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    I figured out what was screwing up my desktop, so I managed to fix it with Spybot. I ran AVG three times (once to clean up hundreds of infected objects, again to make sure there was nothing left, and a third time when I started noticing problems again). The Resident Shield has been doing a great job of blocking things, and whenever IEXPLORE.exe shows up in my task manager (or sometimes, an IE popup actually appearing on screen) it disappears within seconds.

    Here's a new HJT log, run in normal mode:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:13:55 AM, on 4/9/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\TEMP\svchots.exe
    C:\WINDOWS\TEMP\winlogon.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {6f406b00-e2ab-4d8e-a071-6a2ca1bb3add} - C:\WINDOWS\system32\aRES.dll
    O2 - BHO: C:\WINDOWS\System32\qch29sr.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\System32\qch29sr.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\vtttrq.dll ",realset
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ziqw] C:\Program Files\Common Files\ziqw\ziqwm.exe
    O4 - HKCU\..\Run: [Restore Operation] C:\WINDOWS\TEMP\svchots.exe
    O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
    O4 - Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmasy\Tmasy.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
    O16 - DPF: {12E5E9D9-4366-45D9-BA41-D0BCD55AD8CF} - http://17.sharedsource.org/html/NrsgroupUD_1.0.0.3ie.cab?
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_US_XP.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173542179468
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX.cab
    O20 - AppInit_DLLs:
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
     
  15. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, looks like there is still some left.

    Can you please get me the AVG log, so we can get a better idea of what we're up against? Thanks.

    Please hit the 'Ctrl' key + 'Alt' key + 'Delete' key to bring up the Task Manager and select the 'Processes' tab. Then find, highlight and select 'End Task' on the following process(es) if present:
    C:\WINDOWS\TEMP\svchots.exe
    C:\WINDOWS\TEMP\winlogon.exe


    Download Atribune's ATF Cleaner
    • Double-click ATF-Cleaner.exe to run the program.
    • Tick the following boxes:
      • Windows Temp
      • Current User Temp
      • All User Temp
      • Cookies<<<---By deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.
      • Temporary Internet Files
      • History
      • Prefetch
      • Java Cache
    • Click the [Empty Selected] button.
    We'll empty the Recycle Bin later, once we know you're all cleaned up and nothing needs to be restored.

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\vtttrq.dll
    C:\WINDOWS\System32\qch29sr.dll
    C:\WINDOWS\system32\aRES.dll
    C:\WINDOWS\TEMP\svchots.exe
    C:\WINDOWS\TEMP\winlogon.exe


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Do not allow a reboot yet.


    Open HijackThis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have no IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=


    O2 - BHO: (no name) - {6f406b00-e2ab-4d8e-a071-6a2ca1bb3add} - C:\WINDOWS\system32\aRES.dll

    O2 - BHO: C:\WINDOWS\System32\qch29sr.dll - {8D5849A2-93F3-429D-FF34-260A2068897C} - C:\WINDOWS\System32\qch29sr.dll


    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\vtttrq.dll ",realset

    O4 - HKCU\..\Run: [ziqw] C:\Program Files\Common Files\ziqw\ziqwm.exe

    O4 - HKCU\..\Run: [Restore Operation] C:\WINDOWS\TEMP\svchots.exe

    O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe


    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)


    O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binarie...HTML_US_XP.cab

    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe


    O20 - AppInit_DLLs:



    Reboot into Normal mode and post a new HJT log back into this thread please.
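Added example (editor's code, not from this thread, from HijackThis, or from any tool TeMerc links): a small Python triage pass over HijackThis-style lines that encodes the indicators acted on in the fix list above and visible in the log in post 14: an autorun target living under a TEMP directory, a system-process name (winlogon.exe) running from the wrong directory, a near-miss spelling of a system process (svchots.exe), rundll32 loading a DLL from the Windows root rather than System32, an unnamed BHO, a rewritten SearchURL, and the same module registered in more than one persistence point (aRES.dll as both an O2 BHO and an O20 Winlogon Notify package in post 8's log). The SYSTEM_PROCESSES table, the severity labels and the directory rules are my assumptions for 32-bit Windows XP; the sample lines are copied from the logs posted in this thread.

```python
import re

# Windows processes whose names malware commonly borrows, with the single
# directory each one legitimately runs from on 32-bit Windows XP (assumption).
SYSTEM_PROCESSES = {
    "smss.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "winlogon.exe": "c:\\windows\\system32",
    "services.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# First Windows path on a line that ends in an executable-ish extension. Spaces
# are allowed because "Program Files" paths are often unquoted in HJT logs.
PATH_RE = re.compile(r'[a-z]:\\[^"\r\n]*?\.(?:exe|dll|bat|sys|ocx|scr)\b', re.IGNORECASE)

# Constructed sample: lines copied from the HijackThis logs posted in this thread
# (posts 8 and 14), with one benign AVG entry kept for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://bestsearch.cc/2484/search.php?qq=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {6f406b00-e2ab-4d8e-a071-6a2ca1bb3add} - C:\WINDOWS\system32\aRES.dll
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\vtttrq.dll ",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Restore Operation] C:\WINDOWS\TEMP\svchots.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\WINDOWS\TEMP\winlogon.exe
O20 - Winlogon Notify: aRES - C:\WINDOWS\SYSTEM32\aRES.dll
"""


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent
    characters each cost 1. Catches transposed names like svchots.exe vs svchost.exe."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def extract_path(line):
    """Return the first executable/DLL path on an HJT line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def triage_line(line):
    """Return a list of (severity, reason) findings for one HijackThis line."""
    findings = []
    section = line.split(" - ", 1)[0].strip()      # "R1", "O2", "O4", "O20", ...
    path = extract_path(line)
    if section == "R1" and re.search(r"SearchURL|Start_Page|Default_Page_URL|Search_Page", line):
        host = re.search(r"https?://([^/\s]+)", line)
        if host:
            findings.append(("review", f"browser search/start page points at {host.group(1)}"))
    if path:
        low = path.lower()
        directory, _, name = low.rpartition("\\")
        if any(marker in low for marker in ("\\temp\\", "\\temporary internet files\\")):
            findings.append(("high", f"autorun target lives in a temp directory: {path}"))
        if name in SYSTEM_PROCESSES and directory != SYSTEM_PROCESSES[name]:
            findings.append(("high", f"{name} is a system process name but runs from {directory}"))
        for legit in SYSTEM_PROCESSES:
            if name != legit and osa_distance(name, legit) == 1:
                findings.append(("high", f"{name} looks like a typo-squat of {legit}"))
        if "rundll32" in line.lower() and name.endswith(".dll") and directory == "c:\\windows":
            findings.append(("medium", f"rundll32 loads a DLL from the Windows root instead of System32: {path}"))
    if section == "O2" and "(no name)" in line:
        findings.append(("medium", "BHO registered without a name"))
    if section == "O20" and "Winlogon Notify" in line and path:
        findings.append(("medium", f"Winlogon Notify package: {path}"))
    return findings


def triage_log(text):
    """Triage every line and also flag any module registered under more than one
    HJT section (the same DLL as BHO and Winlogon Notify, for instance)."""
    report = []
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0].strip()
        for severity, reason in triage_line(line):
            report.append((severity, section, reason))
        path = extract_path(line)
        if path:
            seen.setdefault(path.lower(), set()).add(section)
    for path, sections in seen.items():
        if len(sections) > 1:
            report.append(("medium", "+".join(sorted(sections)),
                           f"{path} registered in {len(sections)} persistence points"))
    return report


if __name__ == "__main__":
    for severity, section, reason in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {section:7} {reason}")
```

The rules are deliberately narrow so that a clean entry such as the quoted AVG line produces no finding; the output is a prioritised list for a human to read alongside the log, not a verdict, and the directory rules would need adjusting on anything other than a 32-bit XP install.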
     
  16. 2007/04/09
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    I wasn't able to follow all of your instructions.

    I closed svchots.exe from my Task Manager, but it wouldn't allow me to close winlogon.exe, the reason being it is a "critical system process." Are you sure I should be trying to close winlogon.exe (and select it for deletion in the Killbox list)?

    I ran the ATF Cleaner, and deleted about 360 MB from the sections you listed. However, I wasn't able to run Killbox because I can't download it (the link you posted gave me a 404 error). Is there any way to circumvent this?
     
  17. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, don't worry so much about killing those processes. I wasn't sure if you were going to get that message or not.

    For the KB download, use this link
     
  18. 2007/04/09
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    Okay, now I've run into yet another problem. I downloaded Killbox to the desktop, but every time I open it I get this message:

    C:\Documents and Settings\Len\Desktop\KillBox.exe is not a valid Win32 application.

    Any idea on how to get around this?

    By the way, thank you for all your help and patience already. I really appreciate all the aid you've been able to give me thus far.
     
  19. 2007/04/09
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hmmm...that's very odd. That usually means a corrupted download.

    Delete the first one, and try another. Apologies for these somewhat frustrating problems. Appreciate your patience.
     
  20. 2007/04/10
    Blader5489

    Blader5489 Inactive Thread Starter

    Joined:
    2007/04/07
    Messages:
    12
    Likes Received:
    0
    I've downloaded Killbox several times, and each time I try to run it I get the same aforementioned message ("KillBox.exe is not a valid Win32 application"). If it's a sign of a corrupted download, is there another link I could use?
     
  21. 2007/04/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Uggh....Darn, I had a link to get a file which is likely needing replacement and forgot to do it before I hit the sack last night, sorry.

    Go to this page to replace that file:
    http://www.malwareteks.com/e107_plugins/forum/forum_viewtopic.php?64

    Then DL the appropriate version for your OS. Links are about 3/4 of the page down.
     
