
iexplore.exe virus

Dell precision / Pws670
June 3, 2009 at 15:56:00
Specs: Windows XP 2002 SP2

I seem to have a virus linked to iexplore.exe. A second iexplore.exe keeps appearing in Task Manager even after I delete it. It appears to be a valid incarnation of iexplore.exe in the Program Files\Internet Explorer directory. Periodically this iexplore.exe establishes a link to an outside site (sounds like a radio station at first and then transitions to an open-mike type setting). If I kill the unwanted iexplore.exe it kills the link. Annoying but manageable; however, there seems to be a second feature in that my computer now hangs and I have to do a hard reboot (sometimes more than once) to come back up. I have seen other sites talking about an iexplore.exe virus but the symptoms seem quite different from mine. I have SpyDoctor and RegGenie but neither fixes the problem nor seems to detect it. Any ideas?



#1
June 3, 2009 at 16:01:59

Download and run Kaspersky AVP tool: http://devbuilds.kaspersky-labs.com...
Once you download and start the tool:

1) Check below options:
    * Select all the objects/places to be scanned.
    * Settings > Customize > Heuristic analyzer > Enable deep rootkit search
2) Click Scan
3) Fix what it detects
4) Attach Scan log/Summary to your next message.

Illustrated tutorial: http://img32.imageshack.us/img32/76...

-------------------------------------------------



#2
June 3, 2009 at 16:34:03

Thanks for the prompt reply. I have initiated the download of the Kaspersky software. It tells me to delete other anti-virus software... does that include SpyDoctor and RegGenie?


#3
June 3, 2009 at 17:03:02

Doesn't it tell you? You can also run web AV scanner: http://usa.kaspersky.com/products_s...

-------------------------------------------------



#4
June 4, 2009 at 11:28:26

Okay, I have removed all other virus protection software and run the Kaspersky AVP tool. There appear to be two types of viruses: Rootkit.Win32.TDSS.a and three instances of Packed.Win32.TDSS.f. The Kaspersky tool seems to be able to delete the .f files but they reappear on reboot. It is not clear that it has been able to do anything about the .a virus. Since I don't see a mechanism for 'attaching' a file, I have pasted the scan log text results below.

=====================
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 10:28:48 AM Task completed
6/4/2009 10:28:00 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 10:41:24 AM Task stopped
6/4/2009 10:41:03 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:41:03 AM Task started
6/4/2009 10:38:59 AM Task stopped
6/4/2009 10:37:22 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:37:22 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 10:39:11 AM Task completed
6/4/2009 10:38:59 AM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:38:59 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:38:59 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 10:41:40 AM Task completed
6/4/2009 10:41:24 AM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:41:24 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:41:24 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 11:14:22 AM Task completed
6/4/2009 11:14:22 AM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 11:09:43 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll Skipped by user
6/4/2009 11:09:43 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll
6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vQU7Cn1s.dll Skipped by user
6/4/2009 11:09:43 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vQU7Cn1s.dll
6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vwR455ef.exe Skipped by user
6/4/2009 11:09:43 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vwR455ef.exe
6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vQU7Cn1s.exe Skipped by user
6/4/2009 11:09:43 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vQU7Cn1s.exe
6/4/2009 11:09:43 AM Deleted: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe
6/4/2009 11:09:43 AM Detected: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe
6/4/2009 11:09:43 AM Deleted: not-a-virus:FraudTool.Win32.WinSpywareProtect.qt C:\Documents and Settings\c9489\Local Settings\Temp\c.exe
6/4/2009 11:09:39 AM Detected: not-a-virus:FraudTool.Win32.WinSpywareProtect.qt C:\Documents and Settings\c9489\Local Settings\Temp\c.exe
6/4/2009 11:01:02 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll Postponed
6/4/2009 11:01:02 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll
6/4/2009 11:01:02 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vQU7Cn1s.dll Postponed
6/4/2009 11:01:02 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vQU7Cn1s.dll
6/4/2009 11:00:25 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msxml6.dll
6/4/2009 11:00:15 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\flash.ocx
6/4/2009 10:54:44 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe
6/4/2009 10:54:42 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
6/4/2009 10:54:37 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Dell\RAID Storage Manager\jre\bin\eula.dll
6/4/2009 10:54:01 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annots.api
6/4/2009 10:53:17 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\swflash.ocx
6/4/2009 10:52:24 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\flash.ocx
6/4/2009 10:49:54 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vwR455ef.exe Postponed
6/4/2009 10:49:54 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vQU7Cn1s.exe Postponed
6/4/2009 10:49:53 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vQU7Cn1s.exe
6/4/2009 10:49:53 AM Detected: not-a-virus:AdWare.Win32.BHO.fb C:\Documents and Settings\c9489\Local Settings\Temp\vwR455ef.exe
6/4/2009 10:49:52 AM Untreated: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe Postponed
6/4/2009 10:49:52 AM Detected: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe
6/4/2009 10:49:52 AM Untreated: not-a-virus:FraudTool.Win32.WinSpywareProtect.qt C:\Documents and Settings\c9489\Local Settings\Temp\c.exe Postponed
6/4/2009 10:49:52 AM Detected: not-a-virus:FraudTool.Win32.WinSpywareProtect.qt C:\Documents and Settings\c9489\Local Settings\Temp\c.exe
6/4/2009 10:48:15 AM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed
6/4/2009 10:47:54 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:47:53 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 11:36:11 AM Task completed
6/4/2009 11:36:11 AM Will be deleted on system restart: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACouhdktuwaxhkhyw.dll
6/4/2009 11:36:11 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACouhdktuwaxhkhyw.dll
6/4/2009 11:36:11 AM Will be deleted on system restart: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll
6/4/2009 11:36:11 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll
6/4/2009 11:36:11 AM Will be deleted on system restart: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll
6/4/2009 11:36:11 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll
6/4/2009 11:36:11 AM Deleted: Trojan.Win32.TDSS.acbv C:\WINDOWS\system32\UACgluqjsbslktivlt.dll
6/4/2009 11:36:11 AM Detected: Trojan.Win32.TDSS.acbv C:\WINDOWS\system32\UACgluqjsbslktivlt.dll
6/4/2009 11:36:10 AM Deleted: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACfbsdshvdohhwnkn.dll
6/4/2009 11:36:10 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACfbsdshvdohhwnkn.dll
6/4/2009 11:36:10 AM Deleted: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys
6/4/2009 11:36:06 AM Detected: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys
6/4/2009 11:29:04 AM Untreated: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys Postponed
6/4/2009 11:29:04 AM Detected: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys
6/4/2009 11:28:54 AM Untreated: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll Postponed
6/4/2009 11:28:54 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACnfhefbrahlpofps.dll
6/4/2009 11:28:54 AM Untreated: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACouhdktuwaxhkhyw.dll Postponed
6/4/2009 11:28:54 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACouhdktuwaxhkhyw.dll
6/4/2009 11:28:54 AM Untreated: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll Postponed
6/4/2009 11:28:54 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll
6/4/2009 11:28:54 AM Untreated: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACfbsdshvdohhwnkn.dll Postponed
6/4/2009 11:28:54 AM Detected: Packed.Win32.Tdss.f C:\WINDOWS\system32\UACfbsdshvdohhwnkn.dll
6/4/2009 11:28:53 AM Untreated: Trojan.Win32.TDSS.acbv C:\WINDOWS\system32\UACgluqjsbslktivlt.dll Postponed
6/4/2009 11:28:53 AM Detected: Trojan.Win32.TDSS.acbv C:\WINDOWS\system32\UACgluqjsbslktivlt.dll
6/4/2009 11:28:24 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msxml6.dll
6/4/2009 11:28:18 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\flash.ocx
6/4/2009 11:24:24 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe
6/4/2009 11:24:22 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
6/4/2009 11:24:18 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Dell\RAID Storage Manager\jre\bin\eula.dll
6/4/2009 11:23:50 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annots.api
6/4/2009 11:23:31 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\swflash.ocx
6/4/2009 11:23:00 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\flash.ocx
6/4/2009 11:19:45 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:09:42 PM Task completed
6/4/2009 11:57:27 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 11:49:32 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msxml6.dll
6/4/2009 11:49:26 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\flash.ocx
6/4/2009 11:45:34 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe
6/4/2009 11:45:32 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
6/4/2009 11:45:29 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Dell\RAID Storage Manager\jre\bin\eula.dll
6/4/2009 11:45:00 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annots.api
6/4/2009 11:44:41 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\swflash.ocx
6/4/2009 11:44:10 AM Detected: http://www.viruslist.com/en/advisor... C:\i386\flash.ocx
6/4/2009 11:41:00 AM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed
6/4/2009 11:40:51 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 11:40:51 AM Task started
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:09:42 PM Task started
6/4/2009 12:09:42 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:09:42 PM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:09:57 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:17:58 PM Task started
6/4/2009 12:17:58 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:18:04 PM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed
6/4/2009 12:18:17 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:19:38 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:19:38 PM Task started
6/4/2009 12:19:38 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:19:38 PM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 12:19:47 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:40:06 PM Task started
6/4/2009 12:42:21 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 12:56:20 PM Task started
6/4/2009 1:16:42 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 1:25:21 PM Task started
6/4/2009 1:25:21 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 1:25:31 PM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed
6/4/2009 1:29:53 PM Detected: http://www.viruslist.com/en/advisor... C:\i386\flash.ocx
6/4/2009 1:30:43 PM Detected: http://www.viruslist.com/en/advisor... C:\i386\swflash.ocx
6/4/2009 1:31:30 PM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Adobe\Acrobat 7.0\Reader\plug_ins\Annots.api
6/4/2009 1:32:05 PM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Dell\RAID Storage Manager\jre\bin\eula.dll
6/4/2009 1:32:09 PM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\j2re1.4.2_03\bin\eula.dll
6/4/2009 1:32:11 PM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe
6/4/2009 1:37:52 PM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\flash.ocx
6/4/2009 1:38:02 PM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msxml6.dll
6/4/2009 1:47:42 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 1:50:42 PM Task completed
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 1:50:42 PM Task started
6/4/2009 1:50:42 PM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 1:50:42 PM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 1:50:58 PM Task completed

=============
I hope this is sufficient. Thanks.
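Added example, not from the thread or from Kaspersky: a small Python triage script for the AVP Tool log format pasted above. It parses the `<date> <time> <Status>: <Threat> <Object>` lines, sets aside the advisory-URL hits (out-of-date software rather than malware) and flags objects that were detected again after the tool reported them disinfected or deleted, which is the TDSS.a pattern this log shows. The embedded sample is a constructed excerpt of the log above; the function names are my own.

```python
"""Triage helper for Kaspersky AVP Tool log lines of the form
"<m/d/yyyy> <h:mm:ss> <AM|PM> <Status>: <Threat> <Object> [<Reason>]"."""
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed excerpt of the log pasted in post #4: events appear newest-first
# within a task, plus a summary header and a "Task started" line the parser skips.
SAMPLE_LOG = r"""
Disinfect active threats: completed 6/4/2009 1:50:58 PM (events: 4, objects: 2483, time: 00:00:16)
6/4/2009 10:38:59 AM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:38:59 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:38:59 AM Task started
6/4/2009 10:41:24 AM Disinfected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:41:03 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 10:48:15 AM Untreated: Rootkit.Win32.TDSS.a System Memory Postponed
6/4/2009 10:47:54 AM Detected: Rootkit.Win32.TDSS.a System Memory
6/4/2009 11:09:43 AM Untreated: not-a-virus:AdWare.Win32.BHO.fb C:\WINDOWS\system32\vwR455ef.dll Skipped by user
6/4/2009 11:09:43 AM Deleted: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe
6/4/2009 11:09:43 AM Detected: Packed.Win32.Tdss.m C:\Documents and Settings\c9489\Local Settings\Temp\d.exe
6/4/2009 11:00:25 AM Detected: http://www.viruslist.com/en/advisor... C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\msxml6.dll
6/4/2009 10:54:44 AM Detected: http://www.viruslist.com/en/advisor... C:\Program Files\Java\jre1.6.0_03\bin\java.exe
6/4/2009 11:36:11 AM Will be deleted on system restart: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll
6/4/2009 11:36:10 AM Deleted: Trojan.Win32.Agent.chly C:\WINDOWS\system32\drivers\UACtjfcksqhcidxjka.sys
6/4/2009 11:28:54 AM Untreated: Packed.Win32.Tdss.f C:\WINDOWS\system32\UAClsqefvmuegnyacf.dll Postponed
"""

class Event(NamedTuple):
    when: datetime
    status: str
    threat: str
    obj: str
    reason: Optional[str]  # only for "Untreated": "Postponed" / "Skipped by user"

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<status>Detected|Disinfected|Deleted|Untreated|Will be deleted on system restart): "
    r"(?P<threat>\S+) (?P<obj>.+)$"
)
UNTREATED_REASONS = ("Postponed", "Skipped by user")
ADVISORY_PREFIX = "http://www.viruslist.com/"  # threat field is an advisory URL
TREATED = {"Disinfected", "Deleted"}

def parse_log(text: str) -> List[Event]:
    """Parse detection events and return them in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # summary headers, Task started/completed/stopped, blanks
        obj, reason = m["obj"], None
        if m["status"] == "Untreated":  # trailing reason belongs to the status
            for r in UNTREATED_REASONS:
                if obj.endswith(" " + r):
                    obj, reason = obj[: -len(r) - 1], r
                    break
        when = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        events.append(Event(when, m["status"], m["threat"], obj, reason))
    return sorted(events, key=lambda e: e.when)  # stable: keeps order on ties

def is_advisory(e: Event) -> bool:
    """Out-of-date software is reported with an advisory URL as the threat
    name; that is a vulnerability hit, not a malware sample."""
    return e.threat.startswith(ADVISORY_PREFIX)

def recurring_after_treatment(events: List[Event]) -> List[Tuple[str, str]]:
    """Objects detected again strictly after the tool reported them disinfected
    or deleted: an active rootkit re-infecting memory, as the TDSS.a lines show."""
    first_treated: Dict[Tuple[str, str], datetime] = {}
    recurring = set()
    for e in events:  # chronological, so a later Detected means re-infection
        key = (e.threat, e.obj)
        if e.status in TREATED:
            first_treated.setdefault(key, e.when)
        elif e.status == "Detected" and key in first_treated and e.when > first_treated[key]:
            recurring.add(key)
    return sorted(recurring)

def pending_restart(events: List[Event]) -> List[str]:
    """Files only scheduled for deletion at reboot (locked or in use); confirm
    they are really gone afterwards, since the poster saw them reappear."""
    return sorted({e.obj for e in events
                   if e.status == "Will be deleted on system restart"})

def triage(text: str) -> Dict[str, object]:
    """One-shot summary a helper would read before deciding on the next tool."""
    events = parse_log(text)
    malware = [e for e in events if not is_advisory(e)]
    return {
        "malware_events": len(malware),
        "vulnerable_software": sorted({e.obj for e in events if is_advisory(e)}),
        "recurring": recurring_after_treatment(malware),
        "pending_restart": pending_restart(malware),
        "untreated": sorted({(e.threat, e.obj, e.reason or "") for e in malware
                             if e.status == "Untreated"}),
    }
```

Calling `triage(SAMPLE_LOG)` lists TDSS.a in System Memory as recurring after disinfection, one UAC*.dll still pending deletion at restart, and three untreated items, which is the picture the helper acts on in the following posts.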



#5
June 4, 2009 at 12:33:03

1) Can you please post your AVZ log:
Note: Run AVZ in windows normal mode. If avz.exe doesn't start, then try to rename the file avz.exe to something else and try to run it again. Make sure you have your web browser open in background before following the steps below.

i) To create the logfile, download AVZ by clicking HERE. Please save this file to your desktop or "My Documents" folder.

ii) Next, unpack the file to a new folder using the Compressed (zipped) folders wizard built into Windows XP/Vista, or a zip utility of your choice.

iii) Once you have unpacked the contents of the zip archive, please launch the file AVZ.exe by double clicking on it or right clicking and selecting Open.
Note: If you are running Windows Vista launch AVZ.exe by right clicking and selecting Run as Administrator.

You should now see the main window of the AVZ utility. Please navigate to File->Custom Scripts. Copy the script below by using the keyboard shortcut CTRL+C or the corresponding option via right click.

begin
ExecuteStdScr(3);
RebootWindows(true);
end.


Paste the script into the execution window by using CTRL+V keyboard shortcut, or the "paste" option via the right click menu. Click on Run to run the script, the PC will reboot. After the reboot the LOG subfolder is created in the folder with AVZ, with a file called virusinfo_syscure.zip inside. Upload that file to rapidshare.com and paste the link here.

Image Tutorial

2) Can you also make a new HijackThis log and upload it to rapidshare.com. HijackThis: Here

-------------------------------------------------



#6
June 5, 2009 at 06:17:17

I tried to upload these links yesterday and I don't think they went through so here we go again.

http://rapidshare.com/files/2408744...
MD5: 4AADAD7C2796969ECB717EE8BE95FD2E


http://rapidshare.com/files/2408744...
MD5: CD95A703F7440962DC7042168AE578DC



#7
June 5, 2009 at 06:40:53

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('\\?\globalroot\systemroot\system32\UAClsqefvmuegnyacf.dll','');
DeleteFile('\\?\globalroot\systemroot\system32\UAClsqefvmuegnyacf.dll');
BC_ImportDeletedList;
ExecuteSysClean;
ExecuteRepair(13);
ExecuteRepair(14);
ExecuteRepair(15);
BC_Activate;
RebootWindows(true);
end.

2) After reboot, attach a Combofix log. Please review and follow these instructions carefully.

Download it here -> http://download.bleepingcomputer.co...

Before Saving it to Desktop, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan. Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please upload that file to rapidshare.com and paste the link here.

-------------------------------------------------



#8
June 5, 2009 at 08:46:21

Okay, running the AVZ did not appear to complete so I have not attempted the second part and won't until I hear back. While running the script supplied above, the AVZ came up with a window saying that the application could not complete because netsh.exe could not find framedyn.dll. When I hit okay to that message (no other choice) it did say that the script had run to completion and then the computer rebooted. I tried running the AVZ script a couple of times with the same result. Please advise.


#9
June 5, 2009 at 08:51:01

Leave fix for now and continue with combofix. This is the fix: http://support.microsoft.com/kb/319114

-------------------------------------------------



#10
June 5, 2009 at 09:43:50

Well, I could not find framedyn.dll in the dllcache folder and my path wasn't set at all. There was a framedyn.dll in the correct directory, so I set my path as directed and gave it a go... same result. This could mean my framedyn.dll is corrupted. I notice that when I renamed it in the \wbem directory (I tried copying a version that I found in the \i386 directory) it was regenerated immediately. Please advise.


#11
June 5, 2009 at 09:52:47

Continue with combofix

-------------------------------------------------



#12
June 5, 2009 at 10:38:56

Okay, here is the link:

http://rapidshare.com/files/2411854...
MD5: FC212F693C47A2E43D716DDD20F7A9DD



#13
June 5, 2009 at 12:00:23

1) Please zip up C:\qoobox\quarantine and a copy of the following files:
c:\windows\system32\pgdfgsvc.exe
c:\windows\RegGenieOnUninstall.exe
Upload all of them to a filehost such as http://rapidshare.com/ Then, Private Message me the download link to the uploaded file.

2) Lastly, uninstall Combofix by: pause Antivirus/Spyware programs (http://www.bleepingcomputer.com/forums/topic114351.html Programs to disable) > Start > run > type combofix /u > ok. Or Start > run > type 123 /u > ok.

-------------------------------------------------



#14
June 5, 2009 at 12:50:56

Sorry, I have been away for a couple of days. When I try to Direct Message you with the info it tells me to post the info in this box... is that what you want me to do?


#15
June 9, 2009 at 09:54:59

Is your original problem fixed?

-------------------------------------------------



#16
June 11, 2009 at 19:46:56

Yes, my original problem has been cleared up. Thank you.


#17
June 11, 2009 at 20:12:05

Complete Response Number 13. Use the link below this message to private message me. In addition, send me this file as well: c:\windows\system32\dssmg.exe. You still might have infected files on your system, so complete all the steps till I say you are malware free.

If I'm helping you and I don't reply within 24 hours send me a PM.



#18
June 12, 2009 at 06:57:24

I cannot zip up dssmg.exe - won't let me.


#19
June 12, 2009 at 07:02:58

No need to zip it; just copy it to your desktop or upload it directly to rapidshare.com. Do not delete or move the files which I told you to send. I just want a copy of them.

If I'm helping you and I don't reply within 24 hours send me a PM.



#20
June 12, 2009 at 09:16:19

I can't upload the dssmg.exe file to Rapidshare...it keeps telling me there is no file to upload when I have clearly selected the file and placed its name in the filename box. ???


#21
June 12, 2009 at 09:18:04

Leave that file for now. Continue with the rest.

If I'm helping you and I don't reply within 24 hours send me a PM.



#22
June 12, 2009 at 09:50:08

Redo Response Number 5. Generate and post a new set of logs.

If I'm helping you and I don't reply within 24 hours send me a PM.



#23
June 12, 2009 at 10:30:08

http://rapidshare.com/files/2438023...
MD5: 2D4484E25EFDA80D0A2E0CB0A606BB64

http://rapidshare.com/files/2438023...
MD5: 77B8E019798E7E6F4A6CDBF3CB0DC308



#24
June 12, 2009 at 12:52:08

Follow these steps in the order numbered. Don't proceed to the next step unless you have successfully completed the previous step:

1) Run this script in AVZ like before, your computer will reboot:

begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\dssmg.exe','');
DeleteService('AFSEGTGF Windows Service');
StopService('AFSEGTGF Windows Service');
DeleteFile('C:\WINDOWS\system32\dssmg.exe');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.

2) After reboot, execute the following script in AVZ:

begin
CreateQurantineArchive('C:\quarantine3.zip');
end.


A file called quarantine3.zip should be created in C:\. Upload that file to Rapidshare.com and private message me download link.

If I'm helping you and I don't reply within 24 hours send me a PM.



#25
June 12, 2009 at 13:39:25

Thanks for the files. Please follow these steps in the order numbered and post the summary log after each step.

1) Install, update the database and run a full scan with Malwarebytes' Anti-Malware. Attach the Malwarebytes full scan log; fix anything detected.

2) House cleaning. Run a full scan with SUPERAntiSpyware: http://www.superantispyware.com/dow... . Fix what it detects and post the summary scan log.

If I'm helping you and I don't reply within 24 hours send me a PM.

PS: Do you use Kaspersky 2009 antivirus?



#26
June 13, 2009 at 07:33:47

With regard to your PS... I have Kaspersky 2009 on a trial basis right now as per your initial instructions. I was using SpyDoctor and had something called Etrust but they didn't seem to cut it... do you have a recommendation?

Here are the log outputs:
Malwarebytes' Anti-Malware 1.37
Database version: 2268
Windows 5.1.2600 Service Pack 2

6/12/2009 5:33:39 PM
mbam-log-2009-06-12 (17-33-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 218618
Time elapsed: 45 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
d:\RECYCLER\s-1-5-21-1417001333-1645522239-682003330-20025\Dd1.exe (Rogue.Installer) -> Quarantined and deleted successfully.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/12/2009 at 06:04 PM

Application Version : 4.26.1004

Core Rules Database Version : 3937
Trace Rules Database Version: 1880

Scan type : Complete Scan
Total Scan Time : 00:18:20

Memory items scanned : 376
Memory threats detected : 0
Registry items scanned : 5346
Registry threats detected : 0
File items scanned : 22927
File threats detected : 63

Adware.Tracking Cookie



#27
June 13, 2009 at 07:42:18

Is your original problem fixed? I like Kaspersky/BitDefender/ESET/Norton; none of them are free. If you want free, try Avast/AVG.

If I'm helping you and I don't reply within 24 hours send me a PM.



#28
June 13, 2009 at 07:53:39

Yes, my original problem is fixed... thank you. Do I need to do anything else to clean up?


#29
June 13, 2009 at 08:02:42

Follow these security measures and clean-up procedures in the order numbered:

1) Update Windows via Windows Update till all critical patches are applied (SP3).

2) http://onecare.live.com/site/en-Us/...

3) http://onecare.live.com/site/en-Us/...

PS: No need to report back. Since the problem is solved I am no longer monitoring this post; if you have any further malware-related problem, private message me.

If I'm helping you and I don't reply within 24 hours send me a PM.



#30
June 30, 2009 at 10:53:54

To screen your computer on all background processes try the www.xraymypc.com scanner. It will show description, location, and security risk of each process found. You can download this free scanner from here:
http://www.xraymypc.com/scanner.html


#31
June 30, 2009 at 11:28:12

Okay, thanks for the info.
