
Iexplore.exe errors [now looks like a spyware issue]

Discussion in 'Malware and Virus Removal Archive' started by Lysimachus, 2005/02/09.

Thread Status:
Not open for further replies.
  1. 2005/02/11
    Lysimachus

    Lysimachus Well-Known Member Thread Starter

    Joined:
    2005/02/09
    Messages:
    69
    Likes Received:
    0
    Hello??? How come no one has answered yet? I need removal instructions....the longer I wait, the longer this computer will be occupied, and the longer it will prevent certain people from getting work they need to get done on it...
     
  2. 2005/02/11
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    It is well understood that you would like an answer as quickly as possible, since you have some nasty form of malware actively running on your machine, but look in the forum: so do a lot of other folks. You're in the queue; settle back, post some answers on some other threads while you wait.
     


  4. 2005/02/11
    Lysimachus

    Lysimachus Well-Known Member Thread Starter

    Joined:
    2005/02/09
    Messages:
    69
    Likes Received:
    0
    I'm very sorry and I apologize. I will be patient. You are right. It isn't right of me to be thinking I need immediate assistance. Help me when you can. :)
     
  5. 2005/02/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Sorry for the delay. :(

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;windowsupdate.micr...ndowsupdate.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - blank (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\PROGRA~1\wvpsxtwv\NhwfAQYd.exe

    Check the box to delete on reboot and click the red X to the right. Click OK, then No to reboot now. Copy the next filepath and paste it in the box, and repeat the above steps. When all of the below filepaths are done, allow it to reboot.

    C:\PROGRA~1\wvpsxtwv\***** insert every filename in that folder
    C:\WINDOWS\System32\drivers\winik.sys

    After reboot, you should be able to delete that wvpsxtwv folder.

    Also suggest you (best done in safe mode):
    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Close Internet Options. Then, still in the control panel, open the Java Plug-in, click the cache tab and then clear.
    Empty the recycle bin.

    Go to the Sun Java Website and update your JRE. Current is 1.4.2_07

    Run another HijackThis scan and post the log.
     
  6. 2005/02/13
    Lysimachus

    Lysimachus Well-Known Member Thread Starter

    Joined:
    2005/02/09
    Messages:
    69
    Likes Received:
    0
    Problem Solved! :)

    BEAUTIFUL!!! :D You guys are the BEST! THE SUPER BEST! Thank you so very much! I really don't know how to thank you enough! I followed all of your procedures noahdfear

    ...one thing extra I thought I should do is clean the registry. I kind of followed what JacobSteelSmith said from post#7 on this thread: http://www.wilderssecurity.com/showthread.php?t=64316 regarding cleaning the registry, but the folder "LEGACY_WINIK" doesn't show up when you do a Search for "winik ". Instead, it found a "winik.sys" along with other familiar names such as "dYQAfwhN" in a folder under the "Search Assistant" folder. I backed up then deleted that entire folder with all those files (folder under the Search and Assistant folder). Then I did a search for the "LEGACY_WINIK" folder itself and found it...but that folder was separate from where the "winik.sys" key was found. I tried to delete the "LEGACY_WINIK" folder (after backing it up) but an error occurred telling me I couldn't delete it. I checked Permissions and saw that Full Control was not enabled. I enabled Full Control for Everyone and then successfully deleted the entire folder.

    It rebooted flawlessly, tried to reproduce the Iexplore.exe and Internet Explorer Errors by going to the same sites that incurred the errors, and I received NO ERRORS! Everything seems to work flawlessly now.

    However, when I did a new HiJackThis log, I STILL found the following entries:

    O4 - HKLM\..\Run: [eYVGYsUw] C:\PROGRA~1\wvpsxtwv\dYQAfwhN.exe
    O4 - HKLM\..\Run: [REpHZ5Uw] C:\PROGRA~1\wvpsxtwv\dYQAfwhN.exe
    O4 - HKLM\..\Run: [dwVGYoox] C:\PROGRA~1\wvpsxtwv\dYQAfwhN.exe


    I deleted all three entries.

    Then I did a system search.

    Although the folder "wvpsxtwv" was to be found nowhere, the file "dYQAfwhN.exe" was FOUND IN THE SEARCH:

    dYQAfwhN.exe C:\!Submit

    The TWO files sitting in the C:\!Submit folder were "dYQAfwhN.exe" and "winik.sys" !!! HOW EVIL! The two most nasty files that kept haunting my mind were sitting in this little folder I never noticed before! I simply deleted the folder and it deleted fine. I then emptied the Recycle Bin. I reran all my antispyware software then generated a new log with HiJackThis. Here are the results. Please notify me of anything you may perceive as "unclean" or should be removed:

    -----------------------------------------------------------------
    Logfile of HijackThis v1.99.0
    Scan saved at 9:09:07 PM, on 2/13/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\Iomega\System32\AppServices.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\Program Files\EPOX\USDM\USDM.EXE
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Iomega\AutoDisk\ADService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = DiBananaRi@hotmail.com
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program Files\EPOX\USDM\USDM.EXE" "5000 "
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe "
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0003949E-06B6-4261-88F0-F9C06506D8E6}: NameServer = 4.2.2.4,4.2.2.5
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
    -------------------------------------------------------------------------

    Once again, thank you all. I also apologize for appearing so impatient and demanding. It sure is good to get this sort of help without receiving a big bill in the mail. There would be just no way I could afford it anyway...


    And one last question for you Microsoft Support Specialists and Computer Specialists. What books would you recommend buying that will teach you all the ins-and-outs of Windows XP, 2000, etc Operating Systems? What books will list to you, for example, all the different commands for Start>Run, opening Utilities...setting settings etc.? What books did you study that helped you get to where you're at now?
     
    Last edited: 2005/02/13
  7. 2005/02/13
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks like a clean log. Glad we could help. :)

    The !submit folder was created by Pocket Killbox. Part of the tool's design that makes it easy to submit a file to the experts so they can study it.

    Very good idea to do some house cleaning in the registry, and I recommend you go one more step and use RegSeeker. I personally have always deleted everything it finds and run it 2 or 3 times consecutively, till it comes up clean. Never had it remove anything it shouldn't. It also has registry and files search functions, as well as the ability to clear typed URLs, cookies, etc., and does create backups if needed.

    Books..... :confused: I've learned what I know from the good folks here and other forums, as well as Google. Throw in some trial and error and curiosity too. ;)
     
  8. 2005/02/14
    Lysimachus

    Lysimachus Well-Known Member Thread Starter

    Joined:
    2005/02/09
    Messages:
    69
    Likes Received:
    0
    Well that explains it about the "!Submit" folder....heh...and here I thought it was some devious thing the malware did...I almost thought it was intelligent enough to know that I was trying to get rid of it...lol

    Thanks for the RegSeeker link....it just baffles me how much freeware there really is out there. Usually it's hard to find them in search engines...and when I do find "free software ", they make you believe you're downloading the full version...but lo and behold after you're done with a scan, they make you pay just to clean or fix what you scanned!

    So you learned through forums, etc, eh? Well, to tell you the truth, most of what I've learned seems to have come off the web too, so I kind of understand. However, there are some things that you know that I just can't figure out how you knew.

    For example, when you told me to delete the following three entries, what was it about these entries that made you know that they needed to be removed?

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;windowsupdate.micr...ndowsupdate.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - blank (file missing)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe


    How did you judge this and know which to check and which to leave unchecked? I'd like to know how you go about judging these things...heh

    You see, I'm developing my own computing business...so it will be kind of nice to know some of these things.

    My business is PracTek Computing, and my fresh new website is www.practek.com. Plz bear with the poor design, as I'm in the process of trying to get my business going and was forced to get a simple web page up asap....but it's under construction and should have a better, more professional design, within the next few months. :D

    P.S. Oh, and please, one more thing...do my service rates look reasonable? Or do they need to be adjusted? :confused:
     
    Last edited: 2005/02/14
  9. 2005/02/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Here's a tutorial that will help you out. Use Google for anything unknown to you.

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - blank (file missing)

    File missing from a Browser Helper Object..........just cluttering the registry. I have since looked up that CSLID and see it belongs to Spybot's SDHelper, so I recommend you check the folder where Spybot's executable resides (usually C:\Program Files\Spybot Search and Destroy) and see if sdhelper.dll is present. If not, get it here and extract it to that folder. Then open Spybot (advanced mode) and click the tools button, then Resident. Check the box for SDHelper and exit.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    An out-of-date Sun Java auto-updater that doesn't work anyway. No need for it to run at startup. Since that version has security issues, I recommended the update.

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;windowsupdate.micr...ndowsupdate.com

    Let's just say that after studying thousands of logs, this entry just doesn't look right. ;) (the link goes nowhere too)

    BTW, rates look reasonable, depending on the community you serve. (don't be surprised if a forum moderator removes your link though.......advertising)
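One way to mechanise the kind of judgement noahdfear describes above, as an added example (my code, not noahdfear's and not part of HijackThis): a small Python triage of HijackThis log lines that flags the three patterns this thread turned on: a BHO whose file is missing, a ProxyOverride holding non-local hosts or URLs, and one executable registered under several Run value names (the three O4 lines from post 6). The sample lines are constructed from entries quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;windowsupdate.micr...ndowsupdate.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - blank (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [eYVGYsUw] C:\PROGRA~1\wvpsxtwv\dYQAfwhN.exe
O4 - HKLM\..\Run: [REpHZ5Uw] C:\PROGRA~1\wvpsxtwv\dYQAfwhN.exe
O4 - HKLM\..\Run: [dwVGYoox] C:\PROGRA~1\wvpsxtwv\dYQAfwhN.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
"""

# "O4 - <rest>": section code, then the entry body.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [ValueName] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# Hosts that legitimately belong in ProxyOverride; anything else gets a second look.
LOOPBACK = {"localhost", "127.0.0.1", "<local>"}


def exe_from_command(cmd):
    """Return the executable path from a Run command, ignoring quotes and arguments."""
    m = re.match(r'"?(.*?\.exe)', cmd.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else cmd.strip().lower()


def triage(log_text):
    """Return a list of (section, reason, detail) for entries worth a second look."""
    findings = []
    run_names = defaultdict(list)  # executable path -> Run value names pointing at it
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if section == "O2" and "(file missing)" in body:
            findings.append((section, "BHO whose DLL is missing; dead registry entry", body))
        elif section == "R1" and "ProxyOverride" in body:
            # ProxyOverride holds host patterns, not URLs, and normally only local names.
            value = body.split("=", 1)[1].strip()
            odd = [h for h in value.split(";")
                   if "://" in h or (h.strip().lower() not in LOOPBACK and "." in h)]
            if odd:
                findings.append((section, "ProxyOverride names non-local hosts or URLs", ";".join(odd)))
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                run_names[exe_from_command(r.group("cmd"))].append(r.group("name"))
    # Legitimate software registers itself once; several names for one binary is a tell.
    for exe, names in run_names.items():
        if len(names) > 1:
            findings.append(("O4", "same executable registered under several Run names",
                             f"{exe} <- {names}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

The heuristics only rank entries for a human to check; a clean-looking Run line (the AVG one here) still has to be judged by where its executable lives and who signed it.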
     
  10. 2005/02/14
    Lysimachus

    Lysimachus Well-Known Member Thread Starter

    Joined:
    2005/02/09
    Messages:
    69
    Likes Received:
    0
    Thanks for the reply...

    Oh, and for all you Mods, my link was not to advertise! I just needed input from professionals... I only service people in my local area in northern Wisconsin anyway...so considering it an ad in WindowsBBS would be impossible...heh :p
     
  11. 2005/02/21
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello Lysimachus,

    I see that your immediate problem is solved, for backup to AVG use the on-line virus scanners listed below.

    From the Quick Links at the top of this page > Miscellaneous > Recommended Links you'll find links to etrust - House Call - RAV

    Regards - Charles
     
    Last edited: 2005/02/21